27 January 2021

The unexpected rise of the QR code

COVID-19 public health Technology

The COVID-19 pandemic has resurrected an almost defunct technology in QR codes, raising fresh privacy concerns for the security of personal data collected.

Smartphones in hand, most people have become quite accustomed to plugging in their personal details by scanning a code that opens an app or website before entering a restaurant, gym or other venue.

While cyber crime or identity theft might seem like a remote possibility, the risk is multiplied in COVID times when practically every outing means registering your name, phone number and possibly email.

Electronic check-in systems, now compulsory for businesses and venues in every state, are designed to make contact tracing more efficient in the event of an outbreak.

But privacy concerns are rising with the sudden explosion of QR codes because not all codes are created equal, and unsuspecting users could be redirected to a malicious website, unwittingly handing over their contact details to bad actors.

Depending on how and where data are stored, the deluge of personal information amassed by the minute could also be a clear target for cyber activity, which has increased in recent months, according to cyber security experts.

“If [cyber criminals] want to get personal information at bulk, these are the targets,” said Dr Suranga Seneviratne, an academic at the University of Sydney specialising in data security and privacy.

QR (Quick Response) codes were originally designed to keep track of car parts in manufacturing industry, and have been used extensively across Asia as efficient cashless payment systems.

The now-familiar square black-and-white arrays encode data similarly to a regular barcode. When scanned with a smartphone camera, they bring up a link to a web address or open an app. 

Only with their pandemic resurgence has the QR code’s creator been thinking about how the codes could be used in health, for easy access to imaging and test results – a scenario that would open up a quagmire of security concerns.

It’s also been suggested that QR codes could be used to issue ‘health certificates’ to revive international travel.

As it is, businesses and hospitality venues now required to collect patrons contact details electronically could be using QR codes freely provided by unregulated service providers with little understanding of the data security policies attached.

Some state governments are now providing businesses with unique QR codes, supplied via their government app, in which case the data are encrypted and stored securely for no longer than 28 days (except in Queensland, where it’s held for 56 days), and released only to their health departments for contact tracing.

The use of these apps and government-supplied QR codes by businesses and patrons is not always mandatory, rather “encouraged” in some states.

Initially, in the rush to reopen, businesses appeared to be using whatever means available to them to comply with COVID safety plans, and even now there is no regulation on which QR code providers to use, Dr Seneviratne said.

This exposes patrons to the risk of data breaches and possibly identity theft if cybercriminals get hold of personal details.

“If the federal or state governments had vetted some QR service providers, checked their privacy policies, checked where they store data, and who has access to that data, then I think it is a reasonable way of collecting contact information, given the circumstances,” he said.

But the responsibility of scrutinising privacy policies to find trusted service providers falls to business owners, which is not appropriate given what’s at stake, Dr Seneviratne said.

It also means that unless businesses are using QR codes provided by their state government, users cannot be sure how exactly their data is being managed, said Kate Carruthers, a cyber security and data governance expert at UNSW Sydney.

Information on a service provider’s data policy or security practices is rarely provided at the point of check-in, she said, and a lot of new QR code providers entered the scene before state governments were ready to issue government-generated codes direct to businesses.

“Where that data is being stored, where that data is going, we have no idea,” Ms Carruthers said. “We don’t know the companies [and] small organisations, they typically don’t have strong standards for how they secure data.”

The Commonwealth Privacy Commission has issued guidelines for digital check-in services collecting personal information, including secure data storage.

But an ABC investigation found some check-in services were inappropriately listing a business’s standard terms and conditions (which allow customer details to be shared with partners for marketing or promotions) or collecting more information than is necessary for contact tracing, such as date of birth.

Unsettling as that may be to individuals, there are other larger data security concerns that doctors and health staff should be attuned to during the pandemic, Ms Carruthers said.

Healthcare workers should be on alert for cyberattacks to their practice’s or hospital’s health information systems, she said, as there had been a “tremendous growth” in cyberactivity targeting health systems in the past year, particularly ransomware.

Even in ordinary times the healthcare sector, with its critical services and high-value personal health data, is a prime target for ransomware – software that encrypts valuable files, rendering them inaccessible until the ransom is paid.

“Private health practices, especially ones that don’t have a lot of cyber security skills in their own organisation, are quite vulnerable to this and should seek professional advice,” she said.

Ms Carruthers said individuals can also use a multifactorial authentication and password manager tool to protect against security breaches.

Associate Professor Paul Haskell-Dowland, a cyber security academic at Edith Cowan University in Perth, agreed that organisations needed to remain on high alert because the healthcare sector was being targeted by organised cyber criminals with “increasing regularity”.

“The pandemic is a factor as people’s attention is perhaps not as focussed as it was,” said Professor Haskell-Dowland.

“Things may have gone unnoticed while IT staff focused on delivering remote-working technologies and integrating services previously only conducted on-site.”

Professor Haskell-Dowland said the rise of telehealth and remote working during the pandemic might have shifted data security controls from the office to the home – to personal computers not managed by an organisation’s IT department.

He said standard cyber security good practice involved protecting systems with antivirus software, firewalls and regular updates; testing data backups; and providing cyber security education for all users at all levels.

Users should avoid sharing accounts and never open suspicious email attachments or links, as this is how malicious software usually enters a system.

“Every organisation will experience a cyber security incident at some point,” Professor Haskell-Dowland said. “Knowing what to do and how to respond is vital.”