COVID-19 QR Code Scanners: Advice for Survivors

The purpose of this advice is to help survivors of domestic and family violence or stalking to make an informed decision about whether or not to use QR Code Scanners for COVID-19 Contact tracing.  

Background

When COVID-19 cases increase and ‘hotspots’ start popping up everywhere it becomes increasingly difficult for manual contract tracers to stay abreast of the situation, hence governments and businesses have started to use or mandate scanned QR codes to track visitors to various venues and establishments.

What is it?

A QR code (abbreviated from Quick Response code) is a type of matrix barcode (or two-dimensional barcode) is a machine-readable optical label that can be scanned using the camera function on most smartphones and which contains information about the item to which it is attached. Some phones may require a free QR code reader app to scan the QR code, and these are available from the Google Play store (Android) or the App Store (iOS). Many QR code technologies are owned by private companies, however, more recently local governments have been offering up their own versions to businesses to try and centralise and simplify the process.

What data does it collect?

QR Code scanners generally record the date and time of the user’s visit to the premises and, in most cases, the user is asked to provide their contact details and answer a questionnaire.  A concern is that these apps collect together in one place a person’s full name, phone number and email address and that the venues or businesses may be using an unregulated online service or app to manage the data collected.  

What about the Government storage end of things?

Some QR code collections are performed by government run apps, however many businesses just use outsourced QR code vendors supplying businesses with COVID-19 contact tracing technology. It is difficult for a consumer to assess from the sign at a venue where the data collected will reside and who may obtain access to it. Many QR code vendors state that users’ data will be kept safe and secure, but there is very limited regulation in this area. What happens to the data collected remains a privacy concern. Our recommendation is that survivors wishing to ensure their privacy and security look for viable alternatives to provide contact tracers with the information they need to do their job successfully, while protecting themselves online.

Should I check in using a QR code scanner?

If you are a survivor and you need to keep your personal information secure for safety reasons, or if you are concerned that leaked data captured by a QR code scanner could put you or your loved ones at risk, then we recommend the following:

• Set up a new email address specifically for checking into services and venues. 
• Opt for an email provider that has no links to other providers you may already be using (e.g. ProtonMail), and avoid using your name or any other identifying details in the new email address. 
• Don’t scan the QR code with your phone, instead, ask to leave your details manually rather than scanning the QR code, wherever possible. This may mean providing your details using pen and paper, or entering your details into an electronic database.
• When entering details online or via a QR code scan, provide as few details as possible. Use your new email address rather than providing your name and phone number, or, if a name is also required then enter initials or a pseudonym only. 

We also recommend the above advice for those whose phone is unable to read a QR code or for those members of the public who do not own a smartphone and have concerns for their safety.