After CovidSafe, QR codes spark privacy concerns

Researchers are calling for a renewed public discussion about the role of technology in Australia’s contact tracing regime as questions remain over the effectiveness of CovidSafe and private companies continue to harvest data via QR code check-in systems. 

Graham Greenleaf, professor of law and information systems at the University of New South Wales summed up the dilemma: 

“We've got a genuinely voluntary CovidSafe app with Australia's strongest privacy policy protections, but it's now largely ignored because it's been shown to be ineffective. 

“In contrast, we have semi-compulsory QR codes which have no effective privacy regulation but look like they're going to be here for quite a few years to come.”  

Speaking during a panel hosted by Deakin University's Global Digital Publics Network and the Science and Society Network, Greenleaf said after six months the government’s app “has not made any significant contribution to combating COVID in Australia”. 

According to a recent senate estimates hearing, CovidSafe has traced just 17 cases in NSW that might not have otherwise been found by human contact tracers. 

While the app in its current state might be a dud, Greenleaf defended the CovidSafe legislation that accompanied it, which was introduced in May. 

In particular, he highlighted protections against making it compulsory for people to download the app, limiting scope creep by not allowing “police or the spooks” to access the data, and a sunset clause which would require all data be deleted if the app is “no longer required or effective”.  

“The app might have been a failure but in many ways the legislation is a success because we have not seen a piece of surveillance-related legislation in Australia that genuinely addresses the various problems of surveillance systems in as serious fashion as this one does,” he said.  

“It may still be a valuable model for the future for how to constrain future surveillance systems that will be built.” 

Greenleaf contrasted the rules surrounding CovidSafe with the “laissez-faire neglect” of QR code industry. 

Scanning a QR code has quickly become a condition of entry to many Australian venues, mandated by state and territory governments to assist in contact tracing efforts. 

Greenleaf argued those jurisdictions aren’t paying close enough attention to the collection and use of data which is being outsourced to a range of QR code providers. 

“There is no quality control over those QR providers in relation to the privacy protections. The venues that hire them have no strong incentive to enforce what they do with their privacy protections and governments have abdicated from setting required standards for QR providers.” 

The current system raises concerns over data being sold to third parties for data matching and marketing. 

“The data that you're providing is solid gold for data aggregators, full name, email, and phone number all together, linking to one person,” Greenleaf said. 

Greenleaf argued state and territory governments could use the licensing powers to force venues to impose quality standards and the Commonwealth Privacy Commissioner could impose a new code on QR providers, or consumers can insist on a pen and paper option. 

Another possibility raised during the panel discussion was the New Zealand Covid Tracer, which makes a digital diary note in a centralised location when QR codes are scanned rather than creating a record in a vendor’s database.