Tens of thousands of small and medium Australian businesses that rushed to outsource the management of their COVID check-in obligations could find themselves snared in a looming data privacy calamity.
- Privacy advocates have warned of “marketing surveillance” operations tied to QR code data collection
- The ABC found some companies’ privacy policies had fallen short of standards
- Cybersecurity experts called for states to adopt the New Zealand and United Kingdom QR code models
At stake are the personal details of millions of Australians who have visited cafes, restaurants and pubs or attended places of worship, wedding and funeral venues since rules designed to help manage the spread of the virus were introduced earlier this year.
These regulations, which operate in most states and territories, require customers and visitors to provide their name and contact details so that they can be traced in the event there’s a potential virus transmission risk.
However, many of these electronic check-ins are outsourced to registration platforms that are often owned by companies that deal in collecting data, some operating under opaque rules about how that information is stored and used.
Privacy and cybersecurity experts are warning that the lack of due diligence in vetting providers has left the system and the “gold standard” personal data it manages vulnerable to exploitation.
“Governments have made collection compulsory, without exercising supervision about how it is carried out,” said Graham Greenleaf, a professor of law and information systems at the University of New South Wales (UNSW).
The problem is set to be compounded as thousands more venues in Victoria open for business again after a strict three-month lockdown.
The kind of information being collected is a highly prized commodity in the data broking industry, because it gives anyone who holds it direct access to a person's inbox and mobile handset.
And there are concerns that the data could potentially be resold, used for identity fraud or to track a person’s location and social groups, and employed in micro-targeted advertising for misinformation campaigns.
Justin Warren, from privacy and digital rights group Electronic Frontier Australia (EFA), said while some providers appeared to be doing the right thing, he had also observed the hallmarks of a "marketing surveillance" operation.
He said the abundance of smaller companies collecting and storing the data had also created a “honeypot” for cyber criminals.
“We have a lot of people whose primary business is running a cafe, they’re not technical experts,” Mr Warren said.
“[These] conditions really lend to mistakes that people will regret later on. With privacy, once you’ve lost it, it’s kind of gone forever.”
Big, green tick of approval
While some venues offer patrons a pen and paper solution, the majority use a contactless technology based on scannable QR (quick response) codes.
The characteristic black squares are a two-dimensional barcode; when a smartphone camera scans it, the pattern is decoded into readable text, usually a website address.
The customer types their name and contact details into a form on the web page before submitting the details and receiving a confirmation, often displayed as a big green tick.
But the ABC found some companies did not have specific COVID privacy policies, as recommended by the federal privacy commissioner.
Other companies, such as UberEats rival HungryPanda, did not appear to make any distinction between COVID-related data and the information they had harvested from customers before the pandemic.
At least 50 Asian eateries in NSW, many located in Sydney’s CBD, using HungryPanda’s check-in service defaulted to the app’s standard terms and conditions.
Those policies allow the company to share customer details with “partners for marketing or promotions”.
Company spokeswoman Tina Sun said there was no intention to collect the COVID check-in data for purposes other than contact tracing.
“We can’t access the data because we didn’t want to take the risk,” she said.
Ms Sun said it was up to each business to manage their COVID data and said HungryPanda would again “remind the restaurants” about their privacy obligations.
Vanessa Teague, cryptography professor and founder of Thinking Cybersecurity, said good intentions weren’t enough.
“A company doesn’t always live up to their promises and even if they want to, this doesn’t just preclude security problems or accidental data breaches,” she said.
There are no available figures on how many private entities are managing the digital check-in process, nor on the volume of check-in data that has been generated.
The four companies willing to disclose their check-in figures — MyGuestList (MGL), BGL Corporate Solutions, NCH Software and ImpactData — have managed upwards of 28 million COVID registrations since the start of the pandemic.
MGL, which labels itself as "Australia's Most Powerful Marketing Platform", has stored over 20 million COVID check-ins from more than 20,000 locations on its servers in Canada, with backups in the United States.
An MGL spokesperson said the data was only used for contact tracing and was protected under Canada’s more robust privacy laws.
NSW so far has the strictest compulsory registrations, with gyms, hospitality venues, funeral homes, and places of public worship all required to collect the names and phone numbers of all patrons.
But the NSW Government's own visitor registration feature, integrated into the ServiceNSW app, has not been widely adopted by venues and has recorded only 1.1 million check-ins since it launched in September.
In June, the NSW Government said businesses unable to record visitor details would be forbidden from reopening after the COVID lockdown and that non-compliance would be punished with heavy fines.
"Guidance" around how that data should be collected and stored was established around the same time by the federal privacy watchdog, the Office of the Australian Information Commissioner (OAIC).
It said customers must be clearly informed about what information was being collected, that it should be stored securely, that it should not be used for purposes other than contact tracing and it should be destroyed once it was no longer needed.
In Queensland, the retention period for the data is 56 days, while in other states it is 28 days.
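The OAIC principles above (collect only what is needed, use it only for contact tracing, destroy it when the retention period ends) translate into a few concrete engineering decisions. The following is an added worked example, not code from any provider named in this article: a minimal check-in store that refuses fields beyond the first name and contact number the article says Victoria requires, exposes a single purpose-limited lookup for contact tracers, and purges records automatically using the 56-day (Queensland) and 28-day (elsewhere) periods given above. The class and function names, the in-memory list and the sample check-ins are constructed for illustration.

```python
"""Venue check-in store that collects only the fields the rules require and
deletes records when the retention period ends.

Added example; not code from any provider named in the article.  The field
list (Victoria: first name and contact number) and the retention periods
(Queensland 56 days, 28 days elsewhere) come from the article.  Names,
the in-memory store and the sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the Victorian minimum (first name + contact number) is used as
# the collection ceiling for every state; anything beyond it is rejected.
ALLOWED_FIELDS = frozenset({"first_name", "phone"})

# Retention in days per the article: Queensland 56, everywhere else 28.
RETENTION_DAYS = {"QLD": 56}
DEFAULT_RETENTION_DAYS = 28


@dataclass
class CheckIn:
    venue_id: str
    first_name: str
    phone: str
    checked_in_at: datetime


class CheckInStore:
    """One store per jurisdiction, so the retention rule is fixed at construction."""

    def __init__(self, state: str):
        self.state = state
        self.retention = timedelta(days=RETENTION_DAYS.get(state, DEFAULT_RETENTION_DAYS))
        self._records = []  # list of CheckIn; stands in for a database table

    def __len__(self) -> int:
        return len(self._records)

    def record(self, venue_id: str, submitted: dict, now: datetime) -> CheckIn:
        """Reject over-collection before anything is written.

        Extra fields (date of birth, email, surname ...) are refused rather
        than silently dropped, so a misconfigured form fails loudly.
        """
        extra = set(submitted) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"over-collection rejected: {sorted(extra)}")
        missing = ALLOWED_FIELDS - set(submitted)
        if missing:
            raise ValueError(f"required fields missing: {sorted(missing)}")
        phone = "".join(ch for ch in submitted["phone"] if ch.isdigit())
        if not phone:
            raise ValueError("contact number must contain digits")
        entry = CheckIn(venue_id, submitted["first_name"].strip(), phone, now)
        self._records.append(entry)
        return entry

    def purge_expired(self, now: datetime) -> int:
        """Delete everything older than the retention period; returns the count removed.

        Meant to run on a schedule (cron, a database job): deletion is
        automatic, not something the venue has to remember to do.
        """
        cutoff = now - self.retention
        keep = [r for r in self._records if r.checked_in_at > cutoff]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed

    def contacts_for(self, venue_id: str, start: datetime, end: datetime) -> list:
        """The only read path: who was at this venue in this window.

        There is deliberately no 'export all', 'search by phone' or marketing
        query; purpose limitation is enforced by not building other paths.
        """
        return [
            (r.first_name, r.phone)
            for r in self._records
            if r.venue_id == venue_id and start <= r.checked_in_at <= end
        ]


def demo() -> dict:
    """Constructed sample run: one Victorian and one Queensland store."""
    t0 = datetime(2020, 11, 1, 12, 0, tzinfo=timezone.utc)
    vic, qld = CheckInStore("VIC"), CheckInStore("QLD")
    form = {"first_name": "Ada", "phone": "0400 000 000"}
    vic.record("cafe-vic-1", form, t0)
    qld.record("cafe-qld-1", form, t0)

    try:  # a form that also asks for a date of birth must be refused
        vic.record("cafe-vic-1", {**form, "date_of_birth": "1990-01-01"}, t0)
        over_collection_rejected = False
    except ValueError:
        over_collection_rejected = True

    traced = vic.contacts_for("cafe-vic-1", t0 - timedelta(hours=1), t0 + timedelta(hours=1))
    return {
        "over_collection_rejected": over_collection_rejected,
        "traced_contacts": traced,
        "vic_purged_day30": vic.purge_expired(t0 + timedelta(days=30)),
        "qld_purged_day30": qld.purge_expired(t0 + timedelta(days=30)),
        "qld_purged_day60": qld.purge_expired(t0 + timedelta(days=60)),
        "vic_remaining": len(vic),
    }


if __name__ == "__main__":
    print(demo())
```

The two design choices worth copying are that over-collection is an error, not a warning, and that the purge is driven by a stored timestamp and a fixed period rather than by a human remembering to delete; the Queensland store still holds its record on day 30 while the Victorian one is already empty.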
An OAIC spokesperson said it had held regular consultations with business groups to advise about “best privacy practice” and how to incorporate privacy principles into the design of registration systems.
However, some companies were found to be falling short.
“Some of these applications are asking for a lot more information than they actually need to,” EFA’s Mr Warren said.
“The regulations are pretty prescriptive, so they say here in Victoria it’s just a first name and a contact number.
“But some of these applications are asking for a lot more information than that including things like last name, email address and other things they could use to potentially track you.”
One example of information being collected beyond what contact tracing needs is the free digital check-in service GuestTrack, which allows venues to collect a user's date of birth.
The app, which has registered over 2 million check-ins across 3,500 businesses, was created by Melbourne-based software and data service company BGL Corporate Solutions.
Its founder, Ron Lesh, said this was an optional feature which had to be enabled by the business itself.
He said he created the app in July to “give back to the community” and had no intention of profiting from the re-use of COVID check-in data.
‘Gold standard data’
Some of the personal information collected by smaller QR code providers during the “cowboy period” before late May, when the OAIC stepped in, could have already ended up in improper hands, according to data commercialisation expert Peter Leonard.
“It’s fair to say that some of the early providers of the apps were not as careful with their information management practices,” he said.
“[But] there are probably still some operators who are not really aware of the restrictions that the law imposes and they may still be sharing data in ways that they shouldn’t.”
An OAIC spokesperson said it had received about 10 complaints about the collection of information by venues this year, half of which related to QR codes.
The regulator said it had “proactively written to a range of digital check-in service providers and related industry groups” about their privacy obligations.
Even if the OAIC was able to police all breaches — which Mr Leonard says it doesn’t have the resources to do, especially if the data moves overseas — there is little incentive for the smaller operators to do the right thing.
A spokeswoman for the Office of the Victorian Information Commissioner (OVIC) said the privacy regulator was concerned about the lack of oversight on small companies.
While the federal regulator can pursue breaches by larger companies, most businesses with an annual turnover of less than $3 million fall under the Privacy Act's small business exemption and are not covered by the Act at all, so they cannot be held accountable under it for privacy breaches.
“This means that some small organisations collecting COVID check-in data would not be subject to privacy rules and could potentially misuse check-in data,” the OVIC spokeswoman said.
UNSW’s Professor Greenleaf said the information being collected in COVID check-ins was “gold standard data”.
“With fragmentary data what you want to be able to do with that is match it with really rock solid identification data about a person,” Professor Greenleaf said.
He said an existing database might include search histories of a person looking up particular types of illnesses, operations or medical conditions.
“But before they didn’t really have an effective way of contacting you, now they’ve got that data, which makes you vulnerable.”
Mr Leonard said for marketers looking to micro-target, having those personal details packaged together could mean paying the “difference between cents and dollars” for advertising campaigns.
Looking overseas for solutions
While the check-in measures have helped authorities quickly trace those exposed to outbreaks, experts say Australia should look to the United Kingdom and New Zealand to find the balance between public health and privacy.
The UK recently launched its NHS QR code program, which allows visitors to “anonymously register” that they’ve been to a location.
A person would enter a restaurant or public venue, scan a displayed QR code and the information would only be stored locally on the person’s device like a personal diary.
When a person tests positive to COVID-19, health authorities would access the encrypted data directly from their phone and issue a public health alert about their movements.
Other people can then, through the app, check their own “diary” against those locations to determine if they’ve been exposed.
Across the Tasman Sea, the NZ COVID Tracer app works in a similar way and has effectively removed the need for private businesses to manage the digital check-in process.
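To make the architectural difference between the two models concrete, here is an added worked example. It is not code from the NHS app, the NZ COVID Tracer app or the article: it simulates the on-device diary described above, in which the QR code only identifies the venue, visits stay on the phone, a positive case's venue list is shared with the health authority, and every other phone matches the published alerts locally. Beside it sits a central register of the Australian kind, where every visit is stored with the visitor's identity. The alert format, the 21-day diary retention, the two-hour exposure window, the venues and the names are all assumptions chosen to illustrate the design, not the apps' real protocols.

```python
"""Simulation of the on-device check-in model (UK NHS QR scheme, NZ COVID
Tracer) next to a central register of the Australian kind.

Added example; not code from either app.  The alert tuple, the 21-day diary
retention, the two-hour exposure window, the venues, names and visit times
are constructed assumptions used to show the architecture.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Visit:
    venue_id: str      # the only thing a venue's QR code needs to carry
    arrived: datetime


class Phone:
    """The user's device keeps the diary; the venue receives nothing."""

    def __init__(self, owner: str, retention_days: int = 21):  # retention is an assumption
        self.owner = owner  # never transmitted; kept only so the demo can label phones
        self.retention = timedelta(days=retention_days)
        self.diary = []

    def scan(self, venue_id: str, now: datetime) -> None:
        """Record the venue locally and drop entries past the retention period."""
        self.diary.append(Visit(venue_id, now))
        cutoff = now - self.retention
        self.diary = [v for v in self.diary if v.arrived > cutoff]

    def share_after_positive_test(self) -> list:
        """The one time diary data leaves the phone: the owner has tested
        positive and agrees to the health authority seeing where they went."""
        return list(self.diary)

    def check_exposure(self, alerts: list) -> list:
        """Matching happens here, on the device, against a public alert list."""
        return [
            v for v in self.diary
            for venue_id, start, end in alerts
            if v.venue_id == venue_id and start <= v.arrived <= end
        ]


class HealthAuthority:
    """Holds no identities; publishes (venue, start, end) alerts from positive cases."""

    def __init__(self, window: timedelta = timedelta(hours=2)):  # window is an assumption
        self.window = window
        self.alerts = []

    def publish_alerts(self, positive_case_visits: list) -> list:
        for v in positive_case_visits:
            self.alerts.append((v.venue_id, v.arrived - self.window, v.arrived + self.window))
        return self.alerts


class CentralRegister:
    """The Australian-style alternative: every visit, with identity, in one database."""

    def __init__(self):
        self.rows = []  # (venue_id, visitor name, time)

    def check_in(self, venue_id: str, name: str, now: datetime) -> None:
        self.rows.append((venue_id, name, now))


def demo() -> dict:
    """Constructed scenario: Carol and Alice overlap at a cafe, Bob is at a gym."""
    t = datetime(2020, 10, 30, 12, 0, tzinfo=timezone.utc)
    authority, register = HealthAuthority(), CentralRegister()
    carol, alice, bob = Phone("carol"), Phone("alice"), Phone("bob")

    carol.scan("pub-1", t - timedelta(days=30))  # old visit; pruned by diary retention
    visits = [(carol, "cafe-42", t),
              (alice, "cafe-42", t + timedelta(hours=1)),
              (bob, "gym-7", t + timedelta(hours=1))]
    for phone, venue, when in visits:
        phone.scan(venue, when)                      # decentralised: stays on the phone
        register.check_in(venue, phone.owner, when)  # centralised: identity stored

    # Carol tests positive and shares her diary; only venue windows are published.
    alerts = authority.publish_alerts(carol.share_after_positive_test())

    return {
        "alerts_published": len(alerts),
        "identity_in_alerts": any(n in str(alerts) for n in ("alice", "bob", "carol")),
        "alice_exposed": bool(alice.check_exposure(alerts)),
        "bob_exposed": bool(bob.check_exposure(alerts)),
        "central_register_names": sorted(row[1] for row in register.rows),
    }


if __name__ == "__main__":
    print(demo())
```

In the decentralised run the only data that ever leaves a phone is the positive case's list of venues, and the published alert carries venue IDs and time windows but no names, yet Alice is still told she was exposed and Bob is not. The central register, by contrast, ends the same afternoon holding all three identities against their locations, which is the database Professor Teague argues need not exist at all.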
Prior to the app’s introduction in May, NZ authorities were alarmed by potential data mining operations.
“We definitely had some concerns,” said Shayne Hunter from the NZ Ministry of Health, who helped develop the app.
While many, he said, were individuals or private entities trying to genuinely help, there were some who “did have thoughts around how they might be able to use the data”.
Once the app launched and the Government notified them of new privacy obligations, he said many private providers simply “disappeared”.
“I think once they realised we were going down that path, there were a lot who just fell by the wayside,” Mr Hunter said.
Professor Teague said the inherent flaw in the Australian model was that the databases existed at all.
“Instead of architecting things that protect our privacy we are responding by designing things that are inherently invading our privacy,” she said.
“And then we get really upset about vulnerable databases … but it wouldn’t be vulnerable if it wasn’t in existence.”