The privacy implications of venue check-in for COVID-19

Thursday 08 Oct 2020

The COVID-19 pandemic has completely transformed the way that many of us go about our daily lives. For example, it’s now commonplace for people in England and Wales to have to “check-in” to workplaces and venues which they visit in person. Indeed, many types of business are now required to request and record the details of their customers, visitors and staff so that NHS Test and Trace can identify and notify people who may have been exposed to the virus.

Until recently, the main way in which businesses have been collecting this information is by requesting it in handwritten form. Whether by filling out small slips of paper or by writing an entry into a visitor book, we have quickly been getting used to the idea of handing out our personal information as a condition of entry. In addition, a number of digital alternatives have emerged which replicate much the same process but use customers' mobile devices to capture their personal details.

As of 24 September, the launch date of the new NHS COVID-19 app in England and Wales, there is also now a third way in which people are being encouraged to check in to physical venues. In addition to its decentralised contact tracing functionality, the app allows users to check in by scanning the NHS QR (quick response) code posters that are now mandatory for a range of hospitality businesses to display. Over 160,000 businesses have already generated an official QR code poster using the government's new online service.

In this blog we evaluate the current privacy landscape for Test and Trace venue check-in and compare the new NHS COVID-19 app against the alternatives which are currently available.

The current venue check-in privacy landscape

Recent government policy demands that many types of businesses must collect customer, visitor and staff contact logs or face fines of up to £4,000. If individuals choose to check in using the NHS COVID-19 app then they simply scan the venue’s NHS QR code poster; otherwise they must provide their personal information either in handwriting or by using an equivalent digital solution.

In the case of the NHS COVID-19 app, which does not require individuals to submit their personal information during install or venue check-in, potentially exposed individuals are notified directly through the app and no third party learns which exact people have been instructed to self-isolate. In the conventional mechanism, which involves handwritten or digital copies of personal information being provided to NHS Test and Trace on demand, individuals instead receive a text message, email or phone call which provides the instruction to self-isolate. In both cases, users are advised to log into the NHS Test and Trace contact tracing website, which will request the full name, date of birth, sex, ethnic group, NHS number, address, phone number and email address of any individual who has been in close contact with someone who tests positive.

The crucial difference between the NHS COVID-19 app and its alternatives (visitors must use one or the other approach to check in to a range of businesses) is that individuals who do not come into close contact with someone who tests positive are never required to provide their personal information. The implications of this simple difference are significant when we consider the technologies that are being used by digital check-in solutions.

Digital check-in technology and its implications

While any system that collects personal information presents risks to privacy, the specific implementation details and technology used will determine the size and number of threats which must be considered. We now compare the venue check-in notification provided by the NHS COVID-19 app with an illustrative alternative system which also provides notifications to users when they may have been in close contact with someone who has coronavirus. This alternative solution may be run alongside the NHS app for designated venues, but could also appeal to a broader range of businesses which are not necessarily required to display an NHS QR code poster by law. 

Crucially, this alternative system also relies on QR codes but does not require individuals to download a special-purpose app. Instead, upon scanning a QR poster, users are taken to a webpage and instructed to enter their personal information using an online form. Users provide the same information as would otherwise be given by hand, and this data is then stored online for the venue operator to access. In the event of an outbreak, the NHS Test and Trace team will request this information directly from the venue operator and will then attempt to notify each exposed individual using the details they have provided.

The first technical difference between these two approaches is whether the user needs to download an app. Having to download an app could deter some users as an inconvenience and risks excluding those who encounter difficulties with compatibility. On the other hand, uptake of the app is being strongly encouraged with a national campaign which includes the compulsory display (and use) of an NHS QR code poster at hospitality venues, and there are technical methods in place to ensure widespread compatibility.

The alternative approach, while avoiding the need for a special-purpose app, introduces a number of additional privacy risks to individuals. Firstly, users are taken to a webpage to submit their personal information. This webpage may not be familiar and is likely to be run by a different business to the venue they are attending. From a technology perspective, assessing the trustworthiness of web pages can be difficult for users and also presents a challenge for website operators who must defend against cyber attacks. On the occasion that a positive test result becomes associated with the venue, the venue operator must also be protected from cyber attacks and practice good data governance as they will intermediate the data of customers, visitors and staff when complying with Test and Trace. In the longer-term, there is a broader risk associated with conditioning the population to be okay with routinely supplying their personal information to websites that they have no good reason to trust.


Lastly, both the NHS COVID-19 app and this alternative solution depend on QR code technology. QR codes are a type of barcode technology that was originally designed to help rapidly track vehicles and their components during manufacture. As such, QR codes have a number of shortfalls which were not a consideration during their initial design. Most notably, QR codes do not provide a way for individuals scanning them to verify their authenticity. 

In the case of the NHS COVID-19 app, this risk is partially mitigated in two ways. Firstly, the app performs cryptographic verification of QR codes. This means that only QR codes that have been approved by the government will be accepted by the app. Secondly, NHS QR codes do not work when they are read without using the corresponding COVID-19 app. In particular, NHS QR codes do not direct users to any website which might instruct them on how to download the correct app. Whilst this could be seen as a missed opportunity to onboard more users, the posters themselves clearly direct users to download the app and a much greater risk is avoided.

The alternative solution necessarily directs users to a web page as there is no app to provide a more privacy-friendly functionality. This puts individuals in the situation where they are being asked to scan QR codes which they cannot verify, to follow URLs they might not recognise, and to provide their personal information to entities previously unknown and tertiary to their relationship with the venue they are attending. The threat of normalising this process of providing our personal information to unverified websites, and the potentially confusing coexistence of multiple solutions for Test and Trace, is a significant risk to user privacy. Furthermore, without an app to provide an extra layer of cryptographic source verification, this approach is particularly susceptible to an impersonation and replay attack which would allow an adversary to collect personal information without knowledge of either user or venue. 
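The following is an added illustration of the cryptographic source verification discussed in the last two paragraphs; it is example code written for this post, not the NHS app's own code or poster format. The `VENUE:1:` poster layout, the venue identifiers and the Ed25519 key pair are all assumed: the issuer signs a venue identifier, the app carries only the public key, and a scanned code is accepted only when it is a correctly signed poster rather than a URL to open.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Assumed poster format for this example (not the NHS format): "VENUE:1:<venue-id>:<base64url sig>".
const posterPrefix = "VENUE:1:"

// IssuePoster is the trusted issuer's side: sign the venue identifier and return the
// string that would be encoded into that venue's QR code poster.
func IssuePoster(priv ed25519.PrivateKey, venueID string) string {
	sig := ed25519.Sign(priv, []byte(venueID))
	return posterPrefix + venueID + ":" + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyPoster is the app's side: a scanned code is either a correctly signed poster or it is
// rejected; in particular it is never opened as a URL. The app needs only the issuer's public key.
func VerifyPoster(pub ed25519.PublicKey, scanned string) (string, error) {
	if !strings.HasPrefix(scanned, posterPrefix) {
		return "", errors.New("not a venue poster (URLs and other content are never opened)")
	}
	body := strings.TrimPrefix(scanned, posterPrefix)
	sep := strings.LastIndex(body, ":")
	if sep <= 0 {
		return "", errors.New("malformed poster: missing venue id or signature")
	}
	venueID, sig64 := body[:sep], body[sep+1:]
	sig, err := base64.RawURLEncoding.DecodeString(sig64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", errors.New("malformed poster: signature is not a valid Ed25519 signature")
	}
	// A valid signature proves who issued the poster, not where it hangs: a genuine poster
	// moved to another wall still verifies, so the venue name printed on it still matters.
	if !ed25519.Verify(pub, []byte(venueID), sig) {
		return "", errors.New("signature invalid: poster was not issued by the trusted authority")
	}
	return venueID, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair; the app ships only pub
	fmt.Println(VerifyPoster(pub, IssuePoster(priv, "venue-0001")))
	fmt.Println(VerifyPoster(pub, "https://example.invalid/checkin"))
}
```

A tampered venue identifier, a poster signed with any other key, or a plain URL is rejected before any check-in is recorded, which is the property the web-form alternative lacks.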

Looking ahead: Weighing up risks and benefits

The latest NHS COVID-19 app provides a novel mechanism for venue check-in that illustrates how privacy and utility can be harmonised in a real-world deployment when careful attention is paid to the functionality that is minimally necessary. We highlight the coexistence of several systems for providing venue check-in exposure notifications and explore the privacy risks of these different approaches and the technologies which support them. 

Beyond Test and Trace for the COVID-19 pandemic, the revival of QR codes and the adoption of digital visitor lists presents a unique set of risks to individuals and businesses which should be carefully weighed against the benefits and requirements of each particular solution.