- The EU and the UK are rolling out QR codes that allow people to travel again during the pandemic.
- The systems both involve Chinese-style encoding of personal information into scannable codes.
- Insider digs in to the new QR passports to see what’s in them.
- See more stories on Insider’s business page.
Encoding your personal information in a QR code is set to become mainstream in Europe — years after the concept spread through China.
Though first pioneered in Japan, using QR codes to navigate society is more commonly associated with the communist state, where citizens use codes to pay for items, make donations, and order food. During COVID-19, The New York Times reported that that government used color QR codes to tell individuals whether to quarantine. In 2018, Human Rights Watch reported that China used QR codes to surveil its Uyghur minority.
Western countries, before the pandemic, generally rejected equivalent systems on privacy grounds.
But starting this month, European Union member states will begin rolling out the EU Green Pass — digital COVID-19 passports that will show, via QR codes, a holder’s age, identity and vaccination status.
And a decade after repealing a pre-smartphone-era scheme to have universal identity cards on civil-liberties grounds, the UK government has similarly introduced two digital passports within the new National Health Service app, centered on QR codes.
We dug into the new QR code passports
There are two codes that can be generated inside the UK app: one for international travel and one for events in the UK.
The codes contain the user’s COVID-19 vaccine status, potentially permitting foreign travel or access to certain mass events, like Euro 2020 matches at London’s Wembley Stadium.
Use of the app requires the holder to be registered with a general practitioner, and the travel pass requires proof of identity to be confirmed accessible via a person’s smartphone. The events pass requires double vaccination, a recent negative test or proven “natural immunity” via a previous positive PCR test.
Scanning the UK travel QR code brings up a chain of numbers, symbols and letters, which is encoded via the same base-45 system used on the EU Green Pass.
Tobias Girstmair, a self-described “nerd, hacker and general computer and electronics enthusiast” recently examined the EU system in a blog post.
Using slightly modified code from Girstmair’s post on my own code revealed precisely how much personal information is within the QR code:
- Birth date
- Certificate ID
- Doses received
- Doses required
- Certificate issuer
- Vaccination date
- Vaccine, manufacturer, and product ID
- Targeted disease
- Batch number
There are still questions about whether the UK’s COVID-19 travel pass will be accepted in Europe, but clearly the aim is cross-border compatibility.
Despite the limited scope, requiring citizens to carry a piece of code containing private medical information is a remarkable step for Europeans.
Europe’s system is less invasive than China’s and isn’t tracking people’s location data
Those who have dug into the code say we’re not headed to a China-style surveillance system.
Girstmair, a “privacy-conscious person” said he was impressed at the EU’s implementation, describing the Green Pass as “pretty good from a privacy perspective” thanks to the limited sensitive data. China’s QR codes, generated in the WeChat app via a mix of location tracking and self-reporting, are undoubtedly more invasive.
“Also, from a technological perspective, I’m fairly impressed: Much thought has gone into making the codes as compact as possible while still containing all the data it does,” Girstmair told Insider.
The lack of location data makes the travel code less invasive than the Chinese equivalents.
There are early signs that Brits aren’t repulsed by the principle of vaccine passports. A YouGov survey in March found that 58% supported the concept, with 34% opposing — 18% “strongly.”
Crucially, the same survey found 58% of Britons opposed it if were private companies, rather than the government, running the initiative.
This lines up with the research of Helen Kennedy, a professor of digital society at the University of Sheffield.
Her upcoming Living with Data report, due for publication this week, finds that more than three-quarters of respondents were comfortable with their data being added to the UK health system’s COVID-19 data store. That’s provided that data doesn’t find its way into the hands of private operators.
“They see the value of using data to tackle COVID-19 but are concerned about potential future uses of the data in the data store,” she said via email. Think commercial profit, leaks, or misuse of data.
If vaccine passports offer similar public-health goals, will people be equally supportive? For Kennedy, this will come down to the purpose, data collected and organizations involved.
“I could imagine that for certain groups, e.g. migrants, their views about data sharing in vaccine passports to enable border crossing might be informed by their migrant experiences and identities,” she wrote.
Phil Booth, coordinator of MedConfidential, a group campaigning for confidentiality and consent in health and social care, is not content.
“Getting a ‘COVID certificate’ on your phone and especially in the NHS app is and always was daft and dangerous,” he said. His group favors paper certification for vaccine passports.
“It was inevitably going to be the route to further ‘function creep,’ including domestic use — as people are now finding out,” he added.
Still, the fact that the travel QR code’s data can be so easily decoded and scrutinized could reassure people that it isn’t — for now — overreaching, and the readers’ comments on Girstmair’s analysis of the EU Green Pass are mostly relaxed about the app’s implementation.
“I do think that breaking the data inside the code down and analyzing every byte stored within took the wind out of the sails of those concerned,” Gitrstmair said.