What is the point of QR codes on PCR Test Results?
 

Is it to have a link to your negative test results on a webpage with all the details that you'd already have in an email or printout of the results? If so, doesn't that break privacy standards to just have your medical data sitting on the internet? If the airlines had a direct and secure connection to a singular system where only they can use the QR code to look up your test results, then it makes sense, but I doubt that is the case in most places outside of perhaps the EU with their centralized pass system.

Outside of that, do check-in counter employees even do anything with the QR code? Or is the point to just "have" a shiny QR code and you can just generate one that goes to example.com...?!?

when the test requirement first started people were making fake results, specially in developing countries. QR code is a way to verify those results (of course, agents don't check it normally). And yes, this is a privacy concern but generally the countries that have these qr code requirements don't give a crap about privacy.

I'm not sure that generalization is true: In Europe at least, it seems that privacy is taken much more seriously than in the US (where I live). My recent experience with QR codes is only in Switzerland and the Netherlands, but at least they claim that the scans contain only the minimal information to assure vaccine or test compliance, and to match the holder up with an ID. If you are US-based however, I understand your skepticism :)

I was actually impressed in NL, where the QR codes were efficiently scanned by any restaurant I entered, without fuss. Much more advanced than in the US, where even in CA where a QR is available, they still ask to see the paper CDC card and an ID.

Yes, US lags because we don't have a national identity system beyond social security numbers, which are mostly just used for credit reporting. I highly doubt we will get a centralized vaccination or COVID testing system; people are just too paranoid of government tracking.

But my question was mostly about QR code use by airlines and check-in personnel. If you were required to have your PCR results contain a QR code, did the airline personnel actually use that QR code for verification?

The QR codes on vaccine proof are not convenient links to the internet... they are encoded data that contains a copy of your vaccine record right there in the qr code itself (in other words they are readable offline). Verification might require a check of the signature (that also exists in the QR code) with a database somewhere but that signature isn't the person's health data, which remains local.

The reason they are there is because they are encoded in such a way that they are verifiably from an official source and cannot be created by anyone else (in theory).

Why is it a privacy concern to encode exactly the same information that is listed in writing on the certificate in a QR code format?

This applies to EU certificates but not to "regular" text-based certificates OP was referring to. Indeed my recent test result is merely a link to the website where you can check the result.

I was in Russia a few weeks ago and due to them not recognizing the Pfizer/Moderna vaccines had to get a ton of PCR tests. All of them had QR codes on the result page. Whenever we went to a museum/or other venue that required a Russian vaccination QR code (which we didn't have due to the problem with Pfizer/Moderna recognition) they would scan the QR code on the PCR test results and it would pull up a page with the name of the person tested, time when the test was completed, and result. From my experience most places scanned the tests to confirm their validity, but when flying home to the US notably Finnair did not.

Novak Djokovic may have some views on the thread's title....

https://www.spiegel.de/international...27d4795e97-amp

To answer the question - to prevent photoshopping out one name and inputting another.

Also you are voluntarily showing your QR code to the attendant, to enter the restaurant/museum, or to prove eligibility to fly. So it is not an invasion of your privacy.
The result page linked to the QR code i have only shows first few letters of my name and last name and passport number. So the providers can further limit amount of information exposed.

Sorry, I am specifically asking about COVID PCR result QRs that some airlines are requiring to be shown at check-in... not vaccination status QR codes.

I see. I just checked a couple of my PCR result certificates and found that the QR codes actually just decode to the information that is otherwise contained in the certificate itself, which is somewhat theatrical by way of verification as that would be easy to replicate by a motivated individual.

​​​​It would be interesting to see the form of the web link. Sadly I have none that have this. Embedding the test reference number in combination with something like a UUID (a 32 digit string of letters and numbers that would be [virtually] impossible to guess) into a link that operates via HTTPS would mean you can be satisfied that access to your information is protected from anyone who you didn't already give it to on the certificate itself (up to the extents of the ramshackle test company's overall IT security posture, that is!)

To chime on the US perspective for these codes, I often do PCR tests with Walgreens.

The results come with a QR code where the URL has an appropriate obfuscated appendage, a 36-character alpha numeric code (fake example: 759auy9e-7a0b-4gd3-b749-c74fyh458e5c). While, yes, this means my data is accessible to anyone on the internet, unless they have the capability to brute force or luckily guess all 36 chars (which, when inputted into a password security checker, will take 1e+49 years to crack), they can't access my test results.

And if, by some lucky guess, they are able to do so, they need my MM/DD/YYYY DOB in order to open the results.

And then, they have to do it within thirty days before the digital record is destroyed off of Walgreens' servers.

Honestly, coming from Canada, I seriously did not think Walgreens or any American medical/pharm provider took this digital security stuff seriously. While others have chimed in about what the QR codes could leak from less developed/secure providers, implementing this stuff is trivial and gives me peace of mind to my own medical security...which I don't care much about when it comes to a COVID test from a foreign country.


Back to your point, OP...is hiding this stuff behind a URL sufficient? An incredibly small chance of cracking the URL would render the link publicly "accessible", but I'd argue that the math and the security measures in place would make that extremely unlikely, hence a reasonable trade-off between security and convenience and document verification?

Thanks, that's very informative. I guess the second part of my question is do check-in counter airline employees actually do anything with the QR codes, or are they merely for "show"?