Go Back  FlyerTalk Forums > Miles&Points > Coronavirus and travel
Reload this Page >

What is the point of QR codes on PCR Test Results?

What is the point of QR codes on PCR Test Results?

Old Jan 12, 22, 1:14 pm
  #1  
Original Poster
 
Join Date: Feb 2013
Posts: 27
Question What is the point of QR codes on PCR Test Results?

Is it to have a link to your negative test results on a webpage with all the details that you'd already have in an email or printout of the results? If so, doesn't that break privacy standards to just have your medical data sitting on the internet? If the airlines had a direct and secure connection to a singular system where only they can use the QR code to look up your test results, then it makes sense, but I doubt that is the case in most places outside of perhaps the EU with their centralized pass system.

Outside of that, do check-in counter employees even do anything with the QR code? Or is the point to just "have" a shiny QR code and you can just generate one that goes to example.com...?!?
nartman is offline  
Old Jan 12, 22, 2:24 pm
  #2  
 
Join Date: Aug 2017
Posts: 1,428
when the test requirement first started people were making fake results, specially in developing countries. QR code is a way to verify those results (of course, agents don't check it normally). And yes, this is a privacy concern but generally the countries that have these qr code requirements don't give a crap about privacy.
LETTERBOY and tpsmith82 like this.
nomiiiii is offline  
Old Jan 12, 22, 2:51 pm
  #3  
 
Join Date: Aug 2006
Location: near to SFO and LHR
Programs: BA Gold, B6 Mosiac, VS, AA, DL (and a legacy UA 2MM)
Posts: 2,203
Originally Posted by nomiiiii View Post
And yes, this is a privacy concern but generally the countries that have these qr code requirements don't give a crap about privacy.
I'm not sure that generalization is true: In Europe at least, it seems that privacy is taken much more seriously than in the US (where I live). My recent experience with QR codes is only in Switzerland and the Netherlands, but at least they claim that the scans contain only the minimal information to assure vaccine or test compliance, and to match the holder up with an ID. If you are US-based however, I understand your skepticism

I was actually impressed in NL, where the QR codes were efficiently scanned by any restaurant I entered, without fuss. Much more advanced than in the US, where even in CA where a QR is available, they still ask to see the paper CDC card and an ID.
etiene and sushanna1 like this.
StingWest is online now  
Old Jan 12, 22, 3:09 pm
  #4  
Original Poster
 
Join Date: Feb 2013
Posts: 27
Originally Posted by StingWest View Post
I was actually impressed in NL, where the QR codes were efficiently scanned by any restaurant I entered, without fuss. Much more advanced than in the US, where even in CA where a QR is available, they still ask to see the paper CDC card and an ID.
Yes, US lags because we don't have a national identity system beyond social security numbers, which are mostly just used for credit reporting. I highly doubt we will get a centralized vaccination or COVID testing system; people are just too paranoid of government tracking.

But my question was mostly about QR code use by airlines and check-in personnel. If you were required to have your PCR results contain a QR code, did the airline personnel actually use that QR code for verification?
LETTERBOY likes this.
nartman is offline  
Old Jan 12, 22, 4:35 pm
  #5  
 
Join Date: Mar 2014
Posts: 118
The QR codes on vaccine proof are not convenient links to the internet... they are encoded data that contains a copy of your vaccine record right there in the qr code itself (in other words they are readable offline). Verification might require a check of the signature (that also exists in the QR code) with a database somewhere but that signature isn't the person's health data, which remains local.

The reason they are there is because they are encoded in such a way that they are verifiably from an official source and cannot be created by anyone else (in theory).
etiene, FlitBen and chrisny2 like this.

Last edited by NandoDave; Jan 12, 22 at 4:52 pm
NandoDave is offline  
Old Jan 13, 22, 1:15 am
  #6  
 
Join Date: Jan 2008
Posts: 3,488
Originally Posted by nomiiiii View Post
when the test requirement first started people were making fake results, specially in developing countries. QR code is a way to verify those results (of course, agents don't check it normally). And yes, this is a privacy concern but generally the countries that have these qr code requirements don't give a crap about privacy.
Why is it a privacy concern to encode exactly the same information that is listed in writing on the certificate in a QR code format?
chrisny2 likes this.
Kgmm77 is offline  
Old Jan 13, 22, 1:22 am
  #7  
 
Join Date: Apr 2010
Location: VIE
Programs: SAS EBG / *A Gold, Radisson Platinum, SJ Prio Black
Posts: 2,561
Originally Posted by NandoDave View Post
The QR codes on vaccine proof are not convenient links to the internet... they are encoded data that contains a copy of your vaccine record right there in the qr code itself (in other words they are readable offline). Verification might require a check of the signature (that also exists in the QR code) with a database somewhere but that signature isn't the person's health data, which remains local.

The reason they are there is because they are encoded in such a way that they are verifiably from an official source and cannot be created by anyone else (in theory).
This applies to EU certificates but not to "regular" text-based certificates OP was referring to. Indeed my recent test result is merely a link to the website where you can check the result.
84fiero and sbandy like this.
the810 is offline  
Old Jan 13, 22, 3:58 am
  #8  
 
Join Date: Sep 2019
Location: CMH
Programs: American Airlines Gold, Hilton Diamond, Marriott Gold
Posts: 218
I was in Russia a few weeks ago and due to them not recognizing the Pfizer/Moderna vaccines had to get a ton of PCR tests. All of them had QR codes on the result page. Whenever we went to a museum/or other venue that required a Russian vaccination QR code (which we didn't have due to the problem with Pfizer/Moderna recognition) they would scan the QR code on the PCR test results and it would pull up a page with the name of the person tested, time when the test was completed, and result. From my experience most places scanned the tests to confirm their validity, but when flying home to the US notably Finnair did not.
doc4science is offline  
Old Jan 13, 22, 6:26 am
  #9  
 
Join Date: Feb 2011
Location: Loftus Road UK
Programs: AA Lifetime Plat; BA GGL; Virgin Gold; United Silver; Hilton Dia; IHG Spire; Marriott Tit; Hertz PC
Posts: 326
Novak Djokovic may have some views on the thread's title....

https://www.spiegel.de/international...27d4795e97-amp
sbandy likes this.
mookie10 is offline  
Old Jan 13, 22, 7:05 am
  #10  
 
Join Date: Sep 2005
Programs: AC MM E50 , Former SPG, now Marriott LT Plat
Posts: 5,772
To answer the question - to prevent photoshopping out one name and inputting another.
IluvSQ is offline  
Old Jan 13, 22, 8:46 am
  #11  
 
Join Date: Jan 2020
Programs: Jetblue, Turkish, Hilton
Posts: 248
Also you are voluntarily showing your QR code to the attendant, to enter the restaurant/museum, or to prove eligibility to fly. So it is not an invasion of your privacy.
The result page linked to the QR code i have only shows first few letters of my name and last name and passport number. So the providers can further limit amount of information exposed.

Last edited by ovacikar; Jan 13, 22 at 8:53 am
ovacikar is offline  
Old Jan 13, 22, 10:31 am
  #12  
Original Poster
 
Join Date: Feb 2013
Posts: 27
Originally Posted by NandoDave View Post
The QR codes on vaccine proof are not convenient links to the internet... they are encoded data that contains a copy of your vaccine record right there in the qr code itself (in other words they are readable offline). Verification might require a check of the signature (that also exists in the QR code) with a database somewhere but that signature isn't the person's health data, which remains local.

The reason they are there is because they are encoded in such a way that they are verifiably from an official source and cannot be created by anyone else (in theory).
Sorry, I am specifically asking about COVID PCR result QRs that some airlines are requiring to be shown at check-in... not vaccination status QR codes.
nartman is offline  
Old Jan 13, 22, 11:19 am
  #13  
 
Join Date: Mar 2014
Posts: 118
Originally Posted by nartman View Post
Sorry, I am specifically asking about COVID PCR result QRs that some airlines are requiring to be shown at check-in... not vaccination status QR codes.
I see. I just checked a couple of my PCR result certificates and found that the QR codes actually just decode to the information that is otherwise contained in the certificate itself, which is somewhat theatrical by way of verification as that would be easy to replicate by a motivated individual.

​​​​It would be interesting to see the form of the web link. Sadly I have none that have this. Embedding the test reference number in combination with something like a UUID (a 32 digit string of letters and numbers that would be [virtually] impossible to guess) into a link that operates via HTTPS would mean you can be satisfied that access to your information is protected from anyone who you didn't already give it to on the certificate itself (up to the extents of the ramshackle test company's overall IT security posture, that is!)
NandoDave is offline  
Old Jan 13, 22, 12:20 pm
  #14  
 
Join Date: May 2017
Location: YEG, SFO, JR JY-13
Programs: AC 75K and also 25K on account I don’t use
Posts: 491
To chime on the US perspective for these codes, I often do PCR tests with Walgreens.

The results come with a QR code where the URL has an appropriate obfuscated appendage, a 36-character alpha numeric code (fake example: 759auy9e-7a0b-4gd3-b749-c74fyh458e5c). While, yes, this means my data is accessible to anyone on the internet, unless they have the capability to brute force or luckily guess all 36 chars (which, when inputted into a password security checker, will take 1e+49 years to crack), they can't access my test results.

And if, by some lucky guess, they are able to do so, they need my MM/DD/YYYY DOB in order to open the results.

And then, they have to do it within thirty days before the digital record is destroyed off of Walgreens' servers.

Honestly, coming from Canada, I seriously did not think Walgreens or any American medical/pharm provider took this digital security stuff seriously. While others have chimed in about what the QR codes could leak from less developed/secure providers, implementing this stuff is trivial and gives me peace of mind to my own medical security...which I don't care much about when it comes to a COVID test from a foreign country.


Back to your point, OP...is hiding this stuff behind a URL sufficient? An incredibly small chance of cracking the URL would render the link publicly "accessible", but I'd argue that the math and the security measures in place would make that extremely unlikely, hence a reasonable trade-off between security and convenience and document verification?
asovse1 is offline  
Old Jan 13, 22, 12:28 pm
  #15  
Original Poster
 
Join Date: Feb 2013
Posts: 27
Thanks, that's very informative. I guess the second part of my question is do check-in counter airline employees actually do anything with the QR codes, or are they merely for "show"?
nartman is offline  

Thread Tools
Search this Thread