Starting June 10, the government implemented KI-Pass, short for Korean Internet Pass. This application utilizes QR code check-ins on Naver, KakaoTalk, and PASS to identify when people use public facilities such as cafés, restaurants, bars, and movie theaters. Although the system was presented as a relatively safer alternative to handwriting personal information including names and phone numbers, this QR code system still raises doubts on its credibility.
Privacy is the key point of contention in QR code check-in applications. Those who oppose the widespread usage of this system contend that what is dubbed as a QR code check-in ‘service’ is not at all optional. In fact, it has become mandatory to the extent that it is impossible to use facilities if one refuses checking in through QR codes.
People’s Solidarity for Participatory Democracy (PSPD), a nongovernmental organization, expressed their concerns through an official statement.
“The administrative convenience that such a system has in the containment of the pandemic should not be prioritized over people’s privacy,” PSPD said. “There were no thorough discussions nor public consent that preceded this QR code check-in policy. This may well be the precedent to other overpowering measures the government could impose on the public stating that it is due to ‘national emergencies.’”
Additionally, policy analysis activist Hyiu from the Korean Progressive Network JINBONET (Network) mentioned that the major problems of QR code check-in systems lie in the boundless collection and unsure removal of personal information.
“The government announced that they will track ‘those suspicious of contact with confirmed patients,” Hyiu said. “However, this labeling itself is very vague. It means that the authorities do not have any specific numeral limits in collecting and tracking information of those deemed as suspicious.”
She referred to the Itaewon club incident when authorities requested access to base stations. They collected data of 10,905 people who used their phones for more than 30 minutes in 17 different Itaewon clubs, from April 24 to May 6. Hyiu believes the government blew the incident out of proportion to consider over a million people to be suspected patients.
“According to the response the Network received from Korea Disease Control and Prevention Agency (KDCP), the Agency did not discard the personal information acquired from MERS in 2015,” Hyiu added.
Oh mentioned that clarification is needed on how QR codes are used and later extracted when any confirmed cases are found. Simply explained, it is like a puzzle. When a user checks in through the system, the information of when and where the QR code was processed is kept in the database of the Social Security Intelligence Service (SSIS). Later when a confirmed case is notified, SSIS would request KakaoTalk or Naver on whose QR code it was and receive the information of the visited people. QR codes saved in separate databases expire after 28 days.
When Oh was asked why he thinks Korea chose a tracking policy making use of applications, he replied the nation’s highly advanced IT technology enables it to do so.
“Most people use smartphones and the internet networking system is stable in Korea,” Oh said. “Considering this environment, it was apt for the government to make QR codes that the public could easily use. Japan for instance, worsened their disease control due to an inefficient tracking system consisting of handwritten forms.”
Some public facilities still use paper logs to note personal information, but after QR code check-in was initiated it became the preferred method. Given the rising concern in privacy issues, this digitized system requires more social consensus.