[INTERVIEW] How a disappearing QR code helps combat Covid-19
After a cluster of Covid-19 infections in Itaewon’s nightclub district in early May, authorities were unable to contact roughly 60 percent of the 4,961 people that submitted names and phone numbers before entering clubs and bars. Many submitted fake names and numbers.
Later that month, the government announced a solution to that problem: an electronic registry using QR codes. Short for quick response codes, these square-shaped bar codes contain various types of data.
From June 10, every visitor to a club, hostess bar, karaoke joint or concert hall became obliged to have a QR code issued via smartphone. The code is captured by the club or concert hall when patrons enter. Named “KI-Pass,” these codes are only used in emergency situations to track people who may have come into contact with an infected person.
Internet portal Naver is the government's first partner for the QR codes. People with Naver IDs can have a QR code issued on their smartphone through the portal’s mobile app or internet website. QR codes expire in 15 seconds. A different QR code will be issued every time someone wants to go into a restricted place like a club or bar.
“If the same QR code is reused, it becomes statistically possible to trace back personal information on a user, like the places they went, the person’s age and even singling out who that person is. So we needed a one-time identification code,” said Baek Jong-won, the tech leader of Naver’s mobile app.
Quarantine authorities first reached out to Baek on May 20. They were looking for ways to use QR codes as a complement to handwritten logs to track people. After numerous all-nighters, videoconference calls and lots of dedication from the Naver team, the QR code function was operable in three weeks. Normally, only a rough blueprint would have been possible in that amount of time.
Below are edited excerpts of the Korea JoongAng Daily's interview with Baek on June 18 at Naver’s headquarters in Bundang, Gyeonggi.
Q. Let's say my QR code was captured and saved by a club owner. Where does this information go?
A. Each QR code contains what we call a unique identifier. It doesn’t mean this holds any personal information — it’s like a time record that tells when this QR code was produced. Club owners also have a mobile app offered by the government that gives them unique IDs. The user’s QR code, the store’s ID and information on when the visit was made are sent to the database of the state-run Social Security Intelligence Service (SSIS). Naver doesn’t have information on which store or club the user visited, but it does keep automatic records of when an ID holder had issued a QR code and can match IDs to one’s actual name and phone number.
In other words, it’s impossible to know which person visited which store at a certain time and what his or her contact number is without combining data from both parties. Every QR code saved in the two databases expires after 28 days.
What is the procedure when the government confirms that someone has an infectious disease and wants access to information about people that may have come into contact with the patient?
The government would start off with the patient’s phone number. Then it would reach out to Naver to get QR codes that were made by this specific person. The SSIS would take those codes to find which crowded places this person had gone to and the QR codes each operation had received from its other customers — this is the pool of people that may have come into contact with the patient. The government would then take this list of visitors’ QR codes and come to Naver for the names and phone numbers in our database to reach out to them. We intentionally made the process complicated to prevent misuse of information.
The service officially launched on June 10. Has the government used your customer information for quarantine purposes or contact tracing?
Not yet. That’s probably because there was no confirmed case where a patient was infected in a crowded area. We did see that as of Tuesday, 1.13 million users agreed on user terms for the function, which is the first step in issuing a QR code. But this doesn’t necessarily mean all of them used it to enter a crowded operation, just that they agreed to it.
As an internet portal, providing the government with personal information of your customers can be a sensitive issue.
From the company’s perspective, personal information is a valuable resource that can’t be compromised. It’s not something we can just hand over to the government because they tell us to. But our cooperation in a pandemic situation is specified in Korea’s Infectious Disease Control and Prevention Act, which was passed after the Middle East respiratory syndrome [MERS]. This is the same law that provides the grounds for mobile carriers to offer customer information in the same situation. Our official stance is that giving personal information is strictly restricted and follows the law.
We have authorities asking for cooperation with warrants from time to time so we have an internal team that knows the law and our obligations in terms of customer information. That experience also helped us in the accelerating of the launch date [for the QR codes].
Would you say the KI-Pass was a system made possible by Korea’s IT environment?
Well, the government wanted a solution that could track contact points to a patient while securing personal information. And to do that you need to have a new QR code made and discarded in seconds. Considering the number of crowded operations and the number of Korean people, this translates to hundreds of millions of QR codes being produced per day. And there aren’t many countries out there that have portal service providers that can offer a service on such a scale apart from us or the United States.
BY SONG KYOUNG-SON [firstname.lastname@example.org]