On Sunday 17 May, Thailand got its first taste of the “new normal” with the Thai Chana (Thailand Wins) application, run by Krungthai Bank (KTB).
On entering a shopping mall, we have to scan a QR code to check in and check out. Why? So the government can obtain our personal data in order to keep track of us, in the interests of containing the spread of COVID-19.
But frankly, it’s a loss where privacy is concerned. Furthermore, the QR code for check-in/out is problematic. Not to mention, using phone numbers for contact tracing isn’t exactly reliable.
Privacy
When we scan the QR code that leads to www.ไทยชนะ.com for the first time, the website shows us a user agreement form.
The form asks for our consent in sending our registration data to the Public Health Ministry, which consists of our phone number, check-in/out location and time spent at the location.
The catch is, it doesn’t really tell us everything about how our data can be used. For that, we would need to read the terms and conditions for registration of merchants to Thai Chana.
The T&Cs state that customer data may be sent to any organization authorized by the Ministry of Public Health. Apart from using the collected data to prevent and contain COVID-19, it can also be used for “public interests,” even after disease control measures cease to be in effect.
Both points raise a bloody red flag with regard to our right to privacy. It essentially gives the state a blank check to use our data in any way it sees fit, provided that it’s for “public interests”.
There is currently no legislation to prevent our personal data from being “misused”; nor are data handlers accountable for breach of privacy. The right to privacy of citizens should be protected, even in times of crisis. For example, Australia has drafted legislation for its contact tracing app.
But for Thailand, all we have to go by is the “trust” we put in the government not to “misuse” our private data.
Usability
Thai Chana’s design is clearly intended to be user-friendly.
When entering a store, we just need to “check in” by scanning a QR code, as we would when adding friends in Line Chat. When we exit, we do the same to “check out.”
The problem is, when entering a shopping mall, we will have to do this over and over again. First when we enter the mall. Then when we enter a store. Then again when we enter a restaurant. And so on.
Long queues are the result. Social distancing becomes an issue.
For people without a smartphone, there is no other choice but to register by pen and paper. Longer queues. Longer delays. Not so much social distancing.
The problem can be alleviated by limiting mandatory check-in to the main entrance of shopping malls. There’s no need to check in at every store, unless the government fears there’s a good chance of someone catching COVID-19 on the way from the main entrance into a store, and into another store, then into another store. And so on.
For those without smartphones, we can employ a feature to allow check-in using automated calls or SMS, similar to how India caters its contact tracing app to 550 million mobile-phone users.
Reliability
Last, but not least, when we register on the website for the first time, it will ask for our phone number, which is linked to our ID or passport number. This way, the app can identify who we are and keep track of us.
Problem: What if some people don’t give their real phone numbers?
Unless you are someone who wholeheartedly trusts the government with your private data, let’s face it, a lot of people would just punch in fake numbers.
The problem can be fixed by adding a step after entering the phone number. In this step, the app sends a text message containing a One-Time Password (OTP) to the user and asks the user to verify the phone number to complete the registration.
This should be the easiest to implement, since KTB already uses the OTP method to verify their Internet Banking users.
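The OTP step proposed above, sketched as an added example (this is not Thai Chana's or KTB's code). The `send_sms` callable, the five-minute lifetime and the three-attempt limit are assumptions; the point is that a number only counts as registered once the code sent to it comes back.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 3       # assumed number of guesses allowed per code


class PhoneVerifier:
    """Treats a phone number as registered only after its OTP is confirmed."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms            # assumed gateway: callable(phone, text)
        self._clock = clock
        self._key = secrets.token_bytes(32)  # keys the MAC so raw codes are never stored
        self._pending = {}                   # phone -> [mac, expires_at, attempts_left]
        self.verified = set()

    def _mac(self, phone, code):
        # Bind the code to the phone number it was sent to.
        return hmac.new(self._key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def start(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        self._pending[phone] = [self._mac(phone, code),
                                self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your verification code is {code}")

    def confirm(self, phone, code):
        entry = self._pending.get(phone)
        if entry is None:
            return False
        mac, expires_at, _ = entry
        if self._clock() > expires_at:       # stale code: force a fresh start()
            del self._pending[phone]
            return False
        entry[2] -= 1                        # count the attempt before comparing
        if hmac.compare_digest(mac, self._mac(phone, code)):
            del self._pending[phone]         # single use: a replay finds nothing
            self.verified.add(phone)
            return True
        if entry[2] == 0:                    # guesses exhausted: discard the code
            del self._pending[phone]
        return False
```

Someone who types in a number they do not control never sees the SMS, so they are left guessing a six-digit code with three tries before it is discarded.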
But then again, should we trust the government with our personal data?