A review of the Thai store tracking system used at check-in & check-out to fight the spread of coronavirus.
On May 17, 2020, the Thai Chana (ไทยชนะ – “Thailand Wins”) online platform was launched as a part of the preparation for the 2nd phase of easing COVID-19 lockdown in Thailand.
All business owners could register their business to get their own QR codes & set their own limit on the number of visitors at a time. They are responsible for making sure that all customers scan the QR code at check-in & check-out. Business owners can also check how many people are in their store right now.
Here “check-in” & “check-out” mean the required registration of all store visitors at the entrance & exit by scanning QR codes.
The manual is available only in Thai, but it contains screenshots & illustrations.
It was assumed that everyone has a phone with a camera or a dedicated application that can scan QR codes.
And all stores should have their own generated QR codes printed on paper. The text on it is only in Thai. But from what I could read, there is a store name & its address. Some stores provide additional information in English.
- Scan the QR code to follow the link.
- Select English language & tap Check-In.
- Mark the checkbox to agree to collect your personal data & tap Next.
- Fill in your mobile number & tap Submit.
- Check-In completed!
At check-out the process is the same.
- Scan QR code & tap Check-Out.
- Check-Out completed!
- Optionally complete the survey & click Submit or Skip it.
My personal experience
The first time I saw the QR code was when I was going to the BigC Extra supermarket in Patong. Their staff asked me to scan the QR code. And it was in addition to checking my temperature, cleaning my hands with sanitizer & wearing a mask. By the way, if you don’t have a mask, they will offer you one to buy right there.
That time I thought I had to use some application to scan the QR code, as was said in the Thai news. But anyway I didn’t have mobile internet. I used only Wi-Fi while staying home.
So, as I couldn’t scan the QR code, I was asked to leave my name & phone number in the register book, and to clean my hands with sanitizer before & after using the pen.
It looks unsafe as everyone can get your data at check-in. It’s the same as writing your data on the wall.
And also the staff can’t check if you wrote your real name & phone number.
The process is the same at check-out. But I just walked out as usual after paying at the cash counter and no one asked me anything.
When BigC & Jungceylon shopping malls opened, the check-in boxes were set outside. Other malls like Central in Patong or Phuket have check-ins inside.
I tried to check in with the QR code; it required me to fill in my phone number, but I didn’t do it. At other check-ins I just pretended that I scanned it & passed. And nobody checked it.
At the exits I didn’t see anybody check out either.
Even though the staff are responsible for that, in some places they ask you to scan the QR code & in some not. I saw them check it only 2 times. And it was at check-in only.
Inside shopping malls, if I want to enter any store, I have to scan QR codes & use sanitizer at check-in & check-out every time.
Scanning QR codes with a phone is ok. But my hands hurt from cleaning them too often.
There are also some stores with no staff on hand to check visitors, and nobody checked in by themselves.
However, in Patong there are fewer people in the shopping malls than in Phuket Town. Most of them are Thais.
By the way there is an “innovative part” of the tracking system: on check-in everyone gets a sticker on clothes. 😄
As a result, these stickers are everywhere on the street.
In one store in Central Phuket I faced racism. When I scanned the QR code, a Thai woman on the staff asked me to write my name & phone number in the register book.
My Thai girlfriend & I tried to explain to her it’s some bullshit, cuz I had just checked in with the QR code in front of her. But she said I have to leave my data anyway, cuz I’m a farang!
Thais call any white person a farang.
In the end she gave up, we got some numbers on a piece of paper and we entered the store. Later we went out and no one asked us anything. Such a classic!
Research of the web application
Here is what I found on the web app:
- It lives on the qr.thaichana.com domain.
- No main page; it is accessible only for a specific store, by following the link from the QR code.
- Already has English language.
- It was built with Next.js, the React framework.
- No dark mode.
The official Thai Chana site is in Thai language only:
It doesn’t contain anything related to their application. There is only general information.
All other sites are fake & can steal your data. Don’t follow them!
How it works
The QR code contains a link to the page of a specific store on the Thai Chana site.
Once the QR code is scanned by your phone camera or a dedicated QR code application, the link is opened in the default browser.
The link looks like this:
If the store has already reached its limit when you follow the link, it tells you that you can’t check in and need to wait outside.
The first time you check in, it asks you to fill in your phone number.
After that check-in registration you don’t need to do it every time on the same device. The app stores a generated ID related to your phone number in your browser’s local storage.
As there is no OTP SMS to verify the filled-in phone number, this creates vulnerabilities:
- Anyone can check in with any number starting with 0.
- Anyone can check in with someone else’s real number, so if there is a real COVID-19 case, they will all be called.
- Anyone can check in many times & reach the store limit, so other visitors won’t be able to check in, while the store is actually free.
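How a check-in backend could close these three gaps, as an added example that is not Thai Chana’s code: the generated ID is issued only after a one-time code sent by SMS is confirmed, and each verified number counts once towards the store limit. The class name, the `sendSms` callback, the code lifetime and the retry limit are assumptions made for the illustration.

```javascript
// Added example, not Thai Chana code: phone ownership is proven with a
// one-time code before any device ID is issued (all names are hypothetical).
const { randomInt, randomUUID } = require('node:crypto');

const OTP_TTL_MS = 5 * 60 * 1000; // assumed lifetime of a code
const MAX_OTP_TRIES = 3;          // assumed number of guesses per code

class CheckInService {
  constructor(sendSms) {
    this.sendSms = sendSms;       // hypothetical SMS gateway callback
    this.pending = new Map();     // phone -> { code, expires, tries }
    this.devices = new Map();     // deviceId -> verified phone
    this.stores = new Map();      // storeId -> { limit, inside: Set of phones }
  }
  addStore(storeId, limit) { this.stores.set(storeId, { limit, inside: new Set() }); }

  requestOtp(phone, now = Date.now()) {
    const code = String(randomInt(0, 1000000)).padStart(6, '0');
    this.pending.set(phone, { code, expires: now + OTP_TTL_MS, tries: 0 });
    this.sendSms(phone, code);    // only the holder of the SIM sees the code
  }

  verifyOtp(phone, code, now = Date.now()) {
    const p = this.pending.get(phone);
    if (!p || now > p.expires) return null;          // unknown or expired
    if (++p.tries > MAX_OTP_TRIES) { this.pending.delete(phone); return null; }
    if (code !== p.code) return null;                // wrong guess
    this.pending.delete(phone);                      // a code works once
    const deviceId = randomUUID();                   // value kept in local storage
    this.devices.set(deviceId, phone);
    return deviceId;
  }

  checkIn(storeId, deviceId) {
    const phone = this.devices.get(deviceId);
    const store = this.stores.get(storeId);
    if (!phone || !store) return 'rejected';         // unverified or forged ID
    if (store.inside.has(phone)) return 'already-in'; // repeat scans use no capacity
    if (store.inside.size >= store.limit) return 'full';
    store.inside.add(phone);
    return 'ok';
  }

  checkOut(storeId, deviceId) {
    const phone = this.devices.get(deviceId);
    const store = this.stores.get(storeId);
    return Boolean(phone && store && store.inside.delete(phone));
  }
}
```

The `now` parameter exists only so that expiry can be exercised without waiting; a real service would also limit how often codes can be requested per number.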
After reading the terms & conditions you agree to allow the Ministry of Public Health & government agencies under it to collect only your name, phone number, place & time. But the app also tracks you with a 3rd-party service, Google Analytics. That means the Thai Chana app violates the agreement.
It’s also unclear how the data will be used.
In Chrome DevTools on the Network tab I checked how many kilobytes the app loads & how long it takes.
The first test is on slow 3G: more than half a megabyte & about 17 seconds.
The second one is on fast 3G: about a megabyte & 5 seconds.
Also I tested it in mobile Safari with a 1 Mbit/s connection. And it took 7 seconds. Re-entry – 1-2 seconds. Just for comparison, Google opens in a second.
On Google PageSpeed Insights it got 56 points on mobile & 98 points on desktop.
In the Thai news I saw that the iOS version of the Thai Chana app was expected to be released in late May. And the Android version was already available in the Google Play store.
I tried to search for it by typing “Thai Chana” or “ไทยชนะ” in Thai, but there was nothing in the App Store or in the Google Play store.
Later I found that the mobile application is actually called MorChana (หมอชนะ – “doctor wins”) & was released in April.
At first it was unclear as there were only talks about the Thai Chana application that was actually the website.
Next I will follow all registration steps in the app.
Terms & conditions
I read the Terms & Conditions and found what data it collects:
- Mobile number, requested 1 time on check-in.
- Age, which isn’t actually asked for in the app. I guess it can be extracted from the data registered with the mobile number.
- Address, only district & province (city).
- Check-in location information
- Contact tracing information, which is determined & collected by the app
- COVID-19 exposure risk such as traveling to high risk areas or being in close contact with an infected individual according to a hospital self-assessment form.
- COVID-19 symptoms such as a fever according to a hospital self-assessment form.
The purpose of collecting this data is to prevent the spread of coronavirus and other beautiful words. But who’s gonna trust it? At least it violates human rights & freedom.
And there is a data retention period. Within 30 days after the coronavirus pandemic & state of emergency end, all personal data will be erased. I don’t think so.
And it doesn’t fit with the Thai Chana conditions in the FAQ (it is in Thai, but I translated it), which says that the time limit for data storage is only 60 days.
I took a selfie of my girlfriend’s kitty-wallet. In the app there is no special AI engine to check if it’s a real face or not.
Permissions & accesses
Next the app asks to grant permissions to share my position, motion & Bluetooth access.
Bluetooth is used to scan & share information with other near-range devices that have the same application installed.
It asks to turn on notifications, but it already asked when I opened the app for the first time.
And then you need to start the evaluation. That is just a questionnaire.
It asks if you have symptoms related to COVID-19 or went overseas in the past 14 days.
It also asks if you were near a person who had COVID-19 risk in the past 14 days, and if you have an occupation that needs you to be close to foreigners frequently.
The app navigation
And in the end there is a risk level bar with your result.
On the data tab there are your avatar & the QR code with information from the questionnaire that can be used by doctors not to waste time asking the same questions.
On the Scan QR tab there is just the same camera to scan QR codes, but cropped in a square.
I scanned one QR code. And what did I see there? It opened the same Thai Chana site inside the app! Looks like they try to sell a browser with a tracker that collects extra data.
In the settings tab you can turn off Track with Bluetooth.
Also I checked what permissions were for this app in iOS settings. All the same as was requested.
- It takes only 14.3 MB in iOS.
- There is no dark mode.
- It uses the web view UI (a browser in the app) to display the Thai Chana web site.
- The app works in the background & eats phone battery, accessing location, motion & Bluetooth.
- If you delete & reinstall it, you need to register again.
- As it’s not an open-source app, we can’t be sure it collects only the data listed in the terms & conditions.
The check-in/-out system in Thailand is not perfect: it only half works & has vulnerabilities.
Here is a short summary:
- There is no need to download & use the app during check-in & check-out. A phone camera is enough to scan the QR code & open a link in the default browser.
- It’s unsafe to leave names & phone numbers in the register book as everyone can read them at check-in.
- The app with the personal QR code can probably save time at borders when traveling to another province or city.
- Ad blockers can prevent tracking by 3rd party services like Google Analytics in the Thai Chana web app.