TORONTO -- With the rise in popularity of QR codes at restaurants and other businesses during the pandemic, privacy and cyber security experts are urging Canadians to be cautious in their use of the technology.
While the technology has been around since the early 90s, "quick response" or "QR" codes have experienced a rapid resurgence during the pandemic. The unique black-and-white squares, which serve as a kind of bar code, replaced physical menus at restaurants and other paper forms during the early push to provide touchless service and avoid further spread of COVID-19.
Instead of handling a menu or filling out a check-in document, customers could use their smartphones to quickly scan a QR code, which would take them to a digital menu or online contact tracing form, for example.
And although the science on COVID-19 has been updated to show the disease is not as easily spread by contaminated surfaces as it was first thought, businesses have continued to make use of QR codes for their convenience and other advantages. Some of those perks include cost savings in not printing menus, the ease of editing a menu online, and the ability to collect information on their customers' preferences to cater to them.
But are there any potential downsides to this QR code technology that's being embraced so widely?
INCREASED TRACKING
While directing diners to a digital menu using a QR code may seem innocuous, privacy experts expressed their concerns about what personal data is being collected and how it could be used when a customer visits a particular website.
For example, a customer might be taken to the restaurant's website or a third-party service provider that uses cookies to track visitors' behaviours. If the diner orders directly off the digital menu, the restaurant or service provider might be able to store those preferences and other information, such as the time of the visit, to target their ads or upsell the customer with personalized offers and incentives.
Brenda McPhail, the director of the privacy, technology and surveillance program at the Canadian Civil Liberties Association (CCLA), said QR codes are not always problematic, but it can be difficult to tell when they are.
"We don't know whether all the code is doing is taking us to a website to show us a restaurant menu, or whether the code also has information built into it that will allow whoever created the code to keep track of what we ordered," she told CTVNews.ca during a telephone interview on Monday.
McPhail cautioned that every time another layer of technology is added to an everyday activity in a "surveillance capitalist economy," there is the risk of increased tracking of consumers' daily habits.
"We are increasingly surrounded by technologies that appear to do one thing to help us that we choose, and that beneath the surface, do another thing, which is collect information about us, and how we use that technology, and where we use it, in order to collect more and more detailed information about us for advertising purposes," she said.
Ritesh Kotak, a Toronto-based cyber security expert, explained that every time a consumer scans a QR code, some metadata, such as the type of device they're using, their location, IP address, the date and time, and any other information they input in a COVID-19 contact tracing form, for example, may be collected.
"To the average person they may be like, 'Well, whatever, you got an IP address, you know that I'm on an iPhone or an Android. OK, great.' The problem becomes… if that data starts getting aggregated with different sources," he said.
Kotak said many restaurants are using third-party apps for their QR code technology, which means a single company may be able to collect data on individual customers from multiple establishments.
"When you start aggregating that stuff, you start getting a really fulsome picture on an individual and that is when it becomes scary," he said.
A LACK OF CONSENT
Sharon Polsky, the president of the non-profit Privacy and Access Council of Canada, said one of her major concerns with the use of QR codes is that Canadians aren't always being asked for their consent to have their information collected, stored, and used for advertising or promotional purposes.
Even if they are presented with an option to provide their consent, they typically have no other choice but to accept what it says if they want to proceed with the service.
"It's an all-or-nothing proposition. Either you consent or you don't use our service or product," Polsky said. "The consent model right now is absolutely coercive, we have no alternative. So that's something that needs to be changed."
McPhail agreed that businesses should request customers' consent to track their data when they first scan the QR code.
"If it was a consent-based as opposed to something that happened in the background and in secret, then that changes the consumer equation, people have a choice," she said.
"We have privacy laws that require that personal information collected about us by a commercial entity should be consent based. So it's not just a nice thing to ask for consent. It's actually legally required."
Unfortunately, because the widespread adoption of QR codes is still relatively new, in Canada at least, McPhail said businesses aren't necessarily aware of these laws or how they should be asking for consent when they're using third-party apps.
SECURITY RISKS
In addition to privacy concerns, Kotak said there are also potential cyber security risks with the use of QR codes. He said the technology could be vulnerable to cyber attacks in which someone embeds malicious malware into the QR code to extract data from the mobile device used to scan it or they embed a different URL that takes the scanner to a phishing site to get them to disclose information.
"We have seen this where the URL actually gets redirected to another site that is actually collecting information," he said.
McPhail added that there are known scams in which people paste a sticker with their own QR code on it over top of a legitimate code in order to redirect an unsuspecting user to their website.
"It gets more dangerous if the code takes you to a site that's not just about looking at a menu, but maybe also paying for your purchase because at that point, of course, then there's the risk that your banking information or financial information will get scooped or that you'll simply be paying scammers instead of the restaurant," she said.
Kotak said that while QR code technology is certainly convenient, there could be a price to pay for that convenience, especially if it's not implemented properly with the right safeguards.
"If the recent increase in cyber-related frauds and crime is any indication of where we're headed, it is all the more important to think about these things and patch up vulnerabilities before they become mainstream, before they get exploited, and our data gets weaponized against ourselves."
EQUITY CONCERNS
McPhail noted that restaurants or other businesses that require customers to scan a QR code with a smartphone for service might be discriminating against those who don't own a device containing that technology.
"While most of us do, many of us do, one thing we learned during the rollout of the COVID alert exposure notification app… was that there's a small, but significant proportion of the population that don't have that phone," she said. "If you don't have a phone, you should still be able to order in a restaurant."
According to the American Civil Liberties Union (ACLU), older populations, low-income individuals, the unhoused, and those with disabilities are less likely to be able to afford a smartphone than other groups.
"When restaurants make owning a smartphone and being able to scan a QR code the default for being served a meal, that also has significant implications for equity," the group states on its website. "These are some of our most vulnerable communities."
McPhail said the easiest way to solve this disparity is to provide paper menus or contact tracing forms for those who don't own a smartphone.
"What we know about the way that COVID transfers is that it's probably perfectly safe to look at a paper menu for a few minutes to decide what you want," she said.
HOW TO PROTECT YOURSELF
The simplest way for customers to protect themselves from the potential risks of scanning a QR code, according to the privacy and cyber security experts who spoke to CTVNews.ca, is to avoid using it altogether and to request a paper copy of the menu or to provide their contact tracing information on paper.
"I think it's important for people to understand that the convenience comes at a price, and that they're allowed to ask for a paper menu, they're allowed to present a paper immunization record," Polsky said.
Another option is for diners to navigate to the digital menu through their browser instead of using the QR code; however, McPhail said there might still be cookies on the restaurant's website, but at least visitors know it's the right website and they can turn off cookies in their browser if they're concerned.
The ACLU recommends that consumers treat QR codes like a link in an unknown email. The organization also said they can use software that allows them to inspect the QR code or the action it will take before it's passed to their browser or any other app.
Kotak suggested that diners look out for QR codes that look like they have been pasted over top of another one. He said they can also ask the host or manager of the restaurant if the link to their website on the QR code is the correct one because it's the responsibility of the restaurant or business to ensure it hasn't been manipulated.
"Think before you click. Think before you provide information," he said.
"Don't arbitrarily just snap a photo. You take out your phone, get the link, and start giving away your personal information. That is your data. And if it gets out in the wild, getting it back and remedying it is extremely difficult and in some cases, almost impossible."
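The ACLU's suggestion to inspect what a QR code will do before it reaches the browser, and Kotak's advice to confirm the link is the restaurant's own, can be sketched as a check on the text a scanner decodes. This is an added example, not from the article or the experts quoted; the function name, the tracking-parameter list and the `.example` hosts are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: a small sample of query parameters commonly used to tag visitors.
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "gclid", "fbclid"}


def inspect_qr_payload(payload, expected_host):
    """Return a list of findings for decoded QR text; an empty list means no flags."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        # QR codes can carry phone numbers, Wi-Fi settings, etc.; not a menu link.
        return ["not a web link (scheme %r)" % parts.scheme]

    findings = []
    if parts.scheme != "https":
        findings.append("unencrypted http link")

    # Text before '@' is login info, not the site; it can disguise the real host.
    if parts.username or parts.password:
        findings.append("userinfo before '@' hides the real host")

    host = (parts.hostname or "").lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host (possible look-alike domain)")

    # The link should land on the business's own domain or a subdomain of it.
    expected = expected_host.lower()
    if host != expected and not host.endswith("." + expected):
        findings.append("host %r is not %r (third party or replaced code)" % (host, expected))

    tracked = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                     if k.lower() in TRACKING_PARAMS)
    if tracked:
        findings.append("tracking parameters: " + ", ".join(tracked))
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    samples = [
        "https://menu.bistro.example/table/12",
        "https://qr-vendor.example/r/abc?fbclid=1&table=4",
        "http://bistro.example@pay.example.net/checkout?utm_source=qr",
    ]
    for text in samples:
        print(text, "->", inspect_qr_payload(text, "bistro.example") or "no flags")
```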