'Convenience comes at a price': Experts urge caution on QR codes
TORONTO -- With the rise in popularity of QR codes at restaurants and other businesses during the pandemic, privacy and cyber security experts are urging Canadians to be cautious in their use of the technology.
While the technology has been around since the early 90s, “quick response” or “QR” codes have experienced a rapid resurgence during the pandemic. The unique black-and-white squares – which serve as a kind of bar code – replaced physical menus at restaurants and other paper forms during the early push to provide touchless service and avoid further spread of COVID-19.
Instead of handling a menu or filling out a check-in document, customers could use their smartphones to quickly scan a QR code, which would take them to a digital menu or online contact tracing form, for example.
And although the science on COVID-19 has been updated to show the disease is not as easily spread by contaminated surfaces as it was first thought, businesses have continued to make use of QR codes for their convenience and other advantages. Some of those perks include cost savings in not printing menus, the ease of editing a menu online, and the ability to collect information on their customers’ preferences to cater to them.
But are there any potential downsides to this QR code technology that’s being embraced so widely?
While directing diners to a digital menu using a QR code may seem innocuous, privacy experts expressed their concerns about what personal data is being collected and how it could be used when a customer visits a particular website.
Brenda McPhail, the director of the privacy, technology and surveillance program at the Canadian Civil Liberties Association (CCLA), said QR codes are not always problematic, but it can be difficult to tell when they are.
“We don't know whether all the code is doing is taking us to a website to show us a restaurant menu, or whether the code also has information built into it that will allow whoever created the code to keep track of what we ordered,” she told CTVNews.ca during a telephone interview on Monday.
McPhail cautioned that every time another layer of technology is added to an everyday activity in a “surveillance capitalist economy,” there is the risk of increased tracking of consumers’ daily habits.
“We are increasingly surrounded by technologies that appear to do one thing to help us that we choose, and that beneath the surface, do another thing, which is collect information about us, and how we use that technology, and where we use it, in order to collect more and more detailed information about us for advertising purposes,” she said.
Ritesh Kotak, a Toronto-based cyber security expert, explained that every time a consumer scans a QR code, some metadata, such as the type of device they’re using, their location, IP address, the date and time, and any other information they input in a COVID-19 contact tracing form, for example, may be collected.
“To the average person they may be like, ‘Well, whatever, you got an IP address, you know that I'm on an iPhone or an Android. OK, great.’ The problem becomes… if that data starts getting aggregated with different sources,” he said.
Kotak said many restaurants are using third-party apps for their QR code technology, which means a single company may be able to collect data on individual customers from multiple establishments.
“When you start aggregating that stuff, you start getting a really fulsome picture on an individual and that is when it becomes scary,” he said.
A LACK OF CONSENT
Sharon Polsky, the president of the non-profit Privacy and Access Council of Canada, said one of her major concerns with the use of QR codes is that Canadians aren’t always being asked for their consent to have their information collected, stored, and used for advertising or promotional purposes.
Even if they are presented with an option to provide their consent, they typically have no other choice but to accept what it says if they want to proceed with the service.
“It’s an all-or-nothing proposition. Either you consent or you don't use our service or product,” Polsky said. “The consent model right now is absolutely coercive, we have no alternative. So that’s something that needs to be changed.”
McPhail agreed that businesses should request customers’ consent to track their data when they first scan the QR code.
“If it was a consent-based as opposed to something that happened in the background and in secret, then that changes the consumer equation, people have a choice,” she said.
“We have privacy laws that require that personal information collected about us by a commercial entity should be consent based. So it’s not just a nice thing to ask for consent. It's actually legally required.”
Unfortunately, because the widespread adoption of QR codes is still relatively new, in Canada at least, McPhail said businesses aren’t necessarily aware of these laws or how they should be asking for consent when they’re using third-party apps.
In addition to privacy concerns, Kotak said there are also potential cyber security risks with the use of QR codes. He said the technology could be vulnerable to cyber attacks in which someone embeds malicious malware into the QR code to extract data from the mobile device used to scan it or they embed a different URL that takes the scanner to a phishing site to get them to disclose information.
“We have seen this where the URL actually gets redirected to another site that is actually collecting information,” he said.
McPhail added that there are known scams in which people paste a sticker with their own QR code on it over top of a legitimate code in order to redirect an unsuspecting user to their website.
“It gets more dangerous if the code takes you to a site that's not just about looking at a menu, but maybe also paying for your purchase because at that point, of course, then there's the risk that your banking information or financial information will get scooped or that you'll simply be paying scammers instead of the restaurant,” she said.
Kotak said that while QR code technology is certainly convenient, there could be a price to pay for that convenience, especially if it’s not implemented properly with the right safeguards.
“If the recent increase in cyber-related frauds and crime is any indication of where we're headed, it is all the more important to think about these things and patch up vulnerabilities before they become mainstream, before they get exploited, and our data gets weaponized against ourselves.”
McPhail noted that restaurants or other businesses that require customers to scan a QR code with a smartphone for service might be discriminating against those who don’t own a device containing that technology.
“While most of us do, many of us do, one thing we learned during the rollout of the COVID alert exposure notification app… was that there's a small, but significant proportion of the population that don't have that phone,” she said. “If you don't have a phone, you should still be able to order in a restaurant.”
According to the American Civil Liberties Union (ACLU), older populations, low-income individuals, the unhoused, and those with disabilities are less likely to be able to afford a smartphone than other groups.
“When restaurants make owning a smartphone and being able to scan a QR code the default for being served a meal, that also has significant implications for equity,” the group states on its website. “These are some of our most vulnerable communities.”
McPhail said the easiest way to solve this disparity is to provide paper menus or contact tracing forms for those who don’t own a smartphone.
“What we know about the way that COVID transfers is that it's probably perfectly safe to look at a paper menu for a few minutes to decide what you want,” she said.
HOW TO PROTECT YOURSELF
The simplest way for customers to protect themselves from the potential risks of scanning a QR code, according to the privacy and cyber security experts who spoke to CTV News, is to avoid using it altogether and to request a paper copy of the menu or to provide their contact tracing information on paper.
“I think it's important for people to understand that the convenience comes at a price, and that they're allowed to ask for a paper menu, they're allowed to present a paper immunization record,” Polsky said.
Another option is for diners to navigate to the digital menu through their browser instead of using the QR code; however, McPhail said there might still be cookies on the restaurant’s website, but at least visitors know it’s the right website and they can turn off cookies in their browser if they’re concerned.
The ACLU recommends that consumers treat QR codes like a link in an unknown email. The organization also said they can use software that allows them to inspect the QR code or the action it will take before it’s passed to their browser or any other app.
Kotak suggested that diners look out for QR codes that look like they have been pasted over top of another one. He said they can also ask the host or manager of the restaurant if the link to their website on the QR code is the correct one because it’s the responsibility of the restaurant or business to ensure it hasn’t been manipulated.
“Think before you click. Think before you provide information,” he said.
“Don’t arbitrarily just snap a photo. You take out your phone, get the link, and start giving away your personal information. That is your data. And if it gets out in the wild, getting it back and remedying it is extremely difficult and in some cases, almost impossible.”