If you’ve dined out in public recently, chances are you scanned a QR code with your phone to view the menu. You may have even used a QR code to pay the bill. Restaurants, cafes and bars have ditched physical print menus in favor of touch-free options, and QR codes are everywhere. However, this week the New York Times reported that these ubiquitous QR codes can be used for collecting and tracking customer data. So far, there is no evidence that this ability has been abused – yet. But for privacy experts, QR codes are a growing concern.
A QR code (short for Quick Response Code) is a type of bar code that looks like a pixelated square grid. Information is encoded into the QR code and can be read using a scanner. Most smartphones have a built-in QR scanner that uses the phone’s camera to read the codes. Older phones without a built-in scanner can use a 3rd-party app. QR codes can be employed for a variety of uses, from tracking inventory to connecting to a wi-fi network to opening a website.
While QR codes have been around since 1994, their usage in the United States has exploded due to the COVID-19 pandemic. People are more likely now to gravitate towards touchless options rather than expose themselves to potentially virus-laden surfaces.
According to the National Restaurant Association, half of all full-service restaurants in the U.S. now use QR codes to display their menus digitally. Mr. Yum is an Australian company that offers a QR code menu and ordering system for restaurants. According to Bloomberg, Mr. Yum grew 27-fold in 2020, at the height of the pandemic.
Going digital gives restaurants a ton of advantages. They can easily update their menus and drink specials without the cost and waste of printing. They can skip having to clean and sanitize messy, food-stained print menus. They can slash labor costs by reducing the need for waitstaff. And of course, they offer customers a touchless way to select and even pay for their meals.
Diners like QR code menus too. According to the Appetize Contactless Technology Survey, 45% of Americans prefer to view the menu, order and pay with their phone rather than interact with servers during COVID-19. 40% said they want to continue doing this after the pandemic. While many are strictly opposed to viewing screens at the table, they will make an exception when it comes to QR code menus.
When you scan a QR code with your phone, it directs you to an online version of the restaurant’s menu. But there may be more going on behind the scenes that you can’t see. QR codes can be utilized to record and track every scan. They can also point you to a website equipped with analytics to track your personal information, such as your name, search history, browsing habits, device information, geographical location, payment history, etc.
To be clear, much of this information can be collected from many websites, not just the ones accessed through QR codes, via tracking cookies. Typically, this data is sold to data brokers and used for advertising purposes. Mr. Yum and a similar company Cheqout both claim that they do not currently sell any of the data they collect.
Jay Stanley, an ACLU senior policy analyst told the Times, “People don’t understand that when you use a QR code, it inserts the entire apparatus of online tracking between you and your meal. Suddenly your offline activity of sitting down for a meal has become part of the online advertising empire.”
Because people can’t read the information in a QR code with the naked eye, there is an element of blind faith involved in scanning one. Cybercriminals could create a QR code that points to a malware download or to a phishing site. These malicious QR codes can then be planted in public places (restaurants, for example) and pasted right over the original QR codes. Unsuspecting users may never realize that they have been redirected to a malicious site until it’s too late.
Malicious QR code attacks are relatively rare. Read up on our 12 tips for avoiding mobile security threats and proceed with caution. As always, we recommend that you remain vigilant and check any QR codes for possible tampering before you scan them.
QR codes are not inherently bad, but because they are so versatile and can be used in so many ways, it’s important to be aware of what may be going on underneath the surface. Check your phone's privacy settings for tracking activity, location access and ad personalization to help minimize tracking. Again, there is no evidence that the data collected when scanning QR code menus is being abused. However, it’s worth noting that the information is being collected so that you can make an informed decision before sacrificing your privacy.