Risks associated with QR codes: cybersecurity experts urge caution

TORONTO – With the growing popularity of QR codes in restaurants and other businesses during the pandemic, privacy and cybersecurity experts are urging Canadians to be cautious in their use of technology.

While the technology has been around since the early 1990s, “quick response” or “QR” codes have seen a rapid resurgence during the pandemic. The unique black-and-white squares – which serve as a sort of barcode – replaced physical menus in restaurants and other paper forms at the start of the push to provide contactless service and prevent further spread of COVID-19.

Instead of handling a menu or filling out a registration document, customers could use their smartphones to quickly scan a QR code, which would take them to a digital menu or an online contact tracing form, for example.

And although the science on COVID-19 has been updated to show that the disease does not spread as easily through contaminated surfaces as initially thought, companies have continued to use QR codes for their convenience and other advantages. Some of these benefits include cost savings by not printing menus, the ease of editing a menu online, and the ability to collect information about their customers’ preferences to satisfy them.

But are there any potential downsides to this QR code technology that is so widely adopted?


While directing diners to a digital menu using a QR code may seem trivial, privacy experts have expressed concerns about the personal data collected and how it might be used when a customer visits a particular website.

For example, a customer may be redirected to the restaurant’s website or a third-party service provider that uses cookies to track visitor behavior. If the customer orders directly from the digital menu, the restaurant or service provider may be able to store these preferences and other information, such as the time of the visit, to target their ads or send the customer personalized offers and incentives.

Brenda McPhail, director of the Canadian Civil Liberties Association’s (CCLA) privacy, technology and oversight program, said QR codes aren’t always problematic, but it can be hard to tell when they are.

“We don’t know if all of the code takes us to a website to show us a restaurant menu, or if the code also contains information that will allow whoever created the code to keep track of what we ordered,” she told CTVNews.ca in a phone interview Monday.

McPhail warned that every time another layer of technology is added to daily activity in a “surveillance capitalist economy,” there is a risk of increased tracking of consumers’ daily habits.

“We’re increasingly surrounded by technologies that seem to do one thing to help us that we choose, and that below the surface, do another thing, which is to collect information about us, and how we use that technology, and where we use it, in order to collect increasingly detailed information about us for advertising purposes,” she said.

Ritesh Kotak, a Toronto-based cybersecurity expert, explained that every time a consumer scans a QR code, certain metadata, such as the type of device they are using, its location, IP address, date, and time, and any other information they enter in a COVID-19 contact tracing form, for example, may be collected.

“For the average person, they might be like, ‘Well, whatever, you have an IP address, you know I’m on an iPhone or an Android. Alright, great.’ The problem becomes… if that data starts to be aggregated with different sources,” he said.

Kotak said many restaurants use third-party apps for their QR code technology, which means a single company may be able to collect data on individual customers from multiple establishments.

“When you start putting these pieces together you start to get a very complete picture of an individual and that’s when it gets scary,” he said.


Sharon Polsky, chair of the Canadian nonprofit Privacy and Access Council, said one of her main concerns about using QR codes is that Canadians are not always asked to consent to their information being collected, stored and used for advertising or promotional purposes.

Even if they have the option of giving their consent, they usually have no choice but to accept whatever is asked if they wish to continue with the service.

“It’s an all-or-nothing proposition. Either you consent to it or you are not using our service or product,” Polsky said. “The consent model right now is absolutely coercive, we have no alternative. So this is something that needs to be changed.”

McPhail agreed that companies should seek consent from customers to track their data when they scan the QR code for the first time.

“If it was consent as opposed to something that happened in the background and in secret, then it changes the equation of the consumer, people have a choice,” she said.

“We have privacy laws that require personal information collected about us by a business entity to be based on consent. So it’s not just a good thing to ask for consent. It is in fact legally required.”

Unfortunately, because the widespread adoption of QR codes is still relatively new, at least in Canada, McPhail said companies are not necessarily aware of these laws or how they should seek consent when using third-party applications.


In addition to privacy concerns, Kotak said there are also potential cybersecurity risks with the use of QR codes. He said the technology could be vulnerable to cyber attacks in which someone embeds malware into the QR code to extract data from the mobile device used to scan it, or embeds a different URL that takes the scanner to a phishing website to get them to disclose information.

“We’ve seen this where the URL is actually redirected to another site that’s actually collecting information,” he said.

McPhail added that there are known scams where people stick a sticker with their own QR code on it on top of a legitimate code in order to redirect an unsuspecting user to their website.

“It becomes more dangerous if the code takes you to a site that is not just about looking at a menu, but maybe also paying for your purchase because at this point, of course, then there is the risk that your banking or financial information gets picked up or you will just pay the crooks instead of the restaurant,” she said.

Kotak said that while QR code technology is certainly handy, there could be a price to be paid for this convenience, especially if not implemented properly with the right safeguards.

“If the recent increase in cybercrime fraud and crimes is any indication of the direction we are heading, it is all the more important to think about these things and fix vulnerabilities before they become mainstream, before they are exploited, and our data becomes a weapon against ourselves.”


McPhail noted that restaurants or other businesses that require customers to scan a QR code with a smartphone for service could discriminate against those who do not have a device containing the technology.

“While most of us do, a lot of us do, one thing we learned when deploying the COVID Alert Exposure Notification app … If you don’t have a phone, you should still be able to order in a restaurant.”

According to the American Civil Liberties Union (ACLU), seniors, low-income people, homeless people and people with disabilities are less likely to be able to afford a smartphone than other groups.

“When restaurants make possession of a smartphone and the ability to scan a QR code the default for a meal, this also has important implications for fairness,” the group says on its website. “These are some of our most vulnerable communities.”

McPhail said the easiest way to resolve this disparity is to provide paper menus or contact tracing forms for those who don’t own a smartphone.

“What we do know about how COVID transfers is that it’s probably perfectly safe to look at a paper menu for a few minutes to decide what you want,” she said.


The easiest way for customers to protect themselves from the potential risks of scanning a QR code, according to privacy and cybersecurity experts who spoke to CTV News, is to avoid using them altogether and request a hard copy of the menu or provide their contact tracing information on paper.

“I think it’s important that people understand that convenience comes at a price, and that they are allowed to request a paper menu, they are allowed to present a paper vaccination record,” Polsky said.

Another option is for diners to access the digital menu via their browser instead of using the QR code; however, McPhail said there could still be cookies on the restaurant’s website, but at least visitors know it’s the right website and they can turn off cookies in their browser if they are concerned.

The ACLU recommends that consumers treat QR codes like a link in an unknown email. The organization also said they can use software that allows them to inspect the QR code or the action it will take before it is passed to their browser or any other app.
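As an added illustration (not from the article or the ACLU), here is a sketch of what inspecting a code before it reaches the browser can mean once a scanner app has decoded it to text. The function name, the sample payloads and the `example-bistro.test` domain are constructed assumptions, and the venue's real domain is assumed to be known.

```python
from urllib.parse import urlsplit
import ipaddress


def inspect_qr_payload(payload, expected_hosts):
    """Return (action, warnings) for an already-decoded QR payload string.

    expected_hosts: hostnames the venue says its code should open
    (assumption: staff or the venue's signage confirm the real domain).
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Not a web link: the code triggers some other action
        # (for example tel:, sms:, mailto: or a WIFI: network profile).
        return (scheme or "text",
                ["not a web link; review before allowing the action"])

    warnings = []
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme != "https":
        warnings.append("link is not HTTPS")
    if parts.username is not None:
        # Text before '@' is only a label; the browser connects to `host`.
        warnings.append("URL has userinfo before '@'; real host is " + host)
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode hostname; may imitate another domain")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass  # an ordinary DNS name
    allowed = {h.lower() for h in expected_hosts}
    if host not in allowed and not any(host.endswith("." + h) for h in allowed):
        warnings.append("host %r is not the venue's expected domain" % host)
    return ("open-url", warnings)


if __name__ == "__main__":
    venue = ["example-bistro.test"]  # constructed sample domain
    samples = [  # constructed payloads, as a scanner app would decode them
        "https://menu.example-bistro.test/table/12",
        "http://example-bistro.test.pay-menu.example/checkout",
        "https://menu.example-bistro.test@203.0.113.7/pay",
        "WIFI:T:WPA;S:Bistro-Guest;P:constructed;;",
    ]
    for s in samples:
        print(s, "->", inspect_qr_payload(s, venue))
```

The second and third samples show why reading the link by eye is unreliable: both contain the venue's name, but the browser would connect to a different host.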

Kotak suggested diners look for QR codes that appear to have been pasted on top of one another. He said they can also ask the host or manager of the restaurant if the link to their website on the QR code is the right one, as it is the restaurant or company’s responsibility to make sure it has not been manipulated.

“Think before you click. Think before you provide information,” he said.

“Don’t just take a photo arbitrarily. You pull out your phone, get the link, and start disclosing your personal information. It’s your data. And if it does go out into the wild, recovering and fixing it is extremely difficult and in some cases almost impossible.”

About Tammy Diaz
