Diners Beware: That meal may cost you your privacy and security
If you’ve been to a restaurant lately and scanned a QR code rather than order from a physical menu, you likely paid for that meal with not just your money, but your privacy and security too. Businesses are taking advantage of the rise of touchless services during the pandemic to harvest massive amounts of sensitive information about who we are, where we go, and what we do, including our eating and drinking habits — when all we want to do is just eat a meal.
In the past decade, technology companies and the advertising industry have created a vast and extremely lucrative online spying apparatus. They try to collect information about every click we make online and package it into profiles to be shared, sold, and used in ways we couldn’t even imagine, as seen in the Cambridge Analytica scandal. These surveillance capitalists have long wanted to link online profiling to our physical movements to pry even further into our private lives. Manipulating us into scanning QR codes instead of ordering from a physical menu is a way for these companies to achieve their dream of online-offline tracking by inserting all the machinery of the online advertising ecosystem between you and your food.
Would You Like a Hack with Your Dinner?
You may not have thought much about what actually happens when you open your phone and click on a QR code at a restaurant. Sometimes it just opens the restaurant’s web page. But many of the QR codes you see in restaurants are actually generated by a different company that collects, uses, and then often shares your personal information with other companies. In fact, companies that provide QR codes to restaurants like to brag about all the personal information you are sharing along with that food order: your location, your demographics such as gender and age group, and other information about you and your behavior. Plus, as your phone opens the website or app, all the terrible privacy practices of our current online and mobile environments come into play: cookies, your phone’s advertising ID number, and device fingerprinting. There is an entire industry dedicated to using these and other technologies to identify you — precisely — so that a visit to a restaurant can be connected to all your other tracked activities to create a detailed profile of who you are, where you go, what you do, and your interests and habits.In China, this technology has been used to create a network of mandatory checkpoints used to track citizens as they moved throughout society. While that hopefully could never happen in the United States, if the codes become pervasive enough, an advertising-based equivalent could certainly arise. And your personal information collected by companies can be shared with or accessed by the government for surveillance. In recent years, we’ve seen how information collected by prayer apps has been used to target and surveil Muslim Americans, and how location information of devices has been used to surveil people protesting for racial justice. In Australia, where QR codes have been put to widespread use for COVID contact tracing, the police have already tapped into these treasure troves of personal information.
When restaurants make owning a smartphone and being able to scan a QR code the default for being served a meal, that also has significant implications for equity. Many people do not have a smartphone, including more than 40 percent of people over 65 and 25 percent of people who make less than $30,000 per year. People with disabilities and the unhoused are also less likely to own one. These are some of our most vulnerable communities.
QR codes can also pose security risks. A QR code transfers data directly into your phone that you can’t read, and it could trigger an action that you can’t scrutinize before it happens. That’s an inherently risky thing to do, like blindly clicking a link in an unknown e-mail. Depending on your operating system, QR code reader app, or the QR code itself, you may not get the chance to inspect the proposed action, or you might be distracted or hungry and take the action without considering it carefully. Some scammers have been known to put their own QR code sticker over a legitimate QR code, redirecting anyone who scans it to a subtly different payment target, or to a website that hosts malware. Some QR code software is not trustworthy, and an honest but naïve business may inadvertently steer people to a malware site. Even a legitimate URL can be repurposed by an attacker if the website gets compromised or its domain name expires.
Check Please!
Whether technology helps or harms us depends on its purpose, the people who build it, and how we control and use these technologies. Based on the current privacy and security risks of QR codes, we recommend that people:
- Treat any QR code like a link in an unknown email: Be wary and pay attention to the context in which it appears.
- When not certain a code can be trusted, consider seeking the information another way, such as by manually navigating to the business or organization’s website.
- Use software that allows you to inspect the QR code or the action it will take before it is passed to your browser or any other app.
- Keep an eye out for any QR code that has been pasted on top of another one.
- In restaurants, continue to use a physical menu. We now know that it’s highly unlikely to spread the virus by touching a piece of paper.
With the privacy threats, equity concerns, and security risks of QR codes, no business should require anyone to scan a QR code or make it difficult for people to continue to use a physical menu if they want one. COVID has already cost our communities so much. Now is the time to make sure that any technology we use is working for us, not putting more of our personal information and power into the hands of companies who profit at our expense.
About the authors: Nicole Ozer is Technology & Civil Liberties Director, ACLU of Northern California and Jay Stanley is the Senior Policy Analyst, ACLU Speech, Privacy, and Technology Project. This article was reprinted with the permission of the ACLU.