QR codes may bring up more than just a menu–here’s how to protect your privacy

Businesses can track your purchases and share that information if you scan their QR code, a privacy issue for cyber security experts. Photo by Matthew Modoono/Northeastern University

Diners could be serving up a lot more than just their burger order if they use the contact-free QR codes suddenly available at many restaurants and bars, warns David Choffnes, who studies cybersecurity at Northeastern.

David Choffnes, executive director of the Cybersecurity and Privacy Institute at Northeastern, says most customers who use a QR code don’t realize their information is being tracked. Photo by Adam Glanzman/Northeastern University

The square, black and white pixelated codes have become ubiquitous at many restaurants in the wake of COVID-19, eliminating the need for conventional printed menus and sometimes the servers who take the orders. But consumers who scan the easy-to-use codes might unwittingly allow the restaurant or other companies to collect personal information. That data offers insights into the customers’ purchases and locations, which can be used to sell them other goods and services down the road.  

“It’s sort of like a mystery box,” says Choffnes, associate professor of computer science, about the seemingly innocuous “quick response” code. “You don’t really know what you’re going to get. And for the most part, people don’t see it happening.” 

Choffnes, executive director at Northeastern’s Cybersecurity and Privacy Institute, explains QR codes and discusses how consumers can protect their information. 

What are QR codes and how do they work?

The basic idea is that instead of having to type out the address to a website, then provide a whole bunch of information, like what table you’re at in a restaurant, the barcode just encodes all that information into a square. That’s what those black and white sections are, just a way of encoding information. Your phone, through its camera, can easily read it and translate that into a website, a URL, or an app on your phone. So that’s really all it is.

How does scanning a QR code allow a restaurant or software creator to track our information?

The barcodes themselves don’t store anything, it’s just a picture. But it has a specific meaning to our phones, and the tracking is happening once the phone interprets the QR code. For example, let’s say you clicked on a marketing email, like an ad. You’ve probably noticed that when the page loads, it doesn’t just read GAP.com, it has the website address and also a bunch of junk at the end. That junk at the end is tracking information they’re conveying to the website from your email. With the QR barcode, once they open up a link on your phone, they can gather any information about your phone that’s exposed to your web browser, or if it opens up an app, then it can collect your geolocation or whatever else the app has permission to access.

What makes QR codes so concerning?

They’re convenient, and they don’t look like they’re harmful, but because they can open up arbitrary apps or websites and feed information to them, it allows for somewhat arbitrary tracking. It’s not like you have the 20 pages of privacy policy or anything like that next to the QR code, so there’s no transparency. That’s always a major concern. They’re designed in a way to get you to just scan and move on. They’re designed to protect companies as opposed to protecting individuals. What we’re missing here is exactly what the QR code is doing and what happens once you activate that code, so it’s definitely a blind spot.

What’s the worst case scenario in terms of how the information obtained from a QR code scan might be used?

One example is insurance of any kind. If it’s health insurance, they might notice you were eating fast food, and you were at that restaurant a whole bunch of times, so they decide to jack up your health insurance rates. Or your car insurance company sees that you were at a bar, and you were drinking, and maybe just because you drink a certain amount a year they put you in a higher risk category and increase your rates, or straight up refuse to insure you. Increasingly, we are seeing police purchasing access to data collected by other companies and then using that evidence in court. So essentially, because we’re in a society where we have been forced to give up our rights to our data to be able to use services, now police can do an end-run around the Fourth Amendment. For the vast majority of people, these concerns are probably not something that comes up, but there are always other potentially harmful uses.

Do you have some more common examples?

A restaurant may use the information to try to sell you other things, like more expensive items on the menu. Your menu is now digital instead of a fixed menu, and there’s all kinds of research on how to design a menu and make more sales. This is a major thing in the restaurant industry, so they can tailor that menu to each person. These restaurants, meanwhile, are probably not running their own software. They’re probably contracting with some other company and that company probably collects data on behalf of a whole bunch of restaurants. And while they’re at it, they can go ahead and take that data and probably package it up and resell it to others and make even more money on the side. 

How can we protect ourselves when dealing with QR codes?

Generally speaking, I wouldn’t use a QR code if I had another option. So, you know if there’s a normal menu I would probably do that. Sometimes you’re not given the option, so for the average consumer there’s not much more you can do at that point except just try to be aware of whatever permissions you’ve given the apps or websites that they are accessing. I think this needs to be addressed and there needs to be better ways to disclose to consumers what’s happening and give them better control. If we’re not given a choice, there’s not much you can do. I wish we had better options. Sometimes it’s just a sad trombone on repeat.