Restaurant customers who have become accustomed during the pandemic to pulling out their phones to access menus using QR codes should understand the implications for their personal data, according to privacy and cybersecurity experts.
This is especially important given that some restaurateurs find electronic menus to be effective and cost-effective, and they may retain the practice even after COVID-19 is more contained.
It’s not the QR code itself that collects customer data, said Dustin Moores, privacy lawyer at nNovation LLP in Ottawa.
“What the QR code does is that it acts in a way like a web link to a web page. So when you scan a QR code on your phone, it will likely send you to either the restaurant’s website or the website of a service provider used by the restaurant,” he told Cost of life producer Jennifer Keene.
“What is happening is that we are replacing some kind of very harmless object, a restaurant menu, with a website that has all of the tracking technologies you see in modern e-commerce today.”
A marketing device
Displaying an online menu on your phone does not mean that you are passing data like your date of birth and bank details to bad actors on the Internet.
The most immediate implication is that it gives your local pub, or the platform it uses, new knowledge about your behaviors and preferences that it can use to sell to you more effectively.
“If you’re a returning customer at one of those restaurants that use QR code technology, they might be able to say, ‘Hey, we know Jennifer ordered the Caesar salad last time; let’s put her at the top of our menu this time because we know she likes it,’” Moores said.
The restaurant could also use the information it gathered to upsell customers, such as suggesting the customer add chicken to that salad, he said. Or it might try to influence your choices by offering a discount on the dish you enjoyed last time around.
Moores said it’s also likely that the QR code will take you to a website that uses third-party cookies that can be used to track your web browsing habits.
“Let’s say it’s a Hungarian restaurant that you visited. Well, other Hungarian restaurants in the area might suddenly start advertising to you,” he said.
A matter of consent
Moores said his biggest legal concern about the spike in use of QR code-enabled menus is consent.
“I think what could be lost on a lot of restaurateurs is that, like all other businesses in Canada, they are subject to our privacy laws,” he said. “Whenever a business collects, uses or shares personal information in the course of commercial activities, it must obtain the consent of individuals to do so.”
Cybersecurity expert Yuan Stevens, head of technology, cybersecurity and democracy policy at Ryerson University’s Leadership Lab, said security issues with QR codes remain “fairly speculative.”
“I have yet to find any cases in Canada of QR codes being used to steal data or violate your privacy,” she said. “But I also think it’s useful to keep in mind concerns that we should be aware of as technology becomes ubiquitous.”
Someone who wanted to direct you to a malicious website could “speed up” this process using a QR code, Stevens said. “Phishing and scams are already happening. And QR codes would be just another way to do it.”
She said some restaurants are using QR codes to collect contact tracing information as well as for menus.
With the drive to reduce contact with and between surfaces, QR codes have grown in popularity during the pandemic, Stevens said, particularly in China, where their use increased 6% between 2019 and 2020.
Stevens notes that last month a benevolent hacking group alerted the public that it may have hacked the Quebec government’s new vaccine passport system, which led to the exposure of 300,000 QR codes. The developer fixed the issue within 24 hours, but it’s good to know that there are privacy and security tradeoffs associated with using the technology, she said.
QR code vaccination verification systems are now in place in Manitoba and New Brunswick, and will be in Ontario as of October 22.
Probably here to stay
Jenny Burthwright, owner of Jane Bond BBQ in Calgary, said her company introduced QR code menus in fall 2020 as it “tore up” paper menus while trying to protect against COVID.
She plans to keep the high-tech system in place after the pandemic.
“There are very obvious cost savings,” she said. “With the increasing costs of everything, we thought about that, and also from an environmental point of view, we just wanted to move away from this paper.”
Restaurants also find it easier and faster to update an online menu than a printed menu, said Olivier Bourbeau, vice-president of Restaurants Canada, the industry association representing employers in restaurants and food services.
Being able to quickly add or remove a menu item, or update the price of a dish, is especially helpful given the complexity of running a restaurant business during this crisis, including rising food costs and supply chain issues that delay the delivery of ingredients.
These benefits will likely mean that many restaurants will keep the QR code system in place, Bourbeau said.
To mitigate the risks associated with leaving a digital trail every time you order a breast sandwich or poke bowl, consumers can take certain precautions, according to cybersecurity expert Stevens.
The same principles you would apply to avoiding phishing and other online scams generally also apply to using QR codes, she said.
“Watch out for offers that sound too good to be true. Don’t give out sensitive information via email or phone to untrustworthy sources. Be careful what you click on.”
Treat a QR code with the same care as an email attachment and keep an eye out for printed QR codes that appear to have been duplicated, with one stuck on top of another, Stevens said.
It’s worth taking the time to check with your host or server to make sure the QR code you’re about to use is legitimate, she said.
“You have to be very careful that the QR code you scan is actually the restaurant’s one, otherwise you might be misled. And that’s when you would be scammed.”
Written by Brandie Weikle. Produced by Jennifer Keene.