Scan QR-code menus with a side of caution, say privacy experts
Online menus accessed through QR codes have become common during the pandemic
Restaurant patrons who've grown accustomed during the pandemic to whipping out their phones to access menus using QR codes should understand the implications for their personal data, say privacy and cyber-security experts.
That's especially important given some restaurant owners are finding electronic menus efficient and cost effective, and that they may hold onto the practice even after COVID-19 is more contained.
It's not the QR code itself that collects customer data, said Dustin Moores, a privacy lawyer with nNovation LLP in Ottawa.
"What the QR code does is it sort of acts as a web link to a web page. So when you scan a QR code on your phone, in all likelihood it is going to send you to either the restaurant's website, or to the website of a service provider that's being used by the restaurant," he told Cost of Living producer Jennifer Keene.
"What's happening is we're replacing a very sort of innocuous object, a restaurant menu, with a website that comes with all the sort of tracking technologies that you see in modern e-commerce today."
A marketing device
Bringing up an online menu on your phone doesn't mean you're handing data such as your birth date and banking details to bad actors on the internet.
The more immediate implication is that it gives your local pub, or the platform they use, new knowledge of your behaviours and preferences that it can use to better sell to you.
"If you're a returning customer to to one of these restaurants that use the QR code technology, they might be able to say, 'Hey, we know that Jennifer ordered the Caesar salad last time; let's put it at the top of our menu this time because we know that she likes it,'" said Moores.
The restaurant could also use the information it has gathered to upsell customers, such as suggesting the customer add chicken to that salad, he said. Ot it could try to influence your choices by offering a discount on the dish you enjoyed last time.
Moore said it's also likely that the QR code will take you to a website that uses third-party cookies that can be used to track your web browsing habits.
"Let's say it was a Hungarian restaurant that you visited. Well then other Hungarian restaurants in the area might start advertising to you all of a sudden," he said.
An issue of consent
Moore said his biggest legal concern about the spike in use of QR code-enabled menus is consent.
"I think what might get lost on a lot of restaurant owners is that, like every other business in Canada, they're subject to our privacy laws," he said. "Whenever a business collects, uses or shares personal information in the course of commercial activities, they need to have people's consent to do that."
Cyber-security expert Yuan Stevens, policy lead for technology, cyber-security and democracy at Ryerson University's Leadership Lab, said the security concerns related to QR codes remain "fairly hypothetical."
"I have not yet found any cases in Canada of QR codes being used for stealing data or violating your privacy," she said. "But I also think it is useful to keep in mind what concerns we should be aware of as technology becomes ubiquitous."
Someone who wants to direct you to a malicious website could "fast track" that process using a QR code, said Stevens. "Phishing and scams are already happening. And QR codes would just be another conduit to that."
She said some restaurants are using QR codes to gather contact tracing information as well as for menus.
With the drive to reduce contact with surfaces and each other, QR codes have increased in popularity during the pandemic, said Stevens, particularly in China, where their use increased six per cent between 2019 and 2020.
Stevens notes that last month a benevolent hacking group already alerted the public that it had been able to hack the Quebec government's new vaccine passport system, which led to 300,000 QR codes being exposed. The developer resolved the issue within 24 hours, but it's good to be aware that there are privacy and security tradeoffs that come with using technology, she said.
QR-code enabled vaccination verification systems are now in place in Manitoba and New Brunswick, and will be in Ontario as of Oct. 22.
Likely here to stay
Jenny Burthwright, owner of Jane Bond BBQ in Calgary, said her business introduced QR code menus in the fall of 2020 when they'd been "ripping through" paper menus while trying to keep COVID-safe.
She plans to keep the higher-tech system in place post-pandemic.
"There's a very obvious cost savings to it," she said. "With the rising costs of everything, we considered that, and also environmentally just wanted to move away from that paper."
Restaurants are also finding it easier and faster to update an online menu than a printed one, said Olivier Bourbeau, a vice-president of Restaurants Canada, the industry association representing food-service employers.
Being able to quickly add or remove a menu item, or update the price of the dish, is particularly useful given the complexities of running a food-service business during this crisis, including rising food costs and supply-chain problems that delay delivery of ingredients.
Those advantages will likely mean many restaurants will keep the QR-code system in place, Bourbeau said.
To mediate the risks associated with leaving a digital trail every time you order a brisket sandwich or a poke bowl, there are some precautions consumers can take, according to cyber-security expert Stevens.
The same principles that you'd apply to avoiding phishing and other online scams generally also apply to using QR codes, she said.
"Be careful of offers that seem too good to be true. Don't give sensitive information over email or phone to untrusted sources. Be careful what you click on."
Treat a QR code with the same care as an email attachment, and keep your eyes peeled for printed QR codes that look like they've been duplicated — one stuck on top of another, said Stevens.
- Profit-sharing, signing bonuses and health benefits. Food-service bosses try it all to lure workers back
It's worth taking the time to check with your host or server to make sure the QR code you're about to use is legit, she said.
"You want to be really careful that the QR code you're scanning is actually the restaurant's, otherwise you could be misled. And that's when you'd be scammed."
Written by Brandie Weikle. Produced by Jennifer Keene.