Cost of Living

Scan QR-code menus with a side of caution, say privacy experts

Restaurant patrons who’ve grown accustomed during the pandemic to whipping out their phones to access menus using QR codes should understand the implications for their personal data, say privacy and cybersecurity experts.

Online menus accessed through QR codes have become common during the pandemic

Cyber-security experts say restaurant patrons should take a moment to make sure the QR codes they scan to access menus are legit. (DisobeyArt/Shutterstock)

Restaurant patrons who've grown accustomed during the pandemic to whipping out their phones to access menus using QR codes should understand the implications for their personal data, say privacy and cyber-security experts.

That's especially important given some restaurant owners are finding electronic menus efficient and cost effective, and that they may hold onto the practice even after COVID-19 is more contained.

It's not the QR code itself that collects customer data, said Dustin Moores, a privacy lawyer with nNovation LLP in Ottawa.

"What the QR code does is it sort of acts as a web link to a web page. So when you scan a QR code on your phone, in all likelihood it is going to send you to either the restaurant's website, or to the website of a service provider that's being used by the restaurant," he told Cost of Living producer Jennifer Keene. 

A waiter at FIGO restaurant on Adelaide in Toronto explains the details of a dish on June 16. Accessing menus via QR codes has become a more common practice over during the pandemic as restaurants look for ways to minimize contact and keep surfaces clean. (Sam Nar/CBC)

"What's happening is we're replacing a very sort of innocuous object, a restaurant menu, with a website that comes with all the sort of tracking technologies that you see in modern e-commerce today." 

A marketing device

Bringing up an online menu on your phone doesn't mean you're handing data such as your birth date and banking details to bad actors on the internet.

The more immediate implication is that it gives your local pub, or the platform they use, new knowledge of your behaviours and preferences that it can use to better sell to you.

"If you're a returning customer to to one of these restaurants that use the QR code technology, they might be able to say, 'Hey, we know that Jennifer ordered the Caesar salad last time; let's put it at the top of our menu this time because we know that she likes it,'" said Moores.

The restaurant could also use the information it has gathered to upsell customers, such as suggesting the customer add chicken to that salad, he said. Ot it could try to influence your choices by offering a discount on the dish you enjoyed last time. 

The technology is also being used for vaccine verification in Quebec, Manitoba and New Brunswick and is slated to be rolled out in Ontario on Oct. 22. (Graham Hughes/The Canadian Press)

Moore said it's also likely that the QR code will take you to a website that uses third-party cookies that can be used to track your web browsing habits. 

"Let's say it was a Hungarian restaurant that you visited. Well then other Hungarian restaurants in the area might start advertising to you all of a sudden," he said.

An issue of consent

Moore said his biggest legal concern about the spike in use of QR code-enabled menus is consent.

"I think what might get lost on a lot of restaurant owners is that, like every other business in Canada, they're subject to our privacy laws," he said. "Whenever a business collects, uses or shares personal information in the course of commercial activities, they need to have people's consent to do that."

Cyber-security expert Yuan Stevens of Ryerson University said the security concerns related to QR codes remain 'fairly hypothetical.' Still, she said it's 'useful to keep in mind what concerns we should be aware of as technology becomes ubiquitous.' (Stacy Lee)

Cyber-security expert Yuan Stevens, policy lead for technology, cyber-security and democracy at Ryerson University's Leadership Lab, said the security concerns related to QR codes remain "fairly hypothetical."

"I have not yet found any cases in Canada of QR codes being used for stealing data or violating your privacy," she said. "But I also think it is useful to keep in mind what concerns we should be aware of as technology becomes ubiquitous." 

Someone who wants to direct you to a malicious website could "fast track" that process using a QR code, said Stevens. "Phishing and scams are already happening. And QR codes would just be another conduit to that."

She said some restaurants are using QR codes to gather contact tracing information as well as for menus.

With the drive to reduce contact with surfaces and each other, QR codes have increased in popularity during the pandemic, said Stevens, particularly in China, where their use increased six per cent between 2019 and 2020.

Stevens notes that last month a benevolent hacking group already alerted the public that it had been able to hack the Quebec government's new vaccine passport system, which led to 300,000 QR codes being exposed. The developer resolved the issue within 24 hours, but it's good to be aware that there are privacy and security tradeoffs that come with using technology, she said. 

QR-code enabled vaccination verification systems are now in place in Manitoba and New Brunswick, and will be in Ontario as of Oct. 22. 

Likely here to stay

Jenny Burthwright, chef and owner of Jane Bond BBQ in Calgary, introduced QR-code enabled menus at her business in the fall of 2020. She expects to keep using them long after the pandemic is over. (Jennifer Keene/CBC)

Jenny Burthwright, owner of Jane Bond BBQ in Calgary, said her business introduced QR code menus in the fall of 2020 when they'd been "ripping through" paper menus while trying to keep COVID-safe.

She plans to keep the higher-tech system in place post-pandemic.

"There's a very obvious cost savings to it," she said. "With the rising costs of everything, we considered that, and also environmentally just wanted to move away from that paper."

Burthwright said they still keep some paper menus on hand for those who feel more comfortable ordering that way. (Jennifer Keene/CBC)

Restaurants are also finding it easier and faster to update an online menu than a printed one, said Olivier Bourbeau, a vice-president of Restaurants Canada, the industry association representing food-service employers.

Being able to quickly add or remove a menu item, or update the price of the dish, is particularly useful given the complexities of running a food-service business during this crisis, including rising food costs and supply-chain problems that delay delivery of ingredients.

Those advantages will likely mean many restaurants will keep the QR-code system in place, Bourbeau said.

Jimmy Staveris, left, manager of Dunn's Famous restaurant in Montreal, scans the QR code of a client as the Quebec government's COVID-19 vaccine passport came into effect on Sept. 1. (Graham Hughes/The Canadian Press)

Protective measures

To mediate the risks associated with leaving a digital trail every time you order a brisket sandwich or a poke bowl, there are some precautions consumers can take, according to cyber-security expert Stevens.

The same principles that you'd apply to avoiding phishing and other online scams generally also apply to using QR codes, she said.

"Be careful of offers that seem too good to be true. Don't give sensitive information over email or phone to untrusted sources. Be careful what you click on."

Treat a QR code with the same care as an email attachment, and keep your eyes peeled for printed QR codes that look like they've been duplicated — one stuck on top of another, said Stevens.

It's worth taking the time to check with your host or server to make sure the QR code you're about to use is legit, she said. 

"You want to be really careful that the QR code you're scanning is actually the restaurant's, otherwise you could be misled. And that's when you'd be scammed."


Written by Brandie Weikle. Produced by Jennifer Keene.

Add some “good” to your morning and evening.

A variety of newsletters you'll love, delivered straight to you.

Sign up now

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?

now