QR codes and privacy: What you need to know

How does a technology created 28 years ago all of the sudden have a major renaissance? With the COVID-19 pandemic, contactless became a way to stay healthy. And QR codes moved from their origins on the factory floor to mainstream almost overnight.

With QR codes being used for everything from proof of vaccination, re-entry to Canada and contract tracing to restaurant menus and contactless payments, the privacy conversation is prominent.

How do QR codes impact our privacy? What can we do to protect ourselves?

The origins of the QR code

The Quick Response (QR) code was released in 1994 by a Japanese engineer named Hara Masahiro to track vehicles during the manufacturing process. More comprehensive than a barcode in terms of the information it’s capable of storing, the QR code made it easier to scan and track items.

Marketers experimented with using QR codes in the 2000s to direct prospective buyers to their websites, but they didn’t become as popular as they are now until the pandemic hit in 2020. As part of a larger wave of innovation fuelled by COVID-19, the QR code proved very useful in offering a touchless way to share information.

Eric Rescorla, CTO, Firefox at Mozilla explains how the QR code works in his blog, educatedguesswork.org:

• Information gets encoded into the QR code (a popular use case is a URL linking to a restaurant or retailer’s website)
• You point your smartphone camera at the QR code, enabling it to read the information and detect the URL
• A prompt comes up with the option to click through to the URL
• If you accept, your browser takes you to the website

What’s the privacy issue?

The QR codes themselves aren’t necessarily the privacy culprits. It’s the ecosystem they exist in. According to the Washington Post, in its article, QR codes are a privacy problem, but not for the reasons you’ve heard, QR codes, “turn analog interactions — like ordering a pizza — into digital ones, and those digital interactions can be subject to tracking by the restaurant or store. Because QR codes open a browser, companies might use that digital signal to connect the dots between online and offline activity.”

Once you go to a website, you often encounter cookies, which store data on your computer or device to track your session and what you do. For the purposes of privacy, cookies are often used by marketers/advertisers to keep track of browsing activity and gain insight into consumers’ interest, so they can serve up relevant ads.

Rescorla highlights the complexity of a seemingly simple and convenient way of accessing information. The cookie is part of it. But more important is the information the URL encodes. If you provide a table number, or the link goes to an ordering system rather than a readable menu, the site can remember where you sat and what you ordered. Depending on the system operating in the background, you could also be tracked across multiple restaurants.

There have also been some reported security issues with QR codes. In August 2021, several Quebec politicians, including Premier Francois Legault and Health Minister Christian Dube, had their vaccine passport QR codes hacked. While the information compromised only included name, date of birth and vaccinations received, it raised concerns about the safety of QR codes and protecting the information encoded into them.

What can you do to protect yourself?

QR codes have become fairly inevitable, and many businesses, especially restaurants, are using them to cut costs and maximize their understaffed teams – no more updating chalkboard menus or reprinting to stay current. How can you protect your privacy and security while still taking advantage of the convenience?

• Stay vigilant: beware public QR codes – if you see a QR code randomly stuck in a public place, don’t point your phone at it or click on the link that pops up
• Look out for Quishing: hackers have started to place QR codes in phishing emails (in text messages as well) that direct to fraudulent websites that request personal information. Avoid scanning any QR codes received by email or text unless you can verify the legitimacy of the sender
• Use verified apps: there are many illegitimate QR code scanning apps that merely spread malware. Avoid them and use your smartphone camera instead
• Configure your device appropriately: make sure your device asks for permission before launching the QR code action, so you can verify legitimacy
• Store your personal QR codes safely: your proof of vaccine, boarding passes, ArriveCan and anything else that contains personally identifiable information should be stored in a secure folder on your device or in an encrypted folder in a file sharing service

Like anything online, using QR codes comes with compromises. Following a few simple steps can help you protect your privacy and security, so you can order your favourite pizza, make it through customs seamlessly or provide proof of vaccination to businesses that require it.