What's wrong with QR code menus?
Posted by ekr on 26 Jul 2021
TL;DR. Open your restaurant menu QR codes in private browsing mode.
Today's NYT has an article about the popularity of QR code menus at restaurants instead of paper menus and how they enable tracking:
But the spread of the codes has also let businesses integrate more tools for tracking, targeting and analytics, raising red flags for privacy experts. That’s because QR codes can store digital information such as when, where and how often a scan occurs. They can also open an app or a website that then tracks people’s personal information or requires them to input it.
The use of QR code menus does enable tracking, but importantly, this is not how it works; understanding how they do work is key to understanding what's going on and how to protect yourself. At a high level, a QR code is just a way of encoding digital information, in this case the address of the Web site (the technical term here is a URL), in a convenient machine-readable form that can then be read by your phone. So the way that this works is:
- The URL is encoded into the QR code.
- You point your phone at the code and it detects that it's a URL.[1]
- The phone -- at least mine -- reads the QR code, detects that it's a URL, and asks if you want to go to the site.
- You agree and your browser navigates to the site.
At the end of the day, then, this is just a convenient way for the restaurant to get you to navigate to a URL. They could instead have printed the URL itself on the table, but for obvious reasons people would find that to be a pain to type in.
It's certainly true that the QR code can contain more or less arbitrary information[2] and can encode it in the URL so that it gets conveyed to the Web site. For instance, you can have a link that goes not just to the menu but to the ordering system and include your table number so that your order is sent to your table directly. However, because they're printed on a piece of paper -- at least in the case we are talking about here -- they are inherently static, which means that if I scan the QR code at time A and you at time B we get the same thing.[3] The point here is that the QR code itself cannot store "when, where, and how often a scan occurs", because the QR code itself doesn't change.[4] As I said above, the QR code is just taking you to a Web site, and it's the Web that's the problem, not the QR code.
What is actually happening is that the Web is full of tracking mechanisms, mostly in the form of what's called a "cookie". Many EG readers probably know what a cookie is, but in an effort to keep things broadly accessible, a cookie is a piece of digital data that a Web site can store on your computer and that you then send back to that site when you visit it again. Cookies can contain basically any information the site wants and allow the site to connect multiple visits by the same person at different times. This is, for instance, how Amazon maintains your shopping cart and Facebook keeps you logged in. They're a basic part of Web functionality. Importantly, any site can send you a cookie and your browser will just send it back, so cookies can be -- and are -- used to track your behavior even in contexts where there is no obvious user-visible state like shopping carts, etc.
It's worth walking through how tracking works in a situation like this. Suppose you go to Example Restaurant and scan the QR code, which tells you to go to https://example.com/ [5]. The first time you do that, the restaurant hasn't stored a cookie, so it just knows you're a new person and stores a cookie. But the next time you come back, it can read that cookie and see you are a repeat customer. This isn't that useful in itself, because lots of customers probably scanned this QR code, but if the URL encodes the table number (e.g., https://example.com/?table=123) or the link goes to an ordering system rather than a menu, then the site can remember what you ordered and adjust its behavior accordingly ("Hi Eric, last time you ordered the Pizza Margherita. Would you like that and maybe some garlic bread?").
It isn't necessarily just this one restaurant either. Depending on how the system is put together, your behavior might be tracked across multiple restaurants -- via technical mechanisms that are quite straightforward but out of scope for this post -- to build up a picture of your eating behavior.
The thing to recognize is that there's nothing special about QR codes, this is just the normal (terrible!) level of tracking that already exists on the Web. The article quotes Jay Stanley from ACLU on this point:
“People don’t understand that when you use a QR code, it inserts the entire apparatus of online tracking between you and your meal,” said Jay Stanley, a senior policy analyst at the American Civil Liberties Union. “Suddenly your offline activity of sitting down for a meal has become part of the online advertising empire.”
I half agree here: it's true that this kind of QR code menu pulls you into the Web tracking ecosystem and it's likely that many people don't understand that. However, it's also the case that many people don't understand how much their behavior is already tracked on the Web even in cases where QR codes aren't involved (which is why it's so important for Web browsers to build in anti-tracking features such as Firefox Enhanced Tracking Protection and Safari Intelligent Tracking Prevention[6]).
In this particular case, however, these mechanisms aren't as effective as you would like. The reason is that they are designed to prevent you from being tracked across sites, but (1) we are concerned about repeat visits to the same site and (2) multiple restaurants might use the same Web site, or at least bounce the user through them (with a URL like https://example.com/?restaurant=pizza-palace). In either case, dining history leaks even if the default anti-tracking mechanisms are on.[7]
Probably the best thing would be if devices were to open QR codes in a new browsing context with new cookie state. Some limited testing with my iPhone suggests that it opens up URLs from QR codes in whatever mode you are currently using Safari in: if you are currently using Safari in Private mode, it will open up URLs from QR codes in Private mode, which seems to do the right thing, but if -- as is more likely -- you are using Safari in regular mode, then it will open up URLs in regular mode, which allows you to be tracked.
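To make the mechanics concrete, here is an added toy simulation (not from the original post, and not any real menu vendor's code) of a shared menu site like the hypothetical example.com above, scanned by a phone in regular mode and in private mode. The site, its "vid" cookie, and the restaurant/table URL parameters are all constructed for illustration; the point is that the whole thing is first-party to one site, so cross-site tracking protection never engages, while a fresh cookie jar per scan does defeat it.

```python
from urllib.parse import parse_qs, urlparse
import secrets

# Constructed model: one Web site (example.com) serves menus for several
# restaurants; each printed QR code is a static URL such as
#   https://example.com/?restaurant=pizza-palace&table=12

class MenuSite:
    """Server side: a first-party cookie ('vid') links every scan by the same phone.
    Because every restaurant lives under example.com, this is same-site tracking,
    which Enhanced Tracking Protection / ITP style defenses are not designed to stop."""

    def __init__(self):
        self.visitors = {}  # vid -> list of (restaurant, table) visits

    def handle(self, url, cookies):
        q = parse_qs(urlparse(url).query)
        restaurant = q.get("restaurant", ["unknown"])[0]
        table = q.get("table", ["?"])[0]
        vid = cookies.get("vid")
        if vid not in self.visitors:  # no (or unknown) cookie: treat as a new person
            vid = secrets.token_hex(8)
            self.visitors[vid] = []
        history = self.visitors[vid]
        reply = {"returning": bool(history), "earlier_visits": len(history),
                 "restaurants_seen": sorted({r for r, _ in history})}
        history.append((restaurant, table))
        return reply, {"vid": vid}  # response body plus Set-Cookie

class Phone:
    """Client side: regular mode keeps one cookie jar across scans; private mode
    starts every scan with an empty jar (a fresh browsing context)."""

    def __init__(self, site, private=False):
        self.site, self.private, self.jar = site, private, {}

    def scan_qr(self, url):
        jar = {} if self.private else self.jar
        body, set_cookie = self.site.handle(url, jar)
        jar.update(set_cookie)  # the browser stores whatever cookie the site sent
        return body

def simulate(private):
    """Three scans at two restaurants on the same site; returns the site's replies
    and how many distinct 'people' the site believes it has seen."""
    site = MenuSite()
    phone = Phone(site, private=private)
    scans = ["https://example.com/?restaurant=pizza-palace&table=12",
             "https://example.com/?restaurant=pizza-palace&table=7",
             "https://example.com/?restaurant=taco-town&table=3"]
    return [phone.scan_qr(u) for u in scans], len(site.visitors)
```

In regular mode the third scan (at a different restaurant) is already greeted as a repeat customer with a known dining history; in private mode each scan looks like a brand-new person.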
Of course, there is a tradeoff here: if URLs were opened in private mode by default, then people who want their state to be maintained (for instance, if they have an account with the restaurant that lets them order without entering new payment information, or if they are part of a loyalty program) would be inconvenienced. This is probably a situation where the browser could help ("I see you have logged in here, do you want to let this site remember you for future visits?"). In my experience, however, most QR codes don't go to sites that actually need to track you, so it seems like there is an opportunity for better defaults here.
[1] Interestingly, there doesn't seem to be any meta-information telling you that it's a URL; rather, it's just that it looks like one because it has http:// or https:// in front of it, though see here.
[2] Not truly arbitrary, because they're not infinite sized, so only somewhere in the 100-1000 character range, but for our purposes, plenty.
[3] As mentioned previously, this is actually an issue for some applications, like vaccine passports, where it would be convenient to be able to change the code later.
[4] As a real aside here, this non-changing property of paper stuff is why paper-based elections such as optical scan ballots are so popular with election security people.
[5] Think of all the business that restaurant must get!
[6] Sorry for the technical link there; this is what I could find. If someone sends me a more general Safari ITP link, I can update.
[7] I should mention at this point that if you're paying with a credit card, the privacy story is also quite bad.