Pandemic precautions made QR codes popular again, but privacy concerns remain
QR codes pose cybersecurity issues consumers should be aware of, especially as they are becoming more widespread outside of the service industry.
Research & Development
Risk & Compliance
Technology / IIoT
When Sasha Steinberg reopened Cider House after a COVID-19 shutdown last year, she erased the pub’s list of about 50 ciders from a wall chalkboard and stopped printing hundreds of menus, instead placing pixelated, black and white squares on tables.
When scanned with a smartphone, the QR (Quick Response) codes generate a COVID-19 screening questionnaire, and guests who report no symptoms can then click through to the west Toronto pub’s menu.
“It’s worked like a dream,” said Steinberg. In some ways it’s an improvement, she said, since it reduces the grunt work associated with constantly cleaning menus and updating the chalkboard.
“I don’t think that in the future we will go back to our regular menu.”
Scores of other businesses have made similar moves, finding the solution cost effective and easy to use, as QR technology can link to websites, forms or apps. It’s fast and often, free.
Dating back to the 1990s, QR code technology was originally developed for the automotive industry before disappearing. Thanks to the pandemic, they are now making a comeback, although data security and privacy concerns have emerged.
Saskatchewan removed QR codes from vaccination records last week after a privacy breach involving at least 19 codes displaying the wrong person’s health info.
Weeks earlier, there were reports in Quebec that the QR codes had been stolen from vaccine passports belonging to legislature members.
Across the border, Florida attorney general Ashley Moody warned scammers can use the technology to reroute consumers to malicious websites.
“The risks are out there,” said Imran Ahmad, a partner at Norton Rose Fulbright Canada LLP and co-head of the firm’s data protection, privacy and cybersecurity practice.
“Hackers are always evolving. They’re super sophisticated, they’re going to find a way to reroute you to a site that may be malicious or a site that looks legit but actually has bad things happening in the background that are maybe unbeknownst to you.”
He expects the implementation of vaccine passports in additional provinces and the introduction of such technology at more businesses to make privacy a hot topic.
The codes linking to web pages or apps made their debut in 1994, when Masahiro Hara, who worked for Toyota subsidiary Denso Wave, was asked by manufacturers to develop scanners that could read bar codes more quickly.
Denso Wave’s website said bar codes could store only 20 alphabetical characters at the time and workers had to scan as many as 1,000 per day, making work less efficient and tracking vehicles and parts during manufacturing difficult.
It took Hara and a two-person team a year-and-a-half to develop the codes, which could be scanned 10 times faster than bar codes and ended up being used for inventory management and shipment tracking.
The codes eventually cropped up in other industries, but didn’t become ubiquitous for consumers until the mid-2000s.
That was when smartphones became more commonly used, making users a target for marketers. Film distributors put QR codes on posters to link to movie trailers and BlackBerry promoted them as a way for users to quickly add each other as contacts on its messaging service.
But many smartphone users still didn’t have internet or data on their phones and QR code reading technology wasn’t as sophisticated as it is today, when all you need to do is aim your phone’s camera at the icon.
The technology languished until pandemic measures created a perfect niche for its use.
Ahmad recommends businesses seeking a QR code service look for white papers verifying the provider’s privacy policies, and inquire with other companies already using its products about their experience.
While he would be surprised to see restaurant QR codes used maliciously, customers who notice businesses like a bank using a QR code and feel it is out of the ordinary should call their branch and ask if the code is legitimate.
If you scan a code and it delivers malicious content or you have concerns after inputting information, he recommends reaching out to the Canadian Anti-Fraud Centre or a credit monitoring firm that can investigate abnormal activity in financial accounts.