Feels like sloppy journalism the way the article half-assedly doesn't explain how the magic works. The tracking occurs because many QR codes have URLs like some-analytics-server.tld/restaurant=mcdonalds&city=chicago&branch=downtown that record your scan and then redirect to maybe mcdonalds.com/menu/ . Instead the article writes:
> That’s because QR codes can store digital information such as when, where and how often a scan occurs.
Huh? QR codes can store anything, but how are these infos being stored on the codes themselves?
> They can also open an app or a website that then tracks people’s personal information or requires them to input it.
Yeah, if that tracking server also has Facebook/Google embeds they can probably have even more analytics about you.
I should write a "privacy protecting QR code scanner" and be... $4.95 richer from the people who care about privacy buying the $0.99 app.
Exactly. This is sensationalism. QR is merely a barcode capable of encoding rich data. It would be trivial, as you noted, to simply decode the QR code and use an alternate method of browsing. Furthermore, in the USA the ADA protects alternative methods of ordering, so you won’t starve to death because of “QR tracking”.
As long as unscrupulous businesses (not the restaurants in this case) abuse personal privacy, a market will exist that protects it.
What a trainwreck of an article. The tracking is allowed by URLs, not QR codes. The title might as well have been 'Written text is here to stay. So is the tracking it allows.'.
It would have been so easy for the article to state upfront that QR codes are URLs coded as a monochrome patterns of squares. Scanning a QR code is like clicking on that URL. Nothing more, nothing less.
So users that scan a QR code have to be concerned like anyone clicking on a link. It has positives and negatives just like links. Nothing new there. I am just surprised that specialist companies have sprung up that capitalize on that simple idea.
> Customers simply scan it with their phone camera to open a website for the online menu. Then they can input their credit card information to pay, all without touching a paper menu or interacting with a server
It is only a matter of time before we end up with “digital skimming.” Spoof the site, ask for a CC number, forward the request onward. How would patrons know the QR code was not genuine?
This is definitely already a thing. There were reports of that happening here in Japan when the QR code payment system PayPay took off a few years ago. People would paste their own QR code ontop of the store one
I think many of the same rules apply to anti-phishing. A lot of it is about education: making sure that patrons know what a legitimate QR code domain is going to be in advance so they can check it, providing some reporting system for suspect ones (this probably just means telling a member of staff so they can scrape it off and tell the police).
There are some additional advantages afforded to us in the real world like, if the need arise, they could be made hard to forge by including custom holograms, embossed patterns and the like.
Although at the moment it seems not many places are taking advantage of these kinds of practices yet, probably because a high profile breach has yet to happen around it.
In 2011 I remember reading about “QR phishing”, where a transparency is overlaid on a QR code to completely change the data while barely modifying the representation.
NYT reporting at it's best. How come that a paper that is not small at all (I believe they even have a Tech department, from what i understand it's a low-budget one, but still) doesn't have any tech advisors that can do proofreading?
If they are this careless about technology, how can I trust them with reporting that touches other domains?
“Briefly stated, the Gell-Mann Amnesia effect is as follows. You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them.
In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know.”
Dunno if the article mentiones that, since I dont have a nytimes sub, but the absolute worst thing about QR codes is that they make phishing very easy. Just slap a fake sticker on top of the genuine one, which looks the same save for the code.
Most places I've been to in the past year at least here in London (UK) didn't allow ordering at the bar due to restrictions around queues. Many also didn't allow paying with cash.
I don't believe that restaurants or other organizations should feel entitled to make me use my mobile data, which I pay for by the gigabyte, to access their services.
Oh fucking hell, of course these have tracking embedded in them. Here I was complaining just about not having a physical menu, but why not just slap some tracking cookies in there?
Honestly, this isn't really that effective a tracking system, retailers already use beacons that can track every phone that comes into an area, due to the nature of of the way mobile devices look for wifi signal, and in some extreme cases cell towers, a phones in a retail space can be tracked easily, and without consent, knowledge, or interaction of the consumer. These devices can also restrict the range of their signal, and multiple can be used in a location, to track what parts of the stores you are in, and be used at a register location to associate mobile devices to transactions.
This has been happening for years, and is used widely across the industry, more than a decade ago I worked with one of these systems to be able to associate face from a camera system with this system to add a facial identify to the data.
QR codes are seriously nothing compared to that, and the user has to actively interact with them.
[+] [-] bellyfullofbac|4 years ago|reply
> That’s because QR codes can store digital information such as when, where and how often a scan occurs.
Huh? QR codes can store anything, but how are these infos being stored on the codes themselves?
> They can also open an app or a website that then tracks people’s personal information or requires them to input it.
Yeah, if that tracking server also has Facebook/Google embeds they can probably have even more analytics about you.
I should write a "privacy protecting QR code scanner" and be... $4.95 richer from the people who care about privacy buying the $0.99 app.
[+] [-] cyberge99|4 years ago|reply
As long as unscrupulous businesses (not the restaurants in this case) abuse personal privacy, a market will exist that protects it.
[+] [-] rustybolt|4 years ago|reply
[+] [-] the-dude|4 years ago|reply
[+] [-] RajuVarghese|4 years ago|reply
So users that scan a QR code have to be concerned like anyone clicking on a link. It has positives and negatives just like links. Nothing new there. I am just surprised that specialist companies have sprung up that capitalize on that simple idea.
[+] [-] teeray|4 years ago|reply
It is only a matter of time before we end up with “digital skimming.” Spoof the site, ask for a CC number, forward the request onward. How would patrons know the QR code was not genuine?
[+] [-] kalleboo|4 years ago|reply
[+] [-] captainbland|4 years ago|reply
I think many of the same rules apply to anti-phishing. A lot of it is about education: making sure that patrons know what a legitimate QR code domain is going to be in advance so they can check it, providing some reporting system for suspect ones (this probably just means telling a member of staff so they can scrape it off and tell the police).
There are some additional advantages afforded to us in the real world like, if the need arise, they could be made hard to forge by including custom holograms, embossed patterns and the like.
Although at the moment it seems not many places are taking advantage of these kinds of practices yet, probably because a high profile breach has yet to happen around it.
[+] [-] KMnO4|4 years ago|reply
http://wordpress.mrreid.org/2011/08/06/hacking-qr-codes/
[+] [-] tryingtogetback|4 years ago|reply
If they are this careless about technology, how can I trust them with reporting that touches other domains?
[+] [-] haspoken|4 years ago|reply
Michael Crichton explains:
“Briefly stated, the Gell-Mann Amnesia effect is as follows. You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them. In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know.”
[+] [-] dreen|4 years ago|reply
[+] [-] Meph504|4 years ago|reply
If I said go to amazon.cz/menu and asked you to put in your credit card, it really is no different.
[+] [-] JeanMarcS|4 years ago|reply
You just have to order at the bar, and boom, no tracking !
And then you pay with your card, or phone.
Oh, wait...
[+] [-] geoah|4 years ago|reply
[+] [-] olivierestsage|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] acheron|4 years ago|reply
“Don’t let restaurants track you. Let us do it instead!” - NYT
[+] [-] tester34|4 years ago|reply
[+] [-] imroot|4 years ago|reply
https://retailgeek.com/best-buy-deploys-qr-codes-to-enhance-...
This shouldn't be a surprise to anyone.
[+] [-] karmasimida|4 years ago|reply
But maybe in US, it is true.
[+] [-] minichiello|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] stoneroller|4 years ago|reply
[deleted]
[+] [-] stoneroller|4 years ago|reply
[deleted]
[+] [-] stoneroller|4 years ago|reply
[deleted]
[+] [-] aeoleonn|4 years ago|reply
[+] [-] stoneroller|4 years ago|reply
[deleted]
[+] [-] the-dude|4 years ago|reply
[+] [-] grenoire|4 years ago|reply
I want out.
[+] [-] Meph504|4 years ago|reply
This has been happening for years, and is used widely across the industry, more than a decade ago I worked with one of these systems to be able to associate face from a camera system with this system to add a facial identify to the data.
QR codes are seriously nothing compared to that, and the user has to actively interact with them.