Oh fucking hell, of course these have tracking embedded in them. Here I was complaining just about not having a physical menu, but why not just slap some tracking cookies in there?
Honestly, this isn't really that effective a tracking system, retailers already use beacons that can track every phone that comes into an area, due to the nature of of the way mobile devices look for wifi signal, and in some extreme cases cell towers, a phones in a retail space can be tracked easily, and without consent, knowledge, or interaction of the consumer. These devices can also restrict the range of their signal, and multiple can be used in a location, to track what parts of the stores you are in, and be used at a register location to associate mobile devices to transactions.
This has been happening for years, and is used widely across the industry, more than a decade ago I worked with one of these systems to be able to associate face from a camera system with this system to add a facial identify to the data.
QR codes are seriously nothing compared to that, and the user has to actively interact with them.
This doesn't seem to have have any technical [edited: implementation details]. It does imply that iOS cycles MAC addresses fairly often to mitigate wifi tracking.
I'm not sure what you are referring to about technical difficulties?
And yes iOS has tightened their controls on how their phones can be tracked. Most of these systems right upgrade or new piece of equipment that switches the tracking from wifi to Bluetooth or a combination of both
Sorry, I meant to right technical details [about the implementation]. Somehow I typed the wrong word.
I know that Bluetooth beacons are a thing, but presumably leaving your phone out of discovery mode and not having any active Bluetooth pairings mitigates that, right?
As far as the bluetooth side it, I don't have personal experience with them other knowing that they were added to systems I've worked on after the fact.
So your statement sounds logically, I just can't confirm it.
> Customers simply scan it with their phone camera to open a website for the online menu. Then they can input their credit card information to pay, all without touching a paper menu or interacting with a server
It is only a matter of time before we end up with “digital skimming.” Spoof the site, ask for a CC number, forward the request onward. How would patrons know the QR code was not genuine?
This is definitely already a thing. There were reports of that happening here in Japan when the QR code payment system PayPay took off a few years ago. People would paste their own QR code ontop of the store one
Seems like an opportunistic scam, and a great way to get caught if the would-be scammers do not previously put in place a serious money trail obfuscation system. The investigator has, as the first piece of evidence, basically a direct link to the criminals' bank/ccard acct, for which the bank is legally required to have owners' ID. The casual scammers get caught, the professionals/serious gangs easily obfuscate the trail, and trust in the systems declines further.
In 2011 I remember reading about “QR phishing”, where a transparency is overlaid on a QR code to completely change the data while barely modifying the representation.
I think many of the same rules apply to anti-phishing. A lot of it is about education: making sure that patrons know what a legitimate QR code domain is going to be in advance so they can check it, providing some reporting system for suspect ones (this probably just means telling a member of staff so they can scrape it off and tell the police).
There are some additional advantages afforded to us in the real world like, if the need arise, they could be made hard to forge by including custom holograms, embossed patterns and the like.
Although at the moment it seems not many places are taking advantage of these kinds of practices yet, probably because a high profile breach has yet to happen around it.
Dunno if the article mentiones that, since I dont have a nytimes sub, but the absolute worst thing about QR codes is that they make phishing very easy. Just slap a fake sticker on top of the genuine one, which looks the same save for the code.
Yes, but mainly because it requires awareness and practice, two things a lot of people regardless of their position are naturally bad at. When we are busy or otherwise focus engaged elsewhere it becomes a bigger issue.
But QR doesn't change that, its the same root problem, that is little different that clicking a button in an email that obscures a URL.
I rarely use the phones built in QR readers, I have one that dumps the data, and then I'll copy and paste what I want.
I think it was on HN a while back, someone had made an app, that would serve to strip the tracking info off, by having the original launch done remotely, and then would send back just the secondary URL, basically blackholing the tracking part.
I did a quick search but can't find it, but using tools that either make clear what you are loading, or handle it for you, are effective at circumventing the tracking issue.
But it seems rather pointless how, there are so many other methods at play to track you.
Feels like sloppy journalism the way the article half-assedly doesn't explain how the magic works. The tracking occurs because many QR codes have URLs like some-analytics-server.tld/restaurant=mcdonalds&city=chicago&branch=downtown that record your scan and then redirect to maybe mcdonalds.com/menu/ . Instead the article writes:
> That’s because QR codes can store digital information such as when, where and how often a scan occurs.
Huh? QR codes can store anything, but how are these infos being stored on the codes themselves?
> They can also open an app or a website that then tracks people’s personal information or requires them to input it.
Yeah, if that tracking server also has Facebook/Google embeds they can probably have even more analytics about you.
I should write a "privacy protecting QR code scanner" and be... $4.95 richer from the people who care about privacy buying the $0.99 app.
Exactly. This is sensationalism. QR is merely a barcode capable of encoding rich data. It would be trivial, as you noted, to simply decode the QR code and use an alternate method of browsing. Furthermore, in the USA the ADA protects alternative methods of ordering, so you won’t starve to death because of “QR tracking”.
As long as unscrupulous businesses (not the restaurants in this case) abuse personal privacy, a market will exist that protects it.
What a trainwreck of an article. The tracking is allowed by URLs, not QR codes. The title might as well have been 'Written text is here to stay. So is the tracking it allows.'.
The device you scan the QR code with will ultimately deal with it, as it would if you had clicked a hyperlink in the build in web browser. So if your device blocks tracking tech (cookies etc) then you'd be fine. There's no difference here between a QR and clicking a link though.
iOS's bult-in QR code detector, and others I've seen, only show the domain name of the code. To opt out due to tracking parameters, you have to be shown the full URL. To attempt removing the offending parameters, you need the option to copy the URL to the clipboard or otherwise get it into a text editor rather than simply requesting the URL in the browser.
I don't believe that restaurants or other organizations should feel entitled to make me use my mobile data, which I pay for by the gigabyte, to access their services.
Another template<typename Propaganda> article from the so specialized nytimes, so textbook it hurts.
Checkboxes checked, as coarse as they are:
Use maximum chutzpah implanting the idea that the new order of things is permanent and irreversible
Do that on every occasion, appropriate or not, ever so persistent
Briefly touch on the implications of a new idea, but paint a luring picture of alleged advantages to sell the idea
Describe how ostensibly eager people are to lap it up right now and en masse
Of course, don't hesitate to localize and amplify out-of-place alreadisms - "QR codes may be new to many American shoppers, but they have been popular internationally for years in Japan"
It would have been so easy for the article to state upfront that QR codes are URLs coded as a monochrome patterns of squares. Scanning a QR code is like clicking on that URL. Nothing more, nothing less.
So users that scan a QR code have to be concerned like anyone clicking on a link. It has positives and negatives just like links. Nothing new there. I am just surprised that specialist companies have sprung up that capitalize on that simple idea.
NYT reporting at it's best. How come that a paper that is not small at all (I believe they even have a Tech department, from what i understand it's a low-budget one, but still) doesn't have any tech advisors that can do proofreading?
If they are this careless about technology, how can I trust them with reporting that touches other domains?
“Briefly stated, the Gell-Mann Amnesia effect is as follows. You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them.
In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know.”
Most places I've been to in the past year at least here in London (UK) didn't allow ordering at the bar due to restrictions around queues. Many also didn't allow paying with cash.
Another templated article from the so specialized nytimes, so textbook it hurts.
Checkboxes checked, as coarse as they are:
Use maximum chutzpah implanting the idea that the new order of things is permanent and irreversible
Do that on every occasion, appropriate or not, ever so persistent
Briefly touch on the implications of a new idea, but paint a luring picture of alleged advantages to sell the idea
Describe how ostensibly eager people are to lap it up right now and en masse
Of course, don't hesitate to localize and amplify out-of-place alreadisms - "QR codes may be new to many American shoppers, but they have been popular internationally for years in Japan"
Another templated article from the nytimes, so textbook it hurts.
Checkboxes checked, as coarse as they are:
Use maximum chutzpah implanting the idea that the new order of things is permanent and irreversible
Do that on every occasion, appropriate or not, ever so persistent
Briefly touch on the implications of a new idea, but paint a luring picture of alleged advantages to sell the idea
Describe how ostensibly eager people are to lap it up right now and en masse
Of course, don't hesitate to localize and amplify out-of-place alreadisms - "QR codes may be new to many American shoppers, but they have been popular internationally for years in Japan"
P.S. every additional flag incurs you another scorching pan in one hot place, censors.
Another templated article from the nytimes, so textbook it hurts.
Checkboxes checked, as coarse as they are:
Use maximum chutzpah implanting the idea that the new order of things is permanent and irreversible
Do that on every occasion, appropriate or not, ever so persistent
Briefly touch on the implications of a new idea, but paint a luring picture of alleged advantages to sell the idea
Describe how ostensibly eager people are to lap it up right now and en masse
Of course, don't hesitate to localize and amplify out-of-place alreadisms - "QR codes may be new to many American shoppers, but they have been popular internationally for years in Japan"
P.S. My little silly flagger, don't you know that you'll be held liable for your zealous censorship one day? Nuremberg 2.0 is just around the corner. And it's little henchmen like you who won't be bailed out of this.
44 comments
[ 3.9 ms ] story [ 65.9 ms ] threadI want out.
This has been happening for years, and is used widely across the industry, more than a decade ago I worked with one of these systems to be able to associate face from a camera system with this system to add a facial identify to the data.
QR codes are seriously nothing compared to that, and the user has to actively interact with them.
Don't phone's listen only for SSID beacons? Why would they be transmitting at that time?
And yes iOS has tightened their controls on how their phones can be tracked. Most of these systems right upgrade or new piece of equipment that switches the tracking from wifi to Bluetooth or a combination of both
I know that Bluetooth beacons are a thing, but presumably leaving your phone out of discovery mode and not having any active Bluetooth pairings mitigates that, right?
As far as the bluetooth side it, I don't have personal experience with them other knowing that they were added to systems I've worked on after the fact.
So your statement sounds logically, I just can't confirm it.
But maybe in US, it is true.
It is only a matter of time before we end up with “digital skimming.” Spoof the site, ask for a CC number, forward the request onward. How would patrons know the QR code was not genuine?
http://wordpress.mrreid.org/2011/08/06/hacking-qr-codes/
I think many of the same rules apply to anti-phishing. A lot of it is about education: making sure that patrons know what a legitimate QR code domain is going to be in advance so they can check it, providing some reporting system for suspect ones (this probably just means telling a member of staff so they can scrape it off and tell the police).
There are some additional advantages afforded to us in the real world like, if the need arise, they could be made hard to forge by including custom holograms, embossed patterns and the like.
Although at the moment it seems not many places are taking advantage of these kinds of practices yet, probably because a high profile breach has yet to happen around it.
If I said go to amazon.cz/menu and asked you to put in your credit card, it really is no different.
But QR doesn't change that, its the same root problem, that is little different that clicking a button in an email that obscures a URL.
I rarely use the phones built in QR readers, I have one that dumps the data, and then I'll copy and paste what I want.
I think it was on HN a while back, someone had made an app, that would serve to strip the tracking info off, by having the original launch done remotely, and then would send back just the secondary URL, basically blackholing the tracking part.
I did a quick search but can't find it, but using tools that either make clear what you are loading, or handle it for you, are effective at circumventing the tracking issue.
But it seems rather pointless how, there are so many other methods at play to track you.
> That’s because QR codes can store digital information such as when, where and how often a scan occurs.
Huh? QR codes can store anything, but how are these infos being stored on the codes themselves?
> They can also open an app or a website that then tracks people’s personal information or requires them to input it.
Yeah, if that tracking server also has Facebook/Google embeds they can probably have even more analytics about you.
I should write a "privacy protecting QR code scanner" and be... $4.95 richer from the people who care about privacy buying the $0.99 app.
As long as unscrupulous businesses (not the restaurants in this case) abuse personal privacy, a market will exist that protects it.
At that point, it hasn't even made a request to that website, so I _will_ know beforehand what I'm opening.
https://retailgeek.com/best-buy-deploys-qr-codes-to-enhance-...
This shouldn't be a surprise to anyone.
Checkboxes checked, as coarse as they are:
Use maximum chutzpah implanting the idea that the new order of things is permanent and irreversible
Do that on every occasion, appropriate or not, ever so persistent
Briefly touch on the implications of a new idea, but paint a luring picture of alleged advantages to sell the idea
Describe how ostensibly eager people are to lap it up right now and en masse
Of course, don't hesitate to localize and amplify out-of-place alreadisms - "QR codes may be new to many American shoppers, but they have been popular internationally for years in Japan"
So users that scan a QR code have to be concerned like anyone clicking on a link. It has positives and negatives just like links. Nothing new there. I am just surprised that specialist companies have sprung up that capitalize on that simple idea.
If they are this careless about technology, how can I trust them with reporting that touches other domains?
Michael Crichton explains:
“Briefly stated, the Gell-Mann Amnesia effect is as follows. You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them. In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know.”
You just have to order at the bar, and boom, no tracking !
And then you pay with your card, or phone.
Oh, wait...
Checkboxes checked, as coarse as they are:
Use maximum chutzpah implanting the idea that the new order of things is permanent and irreversible
Do that on every occasion, appropriate or not, ever so persistent
Briefly touch on the implications of a new idea, but paint a luring picture of alleged advantages to sell the idea
Describe how ostensibly eager people are to lap it up right now and en masse
Of course, don't hesitate to localize and amplify out-of-place alreadisms - "QR codes may be new to many American shoppers, but they have been popular internationally for years in Japan"
Checkboxes checked, as coarse as they are:
Use maximum chutzpah implanting the idea that the new order of things is permanent and irreversible
Do that on every occasion, appropriate or not, ever so persistent
Briefly touch on the implications of a new idea, but paint a luring picture of alleged advantages to sell the idea
Describe how ostensibly eager people are to lap it up right now and en masse
Of course, don't hesitate to localize and amplify out-of-place alreadisms - "QR codes may be new to many American shoppers, but they have been popular internationally for years in Japan"
P.S. every additional flag incurs you another scorching pan in one hot place, censors.
Checkboxes checked, as coarse as they are:
Use maximum chutzpah implanting the idea that the new order of things is permanent and irreversible
Do that on every occasion, appropriate or not, ever so persistent
Briefly touch on the implications of a new idea, but paint a luring picture of alleged advantages to sell the idea
Describe how ostensibly eager people are to lap it up right now and en masse
Of course, don't hesitate to localize and amplify out-of-place alreadisms - "QR codes may be new to many American shoppers, but they have been popular internationally for years in Japan"
P.S. My little silly flagger, don't you know that you'll be held liable for your zealous censorship one day? Nuremberg 2.0 is just around the corner. And it's little henchmen like you who won't be bailed out of this.
“Don’t let restaurants track you. Let us do it instead!” - NYT