QR Codes Are Here to Stay. So Is the Tracking They Allow(nytimes.com)
nytimes.com
QR Codes Are Here to Stay. So Is the Tracking They Allow
https://www.nytimes.com/2021/07/26/technology/qr-codes-tracking.html
44 comments
The Gell-Mann Amnesia effect is how.
Michael Crichton explains:
“Briefly stated, the Gell-Mann Amnesia effect is as follows. You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them. In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know.”
Michael Crichton explains:
“Briefly stated, the Gell-Mann Amnesia effect is as follows. You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them. In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know.”
Well, I don't see the problem.
You just have to order at the bar, and boom, no tracking !
And then you pay with your card, or phone.
Oh, wait...
You just have to order at the bar, and boom, no tracking !
And then you pay with your card, or phone.
Oh, wait...
Most places I've been to in the past year at least here in London (UK) didn't allow ordering at the bar due to restrictions around queues. Many also didn't allow paying with cash.
Speaking of allowing tracking, Ghostery shows 48 trackers on that article.
“Don’t let restaurants track you. Let us do it instead!” - NYT
“Don’t let restaurants track you. Let us do it instead!” - NYT
Here's a non-paywall version: http://archive.today/UbuUS
[deleted]
stoneroller(1)
Oh fucking hell, of course these have tracking embedded in them. Here I was complaining just about not having a physical menu, but why not just slap some tracking cookies in there?
I want out.
I want out.
Honestly, this isn't really that effective a tracking system, retailers already use beacons that can track every phone that comes into an area, due to the nature of of the way mobile devices look for wifi signal, and in some extreme cases cell towers, a phones in a retail space can be tracked easily, and without consent, knowledge, or interaction of the consumer. These devices can also restrict the range of their signal, and multiple can be used in a location, to track what parts of the stores you are in, and be used at a register location to associate mobile devices to transactions.
This has been happening for years, and is used widely across the industry, more than a decade ago I worked with one of these systems to be able to associate face from a camera system with this system to add a facial identify to the data.
QR codes are seriously nothing compared to that, and the user has to actively interact with them.
This has been happening for years, and is used widely across the industry, more than a decade ago I worked with one of these systems to be able to associate face from a camera system with this system to add a facial identify to the data.
QR codes are seriously nothing compared to that, and the user has to actively interact with them.
> due to the nature of of the way mobile devices look for wifi signal
Don't phone's listen only for SSID beacons? Why would they be transmitting at that time?
Don't phone's listen only for SSID beacons? Why would they be transmitting at that time?
https://www.pointr.tech/blog/wifi-or-beacons-for-indoor-loca... this will likely provide a lot more details about how beacon frames are used for location tracking.
This doesn't seem to have have any technical [edited: implementation details]. It does imply that iOS cycles MAC addresses fairly often to mitigate wifi tracking.
I'm not sure what you are referring to about technical difficulties?
And yes iOS has tightened their controls on how their phones can be tracked. Most of these systems right upgrade or new piece of equipment that switches the tracking from wifi to Bluetooth or a combination of both
And yes iOS has tightened their controls on how their phones can be tracked. Most of these systems right upgrade or new piece of equipment that switches the tracking from wifi to Bluetooth or a combination of both
Sorry, I meant to right technical details [about the implementation]. Somehow I typed the wrong word.
I know that Bluetooth beacons are a thing, but presumably leaving your phone out of discovery mode and not having any active Bluetooth pairings mitigates that, right?
I know that Bluetooth beacons are a thing, but presumably leaving your phone out of discovery mode and not having any active Bluetooth pairings mitigates that, right?
No worries, I do that all the time myself.
As far as the bluetooth side it, I don't have personal experience with them other knowing that they were added to systems I've worked on after the fact.
So your statement sounds logically, I just can't confirm it.
As far as the bluetooth side it, I don't have personal experience with them other knowing that they were added to systems I've worked on after the fact.
So your statement sounds logically, I just can't confirm it.
Thank you!
I like how the title phrases this as something new.
But maybe in US, it is true.
But maybe in US, it is true.
> Customers simply scan it with their phone camera to open a website for the online menu. Then they can input their credit card information to pay, all without touching a paper menu or interacting with a server
It is only a matter of time before we end up with “digital skimming.” Spoof the site, ask for a CC number, forward the request onward. How would patrons know the QR code was not genuine?
It is only a matter of time before we end up with “digital skimming.” Spoof the site, ask for a CC number, forward the request onward. How would patrons know the QR code was not genuine?
This is definitely already a thing. There were reports of that happening here in Japan when the QR code payment system PayPay took off a few years ago. People would paste their own QR code ontop of the store one
Seems like an opportunistic scam, and a great way to get caught if the would-be scammers do not previously put in place a serious money trail obfuscation system. The investigator has, as the first piece of evidence, basically a direct link to the criminals' bank/ccard acct, for which the bank is legally required to have owners' ID. The casual scammers get caught, the professionals/serious gangs easily obfuscate the trail, and trust in the systems declines further.
In the current state of play you might be right.
I think many of the same rules apply to anti-phishing. A lot of it is about education: making sure that patrons know what a legitimate QR code domain is going to be in advance so they can check it, providing some reporting system for suspect ones (this probably just means telling a member of staff so they can scrape it off and tell the police).
There are some additional advantages afforded to us in the real world like, if the need arise, they could be made hard to forge by including custom holograms, embossed patterns and the like.
Although at the moment it seems not many places are taking advantage of these kinds of practices yet, probably because a high profile breach has yet to happen around it.
I think many of the same rules apply to anti-phishing. A lot of it is about education: making sure that patrons know what a legitimate QR code domain is going to be in advance so they can check it, providing some reporting system for suspect ones (this probably just means telling a member of staff so they can scrape it off and tell the police).
There are some additional advantages afforded to us in the real world like, if the need arise, they could be made hard to forge by including custom holograms, embossed patterns and the like.
Although at the moment it seems not many places are taking advantage of these kinds of practices yet, probably because a high profile breach has yet to happen around it.
In 2011 I remember reading about “QR phishing”, where a transparency is overlaid on a QR code to completely change the data while barely modifying the representation.
http://wordpress.mrreid.org/2011/08/06/hacking-qr-codes/
http://wordpress.mrreid.org/2011/08/06/hacking-qr-codes/
Dunno if the article mentiones that, since I dont have a nytimes sub, but the absolute worst thing about QR codes is that they make phishing very easy. Just slap a fake sticker on top of the genuine one, which looks the same save for the code.
In most cases a QR code is just opening a URL, and if the URL seems sketch, don't put your credit card in.
If I said go to amazon.cz/menu and asked you to put in your credit card, it really is no different.
If I said go to amazon.cz/menu and asked you to put in your credit card, it really is no different.
That's true for all phishing yet people fall for it just the same, even tech people
Yes, but mainly because it requires awareness and practice, two things a lot of people regardless of their position are naturally bad at. When we are busy or otherwise focus engaged elsewhere it becomes a bigger issue.
But QR doesn't change that, its the same root problem, that is little different that clicking a button in an email that obscures a URL.
I rarely use the phones built in QR readers, I have one that dumps the data, and then I'll copy and paste what I want.
I think it was on HN a while back, someone had made an app, that would serve to strip the tracking info off, by having the original launch done remotely, and then would send back just the secondary URL, basically blackholing the tracking part.
I did a quick search but can't find it, but using tools that either make clear what you are loading, or handle it for you, are effective at circumventing the tracking issue.
But it seems rather pointless how, there are so many other methods at play to track you.
But QR doesn't change that, its the same root problem, that is little different that clicking a button in an email that obscures a URL.
I rarely use the phones built in QR readers, I have one that dumps the data, and then I'll copy and paste what I want.
I think it was on HN a while back, someone had made an app, that would serve to strip the tracking info off, by having the original launch done remotely, and then would send back just the secondary URL, basically blackholing the tracking part.
I did a quick search but can't find it, but using tools that either make clear what you are loading, or handle it for you, are effective at circumventing the tracking issue.
But it seems rather pointless how, there are so many other methods at play to track you.
Feels like sloppy journalism the way the article half-assedly doesn't explain how the magic works. The tracking occurs because many QR codes have URLs like some-analytics-server.tld/restaurant=mcdonalds&city=chicago&branch=downtown that record your scan and then redirect to maybe mcdonalds.com/menu/ . Instead the article writes:
> That’s because QR codes can store digital information such as when, where and how often a scan occurs.
Huh? QR codes can store anything, but how are these infos being stored on the codes themselves?
> They can also open an app or a website that then tracks people’s personal information or requires them to input it.
Yeah, if that tracking server also has Facebook/Google embeds they can probably have even more analytics about you.
I should write a "privacy protecting QR code scanner" and be... $4.95 richer from the people who care about privacy buying the $0.99 app.
> That’s because QR codes can store digital information such as when, where and how often a scan occurs.
Huh? QR codes can store anything, but how are these infos being stored on the codes themselves?
> They can also open an app or a website that then tracks people’s personal information or requires them to input it.
Yeah, if that tracking server also has Facebook/Google embeds they can probably have even more analytics about you.
I should write a "privacy protecting QR code scanner" and be... $4.95 richer from the people who care about privacy buying the $0.99 app.
Exactly. This is sensationalism. QR is merely a barcode capable of encoding rich data. It would be trivial, as you noted, to simply decode the QR code and use an alternate method of browsing. Furthermore, in the USA the ADA protects alternative methods of ordering, so you won’t starve to death because of “QR tracking”.
As long as unscrupulous businesses (not the restaurants in this case) abuse personal privacy, a market will exist that protects it.
As long as unscrupulous businesses (not the restaurants in this case) abuse personal privacy, a market will exist that protects it.
I'm not a fan of the fact that world revolves around having smartphone
What a trainwreck of an article. The tracking is allowed by URLs, not QR codes. The title might as well have been 'Written text is here to stay. So is the tracking it allows.'.
Except an ordinary human can't decode a QR code, so you will only know after the fact.
The device you scan the QR code with will ultimately deal with it, as it would if you had clicked a hyperlink in the build in web browser. So if your device blocks tracking tech (cookies etc) then you'd be fine. There's no difference here between a QR and clicking a link though.
My phone always asks me "do you want to open somewebsite.com in the browser?" when I scan a QR code.
At that point, it hasn't even made a request to that website, so I _will_ know beforehand what I'm opening.
At that point, it hasn't even made a request to that website, so I _will_ know beforehand what I'm opening.
iOS's bult-in QR code detector, and others I've seen, only show the domain name of the code. To opt out due to tracking parameters, you have to be shown the full URL. To attempt removing the offending parameters, you need the option to copy the URL to the clipboard or otherwise get it into a text editor rather than simply requesting the URL in the browser.
And without reading the TFA of course, I assumed it was about the Corona vaccinated / clean 'passports' / 'certificates'.
BestBuy's been doing this since 2010:
https://retailgeek.com/best-buy-deploys-qr-codes-to-enhance-...
This shouldn't be a surprise to anyone.
https://retailgeek.com/best-buy-deploys-qr-codes-to-enhance-...
This shouldn't be a surprise to anyone.
I don't believe that restaurants or other organizations should feel entitled to make me use my mobile data, which I pay for by the gigabyte, to access their services.
[deleted]
It would have been so easy for the article to state upfront that QR codes are URLs coded as a monochrome patterns of squares. Scanning a QR code is like clicking on that URL. Nothing more, nothing less.
So users that scan a QR code have to be concerned like anyone clicking on a link. It has positives and negatives just like links. Nothing new there. I am just surprised that specialist companies have sprung up that capitalize on that simple idea.
So users that scan a QR code have to be concerned like anyone clicking on a link. It has positives and negatives just like links. Nothing new there. I am just surprised that specialist companies have sprung up that capitalize on that simple idea.
If they are this careless about technology, how can I trust them with reporting that touches other domains?