Editorial Note: This article has been modified and embellished by NAPCO website publishers to relate to trial court leaders. The basic substance of the information, however, was drawn from Mr. Acello’s ABA Journal story entitled “Going Viral: Once unpopular, QR codes have taken off, thanks to the pandemic”.
QR (quick response) codes are the black-and-white barcodes resembling boxes full of squiggles, squares and dots that have become ubiquitous on many forms of advertising. Invented in 1994 by engineers at the Japanese company Denso Wave, a Toyota parts supplier, as a means of tracking those parts, QR codes became more widespread in the 2010s as companies started using them to provide users with access to a wide range of services, including restaurant ordering, electronic payments and gaming.
Even so, the technology didn’t quite catch on. Turns out, many people were confused by the codes and didn’t know what to do with them. Inc. Magazine found in 2012 that 97% of consumers did not know what a QR code was. Additionally, most smartphones at the time did not have a native app or scanner that could read the code, forcing users to download a special program, which led to even more confusion and inconvenience. According to a 2013 study by marketing analytics firm Marketing Charts, only 21% of smartphone users had ever scanned a QR code.
But then the pandemic hit, and QR codes became very popular as people looked for a contact-free way to share information. According to eMarketer, in 2019, 52.6 million smartphone users scanned a QR code. This year, it is estimated that 83.4 million will scan a code, and by 2025, QR codes will be scanned by 99.5 million smartphone users, nearly double the 2019 mark. To drive traffic, eMarketer encourages its readers to create QR codes that are innovative, such as games to obtain discounts or provide access to promotions and deals.
While many trial court leaders discovered the usefulness of QR codes along with the public during the pandemic, some cutting-edge, high-tech, user-friendly judicial systems discovered the value of them early-on. They understood that by embedding virtually any data, video or images in the code, the information could easily be distributed and processed by merely scanning it through various smartphone gadgets. Consequently, this technology has been used to e-file cases and pleadings; share PDF files, images, sound files and events; receive and send court documents digitally; share files during virtual hearings; share live-streaming of open court hearings; share direct information through websites; retrieve case law and law journal articles online; and authenticate court orders.
Privacy and Security Risks
Privacy advocates, however, see a darker side to QR codes, especially in the private sector. The risk in blindly following a link in a QR code is that it is akin to clicking on a malicious link found in a phishing or suspicious email, says LegalTech news in a March 2022 article. In both situations, the destination website can contain exploitable code which can execute malicious programs on the user’s system. Moreover, mobile devices like cellphones are at risk from maliciously designed QR codes which can trigger the host device to activate cameras, GPS tracking, and other features of the phone. While governments have gone to tremendous efforts to educate judges, employees and customers on the danger of phishing emails, there appears to be little effort made to educate them on the danger of QR codes.
“Really sensitive information about you is being collected and monetized by the QR-code generation company,” says Nicole A. Ozer, technology and civil liberties director of the American Civil Liberties Union of Northern California.
Ozer says QR generators can use the codes to get your phone’s unique device identifier and location information. “Companies share the information they retrieve with other marketing companies, so the big picture creates much more info than just when retrieve a menu,” she says. “Most of the restaurants have no idea that they are being used as a cog in this huge ecosystem.”
While that information may seem innocuous, Ozer cautions that companies can extrapolate all sorts of information from a given data point and make important assumptions about people that could have major repercussions in their lives.
“So now they know I like pepperoni pizza,” Ozer says. “That info could be provided to my health insurance or life insurance companies. Then if these companies get more information about someone—for instance, if they eat takeout every day or if they engage in risky behavior like skydiving—they can use it to determine how much coverage, if any, someone should have.” Ozer suggests that in the commercial world consumers pass on QR codes and request a paper menu instead.
Issuers of QR codes also must evaluate the risks to their clients, says Linn F. Freedman, chair of the data privacy and cybersecurity team at Robinson & Cole.
“Any technology that uses code, like phishing—or in this case, QRishing—presents the ability for bad actors to leverage the information. So as the issuer, you want to make sure you have sufficient security measures in place,” Freedman says. “Bad actors can victimize you or your clients. The information could be used to even perpetrate a fraud in your name.”
Pointing out the wide use of QR codes, Freedman referenced the bouncing QR code deployed by Coinbase in a February Super Bowl ad that was scanned by more than 20 million people in one minute. The traffic was so heavy, it caused the app to crash. “I am concerned that the Coinbase ad gave people a false sense of security,” Freedman says. “I’m concerned that people are getting comfortable with QR codes without understanding that they can be malicious, just like links or texts.”
The popularity of QR codes increases the possibility that consumers could unwittingly scan them, thereby giving access to a hacker to do all sorts of malicious things, like installing spyware or tracking consumer behavior or stealing sensitive information.
The situation is now such that governments are issuing QR code warnings. The FBI advises using caution when entering login, personal or financial information from a site navigated to from a QR code. Additionally, the Bureau says, do not download an app from a QR code or a QR code scanner app. If you receive an email saying a payment failed from a company with which you recently made a purchase, and the company states you can only complete the payment through a QR code, call the company to verify.
North Carolina Attorney General Josh Stein says QR codes can be helpful, “but like any technology, it can be used against us.” Stein advises that consumers should exercise caution with QR codes.
“If you order through the QR code, check the URL to make sure it’s really the restaurant,” he says.
When it comes to government use of QR codes, security generally is better. There have been problems, however, where cybercriminals have taken advantage of government technology through directing QR code scans to malicious sites to steal victim data or embed malware to gain access to a victim’s device,” the FBI recently noted in an article in Government Technology magazine (February 2022).
This cautionary advisory came soon after the Massachusetts State Police issued a warning that QR codes on parking meters in that state may link users to fraudulent payment sites. In these cases, instead of paying for parking, the victim ended up submitting payment information to scammers. Scammers tampered with both digital and physical QR codes to replace legitimate codes with malicious ones so that when victims thought they are scanning a real code, it actually directed them to a malicious site. Here, victims were prompted to enter login or financial information that gave cybercriminals access to funds from their accounts. Malicious QR codes may also contain embedded malware, the FBI warned, allowing scammers to gain access to the victim’s phone to steal personal information like their location. Stolen information can also be used to withdraw money from accounts.
“While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code. Law enforcement cannot guarantee the recovery of lost funds after transfer,” the Bureau said.
The FBI listed the following advice to help users protect themselves from QR code scams:
- Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Practice caution when entering login, personal or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company’s phone number through a trusted site rather than a number provided in the email.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
Not unexpectedly, all helpful technology benefits come with risks. That sentiment remains as true today about the digital age as it was a century ago in simpler times when the great American playwright and novelist Thornton Wilder (1897-1975) wrote, “Every good thing in the world stands on the razor edge of danger.”