Restaurant & Cafe QR Codes, Digital Menus, and Ordering

Slightly side topic of providing ID info. I won’t use the QR code readers on tables in restaurants/cafes, I go up to the counter to order. Often it’s quicker (than logging in and trying to put your order together on a phone) but also all the information required for that transaction is my table number (or give me a stick with a table number or a buzzer) and my money. When you do the QR code thing they want all your information to mine and sell - name, phone number, email etc. They can bugger off.


Welcome to the community @Katchmydrift1
Here’s a new topic for your first post grouped with other topics on Digital Privacy. Open for others to add their observations, experiences and thoughts.

Our experience suggests not all, however.
A further grumble when it is the only option if one intends to eat and the only way to access todays menu. One can also be asked to pay through the same service connection.

There are those who are adept at responding including booking on line. Often made all that more convenient by using one’s Google or Facebook or … other saved personal details to expedite identification and opening a lifelong connection. Exactly what is shared and or agreed to - how many look beyond the “Next/Continue/Accept” button?

1 Like

I’ll have nothing to do with scanning QR codes. For security reasons.

During the Covid thing, when people were required to scan codes all the time everywhere one went, I never did. For security reasons.

I thought I was the only person in Australia who owns a mobile and will not use QR codes. People are often amazed to hear that I never scanned once during the whole of covid, and don’t even have a reader app. Apart from the lack of security, and flawed ethics of forced registration, I object to a system that discriminates against people who choose not to have a mobile or cannot operate one. I took pleasure in making whatever manual alternative they had as time consuming and annoying as possible.

1 Like

This. You do not know where the code will send you. I understand that most phones will now give you a warning before you go to the destination, but that doesn’t help when a malicious website has access to the multitude of characters that make up Unicode/UTF-8, many of which appear identical to the human eye. paypaI. com, anyone? (And the space is so nobody accidentally clicks the automatically created link in which I used a capital i rather than lower case l.) (No, Internet URLs are not necessarily case sensitive - but they are able to use the entire Unicode character set.)

Why make a misery for someone who has no control over the circumstances nor ability to change the outcome.


Businesses were quite perplexed when I would pull out my phone and show some staffer my vax certificate as a PDF, but then I refused to do anything with their stupid QR codes.

Here is my name and contact number on a card. You sign me in.

My main bug bear is that the company that is providing this service often bears no obvious relationship with the restaurant. That is to say, the restaurant has just used a third party to provide that service. So there is no real way to verify that the QR code is legitimate, let alone that you want to trust that provider.

Secondary bug bears are that in order to use that service it is often necessary to create an account and to surrender private information. On top of that, the private information can include providing credit card details.

So, all in all, not an attractive proposition from a security and privacy point of view.

To put that more politely ;-), so far I have always declined to do this.

This. This is the sine qua non although that applies to every situation in which a QR code is used i.e. it is important to understand the potential implications of scanning the QR code before those implications become actual.

As an example, a QR code can be used to configure the details of a Wireless Access Point into your phone or to send an email or text message, just as a QR code can be a regular URL (and a URL can be an http/https URL or could be something else that your phone supports!).

To provide the documentary link for even more insidious variations: IDN homograph attack - Wikipedia

While that is true … the domain part is always case insensitive, and it is the domain part that is really what we care about with a QR code that represents a URL.

In the case of COVID, the government was always sensitive to that - and that’s why they mandated that a low-tech alternative exist.

That won’t happen in restaurants. That is, the government won’t mandate that a low-tech menu and ordering option exist. Government will leave it to the market.
(Edit: Edited previous paragraph for clarity.)

I can imagine a future where you won’t even be able to pay without having a mobile phone (and hence you can’t go to the restaurant at all). The problem here is that the government has a conflict of interest - because they benefit in terms of surveillance and control the more stuff is “online”.

1 Like

Why would that be? The primary reason the QR code scanning thing came about is because various governments mandated that businesses implement it.

Now all that is gone, my impression is that businesses are happy to see the end of them, but still offer it to the millenials who just love to get out the smart phone at every opportunity.

I would rather not make misery for those people, but there was no other way to make those in authority aware that their policy was unacceptable. It was a form of civil disobedience, and hopefully when managers saw that their innocent staff were bearing the load, they would look seriously at their practices.

The government always has to take into account that their “mandates” affect every person from all walks of life, from the wealthy to the homeless. Therefore, they always have to offer alternatives. Not so businesses, who will do only what is cost effective. It is important to push back against businesses who are lazy in recognising the diversity of their clientele. I am noticing this very often now with multifactor authentification, where online sites (eg telcos) refuse to offer anything but SMS as a method. I have terminated my relationship with a few who refuse to offer an email or other option. However, the government and banks know that they must be more flexible, because their services are required by every person in society.

If one has a problem with how an establishment is run, taking the complaint direct to management in person has always stood us in good stead. If one does not have the common decency to do so advisable not to offer one’s custom.

As to a business’ practices - a serious look due to misbehaviour by customers could lead to removal of any alternative.

In my case there was no notion of civil disobedience involved.

I simply reminded businesses that it was THEM that were required to record visitor details, and that they had to cater for those who couldn’t or wouldn’t use QR scanning. In many cases that was just a signin sheet near the entrance. Easy.

It all became a moot point when the Gov stepped in and mandated QR checkin apps. None of which worked on any devices I had.

But returning to the original topic of QR code usage post-pandemic, it is simply insecure and possibly hazardous to use. Which is why I never use it.

But I’m suggesting that in the case of interacting with a restaurant there will be no mandate from government.

I don’t know this for a fact but it is entirely possible that this is coming from government. In the heavily regulated banking and telco spaces, for every bad thing that happens, you should always ask yourself: did this come from government?

Market forces?
We’ve been to a number of different MacDonalds this year while travelling. In several a staff person near to the self service menus made an extra effort to direct us to use them. More than once the order has been entered for us. While on one occasion we were told this was the only way to order. It does avoid any perceived issue with QR codes.

It’s not my preference to self order, we’ve noted the franchisees in localities with significant numbers of older customers are still able to take orders in person. Although the menu is no longer displayed to aid selection?

OTOH there is also considerable encouragement to install the Macas App and order ahead using one’s personalised menu and payment details. Cynically a strategy supported IMO by the latest Monopoly give away promotion.

I don’t expect a mandate either way. It’s worth asking whether anti discrimination legislation ensures some in the community will still need to be offered the ability to order over the counter or person to person?

1 Like

Yes, possibly, in respect of disability. However cases take years, if they commence at all, and may have inconclusive and limited outcomes. Technology is a two-edged sword in this scenario i.e. sometimes it can be used to make things easier, not harder. for disabled people.

Having discussed this with a couple of financial organisations, you are correct, the government has specified that they must move to MFA. However, the government does not seem to specify how it is offered, although I believe that they “recommend” more that one option. The problem is then back with the organisations, who won’t make the effort/spend the money to serve their entire customer base. I have terminated my relationship with two in the past year because of this. IMO, the government, in their new requirements need to add the specification that at least two options must be offered.


It may be more appropriate to also nominate what one of the minimum of two must provide for.

A possible roadblock to any action is we already have governments imposing conditions/limitations on access for services they control. The most ubiquitous may be public transport. Cashless and ticketless travel is for many the only option. It’s up to the customer to choose the menu and pay staff-free on exit. IE the customer chooses which mode of travel (meal size), the desired serving (route), and on exit pays the bill (travel card debited).

One way forward:
We have used several establishments that do provide a tablet device at each table for use in ordering. This could offer a better alternative, especially since the table number is the only ID one needs to share. Payment via CC, Debit card, or for the moment cash on the way out.

Practically, though when there is more than one of us and just a single device it can take some time to work through the choices. Preferable still to standing for the similar experience at the “Laughing Clown” franchises. It may be older brain cell connections - I find their system more challenging than a ‘Where’s Wally’. :joy:
No need for anyone to mention the alternative all seeing and knowing MacDonalds App for the smartphone.

That digital customer self service has found it’s way from car parks, air travel, supermarket shopping, and public transport to sit down food service should not be a surprise. Unknown if the cost savings and shared data are going to the benefit of the customer or the owners SSF! Custom Sushi Train anyone?