Scan-to-order System May Serve More Than Just Spaghetti: Data-Hungry Apps Raise Privacy and Security Concerns

On: October 4, 2021


Though scan-to-order systems are seen as a win-win proposition for businesses, the ethics of online privacy and data protection surrounding them are a particularly pressing concern, as some apps collect personal data such as order history, name, gender, and phone number. The emergence of Big Data is seen as a troubling manifestation of Big Brother, enabling invasions of privacy, increased state and corporate control (Gitelman, 2013), and a shift in how privacy is perceived.


Built on top of the mini-app and WeChat payment functions, the scan-to-order system has been widely adopted across Chinese restaurants as well as in the U.S., where the last 18 months saw a 750% increase in QR code downloads according to Bitly, a link management company. By scanning the pixelated square on each table, customers can view an up-to-date digital menu, order without having to flag down a waiter, and pay directly on their phone.

A customer scans a QR code for ordering food at a restaurant in China, 2018. Rayfoto/People Visual

However, to enjoy such convenience, customers are often requested or demanded (Davis and Chouinard, 2016) to follow the restaurant’s social media accounts, or to authorize access to personal information such as phone number, name, gender, and date of birth in order to become members. Otherwise, they are redirected to the previous page, where they cannot place orders, leaving them no choice but to accept the hand-over of their data, an approach termed “resigned pragmatism” (Hargittai and Marwick, 2016). While these systems rarely spell out a privacy policy explaining how and why data are collected, stored, and protected, some users opt out by registering with false information or unsubscribing.

QR codes, mediating between consumers and the restaurant’s operating system, are regarded as a win-win proposition: diners can order food quickly, the restaurant saves by cutting the number and time investment of higher-paid staff, and businesses harvest massive amounts of information about who diners are and what they do or did, even when all diners want is just a meal. To drive more engagement with the restaurant’s public accounts, businesses plug into the machinery of the online advertising ecosystem by streaming information on new menu items and promotions.

Big Data or Big Brother

Seen as a powerful tool to address various societal issues, Big Data is, on the other hand, also a troubling manifestation of Big Brother, enabling invasions of privacy, increased state and corporate control (Gitelman, 2013), and a shift in how privacy is perceived. Bothersome push messages on social media aside, such practices as “informed authorization” should first be questioned. It is necessary to ask which systems are driving these practices, whether users are sufficiently informed to understand and consent to the process of dataveillance, and which are regulating them.

As boyd and Crawford (2012) argue in CRITICAL QUESTIONS FOR BIG DATA, the four forces that regulate Big Data systems (market, law, social norms, and architecture) are at odds, and there is a deep industrial drive toward generating and extracting maximal value from data. At a time when data sets are being aggregated and made easily accessible and manageable to anyone who is curious, regardless of their training (boyd and Crawford, 2012), companies create and provide QR codes, meal-ordering systems, and databases to restaurants. They probably collect data on behalf of a whole bunch of restaurants, and while they’re at it, they can go ahead, take that data, package it up and resell it to others, making users vulnerable to hacks, data theft, or phone invasion.

Meanwhile, they can generate customized systems according to clients’ specifications by selecting which customer data they want to collect; create their own database; analyze user data on consumption histories and habits; form precise user profiles; and develop targeted marketing schemes with discounts, coupons, and points for customers. For example, customers who do not come that often could be filtered at the backend and then woken up through promotions. However, what has been missing is exactly who gets access to what data, and to what ends.

To protect informants’ rights and well-being, a regulation issued by the Chinese Ministry of Industry and Information Technology has already been proposed to protect and manage personal information on mobile internet applications based on two principles: “informed consent” and “collecting the minimum amount necessary.” Users should be informed, in clear and understandable language, of the rules around the processing of personal information and should make voluntary and clear expressions of intention, while apps should not operate outside the scope of the user agreement or in ways irrelevant to the service provided.

Nonetheless, an agreed appropriate duration for keeping online data is difficult to quantify, as boyd and Crawford (2012) also point out that privacy breaches are hard to make specific: is there damage done at the time? What about 20 years hence? To what extent will the personal data collected in these mini-apps be further analyzed or stored? The number of questions left by the scan-to-order system grows as it develops.

However, it is neither a lack of the information necessary for informed consent nor inattention to their privacy, but a marked shift in the understanding of privacy, that contributes to users’ ignorance of the multiplicity of agents and algorithms gathering personal data. Hargittai and Marwick (2016) contend in “What Can I Really Do?”: Explaining the Privacy Paradox with Online Apathy that privacy understood as a commodity was mostly seen as a tradeoff made by the individual: information disclosure in exchange for free personalized digital services. Instead, respondents now saw economic surveillance as something inherent to the digital world, which one needs to accept if one wants to participate in it. As one remarked: “This is capitalism. It is not illegal.”


Moving from an era of expanding data resources into an era in which we have become the resource of data collection that vampirically feeds off our everyday habits, we should be aware that “we are our tools” (Suchman, 2011), and that to “insist on a near-total inhabitation of the forcible frame” would help find a way to exploit dataveillance (Gitelman, 2013).




Afriat, H., Dvir-Gvirsman, S., Tsuriel, K. and Ivan, L., 2021. “This is capitalism. It is not illegal”: Users’ attitudes toward institutional privacy following the Cambridge Analytica scandal. The Information Society, 37(2), pp.115-127.

boyd, d. and Crawford, K., 2012. CRITICAL QUESTIONS FOR BIG DATA. Information, Communication & Society, 15(5), pp.662-679.

Chabot, H., 2021. QR codes may bring up more than just a menu–here’s how to protect your privacy. [online] News @ Northeastern. Available at: <> [Accessed 4 October 2021].

2021. Guests dining in? Let them scan to order. [online] Available at: <> [Accessed 4 October 2021].

Davis, J. and Chouinard, J., 2016. Theorizing Affordances: From Request to Refuse. Bulletin of Science, Technology & Society, 36(4), pp.241-248.

Gitelman, L., 2013. “Raw Data” Is an Oxymoron. Cambridge: MIT Press, Introduction chapter.

Hargittai, E. and Marwick, A., 2016. “What Can I Really Do?”: Explaining the Privacy Paradox with Online Apathy. International Journal of Communication, 10, pp.3737–3757.

Lucas, A., 2021. QR codes have replaced restaurant menus. Industry experts say it isn’t a fad. [online] CNBC. Available at: <> [Accessed 4 October 2021].

Zhao, S. and Duan, J., 2021. In China’s Restaurants, Data-Hungry Apps Will Take Your Order. [online] Sixth Tone. Available at: <> [Accessed 8 October 2021].
