Construction Tech Likes QR Codes, but are they Secure?

by | Oct 3, 2022

The resurgence of QR codes has started to raise data privacy concerns because anything cheap and easy on the internet usually means your data is at risk. An industry like construction with low net margins and high price sensitivity is especially vulnerable.

As noted in the NYT article, consumer privacy advocates are concerned about the data collected as people scan QR codes to enter public spaces or read restaurant menus. In these scenarios, QR codes fall into the same category as browser cookies and other such methods used by online businesses to track consumer behavior.

When QR codes are used as part of a business process, then protecting the data they collect, and the applications they are tied to is as essential as any other business application. Construction data security and privacy is extra complicated because so many construction tech users are not employees of the general contractor.

QR codes are widely used on construction job sites as a safety tool and profitability booster. For example, as a check-in/out alternative to paper logs, they ensure accurate attendance and billing records as employees and subcontractors. With digital check-in data, firms know who is or was on a job site at any moment in the past or present, employee, subcontractor or visitor. If you know who is onsite in real time, it’s easier to privately broadcast messages to everybody on site in case of emergency, accident or other risk events. A more user-friendly alternative to bar codes, QR codes are useful for tracking equipment stored at depots and for checking maintenance schedules.

Construction companies, like Landmark Builders, use a QR code to invoke an application asking everybody entering a job site if they’ve been vaccinated against COVID-19 and to provide, at some sites, proof thereof. Having QR code check in data provides construction site supervisors and owners with an additional view into their business from the perspectives of employee attendance, health, productivity, and profitability.

But the value of those perspectives is at risk if a general contractor ignores data security and privacy concerns. Or they’re rightfully concerned based on the misuse of QR codes for marketing purposes. Recently, a general contractor (GC) we talked to was shocked to discover that one of its vendors was reselling his company’s data to subcontractors. Essentially, this undercut the GCs ability to negotiate an optimal deal with its subcontractors. In an industry with thin margins, negotiation is critical to a project’s profitability.

While the GC was upset, the reality is everything about the transaction was completely legal. Both the GC and subcontractor agreed to the vendor’s privacy policy.

In another case, a quick-and dirty (and free) QR app for pandemic mitigation had no personal data protections at all — every person who checked in had their personal information stored in a publicly accessible web site. There are also dozens of QR code scan apps in the app stores, all free, and all based on advertising and user data brokering, even phishing attacks.

Everybody who’s been in tech knows that the reselling of data is a persistent issue, though not a new one. Yet for the construction industry, one that’s been slower to adopt technology, this issue is a new risk. Understanding it from a GC’s point of view is critical to overcoming the barriers to construction tech adoption, and for investors to realize the opportunities in the hot construction tech market segment. GC’s already have to manage dozens of risks, and now technology has simply brought in one more worry?  No wonder many field workers actively dislike technology.

For construction tech investors and vendors, now is the time to get data security, privacy and usability right. Construction tech investors and vendors must establish enterprise grade business processes and business models that are opposed to requiring, selling or brokering customer data. It’s time to get rid of complex data privacy policies that pop up on screens when customers are most vulnerable – clicking “I agree” when you know they really don’t. Sure, having your company’s privacy policy on your website legally protects the business. But there’s no excuse for not making the policy simple to understand and offer an opt-out option.

Of course, make sure the technology has the right data protections in place: Just because a construction management app is affordable doesn’t mean it can skimp on enterprise app security. Is the connection between the QR code URL and it’s related application secure? Can the QR code be high-jacked, and the user directed to the wrong site? Is the associated web app itself secure and regularly penetration tested? Is the data encrypted in the cloud, and properly backed up? Can the data only be accessed by authorized users in the app vendor’s firm and the GC’s firm? Multi-factor authentication?

The construction tech market is significant as more than $18B was invested in it in 2018, according to Crunchbase. It’s also a segment that’s underserved by technology vendors. The opportunities exist, but the old tech playbook of “move fast and break things” won’t work in an industry where one mistake can bankrupt a firm.

GCs need assurance that technology will make their projects more profitable and their workers more productive. Ease of use, adaptability to local needs and a per-use pricing model are key. The last thing a GC needs is another major risk to manage. Data security and privacy issues erode trust and delay realizing the benefits of exciting new technologies developed specifically for their industry.

As you can see, many factors constitute an optimal check in app for the construction industry. At Safe Site Check In, we deliver construction management software with QR code capabilities, so GCs can manage the access of workers, visitors, and clients through a safe platform. Schedule a demo with us to learn more.