Are There Privacy Issues With QR Codes?

Are there privacy considerations in the use of direct codes?

Example of a direct code
The direct QR Code on the left is one I generated to illustrate this post, and if you scan it with any QR Code scanner it will take you to one of three places. If you use an iPhone or iPod it will be a YouTube video, if you use an Android device it will be Google News, and if you scan with some other mobile device you will end up on the Ralph Lauren mobile commerce website.

How does it work? When you visit a webpage from any computer or mobile device your browser sends a user-agent string to the server hosting the site that you are visiting. This string indicates which browser you are using, its version number and details about your system, such as the operating system you are using. The server can then use this information to provide content that is tailored for your specific browser. The URL in this direct QR Code is a page with a few lines of code that examines the user-agent string and sends you off to various websites depending on what it finds.

It is worth saying at this point that user-agent strings are not unique and that there are probably a million devices with the same string as yours. I don’t think there are any privacy concerns with direct codes and if you want to know what your mobile device user-agent string looks like just visit UserAgentString.com.

Indirect Codes and unique identifiers.


The indirect QR Code on the left is the same one I referred to in a previous post, direct and indirect Barcodes. It appears in the bottom right-hand corner of this Neustar webpage, and when scanned by 99% of QR Code readers it will decode as mc*neu*23 and do absolutely nothing. If you happen to scan the code with the i-nigma reader (i-nigma is a Neustar partner), it will eventually resolve to Neustar’s Facebook page.

So how does that work when there is no URL? Each Neustar text string is unique and must be obtained from them. When the i-nigma reader scans a Neustar text string, it sends it to a server where there is a database of actions for each text string that Neustar has allocated. In this case the action is to send the user to Facebook, but it could be almost any action, including exactly what happens with the direct QR Code that I generated earlier.

At this stage we may be tempted to say that there is no real difference in scanning a direct or indirect QR Code, except that indirect codes will fail with the vast majority of reader apps. However, there is another very real difference.

When you download a scanning app that can resolve proprietary 2D codes like Neustar’s, it will contain a unique identifier. Every time you scan a code, the app will send that unique identifier to be logged and passed on to whoever was allocated the code.

Why is this done? Because once a user has been tagged this way it is possible to monitor and record their scanning activity over time, and user behavior data is of course valuable. This is the proprietary code business model: generate revenue from selling the code and provide tracking data to the purchaser.
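The difference between what the two kinds of server can log, as an added example (not code from this post or from any reader vendor): it models only the user-agent string and the app's unique identifier. The user-agent strings, app identifiers, device owners and every scan record other than the mc*neu*23 string are constructed.

```python
from collections import defaultdict

# Constructed, shortened user-agent strings; many devices send the same one.
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 4_3 like Mac OS X) AppleWebKit/533.17.9"
ANDROID_UA = "Mozilla/5.0 (Linux; U; Android 2.3.4; en-us) AppleWebKit/533.1"

def direct_redirect(user_agent):
    """What the page behind the direct code does: pick a destination by user-agent."""
    ua = user_agent.lower()
    if "iphone" in ua or "ipod" in ua:
        return "YouTube video"
    if "android" in ua:
        return "Google News"
    return "Ralph Lauren mobile site"

# Constructed scan log. Column 0 is ground truth that is never transmitted;
# column 2 is a hypothetical per-install identifier sent by an indirect-code reader.
SCANS = [
    # (person, user_agent, app_id, code, day)
    ("alice", IPHONE_UA, "app-0001", "mc*neu*23", 1),
    ("bob", IPHONE_UA, "app-0002", "code-B", 1),
    ("alice", IPHONE_UA, "app-0001", "code-C", 2),
    ("carol", ANDROID_UA, "app-0003", "mc*neu*23", 3),
    ("bob", IPHONE_UA, "app-0002", "code-D", 4),
]

def histories(key_index):
    """Scan history the server can assemble when it logs the given column as key."""
    out = defaultdict(list)
    for row in SCANS:
        out[row[key_index]].append(row[3])
    return dict(out)

def people_per_key(key_index):
    """How many distinct people hide behind each logged key value."""
    seen = defaultdict(set)
    for row in SCANS:
        seen[row[key_index]].add(row[0])
    return {key: len(people) for key, people in seen.items()}

if __name__ == "__main__":
    print("direct, keyed by user-agent:", people_per_key(1))
    print("indirect, keyed by app id:  ", people_per_key(2))
    print("profile for app-0001:", histories(2)["app-0001"])
```

Keyed by user-agent, Alice's and Bob's scans merge into one history that cannot be split; keyed by the app identifier, every history belongs to exactly one install.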

Privacy Issues.

So where does the log of your scanning activity end up? The answer is – it could end up anywhere! For example, 3GVision is the company that developed the i-nigma reader and here are two quotes from their privacy policy:

“You acknowledge that 3GVision collects information in order to provide the i-nigma software and operate the i-nigma service, e.g. information that you have provided to us, or that we have obtained from your use of our products and services (such as the date, time and location of downloading the i-nigma handset software, or browsing activity when using i-nigma)”.

And

“Such information collected may be stored and processed in any country in which 3GVision or its customers or partners operate. By using the service, you consent to any such transfer of information outside of your country”.

Microsoft and its proprietary barcode MS Tag have a similar privacy disclaimer:

“Information about your device (“standard device information”) is sent to Microsoft each time you request content associated with a Tag or select Learn More, provide Feedback, or access the Privacy Statement and Terms of Use. Microsoft uses standard device information to provide you with the Tag Reader service, to help improve our products and services, to check for and notify you of available updates to Tag Reader, to help Tag creators provide more personalized content, and for statistical analysis. Standard device information includes information such as your phone model and version, Tag Reader version, browser version, regional and language settings, and a unique identifier that identifies your device. Microsoft may send this information to the Tag creator so that they can provide more personalized services based on your device and their other Tags that you have scanned. The use of this information is subject to the Tag creator’s privacy practices. Microsoft is not responsible for third parties’ privacy practices”.

These “we are going to pass your data to third parties and we are not responsible for what they do with it” privacy policy implications seem to be the norm for proprietary codes.

So if there is a problem, is there a solution?

A possible solution to the privacy problem with indirect codes would be for the proprietary readers to introduce an obvious opt-in feature at the time the app is downloaded. While we are waiting for that to happen (and it could be a long time), users who are concerned can simply avoid downloading indirect code readers.

12 thoughts on “Are There Privacy Issues With QR Codes?”

  1. QR codes should be readable by any QR code scanner. If a marketer employs a system that creates codes that can’t be read by most scanners, they are severely limiting the effectiveness of their campaigns. I don’t think the argument is correctly framed as direct vs indirect. The example you give is probably just an ill conceived application of a particular code. It is incredible to me that some very basic mistakes are still being made with QR code applications, but I guess that these are mostly just growing pains.

  2. Proprietary code should be avoided.
    They only profit to their seller.
    Denso-Wave invented a wonderful technology within the reach of individual and very open it’s a pity to see proprietary code :(.
    We need standardization to make QR succeed everywhere.

  3. “If a marketer employs a system that creates codes that can’t be read by most scanners, they are severely limiting the effectiveness of their campaigns” (Tom)

    Echo that, and also think that such selfish practice cuts into the QR mass market awareness momentum. Consider a totally unexperienced mobile phone user tempted to take the first go with the QR code, and got rejected by (the other 99%) his/her QR reader! We simply lose this mobile phone user from the QR world from that point on! It’s more than selfish, it hurts everybody!

  4. QR code should be all direct, so that all scanners can read and reach their content. Second point is that indirect codes do not imply passing user data to the specific server. Indirect codes require going to a server and fetching a target from a table in that server. Not all readers know how to ‘talk’ to these servers from the code appearance – so not all readers will know what to do with such codes. In the specific example mentioned i-nigma does not pass to Neustar any private data when it goes to their server to fetch the target URL. Private user data is never used by 3GVision and as such cannot be passed to any third party. Although i-nigma currently supports the Neustar indirect codes, it does not like indirect codes (like any other reader). It is important to stress that indirect codes do not imply a privacy issue. It does imply chaos and frustrations on the side of users that should switch readers for being able to read them. This is the reason why indirect codes should not exist.

  5. I am surprised to read this info, I have always assumed they are uniform in their destinations? I hope this gets sorted out by the time they get mainstream here in Australia, we don’t see many so hopefully we will start on the correct platform, I quite like the concept

  6. I believe there’s a reason that a QR reader provisioning company twists its QR reader to support some proprietary indirect code (and then forward to the proprietary service).

    Just like there are hundreds of free QR code generators around, there are also many many free QR readers available for download. QR reader companies are desperate in finding revenue under such open competition condition.

    Supporting proprietary indirect code is definitely a short-term money source for the QR reader company, but it really really stirs the water and makes the whole QR market muddy from the users’ perspective, and as such contributes significantly to the reduction of QR market momentum.

  7. @Haim If as you say “Private user data is never used by 3GVision and as such cannot be passed to any third party”, then why does the 3GVision privacy policy say “You acknowledge that 3GVision collects information …” followed by “Such information collected may be stored and processed in any country in which 3GVision or its customers or partners operate”.

  8. Roger, first of all I’d like to thank you for pointing out the problematic text found in the 3GVision website, we are working to fix it. The text was initially written for legal purposes a couple of years ago when in real life this text is significantly different from what 3GVision actually does. Today 3GVision does collect clicks-data and use it to generate statistical reports. I would like also to point out that unlike many other readers, i-nigma does not use today any location-data (which may link to privacy issues). 3GVision has nothing to do with private or sensitive user data, and never handed out (nor will hand out in future) such data to any third party - Neustar included.

  9. Haim, How does 3GVision make money on QRs? I like your scanner and find it to be the best at reading codes (although sometimes it does not format the resolve to my mobile device as well as other scanners).

  10. Tom, you mentioned that we are good at reading codes; well we sell our reading engine as an SDK with QR DM and 1D codes for apps developers. Our 1D reader is exceptionally good and our customers tell us that it performs better than other well known readers like Redlaser.
    We also provide end to end solution and consulting for campaigners, creating the codes, designing them and providing reports on number of clicks, timing slices, countries division and device types. This includes also enhancing the mobile sites.
    Another branch is branded readers, a whole reader application with branded logos colors and tailored functionality.

  11. Roger, Thank you for continuing to share your knowledge and helping educate us all on the use of QR codes! Privacy issues and the misuse of information gathered through scanning QR codes are of great concern! 3GVision’s i-nigma is a great scanner, but there are others that are just as good.

    Let’s stick with direct QR Codes! There is less confusion and should lead to higher read rates!
