Are there privacy considerations in the use of direct codes?
The direct QR Code on the left is one I generated to illustrate this post and if you scan it with any QR Code scanner it will take you to one of three places. If you use an iPhone or iPod it will be a YouTube video, if you use an Android device it will be Google News and if you scan with some other mobile device you will end up on the Ralph Lauren mobile commerce website.
How does it work? When you visit a webpage from any computer or mobile device your browser sends a user-agent string to the server hosting the site that you are visiting. This string indicates which browser you are using, its version number and details about your system, such as the operating system you are using. The server can then use this information to provide content that is tailored for your specific browser. The URL in this direct QR Code is a page with a few lines of code that examines the user-agent string and sends you off to various websites depending on what it finds.
It is worth saying at this point that user-agent strings are not unique and that there are probably a million devices with the same string as yours. I don’t think there are any privacy concerns with direct codes and if you want to know what your mobile device user-agent string looks like just visit UserAgentString.com.
Indirect Codes and unique identifiers.
The indirect QR Code on the left is the same one I referred to in a previous post direct and indirect Barcodes. It appears in the bottom right hand corner of this Neustar webpage and when scanned by 99% of QR Code readers it will decode as mc*neu*23 and do absolutely nothing. If you happen to scan the code with the i-nigma reader (i-nigma is a Neustar partner) it will resolve eventually to Neustar’s Facebook page.
So how does that work when there is no URL? Each Neustar text string is unique and must be obtained from them. When the i-nigma reader scans a Neustar text strings it sends it to a server where there is a database of actions for each text string that Neustar has allocated. In this case the action is to send the user to Facebook but it could be almost any action including exactly what happens with the direct QR Code that I generated earlier.
At this stage we may be tempted to say that there is no real difference in scanning a direct or indirect QR Code except that indirect codes will fail with the vast majority of reader apps. However there is another very real difference.
When you download a scanning app that can resolve proprietary 2d codes like Neustar’s it will contain a unique identifier. Every time you scan a code the app will send that unique identifier to be logged and passed on to whoever was allocated the code.
Why is this done? Because once a user has been tagged this way it is possible to monitor and record their scanning activity over time and user behavior data is of course valuable. This is the proprietary code business model, generate revenue from selling the code and provide tracking data to the purchaser.
“You acknowledge that 3GVision collects information in order to provide the i-nigma software and operate the i-nigma service, e.g. information that you have provided to us, or that we have obtained from your use of our products and services (such as the date, time and location of downloading the i-nigma handset software, or browsing activity when using i-nigma)”.
“Such information collected may be stored and processed in any country in which 3GVision or its customers or partners operate. By using the service, you consent to any such transfer of information outside of your country”.
Microsoft and its proprietary barcode MS Tag have a similar privacy disclaimer:
So if there is a problem is there a solution?
A possible solution to the privacy problem with indirect codes would be for the proprietary readers to introduce an obvious opt-in feature at the time the app is downloaded. While we are waiting for that to happen (and it could be long time) users who are concerned can simply avoid downloading indirect code readers.