Do you use QR codes sometimes? Are you aware of their privacy implications?

Let me give you a few insights, and let me present a sweet and tidy solution that lets you profit from all the convenience and avoid all the problems:

QR Reader Web App

What’s a QR code?

You might be totally familiar with the QR codes (QR for «quick response») on billboards, ads, brochures, party invitations and business cards.

They have existed for many years, but widespread use has only picked up when popular operating systems and smartphones have started integrating readers into camera apps.

Today, you can point your smartphone camera at a QR code, and the intended action (or «quick response»…) is automatically launched: you are taken to a website, a sign-up form, an email draft, a phonecall directly.

What’s the problem?

First of all: Many people are unaware of how much information they inadvertently share whenever they visit any web page – even before QR:

  • Your internet connection’s so-called IP address pretty well locates you on the globe. It might not locate the exact building or even town you are currently in. But your region or country is usually pretty accurately known.
  • Your preferred languages can carry a lot of demographic information and are shared with any website you visit.
  • So is detailed information about your device (smartphone, laptop), its operating system (Windows, Mac OS, iOS, Android, Linux etc.) along with its version and the internet browser app you are using, again including the version you have last upgraded to.

This is all before all the additional information that can be indirectly detected with advanced methods that can be used by any web page without your involvement, including being tracked across the internet via cookies and the like. amiunique.org serves some interesting insights and examples if you are interested.

Now let’s add QR codes into the mix.

If a QR code contains an internet address, the above information can be enriched in simple, yet utterly effective ways. Let me try to walk you through an example.

Let’s say my website is example.com:

  1. If I would talk to you or share my websites address with you in an email or text message, you would see the domain name «example.com».
    • You can see the domain name, decide whether you trust it, and choose to look it up on wikipedia, ask others about it, or visit it directly by entering it into your browser’s address bar.
    • If you visit the URL example.com, its server is called and informed that a visitor wants to be served its home page’s content. The server is programmed to serve that content and will do that.
  2. If I share the website with you on another website, or in an «html» or «formatted» email, I can type «example.com», but set the link «URL» to https://exmple.com?secret=email.
    • In an internet address, anything after a question mark (?) or a hash character (#) is not part of the actual address, but is passed on to the server (?) or the web page (#), respectively. Additionally, parts of the internet address itself can also be used for tracking.
    • Now if you click or tap on that link (thinking you are visiting example.com), you are sharing even more information than what I just mentioned above: The server receives an additional data point through the «secret» parameter. I could program my server to track or even greet visitors differently depending on the values sent along.
    • This can be combined with cookies to link that additional shared information with any subsequent visits to my website, across all pages you pass through.

While no additional information is shared in example 1, you can still relatively easily detect the information sharing in example 2 by not just blindly clicking on the link I send or show you, but hovering over it or right-clicking it to look at the actual link.

With QR codes, this additional tracking is completely hidden:

  • Because we cannot read a QR code with our eyes, following a QR code is like a completely blind date: we have no indication what is contained. Is it a phone number? A website? An email address? A business card?
  • Incredibly, most current QR readers (including the ones integrated in your smartphone camera) just blindly and directly open any URL contained in the QR code you point at.
  • Because the QR code can be completely localised, it can contain way more relevant information than any of the above examples. Let me help your imagination:
    • The QR code I post to a physical bulletin board at the Roche canteen could contain the URL https://exmple.com?from=RocheCanteen. If someone scans and opens it, I know with high confidence that this person is actually at that canteen. Thanks to the time of the visit, I will even know the exact time the person is there.
    • On a billboard, the QR code could be individually set for each location the billboard is posted. Visitors could be mapped to the exact place they scanned the code.
    • I could post a QR code to any kind of compromising place like some night club’s bathroom. Never mind what the posting or sticker would say that the QR code leads to. «Get a free beer»…

The solution: look into the code first!

I have introduced QR codes in my most popular note taking web app shrib.com many years before QR readers where in ever smartphone. I was very enthusiastic about their potential and convenience. At shrib.com, it easily lets you take your notes with you when you leave your laptop, for instance.

But knowing the above privacy problems, I was increasingly reluctant to use (scan) them myself. I was very frustrated by the fact that the native intagrations in our smartphones are so careless by not letting you check a URL before opening the page. I ended up usually still typing in URLs on ads or billboards instead of using the QR codes.

Looking for third-party apps, I only found ones that either also go directly to the web page, or they had to be subscribed to even though this is all completely open and free technology.

So, as I often do, I just combined freely available open source code (jsQR in this case) to create this website qr.schucan.com:

  • While the page is served from my website, all data, including your camera stream and image data, remains 100% inside your browser and device.
  • You can directly use your camera in real time, take a picture to process, or read a QR code from a photograph on your device.
  • Once the QR code is read, the decoded content is displayed in plain text.
  • If the content is an internet address, phone number or email address, you are offered corresponding buttons.
  • The content can be edited (remember the URL parameters for tracking? Just remove them!) – and all buttons are updated correspondingly.
  • It is web app enabled, meaning you can simply «save it to your home screen» to make it feel like a native app on your smartphone.
Get the Web App

This is early days, expect the app to get a few more features and more polishing, and please share your experience and improvement ideas with me in a comment or by contacting me.

Schreiben Sie einen Kommentar

Ihre E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert