April 27, 2024

Scan This or Scan Me? User Privacy & Barcode-Scanning Applications

[Please welcome guest bloggers Eric Smith and Nina Kollars. Eric Smith serves as the Chief Information Security Officer (CISO) for a higher ed consortium with membership consisting of Bucknell University, Franklin & Marshall College and Susquehanna University. Nina Kollars is assistant professor of government at Franklin & Marshall College, where her scholarship examines the ways in which individual user creativity affects the development of technology and practices.]

QR (Quick Response) codes—the two-dimensional barcodes designed by the Denso Wave company in 1994—were originally intended to track and inventory millions of parts on assembly lines. Since then, these nearly ubiquitous black and white squares have been applied to an ever-broader range of uses including business cards, patient-tracking systems, and mobile coupon clipping. To make use of these codes, the vast majority of consumers rely on smartphones to convert them into usable information. However, neither Apple’s iOS nor Google’s Android operating systems include a robust native capability to scan and decode printed barcodes. As a result, users of these devices must download third-party applications that will do this work for them.

Research Question and Findings:

Our research question was straightforward: are there privacy and security risks associated with this emerging QR app ecosystem? In an attempt to answer this, we installed and analyzed over twenty of the most popular QR code applications. Our findings suggest that a majority of the most popular QR code readers found in the Apple App and Google Play marketplaces are not passive systems of information routing, but instead capture and transmit additional data about the device and the user back to the application developer. (For full details see our paper.)

Our findings reveal that many smartphone barcode scanning applications represent a significant threat to the privacy and, potentially, security of their users. On both platforms studied, the most popular QR code scanning apps, according to search result rankings, were shown to transmit the contents of all scanned QR codes, as well as GPS location data, to a third-party server.
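One way to check an export of intercepted traffic for the two behaviours reported above (scanned contents and GPS position leaving the device), as an added example that is not from the authors' paper. The capture format, hostnames, scanned payload and coordinates are all constructed for illustration.

```python
import base64
import re
from urllib.parse import quote, urlsplit

# Everything below is constructed for illustration, not taken from the paper.
SCANNED = "WIFI:T:WPA;S:LabNet;P:correct-horse;;"   # code the tester scanned
DEVICE_GPS = (40.0479, -76.3198)                     # where the test device was
CAPTURE = [  # outbound requests as exported from an intercepting proxy
    {"url": "https://stats.scanner-vendor.example/log?lat=40.04791&lon=-76.31982",
     "body": "code=" + quote(SCANNED, safe="")},
    {"url": "https://ads.example/pixel?d=" + base64.b64encode(SCANNED.encode()).decode(),
     "body": ""},
    {"url": "https://cdn.example/icons/flash.png", "body": ""},
]

DECIMAL = re.compile(r"-?\d{1,3}\.\d{3,}")  # candidate coordinate values


def payload_forms(payload):
    """Encodings in which an app might ship the scanned text off the device."""
    raw = payload.encode()
    return {
        "raw": payload,
        "urlencoded": quote(payload, safe=""),
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
    }


def audit(capture, payload, gps, tol=0.001):
    """Return one finding per request that carries the payload or the position."""
    forms = payload_forms(payload)
    findings = []
    for req in capture:
        text = req["url"] + "\n" + req["body"]
        leaked = sorted(name for name, form in forms.items() if form in text)
        nums = [float(n) for n in DECIMAL.findall(text)]
        # Both latitude and longitude must appear, allowing for rounding (~100 m).
        has_gps = all(any(abs(n - c) <= tol for n in nums) for c in gps)
        if leaked or has_gps:
            host = urlsplit(req["url"]).hostname
            findings.append({"host": host, "payload": leaked, "gps": has_gps})
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURE, SCANNED, DEVICE_GPS):
        print(finding)
```

Scanning a unique, never-published payload makes any match unambiguous; a request that carries the payload and the coordinates together to a host unrelated to the code's own destination is the pattern the findings describe.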

Triangulation of Behavior:

Certainly the collection of user data by app developers is part of the consumer calculus of the cost of free tools. That is, in exchange for some of the users’ data, the tool becomes available for use. For the everyday user, QR codes are likely a tool for simple information seeking. In exchange, market-minded developers are given an opportunity to determine the preferences of the user. This, for most users, constitutes a reasonable trade off and the use of the tool represents a transaction between developer and the user.

However, the ethical contours and acceptable limits of this trade off remain unsettled, particularly if the type of data taken is not made explicitly comprehensible to consumers. Moreover, contemporary privacy norms are increasingly threatened as what initially appear to be signals of consumer preference slide further into determining bigger-picture life patterns and behavior. The question is, how much and what kinds of data tip the scale from reasonable transfer to privacy violation? We feel that the collection of data that combines content, location, date, and time begins to edge toward the triangulation of private behavior.

We feel that the QR case begins to tread beyond reasonable data collection toward behavior triangulation as a result of the intersection of three variables: the expanding purposes for which codes are used; non-explicit user notification by the software; and limitations of user knowledge in comprehending potential threats as a result of seemingly benign data transfer.

Of the applications tested, only a handful required the user to accept an end-user license agreement (EULA). The majority of apps studied provided no notification whatsoever. For those instances in which the application prompted the device, the language contained in the prompt was worded such that the user could not reasonably infer the immediate implications of that data collection. While many QR codes “in the wild” contain only public information, such as a web site or telephone number, others may contain confidential information such as the password to a wireless network or the code to deactivate a security alarm.

A particularly egregious, though not necessarily rare, example of this intersection and confusion is the University of Alaska Anchorage’s research study on alcohol cessation and pregnancy. The study’s designers placed free pregnancy tests in the bathroom of a bar and then provided a QR code for the user to scan to get information and answer a questionnaire. In this case, unbeknownst to the researchers, the collection of this data literally works against the intent of the project, which hoped to reach information seekers anonymously and in the privacy of the bathroom stall. While the QR code itself may point to a location that fully intends to maintain the anonymity of the user, the scanner does not.

Comments

  1. This is just one of many reasons why I refuse to use, or even scan QR codes. Without even digging into what information is being transmitted and to whom, the use of QR codes is simply an obfuscation method used by companies. Rather than just stating what they do, instead they encode some system that only a computer can read.

    Take for instance the simple idea that a QR code will route to a website. Why not just put the web address in place of the QR code? Then it is transparent and you don’t need special software to read it. Same for anything else, I really cannot understand any use of a QR code in public that DOESN’T present real privacy concerns simply by the fact that one cannot tell what is in the QR code in the first place.

    Not to mention the hacks that can be performed by routing someone to malicious software, storing private information thereon (mentioned in this article), and on and on including the very real fact that whoever makes the reader is simply in on the gig. I wouldn’t trust if Google or Apple put a scanner in their own products either; they are just as bad at spying on consumers in the first place.

    Companies that use QR codes are simply tools. They believe they are presenting an easier method for their users but at the sacrifice of the user’s privacy in the first place. It is the companies that use the QR codes that need to be preached to about privacy concerns; they should just be transparent and print the information they want users to know without doing some stupid black and white boxes that take computers to read.

    On another front; but in the same vein. UPC barcodes are similar in nature right? They provide a rapid method of computers to track product (same as QR codes were originally designed for); but at least UPC barcodes you have the UPC number right there; it’s not a secret, it is open and transparent. QR codes however are not open, not transparent, and can be used to store anything which causes a whole slew of concerns.

    I have no problems with QR codes being used as they were originally intended to track products (pieces in manufacturing); but they should stay out of the public realm; they serve no useful purpose to consumers. And the only useful purpose they serve is to those who like to bait and switch (bait users with the idea of ease of getting information, switch by selling information about the users to marketers).

    • Anonnymoose says

      Privacy preserving QR/bar code readers (e.g. Barcode Scanner by ZXing Team) have an on-by-default option to present you with the contents of the scanned code before taking *any* action with that data. This addresses the substantive part of your objections.

      • Well, yes. But you have to believe them when they tell you that the app shows you the scanned data without taking any further action without your explicit authorization. Most normal users would be hard put to find out whether the app actually does what it says it does or whether it doesn’t pass on information about the device regardless.

        • Anonnymoose says

          “But you have to believe them…”

          No. You can -as Smith and Kollars did in the research covered in their paper (discussed in this blog post)- inspect network traffic from the device running the QR scanning software as you use the software. Or you can -as is the case with ZXing’s Barcode Scanner, and (probably) some others- download the source code, inspect it, and then compile the software from that.

          Will most folks do this? No. But, for any given version of the software, you only -realistically- need to perform a thorough test once. You can make a bunch of “What if?” arguments that attempt to counter this assertion. Most of those arguments will be either tinfoil-hat type arguments “But can we REALLY trust [X]?”, or you’ve-been-targeted-by-a-government-investigation type arguments “What if the FBI/DEA/NSA wants to get *my* secrets from *my* devices?”. In the case of the latter, there’s nothing a normal user will be able to do. 😉