by

[Please welcome guest bloggers Eric Smith and Nina Kollars. Eric Smith serves as the Chief Information Security Officer (CISO) for a higher ed consortium with membership consisting of Bucknell University, Franklin & Marshall College and Susquehanna University. Nina Kollars is assistant professor of government at Franklin & Marshall college, where her scholarship examines the ways in which individual user creativity affects the development of technology and practices.]



QR (Quick Response) codes—the two-dimensional barcodes designed by the Denso Wave company in 1994—were originally intended to track and inventory millions of parts on assembly lines. Since then, these nearly ubiquitous black and white squares have been applied to an ever-broader range of uses including business cards, patient-tracking systems, and mobile coupon clipping. In order to make use of these codes, the vast majority of consumers utilize smart phone technologies in order to convert the codes into usable information. However, neither Apple’s iOS nor Google’s Android operating systems include a robust native capability to scan and decode printed barcodes. As a result, users of these devices must download third-party applications that will do this work for them.

Research Question and Findings:

Our research question was straightforward: are there privacy and security risks associated with this emerging QR app ecosystem? In an attempt to answer this, we installed and analyzed over twenty of the most popular QR code applications. Our findings suggest that a majority of the most popular QR code readers found in the Apple App and Google Play marketplaces are not passive systems of information routing, but instead capture and transmit additional data about the device and the user back to the application developer. (For full details see our paper.)

Our findings reveal that many smartphone barcode scanning applications represent a significant threat to the privacy and, potentially, security of their users. On both platforms studied, the most popular QR code scanning apps, according to search result rankings were shown to transmit the contents of all scanned QR codes, as well as GPS location data, to a third-party server.



Triangulation of Behavior:



Certainly the collection of user data by app developers is part of the consumer calculus of the cost of free tools. That is, in exchange for some of the users’ data, the tool becomes available for use. For the everyday user, QR codes are likely a tool for simple information seeking. In exchange, market-minded developers are given an opportunity to determine the preferences of the user. This, for most users, constitutes a reasonable trade off and the use of the tool represents a transaction between developer and the user.

However, the ethical contours and acceptable limits of this trade off remain unsettled, particularly if the type of data taken is not made explicitly comprehensible to consumers. Moreover, contemporary privacy norms are increasingly threatened as what initially appear to be signals of consumer preference slide further into determining bigger-picture life patterns and behavior. The question is, how much and what kinds of data tip the scale from reasonable transfer to privacy violation? We feel that the collection of data that combines content, location, date, and time begins to edge toward the triangulation of private behavior.

We feel that the QR case begins to tread beyond reasonable data collection toward behavior triangulation as a result of the intersection of three variables: the expanding purposes for which codes are used; non-explicit user notification by the software; and limitations of user knowledge in comprehending potential threats as a result of seemingly benign data transfer.

Of the applications tested, only a handful required the user to accept an end-user license agreement (EULA). The majority of apps studied provided no notification whatsoever. For those instances in which the application prompted the device, the language contained in the prompt was worded such that the user could not reasonably infer the immediate implications of that data collection. While many QR codes “in the wild” contain only public information, such as a web site or telephone number, others may contain confidential information such as the password to a wireless network or the code to deactivate a security alarm.

A particularly egregious, though not necessarily rare example of this intersection and confusion is the University of Alaska Anchorage’s research study on alcohol cessation and pregnancy. The study’s designers placed free pregnancy tests in the bathroom of a bar and then provided a QR code in order for the user to scan to get information and answer a questionnaire. In this case, unbeknownst to the researchers, the collection of this data literally works against the intent of the project hoping to reach information seekers anonymously and in the privacy of the bathroom stall. While the QR code itself may point to a location that fully intends to maintain the anonymity of the user, the scanner does not.