QR Panopticism: User Behavior Triangulation and Barcode-Scanning Applications

The increasingly ubiquitous two-dimensional barcodes designed by the Denso Wave company, known as the QR code, were originally intended to track millions of parts as they moved about on high-speed assembly lines. Since then, these increasingly ubiquitous black and white squares have been applied to an ever-broader range of nonindustrial uses. In order to make use of these codes, the vast majority of consumers use smart phone technologies in order to convert the codes into usable information. However, neither Apple’s iOS nor Google’s Android operating systems include a robust native capability to decode printed barcodes. As a result, users of these devices must download and install third-party applications that will do this work for them. Our research question is straightforward: are there privacy and security risks associated with this emerging QR app ecosystem? We installed and analyzed over twenty of the most popular QR code applications. Our findings suggest that a majority of the most popular QR code readers found in the Apple App and Google Play marketplaces are not passive systems, but instead capture and transmit additional data about the device back to the application developer. The paper then considers the privacy and security implications of the QR code app ecosystem.