I had a meal at a relatively ordinary restaurant recently and was surprised when they brought the bill. It included a printed QR code. Out of curiosity, I took out my smartphone and used my camera app to "read" it. It took me to a website that asked for my credit card information. I followed the procedure on the website and paid my bill. Later, I realized I had no way of knowing where the QR code was going to take me or what else it might contain. There is no readily discernible information visible in a QR code (or many of its variations). You really have no way to tell whether it is potentially malicious. Originally intended for tracking purposes (for example, a package, a part in a manufacturing operation), this convenient mechanism for delivering digital information to a reader (for example, a camera feature) does not come with any human-readable way to ascertain safety.
Suddenly, QR codes on the sides of buildings, on magazine pages, or on websites all struck me as potentially threatening in the absence of any information to the contrary. Indeed, a casual web search for "QR codes threats" yields many hits raising this very issue. I read a few of these and began to wonder by what means users might be given more agency to determine the safety of information encoded in this fashion. A readable text associated with the QR code cannot really be trusted since the QR-coded information could be entirely distinct from the human readable part. Even human-readable URLs can range from misleading to malicious. Slight misspellings of domain names (for example, with lookalike Unicode characters) can take you to dangerous websites. Suitably composed malicious sites could automatically download malware as a result of activating a QR code (or clicking on a hyperlink).
Even if the QR-coded information is displayed to the user in readable form, there is no assurance it is safe or that its safety can be determined. A typical hyperlink could have a lot of unreadable but malicious content after the "?" in a URL, the safety of which is not obvious. So, the QR code safety question is, in a sense, comparable to the URL safety question which is, itself, a threat.
At the very least, maybe one wants QR readers to display the encoded material in as readable a form as possible before voluntarily following any encoded links? Perhaps there could be services that flag known-to-be-dangerous websites the QR reader could check? Perhaps a warning could be raised if an embedded domain name does not have a DNSSEC certificate? The browser used to interpret the input from following a URL might have a "sandbox" mode that would confine potential hazards.
It seems apparent that the convenience of digital services comes with potential hazards against which we all need training and tools to avoid.
In a recent essay,a I wrote about accountability and agency in the Internet, where I was concerned with identifying harmful actors and providing users with tools of protection. Perhaps safety-oriented QR code readers would fall into the latter category. It seems apparent that the convenience of digital services comes with potential hazards against which we all need training and tools to avoid. While it is apparent that people often give up privacy in exchange for convenience, we should not so lightly give up safety. This line of reasoning only further increases my growing belief we really do need the equivalent of "Internet driving courses" that conclude with the issuance of an "Internet driver's license." The license (or certificate) would simply be evidence that the student has been shown how to use the Internet more safely. We do not have Internet traffic cops to stop you from using the Internet in reckless ways, but perhaps we have an obligation to teach safety practices and provide tools that enhance them.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2023 ACM, Inc.