Privacy Issues with QR Codes

My basic philosophy of internet privacy is this: if you put it on the internet, it's not private. Period. It doesn't matter how many passwords, firewalls, or encryption keys you put in front of it; if someone somewhere can see it on their screen - including you - it can become front page news on Google tomorrow. As new internet technologies break out, it is important to remember that this maxim applies to them as well. We may not understand what the privacy risks are with some new medium, but rest assured they exist; be careful about what you post, and as new privacy implications are discovered, act accordingly.

Which is why this post on QR Code Magazine is a must-read; it highlights potential privacy risks in proprietary QR readers that most users may be unaware of:

"When you download a scanning app that can resolve proprietary 2d codes...it will contain a unique identifier. Every time you scan a code the app will send that unique identifier to be logged and passed on to whoever was allocated the code.
"As with much of this type of data collection there does not seem to be an overt connection with your personal identity (it won't be linked to your name or home address), but it will create a unique profile based on all QR codes scanned by your phone or other device. There is, of course, buried in the user agreement for these scanners, a line granting the company the right to sell and use your data as they see fit."

Roger points out that all QR codes send some form of identifying data - every visit to any webpage does - but for non-proprietary codes that data is non-unique and mainly used to help display the page correctly. My computer, for example, comes up as a laptop running Windows XP, browsing the web with Firefox 3.6 and displaying pages in English; not enough to build a strong profile around, in other words.
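To make the difference concrete, here is an added example (not from the original post or from QR Code Magazine) that groups the same scans two ways: by the browser user-agent a plain URL code exposes, and by the per-install identifier a proprietary scanner sends. All device names, identifiers, user-agent strings and code names are constructed, and the model assumes the user-agent is the only thing a direct visit reveals, as the paragraph above describes.

```python
from collections import defaultdict

# Constructed sample data: (true_device, user_agent, app_install_id, code_scanned).
# true_device is ground truth for the demo only; no server ever receives it.
UA_A = "Mozilla/5.0 (Linux; Android) Mobile Browser"   # constructed UA string
UA_B = "Mozilla/5.0 (iPhone) Mobile Browser"           # constructed UA string
SCANS = [
    ("alice", UA_A, "id-7f3a", "coffee-shop-poster"),
    ("bob",   UA_A, "id-91c2", "coffee-shop-poster"),
    ("alice", UA_A, "id-7f3a", "pharmacy-coupon"),
    ("carol", UA_B, "id-02de", "concert-flyer"),
    ("dave",  UA_B, "id-5b10", "concert-flyer"),
    ("bob",   UA_A, "id-91c2", "gym-membership"),
    ("alice", UA_A, "id-7f3a", "political-rally-flyer"),
]

def observed_key(scan, mode):
    """Return the value the logging party can key a profile on."""
    _, user_agent, install_id, _ = scan
    if mode == "direct":        # plain URL code: only ordinary browser headers arrive
        return user_agent
    if mode == "proprietary":   # resolver app attaches its per-install identifier
        return install_id
    raise ValueError(f"unknown mode: {mode}")

def build_profiles(scans, mode):
    """Group scans by observed key; return {key: (devices_behind_key, codes)}."""
    devices, codes = defaultdict(set), defaultdict(list)
    for scan in scans:
        key = observed_key(scan, mode)
        devices[key].add(scan[0])
        codes[key].append(scan[3])
    return {k: (devices[k], codes[k]) for k in devices}

def single_device_profiles(scans, mode):
    """Profiles whose key maps to exactly one device, i.e. a trackable history."""
    return {k: c for k, (d, c) in build_profiles(scans, mode).items() if len(d) == 1}

if __name__ == "__main__":
    for mode in ("direct", "proprietary"):
        print(mode)
        for key, (devs, codes) in build_profiles(SCANS, mode).items():
            print(f"  {key}: {len(devs)} device(s), scans={codes}")
```

Keyed on the user-agent, every history is shared by at least two devices, so no scan can be pinned to one phone; keyed on the install identifier, each phone gets its own complete scan history.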

Implications for Marketers

The implications are two-fold: your prospects might block your message while protecting their own privacy, and there could be backlash if they later find out you helped "steal" their data.

First, many net citizens, and especially early adopters, are getting good at using privacy protection techniques, combining software and behavior. One way or another, this means they may be unwilling or unable to use your QR codes if they contain proprietary formats known to create and sell these unique user profiles.

Second, if it later comes to light that the QR codes they've been using for years - yours - have been building this profile all along, there is potential for a major backlash. This is the type of thing that got Facebook into trouble this year; people started learning that their personal data was not as private as they expected, and they got pissed. It has not hurt Facebook's overall market position, but it generated tons of bad PR.

The indirect, proprietary codes are enticing to many companies because they come with strong campaign tracking and management tools. I understand that appeal; paying for a pre-made service can be much more attractive than trying to design your own system for free. Weigh these hidden costs, though: what will the user experience be with the proprietary service? Are your users getting a better experience in exchange for your money, or just the same service with more annoyances?