QR Codes: Obsession and Regulation

Can something as benign as a QR Code be malicious? It can. What we need is a bit of regulation. Self-regulation.
Written by Ken Hess, Contributor

Quick Response or QR Codes are these bizarre-looking, black and white, square bar code thingies that you see everywhere now. You see them in restaurants, on food product packages, in store windows, on plumber's vans and on websites. It's very odd and I'm absolutely and pathologically obsessed with the darn things. I've generated them for just about everything that I do.

Why, pray tell, would anyone use these things or have an obsession with them?

I can only speak for myself but they are intriguing in that they are a compact method of distributing information in a format that isn't human readable. I like that I can give someone my contact information in one, send a web address in one or even transmit a short text-based message in one.

I only find one thing to be wrong with the whole QR Code phenomenon: Digital signing.

Or, actually the lack of digital signing.

No, I don't mean digital signs such as the ones that you see on new-fangled billboards or on the backs of trucks that roam around cities. By digital signing, I mean encryption. And, yes, I'm fully aware that you can encrypt QR Codes. But, what I'm talking about is the verification, third-party or otherwise, that signs codes as legitimate. Kind of like when you accept a certificate from a website.

I want to know, before I save a scanned QR Code, that it is legitimately created by the source. In other words, if I scan some random QR Code, how do I know that it's really a harmless bit of contact information, website or other packet of useful information? It could be a malicious hunk of code created to steal my Apple ID and password. It could be a "virus" that grabs my phone number, sends it to a spam site and then bombards me with unwanted advertisement texts.

I'd like to put forth the following ideas and suggestions to the people or industry or whoever is responsible for managing these things:

  • Code Digital Signing to legitimize the Code.
  • A pre-scan informative message describing the QR Code's contents.
  • A watchdog organization that exposes malicious QR Code generators.
  • A "Scan Ban" on those who create malicious codes.
  • A rating system for codes that might not be suitable for all audiences.

I've already described my digital signing idea, so let me explain the other points to you. A pre-scan message would provide a short description of the Code's contents and a symbolic system to let you know if it's a commercial Code, information only, website link, etc. A voluntary watchdog organization that exposes QR Code generators--allowing a feedback box for those who upload the codes to describe what happens when you scan it. Eventually, that database of information would be checked in the pre-scan phase on your device.

The "Scan Ban" would ban the code from being entered into your device and a recorded instance of the Code's location and creator would be automatically uploaded into the Watchdog database.

A rating system such as the MPAA's rating system would work pretty well for QR codes too. I just don't want my ten-year-old daughter scanning in some adult-oriented QR code that takes her to a site or downloading a movie that she shouldn't see. This sort of thing could be handled in the pre-scan phase, where a message would appear that warns you of age-related content.
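The pre-scan phase described above, sketched as an added example (not from the original article or any real scanner app): it labels a decoded payload, shows the real host behind a link, and refuses hosts found in a watchdog list. The function name, the `WATCHDOG_REPORTED` set and the sample hosts are assumptions made for illustration; signing and ratings are left out.

```python
from urllib.parse import urlsplit

# Well-known QR payload prefixes and the plain-language label shown to the user.
KINDS = [("BEGIN:VCARD", "contact card"), ("MECARD:", "contact card"),
         ("WIFI:", "Wi-Fi network settings"), ("SMSTO:", "text message draft"),
         ("TEL:", "phone number"), ("MAILTO:", "e-mail draft"),
         ("GEO:", "map location")]

# Constructed stand-in for the watchdog database (hypothetical entry).
WATCHDOG_REPORTED = {"bad.example"}


def pre_scan(payload, reported=WATCHDOG_REPORTED):
    """Describe a decoded QR payload before the device acts on it."""
    text = payload.strip()
    result = {"kind": "text or unrecognized format", "host": None,
              "warnings": [], "allow": True}
    for prefix, kind in KINDS:
        if text.upper().startswith(prefix):
            result["kind"] = kind
            return result
    try:
        parts = urlsplit(text)
        # hostname drops any "user@" prefix and port; strip a trailing dot too.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:                      # e.g. malformed IPv6 literal
        result["warnings"].append("malformed address")
        return result
    if parts.scheme not in ("http", "https"):
        return result
    result["kind"], result["host"] = "website link", host or None
    warn = result["warnings"]
    if not host:
        warn.append("no host name in link")
        return result
    if parts.scheme == "http":
        warn.append("connection is not encrypted (http)")
    if parts.username is not None:
        warn.append(f"text before '@' is not the site; real host is {host}")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warn.append("internationalized host name; may imitate another site")
    if any(host == r or host.endswith("." + r) for r in reported):
        warn.append("host reported to watchdog database")
        result["allow"] = False             # the article's "Scan Ban"
    return result
```
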

I think QR Codes are cool and I'd like to see their use expanded. Just think of the possibilities. You could do a lot with them but unfortunately, since there are many 'less than savory' individuals out there, I'd like to see a bit of self-regulation of them. After all, who wants to reset their device to factory defaults just because you scanned some malicious QR Code?

And, if it hasn't happened yet, it will.

It's really too bad that anything good can be twisted by evildoers and those who have too much time on their hands. I used to believe, naively, in the goodness of mankind but not so much anymore. I think that we have to regulate ourselves in these matters and take those few individuals to task who want to steal, defraud or harm us, whether in person or electronically.

I like the thought of using QR Codes even for simple communications but I think that we should be careful with them. With great power comes great responsibility. Peter Parker's uncle was a wise man.

And, now some completely harmless QR Codes, rated G, for all audiences.


What do you think of QR Codes and my ideas for a bit of self-regulation of them? Talk back and let me know.
