QR codes are innocent!

Two media articles crossed my desk this week screaming about how QR codes track you. First there was QR Codes Are Here to Stay. So Is the Tracking They Allow. Then there was a short video in a tweet from Gzero Media saying much the same thing.

Both raise a legitimate concern but do so in a misleading way that amounts to misinformation.

Should you be concerned about scanning a QR code?

No more and no less than usual — but this is nothing to do with QR codes. It’s about the fact that tracking you across the Web is at the heart of many online business models.

How many people concerned about being tracked every time they scan a QR code use HTML email? Defeating the trackers is just one of the reasons I use plain text email.

How many people concerned about being tracked every time they scan a QR code read what they’re agreeing to when Accepting Cookies? This is usually safe but not always. You can find that you just agreed to all sorts of other things as well as accepting cookies.

How many people concerned about being tracked every time they scan a QR code will sign into other sites with their Facebook or Google account (thus sharing information from that smaller site with those online giants).

How many people concerned about being tracked every time they scan a QR code will happily click a short link on bit.ly or Twitter's URL shortener t.co, not caring that every click is tracked?

The problem with the NYT article and Gezero piece is not that they’re wrong to highlight the dangers of being tracked. Those dangers are real and everyone online should be acutely aware of them. It’s that they suggest that QR codes themselves are inherently dangerous and that QR codes are doing the tracking.


QR codes contain a string of characters. That’s all. None of the three QR codes below will track you and only one contains a URL.

Scan this QR code if you want to connect to the wifi at the Hintlesham & Chattisham Community Hall
Scan this QR code for my contact details
The URL encoded in this QR code, https://id.gs1.org/01/09506000134352?17=221225, follows the GS1 Digital Link standard. It includes the GTIN and expiry date for a fictitious product used in examples. But no tracking.

Unless you take steps to avoid it, your online activity leaves a trail and exposes information about you as you go. Each of us needs to find the balance between the effort required to defeat the trackers and the convenience of accepting tracking as a fact of life.

If, like me, you use a laptop issued by your employer, you’re almost certainly being monitored to some degree by that employer. Microsoft has had to do some heavy PR around the privacy issues surrounding the ubiquitous Teams following articles like Wired's All the ways Microsoft Teams tracks you and how to stop it.

If there is an increased ‘danger’ associated with scanning a QR code it’s that you probably won’t do it on your corporate laptop but on your phone. That’s likely to have more personal data on it. What apps do you have installed? Where have you been? Who are your contacts? Who do you call most? And so on.

The tech industry is acutely aware of this and working to improve privacy all the time so, yes, be careful. But don’t blame the QR code — QR codes are innocent.