QR Code Privacy: Generate and Scan Codes Safely

QR codes are everywhere: restaurant menus, street posters, business cards, payment terminals. But they can encode far more than a simple URL. Knowing what a QR code contains before you scan it, and generating your own codes safely, protects you from tracking and phishing attacks.

What Can QR Codes Actually Contain?

A QR code is a machine-readable format that can carry any arbitrary text string. Common uses include URLs (the most common), plain text, contact cards (vCard), Wi-Fi credentials, calendar events, and payment information.

The privacy risks are real. A malicious QR code can redirect you to a phishing site that looks exactly like the legitimate one. QR codes posted in physical spaces can embed tracking parameters that identify when and where you scanned them. Some QR codes redirect through URL-shortening services that collect analytics on every scan.

Generation carries its own risk. The vast majority of QR code generation websites create the code on their servers and log all of the data you encode. If you are generating a QR code that contains a password, a Wi-Fi key, or personal contact details, that private data passes through their servers.

Using QR Codes Safely

  1. Before scanning a QR code of unknown origin, use a scanner that shows you the full URL before it opens the link. Never let a QR code jump to the browser without confirmation; always check the final destination address first.
  2. Generate QR codes locally wherever possible. PrivaQR creates QR codes entirely within your browser, so the data you encode (a URL, contact information, or a Wi-Fi password) never leaves your device. For QR codes that contain sensitive content, this is critical.
  3. For important use cases (business cards, Wi-Fi sharing, accepting payments), use a static QR code that you can verify and reproduce yourself at any time. Avoid third-party dynamic QR services that route through their own servers, because the provider can change or deactivate the destination of such a code at any time without your knowledge.
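
The pre-open check from step 1 can be sketched in code. This is an added example, not PrivaQR's code: it classifies an already-decoded QR payload and flags the risks described above (shorteners, tracking parameters, plain-text Wi-Fi passwords, sensitive vCard fields). The function names, the shortener list, and the tracking-parameter pattern are illustrative assumptions.

```javascript
// Added example: inspect a decoded QR payload before acting on it.
// SHORTENERS and TRACKING are illustrative assumptions, not complete lists.
const SHORTENERS = new Set(["bit.ly", "tinyurl.com", "t.co"]);
const TRACKING = /^(utm_|fbclid$|gclid$)/i;

// Parse "WIFI:T:WPA;S:name;P:pass;;", honouring backslash escapes.
function parseWifi(payload) {
  const fields = {};
  const body = payload.slice("WIFI:".length);
  let cur = "";
  for (let i = 0; i < body.length; i++) {
    if (body[i] === "\\" && i + 1 < body.length) {
      cur += body[++i]; // escaped character is taken literally
    } else if (body[i] === ";") {
      const k = cur.indexOf(":");
      if (k > 0) fields[cur.slice(0, k)] = cur.slice(k + 1);
      cur = "";
    } else {
      cur += body[i];
    }
  }
  return fields;
}

function inspectQr(payload) {
  const warnings = [];
  if (/^WIFI:/i.test(payload)) {
    const wifi = parseWifi(payload);
    if (wifi.P) warnings.push("Wi-Fi password stored in plain text");
    return { type: "wifi", ssid: wifi.S, warnings };
  }
  if (/^BEGIN:VCARD/i.test(payload)) {
    if (/^(TEL|ADR)[;:]/im.test(payload)) warnings.push("phone number or address included");
    return { type: "vcard", warnings };
  }
  let url;
  try { url = new URL(payload); } catch { return { type: "text", warnings }; }
  if (!/^https?:$/.test(url.protocol)) return { type: "other", scheme: url.protocol, warnings };
  const host = url.hostname.replace(/^www\./, "");
  if (SHORTENERS.has(host)) warnings.push("shortener hides the final destination");
  const tracked = [...new Set(url.searchParams.keys())].filter((k) => TRACKING.test(k));
  if (tracked.length) warnings.push("tracking parameters: " + tracked.join(", "));
  tracked.forEach((k) => url.searchParams.delete(k));
  return { type: "url", host, full: payload, cleaned: url.toString(), warnings };
}

// Constructed sample payload, as might be read from a street poster.
console.log(inspectQr("https://example.com/menu?table=4&utm_source=poster&utm_campaign=street12"));
```

A scanner would show `full` and `warnings` to the user and open the link only after confirmation.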

QR Code Security Tips

Be especially wary of QR codes in public spaces that look as though they have been stuck over an existing QR code; this is a fairly common physical-world phishing technique. Wi-Fi QR codes encode your password in plain text within the code itself, so share them only with people you trust, and if you are worried that one has circulated too widely, change the Wi-Fi password afterward. When sharing personal contact information through a QR code, consider encoding only the non-sensitive fields (such as your name and website) rather than including your full phone number and home address. Finally, check regularly that the QR codes you have printed or shared still point to the correct destination.
