The Third-party Barcode-Scanning Applications (Part two)
Certainly the collection of user data by app developers is part of the consumer calculus of the cost of free tools. That is, in exchange for some of the users’ data, the tool becomes available for use. For the everyday user, QR codes are likely a tool for simple information seeking. In exchange, market-minded developers are given an opportunity to determine the preferences of the user. This, for most users, constitutes a reasonable trade off and the use of the tool represents a transaction between developer and the user.
However, the ethical contours and acceptable limits of this trade off remain unsettled, particularly if the type of data taken is not made explicitly comprehensible to consumers. Moreover, contemporary privacy norms are increasingly threatened as what initially appear to be signals of consumer preference slide further into determining bigger-picture life patterns and behavior. The question is, how much and what kinds of data tip the scale from reasonable transfer to privacy violation? We feel that the collection of data that combines content, location, date, and time begins to edge toward the triangulation of private behavior.
We feel that the QR case begins to tread beyond reasonable data collection toward behavior triangulation as a result of the intersection of three variables: the expanding purposes for which codes are used; non-explicit user notification by the software; and limitations of user knowledge in comprehending potential threats as a result of seemingly benign data transfer.
Of the applications tested, only a handful required the user to accept an end-user license agreement (EULA). The majority of apps studied provided no notification whatsoever. For those instances in which the application prompted the device, the language contained in the prompt was worded such that the user could not reasonably infer the immediate implications of that data collection. While many QR codes “in the wild” contain only public information, such as a web site or telephone number, others may contain confidential information such as the password to a wireless network or the code to deactivate a security alarm.
The study’s designers placed free pregnancy tests in the bathroom of a bar and then provided a QR code in order for the user to scan to get information and answer a questionnaire. In this case, unbeknownst to the researchers, the collection of this data literally works against the intent of the project hoping to reach information seekers anonymously and in the privacy of the bathroom stall. While the QR code itself may point to a location that fully intends to maintain the anonymity of the user, the scanner does not.