Photo of Terence Eden. He has a beard and is smiling.

What the UK Government gets wrong about QR codes

· 12 comments · 700 words · Viewed ~757 times.

One of my most memorable experiences in the Civil Service0 was discussing link shortening services with a very friendly1 person from the Foreign and Commonwealth Office.

I was trying to explain why link shortners like bit.ly and ow.ly weren't sensible for Government use. They didn't seem to particularly care about the privacy implications or the risk of phishing. I needed to take a different tack.

"So, you know how .uk is the UK and .de is Germany, right?" "Yes." "What country do you think .ly is for?"

There was some consulting of ISO 3166-1 alpha-2 whereupon the blood drained from their face and they stepped outside to make a phone call.

A little while later, the National Cyber Security Centre published an explainer about why they weren't using bit.ly any more.

Throughout my time in the Civil Service I advocated for the use of .gov.uk URls everywhere. They're a trusted destination for users, they're under Government control so are less likely to be hijacked, and they don't require users to give their data to third parties.

I helped the Government Communication Service write "Link shorteners: the long and short of why you shouldn’t use them."

Today, in the post, I received six QR codes for Government services. Let's take a look at them.

The Good

Policing Surrey have a QR code which points to surrey-pcc.gov.uk/...

A leaflet for Surrey Police.

Excellent! 10/10! No notes.

Woking Council send out this code which use qr.woking.gov.uk

A letter about council tax.

Brilliant! The use of the qr. subdomain means they can easily track how many people follow the link from the code.

The Bad

Childcare Choices is a leaflet which is, I assume, shoved through everyone's letterbox. All the URls in the leaflet say gov.uk2 - but what happens when you scan?

A leaflet for Childcare with a prominent QR code.

Our old friend enemy Bitly. A user scanning this has no idea where that code will take them. They cannot access the content without giving their data away to Bitly.

Surrey also sent me a leaflet with two different QR codes.

A leaflet for Surrey - the QR code points to scnv.io. A leaflet for Surrey - the QR code points to scnv.io.

There are many reasons not to use .io. Of particular interest is the scnv.io privacy policy which, if you click that link, you will see is missing from their website! What does this company do with the data of people who scan that code? No one knows!

The Ugly

Surrey police started so well, but the back of their leaflet is a major disappointment.

A police leaflet. The QR code is almost invisible.

Aside from using an unintelligible Bitly link, the QR code is inverted. The QR standard is very clear that the codes should be black-on-white. Some scanners will have difficulty scanning these white-on-dark codes. They may look æsthetically pleasing, but it's a pretty rubbish experience if you can't scan them.

Now What?

I've been writing about QR codes for 17 years! I'm thrilled that they've finally caught on. But, like any piece of technology, they need to be used sensibly. The rules are pretty straightforward - mostly boiling down to testing your codes and keeping them simple.

Is there a risk risk of QR hijacking? Possibly. The best defence is to train users to look for a trusted URl.

In this case, using link shorteners is training users to be phished. If they are used to official Government QR codes going to weird locations, they won't notice when a scammer tries to send them to a dodgy site.

Please practice safe QR generation!

  1. I am no longer a Civil Servant. The Government's views are not my own. And vice-versa. ↩︎

  2. But not so friendly that they'd tell me their surname... ↩︎

  3. When I was there, the "Brand Police" were insistent that it should be referred to as GOV.UK in all-caps. The leaflet exclusively uses the lower-case version. Sorry Neil! ↩︎

Share this post on…

  • Mastodon
  • Facebook
  • LinkedIn
  • BlueSky
  • Threads
  • Reddit
  • HackerNews
  • Lobsters
  • WhatsApp
  • Telegram

12 thoughts on “What the UK Government gets wrong about QR codes”

  2. @edent says:

    True - but Woking will have had to deliberately set up the CNAME. So they presumably have a contractual relationship with them.
    Reply

  3. says:

    I've had a few instances (usually from schools) of being sent a QR code in an attachment to an email. With no URL provided as alternative. Heck am I supposed to do with that on a phone?!? Maybe this is a use case for foldable phones...
    Reply

  5. says:

    Chrome browser has a good QR code generator in its sharing options. Links don't go via 3rd parties,. including Google itself.
    Reply

  6. said on mas.to:

    @Edent Ah yes, we had a near-incident at $dayjob when the URL shortener that marketing were using to direct users to the correct iOS/Android app store inserted a deceptive interstitial ad, which tricked people into signing up for a scammy online entertainment package. We weren't the only ones, a few of the parking app companies had the same problem.
    Reply | Reply to original comment on mas.to

  9. said on mastodon.scot:

    @Edent this has honestly been annoying me so much. There’s literally no need to shorten a URL in a QR code, you can even put all the tracking you want in there! I got annoyed a couple of weeks ago when my employers phishing tests started using QR codes. Not because they did, but because they felt they had to. And because people seem to have forgotten the value of a domain name. Even if not typed in, I bet most will recognise a legit one if known https://mastodon.scot/@thatdamnqa/112060202034560152 Dan (@thatdamnqa@mastodon.scot)
    Reply | Reply to original comment on mastodon.scot

  10. says:

    The .ly is just like how CoreDNS stopped building for me last week because it has a dependency on a package listed under inet.af. Guess what .af stands for? These silly DNS hacks are amusing once,the fallout outlives them.
    Reply

  11. Mike says:

    I might try asking “why are these people allowed to make parts of our website navigation dependent on something controlled by Libya?” about the people where I work who use bit.ly URLs on our website to link to other pages on our website. (Their justification is something about being able to track how many times certain links are clicked, even though that information is available without involving a third party service.) The .io story is worse that I remembered it being.
    Reply

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">