Showing posts with label QR. Show all posts

2025-09-04

QR abuse...

I'm known for QR code stuff, and my library, but I have done some abuse of them for fun - I did round pixels rather than rectangular, for example.

The latest abuse was inspired by https://mathstodon.xyz/@divbyzero

His idea was a Truchet style...

I have done some more work on the idea. For a start I did not like the harsh edges and cut circles, so made it slightly different. I also had concerns on the circle hitting the targets as this may cause timing issues perhaps.

Looks good. But I also tried larger and it had trouble reading at an angle, and I think because I had Truchet coded the alignment marks needed on larger codes.

So I made them rectangular, e.g. same code as above with alignment mark intact.

Now it reads better at an angle. (tested on iPhone camera and an app). This allows the 45 degree shown at the top of this blog post.

Do not blame me if you now have a migraine, please.

Oh, and if you are interested, this is created as a proper QR code, but with a grid of black/white circles on top... I have made a video https://www.youtube.com/shorts/9ufN2cpsbPA

2024-03-11

How not to QR (again)

I have mentioned a bit about QR codes before (here).

But today I saw an example of a QR done badly!

The QR code contains a reference, an alphanumeric code and number, and name of student. But the passcode is just the first part (8 character code).

So what is wrong here?

  1. The machine readable part, the QR code, has the redundant extra information of student name, why? QR has error check and correction code, so no need.
  2. People expect a QR code to be scannable, and for that to be anything useful it is best done as a URL. This is just text.
  3. The instructions ask you to go to a web site, and enter a pass code.

This could be so much better as a URL with a passcode on the end, perhaps as a query.

  1. The user could scan it, and even if it only went to the web site, that saves a lot of typing.
  2. The web site could use the query on the end to actually do the next step and save typing the passcode.
  3. If they need the QR for face to face stuff, collecting photos, whatever (which does not seem to be the case, so why even have the QR code at all on the paperwork), then scanning can easily skip the URL part and read the passcode part. Though the wording sounds like this may be printed first and scanned as part of taking photos - fine, scan with a URL in it, that does no harm.

An example of a case we have is serial numbers on FireBricks.

The QR code contains HTTPS://FB0.UK/900000050159 which serves two purposes. When scanned by a user it goes to the product page, but when scanned by my staff for a serial number on a delivery note or invoice, the HTTPS://FB0.UK/ is skipped by the system and the serial number correctly recorded.

2024-02-25

QR marketing

QR codes are great, aren't they?

I'm not going to go into the technical aspects here, I have done that before, but more about actually using them.

We see them on everything, from shop windows to packets of crisps.

But there are some guidelines that are worth considering if you are planning on playing with QR codes. This is very much a top level explanation, and as I say not very technical.

Starting with what is a QR code?

It is simply a standard way to represent data in a machine readable format that can be printed or displayed on a screen, and these days almost any phone with a camera can "read" them.

Why use them?

Well, the main reason is to allow people to get to a web site, that is pretty much the main "marketing" use of QR codes.

There are a load of more technical reasons to use them, tracking products and deliveries and all sorts, even COVID related stuff, but from a marketing point of view it is pretty much "a web site" without the typing, and more importantly the "mistyping" of some URL.

Of course someone could put a sticker over your QR with another one, how would people know until they try it?

Silly graphics in them?

One of the annoying things from a technical point of view is people putting silly images and graphics in the middle, or changing them to be round dots or some such. They are designed to tolerate a lot of errors, so these generally work, but they are not close to being standard. Also they are meant to have a 4 unit white border which is often reduced to 1 unit or not at all. Again, people "get away with it", but it is not right. Properly they are a grid of black or white squares with a 4 unit white border.

But what to put in them?

This is where it gets fun - you typically put a web site, a URL, and that is it.

Start it properly HTTP:// or better HTTPS:// though again you "get away" with just WWW.

But there is more to it!

  1. There is no point putting a silly long URL with loads of extra query fields, really, that makes for a dense QR code which may be harder to read. Don't do https://www.amazon.co.uk/Faikin-Alternative-Daikin-WiFi-controller/dp/B0C2ZYXNYQ/ref=sr_1_1?crid=216EE7WGMZ221&dib=eyJ2IjoiMSJ9.XweYjNYnMX2FDmEgANqtjLiG7EHQIhpAHquJL8qCQ74Nr4YyT0zmkbk9467lCnQEb862FHm0WxqOGwExyaAH8JP42vCPVbInuwGvXc5MduR3JtainfYF4sz3oXKDZrVvA81M5J9-Ro5CIDRtqDictRG7E_GGusC-wTDynho5VPmjb4R-00iqmk26qH04W9nRkcYdt7pvh2HMGyh53iA4pPdQcVPNx2Q6B2_T2DDDULQ.qMn3ZtO7J7xmPu_bSUUilYAZ64X_8IK_MAJgIaqpQM0&dib_tag=se&keywords=faikin&qid=1708887615&sprefix=faikin%2Caps%2C81&sr=8-1
  2. You can use some sort of URL shortening thing, but that means on phones the preview shows some URL shortening domain and so no way to know it is "genuine". Don't do http://tinyurl.com/yrescvrw

I have seen both extremes!

The middle ground is using your proper domain name, and then a short additional path. This can make a compact URL, and show your domain as the preview for the link on phones, but still get to where you want. You can also make it all upper case which actually makes the QR code less dense. E.g. HTTPS://FAIKIN.REVK.UK

Using your actual domain means you control it and are not subject to some third party, and also the preview on a QR code on the phone shows your domain, not tinyurl.com.

I have actually seen this for some local shops, with QR codes, that are via some site, and worked when printed, but when I scanned came up with "your free trial is over, choose a package for your QR link" or some such. Totally useless for the shops in question, when just a QR to their own website (which they have) would have worked fine.

For comparison, the above URL examples as QR codes.

1. Long URL (harder to scan)

2. Short URL (no obvious preview before following link)

3. Proper URL (clear preview and easy to scan)

4. Make it a URL!


The above is an example of a dual purpose QR. Scanned, it goes to the product site, but it includes a serial number, so when we scan it on a delivery note, etc, the URL part is ignored and the serial number is read in to the document. Customers expect a QR to be a URL, so why not use that fact?

And don't forget - check it works!

Having made the QR code, check it, pretend to be a customer/user.

  • Check what the preview shows on your phone
  • Check the link goes where you expect
(Yes, I ballsed that step up making this page the first time, thanks for letting me know)

2021-12-19

Proposal: Updates to the QR specification.

I'd love to know where one can formally make a proposed change to the QR code spec, a new version.

What I think is needed is these very simple changes.

1. The whitespace border of a QR code is defined as four units. This takes up a lot of space, and is ignored by a *LOT* of people. Clearly readers cope with only a one unit white border, so I'd like to see that defined as "valid" in the QR code spec, even if a four unit border is "recommended".

2. I'd like to see the padding after the end of the QR code content to be defined as allowed to be arbitrary unused data. This allows QR codes to be made with silly graphics in them and be 100% valid if done correctly. At present, this works, and people love doing this stuff, but technically is not what the padding should be.

3. I'd like to see an additional coding, using a base64 alphabet, coded (obviously) to 6 bits. The reason for this is that whilst QR codes can be used to carry binary data, they more commonly carry binary data embedded as part of a format like JSON. Other formats like base45 are also used. Allowing a base64 alphabet means that raw binary data or embedded binary data in JSON, etc, can be coded 100% efficiently in the QR code, but is defined as printable text. It can be used for parts of JSON that are binary coded as base64. Even a 100% binary data QR code would read as a printable string if using such a coding, which is far easier to handle in general applications. Given the way codings work, this would be simple to add. It would mean base64 coding would be better than base45, for example.

4. I'd love to see UTF-8 make the default character coding.

Impact of these ideas?

The change of border, and padding data has basically no impact, readers already cope, so this is a no-brainer.

The addition of a new coding is more complex. It is not backwards compatible. However, it fits well with the possible use cases. The usage would be where raw binary would be better handled as printable data, and where using coding like JSON to carry binary data in parts. These are both cases that need a specific application to use the data. I.e. they are not some generic use case like a URL. So these are cases that are likely to be read by a specific application, and the application could be one that is designed to use a new version QR reader library. Even so, it probably makes sense for such a change to have a future date by which readers are expected to have been updated, and QR codes should not use the new coding before then unless intended to be used only with a specific application designed to read it. QR encoders should have an option to use the new version or not as well, obviously. The standard can state all of these objectives.

Now, daft question - where do I send my proposal?

P.S. I have had an email now confirming exactly how the process works, thank you (happy to quote your name, let me know). Also, I did not know this about my Datamatrix coder... "you wrote the Data Matrix library that was adopted by Zint and is probably (?) the most pervasive DM encoder in use today", nice.

Other ideas

One idea I did not mention, but do now as mentioned in that email, is the notion of an additional coding for URLs. This would be a subtly different set of characters to be URL friendly. For example, the "alphanumeric" alphabet coding has / and : and . but no ? or _ and no lower case. A new coding could make URL encoding better. Indeed, including a single character for "https://" even would make sense, or some other coding (like FC1) to indicate https:// at the start, would also make sense. It would take some research to work out the best way to do this, analysing lots of URLs.

Also, to be fair, anyone putting a URL in a barcode is mad to not do a bare minimum such as https://domain/argument which are all within the standard alphanumeric coding already (i.e. upper case) - putting a long complex URL in a QR code is generally a daft idea and makes for a big QR code anyway. A web server can easily handle a simple URL even if it then redirects to some more complex one internally. It is also worth having a short domain for such use.

The big issue I see with this, which is not a show stopper in itself, is that URLs tend to be used more generically - i.e. in the camera app on a phone, and not by specific applications. This would mean the new coding is no use until almost all readers understand it.

The good news is we live in a world of software updates, largely for security and vulnerability reasons, so things like a phone camera app would be updated. What is more difficult is hardware scanners, as used in supermarkets. But again, the good news is that those are generally used for specific applications that know what QR codes they are going to see and those QR codes could be coded not to use the new standard.

2021-08-28

NHS covid pass

I decided to check how I get an NHS COVID19 pass / QR code.

Update: Thanks to all that pointed out the couple of subtle clues on how to get an NHS login, which I missed initially.

I googled, and it seems you can ask for a letter or get it digitally, cool. But you need an "NHS login".

Well, I don't know what an NHS login is, but there is this helpful site, https://help.login.nhs.uk which tells you all about it. Nice.

This looks comprehensive. But I don't have an "NHS login", so let's try the "How to set up [an] NHS login"... https://help.login.nhs.uk/setupnhslogin/


OK, we have "What is NHS login" and "What you need to set up an NHS login" (yes, an "an" this time). There are other pages with more information on how to prove who you are, etc. There is the "Where can you use NHS login". OK, good.

Update: For those saying "just use the NHS app", I'm in Wales now, and it does not work!

Update: Oooh, it says clicking the button lets you create a login there, missed that the first time, but the actual login page does not say that.

But call me thick, and maybe I am being blind here, but where is the "Register for an NHS login" or "Create an NHS login" link or "how to" on that? I looked around and cannot find it. It does not seem to actually tell you "How to set up NHS login" at all, missing that one crucial step of how you start the process!

I kept looking and I found the NHS COVID pass page, https://covid-status.service.nhsx.nhs.uk which has a login link.

Nothing about registering or creating an NHS login on there either. What am I missing?

Well, on a whim, I clicked on the "Continue with NHS login" link, even though I don't have one. Is continuing with NHS login when I don't have one "hacking"? A breach of The Computer Misuse Act 1990 maybe? You then get a login page...

Well, I don't have an "NHS login". What I did not spot initially was the "If you do not have an NHS login" bit. This seems to be the first clue that maybe I can make one if I enter my email address anyway. Why is this hidden away behind a "Continue with NHS login" link?

So now I get the option to "Set up a new NHS login". This is what I had been looking for all along. How the hell is this not on the help site, or, well, anywhere before you actually try and "login"?

Update: One page for COVID19 Pass does say "You will need an NHS login to use these services. You'll be asked to create one if you do not have an NHS login already" but the page you then go to does not say that, just "continue with NHS login".

Anyway, I continued to create an NHS login. You go on through a few info pages, and create a password, and then this error...

Well, that is helpful. Given that the previous page was password selection, and I used the browser's password manager to make a "secure" password, I naturally assume it is a password issue. So I try entering a password manually. I tried several passwords, simpler and simpler, and no joy. It simply would not work.

Then, on a whim, I tried a different email address. Just to be clear, that first page does do some validation on email addresses, e.g. ...

So I really had no reason to expect that it was unhappy with my valid email address. But indeed, using a different email address, it actually allowed me to proceed beyond the password set up. I have emailed them asking that they correct my email address, obviously.

When it came to mobile checking, I decided to use an 07 number, rather than trying 01 number, as clearly it is a stupid web site.

The domestic (48 hour!) QR code does not need any more than name, DOB, NHS number. The other longer pass needs ID image and a video and I'm waiting for that to be confirmed now. However, having seen someone else's, I note that the document says this...

OK, so it has an expiry, but how exactly does that expiry "protect your data privacy". The barcode does not fade after 30 days. The "data" is still in the expired barcode, and can still be read. So how exactly does the expiry protect anything - how does it do any more than cause inconvenience for the user?

Indeed, I am told if you request a COVID letter, there is no expiry - so do they not care about your data privacy when sending a letter, or was that just a lie? Having an expiry actually makes "data privacy" worse - if you printed the QR code, you will have to dispose of that securely somehow every time it expires. Why not just be honest?

And finally... The Welsh site https://gov.wales/nhs-covid-pass-prove-your-vaccination-status says :-

But the "domestic" QR code it gives you says ...

So how do I get a QR code valid in Wales?

2020-12-21

More magic QR codes

It seems that permits for lorries in to Kent are a QR code as well, and it seems they are really good at validating number plates?!

This decodes as:-

PMRHMMJCHJNSEYJXMQYWCYLCGEWTMMZVG4WTIYJYGYWTSMJZMIWTSYZXGIZWKMJWGAZGKMBCFQREET2SJFJU2T2MIVJVIU2GJFJUQIRMEIZTONJUHAYDAIRMEI4DMMZUGARCYIRRGY2DCNRRGYRCYISLEIWCERZCFQREWIRMEIWSEXL5.XOHIQXDGEYPNAN6WKHZTSQFTAZUIHOJJCTQF7AIWDDT5GALD7S4LCPVCQXLJLA5PCEY3NIMBKHU5BNF7JPLX25KVFUMF2NIQ6H6JAFQ

This is base32, which is somewhat nicer for QR code encoding as it fits entirely in the alphanumeric coding (which is digits, upper case, and a few symbols).

It decodes as two parts: some JSON and a binary block.

{"v1":["a7d1aab1-6357-4a86-919b-9c723e1602e0","BORISMOLESTSFISH","3754800","86340","1641616","K","G","K","-"]}

So, once again, a digital signature, but made to be a smaller code than the NHS codes.

2020-09-26

Fun with QR library

My QR code generation library works well, but one of the features was generating a "colour" QR code. No, QR codes are not normally coloured, the idea is to just show the anatomy of a QR code, which parts are which. Wikipedia does a good job too.

As part of generating the code I have to create the data part, and padding, and then generate the error correction code (ECC) part, and apply various format control bits and fixed black/white units to make the image.

I have updated the library so it will make a QR code which shows what is what. It was a tad complicated by the fact that the error correction code is interleaved. This means that blocks of data and ECC are scrambled so that each block is actually spread out over the QR code. This means you can remove a chunk of the code - e.g. tear off a corner, and that is a small part of several separate blocks. You will notice the padding (green) below is spread out because of this interleaving.

Each block of data and ECC allows recreating of the data from a relatively small part of the overall block, so the distinction between data and ECC is not that relevant. But the colour coding shows how much is used for what quite nicely even so.


This has colour coding for :-

  • Blue: the actual data for the content
  • Green: padding bytes and bits
  • Red: the ECC code
  • Grey: formatting/control
  • Black/White: the fixed pixels in this size QR code

So that is it, just in case you wondered...

(That one above is an NHS COVID-19 QR code).

P.S. I have been having more fun with custom padding bytes. This is not just changing units within the tolerance of the ECC (which can be done, if careful), it is changing padding so that the ECC is still valid.

Of course, if you want to get a bit meta, you can put one type of barcode in the padding of another type. This is a Datamatrix barcode in a QR barcode. A real Frankenstein barcode!

Technically the padding is meant to be a repeating pattern EC/11, and surprisingly this is not just a recommendation in the spec. But obviously nothing checks the padding on read, so allowing pretty padding and hidden data in the padding to work.

2020-09-19

UK government digitally signed my penis!

It appears that the COVID-19 QR code generator government web site does not allow emojis, but it does allow hieroglyphs, so it seems I have managed to have the UK government digitally sign a penis.

The QR code, signed by the government/NHS, includes

{"id":"53WVKKW5","opn":"𓂸","vt":"005","pc":"SW1A2AA"}

I know it is childish, sorry, and you definitely should not check in to 10 Downing Street by using this barcode, obviously. That would be bad. It does show how daft it is making these QR codes so huge by digitally signing them though.  See the other blog post for more details on these QR codes, and what else is wrong with them.

There is a practical use though - making a QR code for your own home will allow you to "check out" of where you have been, otherwise the app assumes you were there until Midnight.


For those with character set challenges, this is what it looks like

2020-09-18

How not to QR (NHS COVID-19 App)

There is now a law requiring (from 24th Sep) a QR code to be displayed in various premises so people can scan it in to the NHS COVID-19 App. See The Health Protection (Coronavirus, Collection of Contact Details etc and Related Requirements) Regulations 2020. The law has plenty of issues, but let's look at those QR codes...

It seems you can request the QR code poster for your venue, see here. The poster is emailed to you.

This is an example.

This is not how you do it - and I wonder if they got any technical advice from anyone on the matter first.

What's in this huge QR code?

The content of that QR code is: UKC19TRACING:1:eyJhbGciOiJFUzI1NiIsImtpZCI6IllycWVMVHE4ei1vZkg1bnpsYVNHbllSZkI5YnU5eVBsV1lVXzJiNnFYT1EifQ.eyJpZCI6IlJLWTMyV01SIiwib3BuIjoiUFVCTElDIFRFTEVQSE9ORSIsInZ0IjoiMDA1IiwicGMiOiJMRTE4M1RFIn0.ix66d7uRe_vhpB4BPb0Nzbq2vEC3IShdX7UOqfp0XVyg7YI88R_bOCY1DpgQZo9dy07xcga4e1MTmcKV9ZHi1A

The data contained is an RFC7515 JSON Web Signature (JWS) base64 coded string which contains:-

  • {"alg":"ES256","kid":"YrqeLTq8z-ofH5nzlaSGnYRfB9bu9yPlWYU_2b6qXOQ"}
  • {"id":"RKY32WMR","opn":"PUBLIC TELEPHONE","vt":"005","pc":"LE183TE"}
  • Binary signature
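A parser for the two signed layouts described on this page, as an added example (not code from this blog, the NHS app or the permit system): the `UKC19TRACING:1:` JWS above and the base32 `JSON.signature` permit code from the 2020-12-21 post. The function names are hypothetical, the JSON is the text shown on the page, and the 64-byte signature is a constructed stand-in, so nothing is verified here; the point is that anyone can read the payload without a key, and how little of the code is actual data.

```python
import base64
import json

VENUE_PREFIX = "UKC19TRACING:1:"   # identifier and version, as shown in the post


def _decode(part: str, decoder, block: int) -> bytes:
    # QR payloads drop the trailing "=" padding; restore it before decoding.
    return decoder(part + "=" * (-len(part) % block))


def b64url(part: str) -> bytes:
    return _decode(part, base64.urlsafe_b64decode, 4)


def b32(part: str) -> bytes:
    return _decode(part, base64.b32decode, 8)


def parse_venue_qr(text: str) -> dict:
    """Split a venue poster code into JWS header, payload and signature."""
    if not text.startswith(VENUE_PREFIX):
        raise ValueError("not a UKC19TRACING version 1 code")
    parts = text[len(VENUE_PREFIX):].split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact form needs header.payload.signature")
    payload_raw = b64url(parts[1])
    return {
        "header": json.loads(b64url(parts[0])),
        "payload": json.loads(payload_raw),
        "signature": b64url(parts[2]),
        # Share of the QR text that is the venue data itself.
        "payload_share": len(payload_raw) / len(text),
    }


def parse_permit_qr(text: str) -> dict:
    """Split a permit code: base32 JSON, a dot, then a base32 binary block."""
    parts = text.split(".")
    if len(parts) != 2:
        raise ValueError("expected JSON.signature")
    payload_raw = b32(parts[0])
    return {
        "payload": json.loads(payload_raw),
        "signature": b32(parts[1]),
        "payload_share": len(payload_raw) / len(text),
    }


# --- constructed sample input -------------------------------------------
# Not a real signature: 64 bytes, the length the signature parts decode to.
FAKE_SIG = bytes(range(64))


def sample_venue_qr() -> str:
    header = b'{"alg":"ES256","kid":"YrqeLTq8z-ofH5nzlaSGnYRfB9bu9yPlWYU_2b6qXOQ"}'
    payload = b'{"id":"RKY32WMR","opn":"PUBLIC TELEPHONE","vt":"005","pc":"LE183TE"}'
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return VENUE_PREFIX + ".".join(enc(p) for p in (header, payload, FAKE_SIG))


def sample_permit_qr() -> str:
    payload = (b'{"v1":["a7d1aab1-6357-4a86-919b-9c723e1602e0","BORISMOLESTSFISH",'
               b'"3754800","86340","1641616","K","G","K","-"]}')
    enc = lambda b: base64.b32encode(b).rstrip(b"=").decode()
    return enc(payload) + "." + enc(FAKE_SIG)


if __name__ == "__main__":
    for name, parsed in (("venue", parse_venue_qr(sample_venue_qr())),
                         ("permit", parse_permit_qr(sample_permit_qr()))):
        print(name, parsed["payload"],
              f"signature {len(parsed['signature'])} bytes,",
              f"payload is {parsed['payload_share']:.0%} of the code")
```

Checking either signature would additionally need the issuer's public key, which is not on this page.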

So what's wrong?

  • It is not user friendly - and requires the app installed first so you can use it (see below). This is perhaps the biggest issue. P.S. even with app installed, they have not hooked the QR code to the app, as they could have, so could be used from camera app - just lazy!
  • This QR code is far too big (i.e. dense)! The denser the code the harder to read reliably. There is no need for it to be this dense. A small code is quicker and easier to read.
  • One reason it is dense is poor choice of QR encoding options. It could be less dense with exact same content easily.
  • Another reason it is too dense is that the content is base64 coded JSON which itself contains base64 binary. This is crazy. The actual underlying data is quite small, and even signing it, it does not have to be anywhere near as big.
  • Another reason it is too dense is they have chosen to sign the data, which is pointless (see below)
  • Another reason it is too dense is they have chosen to encode some simple data (venue ID and name) in JSON, when there really is no need.
  • You have to use the gov web site to make the QR code, a large company could not, for example, automate making posters for all their sites centrally.
  • This is not actually a valid QR code! Yes, pretty much everything will read it, but the specification requires a 4 unit white space all around, and this does not have that - it has grey at 2 units and text within the whitespace area.
  • If you request a poster more than once for a venue, you get a different venue code, so the app will see each poster as a separate venue, it seems. I can easily see that happening as it may be easier to request a new poster than to find the PDF / email you previously saved if you need to print more.
  • Oh, and the instructions are to display the poster and ask people to scan it with the app, as soon as you get it, even though the app is not actually working yet, so people cannot scan it with the app!
  • The poster has no link to where to get the app, just the store you have to search, and guess what, searching does not work (depending on exactly what you type):-


In summary this is thrown together with some standard libraries and very little actual thought - is not even a valid QR code, and is going to be a mess with every waiter now expected to provide tech support on app installation on Android and iPhone to every customer that comes along - but this is very much what we have come to expect.

On another small technical point, base64 is a bad choice in a QR code. If designed for just the app to read, use binary coding which is 100% efficient (one dot per bit, before any ECC). Base64, however, uses byte coding, so 8 bits for each base64 character which holds 6 bits of data, so 75% efficient. If you don't want to use binary, use base32 which uses alphanumeric QR coding, 5½ bits for each character which holds 5 bits of data, so 91% efficient.
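The arithmetic behind those percentages, and behind the earlier remark that an all upper case URL makes a less dense code, as an added example (not part of the QR library mentioned on this page). It counts data bits only for the densest single QR mode that can carry a string; the function names and the 60-byte sample payload are constructed for illustration.

```python
import base64

# The 45 characters QR "alphanumeric" mode can carry (no lower case, "=", "?" or "_").
ALPHANUMERIC = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:")
DIGITS = set("0123456789")


def numeric_bits(n: int) -> int:
    """Numeric mode: 3 digits in 10 bits, a leftover pair in 7, a single digit in 4."""
    return 10 * (n // 3) + (0, 4, 7)[n % 3]


def alphanumeric_bits(n: int) -> int:
    """Alphanumeric mode: 2 characters in 11 bits, a leftover character in 6."""
    return 11 * (n // 2) + 6 * (n % 2)


def segment_bits(text: str):
    """Return (mode, data bits) for the densest single mode able to carry text.

    Data bits only: the 4-bit mode indicator and the character-count field
    (whose width depends on the symbol version) are left out.
    """
    if text and set(text) <= DIGITS:
        return "numeric", numeric_bits(len(text))
    if set(text) <= ALPHANUMERIC:
        return "alphanumeric", alphanumeric_bits(len(text))
    # Byte mode: 8 bits per byte. UTF-8 is assumed here; for ASCII text the
    # count is the same whichever 8-bit character set the reader assumes.
    return "byte", 8 * len(text.encode("utf-8"))


def text_efficiency(raw: bytes, text: str) -> float:
    """Payload bits carried per QR data bit when raw is shipped as text."""
    return 8 * len(raw) / segment_bits(text)[1]


def compare_binary_codings(raw: bytes) -> dict:
    """Mode and efficiency for base64 and base32 text codings of raw."""
    b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    # "=" is not in the alphanumeric set, so base32 padding has to be dropped
    # or the whole segment falls back to byte mode.
    b32 = base64.b32encode(raw).rstrip(b"=").decode()
    return {
        "base64": (segment_bits(b64)[0], round(text_efficiency(raw, b64), 3)),
        "base32": (segment_bits(b32)[0], round(text_efficiency(raw, b32), 3)),
    }


if __name__ == "__main__":
    for url in ("HTTPS://FAIKIN.REVK.UK", "https://faikin.revk.uk",
                "HTTPS://FB0.UK/900000050159"):
        print(url, segment_bits(url))
    # Constructed 60-byte payload standing in for binary data such as a signature.
    print(compare_binary_codings(bytes(range(60))))
```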

How to make it more user friendly

Many people have QR readers built in to their phone, for example an iPhone will pop up with a link from the camera app itself, so there is a really simple trick for this - make the QR code a URL which the app can read as data, but if used simply as a URL itself you end up going to a web site which redirects you to the app or the app store to download the app. The data can be after a # in the URL so not even sent to the server when used as a URL. This allows it to be used from the app or from the camera, and helps for people that don't yet have the app, and those that mistakenly did not realise they have to launch the app first. It makes it a lot simpler to use.

It is not hard, basically, instead of UKC19TRACING:1:blah use https://c19qr.uk/#blah
(well, obviously, an nhs.uk domain would be used)

(Update: Just to clarify, the use of a URL at the start is not to make the QR code usage rely on an internet connection or a web site in any way. If the app is installed it would be used purely as a version/ID confirmation, like the UKC19TRACING:1: string, and the app would then just use the data in the QR code, not visit a web site. The URL is there to make it easy for people to use from camera, and to install the app in the first place).

Why is a "big" QR code a bad idea?

I have added this to clarify a little why the large / dense QR code is not ideal.

For a start, from a purely technical point of view, it is just unnecessary. You need some extra data to avoid confusion with other uses of QR codes, which is what the UKC19TRACING: is for, and ideally a version, which is what the 1: is for. Beyond that you just need the actual data (location code, postcode, and venue name, in this case). There is no need for extra syntax (e.g. JSON). Indeed, some careful choice of data (e.g. using digits, or upper case letters and digits) can make the QR coding even more efficient. But this is far from the only reason.

In ideal conditions it does not matter if you have a large/dense QR code. As someone that has been messing with barcodes for around 40 years, I have no trouble using a camera phone to read a barcode. I know what hoops the phone / software is going through to make it work and how best to position the camera. But I cringe watching people do this and struggle (notably, someone I know reading lottery ticket QR codes). They (understandably) don't know how these things work and will randomly try getting closer or further away, usually the wrong way, not waiting for camera to focus, etc, eventually reading the code.

The way it works is the camera has to be able to see the units, i.e. the black and white squares that make up the code. The camera itself has pixels (dots) with which it can see. If the camera was perfectly aligned and square you could read a QR code with one such pixel per unit, but that never happens, and in practice you need a lot more. Throw in the possibility of poor focus, glare and reflection from glass / perspex, dirty lens, and the QR code at an angle, and you need even more. Thankfully most modern camera phones are high resolution enough to cope and read a very large and dense QR code. Not all phone cameras are made equal and some are much lower resolution and slower to focus. Print quality also matters, and whilst most printers are very good, remember this is also intended to be used displayed on a screen. The QR code itself includes error correction which allows some imperfections and errors to be corrected, but this can only help so much.

Even so, perhaps the biggest issue with a large and dense QR code is the range of distance between the code and the camera. This is a thing I observe people struggling with, for some reason. With a low density QR code the camera can read it when it is small in the view of the camera. Also, when it is small in the view, they do not have to point directly at it, it can be off to one side, etc. With a large / dense QR code the camera needs to be closer, with the QR code filling more of the frame. So the usable distance range where the code can be read relates directly to how dense the QR code is. The more usable range, the easier it is for the user to get it right first time and not hold up a queue of people trying to get in to a bar.

Of course the other issue is how big you print it. The guideline for this is to print at least A4. Why? Because it is so dense. A smaller code could be printed much smaller and still be easy to use. I note, for example, Costa have small table menu cards with the check-in QR codes they used (which are nice and small) on them, and they are much smaller than A4.

One final reason is confusion and paranoia. I already see people on twitter asking what the hell is in this huge QR code. People are concerned that it obviously contains a lot of data and it is not obvious why. The whole project has suffered from privacy concerns already, and this does not help.

Why is signing daft?

Signing means that there is an extra chunk of information in the QR code (making it a lot bigger/denser) that ensures the data is genuine, i.e. that it definitely came from the government QR code generator web page. There are many good reasons to sign things, but not in this case.

The signing is a tad daft as :-

  • Anyone can make a code for anywhere on the gov web site, and it gets signed.
  • You can copy a code from somewhere else and it is signed.
  • It makes the QR massive! and so harder to scan.
  • Obviously not done to try and avoid vulnerabilities, as one can get 
    سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتخ signed, no problem (which some may remember would crash iPhones).
  • To be quite frank, it would not be as fun making a barcode for Specsavers in Barnard Castle if the QR code was essentially just a postcode and name, and not government signed.
  • If, instead of signing, they just published a specification (as done by other countries), large companies with lots of sites could have made posters for all their venues centrally and easily as well as allowing individual posters via the gov website.

Whilst this is not quite the way the track and trace process works, if some establishment did not want to risk being shut down, they could put the barcode for a competitor, maybe with a vague establishment name in the QR code, so not obvious when using the app. The gov website lets you make a signed QR code for anywhere, and even if they did not, you can literally copy a signed QR code you can see anywhere, and it is still signed.

A further update (Oct 20th) shows the signing checking did not even work on Android!

And yes, they will sign almost anything. Emojis seem to be banned, but hieroglyphs are not. So I seem to have got the UK Government to digitally sign a penis!

{"id":"53WVKKW5","opn":"𓂸","vt":"005","pc":"SW1A2AA"}

How it could be a lot less dense, so easier to read

As an example, if I just include the actual data, and some sort of signature (an MD5 in this case, there are many ways to sign things), and a URL prefix to get the app (which acts as ID/version), you could make a code like this... Way less dense, and easier to use.


If you don't sign the data (and why would you?)

All that is really needed in the code is the location, a postcode with DPS, e.g. LE183TE9Z, or maybe just a UPRN (Unique Property Reference Number), e.g. 100032050996. The postcode/DPS may be better as you can then quote the venue postcode in the app. You probably do need the venue name as well to quote in the app. That is not a lot of data that is actually needed.

If you do that, you can make a code like this which has a URL, UPRN, and premises name in it, and is way less dense and easier to scan.

With just a postcode/DPS it is possible to go even smaller!

Is the app OK though?

Just to be clear, this is criticism of the QR code not the track and trace app. There is a blog on that which is quite interesting, but does not explain why they felt it necessary to sign the QR codes, or why they did not make them a URL format for easy access to the app. Here: https://www.ncsc.gov.uk/blog-post/nhs-test-and-trace-app-security-redux (the previous app described here https://www.ncsc.gov.uk/blog-post/security-behind-nhs-contact-tracing-app)

P.S. I have a QR code generation library available free on GitHub here.

2020-01-02

EICAR test QR

It seems there is something of a standard test string for anti virus (Wikipedia has more on this).

The idea is that systems that look for viruses will have this string loaded as a signature of a valid virus, and so react as such. This allows you to test virus checking systems without an actual virus being used. Obviously some systems may flag as "test virus" or some such, and some may not have this "standard" string.

The string is :-
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
So far, so good, but what people are doing (see tweet) is putting that in a QR code, e.g. this (feel free to copy this image).


[note the white space around the image is part of the QR code spec]

And then sticking it on a car, or a hoody, etc..

The result is that some systems that happen to log the content of QR codes they see, e.g. on CCTV and the like, promptly trip their virus detection systems. Ooops.


Of course this does raise questions of whether this could count as Computer Misuse, but then should such systems be reading QR codes off a hoody anyway?

P.S. My QR code generator is on GitHub if you want... It seems to be more efficient than most (though no advantage for this particular case), and has a lot of options (png, svg, text, binary, eps, ps, hex, data URL). Have fun.

2019-03-03

Bleeding time and motion

I have a blood test every year, sometimes more often, and that means going to Heatherwood phlebotomy clinic.

They open at 08:30, and at that point there are typically 30 or more people waiting already (which is about capacity for the waiting room). They have numbered cards you take, and they call a number. If you are lucky then there are two of them taking blood.

First off, they really should have a second set of cards (maybe just for the first hour of the day), perhaps in red or something, for fasting blood tests. I was feeling hypo as it was, but had to wait over an hour to be seen. Luckily my test was not a fasting one, but had it been I could well have been collapsing. Normally a fasting test is not a problem for someone, but I have daily insulin, and that can mean sometimes I have to eat - such as when I have not eaten for 12 to 14 hours for a fasting test. Even though, in my case, it would have put people ahead of me in the queue - a priority queue for fasting would make sense. The blood test form says if fasting or not, so not like people could game the system and take the wrong card.

They are pretty efficient, check your name and DoB, strap arm, clean, find vein, take blood, tape dressing over it, and then spend about 50% of the overall time, or more, writing your name, and details (about 4 lines of text) on each of the blood sample containers (in my case, two).

It strikes me that the system could be massively better with a simple barcode reader and label printer. Even with nothing needing to be on-line, just a QR code on the blood form the doctor sends that when read provides the lines of text to print on the sample label, just that. Such a device would not be expensive (well, not compared to staff time over its operational life) and could mean processing at roughly twice the rate, by my estimate. A simple fall back to writing means not building in a dependency on technology.

Of course the printed label could also have a QR code which probably then saves time when the samples are processed later, as well as reducing transcription errors.

Don't the NHS have people whose job it is to think of things like this?

P.S. I am surprised someone does not make a small label printer with QR reader that literally just prints the QR label content on a label on each scan. Must have loads of applications just like this!

2018-09-10

Dual purpose QR codes

We used to include a QR code on product labels with the serial number. This is so that sales staff can scan in serial numbers to delivery notes and track stock. This is not uncommon.

This example barcode has a simple serial number 2900-0000-0000 which is great if you want to know the serial number, as we do.

However, QR codes are starting to be quite common and most phones will just read them, even in the camera app. This is somewhat boring being just a serial number. People are actually used to QR codes having useful URLs to take them to a web site.

So, we came up with a cunning plan. This was actually to help one of my friends with some work he is doing for a customer, and we came up with this plan between us, and it works quite well.

The trick is making the barcode useful to us as a serial number but also useful to random people reading it on their phone.

To that end, we make a slight change to the content of the barcode, and now it has HTTPS://FB0.UK/290000000000 in it, as an example.

As you see, you can fit a short domain like that, and 12 digits of serial number, in the same minimum size QR code. We had to lose the hyphens, and stick to upper case, to fit without being a more dense QR code or taking more space.

When scanned, you get to the FireBrick web site, and indeed to the FB2900 product page which includes a link to the quick start guide, etc. This makes it actually a useful barcode for anyone pointing their phone at it.

For our systems, we can easily make them strip the initial HTTPS://FB0.UK/ (and add in hyphens to look nicer). So we can use it as a serial number just as we did before.

Bingo, dual use QR codes.
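An added example (not code from the original post or the FireBrick systems): it counts the bits each form of the label needs and checks them against the smallest QR code, then parses a scan back to a serial number. The function names are hypothetical, the capacities and mode sizes are the version 1 figures from the QR standard, and the segmentation search only tries a single split, which is a simplification.

```python
import re

# Version 1 figures from the QR standard (ISO/IEC 18004): data bits per EC level.
V1_DATA_BITS = {"L": 152, "M": 128, "Q": 104, "H": 72}
ALNUM = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:")
PREFIX = "HTTPS://FB0.UK/"  # prefix quoted in the post

def segment_bits(text):
    """Bits for one segment (mode + count + data) in the densest mode that fits."""
    n = len(text)
    if re.fullmatch(r"[0-9]+", text):          # numeric: 10 bits per 3 digits
        return 14 + 10 * (n // 3) + (0, 4, 7)[n % 3]
    if set(text) <= ALNUM:                     # alphanumeric: 11 bits per pair
        return 13 + 11 * (n // 2) + 6 * (n % 2)
    return 12 + 8 * len(text.encode("utf-8"))  # byte mode: 8 bits per byte

def best_bits(text):
    """Fewest bits using one segment or any split into two (a simplification)."""
    best = segment_bits(text)
    for i in range(1, len(text)):
        best = min(best, segment_bits(text[:i]) + segment_bits(text[i:]))
    return best

def fits_version1(text, level="L"):
    """True if text fits the smallest (21x21) QR code at this error correction level."""
    return best_bits(text) <= V1_DATA_BITS[level]

def serial_from_scan(text):
    """Accept the bare serial or the URL form; return NNNN-NNNN-NNNN or None."""
    if text[:len(PREFIX)].upper() == PREFIX:
        text = text[len(PREFIX):]
    digits = text.replace("-", "")
    if not re.fullmatch(r"[0-9]{12}", digits):  # scanner input is untrusted
        return None
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

if __name__ == "__main__":
    for sample in ("2900-0000-0000",
                   "HTTPS://FB0.UK/290000000000",
                   "HTTPS://FB0.UK/2900-0000-0000",
                   "https://fb0.uk/290000000000"):
        print(sample, best_bits(sample), fits_version1(sample), serial_from_scan(sample))
```

The upper case URL without hyphens only fits because the 12 digits can go in a separate numeric segment; as a single alphanumeric segment it would be too long for the smallest code.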

2018-09-09

Printing, and microscopes!

I got a small £15 USB microscope off Amazon, as you do. Great fun, but there was a practical reason.

I have been trying to work out the logic of the printing from my Mac to a Brother QL-700 printer. I have this sussed when it comes to using linux (finally) with a lot of careful arguments to ghostscript and inkscape to take my initial SVGs and print them with no dithering. That is working well. But I am trying to work out how to print from a Mac when printing something that is fussy, like a bar code.

Printing PDFs

The most obvious choice was to make a PDF. I had carefully made the barcodes in the PDF to the exact print resolution of 300 dpi. Everything was vector based. On screen it is perfectly crisp and clear.

However, the printing from the Mac constantly insisted on scaling to fit page. Even when I put 100% scale the printing was not spot on, and did not read very well, if at all. In fact it was slightly better printed at 101%. This is silly.

Printing PNGs

So I tried PNGs. The good news is that by default, where the PNG has a resolution set, it defaults to print at 100% and seems to have the sense to align pixels well. I thought my problems were solved, and to the naked eye, the QR codes looked fine.

But I decided to check, which is where the microscope comes in!

I generated a PNG with a QR code at 100dpi with one PNG pixel per QR code unit/pixel.

This was the result!


As you can see, there are bits sticking out all over the place. It took me a while to work out what was happening! Basically, something in the process has decided to soften the edges of the pixels, and then something has decided to dither the greys that are then produced. Even tinkering with the dither settings I could not make it stop doing this. Surprisingly it does read, usually. (Yes, I also bought a 2D barcode reader from Amazon).

However, one small change makes it massively better. By making a PNG at 300dpi, and using 3x3 PNG pixels per QR unit/pixel I get this!


No bits sticking out. It is not quite perfect, but that may be the printer - it seems to bleed on the trailing edge of printing making all black slightly wider. I may be able to do something to compensate for that. This reads much more reliably than the previous one.

However, making a 600dpi image and 6x6 pixels did not help - it created anti-aliasing greys which dithered, though not as bad... If I was able to align this properly it would probably work as well.


So, the moral of the story is to make PNGs that match exactly the printer resolution, and ensure you have way more than 1x1 pixels for the bar code units. For this printer I would say at least 3 print pixels per unit.
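An added example (not from the original post): a dependency-free way to write such a PNG, with each bar code unit expanded to a whole number of pixels, only pure black and white so there are no greys to dither, and the printer resolution stored in the file. The function names, the 4 unit quiet zone default and the tiny sample pattern are assumptions made for the example.

```python
import struct
import zlib

def scale_modules(modules, px_per_module=3, quiet=4):
    """Add a white quiet zone, then make each unit px_per_module x px_per_module."""
    size = len(modules[0]) + 2 * quiet
    blank = [0] * size
    padded = ([blank] * quiet
              + [[0] * quiet + list(r) + [0] * quiet for r in modules]
              + [blank] * quiet)
    rows = []
    for row in padded:
        wide = [m for m in row for _ in range(px_per_module)]
        rows.extend([wide] * px_per_module)
    return rows

def _chunk(kind, data):
    """One PNG chunk: length, type, data, CRC over type and data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)

def png_1bit(pixels, dpi=300):
    """Encode 0/1 pixels (1 = black) as a 1-bit greyscale PNG tagged with dpi."""
    height, width = len(pixels), len(pixels[0])
    raw = bytearray()
    for row in pixels:
        raw.append(0)                                 # filter type 0 (none)
        for i in range(0, width, 8):
            bits = row[i:i + 8]
            byte = 0
            for b in bits:
                byte = (byte << 1) | (0 if b else 1)  # PNG grey: 0 black, 1 white
            raw.append(byte << (8 - len(bits)))       # pad the last byte of a row
    ppm = round(dpi / 0.0254)                         # pHYs holds pixels per metre
    return (b"\x89PNG\r\n\x1a\n"
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 1, 0, 0, 0, 0))
            + _chunk(b"pHYs", struct.pack(">IIB", ppm, ppm, 1))
            + _chunk(b"IDAT", zlib.compress(bytes(raw)))
            + _chunk(b"IEND", b""))

if __name__ == "__main__":
    sample = [[1, 0, 1], [0, 1, 0], [1, 0, 1]]        # constructed pattern, not a real QR
    with open("units-300dpi.png", "wb") as out:
        out.write(png_1bit(scale_modules(sample), dpi=300))
```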

P.S. linux pdfinfo command shows resolution in DPI and then has "(pixels per meter)" which is very confusing.

2018-02-10

2D bar codes

I have done a lot on barcodes on my blog, and I am sure I have mentioned the URL shortener I made that is www.4.gg in the past.

It allows you to provide a URL and gives you a barcode for that in a variety of formats. Some time ago I changed from IEC16022 (DataMatrix) codes to IEC18004 (QR) codes simply because this is a tad like betamax vs VHS, and clearly QR codes have won. Shame, in my view, but they work. It is even possible to script it to get codes for URLs from automated systems.

I was looking today at some of the stats on the site. It collects very few pieces of data - obviously it has a log of the mapping from an assigned code to a URL, it has to have that, and it records the date/time it was made, and the IP from which it was made and a hit count and latest time of use, and well, that is it.

It was never any attempt to collect data, personal or otherwise. I intended it to be useful, and well, we (A&A) use it for things like barcodes on invoices.

What makes it special is that the barcode is designed to fit the minimal QR code format, so is compact and/or easy to read. For example :-

That is the size of all of the barcodes it makes, the smallest allowed in normal IEC 18004 QR codes. But the URL shortener aspect means that can be any URL you like.

I checked, and was amazed that there are literally millions of hits on these codes now. It has been working for like 9 years now. We actually have over 1000 new codes created a day now, which shocked me! When I started some camera phones had QR or data matrix readers, and even the Nokia phone had a bug that did not like a "z" in the code. These days phones have QR code readers in the camera apps, and iPhones just "see" QR codes when taking a picture...

So then comes GDPR, and I am concerned - we collect IP address when codes created and hit counts. Importantly we could collect way more if we wanted to. Some may count as "personal data" though that is questionable. So do I have to worry?

Well, best plan is make this an official free service by A&A and include in GDPR privacy statements. Annoying we have to do this crap in many ways, but let's do the right thing shall we.

BTW, the most popular code is some site that is now a parked domain, over 500k hits and even one today, so someone has put that barcode somewhere massively popular and I know nothing about it. Amazing how a free service I have not even advertised has taken off.

What is especially amusing is Facebook hampering my freedom of speech talking about it!


First time I have ever been accused of spamming... What is amusing is that I could post that screen shot on Facebook and a QR code of my post and the various comments and replies in QR code with no problem. Shows how effective Facebook's policies are in practice. LOL.

2018-02-03

svg inkscape and ghostscript...

Very technical one this time.

As I have blogged before, a lot of things are now being created as a master in SVG format. Its one failing is blocks of wrapped text, but apart from that it works really well.

So, the new FireBrick serial number labels are done in SVG, and they include a QR code of the serial number. Simples. Well, you would think.

The target printer is 300dpi, and so the design has all been done on nice hard integer units at 300dpi. This is especially important for things like bar codes which need to be pixel aligned. In this case 4 print pixels wide per QR pixel. If this is not perfectly scaled or aligned the QR code gets all aliased in nasty ways and is not as readable.

The svg uses width/height and viewBox to ensure we can use 300dpi units but be the right size, e.g. height="27.940000mm" viewBox="0 0 1185 330" width="100.330000mm"

The SVG looks perfect, obviously, whatever scale...

I can use inkscape to convert that to a png at 300dpi and it looks perfect...


We are using a Brother QL-700 which installs nicely on (32 bit) linux using the provided drivers and operates like a normal Linux printer as postscript (using ghostscript behind the scenes). So I use inkscape to make an EPS for printing. Again, simple.

This is where it goes wrong. inkscape is making postscript using default (72 dpi) units and 3 decimal places. e.g.  28.801 28.16 m 35.52 28.16 l which means a gap there of 6.719 pt which is 27.995 pixels at 300dpi, that is 7 QR code pixels. The issue is rounding. Sometimes it would be 3.995 pixels and sometimes 4.005 and so on, so you end up with a badly aliased QR code.

The fix was to make the SVG not scaled to the right size but just using the 300 dpi units. In fact, better would have been to scale to 72 dpi units default for EPS but as it happens the default units of SVG (96 dpi) work to produce integer values. This, of course, makes a much bigger image, so a bit of sed to add a 96 300 div dup scale was all that was needed.

What an annoying mess. If only inkscape understood that EPS can have a scale command, and it could have maintained the original units from the SVG in the EPS rather than converting to 3 decimal places. I may find the developer forum and suggest a change!

Here are the before and after - the bottom is before which as you can see from the checker board is rather broken. Now we have nice readable QR codes, yay!


