I recently read about a cyberpunk author focusing on fictional graffiti artists who use code stencils to overwrite existing QR codes. The author, Tim Maughan, didn’t know about my hack showing that there’s actually a generalizable method for making QR code stencils work. In Maughan’s book, street artists do things like replace a Coca-Cola QR code advertisement with subversive virtual art. It’s a cool concept, and the author deserves props for nailing the edge of current and future cyber-reality so well. But “replacing” QR codes in public places is a notion that myself and others have been toying with in the non-fiction world.
“Toying” and “doing” are different things, of course. For example, I’ve toyed with the idea of covering some of the Transportation Security Administration’s (TSA) QR codes with my own because it wouldn’t be hard to do. You could create stickers for your TSA QR Code prank, and while waiting in line at the airport, you’d — theoretically — put your stickers over the QR codes on the TSA’s posters. The TSA QR codes link to boring and bland websites about how much safer we all are because we have to buy $5 bottled water on the other side of the X-ray scanner. These aren’t the most popular links, so it’s unlikely anyone at the TSA would quickly notice that the QR codes have been replaced. This is a prank that could hang around for a very long time.
So, why haven’t I started doing this? I have a strong aversion to jail time. I have seriously considered using Post-It notes or something that would clearly not count as defacement. Permanent stickers might technically be defacing federal property, and they could easily figure out who added the stickers through video recordings. So, while it might be hilarious and completely awesome, I am not going to try it. For the record, neither should you for all of the same reasons.
In any case, now you can understand why I scan the QR codes at the TSA lines. There’s always the chance someone with more courage/foolishness than me had the same idea.
And then one day while traveling in Orlando, I scanned the following sign:
TSA poster with QR code. Click to enlarge.
I’m surprised that what happened next didn’t result in a full pat-down for me. The QR code I scanned didn’t go to a tsa.gov site, so I started flipping out. I told my traveling companion that I would meet them on the other side of the scanners, and I just stood there in front of this sign trying to figure out if someone else had beat me to my own “hack.”
The QR code linked directly to the site justinsomnia.org. I rubbed the poster to see if I could detect a sticker. No sticker. The QR code was in the poster. Had someone replicated the whole poster and just changed the QR code? What a far more elaborate hack! How had they replaced the whole poster without anyone noticing? I took several minutes trying to get a decent photo, and the picture you see above is the best I got. You can still scan the QR code from the photo if you’re patient, but trust me, it goes to justinsomnia.org.
It took me a while to figure out what happened. Justin Watt, the owner of justinsomnia.org, had discovered QR codes relatively early, in 2007. He wrote about how his QR code blog post eventually earned the No. 2 spot in the Google image search for “QR code.” The first spot belonged to the BBC, but they had put “BBC” in the center of the code, making his image the first “normal” one. You can see his code here.
Justin’s QR code is identical to the code in the TSA poster. So, this wasn’t a hack. What happened is that the designer of this poster put a “stock” QR code photo, pulled from Google’s image search, into the poster as a placeholder. All of the placeholders in all of the posters were later replaced with Google short links to tsa.gov web pages. Except for this one. Apparently, no one bothered to check that the QR code links work. As far as I know, this poster is still sitting in the Orlando airport and pointing to the wrong website. (Note: I’m assuming that an image swap is what happened. It’s really the only assumption that makes any sense. Plus, it’s happened before.)
Could this flub get any better? Turns out, it can.
Like many people, Justin thinks the TSA is pretty silly. A quick site-search from Google reveals that Justin has very little patience for all of the mind-numbing things that the TSA regularly does. He even links to this article about Bruce Schneier that is every bit as juicy as the one that I was fantasizing about “hacking” into the TSA’s posters.
So, the TSA accidentally linked its poster to a TSA critic. Awesome.
Why would anyone like me take the risk of making the TSA look ridiculous when they’ve done such a careful job themselves? They could not have done a better job here if they linked to the best way to support the Electronic Frontier Foundation. In fact, because he completely controls the domain, Justin can re-route the QR code to whatever he likes. I wonder what he’ll do with his super power.
I will leave it to the readers to discuss the social implications of all of the English language QR code content working, while the Spanish language QR code poster was not checked before it went out. Suffice to say, I think there are some implications there.
I also wonder how long it will take for this poster to be pulled from the TSA screening lines. So, let’s do this: Post your sightings of the flubbed QR code poster on Twitter using the hashtag #tsaflub. I will try to create a collection of the “sightings” so we can see how quickly the TSA takes these down.