The Transportation Security Administration's QR code flub

Prank or mistake? A QR code on a TSA poster links to a non-TSA site.

I recently read about a cyberpunk author focusing on fictional graffiti artists who use code stencils to overwrite existing QR codes. The author, Tim Maughan, didn’t know about my hack showing that there’s actually a generalizable method for making QR code stencils work. In Maughan’s book, street artists do things like replace a Coca-Cola QR code advertisement with subversive virtual art. It’s a cool concept, and the author deserves props for nailing the edge of current and future cyber-reality so well. But “replacing” QR codes in public places is a notion that myself and others have been toying with in the non-fiction world.

“Toying” and “doing” are different things, of course. For example, I’ve toyed with the idea of covering some of the Transportation Security Administration’s (TSA) QR codes with my own because it wouldn’t be hard to do. You could create stickers for your TSA QR Code prank, and while waiting in line at the airport, you’d — theoretically — put your stickers over the QR codes on the TSA’s posters. The TSA QR codes link to boring and bland websites about how much safer we all are because we have to buy $5 bottled water on the other side of the X-ray scanner. These aren’t the most popular links, so it’s unlikely anyone at the TSA would quickly notice that the QR codes have been replaced. This is a prank that could hang around for a very long time.

So, why haven’t I started doing this? I have a strong aversion to jail time. I have seriously considered using Post-It notes or something that would clearly not count as defacement. Permanent stickers might technically be defacing federal property, and they could easily figure out who added the stickers through video recordings. So, while it might be hilarious and completely awesome, I am not going to try it. For the record, neither should you for all of the same reasons.

In any case, now you can understand why I scan the QR codes at the TSA lines. There’s always the chance someone with more courage/foolishness than me had the same idea.

And then one day while traveling in Orlando, I scanned the following sign:

TSA poster with QR code
TSA poster with QR code. Click to enlarge.

I’m surprised that what happened next didn’t result in a full pat-down for me. The QR code I scanned didn’t go to a site, so I started flipping out. I told my traveling companion that I would meet them on the other side of the scanners, and I just stood there in front of this sign trying to figure out if someone else had beat me to my own “hack.”

The QR code linked directly to the site I rubbed the poster to see if I could detect a sticker. No sticker. The QR code was in the poster. Had someone replicated the whole poster and just changed the QR code? What a far more elaborate hack! How had they replaced the whole poster without anyone noticing? I took several minutes trying to get a decent photo, and the picture you see above is the best I got. You can still scan the QR code from the photo if you’re patient, but trust me, it goes to

It took me a while to figure out what happened. Justin Watt, the owner of, had discovered QR codes relatively early, in 2007. He wrote about how his QR code blog post eventually earned the No. 2 spot in the Google image search for “QR code.” The first spot belonged to the BBC, but they had put “BBC” in the center of the code, making his image the first “normal” one. You can see his code here.

Justin’s QR code is identical to the code in the TSA poster. So, this wasn’t a hack. What happened is that the designer of this poster put a “stock” QR code photo, pulled from Google’s image search, into the poster as a placeholder. All of the placeholders in all of the posters were later replaced with Google short links to web pages. Except for this one. Apparently, no one bothered to check that the QR code links work. As far as I know, this poster is still sitting in the Orlando airport and pointing to the wrong website. (Note: I’m assuming that an image swap is what happened. It’s really the only assumption that makes any sense. Plus, it’s happened before.)

Could this flub get any better? Turns out, it can.

Like many people, Justin thinks the TSA is pretty silly. A quick site-search from Google reveals that Justin has very little patience for all of the mind-numbing things that the TSA regularly does. He even links to this article about Bruce Schneier that is every bit as juicy as the one that I was fantasizing about “hacking” into the TSA’s posters.

So, the TSA accidentally linked its poster to a TSA critic. Awesome.

Why would anyone like me take the risk of making the TSA look ridiculous when they’ve done such a careful job themselves? They could not have done a better job here if they linked to the best way to support the Electronic Frontier Foundation. In fact, because he completely controls the domain, Justin can re-route the QR code to whatever he likes. I wonder what he’ll do with his super power.

I will leave it to the readers to discuss the social implications of all of the English language QR code content working, while the Spanish language QR code poster was not checked before it went out. Suffice to say, I think there are some implications there.

I also wonder how long it will take for this poster to be pulled from the TSA screening lines. So, let’s do this: Post your sightings of the flubbed QR code poster on Twitter using the hashtag #tsaflub. I will try to create a collection of the “sightings” so we can see how quickly the TSA takes these down.


tags: , , ,
  • This is absolutely hilarious.

  • Great post. While we’re considering conspiracy theories, is it just me, or does Officer Smith bare a striking resemblance to Charlyne Yi?

  • Wow, it seems there are more wrong than acceptable ways to use QR codes.

    Btw, as if you didn’t already bring this story full circle by pointing out he enjoys heckling the TSA, I’ll mention that Justin is a former O’Reilly Media colleague.

  • I have to add, it never occurred to me before reading this post that QR codes in public places were so ripe for “hijacking”. Sadly this instance is far more benign.

    Secondly I didn’t quite realize that I’d been so outspoken about the TSA over the years. That certainly adds an interesting dimension.

    I was first notified about the QR Code back in Orlando back in August, 2011. So it’s been up for several months now.

  • Just to let you know, the “real” QR code that they use isn’t much better. It uses the QR shortener – which means anyone can see the TSA’s usage statistics.

    I’ve done a full write up at

  • M. D.

    Interesting mishap.

    They should have used – which lets anyone create a collection of free QR codes attached to various content – allowing corrections and updates on the fly…

  • This is becoming more of an issue with QR codes these days. You can hijack a code simply by putting a sticker over it or, as the author suggests, just reproducing the entire advert.

    We’re working on a secure QR code specification that includes digital signatures so that you can verify that the code hasn’t been tampered with. This should help in gaining back a little trust.

    I feel bad for the TSA on this one. It’s incidents like these that give QR codes a bad name. They simply weren’t designed for the broader use they’re seeing these days.

  • It looks like there may be a new job opening at the TSA – Executive Director of QR Code Quality Control!

    Where do I apply?

    No self-respecting designer should ever submit files for approval or print before they run a spell-check, check all of the listed links and scan any QR Codes or Tags to make sure that scan result opens the intended result! Not creative, but necessary.

    It’s the misuse of QR Codes that help lead to the confusion and misunderstanding that people have about QR Codes.

  • Nice story, from I hear these QR Codes are the best.

    You can get a secure QR Code from

    This QR Code comes with a website for mobile phones where the person can get directly in contact with you via phone, email, web, facebook, linkedin, twitter etc.