After 50 years, GS1 is replacing the barcode with QR codes. That matters for devs, for consumers, for brands, for retailers, for trust on the Web.

13 September 2023


ben_tillyer, Sebastian Crane
Phil Archer

Meeting minutes

Slideset: https://philarcher.org/gs1/files/2023/09/qr-gs1.pdf

Testing 123...!

<labrax> ghdot68KjM - I did not do that by hand :D

Q: If you have the list of properties - is there a way to define the source of data such as nutrition info?

A: GS1 manages Link Relation Types ('linktypes') - a linktype coming soon is regulated information. The link can then be to a verifiable credential if needed.

A: We would leave that information and mechanisms to the destination URL.

Q: Is it still the case that GTIN is regulated by GS1? (yes)

A: GS1 does not know about all the GTINs, just the prefix (license) component.

Q: I am leaving it up to my web browser to follow the link - I have to trust it?

A: It's no less secure than any apps you need to trust when scanning a barcode today. Members licensing GTINs can control the web link.

Q: (Sebastian) - why are you using http and URLs? Why not use query strings?

A: Consumer device cameras already recognise URLs in QR Codes - we are leveraging that capability. Consumers seeing the URL can see the brand in the URL (e.g. id.kelloggs.com) - no consumer knows 'GS1' - and the whole world coming to one domain of servers would create a traffic issue.

Q: (Ben - accessibility guidelines WG) - P&G were going to use another 2D code for vision-impaired consumers, but this put a lot of retailers off. (GS1 Digital Link) solves this for blind customers, very interesting.

A (as a Q!): Accessibility is an important use case - how easy is it for vision-impaired consumers to find the QR Code?

Ben: 'Navi lens'(?) enables ability to find Navi codes and QR Codes don't really work like that via cameras. Could a solution be that the QR Code is always in a certain place on the pack?

Q (Wolfgang) - GTINs are managed by GS1?

A: GS1 manages the numbering space.

Q: (Wolfgang) - how about type instance?

A: In the GS1 Digital Link URI, the identifier comes first (the GTIN number) then some qualifiers follow it such as serial number, and some attributes are in query strings such as expiry date.

Q: (Sebastian) - Brands could design their own URLs so why use this strict format?

A: It's about minimising the codes on the pack - ideally only one - so it can be reused by many systems. So a checkout only looks for the number following the fourth forward-slash to get the same number as the 1D original barcode.

A: If you have a serial number it can be that instance of the product, and you can also get basic info for just the GTIN.

A: Each scanning application can look in different parts of the URL to find the data they are looking for. E.g. a retailer staff app could just look for expiry dates.

<Zakim> Wolfgang, you wanted to comment on attack surface and to proxy Pat

(I'm getting names mixed up - sorry thanks for fixing!)

Q: (Wolfgang) - there may be many ways a scanner could implement parsing GS1 Digital Link incorrectly, exposing an attack surface. Does the spec come with recommended implementations, etc?

A: A woman went to a coffee shop, scanned the coffee cup's QR Code. Web page says 'download this app and ignore any warnings'. A rogue app is then downloaded. The person should have adhered to the warnings but the 'news' is that the QR Code is the issue.

A: The attack surface we are being told we are opening is not new - and most scanners simply want to get just part of the data. A rogue actor could stick a 1D barcode over an existing one.

A: We are looking at hashing and verifiable credentials as possible future answers.

Q: (Wolfgang) I would disagree that just parsing a number is not a security issue.

<phila> acl labrax

A: We do offer C code to scanner manufacturers

Q (Sebastian) Are existing laser-based barcode scanners going to keep up with the latest generation of QR codes?

A: We are working with manufacturers to implement this. The 1D barcode is not going to disappear. There are securer QR Codes but these are proprietary and often require licensing.

Q: (Sebastian) - what about speed and throughput?

A: Yes, we have tested in a lab; the 1D vs QR Code parsing speed is 10-20 milliseconds. This is 'longer' but we still can get 70 items per minute through a scanner as needed by supermarkets.

<benoit_> wouldn't something like "gtin:09123123123?expiry=xxxx&something=else" resolve all of these concerns? the only objection I have heard is "your phone can't scan it by default", but if standardized, wouldn't that change more quickly than education?

Q: (benoit) - having a GTIN scheme gets around web domains expiring.

A: Not hopeful that Apple and Android would support this. Example is data matrix barcode which is on billions of medical products and they are still not interested because they would not know what to do with it.

A: If you can persuade Apple and Google to raise an 'intent' (default app) when a GTIN: scheme is used then excellent.

<Zakim> Wolfgang, you wanted to proxy Pat

<Wolfgang> [next speaker is Pat, not Wolfgang]

<labrax> That is an unintended advertisement for DisplayPort :)

Q: Big concern for me is being able to identify an individual. My TV gets updates from the internet but it means my TV brand could recognise 'me' uniquely. Could a system work out the individual if they scan QR Codes from their device? Privacy element is biggest concern.

A: At GS1 we don't collect data. The logs are lost deliberately.

<labrax> Thank you!

<phila> https://philarcher.org/gs1/files/2023/09/qr-gs1.pptx

<phila> https://philarcher.org/gs1/files/2023/09/qr-gs1.pdf

<ben_tillyer> Thank you for organising the session!

Minutes manually created (not a transcript), formatted by scribe.perl version 221 (Fri Jul 21 14:01:30 2023 UTC).


No scribenick or scribe found. Guessed: nick_lansley_gs1

Active on IRC: ben_tillyer, benoit_, labrax, nick_lansley_gs1, phila, sebastian, tidoust, Wolfgang