BlipFiles


How QR code readers work

You use QR codes daily: restaurant menus, payments, joining WiFi, store receipts. But how does that little black-and-white square become useful info? And what FITS inside a QR?

4 min read · Updated on April 29, 2026

The QR Code (Quick Response Code) was invented in 1994 by Denso Wave, a Toyota subsidiary, to track auto parts on the factory floor. Traditional barcodes stored ~20 characters and had to be read at the right angle. QR solved both problems: it stores up to 4,296 alphanumeric characters and can be read from any angle (full 360°).

In 2002 Denso Wave waived royalties (they hold the patent but decided not to charge). That's why QR became a global de facto standard — anyone can generate and read them for free. Result: ~10 billion QRs scanned daily worldwide today.

Anatomy of a QR Code

Look at any QR. You'll see 3 large squares in the corners (top-left, top-right, bottom-left). These are finder patterns — they help the reader locate and orient the QR even if you photographed it tilted.

Near the bottom-right corner there's a smaller square: the alignment pattern. In larger QRs (version 2+), it helps correct perspective distortion.

Between the finders run alternating black/white lines: the timing patterns. They define the QR's "grid" (how many rows and columns it has). The individual modules (each black or white square) carry the actual data.

What fits inside a QR

  • Numeric only (0-9): up to 7,089 digits
  • Alphanumeric (A-Z, 0-9, basic symbols): up to 4,296 characters
  • Bytes (any extended ASCII): up to 2,953 bytes
  • Kanji (Japanese characters): up to 1,817 characters

For context: 4,000 characters is the size of a short book chapter. A LOT fits in a QR. But in practice, larger QRs become dense and harder to read in poor conditions (low light, folded). That's why most real-world QRs carry 50-200 characters — enough for a URL or a PIX/EMV payment payload.

How the reader decodes

The reading process has 5 super-fast steps (it all happens in < 100ms on a phone):

  1. Locate the finder patterns: the algorithm searches for 1:1:3:1:1 ratio patterns (black-white-black-white-black) in any direction.
  2. Compute perspective: using the 3 finders, it applies a geometric transformation to "stretch" the QR into a perfect square even if it was photographed at an angle.
  3. Read the timing patterns: this reveals the QR size (version 1 to 40).
  4. Extract modules: it scans each square, decides whether it's 0 (light) or 1 (dark), and forms a bit sequence.
  5. Decode: it applies the Reed-Solomon algorithm (error correction) to recover data even if up to 30% of modules are damaged.

The most common payload types

URL

The simplest and most common. The QR contains just the URL string (https://...). When the reader decodes it, the OS or app asks "open this URL?" and the user decides.

WiFi

Google standard format: WIFI:T:WPA;S:MyWifi;P:password123;;. The reader recognizes the WIFI: prefix and offers "connect to this network". Useful at hotels, cafes, friends' houses — no need to type long passwords.

vCard (contact)

BEGIN:VCARD ... END:VCARD format with FN (name), TEL, EMAIL, ORG fields, etc. The reader offers "save this contact". Modern business cards use this.

Payment (PIX, UPI, EMV)

Each country/region has its standard. PIX in Brazil, UPI in India, EMV-MPM globally. All follow the same TLV (Tag-Length-Value) format with fields for recipient key, amount, description. The bank app recognizes it and opens the payment flow.

Plain text

When the content has no recognized prefix, it's shown as text. Useful for short messages, instructions, coupon codes, or internal system IDs.

Privacy: can a QR track you?

On its own, NO. A QR is just a string. It doesn't send pings, has no JavaScript, stores no cookies. When you read a QR, NOTHING is sent anywhere until you click/act.

The privacy risk comes from the QR's CONTENT. If the QR points to a URL with tracking parameters (UTM, unique ID), the server knows you opened it. But that's normal URL tracking — not the QR doing anything special.
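As an added example (not code from this page or from any particular reader app), the Python below sorts a decoded string into the payload types listed above and, for a URL, reports the real host and any tracking parameters before anything is opened. The backslash escaping in WIFI: payloads, the "000201" opening of an EMV-style TLV payload and the utm_ prefix check are assumptions made for the example; every sample string is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def parse_wifi(text):
    """Split WIFI:T:..;S:..;P:..;; into fields. Assumes a backslash escapes ; : , and itself."""
    fields = {}
    for part in re.findall(r'((?:\\.|[^;\\])+);', text[5:]):
        key, _, value = part.partition(":")
        fields[key] = re.sub(r'\\(.)', r'\1', value)  # drop the escape backslashes
    return fields

def parse_tlv(text):
    """Walk 2-digit tag, 2-digit length, value triples; None if malformed."""
    out, i = {}, 0
    while i < len(text):
        head = text[i:i + 4]
        if len(head) != 4 or not head.isdecimal():
            return None
        length = int(head[2:])
        value = text[i + 4:i + 4 + length]
        if len(value) != length:  # declared length runs past the payload
            return None
        out[head[:2]] = value
        i += 4 + length
    return out

def inspect_url(text):
    """Report what a user should see before opening: scheme, real host, trackers."""
    u = urlsplit(text)
    tracking = [k for k, _ in parse_qsl(u.query) if k.lower().startswith("utm_")]
    return {"scheme": u.scheme.lower(), "host": u.hostname, "tracking": tracking}

def classify(payload):
    """Return (kind, details). Nothing is opened, joined or paid here."""
    text = payload.strip()
    if text[:5].upper() == "WIFI:":
        return "wifi", parse_wifi(text)
    if text[:11].upper() == "BEGIN:VCARD":
        return "vcard", None
    if re.match(r'(?i)https?://', text):
        return "url", inspect_url(text)
    if text.startswith("000201") and (tlv := parse_tlv(text)):  # assumed EMV opening
        return "payment", tlv
    return "text", None

if __name__ == "__main__":  # constructed samples, not taken from real codes
    for s in (r"WIFI:T:WPA;S:Cafe\;Guest;P:a\:b;;", "0002019999",
              "https://shop.example@tracker.example/m?utm_source=t7&id=42",
              "0002015303986540510.005909TEST SHOP"):
        print(classify(s))
```

The URL sample puts a look-alike name before the "@"; the reported host is tracker.example, which is why a reader should display the parsed host rather than the start of the string.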

Frequently asked questions

The QR itself can't. It's just text. But the CONTENT can lead to a malicious site (phishing URL) or request a malicious action (install a fake app). The browser, antivirus, and the user (when deciding to click) handle defense.