[jabbany]

That still implies that you are actively "using" the messaging application. Just because it is listening to messages in this case doesn't mean it's inactive, you still expect it to push stuff to you.

However in the case of the QR code, just because you "have" the QR code on your disk, doesn't imply you have an intent to visit a link it. That would be like if you had a .txt file with a string that looked like a URL inside and somehow the system while indexing the body also somehow visits the supposed URL despite it not even being a real link.

Like imagine you download a restaurant menu to check out the food and they provided it as an image (pretty standard). As a part of that image is a QR code to their Facebook page (also usually benign). In this case, let's say you are uninterested in sharing your (or specifically your IP's) interest in that restaurant with Facebook, this feature as described would share the info for you without consent.

[jdminhbg]

> Like imagine you download a restaurant menu to check out the food and they provided it as an image (pretty standard). As a part of that image is a QR code to their Facebook page (also usually benign). In this case, let's say you are uninterested in sharing your (or specifically your IP's) interest in that restaurant with Facebook, this feature as described would share the info for you without consent.

This isn't any different from someone sending me a link to the menu at their website and them seeing my IP hit the preview there, so I'm not sure why I would care either way; if anything, downloading the menu is more intent on my part than being sent it by someone (who I may or may not even know).

[jabbany]

No. In this example your IP is shared with a third party "Facebook" simply because of the embedded QR code to a social page hosted by them. This is something very different from, say, the website of the restaurant you downloaded the menu from knowing your IP.

The privacy implication is very different. If you enable link previews in a messaging app, you consented to any potential site getting your IP. If the restaurant adds a tracker on their page, they've consented to the 3rd party tracking from their end. But with the QR auto-loaded by the OS, neither you nor the first part have explicitly consented to the additional information being shared. There is strictly more information being shared.

> This isn't any different from someone sending me a link to the menu at their website and them seeing my IP hit the preview there

Again this is an inaccurate comparison. The closer analogy would be someone sending a link to a website and somehow your IP is exposed not only to the website that was shared, but also to every other website that the shared website links to.