
I am aware of several ways QR code generators could pass "hidden" information "around" the QR spec. For example, if you can use the masking in a spec to ignore an area where you plan to put a logo, then you could just as easily put information there.

However, in any of these schemas, the "hidden" information would only be useful to someone who knows how to read "around" the spec too. For example, humans recognize logos as a visual language that has nothing to do with the QR code spec. But, for the QR code generator to pass info around the spec, something would have to read around the spec, which I'm not really worried about.

I'm more worried about the analog of a cookie or Google Analytics code or something that passes information about me when I use an online generator to create a QR code, but is never shown to me explicitly. For example, if the generator encoded their address and then my QR code reader (say in Chrome on my phone) colluded to pass information back to the code generator about me (or the users of my code) when they scan it, without showing that information to me or the user of my QR code. (Obviously, I could QR encode a link with query parameters in it or something that could be used to gather information, but I would see that when I create the link and my user would see that when they use the link (if they stop to actually inspect it).)

My concern is if there is any allowance in the spec or if there's any known commercial practice between generators and scanners to collude in passing around information they don't show to me or my users.

combinatorist
  • This question is off topic here. You can try security stackexchange – bolov Dec 07 '20 at 22:26
  • I’m voting to close this question because it's about security without any connection to programming problems/issues – bolov Dec 07 '20 at 22:27
  • To answer your question, yes, there's a way to make a QR code that exposes data to certain readers and not to others, such as special byte sequences and intentionally abusing the specification. As with anything else, don't use something you can't trust. – Matthew Dec 07 '20 at 22:30
  • Most generic QR scanners (e.g. phone camera apps) will show the URL before opening it. The QR could of course contain other data that is readable by some custom app, but that doesn't represent a threat to a generic reader – if they can fool you into running some other app, it's not the QR that's the problem. – Synchro Dec 07 '20 at 23:04
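
Added example (not from the question or its comments) of the concrete check the question is asking for. ISO/IEC 18004 fixes what follows the encoded segments in a symbol's data codewords: a terminator (0000), zero fill to the next byte boundary, then the pad codewords 0xEC and 0x11 used alternately. A standard reader stops decoding at the terminator, so a generator and a colluding scanner could park an identifier in the pad region and no ordinary reader would ever display it. The script below decodes the visible text the way a normal reader does, then reports any tail that is not canonical padding. It assumes you already have the de-interleaved, error-corrected data codewords (from a decoder library or your own sampler); the symbol size (version 1, level L, 19 data codewords), the URL and the two-byte tag are constructed for the demonstration and are not from any real generator.

```python
"""Audit a small QR symbol's data codewords for content a standard reader never shows.

Assumptions (not from the original post): input is the raw, error-corrected data
codewords; only versions 1-9 and numeric/alphanumeric/byte modes are handled.
"""

MODE_TERMINATOR, MODE_NUMERIC, MODE_ALNUM, MODE_BYTE = 0b0000, 0b0001, 0b0010, 0b0100
COUNT_BITS_V1_9 = {MODE_NUMERIC: 10, MODE_ALNUM: 9, MODE_BYTE: 8}  # char-count width, v1-9
ALNUM_TABLE = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
PAD_CODEWORDS = (0xEC, 0x11)  # ISO/IEC 18004 pad bytes, used alternately, 0xEC first


class BitReader:
    def __init__(self, data: bytes) -> None:
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def remaining(self) -> int:
        return len(self.bits) - self.pos

    def read(self, n: int) -> int:
        if n == 0:
            return 0
        if n > self.remaining():
            raise ValueError("bitstream truncated inside a segment")
        value = int(self.bits[self.pos:self.pos + n], 2)
        self.pos += n
        return value


def decode_visible(reader: BitReader, version: int = 1) -> str:
    """Decode like a standard reader: stop at the terminator or when <4 bits remain."""
    if not 1 <= version <= 9:
        raise NotImplementedError("example handles versions 1-9 only")
    text = []
    while reader.remaining() >= 4:
        mode = reader.read(4)
        if mode == MODE_TERMINATOR:
            break
        if mode not in COUNT_BITS_V1_9:
            raise ValueError(f"mode {mode:04b} not handled in this example")
        count = reader.read(COUNT_BITS_V1_9[mode])
        if mode == MODE_BYTE:
            text.append(bytes(reader.read(8) for _ in range(count)).decode("latin-1"))
        elif mode == MODE_ALNUM:  # pairs in 11 bits, a final single char in 6
            while count >= 2:
                v = reader.read(11)
                text.append(ALNUM_TABLE[v // 45] + ALNUM_TABLE[v % 45])
                count -= 2
            if count:
                text.append(ALNUM_TABLE[reader.read(6)])
        else:  # numeric: 3 digits in 10 bits, 2 in 7, 1 in 4
            while count >= 3:
                text.append(f"{reader.read(10):03d}")
                count -= 3
            if count == 2:
                text.append(f"{reader.read(7):02d}")
            elif count == 1:
                text.append(str(reader.read(4)))
    return "".join(text)


def audit(data_codewords: bytes, version: int = 1) -> dict:
    """Return the visible text plus whatever follows the terminator.

    Per the spec the tail must be 0xEC, 0x11, 0xEC, ...; anything else is data a
    custom scanner could read while every normal reader shows only `visible`.
    """
    reader = BitReader(data_codewords)
    visible = decode_visible(reader, version)
    fill = reader.read(-reader.pos % 8)  # bits up to the byte boundary must be zero
    tail = data_codewords[reader.pos // 8:]
    expected = bytes(PAD_CODEWORDS[i % 2] for i in range(len(tail)))
    return {
        "visible": visible,
        "fill_bits_zero": fill == 0,
        "tail": tail,
        "covert_bytes": tail if tail != expected else b"",
    }


def encode_byte_mode(payload: bytes, data_codewords: int) -> bytes:
    """Canonical byte-mode stream: mode, count, data, terminator, zero fill, pads."""
    bits = f"{MODE_BYTE:04b}{len(payload):08b}" + "".join(f"{b:08b}" for b in payload)
    capacity = data_codewords * 8
    if len(bits) > capacity:
        raise ValueError("payload does not fit in this symbol")
    bits += "0" * min(4, capacity - len(bits))  # terminator, shortened if space is tight
    bits += "0" * (-len(bits) % 8)              # fill to byte boundary
    out = bytearray(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    while len(out) < data_codewords:
        out.append(PAD_CODEWORDS[(len(out) - len(bits) // 8) % 2])
    return bytes(out)


VERSION1_L_DATA_CODEWORDS = 19  # version 1, error correction level L

# Constructed sample: a short URL a generator might emit, encoded canonically.
CLEAN = encode_byte_mode(b"https://ex.io/a", VERSION1_L_DATA_CODEWORDS)
# Same symbol with its two pad codewords replaced by a tag only a colluding
# scanner would look for (constructed for the demo). Standard readers still show the URL.
TAGGED = CLEAN[:-2] + b"ID"

if __name__ == "__main__":
    for name, codewords in (("clean", CLEAN), ("tagged", TAGGED)):
        print(name, audit(codewords))
```

Run it and both symbols decode to the same URL, but only the tagged one reports `covert_bytes`. The same audit applies to a symbol you scan in the wild, provided your decoder exposes the corrected data codewords rather than only the final string; most consumer apps do not, which is exactly why this region is invisible to users.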

0 Answers