The latest version of Norton Snap, 2.0.0.71, does not provide a means to stop navigation to a site deemed "safe" by Norton. While I might not mind visiting "www.safesite.org", I may want to prevent visiting "www.safesite.org/sentby/?qr=cleverpolitician". IIRC, earlier versions displayed the results of the scan and allowed me to decide whether to follow the link.
Is there a fix, or is the solution to remove Norton Snap?
Let's say you receive an unsolicited email message, e.g. spam or a phishing expedition, that contains "helpful" links. The sender cannot tell whether or not the message was received by an active email account. Being somewhat curious, you want to visit one of the linked websites. Do you just click on "www.cuddlypuppies.elbonia/id=br549-gu-m4-666" to confirm the validity of your email address, try "www.cuddlypuppies.elbonia/id=br549-gu-m4-999BISCUIT" to throw them off the scent, or visit "www.cuddlypuppies.elbonia" and maintain plausible deniability? Or use <your favorite search engine> to look for additional information?
A QR code can come from anywhere and may include any information. An ad on a bus shelter may include the physical location. A piece of bulk rate mail may contain a unique identification. An item you consider purchasing might link to the manufacturer, but include the store in which it is stocked. Use any of them and you have handed over some information.
Norton Snap doesn't give you a chance to minimize the data that you offer. It's a product from a security company. Seems a bit odd. But then, no one could use something trivial, e.g. your physical location or choice of browser, against you: https://www.washingtonpost.com/posteverything/wp/2014/11/03/if-you-use-a-mac-or-an-android-e-commerce-sites-may-be-charging-you-more/?utm_term=.a343dc1195b0
I have to admit I have no real world experience with QR codes. I was not aware they could contain personal information. Although if you get this code with personal information from some supplier, they already have the information. It is not something else you are being asked for or that is being collected.
The same for tracking information. When the code is read, it opens your browser. The Chrome browser has a do not track option, so that would protect you. The code itself cannot access any location information.
In cases where the QR code just supplies a website it isn't as troublesome. (Granted, there may still be reasons not to visit "www.gobblebandwidth.com" that uses a few GB of LTE data to load the home page.)
My concern is when the QR code contains tracking information that I may wish to decline to supply. Whether it is a receipt that contains an order number, a print advertisement that identifies the publisher, a mail piece that includes my address, ..., the choice to supply the additional data should remain mine.
Maybe I just have an incorrect view of what purchased security software should do in a world of monetized personal data. A configuration option that allows me to select between "if Norton says it's safe, it must be" and "always confirm before browsing" would be a splendid thing.
It seems that the latest update changed how Norton Snap works. As you say, it takes you directly to the site if Norton Safe Web deems the site safe. It seems to me that this should not really create a problem. If you are scanning a code, it seems you would want to look at the associated site, as long as it is safe.
In your example of sub pages of a main web site, which one is referenced by the QR code?