Nordstrom tracking customer movement via smartphones’ WiFi sniffing

“You’ve spent quite some time in the lingerie department, but you haven’t even peeked at our display of Bose® ‘OE2’ Audio Headphones, which were $149.95 but are now ONLY $134.96! Can we talk?”

OK, so that’s not exactly what Nordstrom says it’s planning to do with the information it gleans from tracking customers’ movements throughout their stores.

But it certainly could market that aggressively, now that the department store – purveyor of apparel, shoes, jewelry, and the like – has implemented technology to track how much time you spend in specific departments within 17 stores in the US.

Tara Darrow, a company spokeswoman, told CBS DFW that sensors in the stores are collecting information from customers’ smartphones as those phones automatically scan for WiFi service.

Darrow said that the sensors monitor which departments you visit and for how long, but the sensors don’t actually follow your phone from department to department, and they don’t identify personal information tied to a phone’s owner:

"This is literally measuring a signal. You are not connected to the signal."

Nordstrom plugged in the technology in October but hasn’t yet done anything with the data it’s collected.

It’s referring to that data as “anonymous aggregate reports that give us a better sense of customer foot traffic”.

Nordstrom says it will eventually use these anonymous aggregate reports to enhance the shopping experience by, for example, increasing staffing during high-traffic times, keeping more registers open, or by tweaking a department’s layout.

The store is posting signs to alert customers and to tell them that if they want to opt out they can turn off their phones.

CBS DFW spoke to John Fu, marketing director of Euclid, the company that provides the tracking service. Apparently, while the company provides technology to collect information about us, it’s wary about disclosing information about its clients, citing, ironically enough, privacy concerns.

Fu did tell CBS DFW that Euclid serves a “variety of different kinds of retail stores, ranging from mom & pop stores and coffee shops to large department stores.”

Fu said that Euclid doesn’t collect names, addresses, phone numbers or email.

Well, I guess that’s better than what Google was doing with WiSpy, when its StreetView cars were roaming neighborhoods worldwide, collecting emails, text messages, browsing histories and passwords from unsecured wireless networks.

If anything, this is a clear reminder of how much information our smartphones leak about us.

Smartphones constantly ping for WiFi service if you have WiFi turned on, whether you use it or not, as long as the phone isn’t shut down.

Do they stop pinging once they’re powered down?

That depends, according to Tom Henderson, principal researcher at ExtremeLabs, who tells me that phones that come back on instantly after being shut down haven’t actually been powered off; they’re just in a very-low-power-consumption mode.

A fast start indicates standby mode and a possible periodic location beacon. For that fast-start type of phone, users need to take the battery out if they’re worried about locational privacy.

As Julian Bhardwaj wrote for Sophos last October, leaving WiFi turned on can let your phone leak all sorts of useful things for malicious actors to intercept and act upon.

One example: smartphones often broadcast the names (SSIDs) of your favorite networks for anyone to see.

That’s enough for someone to figure out where you work, where you live or your favorite coffee shop.

Worse still, it could allow an attacker to set up a rogue WiFi network with the same SSID as one of your preferred networks, so as to launch a man-in-the-middle attack and thereby intercept data sent between you and others.

There’s no easy way to disable active wireless scanning on Androids or iPhones, but Bhardwaj did suggest two steps that can help keep your smartphone data safe:

  • Tell your phone to forget networks you no longer use, so as to minimise the amount of data leakage.
  • Configure your phone to automatically turn on/off wireless in certain places using a location-aware smartphone app.
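To make concrete what a scanning phone exposes, and why forgetting unused networks shrinks the leak, here is an added example (not from the original article or from Sophos) that decodes 802.11 probe request frames and lists the network names each sender announced. The frames, MAC address and SSIDs are constructed sample data, and the parser assumes a bare management frame with no radiotap header or trailing checksum.

```python
PROBE_REQUEST_FC = 0x40   # frame control byte: management frame, subtype 4
MGMT_HEADER_LEN = 24      # frame control, duration, 3 addresses, sequence control
SSID_ELEMENT_ID = 0


def build_probe(mac: bytes, ssid: str) -> bytes:
    """Build a constructed probe request (sample data, not a capture)."""
    header = b"\x40\x00" + b"\x00\x00" + b"\xff" * 6 + mac + b"\xff" * 6 + b"\x00\x00"
    name = ssid.encode("utf-8")
    rates = b"\x01\x04\x02\x04\x0b\x16"   # supported-rates element
    return header + bytes([SSID_ELEMENT_ID, len(name)]) + name + rates


def parse_probe_request(frame: bytes) -> dict:
    """Return the fields any nearby receiver can read from one probe request."""
    if len(frame) < MGMT_HEADER_LEN or frame[0] != PROBE_REQUEST_FC:
        raise ValueError("not a probe request")
    source_mac = ":".join(f"{b:02x}" for b in frame[10:16])  # address 2 = sender
    ssid, pos = None, MGMT_HEADER_LEN
    # The body is a run of tagged elements: 1-byte id, 1-byte length, value.
    while pos + 2 <= len(frame):
        elem_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated element")
        if elem_id == SSID_ELEMENT_ID and ssid is None:
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + length
    return {"source_mac": source_mac, "ssid": ssid}


def leaked_networks(frames) -> dict:
    """Map each sender MAC to the saved-network names it announced."""
    seen = {}
    for frame in frames:
        info = parse_probe_request(frame)
        names = seen.setdefault(info["source_mac"], set())
        if info["ssid"]:            # empty SSID = wildcard scan, names nothing
            names.add(info["ssid"])
    return seen


PHONE = bytes.fromhex("020000000001")   # constructed MAC address
SAMPLE_FRAMES = [build_probe(PHONE, s)
                 for s in ("", "ExampleCorp-Staff", "Home-Network-42")]

if __name__ == "__main__":
    for mac, names in leaked_networks(SAMPLE_FRAMES).items():
        print(mac, sorted(names))
```

The frame carries a hardware address and, for directed probes, a network name, but no owner name, phone number or email; each saved network the phone forgets is one fewer name in that set.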

In the meantime, if you like to shop at Nordstrom but don’t like the idea of location tracking, turn your phone off, and take the battery out if it’s a fast-start phone, before you head into one of the stores that are equipped with these sensors.
