Is your smartphone broadcasting your movements when you shop?

Red radar screen

RadarNext time you’re in a public place, have a good look around you and see if you’re being followed.

You (probably) won’t see anyone actually tailing you, but if you have your smartphone with you it’s possible that your movements are being keenly observed.

A couple of months ago we reported on the sinister and faintly Dr Whoish tale of London’s spying rubbish bins. These uncannily observant, space-age trash cans were part of a trial by advertisers that monitored peoples’ movements by tracking the unique IDs of their mobile phones.

All WiFi-capable devices broadcast a unique ID, a Media Access Control (MAC) address, when they’re looking for networks (and so long as WiFi is enabled they are always looking for networks).

Which means that if you walk around carrying a smartphone with WiFi enabled then you are broadcasting your own unique radio beacon and it’s easy to track your movements.

MAC address tracking, also known as Mobile Location Analytics (MLA), is of serious interest to companies trying to sell you things.

MLA in the wild

It’s early days but according to the Washington Post there are as many as 40 MLA companies in the USA, some with sizable venture capital funding, and they’re already logging thousands of customer interactions every day on behalf of retailers.

And it’s going on in the UK too. After we published the spying bins story our editor mentioned in passing that The Oracle, a large but not especially remarkable shopping mall in the UK town of Reading, had signs saying it was tracking customers’ mobile phones.

A few days later she took a photo of one of the mall’s signs.

Photo of the MLS message at the Oracle Shopping Centre, Reading, UKThe text reads:

To provide a better shopping experience for our customers we anonymously survey the movement of mobile phones to help show us how the centre is used.

No personal data is recorded at any time.

The Oracle, like the London bins, is apparently only surveying anonymous data. However turning e4:ce:8f:1f:f7:ba into Mark Stockley by cross referencing existing personal data would be trivial in a retail environment.

Some retailers already use purchase data from store cards to produce detailed personal profiles and highly targeted, personal advertising.

Their pockets are deep and their appetite for knowing all about you is well established so if retailers aren’t already combining MLA data with the personal information they have on you it’s just a matter of time – the analytics industry certainly thinks so.

MLA code of conduct

On October 22 a group of the leading MLA companies announced they had agreed an industry code of conduct. The code, which may be an attempt to head off more draconian FTC regulation, is light on detail but it sets out a number of important principles:

  1. Users of MLA technology will have to provide clear signage, with an industry standard symbol, in a conspicuous location.
  2. Data will be de-identified and de-personalised unless a consumer has provided affirmative consent.
  3. Affirmative consent is required for:
    • linking personal information to a MAC address.
    • contacting a consumer based on MLA data.
  4. Users will be able to opt-out of MLA by adding their MAC addresses to a central registry of devices that shouldn’t be tracked.

The MLA industry should be congratulated for proactive self-regulation like this and for avoiding the quagmire that has engulfed the Tracking Protection Working Group tasked with drafting similar Do Not Track rules for the web.

Particularly noteworthy is their approach to combining MLA data with personal information; it will require consumers to explicitly opt-in.

Unfortunately when it comes to basic, anonymous, tracking the code says you’re fair game until you opt out.

Using your phone’s MAC address broadcasting to track your movements is a serious subversion of the purpose of that broadcast. Even if it shortens the waiting time at your favourite store, it should, in my opinion, require your permission rather than your forgiveness.

We should also be very cautious when it comes to claims of data anonymisation. As AOL famously demonstrated, anonymous data can turn out to be a lot less anonymous than you think.

Luckily there is an easy way for smartphone users to defeat the anonymous tracking; simply turn off WiFi and Bluetooth on your mobile phone.

Please tell us what you think about this in our comments below. I’m very curious to know if any of you have encountered this kind of tracking already or if there are MLA signs in public places you visit. If you see one and you have a camera handy take a photo and share it with us on Twitter.

Finally, since it’s National Cyber Security Awareness Month and you’re reading about smartphones why not take a few minutes to check that you’re following our 10 tips for securing your smartphone too.