Sophos Cloud Optix
In May 2013, retailer Nordstrom said that yes, it was sniffing customers’ WiFi to track their movement through 17 US stores.
Nordstrom was collecting anonymised, aggregate information, a spokeswoman said at the time, and wasn’t identifying personal information tied to a phone’s owner.
Therefore, Nordstrom said, it wasn’t using the WiFi data to market specific products at specific individuals.
Tracking customers and not using the data to target marketing and advertising might sound innocuous, but there are those who question the privacy ramifications as the technology begins to proliferate.
As the Wall Street Journal reports, location analytics companies are now creating portraits of some 2 million people’s habits as they go about their daily lives, traveling from yoga studios to bars to sports stadiums to nightclubs and everywhere else in between.
The WSJ says that one of those analytics companies, Turnstyle Solutions, is at the forefront of the trend.
The company’s about a year old. One of the uses of its location-tracking technology has been to place sensors at some 200 businesses in downtown Toronto, to track shoppers as they move around the city.
One of Turnstyle’s customers is Fan Zhang, owner of the Asian restaurant Happy Child in downtown Toronto. He told the WSJ that he knows that 170 of his customers went to nightclubs in November, 250 went to gyms, and 216 came from the upscale neighborhood of Yorkville.
What has he done with that information? He ordered in workout tank-tops with his restaurant’s logo, catering to his customers’ tracked gym visits.
Turnstyle’s not the only one doing this, of course.
Verizon Wireless, for its part, last year began to run location analytics on its own rich store of data to help retailers see information such as what neighborhoods their clients arrived from or what restaurants they drove past to get there, the WSJ reports.
The weekly reports Turnstyle sends to clients rely on anonymised, aggregate numbers, though the company does collect names, ages, genders and social media profiles of some people who log in with Facebook to a free WiFi service it runs at some restaurants and coffee shops.
It’s becoming increasingly common for data firms to collect information about shoppers based on cellphone location and how they use their phones while in stores or other businesses – information they could use to better target their marketing and advertising.
This is yet another reminder of how much information our smartphones leak about us.
Smartphones with WiFi turned on regularly broadcast their MAC address (a more-or-less unique device ID) as they search for WiFi networks to join. That address acts like a unique cookie that can be used to identify an individual over repeated visits. In an area with a few detectors in place it can also be used to determine a device’s location.
The only way to stop a phone broadcasting its MAC address is to turn off WiFi and only use it when you need it.
Privacy advocates are concerned about this tracking being done without consumers’ permission.
For its part, the City of London in August told a trashbin company to stop its practice of collecting MAC addresses broadcast by the phones of passersby.
The company, Renew, had rigged the bins with gadgets to sniff passing mobile phones, and was selling advertising space on the the internet-connected bins.
The collection of anonymous data through MAC addresses is legal in the UK, though it exists in a grey area.
That’s because the UK and the EU have strict laws about mining personal data using cookies – small bits of data sent from a website that can be used to uniquely identify people and then monitor their behaviour across different websites.
Under UK and EU law, companies that want to use cookies to track us in the virtual world must gain our consent to do so.
However, no such consent is required by UK and EU law to track us in the real world using our devices’ MAC addresses.
As far as the US goes, privacy groups, along with New York’s US Senator Charles Schumer and a number of location analytics companies, in October unveiled a new code of conduct so that shoppers will clearly know when they’re being tracked through their phones in stores and will receive instructions for opting out, according to TechCrunch.
Some don’t like the notion of being tracked even if the data is anonymised. As AOL and others have shown, making data truly anonymous is hard and leaked data that isn’t quite anonymous enough cannot be un-leaked.
But Schumer’s code of conduct isn’t going that far. As far as the Schumer code is concerned, data collection without opt-in can continue if it’s not tied to specific users.
It’s the targeted data collection that should be opt-in, the Schumer code stipulates.
Turnstyle and other location analytics companies are OK with this approach.
But as TechCrunch points out, there was a notable absence among the groups who came with Schumer to sign on to the code: namely, the retailers who would use targeted data for marketing purposes.
Until all the parties involved sign on to a code that requires an opt-in model for targeted marketing, our choices are either to turn off our mobile phone’s WiFi when we step foot in or drive by a retailer, or brace ourselves for a future of some eerily well-informed advertisements.
Images of smartphone and WiFi courtesy of Shutterstock.
How long until you can get an app to spoof a false MAC address and mess with these systems? If we can render this data truly unreliable, its value will drop and with a bit of luck it will not be worth collecting.
If there was such an app, would you (the user) trust it?
Depends on the device. If you don’t have root access to the network software it’s hard to change the MAC.
If you do have root access, (e.g. a laptop, rooted Android) it’s easy. Trivial, really. There are loads of software tools to let you do it.
Incidentally, the ease of changing your MAC is why using MAC addresses on your Wi-Fi router for “security” is insecure – a crook can monitor (automatically) what MAC addresses you’re using, and clone one of them (automatically). You can see me do it by hand to prove the point in this video:
http://nakedsecurity.sophos.com/2013/05/22/busting-wireless-security-myths-video/
Same holds true for all WiFi connections, so using MAC filtering is no less a securioty or safety measure as using any currently available ‘security’ system.
People who use MAC address filtering in a private network, rather than a public or business environment are making it one step more for the nefarious to get past – small step but prevents the casual connection. The intentionally nefarious will always find ways past/round security measures eventually but they are generally not very interested in private home systems.
The app is called “Turn off Wi-Fi”.
I just think it’s so hypocritical of people to feint indignation at the NSA for (among other things) surreptitiously tracking cell phones, but when a retailer does it to boost sales and profit… mmm it’s OK, no worries.
I couldn’t care about the NSA either. If people really think they’re sooo important that the NSA are tracking their individual movements and correspodence then they’re suffering from delusions of grandeur. Can you imagine how boring most of our correspondence must be? So, the NSA are reading about Tommy the tabby who needs more cat food? Or what a couple are having for dinner tonight.
They can read my messages, I don’t care. I find it amusing.
The implication is that a connected device no longer broadcasts it MAC address. I think that’s not so (i.e. MACs can still be sniffed from traffic).
Isn’t is true for Bluetooth connections? (But unrelated to the broadcast-your-home-router-and-maybe-location bug/feature of WiFi)
What they have in common is very bad (old) protocols. Why aren’t discardable GUID used? I’m holding hope for the Open Wireless movement.
“Therefore, Nordstrom said, it wasn’t using the WiFi data to market specific products at specific individuals.”
So why track them at all?
to track shopping trends — knowing immediately when things start to shift helps plan the next advertising campaign and change what’s stocked at local stores. It can also help with store expansion decisions.
“So why track them at all?”
Because if you know that a group of customers go from store A to R to F and another group go from A to R but not F you may be able to get them to make the third stop.
Another group of customers may not do a certain type of shopping in your mall at all, what changes can be made to encourage them to do so.
Same reason most stores will try and increase the customers minimum path to do their weeks shopping, which helps as thye pass loads of stuff they didn’t want to buy but may end up buying as a result. That has been done for decades by looking at receipt, now mall owners and oters can look at customers calling points and try to increase the number of these as well as the ttime spent in the mall.
Isn’t this tracking being done within the Cell Phone network as well?
But that tracking is the cell phone network companies internal to their system gathering…whereas this WiFi tracking can be done by anyone.
“So why track them at all? ” Very good question, give the student a thumbs up!
A customers physical movement through the store is valuable information. This includes the dwell time in particular areas, and the observed patterns of movements of customers. This is important to assess the effectiveness of visual marketing (store displays) or determine which departments have higher traffic to sales ratios. Appropriate wireless network design accommodates the collection of this information. Typical wireless network designs are not so good for with this type of usage; “typical” wireless designs are based on providing coverage for actual wireless connections. Data collection wireless designs use MUCH smaller coverage areas, or “cells”, and a higher number of access points to sniff. Detailed analysis of the movement is then possible.
Turn off the Wifi and save battery power and energy – cheaper too! They ‘they’ can’t follow you around. Only turn WiFi on at known secure locations, such as at home.
It is also trivial to associate the Wifi MAC address with a particular shopper. This is performed by placing a very short range access point directly at the checkout, perhaps under the counter. When the access point picks up that MAC, it can be temporarily associated to a card purchase. After about three or four instances, the association can become definite. This eliminates the possibility of associating a MAC with the card of a shopper in front, or behind the customer in line. This is especially useful on “in store” credit accounts or “club/membership” cards. Not useful for cash sale customers, but those are the minority by a wide margin.
When will people learn? Walking around with a smartphone is like walking in a crowd of who knows how many people, all of them watching you like a hawk and taking notes. I’m sticking with my TrakFone flip phone sans GPS and Wi-Fi and I only turn it on when I need it. A Blackphone might be in my future if it lives up to it’s claims. I’m tired of being under the microscope of people I don’t trust.