FTC sanctions phone location tracking company for not allowing customer opt-out

Readers of Naked Security might be familiar with how retail businesses are taking advantage of mobile phone technology to track customer movements while they shop.

Now, one of the companies that tracks consumers’ smartphones for its retail clients has received a strong telling off from the Federal Trade Commission (FTC) after failing to inform in-store customers that they could opt out of being tracked.

The company, Nomi Technologies, places sensors in participating stores to collect the Media Access Control (MAC) addresses of smartphones in the vicinity, allowing it to analyse the movements of anyone passing by those sensors.

The MAC address is sent out to nearby routers when a device searches for a Wi-Fi signal (and Wi-Fi enabled devices are always searching for hotspots unless Wi-Fi has been turned off).

And because MAC addresses are unique to each device, your phone’s MAC address can be used to identify you and track your location whenever you pass a Wi-Fi hotspot.

According to the complaint from the FTC, Nomi misled consumers over their ability to opt out of tracking in-store – because they were never informed that they were being tracked at all.

Consumers who did not opt out on Nomi's website and instead wanted to make the opt-out decision at retail locations were unable to do so, despite the explicit promise in Nomi's privacy policies. Consumers were not provided any means to opt out at retail locations and were unaware that the service was even being used.

The MAC addresses collected by Nomi were cryptographically hashed, but that still allowed the company to recognise each smartphone when it showed up again in an area it was monitoring.

According to the FTC, Nomi’s “Listen” service for retailers provided them with information about a total of 9 million mobile devices in the first nine months of 2013.

The FTC claims Nomi also acquired information besides the MAC address hash, allowing it to gauge the shopping habits associated with each phone, including how many customers passed by stores without entering them, how long people remained in-store and how many times they had entered tracking-enabled stores within a particular time frame.
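The following is an added example, not code from the original article or from Nomi. It shows why a hashed MAC address still lets a device be recognised on a later visit, and contrasts that with one possible mitigation, a per-day HMAC key that is discarded at the end of the day. The use of SHA-256, the key rotation scheme, the function names and the sample sightings are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample sightings (date, sensor, MAC); not real data.
SIGHTINGS = [
    ("2013-03-01", "store-A", "02:00:00:aa:bb:01"),
    ("2013-03-01", "store-A", "02:00:00:aa:bb:02"),
    ("2013-03-02", "store-B", "02:00:00:aa:bb:01"),
    ("2013-03-05", "store-A", "02:00:00:aa:bb:01"),
    ("2013-03-05", "store-A", "02:00:00:aa:bb:02"),
]

# Assumed mitigation: one random key per day, destroyed when the day ends.
DAY_KEYS = {day: secrets.token_bytes(32) for day, _, _ in SIGHTINGS}

def plain_hash(mac, day):
    """Unkeyed SHA-256 (assumed): the same MAC yields the same token every day."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()

def rotating_hash(mac, day):
    """HMAC-SHA-256 under that day's key: tokens from different days differ."""
    return hmac.new(DAY_KEYS[day], mac.lower().encode(), hashlib.sha256).hexdigest()

def repeat_visitors(sightings, tokenise):
    """Count tokens observed on more than one day (cross-visit linkage)."""
    days_seen = defaultdict(set)
    for day, _sensor, mac in sightings:
        days_seen[tokenise(mac, day)].add(day)
    return sum(1 for days in days_seen.values() if len(days) > 1)

def daily_unique_devices(sightings, tokenise):
    """Per-day footfall, which needs no identifier that outlives the day."""
    per_day = defaultdict(set)
    for day, _sensor, mac in sightings:
        per_day[day].add(tokenise(mac, day))
    return {day: len(tokens) for day, tokens in sorted(per_day.items())}

if __name__ == "__main__":
    for name, fn in (("plain hash", plain_hash), ("rotating key", rotating_hash)):
        print(name, repeat_visitors(SIGHTINGS, fn), daily_unique_devices(SIGHTINGS, fn))
```

With the plain hash both sample devices are linked across days, while the rotating key keeps the daily counts identical and removes the cross-day link.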

The FTC said the data was shared with Nomi’s 45 unnamed clients, although the Commission recognised that Nomi was not passing on information on an individualised basis.

With the proliferation of mobile tracking devices in all manner of locations from retail stores to rubbish bins, the settlement between the FTC and Nomi could signal further interest in the way so-called marketing location analytics firms track their own customers and the population at large.

Nomi said it was satisfied with its agreement with the FTC, telling Ars Technica:

We are pleased to reach this agreement. We continually review our privacy policies to ensure that they follow best practices and had already made the recommended changes in pursuit of that goal by updating our privacy policy over a year and a half ago, while we were still an early-stage startup that was less than a year old.

Under the terms of the settlement, Nomi must not misrepresent the extent to which consumers will be notified about the tracking, and it must give clear information about consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices.

Wi-Fi security tips

If you don’t want to be tracked where you shop, opt out of such schemes where possible or, better yet, disable Wi-Fi and Bluetooth on your smartphone whenever you aren’t using them.

You should also turn off the setting that remembers Wi-Fi networks and connects you to them automatically – if you automatically connect to networks you could leave yourself vulnerable to Wi-Fi sniffers, including marketing firms but also spies or criminals.

You can learn more about MAC addresses, and how they can be used to track you, in the short video below, “Busting Wireless Security Myths.”

Image of phone courtesy of Shutterstock.