Businesses are building shopper profiles based on sniffing phones’ WiFi

library
crime | hacking | security

In May 2013, retailer Nordstrom said that yes, it was sniffing customers’ WiFi to track their movement through 17 US stores.

Nordstrom was collecting anonymised, aggregate information, a spokeswoman said at the time, and wasn’t identifying personal information tied to a phone’s owner.

Therefore, Nordstrom said, it wasn’t using the WiFi data to market specific products at specific individuals.

Tracking customers and not using the data to target marketing and advertising might sound innocuous, but there are those who question the privacy ramifications as the technology begins to proliferate.

As the Wall Street Journal reports, location analytics companies are now creating portraits of some 2 million people’s habits as they go about their daily lives, traveling from yoga studios to bars to sports stadiums to nightclubs and everywhere else in between.

The WSJ says that one of those analytics companies, Turnstyle Solutions, is at the forefront of the trend.

The company’s about a year old. One of the uses of its location-tracking technology has been to place sensors at some 200 businesses in downtown Toronto, to track shoppers as they move around the city.

One of Turnstyle’s customers is Fan Zhang, owner of the Asian restaurant Happy Child in downtown Toronto. He told the WSJ that he knows that 170 of his customers went to nightclubs in November, 250 went to gyms, and 216 came from the upscale neighborhood of Yorkville.

What has he done with that information? He ordered in workout tank-tops with his restaurant’s logo, catering to his customers’ tracked gym visits.

Turnstyle’s not the only one doing this, of course.

Verizon Wireless, for its part, last year began to run location analytics on its own rich store of data to help retailers see information such as what neighborhoods their clients arrived from or what restaurants they drove past to get there, the WSJ reports.

The weekly reports Turnstyle sends to clients rely on anonymised, aggregate numbers, though the company does collect names, ages, genders and social media profiles of some people who log in with Facebook to a free WiFi service it runs at some restaurants and coffee shops.

It’s becoming increasingly common for data firms to collect information about shoppers based on cellphone location and how they use their phones while in stores or other businesses – information they could use to better target their marketing and advertising.

This is yet another reminder of how much information our smartphones leak about us.

Smartphones with WiFi turned on regularly broadcast their MAC address (a more-or-less unique device ID) as they search for WiFi networks to join. That address acts like a unique cookie that can be used to identify an individual over repeated visits. In an area with a few detectors in place it can also be used to determine a device’s location.

The only way to stop a phone broadcasting its MAC address is to turn off WiFi and only use it when you need it.

Privacy advocates are concerned about this tracking being done without consumers’ permission.

For its part, the City of London in August told a trashbin company to stop its practice of collecting MAC addresses broadcast by the phones of passersby.

The company, Renew, had rigged the bins with gadgets to sniff passing mobile phones, and was selling advertising space on the the internet-connected bins.

The collection of anonymous data through MAC addresses is legal in the UK, though it exists in a grey area.

That’s because the UK and the EU have strict laws about mining personal data using cookies – small bits of data sent from a website that can be used to uniquely identify people and then monitor their behaviour across different websites.

Under UK and EU law, companies that want to use cookies to track us in the virtual world must gain our consent to do so.

However, no such consent is required by UK and EU law to track us in the real world using our devices’ MAC addresses.

As far as the US goes, privacy groups, along with New York’s US Senator Charles Schumer and a number of location analytics companies, in October unveiled a new code of conduct so that shoppers will clearly know when they’re being tracked through their phones in stores and will receive instructions for opting out, according to TechCrunch.

Some don’t like the notion of being tracked even if the data is anonymised. As AOL and others have shown, making data truly anonymous is hard and leaked data that isn’t quite anonymous enough cannot be un-leaked.

But Schumer’s code of conduct isn’t going that far. As far as the Schumer code is concerned, data collection without opt-in can continue if it’s not tied to specific users.

It’s the targeted data collection that should be opt-in, the Schumer code stipulates.

Turnstyle and other location analytics companies are OK with this approach.

But as TechCrunch points out, there was a notable absence among the groups who came with Schumer to sign on to the code: namely, the retailers who would use targeted data for marketing purposes.

Until all the parties involved sign on to a code that requires an opt-in model for targeted marketing, our choices are either to turn off our mobile phone’s WiFi when we step foot in or drive by a retailer, or brace ourselves for a future of some eerily well-informed advertisements.