The ‘spying billboards’ that track you as you walk by

library
crime | hacking | security

Anybody who walks or drives past new tracking billboards with a mobile phone in their pocket can be spied on without their knowledge or consent: a potential invasion of privacy that US Senator Charles E. Schumer wants the US Federal Trace Commission (FTC) to investigate.

Schumer, a Democrat from New York, delivered a briefing in Times Square on Sunday, electronic billboards blinking and scrolling behind him.

From his remarks:

A person’s cell phone should not become a James Bond-like personal tracking device for a corporation to gather information about consumers without their consent.

No one wants to be followed or tracked throughout their day, electronically or otherwise.

These new “spying” billboards raise serious questions about privacy, Schumer said. They should be investigated by the feds, and the companies behind them should be required to offer an opt-out option for consumers who feel that they violate their privacy.

The billboards can be found at roadsides, airports, commuter hubs, and, of course, Times Square – where Schumer gave his briefing. Some are even equipped with small cameras.

This sort of data collection is nothing new, of course.

All WiFi-capable devices broadcast a unique ID – a Media Access Control (MAC) address – when they’re looking for networks (and so long as WiFi is enabled, they’re always looking for networks).

So if you walk around carrying a mobile phone with WiFi turned on, you’re broadcasting your own, unique radio beacon, and it’s easy to track your movements.

And boy, have we seen marketers go to town on all that freely broadcast data.

MAC address tracking, also known as Mobile Location Analytics (MLA), is of serious interest to companies trying to sell us things. As of October 2013, the Washington Post reported that there were at least 40 MLA companies logging thousands of customer interactions every day on behalf of retailers.

Nothing is sacred: MLA companies have even rigged up spying rubbish bins in London, all the better to track MAC addresses of people as they passed by.

It’s common for these companies to say the data they collect is anonymous and aggregated.

But just because data is “anonymized” doesn’t mean it can’t be used to track us. As both AOL and researchers have shown, making data truly anonymous is hard.

And as Naked Security’s Mark Stockley has pointed out, turning a MAC address such as e4:ce:8f:1f:f7:ba into “Mark Stockley” by cross referencing existing personal data would be “trivial” in a retail environment – where stores already stockpile data on us through loyalty programs and data purchased from store cards to deliver highly targeted, personal advertising.

In June 2014, Apple made the news with a simple privacy enhancement that promised to throw a monkey wrench into phones’ promiscuous MAC address broadcasting when it tweaked iOS 8 so that it used randomly generated MAC addresses to mask a phone’s true MAC address.

It wasn’t perfect: Once you decided to connect to a hotspot, iOS 8 would then use your real MAC address. But imperfect as it was, it was quite a gauntlet to throw down in front of data-hungry marketers.

Schumer said that by using the data and analytics, the companies will be able to amass information such as viewers’ average age and gender, and about individuals who view a given billboard in a particular place at a given time.

Schumer urged the FTC to allow consumers to opt-out of the billboard tracking program. But given that people are likely unaware that they’re even being tracked, he also urged the FTC to make companies notify consumers when they do use the tracking technology.