Retailers tracking customers via Wi-Fi suggests that privacy really is dead

Not only does your smartphone track you, it lets others track you -- like retailers in their stores

"Privacy is dead -- get over it," has been a mantra of private investigators for years.

But continuing revelations about how many different ways personal privacy is still disappearing are still enough to unnerve people. It is not just about the trail everybody leaves from the websites they visit, or from security cameras in public places. It is also about smart cars. It is about the cellular towers that serve their smartphones. And it is now also about their friendly brick-and-mortar retailer.

[Location-tracking turns your smartphones into your stalker]

One example of many is clothing retailer Nordstrom, which began tracking shoppers in its stores about a year ago through the Wi-Fi signals from their smartphones.

At least the company was somewhat transparent about it -- it posted a sign telling customers what it was doing. But that generated enough complaints for it to end the program in May.

Of course, Nordstrom is not the only retailer looking to track shoppers in its physical stores. And at one level, they and their defenders argue that this is not a big deal -- that they aren't doing anything more intrusive than those in the online world who track the activities of shoppers and then try to pitch them ads that will be more "relevant." They're just catching up.

They could argue that it is less intrusive than plenty of other data collection, from social networking sites like Facebook to government, in the form of the National Security Agency (NSA). Stillman Bradish, co-founder of The Wireless Registry, a D.C.-based start-up that is reportedly designing ways for consumers to opt out of the tracking, told the Washington Post that, in general, Wi-Fi tracking doesn't collect PII (Personally Identifiable Information).

And, as plenty of privacy experts have pointed out, the "new normal" today is for people to spill every detail of their lives online, including where they shopped and what they bought.

Veteran private investigator Steven Rambam has been telling audiences for years that the logical result of all that voluntary sharing is that, "Privacy is dead, and you guys murdered it."

At one point in a presentation to The Next HOPE (Hackers On Planet Earth) conference three years ago, Rambam asked how many had Facebook pages. Every hand went up. Then he asked those who had read Facebook's Terms of Service to keep their hands up. Every hand went down.

[Chomsky, Gellman talk Big Data at MIT conference]

He was even more critical of users of social networks like Swipely, designed for friends to share their purchase history. "Why would you put your shopping history on (things like that)?" he said. "You deserve every bit of screwing that you get."

Still, consumers have a sense -- logical or not -- that they have some control over the voluntary sharing they do, while they have little or none over a retailer tracking their movements in a store.

The tracking is possible because of the MAC (Media Access Control) address that all Wi-Fi or Bluetooth-enabled devices have -- a unique, 12-digit code to help routers send data to the right recipient. When a Wi-Fi card is on, looking for networks to join, it is detectable by local routers, such as those in a retail establishment.

Through that, the company can learn how long people stand in line at a cash register, what aisles they visit and for how long, what promotions are more effective, who visits their stores more than once, what spot in the store draws the most people and much more.

This information is logged and uploaded to third-party companies that conduct data analytics. According to Jules Polonetsky, executive director of the Washington, D.C.-based think tank Future of Privacy Forum (FPF), nine firms have most of the market for analyzing tracking data, but there are 40 or more in the field.

[The autonomous, hackable car]

The obvious goal of all this is, on its face, rather benign. "They want to sell you stuff," said Rambam. But privacy advocates say it can and does go well beyond that.

"This tracking is happening generally without people knowing, and it doesn't even leave cookies or make connections that you can monitor," said Parker Higgins, an activist with the Electronic Frontier Foundation (EFF).

"It also ignores that different norms govern what's reasonable in different environments. Your doctor can ask questions that would seem much more invasive asked by your mechanic," he said.

They also contend it is not as benign as simply providing consumers with more relevant ads. "Threats to our privacy aren't isolated -- they work together," Higgins said. "A tracking device that catches you walking regularly past the door of a store next to a medical clinic may reveal a lot more than intended."

Rebecca Herold, CEO of The Privacy Professor, said that kind of tracking, especially after it is in the hands of third-party firms, "no doubt will be used by many other entities to prove a person was located at a certain place at a certain time, along with what they were looking at. 'Gee, look! Father O'Malley spent 15 minutes reading Hustler magazine right after church! He's a pervert!'" she said is one possible scenario.

"But, you may be implying something that is not the case in real life," she said. "Big Data analytics will be used to reveal a huge amount of perceived activities by individuals, but it will not always be correct."

Presumably, smartphone users could defeat the tracking simply by disabling the Wi-Fi when they are shopping. But Higgins and Herold both contend that the burden should not be on users. "Privacy conscious users shouldn't have to turn off basic features just to avoid excessive tracking," Higgins said.

And Herold said according to some reports, smartphones may be trackable even when they are turned off.

There are some organized efforts being made to give control over tracking back to mobile device users. The FPF and The Wireless Registry are reportedly working to build what would amount to a "Do Not Call" registry for MAC addresses. It would let device owners visit a web site, enter a MAC address, and be assured that tracking companies that have committed to the project will no longer track them.

But it is not certain how soon that will come into being. While the Post reported on Oct. 22 that the site was, "set to launch within the next few weeks," there is little evidence of that. The Wireless Registry website was, as of this week, nothing more than a page with the name of the company on it. Bradish and co-founder Patrick Parodi could not be reached for comment. A public relations spokeswoman said both were attending a conference.

[Every move you make...]

The FPF also did not respond to multiple requests for comment.

And Chris Calabrese, legislative counsel to the American Civil Liberties Union (ACLU), is dubious about the value of such a registry anyway. He notes that joining the project would be voluntary -- there will be no law requiring that companies refrain from tracking users who sign up. "The danger is that it leads to more tracking rather than keeping you from being tracked," he said.

Another effort is an agreement announced last month between FPF and seven major location analytics companies -- Euclid, iInside, Mexia Interactive, SOLOMO, Radius Networks, Brickstream and Turnstyle Solutions -- to a Code of Conduct that will include, "in-store posted signs that alert shoppers that tracking technology is being used, and instructions for how to opt out."

The standards also limit the use and sharing of the data and how long it is kept. It requires the companies to de-identify the data and says it, "cannot be collected or used in an adverse manner for employment, health care or insurance purposes."

However, noticeably absent from that list of prohibited uses is law enforcement. So the agreement is small comfort to advocates like Higgins. "When a company starts collecting this data, it becomes a very attractive target for law enforcement," he said.

Herold adds that, "historically, new technologies such as this were viewed as privacy-benign -- until something bad happened." She said this is the kind of information that would be very attractive to law enforcement, divorce lawyers and criminals.

"Using the data to improve the retailer environment can be very beneficial. But you cannot ignore all the other possibilities for how that data may be used," she said.

Herold called the Code of Conduct "a good start," but said it is only a start. "We all need to be more aware of ways in which we are giving out our personal data, and limit that significantly," she said, "but we also need to establish information security and privacy standards by which Big Data can be used. There's scarcely anything being done like this now that I'm aware of."

Join the CSO newsletter!

Error: Please check your email address.

Tags NordstromretailNetworkingsecuritywirelessWLANs / Wi-Fiindustry verticalsprivacy

More about EFFElectronic Frontier FoundationFacebookInteractiveMITNational Security AgencyNordstromNSARadius

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place