Retailers’ use of smartphone tracking raises privacy concerns
03/04/2014 12:39 AM
03/04/2014 12:39 AM
Signals emitted by your smartphone leave a digital trail that retailers can follow to find out how long you lingered in front of a sales rack or languished in a checkout line.
A growing number of mobile analytics companies use the Bluetooth and Wi-Fi beacons tucked in smartphones to help retailers monitor customers’ movements in shopping centers, casinos, restaurants, hotels and airports.
Mobile carriers such as Overland Park-based Sprint Corp. and Verizon use location data gleaned from cell towers. They deploy it to send ads for nearby businesses to customers’ phones, for example, or to learn how many subscribers visit a city’s football stadium — and what kinds of apps they use during the game.
On a narrower scale, iInside of Yorba Linda, Calif., boasts on its website that its sensors can pinpoint a customer’s location within a single meter.
Brick-and-mortar retailers hope to use the technology to compete with online rivals by personalizing and streamlining the customer experience. But consumer advocates warn that the mobile tracking trend underscores the need for stronger privacy laws.
Federal regulators are taking a closer look at the practice.
“In many cases, this is basically invisible to consumers,” said Amanda Koulousias, a staff attorney with the Federal Trade Commission, which recently hosted a seminar on mobile tracking in Washington. “So we want to look at whether retailers or the companies they’re using are notifying customers of what’s going on.”
Businesses that collect and sell mobile location data are eager to demonstrate that they’re capable of self-regulation. In a move timed to coincide with an FTC seminar, the Future of Privacy Forum research center in Washington announced the creation of a website (www.smartstoreprivacy.org) that allows consumers to opt out of having their locations mapped by participating companies.
The same group of companies signed a voluntary code of conduct. The firms agreed to collect only “depersonalized” location information unless customers give consent and to alert customers to the use of tracking technologies with data collection signs in stores.
“Market forces prevail, and those retailers and other businesses that violate the trust of their consumers will be punished by the marketplace more than anything else,” said Jim Riesenbach, the chief executive officer of iInside, who was a panelist at the FTC seminar.
Riesenbach said surveillance in stores is nothing new, although mobile technology allows retailers to analyze customer behavior in greater detail than ever before.
“There have been camera systems in stores for many years, not only for surveillance standpoint but also from a traffic-counting standpoint,” he said. “What we’re doing is taking that to a much more granular level.”
Here’s how it works: Riesenbach’s company sets up sensors in clients’ stores. The sensors pick up probes emitted about every 60 seconds from Wi-Fi-enabled smartphones and continuously by Bluetooth-enabled smartphones. The probes include a 12-digit code, known as a MAC address, unique to each phone.
Using a scrambled version of the MAC address, the sensors can monitor how long a customer waited for a cash register, which aisles the customer browsed and how many times that customer returned to a store or visited different stores in the same chain.
The data compiled don’t include personally identifiable information such as users’ names or addresses. In that sense, proponents say, it’s similar to a real-time traffic map that shows cars identified by license plates or vehicle identification numbers but not by drivers.
More retailers are testing the technology. The number of stores that installed iInside’s sensors grew eightfold last year. Riesenbach declined to identify any of his company’s clients, however.
His reticence speaks to the sensitivity of mobile tracking.
“Our clients are basically private about what they are doing,” he said. “They’re worried that things can be taken out of context.”
Sprint also declined to identify clients who use its mobile advertising or analytics programs, which launched in 2012.
The carrier uses only anonymous, aggregated data. It protects subscribers’ privacy by allowing them to opt into personalized mobile advertising or opt out of mobile analytics reports, said spokeswoman Stephanie Walsh. Users are notified of their choices by text message, on bills and via Sprint’s website.
“Before I’m a businessperson, I’m a human, and I care very much about my privacy and how my data is used,” said Evan Conway, vice president of strategy for Pinsight Media+, a Sprint subsidiary that handles mobile media projects for the carrier.
“We are so much more careful than any of the experiences that people are used to online,” Conway said. “If you look at the online world, they’re busy dropping cookies all over your computer, sharing where you’re going with whoever is interested. That’s kind of diametrically opposed to the whole approach that Sprint takes.”
While it’s commendable that some companies limit the ways they use tracking, the barriers to entry are very low and the temptations are great, said Seth Schoen, senior staff technologist for the Electronic Frontier Foundation, a digital civil liberties group.
“You don’t need more sophisticated hardware than a regular laptop,” Schoen said.
There’s very little consumers can do to protect themselves other than disabling Wi-Fi and Bluetooth on their phones or turning them off completely, he said.
The fact that mobile devices are easily trackable is a fundamental security problem, Schoen said.
“Mobile phones were nominally built to enable communications at the user’s request, (but) they’re effectively shouting into the radio spectrum to announce the user’s presence all day long,” he said.
“That state of affairs isn’t what users want, it isn’t something they mostly are aware of and it’s something that needs to be fixed.”