Imagine you're in a store and you sense someone following you. That person is watching your every move and taking notes on how often you come shopping, which sections of the store you visit more, and how long you stay.
Sounds creepy, doesn't it? Some of us might even feel threatened enough in that situation to contact store security. The problem is, the store itself is the one tracking your every move. These stores don't have actual people following shoppers around, but instead rely on technology that the shoppers themselves carry into the store.
Your smartphone has a unique identifier code -- a MAC (media access control) address -- for Wi-Fi and Bluetooth. This address is linked to a specific phone, and when your smartphone is turned on it sends out signals with that MAC address as it searches for Wi-Fi or Bluetooth. Those signals can also be captured by sensors in stores that track shoppers' movements.
Companies that provide "mobile location analytics" to retailers, grocery stores, airports, and others say they capture the MAC addresses of shoppers' phones but then scramble them into different sets of numbers and letters to conceal the original addresses -- a process called hashing. Mall managers could learn which stores are popular and which ones aren't. A retailer could learn how long the lines are at a certain cash register, how long people have to wait -- or whether more people visit on "sale" days at a store.
Sounds like a great tool for retailers, but what about consumers?
The companies collecting the information say it's anonymous, can't be traced to a specific person and no one should worry about invasion of privacy, according to an Associated Press story. But consumer advocates aren't convinced. It's spying, they say, and shoppers should be informed their phones are being observed and then be able to choose whether to allow it.
Privacy advocates argue that the scrambled or "hashed" MAC addresses aren't completely secure. They can be cracked, Seth Schoen, senior staff technologist at the Electronic Frontier Foundation, told the AP. And that could reveal data that people may not want to share. While not necessarily worried about foot traffic at a mall, Schoen raised concerns about down-the-road scenarios, like apps that could track where a person goes, whom that person is with -- possibly the kind of information a divorce lawyer or law enforcement might seek.
Retail tracking is a relatively new technology. Nordstrom tried a small pilot test in 17 of its more than 250 stores in September 2012, AP reports. The company posted signs at doors telling shoppers they could opt out by turning off their Wi-Fi. Nordstrom ended the trial in May 2013 after some customers complained, saying they felt uncomfortable.
In some cases, though, consumers may not even be aware that the store they're visiting is using tracking technologies. The Future of Privacy Forum, a Washington, D.C., think tank, estimates that 1,000 retailers, from tiny boutiques to Macy's, have outfitted their aisles with sensors, the Wall Street Journal reports.
The Future of Privacy Forum and the Wireless Registry, a company building a list of wireless names and identifiers, have launched a new website to help consumers who don't want companies to follow their movements. The site, www.smartstoreprivacy.org, went live Tuesday.
Consumers who visit the site can plug in their MAC address, which signals to participating companies that a device owner doesn't want their phone to be tracked. Eleven location analytics companies have so far agreed to take part in the program. The companies will begin processing opt-outs within 30 days, and have agreed to delete the MAC addresses of users whose information had already been collected.
That's a great start, but unfortunately participation by these location analytics companies is optional at this point. Likewise, the Federal Trade Commission recommended recently that companies involved in mobile phone tracking give consumers "timely, easy-to-understand disclosures about what data they collect and how the data is used," but the companies aren't legally required to do so.
More needs to be done to protect Americans' privacy -- whether it's from a retailer tracking shoppers' movements or from a government agency monitoring millions of phone and Internet records. As this technology has proliferated in recent years, laws to protect privacy and other technologies to block such intrusions have been slow to keep up.
The FTC is only just now holding a series of privacy seminars looking at emerging technologies and the impact on consumers. Also, some members of Congress are working on introducing legislation to address the use of location data as well as the National Security Agency's phone and Internet spying.
We suppose it's better late than never.