Stores can see where you go by tracking your phone

Retailers say the data is "hashed" to make it anonymous, but privacy advocates aren't so sure
Associated Press
Feb 19, 2014


Should shoppers turn off their smartphones when they hit the mall? Or does having them on lead to better sales or shorter lines at the cash register?

Retailers are using mobile-based technology to track shoppers' movements at some malls and stores. The companies collecting the information say it's anonymous, can't be traced to a specific person and no one should worry about invasion of privacy. But consumer advocates aren't convinced. It's spying, they say, and shoppers should be informed their phones are being observed and then be able choose whether to allow it.

The Federal Trade Commission held a workshop Wednesday on the issue, part of a series of privacy seminars looking at emerging technologies and the impact on consumers. FTC attorney Amanda Koulousias says the commission wants to better understand how companies are using phone-location technology, how robust privacy controls are and whether shoppers are notified in advance.

Here's how the technology works:

—Your smartphone has a unique identifier code — a MAC address — for Wi-Fi and Bluetooth. It's a 12-character string of letters and numbers. Think of it like a Social Security or vehicle identification number, but this address is not linked to personal information, like your name, email address or phone number. The numbers and letters link only to a specific phone.

—When your smartphone is turned on, it sends out signals with that MAC address (for media access control) as it searches for Wi-Fi or Bluetooth. Those signals can also be captured by sensors in stores that could tell a department store how often shoppers visit, how long they stay, whether they spend more time in the shoe department, children's clothing section or sporting goods, or whether they stop for the window display, take a pass and decide to move on.

Companies that provide "mobile location analytics" to retailers, grocery stores, airports, and others say they capture the MAC addresses of shoppers' phones but then scramble them into different sets of numbers and letters to conceal the original addresses — a process called hashing. This is how they make the data they collect anonymous, they say.

The companies then analyze all the information those hashed numbers provide as shoppers move from store to store in a mall, or department to department in a store. Mall managers could learn which stores are popular and which ones aren't. A retailer could learn how long the lines are at a certain cash register, how long people have to wait — or whether more people visit on "sale" days at a store.

"We're in the business of helping brick and mortar retailers compete" with online retailers, said Jim Riesenbach, CEO of California-based iInside, a mobile location analytics company. "The retailers want to do the right thing because they know that if they violate the trust of consumers, there will be a backlash."

Privacy advocates, though, argue that the scrambled or "hashed" MAC addresses aren't completely secure. They can be cracked, says Seth Schoen, senior staff technologist at the Electronic Frontier Foundation.

And that could reveal data that people may not want to share.

"There might be some place that you go that you wouldn't want people to know about," said Schoen. While not necessarily worried about foot traffic at a mall, Schoen raised concerns about down-the-road scenarios, like apps that could track where a person goes, whom that person is with — possibly the kind of information a divorce lawyer or law enforcement might seek.

The retail tracking is a relatively new technology.

Nordstrom tried a small pilot test in 17 of its more than 250 stores in September 2012. The company posted signs at doors telling shoppers they could opt out by turning off their Wi-Fi. Nordstrom ended the trial in May 2013 after some customers complained, saying they felt uncomfortable, spokeswoman Brooke White said.

An AP-GfK poll in January found half of Americans were extremely or very concerned about the ability of retailers to keep their personal information secure.

Older Americans were far more concerned about the safety of that information than younger ones — 59 percent of those age 50 or over said they were extremely or very concerned about it, compared with 46 percent age 30 to 49 and 32 percent of people under age 30.

Some of the major players in the field of mobile location analytics — iInside, Euclid, and Mexia Interactive — have agreed to a "code of conduct" advanced by a Washington-based think tank, Future of Privacy Forum. It calls for "hashing" MAC numbers, notification signs in stores and an opt-out website for consumers to enter their phones' MAC addresses to prevent companies from tracking them. The website .


Stop It

This is nothing new at all. The only way to prevent your phone from being tracked is to remove the battery.


You can't pull the batteries on some cells like the unpopular iPhones & a few others plus who wants to take their phone apart on a regular basis

Stop It

This is true, atroublemaker. There are always ways to get around things though I don't think iPhone is unpopular. I really don't care much about them tracking me. My driver's license, a couple of cards and my mobile devices all have RFID chips in them. There is no escaping this, unless one doesn't ever want to use those items.

Also, simply turning a mobile device off is not enough. Try turning your driver's license off. Not gonna happen.


Escaping the driver's licenses, etc. is easy enough. Get one of those metal wallets made specifically to prevent remote reading. They're helpful where the bad guys with readers are concerned, but they'll work just as well against the supposed good guys.


I do know Home Depot uses a program to track customers while in the store for the purpose of seeing what items they are shopping for.

While we are speaking of technoloy a puzzling question to me is the big box stores such as Meijer, Walmart, Target, etc etc etc. They will have 25-30-35 checkout aisles in the store. Other than Kroger at rush hour none of these other retailers ever use move that 1/3 or so of the checkout EVER...........what do they have that number for????? I have often wondered if its for some state requirement you know so many sq feet you need so many checkouts etc or some federal tax deduct they get etc ....A lot of money for checkouts they never ever use.


Oh, sure, the data is "hashed," and your personal data will be "safe." Sort of like, you know, Amazon has secure servers, and Target kept your credit card data from theft.