Signals emitted by your smartphone leave a digital trail that retailers can follow to find out how long you lingered in front of a sales rack or languished in a checkout line.
A growing number of mobile analytics companies use the Bluetooth and Wi-Fi beacons broadcast by smartphones to help retailers monitor customers’ movements in shopping centers, casinos, restaurants, hotels and airports.
One such company, iInside of Yorba Linda, Calif., boasts on its website that its sensors can pinpoint a customer’s location within a single meter of floor space.
On a larger scale, mobile carriers such as Sprint, AT&T and Verizon also use location data gleaned from cell towers to send ads for nearby businesses to customers’ phones, for example, or to prepare marketing reports on how many subscribers visit a city’s football stadium – and what kinds of apps they use during the game.
Proponents of the technology say the data gathered helps brick-and-mortar retailers compete with online rivals by personalizing and streamlining the customer experience. But consumer advocates warn that the mobile tracking trend underscores the need for stronger privacy laws. Federal regulators are taking a closer look at the practice.
“Our understanding is that in many cases this is basically invisible to consumers, so we want to look at whether retailers or the companies they’re using are notifying customers of what’s going on,” said Amanda Koulousias, a staff attorney with the Federal Trade Commission, which recently hosted a seminar on mobile tracking in Washington.
Businesses that collect and sell mobile location data are eager to demonstrate that they’re capable of self-regulation. In a move timed to coincide with the FTC’s seminar, the Future of Privacy Forum, a research center in Washington, announced the creation of a website (www.smartstoreprivacy.org) that allows consumers to opt out of having their locations mapped by participating companies, including iInside, the California firm.
The same group of companies signed a voluntary code of conduct, agreeing to collect only “depersonalized” location information unless customers give consent, and to alert customers to the use of tracking technologies by promoting the use of data collection signs in stores.
“At the end of the day I think market forces prevail, and those retailers and other businesses that violate the trust of their consumers will be punished by the marketplace more than anything else,” said Jim Riesenbach, the chief executive officer of iInside, who was a panelist at the FTC seminar.
Riesenbach pointed out in an interview that surveillance in stores is nothing new, although mobile technology allows retailers to analyze customer behavior in greater detail than ever before.
“There have been camera systems in stores for many years, not only for surveillance standpoint but also from a traffic-counting standpoint,” he said. “There’s systems in stores that allow retailers to check how many people walk in the door and how many people walk out the door and things like that, and so what we’re doing is taking that to a much more granular level.”
Here’s how it works: Riesenbach’s company sets up sensors in clients’ stores. The sensors pick up probes emitted about every 60 seconds from Wi-Fi-enabled smartphones, and continuously by Bluetooth-enabled smartphones. The probes include a 12-digit code, known as a MAC address, which is unique to each phone.
Using a scrambled version of the MAC address, the sensors can monitor how long a customer waited for a cash register, which aisles the customer browsed and how many times that customer returned to a store or visited different stores in the same chain.
The data compiled don’t include personally identifiable information such as users’ names or addresses. In that sense, proponents say, it’s similar to a real-time traffic map that shows cars identified by license plates or vehicle identification numbers but not by drivers.
More retailers are quietly testing the technology. The number of stores that installed iInside’s sensors grew eightfold last year. Riesenbach declined to identify any of his company’s clients, however.
His reticence speaks to the sensitivity of mobile tracking, as businesses try to take advantage of the new technology without alienating customers.
“Our clients are basically private about what they are doing,” he said. “They don’t know how it’s going to be reported; they’re worried that things can be taken out of context.”
Sprint also declined to identify clients who use its mobile advertising or analytics programs, which launched in 2012.
The carrier uses only anonymous, aggregated data, and it protects subscribers’ privacy by allowing them to opt into personalized mobile advertising or opt out of mobile analytics reports, said a corporate spokeswoman, Stephanie Walsh. Users are notified of their choices by text message, on bills and via Sprint’s website.
“Before I’m a businessperson, I’m a human, and I care very much about my privacy and how my data is used,” said Evan Conway, vice president of strategy for Pinsight Media+, a Sprint subsidiary that handles mobile media projects for the carrier.
“Frankly, we are so much more careful than any of the experiences that people are used to online,” Conway said. “If you look at the online world, they’re busy dropping cookies all over your computer, sharing where you’re going with whoever is interested. That’s kind of diametrically opposed to the whole approach that Sprint takes.”
While it’s commendable that some companies limit the ways they use tracking, the barriers to entry are very low and the temptations are great, said Seth Schoen, senior staff technologist for the Electronic Frontier Foundation, a digital civil liberties group.
“Anyone can set up location tracking sensors at any time. You don’t need more sophisticated hardware than a regular laptop,” Schoen said.
There’s very little consumers can do to protect themselves other than disabling Wi-Fi and Bluetooth on their phones or turning them off completely, he said.
The fact that mobile devices are easily trackable is a fundamental security problem, Schoen said.
“Mobile phones were nominally built to enable communications at the user’s request, and for what are sometimes obscure technical reasons and unintended consequences of engineering decisions, they’re effectively shouting into the radio spectrum to announce the user’s presence all day long,” he said.
“So I think we have to articulate that that state of affairs isn’t what users want, it isn’t something they mostly are aware of and it’s something that needs to be fixed.”