

Malls track shopper cell phones on Black Friday. To opt out? Turn off your phone - pavel_lishin
http://money.cnn.com/2011/11/22/technology/malls_track_cell_phones_black_friday/

======
tghw
Just to play devil's advocate, how is this any different from running
analytics on your websites? They are keeping track of where people go, just
like most people on HN do with their own users. And to be honest, I think it's
a clever hack that could give them information about how to improve the layout
and offerings at the mall.

So why are people having a negative reaction to this? Because they can track
your purchases? Websites could easily be doing that too, if they were willing
to cooperate (the same way the stores would have to cooperate with the malls
by giving records of all purchases, which seems unlikely). Or is it creepier
just because it's your physical location?

~~~
lawnchair_larry
It isn't, which is why I'm surprised more people don't opt out of those
things.

Both physical analytics and electronic analytics are reprehensible, imo.

~~~
superuser2
Really? It's "reprehensible" for a website to know how many people visit, what
countries they come from, what pages they spend most time on, what buttons are
most effective, etc?

Tracking between unaffiliated websites is a different story, but the mall is
only tracking our movements around the mall, just like any website that gives
a damn about user experience is going to track you around its pages.

~~~
politician
This information is sufficient to track you through unrelated visits to the
mall, and paired with CCTV video, sufficient to associate you with your face.
It's also a small step to associate you with your credit card purchases at
various stores.

~~~
nl
_It's also a small step to associate you with your credit card purchases at
various stores_

You do realize that they (the credit card companies) already do this (and have
for years), right?

~~~
politician
Do they have your face on file? Do they provide this purchasing information to
malls?

------
blahedo
The particular reason this opt-out is odious is that opting out requires you
to _stop participating_ in a service the mall _has nothing to do with_. If an
opt-out is, "to opt out, press this button before entering the mall", or, "to
opt out, stay at least ten feet away from our mall maps", or, "to opt out, do
not enter the food court", then they could sorta kinda make a case for
legitimacy. (Those would be somewhat bizarre, admittedly, but at least they're
directly related to the mall in some way.)

The "but I need my cell phone" objections are missing the point here: the opt-
out is policy is bad not because it's making you forgo a convenience or even a
necessary item, but because it's hijacking your commercial relationship with
someone else entirely. Kind of like the technological underpinnings of the
tracking, which are mitm-ing on the signal itself.

I wonder what the cell companies have had to say about this?

~~~
boredguy8
The high school production of King Lear has nothing to do with your cell
phone, either. But you should still turn the damn thing off. Having to forgo
one relationship to participate in another is neither surprising nor odious.
You don't have to shop at this mall.

~~~
pavel_lishin
> The high school production of King Lear has nothing to do with your cell
> phone, either. But you should still turn the damn thing off.

Nope. You should simply set the ringer to silent.

------
mortenjorck
I really want to know more about how they're accomplishing this technically,
and what kind of carrier cooperation is required.

If all they're doing is putting up Rx antennas and using them to intercept
subscriber IDs from the non-encrypted part of the handshakes with the towers,
without any cooperation from the carriers themselves, I guess I'm not too
concerned, as a subscriber ID alone is meaningless without carrier records.

If they're doing something that requires carrier cooperation, however, that's
something different entirely. Suddenly we go from "anonymous by nature" to
"trust us, we're anonymizing it."

Any wireless engineers want to weigh in on this?

------
jacquesgt
Once you have this data, you can correlate it with records of purchases to
link a given phone to a given credit card number. I'm guessing it would take
just two or three purchases at the mall to be able to do a match with high
confidence.

But we all know retailers care too much about their customers' privacy to pool
that kind of information, so there's really nothing to worry about. And
anyway, the fact people are reading the little signs and then continuing to
shop without turning off their phones is a pretty clear indication that
they're opting into this kind of data collection anyway.

------
epochwolf
This technology makes me uncomfortable. By itself it's rather harmless but
it's not a huge leap to imagine a network of surveillance cameras using this
technology.

Stuff like this makes me think I'm living in a scifi novel and I'm not sure
that's a good thing.

------
npollock
There's a startup in Palo Alto that uses phone signals to track consumers and
generate analytics. Perhaps their technology is being used.
<http://euclidelements.com/>

~~~
mortenjorck
Interesting. Euclid only works with smartphones, in that it appears to simply
sniff MAC addresses, and triangulate them with off-the-shelf wi-fi equipment.

I'm guessing the mall tracking systems are using something on the GSM and CDMA
spectra, and are sniffing UDIDs?

------
jleader
Isn't this similar to the way phone data is used to estimate traffic speeds on
streets and highways?

Also, when I saw this: "To make it harder for hackers to get at this
information, Path Intelligence scrambles those numbers twice", my first
thought was "with XOR?".

And third, are these the same malls and retailers that want to block data
connections to prevent people from doing on-line comparison shopping while in
the store?

~~~
seanp2k2
>"XOR"

Probably using 2ROT13 because they heard it was more secure.

------
aptimpropriety
No, the title is incorrect. Opting out is not going to the mall (private
property).

I kind of see it like saying "I want to buy something on your website - but I
don't want to give you an email address or credit card!" Obviously not a
perfect analogy, but really, you are going on their turf and utilizing their
services. If you don't want to play by their rules, don't patronize them.

~~~
dalke
That's an entirely different discussion on the increasing privatization of
public space.

We've long established that companies don't have a right to "play by their
[own] rules." For example, in the US a mall cannot discriminate on basis of
race, and it must follow ADA, OSHA, and other requirements.

Remember, companies exist only because of government regulation. They exist
because otherwise individual people (the owners) would be responsible for
mishaps and debts, and that's too much risk for most people. Since we set the
law, companies must abide by our rules.

And that leads to an entirely different discussion on the influence of
companies on lawmaking.

------
libraryatnight
I shouldn't have to turn off my phone, I should be able to shop (using the
malls services) and use my cell phone (a service entirely unrelated to the
shopping mall) without having to worry about this nonsense.

I honestly don't see what business the mall has using a tactic like this. I
hear the 'it's no big deal' argument, but something about the path we're on
with this feels sinister.

I don't have a technological, philosophical, political argument for not liking
this, I just do not want to be tracked. I feel akin to a toddler throwing a
tantrum, I want to heap all of my electronics in a pile and stomp up and down
on them screaming "I DON'T WANNA BE TRACKED!"

Unfortunately gadgets, phones, etc have a pretty good hold on me so I'm stuck
grumbling on the internet, where I'm tracked.

edit: changed reason to argument, since thinking about it I probably do have
some philosophical reasons but not anything broad and clear enough to form an
argument.

~~~
geon
Then don't go there. Seriously.

~~~
libraryatnight
I don't plan to, but that's not really the point. Because at some point it
becomes, "Don't go where?"

~~~
ams6110
Yeah I don't go to malls because they seem like disease incubators and smell
like human flatulence. But it's really not about the malls.

------
recursive
The privacy concern should be on the part of the cell phone holder. Blaming
the mall for using data that you are transmitting is like firing someone for
finding a security hole in the corporate web site. If you don't want anyone to
know your top secret phone id, stop transmitting it. You should be much more
worried about the people who aren't telling you that they are collecting it
than the mall that's announcing the fact that it is.

~~~
trotsky
And if you don't want your private conversations recorded simply refrain from
speaking? There is a long history of privacy protections afforded to the
general public.

~~~
recursive
What do you mean by private conversations? If you're trying to transmit
sensitive information, you don't use a postcard. People are jumping on the
wrong bad guy here. "If we can just stop the people who are admitting to
tracking us in ways we don't like, we can drive back this menace."

The reality is that if you don't like the idea of people doing this kind of
tracking, stopping the people that are publicly admitting to doing it is the
least of your concerns.

------
edw519
Turn off your phone in the mall? Yea, right. Now there's great advice from
someone who's in touch with modern reality:

1985 - If I don't see you again, I'll figure you ran into your friends and
went home with them.

1989 - Meet me at the fountain at 6:00.

1992 - If you need anything, see Linda at the Gap. She'll know where to find
me.

1996 - If there's an emergency, beep me and go to mall security.

1999 - Find a payphone and call my mobile phone when you get hungry.

2003 - Call my cell when you're ready to leave.

2006 - Post any good bargains on my Facebook wall.

2008 - Follow me on Twitter to see what I'm up to every 7 minutes.

2009 - Foursquare will let you know where I'm at.

2010 - Just check the Groupon emails I sent you to see where I plan to shop.

2011 - Text me immediately if you see a line _anywhere_. It's probably an
early unpublished Black Friday special and we should get into that line _now_.
I'll stop by REI and buy a tent and sleeping bags; you get some protein bars
and Gatorade.

~~~
pavel_lishin
> 2011 - Text me immediately if you say a line anywhere.

Wow. I'm getting flashbacks to growing up in Soviet Russia. The irony is
hilarious.

------
ChuckMcM
This is a pretty bold move. It would be fun to have a basket of say 500 pre-
paid phones scattered around so that folks could pick up a phone and drop it
off to poision the data with a bunch of bogus stats. Except you could probably
defeat that with ESID or IMEI filtering.

I am surprised that this is legal in California, there is legislation that
forbids this sort of thing.

~~~
mikedougherty
Even with the pre-paids, they'd stil be able to see where a person with one of
those is going and their shopping patterns, therefore giving them exactly what
they're looking for. They're tracking the movement of dots to analyze shopping
patterns. If a dot is prepaid it doesn't make it a "fake" dot. What would
really confuse them (maybe?) is getting as many phones on your person as
possible then running around in circles.

Why they would choose to attempt to discover patterns on black friday though
is beyond me - consumer behavior on that day is completely wacky and
inconsistent with any other day of the year.

~~~
seanp2k2
This makes me want to invest in a CDMA/GSM dev kit so I can spoof IMEIs and
ESNs. I'd send them:

AA-BBBBBB-CCCCCC-'); DROP TABLE imei;--

EDIT: another thought would be to use a directional antenna with a high-power
transmitter (should only take a few watts with a +23DB panel or something) and
have a script run through IMEIs and ESNs a few hundred a second, then just
wave the thing around wildly.

If you want to stop this, you have to make it not economically viable for
them. Real-life tracking calls for real-life DoS.

------
zitterbewegung
Well, if you are doing comparison shopping by scanning in the barcode using
your phone it seems like you can't have your privacy and try to get a better
deal at the same time.

------
shoota
Is this even legal?

My question is if they are just monitoring cell phone signals they must have
some way of intercepting them. Is this not akin to wire tapping?

------
strickjb9
I'm only 5 miles away from Short Pump mall... this is really interesting. I'm
pretty confident that they don't even care about attaching this kind of
information to an actual person's identity or purchases. Still, even if I was
concerned the likelihood of me turning my cellphone off just to avoid being
tracked is close to nil. It's something that needs to be watched closely...

------
wallflower
Many years ago, before smartphones, my family was entertained by a group of
families that were using long distance walkie talkies (multi-mile range, no
FCC ham radio license required) to communicate.

"(BOOP) Where are you?"

"I'm near The Gap"

------
kbanman
Seriously? This is a privacy concern? I really should get into the tin foil
hat business.

~~~
epochwolf
It's not a privacy concern until someone takes the small step of being able to
track a phone with surveillance cameras. With technology like this, I can't
imagine it being much more difficult than plotting the viewing areas of the
cameras and then overlaying the positions of various phones on the same map.
This approach won't immediately point out the person the phone belongs to but
you could easily have video coverage of the person available for review. You
can always pick them out of the imagery later.

~~~
politician
It's trivial to associate people with CCTV ...

    
    
       1. Point a camera down a narrow traffic area -- like each door to the mall.
       2. Capture their cell signal at the entrance.
       3. Correlate using face-tracking.
       4. Prune errors by tracking exits and entrances.
    

Now you have a pretty good idea of which face has which phone, for that visit
and all future visits to anywhere the mall sells their tracking database to.

------
feralchimp
You'd think that in a soft retail economy they'd be less brazen. Well, time to
teach them a lesson, I suppose.

------
winternett
Its completely amazing to me how companies fooled us into paying for devices
which are used to expose our habits. If cell phones were free, perhaps there
would be less complaints. The fact that we each finance devices that can be
used against us by companies and even government is bewildering. Make no
mistake, turning off your phone does nothing.

~~~
politician
Actually, this is true, you need to disconnect the battery. Which, of course,
is impossible on many smartphones.

~~~
stock_toaster
what about 'airline mode'?

------
mildweed
Isn't this prohibited by the FCC?

------
cbs
_"We won't be looking at singular shoppers," said Stephanie Shriver-Engdahl,
vice president of digital strategy for Forest City. "The system monitors
patterns of movement. We can see, like migrating birds, where people are going
to."_

Read: We're invading your privacy, but in a good way.

------
billpatrianakos
"It's nt a privacy concern" What?! Depends who you ask! Since when are the
people collecting data the ones who decide what a privacy concern is? I don't
mind right now but others might and I may change my mind!

"Hardly anyone opts out". This one is disgusting! Of course they won't opt
out! Do I lose touch with the people I need or want to co,mini ate with and
lose the ability to comparison shop as I go or do I opt in to being tracked by
default?

They've done this totally backwards. People should have the option to opt _in_
not out. There really isn't much choice here. It all seems innocent enough
right now but we all know it'll start going further as the years go by.

~~~
mirkules
How do they know if someone opted out if their phone is off? Do they divide
the number of cell phones by the total number of people in the mall? What if I
forget my cell phone in the car or at home? Am I considered an "opt-out"?

When I see this kind of stuff, I always think what is the best way to disrupt
this kind of technology. The ideas that come to mind is to organize a bunch of
people to randomly walk in the mall, or to leave a bunch of cell phones lying
around to skew the data (although the first would be a LOT more effective).

~~~
click170
If you were determined you could jam the wireless spectrum, as long as your
signal was strong enough you might be able to block subscriber IDs from making
it to the tracking antennas.

