
Attention, Shoppers: Store Is Tracking Your Cell - tippytop
http://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html
======
at-fates-hands
While still in college, one of my senior papers involved analysis of patterns of
movement in a large local bar/nightclub. The owners had changed the layout of
the club several times and were losing money every weekend. After spending
time doing some simple observations, I made a few suggestions and after a two
week period of implementation, they were making 8-10% more per weekend.

I'm always surprised when I see people who are convinced technology can solve
their woes when all you need to do is make some observations. No wi-fi
tracking will tell you there's a huge clearance rack blocking your view of
several other items. It also won't tell you if a merchandise row is so narrow
only one person can stand in front of a display.

Technology is great, but in most retail or commercial environments, you still
need feet on the ground.

~~~
mgurlitz
It doesn't make sense for Nordstrom to hire a consultant for each
underperforming store -- they can save money and make better decisions by
using data collection technology. Anyone could go to a retailer on a slow
afternoon, see open registers with no one in line, and determine that they
could save money by having fewer cashiers. But having the data allows the
company to make those decisions with much more confidence.

~~~
chrischen
Exactly. Wifi tracking is built into enterprise wifi systems like Meraki or
Aerohive. It's basically already there, so it's going to be way cheaper to
implement than having dedicated people eyeballing every store constantly.

------
gojomo
To opt out, before entering a store, turn off your phone and put on a ski
mask.

"Are you here to rob us?"

"No, I'm just opting out of your facial-tracking systems. Which way to kitchen
appliances?"

~~~
scrrr
There's a business opportunity. Rent-a-shopper. Anonymize your purchases by
having another person do your shopping. Pick up your purchases at a rent-a-
shopper pick up point near you.

I wonder what percentage of the population cares about being profiled though.
Less than 5%?

It's a niche business opportunity.

~~~
adrianb
Why would I trust the rent-a-shopper pick-up point? They might be tracking me
as well. Once started, paranoia goes all the way.

------
Amadou
_But while consumers seem to have no problem with cookies, profiles and other
online tools that let e-commerce sites know who they are and how they shop,
some bristle at the physical version_

That is a profoundly ignorant statement to make - the vast majority of web
users have no concept of the scope at which they are being tracked online.

If there was a sign spelling out all the trackers on every web page like there
was a sign in the store, you can be sure a whole lot more people would be
"bristling."

~~~
llamataboot
Every friend I have gotten to install Ghostery has been pretty shocked.

------
darxius
I wonder why they're using WiFi signals instead of just analyzing the video
feeds from their surveillance systems. It would probably glean the same
information.

Either way, I don't have a problem with this as long as they aren't
intercepting communications or anything private like my name and recognizing
me every time I enter the store. If it's information that they can obtain
without identifying me, there isn't much I can complain about. It's their
store and as long as my rights are intact I'm cool with it.

~~~
AlexandrB
> I wonder why they're using WiFi signals instead of just analyzing the video
> feeds from their surveillance systems. It would probably glean the same
> information.

With WiFi signals they can uniquely identify a single customer (by MAC)
without having to rely on facial recognition or complex image processing. I'm
guessing that's the reason.

~~~
darxius
Ah, that makes sense. Don't know how I feel about being uniquely identified
though. I thought they were just gathering things like movements and gender.

~~~
nairteashop
Only your device MAC is collected though, to track things like repeat visits,
so I think it's similar to how websites track your IP. There is no "database"
today to associate the device MAC back to any personal information.

~~~
bigiain
"There is no "database" today to associate the device MAC back to any personal
information."

You can _say_ that, but the marketing-hacker in me is already thinking about
how to hook the wifi MAC address to the credit card payment database, and how
to run in-store specials "Like us on Facebook via our free wifi to get $super-
special-deal!"

I think saying "There is no "database" today … " is disingenuous at best. I
would bet with 100% certainty that someone, somewhere, has been collecting and
correlating MAC addresses and individuals' identities, and is almost certainly
selling access to exactly that database.

(Cynical thought, what're the chances that Apple aren't, right now, already
doing realtime lookups on the purchase histories of the original owners of
wifi capable iOS devices that arrive in their stores with the wifi switched
on?)

~~~
nairteashop
I should've clarified - there is no database today that is accessible to
retailers and/or tracking software vendors. Device vendors like Apple
certainly have a database that maps device UDID/MAC to your personal
information, but they are very serious about protecting it. Today :)

------
dm2
Here is a video about the Euclid software. This service makes the Wifi
tracking even scarier because it can track across different stores, then they
probably sell that data.
[http://www.youtube.com/watch?v=q4W1GIRHC_4](http://www.youtube.com/watch?v=q4W1GIRHC_4)
[http://www.youtube.com/watch?v=k86DxCqfHjY](http://www.youtube.com/watch?v=k86DxCqfHjY)

Here is a way to opt-out of this particular service.
[https://signup.euclidelements.com/optout](https://signup.euclidelements.com/optout)

It seems like it would be trivial to tie in the location tracking with the
products someone purchases and if you are using a rewards card (like most
grocery stores have) then the store has all of your information tied to your
MAC address.

It's not just stores, any place could have these systems set up. Malls,
airports, stadiums, schools, or even your workplace.

Is it possible to obscure or modify a phone's wifi strength when not connected
to a network to prevent this tracking?

~~~
pdx
I just watched the video. They mention that they use equipment from
[http://www.aerohive.com/](http://www.aerohive.com/), which just seems to be
normal wifi infrastructure.

It seems like only people who actually connect to the wifi can be tracked.
There's no way to harvest the MAC address of a wifi device that hasn't
connected to your network, is there?

As a store, this seems to be not that valuable to me. I can't imagine that
very many shoppers actually take the time from shopping to decide to connect
to your wifi. I get that they only need to do this once, and after that, it
will auto-reconnect. I'm still not buying it as an effective tracking method.

~~~
napoleond
_There's no way to harvest the MAC address of a wifi device that hasn't
connected to your network, is there?_

Yes, there is. If you set your WLAN interface to monitor mode and run tcpdump
or similar, you can look at packets passing by, even if you're not connected
to a network at all. I built a Wifi tracking system this way when I was in
school.

~~~
pdx
Thanks for that. I wanted to understand how this was working.

This seems like a pretty powerful data source to use for all sorts of things,
if it's always accessible like that. A world readable cookie for every yuppie
and hipster on the planet!

------
nness
I don't particularly see an issue with this, but I welcome any insights to
convince me otherwise.

You have no expectation of privacy when in public. My question is whether
there is any difference to someone following you around a mall as you go
through your shopping journey (whether with cameras or in person even), as
compared to someone following your phone?

~~~
obituary_latte
Someone following you in person takes...well...a person. Following you
digitally takes some electricity, bandwidth, storage, and code.

~~~
superuser2
I've always hated this argument.

Banning _efficiency_, of all things, seems counterproductive. If someone (or
a government) really cares, they can simply spend the resources to do full-
scale surveillance and tracking the old-fashioned way. It's not like we'll
refuse to pay for it, given budgets what they are today. Lack of technology
didn't stop the surveillance apparatuses of the USSR or East Germany. They
just had larger staffs than we do.

Either something is okay, in which case it's okay to do with a machine, or
it's not, in which case it's not okay to do at all. If it's okay to tail
someone with a police car, it's okay to follow them with a drone. You stop
mass surveillance not by making it cost the taxpayer more, but by outlawing
mass surveillance and requiring some sort of suspicion or probable cause for
each individual case.

People who want to track and surveil others like efficiency, but are in
general still capable of hard work. Raising the effort required stops only the
most pedestrian violators.

~~~
obituary_latte
Whoa. Once the code is written and so long as the rest of the infrastructure
is in place, it can be done wholesale. Cheaply. In perpetuity. To anyone.

To do so sans technology requires an undue amount of resource. I.e. the energy
required to surveil 1x1 personally vs algorithmically is substantial and one
is much more feasible than the other (especially if you don't read the TOS -
and who does?)

All that said, though, I think we are mostly on the same page: you have to
accept responsibility for your actions in public. I think where we differ
though is that the majority of people don't have a clue wtf is actually going
on.

PS the argument doesn't hate you. It's willing to take any and all input,
process it, and maybe come out changed. It loves, respects, and thrives on
you.

~~~
superuser2
Responded to your comment pre-edit.

If the U.S. Government wants to know who is communicating with whom in a world
without modern technology, it can hire n government workers to sit at a desk
and write down the address information on all the envelopes passing through
USPS in a day. Expensive? Yes. Impossible - to the entity that fought WWII,
landed on the moon, and continues to maintain a pretty much stable country of
300 million people? No. Our government may suck at cost-efficiency, but it is
_great_ at throwing resources at things that scale O(n), like the number of
postal workers required to handle n letters.

There are good arguments to be made that it's not the government's place to
know who is communicating with whom anyway, so it shouldn't be allowed to. If
this is the case, then it shouldn't be allowed to _by any means_.

But how does a shopping mall _not_ have the right to watch people move through
its store? If it's wrong to watch the EM signals people emit as they move
through, then is it also wrong to watch the light they reflect? I've seen
employees doing traffic analysis in museums pretty frequently - in fact art
museum security guards do it all the time. They could do the same in a mall.
They could even park an employee with a clipboard on the second level and map
out people's movements between stores below. Focus on one store at a time,
find out where all the people leaving that store go. You'd still get the same
result - the general trends of how people move around the stores, based on our
evolutionary "tracking" ability - the Orwellian step of correlating neural
impulses from the eye as belonging to the same object in different positions.
Which is exactly what this cell phone tracking system does, except with MAC
addresses instead of faces and hairstyles.

I say this to emphasize that not all tracking is bad. Correlating different
sensory input with past and future inputs is a large part of being human.
Hell, in a small town 50 years ago, the general store owner probably _knew_
you and what you've bought before and who your friends are. The post office
worker could recognize a scandalous pattern of letters and tell your family
about it. That's _way_ more invasive than this. Involvement of machinery is
not the difference between good and bad tracking.

~~~
bigiain
"I've seen employees doing traffic analysis in museums pretty frequently - in
fact art museum security guards do it all the time. They could do the same in
a mall. "

Fundamental difference though: a security guard with a clipboard jotting
something down as I go past is one thing. I can come back tomorrow or next
week, and he can jot something down again - but it's very difficult to
correlate the two. If you're capable of grabbing my phone's wifi MAC address
though, you know (with a reasonably high degree of certainty) that both visits
were me. And you can share that data with the other museum across town without
me knowing (and they can share it with my insurance company, and my insurance
company can be targeted by hackers working for art thieves… Not _super_
plausible, but what if we substitute "museum" with "bike shop" and "art
thieves" with "criminal bike gangs"? Or substitute "museums" with "gun shows"
and "art thieves" with "gun thieves"?)
[http://www.themercury.com.au/article/2013/05/17/379402_tasma...](http://www.themercury.com.au/article/2013/05/17/379402_tasmania-news.html)

~~~
superuser2
No, they can't share it with your insurance company, because your MAC address
is never correlated to other personally identifying information. Best they can
do is the brand of your smartphone.

~~~
bigiain
Yeah, but the whole "pervasive surveillance" thing means there's no meatspace
equivalent of Perfect Forward Security here. It only takes _one_ instance
where someone can map my MAC address to an identity for the entire recorded
chain to lose its anonymity - one venue "in the system" where I make a credit
card purchase or divulge my identity. Hell - if we're being paranoid, a
sufficiently determined wifi access point operator has a _lot_ at their
disposal to attempt to de-anonymise a specific phone. iOS for example under
some conditions transmits the MAC addresses of the last 3 access points it's
connected to. There's a reasonably high chance one of them's my home and/or
work wifi - use some tool that'll sniff all those ARP requests and geolocate
them[1] to get partial address data. A determined enough attacker might be
snooping any traffic that the phone puts through the network. Using non SSL
protected POP3 or IMAP - guess who's got your email address (and password!)?
Does your Twitter/Instagram/Pinterest/4Square/SnapChat/whatever client always
use SSL? Are any of them vulnerable to sslstrip or MITM-able with unsigned
certs? How many websites does your phone browser happily send unencrypted
cookies to that're capable of providing strong hints to your identity? (Even
HN did this up to a few months ago. "superuser2" doesn't reveal much about
you, but knowing I'm "bigiain" in HN is enough to uniquely identify me.)

Now you've got me wondering just how many of the widespread free wifi rollouts
are relying on this as part of their monetisation. McDonalds free wifi would
be a great network to do this on. My local shopping center free wifi is almost
certainly run by the same company as all of the other AMP Capital shopping
centers in Australia. And now that I think about it, they're pushing the
center wifi hard, with things like Pinterest promotions and "like us on
Facebook" and "download our iPhone app" - all things that could easily
deanonymise my MAC address...

[1] [https://github.com/hubert3/iSniff-GPS](https://github.com/hubert3/iSniff-GPS)

------
jlgaddis
Who's going to build the mobile application that monitors the user's location
(via GPS) and automatically sets the wireless NIC's MAC address to a specific
value whenever the user is near one of these stores (and isn't connected to a
real wireless network)?

Surely having a handful of shoppers who all have the same MAC address in one
store at one time would screw up their analysis a little bit, no? It would
certainly make it much more difficult to track a specific individual.

~~~
informatimago
MAC addresses are unique, unless hacked.

~~~
jlgaddis
That's kinda the point of setting everyone's to the same value.

------
Houshalter
I'm not as disturbed by them tracking their customers (I mean they've always
had cameras in stores and recorded all your purchases anyways), as I am to the
amount of effort and efficiency that goes into maximizing the amount of stuff
they sell people. Like putting the milk in the back of the store so you see 50
other things on the way that you also might want to get, or putting ".99" at
the end of the price tag to abuse our inability to estimate numbers.

It's the same tricks basically, just far more efficient. Making the optimal
store layouts so customers spend as much time inside as possible or get
exposed to as many other items as possible. Use machine learning algorithms to
set the prices so every price is as high as it can be before people stop
buying it entirely.

~~~
bad_user
Meh, these same tricks have always backfired.

Yes, they've been placing food/beverages at the back since years ago.

This also means that customers that are in a hurry to buy
bread/food/milk/whatever are more likely to go to their local grocery store.
As we, the customers, may be stupid enough to buy into their .99 tricks, but
we aren't so stupid as to not notice that it took 3 hours to buy milk or
bread, as many times you're really not in the mood to gape at useless shit.
It's interesting though that local grocery stores are not so common in the
U.S., compared to Europe. To get food, I only need to cross the street.

Also, setting the prices dynamically will not work in an online world. What if
customers had a mobile app with which they could compare prices with other
retailers just by scanning the bar code? Again, customers aren't so stupid -
they may not notice that the price of individual items has gone up, but they
do notice fluctuations in their monthly spending.

~~~
Houshalter
I can testify that the milk trick does work, at least with my own family. They
say they will promise to only spend a minute getting milk and end up buying a
bunch of other groceries as well.

Dynamic price setting works because people are not perfect rational actors
that compare every single item they look at to the lowest price in town. I
don't know if _anyone_ does that actually.

People might notice a bigger shopping bill, but they are more likely to
attribute it to buying more than slightly higher prices on every single item,
which they might not even notice.

In any case they wouldn't be doing this if it didn't make them more money.

------
waster
So at the cost of usability (for the cell user), wouldn't a product (or
homemade solution: Hello, tin foil!) that blocks RFID/wifi signals wrapped
around the phone also foil (ouch) this tracking? I'm thinking something like
Blokket ([http://howsyourrobot.com/2012/09/26/blokket-blocks-rfid-wifi...](http://howsyourrobot.com/2012/09/26/blokket-blocks-rfid-wifi-signals/) - I have no
direct knowledge of this product, BTW; just googled RFID/wifi blocking).

Obviously this won't work for facial recognition, but I see that's discussed
in other comments.

------
16s
Were it not for their name, "Cookies" would not be generally accepted. We
should have named them "Roaches", then no one would say, well it's just a
roach.

------
lifeisstillgood
How does wifi tracking work? How do you do directional finding? I assume they
cannot have a thousand access points per store?

Frankly I would assume using computer vision to track heads like molecules in
Brownian motion would be cheaper, simpler in all cases.

However this one creeps me out far more than NSA. Odd really

~~~
rwg
You don't need a super-dense AP deployment for location tracking of clients to
work.

A client that's actively looking for networks to join will occasionally
broadcast a probe request frame on all of the channels it can transmit on,
trying to get nearby access points to respond. If you have at least three
access points that "hear" the same probe request and you know where those
access points are located, you can use the position information of the access
points combined with the received signal strength of the probe request frame
at each access point to compute that client's position.
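
Added example, not part of rwg's comment or of the original thread: the position calculation described above, plus a check of how far the estimate moves when one access point misreads the signal strength. The log-distance path-loss model, its two constants and the access point coordinates are assumptions chosen for illustration.

```python
import math

# Assumed radio model (not from the thread): log-distance path loss,
#   rssi(d) = RSSI_AT_1M - 10 * PATH_LOSS_EXP * log10(d)
RSSI_AT_1M = -40.0    # dBm measured 1 m from the client (assumed calibration)
PATH_LOSS_EXP = 3.0   # assumed indoor exponent; free space would be 2.0

# Constructed floor plan: three access points, coordinates in metres.
APS = [(0.0, 0.0), (20.0, 0.0), (0.0, 20.0)]


def rssi_at(distance_m):
    """Signal strength the model predicts at a given distance."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXP * math.log10(distance_m)


def distance_from_rssi(rssi_dbm):
    """Invert the model: estimated distance for an observed RSSI."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))


def locate(aps, rssi_dbm):
    """Least-squares (x, y) from one RSSI reading per AP, three APs or more."""
    if len(aps) < 3 or len(aps) != len(rssi_dbm):
        raise ValueError("need one RSSI per AP and at least three APs")
    d = [distance_from_rssi(r) for r in rssi_dbm]
    (x0, y0), d0 = aps[0], d[0]
    # Subtracting the first range circle from each of the others removes the
    # x^2 + y^2 terms and leaves linear rows a1*x + a2*y = b.
    s11 = s12 = s22 = t1 = t2 = 0.0
    for (xi, yi), di in zip(aps[1:], d[1:]):
        a1, a2 = 2 * (xi - x0), 2 * (yi - y0)
        b = d0**2 - di**2 + xi**2 - x0**2 + yi**2 - y0**2
        s11 += a1 * a1
        s12 += a1 * a2
        s22 += a2 * a2
        t1 += a1 * b
        t2 += a2 * b
    det = s11 * s22 - s12 * s12   # determinant of the normal equations
    if abs(det) < 1e-9:
        raise ValueError("access points are collinear; position is ambiguous")
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def position_error(true_pos, aps, noise_db):
    """Metres of error when AP i misreads the RSSI by noise_db[i] dB."""
    readings = [rssi_at(math.dist(true_pos, ap)) + n
                for ap, n in zip(aps, noise_db)]
    return math.dist(true_pos, locate(aps, readings))


if __name__ == "__main__":
    client = (6.0, 8.0)  # constructed true position of the phone
    for noise in ([0, 0, 0], [3, 0, 0], [6, 0, 0]):
        print(noise, "dB ->", round(position_error(client, APS, noise), 2), "m")
```

Under these assumed constants, a 3 dB misreading at a single access point moves the estimate by about 1.3 m, and three access points in a straight line cannot fix a position at all.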

~~~
lifeisstillgood
It still sounds unlikely without working it through.

I guess the inverse power law applies, and signals are pretty weak to start
with, so differences of a few metres will make a big drop.

How accurate are these systems (someone implied it came as standard on certain
APs)? what is the density for say 50cm resolution - any papers on this?

thank you

~~~
lifeisstillgood
just a quick follow up - I noticed that "it sounds unlikely" is doubting your
statement - I am sure the directional / location of wifi is pretty accurate -
it's just my intuition about such things is so wildly off I would need to do
some calcs on signal strength over metres of distance.

Interesting thanks

------
p6rny
Can Google be doing this to the whole city where they provide free WIFI for
the city?

