Retailer beacons track your phone as you shop, raising privacy issues
By Dinah Wisenberg Brin | Published: November 12, 2014
When you walk into a department store or pump gas on your way to work, your mobile phone may be communicating with that business in ways you don't realize, and in the process helping retailers gather data on your activity -- perhaps how long you spent in a certain aisle or whether you bought a cup of coffee after filling the tank.
Merchants increasingly are using technology based on electronic sensors and transmitters, or beacons, to analyze consumer behavior and improve service by, say, better understanding when checkout lines are likely to grow. Beacons can work with retailer apps to remind you of items on your shopping list or send you customized messages and offers. But the technology, which can identify and follow your phone in the store, also raises privacy concerns.
"We were really hoping that this kind of a day wouldn't come, when people, just by using their mobile phones ... would be tracked," says Pam Dixon, executive director of the nonprofit World Privacy Forum, which objects to the idea that consumers, including children, are giving passive consent to tracking.
Here's how indoor location technologies such as beacons work: The antennas in your mobile phone send out signals that help your phone connect to the Internet via Wi-Fi, or to other nearby smart devices using Bluetooth. When you walk into a store that's been equipped with beacons, that equipment, depending on the type, can pick up on your phone's signal as the device looks for wireless or Bluetooth connections.
Both Wi-Fi and Bluetooth transmitters can identify your device by its unique Media Access Control (MAC) address, a 12-digit string of letters and numbers assigned to your phone by its manufacturer. It reveals the device maker but not your name, email address or other personal information. A store could identify you only if you voluntarily downloaded an app to send you promotions when you're in or near the store, industry representatives say.
No longer a distant
Apple, Macy's and Lord & Taylor are among the retailers who have embraced this technology, known as proximity marketing. They're not alone. Technology market intelligence firm ABI Research in April forecast there would be more than 30,000 indoor location installations of tracking technology this year, calling 2014 a "breakout year for indoor location technologies in retail environments."
We were really hoping that this kind of a day wouldn't come, when people, just by using their mobile phones … would be tracked.
World Privacy Forum
Apple has been a leader in the field. Its iBeacon technology was built into its iOS7 operating system and lets iPhones and iPads constantly scan for nearby iBeacon transmitters. Once the device identifies an iBeacon sensor, it can wake up an app on the phone, even if that app is closed.
For instance, iPhone users who have Bluetooth enabled, have the Apple Store app installed and have given that app permission for the iBeacon technology to work could receive notifications when they walk through an Apple Store. Stand in front of the latest iPhone display and you might get an alert on your phone saying you're eligible for an upgrade.
iBeacon isn't just for iPhones or Apple stores, though. Any Android phone with Bluetooth and Android 4.3 or above can also pick up the iBeacon transmitter signals. Whether anything happens then depends on whether you've downloaded apps that are developed to take advantage of the technology.
Macy's parade of beacons
Getting poll results. Please wait...
Customers who have downloaded the Shopkick app and turned it on may receive promotional offers or messages with product information as they approach merchandise areas, Macy's spokesman Jim Sluzewski says. Macy's will monitor whether shoppers activate the coupons, but won't track other customer activity through mobile phones, he says. "Of course, we track the number of customers who activate Shopkick at Macy's and sales associated with those visits."
The move is part of a Macy's strategy to create a unified shopping experience as you go from online to mobile to the real world. It includes use of the new Apple Pay mobile payment system in Macy's and Bloomingdale's stores, and the stores' new mobile wallets, which allow loyalty rewards customers to store offers electronically to use at checkout, the company says.
In July, HBC Department Store Group announced it was deploying Swirl's iBeacon-based platform in U.S. and Canadian Lord & Taylor and Hudson's Bay stores, allowing the retailers to send tailored messages and promotions through various apps based on a consumer's location and behavior in stores.
Does it pass the
Online retailers have been gathering data on customers for years, and consumers have grown to accept the trade-off of some privacy for relevant content and customized offers. In a 2012 survey by Accenture of 2,000 U.S. and U.K. consumers, two-thirds of respondents said it's more important for retailers to present them with relevant offers than to stop tracking their online activity.
But watching customers' footsteps, then acting on that information, creeps some people out. In 2012 and early 2013, Nordstrom tested in-store Wi-Fi sensors in 17 of its stores and received negative customer feedback when it posted signs saying it was tracking their movements. The signs told shoppers that the retailer wasn't collecting personal data, and that they could opt out by turning off their phones or Wi-Fi.
Nordstrom tested the technology "to gather information about customer foot traffic," said Nordstrom spokeswoman Tara Darrow in an emailed response to questions from CreditCards.com. Darrow said the sensors provided information in anonymous, aggregate reports that did not allow the company to tie the information to individual customers.
It was a fairly benign experiment, as data-gathering goes these days. And the company has not continued with the practice, though Darrow didn't say whether Nordstrom would be using in-store sensors again. "Though we did get some feedback from customers at the time, it was always meant to be a test and that test simply came to an end," she said.
Consumers have the ability to turn that stuff off if they don’t want to engage in that type of marketing.
Some say consumer fears are unfounded. The technology "generally isn't as invasive as one might think," says Robert Siciliano, CEO of IDTheftSecurity.com. Siciliano notes that consumers have to opt in by downloading an app if they want to receive in-store marketing messages. "Consumers have the ability to turn that stuff off if they don't want to engage in that type of marketing," he says.
Beacons and other sensors, however, can detect a phone's MAC address and register its location without any apps or even consumer knowledge. Even so, the technology won't know the customer's identity, Siciliano notes. "The beacon sniffing your MAC address is no different from a security camera seeing you. It's there. It's not punching you in the face, it's not harming you. It's passively monitoring," he says.
"It's only when you've opted into an app that I know it's you," agrees Elizabeth Powers-Trupp, a partner at Nodify, a company that makes equipment for detecting smartphone Wi-Fi signals.
Consumers are willing to download those apps, and will respond to a proximity marketing message if it's not intrusive, she says. There is some research to back her up. A 2011 survey by mobile media company JiWire, now called NinthDecimal, found in that 75 percent of shoppers take action after seeing a location-specific advertising message.
Objections to stealth
But privacy advocates see problems with retailers tying data to your phone's MAC address. "The MAC address is a unique identifier," says the World Privacy Forum's Dixon. "It's very simple at this point to attach a MAC address with a unique user."
Location tracking is a particularly invasive and risky form of tracking because it has almost unbounded potential to reveal sensitive private facts about individuals' lives.
Lee Tien and Seth Schoen
Electronic Frontier Foundation
Consumers should have the choice to actively opt in to tracking, and retailers should disclose how long they might store the data and whether they're merging it with other information to identify consumers, she says.
In February 2014, the Federal Trade Commission held a workshop and analyzed privacy issues surrounding mobile device marketing and analytics, including worries that outside parties might obtain information that businesses collect and store.
"Location tracking is a particularly invasive and risky form of tracking because it has almost unbounded potential to reveal sensitive private facts about individuals' lives," Electronic Frontier Foundation senior staffers Lee Tien and Seth Schoen wrote to the FTC in March. Online and offline activities could be merged into a single profile, they wrote.
Location privacy "is a crucial aspect of personal privacy," they say, because location data could reveal or implicate a person's intimate and social relationships, medical privacy, religious practices, sexual interests, physical safety, attendance at protests and attorney-client relationships.
The Center for Digital Democracy warned that geo-locational data gathering could lead to "digital redlining" and other discriminatory practices, and urged the FTC to examine how tracking identifies people by race, ethnicity, economic class and age.
For the moment, it's incumbent on consumers to make themselves invisible if that's what they want. You can visit the Smart Store Privacy website to opt out of tracking by 14 companies that have signed a code of conduct created by the industry-backed Future of Privacy Forum. Beyond that, if you want to make sure stores don't detect your phone, turn off your Bluetooth and Wi-Fi signals when shopping or turn off your phone completely.
Privacy advocates say that's not a real solution. "We don't think people should have to turn off their phones to avoid tracking," says the WPF's Dixon. The idea isn't to stop stores from using technology to enhance services, she says, but "to give consumers the rights over their digital exhaust, over the digital breadcrumbs they leave behind."See related: Do predictive scores violate your privacy?, 6 ways to outsmart data brokers, 12 creepy details data collectors know about you
- Debt relief firm that claimed ties to US government sued by CFPB – The Consumer Financial Protection Bureau sued two companies both known as FDAA for an allegedly illegal debt relief scheme targeting credit card debtors ...
- In the wake of Equifax hack, Congress proposes credit bureau reform – Lawmakers call for changes in credit report system to protect people's data, or at least give them more control over it ...
- Poll: 1 in 4 Americans checked their credit after Equifax breach – The flood of post-breach consumer action is encouraging, but many still didn't check their credit ...