
FTC sanctions phone location tracking company for not allowing customer opt-out

Nomi has been ordered to tidy up its business practices as part of a settlement with the FTC over its tracking of retail customers' smartphones.

Readers of Naked Security might be familiar with how retail businesses are taking advantage of mobile phone technology to track customer movements while they shop.

Now, one of the companies that tracks consumers’ smartphones for its retail clients has received a strong telling off from the Federal Trade Commission (FTC) after failing to inform in-store customers that they could opt out of being tracked.

The company, Nomi Technologies, places sensors in participating stores to collect the Media Access Control (MAC) addresses of smartphones in the vicinity, allowing it to analyse the movements of anyone passing by those sensors.

The MAC address is broadcast to nearby access points whenever a device probes for Wi-Fi networks (and Wi-Fi enabled devices keep probing for hotspots unless Wi-Fi has been turned off).

And because MAC addresses are unique to each device, your phone’s MAC address can be used to identify you and track your location whenever you pass a Wi-Fi hotspot.

According to the complaint from the FTC, Nomi misled consumers over their ability to opt out of tracking in-store – because they were never informed that they were being tracked at all.

Consumers who did not opt out on Nomi's website and instead wanted to make the opt-out decision at retail locations were unable to do so, despite the explicit promise in Nomi's privacy policies. Consumers were not provided any means to opt out at retail locations and were unaware that the service was even being used.

The MAC addresses collected by Nomi were cryptographically hashed, but that still allowed the company to recognise each smartphone when it showed up again in an area it was monitoring.
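As an added illustration (not code from the article or from Nomi), the Python below simulates the collector-side hashing the article describes and contrasts it with two mitigations: a keyed, daily-rotated pseudonym on the collector side, and randomised probe MACs on the phone, the approach the comments below attribute to iOS 8. All MAC addresses and keys are constructed.

```python
"""Constructed demo: why a plain hash of a MAC address remains a persistent
tracking identifier, and two ways to break linkability between visits."""
import hashlib
import hmac

# Constructed: one device's real MAC seen by a store sensor on three days.
SIGHTINGS = [(1, "a4:5e:60:12:34:56"), (2, "A4:5E:60:12:34:56"), (3, "a4:5e:60:12:34:56")]
# Constructed per-day secrets; a real deployment would draw them with
# os.urandom(32) and delete yesterday's key so old pseudonyms cannot be recomputed.
DAY_KEYS = {1: b"day-1-secret", 2: b"day-2-secret", 3: b"day-3-secret"}


def plain_pseudonym(mac: str) -> str:
    """Unkeyed SHA-256 of the MAC, the approach the article attributes to Nomi.
    Deterministic, so every visit maps to the same value; and because a MAC has
    only 48 bits (24 once the vendor prefix is known) the hash is also enumerable."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:16]


def rotating_pseudonym(mac: str, day_key: bytes) -> str:
    """HMAC-SHA256 under a secret key that changes daily: same device, different
    pseudonym each day, so visits cannot be linked across key rotations."""
    return hmac.new(day_key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def random_probe_mac(entropy: bytes) -> str:
    """Client-side mitigation in the style of iOS 8's scan-time randomisation:
    build a locally administered unicast MAC (U/L bit set, I/G bit clear)."""
    b = bytearray(entropy[:6])
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def days_seen_per_pseudonym(sightings, pseudonymise):
    """Group sightings by pseudonym; a value greater than 1 means visits were linked."""
    seen = {}
    for day, mac in sightings:
        seen.setdefault(pseudonymise(day, mac), set()).add(day)
    return {p: len(days) for p, days in seen.items()}


if __name__ == "__main__":
    plain = days_seen_per_pseudonym(SIGHTINGS, lambda d, m: plain_pseudonym(m))
    keyed = days_seen_per_pseudonym(SIGHTINGS, lambda d, m: rotating_pseudonym(m, DAY_KEYS[d]))
    print("plain hash links visits over", max(plain.values()), "days")       # 3
    print("rotating HMAC links visits over", max(keyed.values()), "day(s)")  # 1
    print("random probe MAC:", random_probe_mac(b"\x00\x01\x02\x03\x04\x05"))
```

Note that the rotating pseudonym still links visits within a single key period, so the rotation interval is the privacy parameter.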

According to the FTC, Nomi’s “Listen” service for retailers provided them with information about a total of 9 million mobile devices in the first nine months of 2013.

The FTC claims Nomi also acquired information besides the MAC address hash, allowing it to gauge the shopping habits associated with each phone, including how many customers passed by stores without entering them, how long people remained in-store and how many times they had entered tracking-enabled stores within a particular time frame.

The FTC said the data was shared with Nomi’s 45 unnamed clients, although the Commission recognised that Nomi was not passing on information on an individualised basis.

With the proliferation of mobile tracking devices in all manner of locations from retail stores to rubbish bins, the settlement between the FTC and Nomi could signal further interest in the way so-called marketing location analytics firms track their own customers and the population at large.

Nomi said it was satisfied with its agreement with the FTC, telling Ars Technica:

We are pleased to reach this agreement. We continually review our privacy policies to ensure that they follow best practices and had already made the recommended changes in pursuit of that goal by updating our privacy policy over a year and a half ago, while we were still an early-stage startup that was less than a year old.

Under the terms of the settlement, Nomi must not misrepresent the extent to which consumers will be notified about the tracking, and it must give clear information about consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices.

Wi-Fi security tips

If you don’t want to be tracked where you shop, opt out of such schemes where possible or, better yet, disable Wi-Fi and Bluetooth on your smartphone whenever you aren’t using them.

You should also turn off the setting that remembers Wi-Fi networks and connects you to them automatically – if you automatically connect to networks you could leave yourself vulnerable to Wi-Fi sniffers, including marketing firms but also spies or criminals.

You can learn more about MAC addresses, and how they can be used to track you, in the short video below, “Busting Wireless Security Myths.”

Image of phone courtesy of Shutterstock.


I have walked into some businesses and later realized that the WiFi on my phone was turned on, although I could swear I’d not turned it on. Is this possible? If so, how might I prevent my WiFi from being remotely activated in the future?


Take a quick look to make sure?

Here’s one way it’s happened to me. On my iPhone, I can turn Wi-Fi off by enabling Aeroplane Mode, which shuts down all radio transmissions – GSM, 3G, Bluetooth, Wi-Fi, etc. Very handy, and a little plane icon appears at the top of the screen.

Then I turn Wi-Fi on, without thinking about it, perhaps from a popup somewhere that tells me “Wi-Fi is off, turn it on?” But Aeroplane Mode is still active, and the little plane icon lulls me into a false sense of security.

(“Aeroplane Mode on” puts Wi-Fi off, so I tend to assume that “Wi-Fi on” puts Aeroplane Mode off, which would make the plane icon a handy telltale for any and all wireless technologies in the device. Not so!)


There are root apps like “Pry-Fi” that change MAC addresses to spoil this type of marketing.


And, of course, iOS 8 does it for you:

Though once you do connect, your MAC address goes back to what it was, thus sidestepping any problems from possible collisions in made-up MAC addresses. A legally-formed 48-bit MAC address has 24 bits locked to “vendor,” and thus only 24 bits for uniqueness, or 16 million. Collisions therefore already exceed a 50-50 likelihood when there are more than about 12 bits’ worth of devices (i.e. 2^12, just over 4000) in proximity.


I wish there were a way to tell my phone (Android) that I only want to connect to certain Wi-Fi networks. A white-list of Wi-Fi nets.

That would crush all such apps immediately.


Not really…when your Wi-Fi is looking to find what networks are there (so it can build a list to see if one of your allowed networks is present), it’s revealing its MAC address. So a location tracker knows you’re there simply because you are there. That’s why Apple randomises your MAC address unless and until you are actually trying to connect to a specific network. That helps.



But, on the bright side, couldn’t Apple (or Android) “buy” another set of MAC addresses, that have the vendor ID part essentially faked? I mean, it would still say Apple, but it wouldn’t be a “real” set of MAC addresses. They would still use the randomize process, but using a useless set of MACs.

Another option would be to create an on-demand-only version of Wi-Fi. In other words, Wi-Fi is on, but it doesn’t search until you click a button and tell it to do so.

I don’t know, I’m just trying to come up with an idea. This MAC-tracking galls me, and especially so when they don’t tell you about it.

