Skip to content
Naked Security Naked Security

The ‘spying billboards’ that track you as you walk by

The billboards raise serious questions about privacy, US Senator Charles E. Schumer said. They should be investigated by the feds, and the companies behind them should be required to offer an opt-out option.

Anybody who walks or drives past new tracking billboards with a mobile phone in their pocket can be spied on without their knowledge or consent: a potential invasion of privacy that US Senator Charles E. Schumer wants the US Federal Trace Commission (FTC) to investigate.

Schumer, a Democrat from New York, delivered a briefing in Times Square on Sunday, electronic billboards blinking and scrolling behind him.

From his remarks:

A person’s cell phone should not become a James Bond-like personal tracking device for a corporation to gather information about consumers without their consent.

No one wants to be followed or tracked throughout their day, electronically or otherwise.

These new “spying” billboards raise serious questions about privacy, Schumer said. They should be investigated by the feds, and the companies behind them should be required to offer an opt-out option for consumers who feel that they violate their privacy.

The billboards can be found at roadsides, airports, commuter hubs, and, of course, Times Square – where Schumer gave his briefing. Some are even equipped with small cameras.

This sort of data collection is nothing new, of course.

All WiFi-capable devices broadcast a unique ID – a Media Access Control (MAC) address – when they’re looking for networks (and so long as WiFi is enabled, they’re always looking for networks).

So if you walk around carrying a mobile phone with WiFi turned on, you’re broadcasting your own, unique radio beacon, and it’s easy to track your movements.

And boy, have we seen marketers go to town on all that freely broadcast data.

MAC address tracking, also known as Mobile Location Analytics (MLA), is of serious interest to companies trying to sell us things. As of October 2013, the Washington Post reported that there were at least 40 MLA companies logging thousands of customer interactions every day on behalf of retailers.

Nothing is sacred: MLA companies have even rigged up spying rubbish bins in London, all the better to track MAC addresses of people as they passed by.

It’s common for these companies to say the data they collect is anonymous and aggregated.

But just because data is “anonymized” doesn’t mean it can’t be used to track us. As both AOL and researchers have shown, making data truly anonymous is hard.

And as Naked Security’s Mark Stockley has pointed out, turning a MAC address such as e4:ce:8f:1f:f7:ba into “Mark Stockley” by cross referencing existing personal data would be “trivial” in a retail environment – where stores already stockpile data on us through loyalty programs and data purchased from store cards to deliver highly targeted, personal advertising.

In June 2014, Apple made the news with a simple privacy enhancement that promised to throw a monkey wrench into phones’ promiscuous MAC address broadcasting when it tweaked iOS 8 so that it used randomly generated MAC addresses to mask a phone’s true MAC address.

It wasn’t perfect: Once you decided to connect to a hotspot, iOS 8 would then use your real MAC address. But imperfect as it was, it was quite a gauntlet to throw down in front of data-hungry marketers.

Schumer said that by using the data and analytics, the companies will be able to amass information such as viewers’ average age and gender, and about individuals who view a given billboard in a particular place at a given time.

Schumer urged the FTC to allow consumers to opt-out of the billboard tracking program. But given that people are likely unaware that they’re even being tracked, he also urged the FTC to make companies notify consumers when they do use the tracking technology.

The FTC has yet to respond to Schumer’s request.

22 Comments

So, turn off Wifi when you’re not using it, then? Wifi eats up battery anyway, I only turn it on if I need it, and I’m not gonna connect to some strange network without knowing who owns it.

It just shows the state of things….Have Mobile, Will Connect!
I see plenty of people walking down the road staring aimlessly at their phones even when they’re with their friends. I bet if you were to publicly announce that you’re supplying Free Wi-Fi but it’s not safe, people would still log in with all their details on show.

The fact is these days if you remove someone’s S(elf).M(onitoring).A(nd).R(esponse).T(ool) phone they no longer no what the world is or even looks like (metaphorically speaking).

Mr Lizard alien god, the free range prisoners are whining again. This time about their tracking devices. Should we sprinkle more Kardashians and war on them to distract them? or release a new virus scare?

If this was a consumer-friendly effort, it would require opt IN, not opt out.

I still don’t get it. So what if someone tracks me walking or driving down the street? So what?
If someo0ne is standing on a street corner and watches me walk down the street should their eyes be banned because watching me walk is an invasion of my privacy? Pul-leese!

I take it you oppose Stalking laws then, Ken?

If a billboard gets up and starts to follow me then I might be concerned. Other than that, believe me when I say I am Mr. Uninteresting.

No one is “Mr Uninteresting” to the large-scale data collectors of the world. And no one is “Mr Uninteresting” to the cybercrooks, either.

They’re not after you just because you’re a celebrity, or have $1,000,000s, or whatever. They’re after you because you have $10 and there are 1,000,000s of people just like you. They’re after you because you have a social media account that was established some time ago and thus looks more believable than one created yesterday. They’re after you because you work somewhere, have colleagues with whom you share a network, because you have lists of other people’s email addresses on your computer, because your computer would make a handy zombie for sending spam…

…and so on. An injury to one is an injury to all.

Indeed, so what. But it isn’t one person watching you walk down the street so it isn’t a fair comparison.

It’s one person who takes intense interest in watching *and recording* you walk down the street. And everyone else. Every day.

And they’re not alone, they have friends who are just as interested and they’re also recording you and everyone else too on other streets, shops, malls and websites and conferring with each other to match up your journeys and online habits to figure things out that you didn’t know you were revealing about yourself.

And they’d love to match it up with purchase data, perhaps through store cards or contactless payments (and with it your address and DOB by the way).

Because that’s what Big Data is – it’s about extracting intelligence that doesn’t exist or isn’t discoverable in individual moments by collecting a lot of it so they can send catalogues full of offers for nappies and baby clothes to women who figured out they were pregnant after their grocery store did (and that was done with just a store card, based on changes in purchasing behaviour that Big Data revealed were correlated with people who later bought nappies and baby clothes).

Now you could say that all of that’s fine, there’s no conspiracy, they just want to show you better adverts.

But you have to trust them to honour that now and under different ownership later, forever, and to not sell it on to people you don’t trust, forever. You have to anticipate how they might use your data it in future, in combination with other data and other algorithms that don’t yet exist. All the while the stash of data gets bigger.

And more than all of that, you have to trust them not to lose it.

And more than all of that, they didn’t even ask if that was OK first.

And even more than all of that, you have to assume the data was immediately copied to every major government surveillance program in the world.

I’m tracking you so I know when you are where, so I know when it’s safe to break into your house, what day/time you go to the bank/ATM so I know when you have cash on you. I’m selling your data to telemarketers that will call you to sell you things. I’m getting enough data to take out an insurance policy on you so at 5:36 when you cross that road every day and I accidently hit you I can collect it. But that’s just a Tuesday to me.

Big difference if someone is watching *everyone* walking down the street and commercialising the collected database of those comings and goings. Who knows where that data will end up? Who might but it? Or steal it? Who might use it to figure out lifestyle informarion about you that makes it easier to trick you online in the future by knowing just enough to build a sneakier and more believable scam? And so on…

Not hard to tell that Schumer’s up for re-election, is it? He’s grandstanding again.

I’m almost at a loss for words!!! Where are the big government haters?? so its ok for Apple, Google and every other corporation on earth to track you (anonymously or not) but if the government does this to find a bad guy they need a warrant / order from a judge to “ping” your cell phone to find out where the criminal or alleged criminal is located???? but do it for profit it’s okay???
Albeit one is in a public place and everyone around you sees the same thing as the “billboard” and there will be those that say you are on a public street and have no “reasonable expectation of privacy” as the law always states…but the people on the street don’t collect the data for later use do they? Also what if the government want to serve a subpoena on the corporation to find out if a bad guy was in fact at the very spot at a particular time/date??? what about a hack/ what about a rogue employee? i agree with ejhonda above why not have an “opt in” program code? but everyone knows the data would be quite sparse indeed and therefore less profit for the Apples, Googles, etc.etc…this way they just “sneak it in” rather surreptitiously without really telling you much…and they all then say “its for a better shopping / browsing experience for you…trust us we do all this hiding behind BIG CORPORATE walls while those big bad government people do it openly in a public court room that is later provided to the defense attorney …they are the ones you have to fear and be careful of…

Good afternoon, Mr. Yakamoto. How did you like that three-pack of tank tops you bought last time you were in?

Love the reference. Soon we’ll have chips in our hands to pay for things linked to our bank account.

If you turn off WiFi scanning on your Android device, will that prevent marketers from picking up your MAC address? And is MAC masking still a feature in iOS 9?

The bottom line is you are tracked wherever you go. This is nothing new. Every time you buy something with a credit/debit card, every time you sign up for an email list, every time you shop online, or even browse, you are being tracked. All this information is being collected about everyone everywhere who uses modern technology. If you don’t want to be tracked, don’t go outside. Don’t use a phone, or email, or the internet. There are also ways around this. Programs/apps that can limit what information is tracked/shared, but in the end it will be futile. I can go online right now and find out everyone who ever owned your home, how much they paid for it, how much they paid in taxes, etc. I can pay $30 and with only your first and last name I can find out every address you ever lived at, every phone number you ever had associate with you, any bills you are past due on, where you shop, what crimes you’ve committed and so much more. Say I’m a criminal and I’m scoping out a neighborhood. I look up an address. Find out who you are. Look you up and find your information, find out where you work. Look at your social media profiles. Learn everything about you. Learn you habits, track you myself. Hack your wireless internet, plant a bug in your router, or hack into your computer sitting in my car in the front of you house. Seriously. All it takes a malicious intent. So, MAC address tracking is by far the LEAST of your concerns about privacy.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?