Forgot your password?
typodupeerror
Privacy Cellphones Wireless Networking Your Rights Online

Have a Wi-Fi-Enabled Phone? Stores Are Tracking You 323

Posted by Soulskill
from the my-decoy-phone-will-fool-them-all dept.
jfruh writes "Call it Google Analytics for physical storefronts: if you've got a phone with wi-fi, stores can detect your MAC address and track your comings and goings, determining which aisles you go to and whether you're a repeat customer. The creator of one of the most popular tracking software packages says that the addresses are hashed and not personally identifiable, but it might make you think twice about leaving your phone on when you head to the mall."
This discussion has been archived. No new comments can be posted.

Have a Wi-Fi-Enabled Phone? Stores Are Tracking You

Comments Filter:
  • first (Score:5, Informative)

    by Anonymous Coward on Tuesday January 22, 2013 @07:34PM (#42662849)
    To turn off the wifi
    • by pikine (771084) on Tuesday January 22, 2013 @08:32PM (#42663497) Journal
      Actually, you don't even need to turn off wifi. Just set your phone to not automatically join any public wifi. Wireless clients, including the phone, compiles a list of access points you can join using the ESSID broadcast from the access point. In other words, the access points just dumbly advertise their presence and don't know who are looking until your device tries to join.
      • This is WRONG. Almost all 802.11 a/b/g/n devices will actively probe for ESSIDs that they have previously used. Your phone is constantly broadcasting for access points.
        • by Chuckstar (799005)

          Why can't the phone just listen? Are WiFi access points quiet until they are actively probed? (I believe you that the phone broadcasts something, just wondering why it was done that way.)

      • by Maow (620678)

        Actually, you don't even need to turn off wifi. Just set your phone to not automatically join any public wifi.

        Wireless clients, including the phone, compiles a list of access points you can join using the ESSID broadcast from the access point. In other words, the access points just dumbly advertise their presence and don't know who are looking until your device tries to join.

        If they're running something like Kismet, then I don't think you need to join anything; they just sniff packets being sent over the air, grab the MAC, and they know your device manufacturer and have a unique ID for you. If I'm not mistaken, a phone with Wifi on will broadcast it's MAC while looking for access points.

        I doubt their ability to determine which aisles of a store you're traversing unless they have a *lot* of antenna set up.

    • by Cammi (1956130)
      Exactly this. And the fact that with Wifi, you use up your battery quicker.
    • No kidding. How valuable is this research?

      "Well Bob, we've determined the spending habits of the demographic stupid-people-who-leave-their-wifi-enabled-and-set-to-auto-connect-to-any-public-hotspot."

  • Turn off wifi (Score:5, Insightful)

    by Anonymous Coward on Tuesday January 22, 2013 @07:35PM (#42662867)

    Most smart phones allow you to turn off wifi.
    I keep mine off most of the time unless I need it that also includes GPS and Bluetolth

    • Of course marketing guys are going to be more creative in tracking you. I automatically turn off my WiFi when I hit the road. I use a car dock with my Droid, and I use a simple app that detects when I put it in the car dock. It will turn off WiFi, and turn on Bluetooth. When I remove it from the car dock, I could either restore the previous WiFi setting, or leave it off. I generally leave it off unless I'm going somewhere I trust the WiFi, like home or the office.
      • Re:Turn off wifi (Score:5, Informative)

        by Spiridios (2406474) on Tuesday January 22, 2013 @08:11PM (#42663241) Journal

        Of course marketing guys are going to be more creative in tracking you. I automatically turn off my WiFi when I hit the road. I use a car dock with my Droid, and I use a simple app that detects when I put it in the car dock. It will turn off WiFi, and turn on Bluetooth. When I remove it from the car dock, I could either restore the previous WiFi setting, or leave it off. I generally leave it off unless I'm going somewhere I trust the WiFi, like home or the office.

        Android has a nifty little program called Llama [google.com] that I use for pretty much the same thing. Get home, WiFi on, leave the house, WiFi off. The tool has other benefits too, like going into silent mode when home at night so random emails don't wake me. But thanks to Llama, I usually don't have to mess with my WiFi settings unless I'm in a strange place that I know has free WiFi and I want to leech off of it instead of my data connection.

        • Re: (Score:3, Informative)

          by javaguy (67183)

          The permissions for the Llama app include:
            - Read calendar events plus confidential information
            - Add or modify calendar events and send email to guests without owners' knowledge
            - Read your contacts
            - Pair with Bluetooth devices

          That seems to be excessive given the functionality of the app.

          • by reboot246 (623534)
            I've noticed that most apps abuse the permissions. Even a freaking flashlight app! Surely they don't need to read my contacts.
          • Re:Turn off wifi (Score:4, Interesting)

            by Spiridios (2406474) on Wednesday January 23, 2013 @12:56AM (#42665747) Journal
            I've been using Llama pretty much since I got my first Android phone almost two years ago and they've been pretty open about why they need such and such new permission. In fact, if you read through the description, instead of jumping to the permissions directly, you'll see a description of why they need a few of the permissions, including calendar access. Put simply, if you want a 3rd party program to do things, you kind of need to grant permission to do those things. Granted, it would be nice if Android allowed you to grant subset permissions only for the things you use, but this is unfortunately how Android is.
          • From their Google Play page [google.com]:

            Llama DOES NOT have internet permission. Your data isn't going anywhere

            Whether or not you believe them is a different issue, but that reassured me at least somewhat. I've been using Llama for a few months now, and really enjoy its functionality.

    • Yeah I don't really see the big deal. WiFi serves to kill your battery if you're not using it anyway, why would you leave it on all the time?
      • by micheas (231635)
        Because wifi kills the battery much slower than 4G? If you have a large number of hotspots that you have access to you can get better battery life than using 4G constantly. (At least I do.)
        • by davidwr (791652)

          Turn off "location" and other "always want the network" apps that you don't need. Put your mail in "on demand" rather than "periodically polling" mode. Set your phone so the only thing it's routinely monitoring for over the air are incoming phone calls and texts.

          At this point your WiFi will be a waste of battery when you aren't actually using your phone.

          Now you can turn off your WiFi and save your battery.

          • by Jafafa Hots (580169) on Tuesday January 22, 2013 @08:36PM (#42663543) Homepage Journal

            Me, I leave my cell phone at home.
            First, I never have a problem with the battery running out during a call...
            Plus I never have calls come in at inconvenient times.
            Also, I don't have to remember to shut it off in movie theaters and doctor's offices.

            These advantages are so great, I'm thinking of inventing a cell phone that can't be taken from your home. Maybe use some kind of tether.

    • Get a decent phone and it doesn't matter because it won't kill the battery. I leave wifi on because I use it so much (even the bus has it) and I don't care if a store tracks me. Given all the other ways they can and do monitor you with that's the best one, imo.
    • This is for my N900 and increases battery life to 3+ days at low usage.

      http://talk.maemo.org/showthread.php?t=45053 [maemo.org]

      Presumably, Droid and Apple with their 100,000 fart apps have something similar.

    • by Darinbob (1142669)

      Even if the wifi is on, how do they know the mac address unless you use their wifi network? You'd have to be a bit naive to just allow your phone to associate with any open point it finds.

    • *all* smartphones allow you to turn off WiFi.

      However, for most people, it's easier to just leave it on all the time, so that it autoconnects to known networks. Just turn off connection to unknown, unlocked networks and you'll be fine.

  • by Anonymous Coward on Tuesday January 22, 2013 @07:37PM (#42662877)

    Change your MAC address to a pseudo-random one every time you go out of your main home or work environment. It's possible on android and iOS devices.

    • by Jane Q. Public (1010737) on Tuesday January 22, 2013 @08:47PM (#42663673)

      "Change your MAC address to a pseudo-random one every time you go out of your main home or work environment. It's possible on android and iOS devices."

      This would be of absolutely no help with an in-store tracking system. They don't care what your MAC address IS, they just use it to track you in the store.

      And despite what the software vendors claim: a tracking system that assigns a MAC address to you walking down an aisle *IS* personally identifiable... as long as you are in the store.

      • It would prevent them from seeing that you're a returning visitor, and while you were looking at computers last time, this time you're in sporting goods, looking at baseball bats to use on said computer.
        I'd imagine that would be the major benefit to these types of a system like this, rather than what you do within any given visit, which makes it a significant help against this type of system.
        Since it would also fill their databases with noise, it would make it much harder for them to get any useful informat

      • by Idbar (1034346)

        They don't care what your MAC address IS, they just use it to track you in the store.

        This is an easy one. If you're in Costco, you'd probably go back to get the toilet paper or paper towel and to the front to get a hot dog.(i.e. If you don't know what your customers visit, based on what they regularly buy you're probably not running your business right).

  • The store gives me free internet access. I don't turn my wifi off in the parking lot.
  • by FSWKU (551325) on Tuesday January 22, 2013 @07:40PM (#42662905)
    Avoid places where this kind of garbage is known to be in use. Turning off the wifi means you have to sacrifice some of the functionality of your phone just to not be tracked. Similarly, the op-out is crap as well. Why should I have to opt out? And what's wrong with the door sensors that have been in use for years to figure out conversion ratios?

    Not that I've gone into a mall recently, but seeing any of the stores using this system would be the best way to make sure I never come back.
    • by LordSnooty (853791) on Tuesday January 22, 2013 @07:53PM (#42663041)
      You're wandering around shouting "i am this address, do you have service" so you can't be surprised if some recipients note that down.
  • Who taped a phone to a blind wombat on PCP?

    That's what my track would look like. I just wander all around the store, grabbing stuff as it catches my eye, contemplating items I'll never purchase, backtracking and crisscrossing the store at random.

    • by hawguy (1600213)

      Who taped a phone to a blind wombat on PCP?

      That's what my track would look like. I just wander all around the store, grabbing stuff as it catches my eye, contemplating items I'll never purchase, backtracking and crisscrossing the store at random.

      That's exactly the kind of information they want: "Customers keep moving from the tools department to kitchenwares, then back to tools. Maybe we should move the two closer together.. or, luggage sales are slow so lets put the luggage between the two departments to get more walk-by traffic".

      You may think your behavior is unique, but aggregated against tens of thousands of people, you might be part of the larger trend.

      • You assume that it matters what I'm looking for and where that stuff is located. It doesn't. Even if I know exactly what I'm buying and where it's located in the store, I still shop like a bump-n-go.

        If "They" can take my data and do something useful with it, resistance is futile.

    • by TimHunter (174406)

      High five, bro! That's exactly what I do. I usually wander randomly around a store for 30 minutes or more before I pick up the thing I came for. Throws 'em off the scent.

      "Always keep 'em guessing!" That's my motto.

  • by AmiMoJo (196126) * <(mojo) (at) (world3.net)> on Tuesday January 22, 2013 @07:45PM (#42662941) Homepage

    Most phones turn wifi off when idle to save power. All the time the wifi is powered down they can't track it.

  • by Anonymous Coward

    Some people say it's time to turn off wifi.

    Not me. I can't wait to hack the o/s to absolutely fuck with this as hard as I can. I hope the phone's drivers support messing with signal and power level.

    I've done it with wardriving, I've done it with my laptop before connecting to any type of wireless point. I've even done it with wireless on my desktop, spoofing a specific authorized mac address of a piece of hardware I no longer own so I didn't have to log in to my access point and add it to the authorized l

    • Make a simple device that sets a new MAC every minute (or whatever their poll time is) and plug it in at the store somewhere unnoticeable. Fill up there their database with crap.

    • by hawguy (1600213)

      Some people say it's time to turn off wifi.

      Not me. I can't wait to hack the o/s to absolutely fuck with this as hard as I can. I hope the phone's drivers support messing with signal and power level.

      I've done it with wardriving, I've done it with my laptop before connecting to any type of wireless point. I've even done it with wireless on my desktop, spoofing a specific authorized mac address of a piece of hardware I no longer own so I didn't have to log in to my access point and add it to the authorized list.

      I'll sniff for MAC addresses, I'll fake them, spoof them, build in a list of different hardware vendors. You'll see the same person in two different isles. You'll see 5000 people enter the store as I cycle through and sequential addresses as fast as I can for five minutes.

      The analytics person is going to have so much fun. 0xdeadbeefbabe all over the place.

      Sure, they'll filter me out. Or notice me as one oddball. But soonr or later those stats are going to get mass corrupted because it's my radio and I can broadcast anything I want as long as it's in FCC regs.

      To whoever it is that'll be debugging that... i'm 20% sorry in advance, and 80% amused at the thought of the hair pulling this is going to cause.

      Uhh...filtering noise like from the data is trivial. The software must already do filtering to filter out devices picked up from users out on the sidewalk passing by the door... when they see a MAC address with a very short track through the store, or a MAC that's moving faster than walking speed, they delete it.

      But soonr or later those stats are going to get mass corrupted because it's my radio and I can broadcast anything I want as long as it's in FCC regs

      You can broadcast anything you want as long as it's withing FCC regs, but if you broadcast something that's not 802.11, you'll automatically be ignored. And the store is most interested in aggregat

  • Gas points (Score:3, Insightful)

    by badford (874035) on Tuesday January 22, 2013 @07:49PM (#42662971)

    They will track your movements with facial recognition cameras.

    Insurance company will know how much butter, beer and beef you are buying.

    Your car will track your driving habits and your TV will track your entertainment.

    They will know when you are happy, sad, indifferent or lonely and will provide a product or service that will hit the spot.

    Just relax. They have your best interest firmly in mind

  • Why do wifi devices broadcast anything when they are not in range of a known SSID? That seems a bit pointless to me.

    Bluetooth tracking like this is very common, because Bluetooth needs to constantly announce its existence so that paired devices know that they must respond. Wifi access points need to broadcast for almost the same reason. But why do regular non-AP non-peer-mode wifi devices broadcast anything? They ought to be silent until they find something to speak to.

  • ...until some one starts spoofing multiple devices just to mess with their data? It would serious mess up their day to see 128 devices in the store but only see 5 people on the cameras.
     
    \would buy that app.

  • by neiras (723124) on Tuesday January 22, 2013 @07:52PM (#42663035)

    Any smartphone can see all the MAC addresses of all phones and access points around it, bluetooth or WiFi (if enabled of course). With GPS positioning on most of those devices and a Giant Corporate Big Brother aggregating the results, all of us are reporting on our proximity to each other.

    We all know that Google's wifi geolocation stuff works this way - by tracking which fixed wifi base stations are in range and correlating with a GPS fix. People forget that Google can also identify other phones within range of your phone, and they know which Google accounts are attached to those devices.

    Google really does know who is sitting next to you on the train or in the coffee shop, who your jogging partner is, and which whore you visit when your wife leaves your general vicinity.

    I bet they do some amazing automated profiling. This guy is a garbage man and works with these people, that guy likes to sit in coffee shops and this woman is usually also present, she's not his wife, so lets advertise couples vacations and cheater sites, this other woman visits a preschool every day and is probably a parent, let's suggest other parents from the same preschool as her Google+ friend...

    • by Jah-Wren Ryel (80510) on Tuesday January 22, 2013 @08:18PM (#42663331)

      We all know that Google's wifi geolocation stuff works this way - by tracking which fixed wifi base stations are in range and correlating with a GPS fix. People forget that Google can also identify other phones within range of your phone, and they know which Google accounts are attached to those devices.

      While that is certainly a possibility, I doubt that it is currently happening because it requires putting the wifi nic into monitor mode in order to sniff for wifi packets from nodes that are not associated with the same access point or ad-hoc network. The vast majority of wifi nics can not transmit when in monitor mode - thus making it useless for normal networking, which would tend to tip people off pretty quickly that something wasn't kosher.

      If you have documented evidence of google using monitor mode on people's phones, bring it on. That is the kind of thing that needs to be widely publicized if it is happening.

      • by jonbryce (703250)

        Supposing I visit some tax-dodging coffee shop. My phone picks up the free wifi there, and reports its location back to Google. Lots of other people who are there enjoying their tax-free coffee flavoured drink have phones which also pick up the free wifi and report the location back to Google. Google therefore knows who is in the coffee shop at the same time as me without my phone picking up other phones directly.

      • by neiras (723124)

        While that is certainly a possibility, I doubt that it is currently happening because it requires putting the wifi nic into monitor mode in order to sniff for wifi packets from nodes that are not associated with the same access point or ad-hoc network.

        No reason at all why this couldn't be done. It's a single command on most Linux systems with a wireless card.

        The vast majority of wifi nics can not transmit when in monitor mode - thus making it useless for normal networking, which would tend to tip people off pretty quickly that something wasn't kosher.

        So do it while the wifi connection is not in active use and the phone is idle in your pocket. Extra credit for enabling wifi without showing an activity indicator. No reason this couldn't be done, either. Quick bursts at idle when phone is not in active use.

        If you have documented evidence of google using monitor mode on people's phones, bring it on. That is the kind of thing that needs to be widely publicized if it is happening.

        I have no such evidence, but I'll be damned if I'm not going to investigate now. I'm guessing that the Google Location Services TOS that every An

    • by _avs_007 (459738) on Tuesday January 22, 2013 @08:19PM (#42663345)
      Not that it matters, but it doesn't work that way... (My full time job involved researching proximity algorithms)... Using Wifi as proximity, you can tell that say these 5 particular people are in a room, but you have zero idea the spatial relation of each of these 5 people to each other, without the aid of other sensors. Wifi or bluetooth will not give you spatial relationships in any meaningful manner.

      For example, if my signal strength to the AP is 80%, and your's is 80%, that does not mean we are next to each other. We can be on opposite sides of the AP, or we can be at some other arbitrary location, where each of us has a different obstacle blocking the direct line of site to the AP, reducing the signal strength by differing amounts. Plus we have no idea what the transmit power is on each device.

      You may be able to get a reasonable guesstimate of proximity to the AP, but not spatial orientation to the AP. (ie, you are within 20 ft of the AP, but you don't know in which direction), and certainly not between each peer. The phone will not be able to give you proximity information to another phone using wifi, because the stock chipset on Android and iOS does not give you access to read these beacon packets from arbitrary un-connected devices. I've been able to get it to work in the lab, but only when I use specific hardware/chipsets, with special drivers/firmware.

      So all I'm saying is that people are making this to be a bigger deal than it is.
      • Not that it matters, but it doesn't work that way... (My full time job involved researching proximity algorithms)... Using Wifi as proximity, you can tell that say these 5 particular people are in a room, but you have zero idea the spatial relation of each of these 5 people to each other, without the aid of other sensors. Wifi or bluetooth will not give you spatial relationships in any meaningful manner.

        The problem is that this is all happening over a long period of time, with a constant location fix. So you're right that a one-time scan of nearby devices is pretty much useless - but looking at who was near me every time I go to my favourite Starbucks over the course of a year will give you a pretty good idea of who is actually there with me.

        Spatial relationships in a room less to Google than knowing who is part of my life, and who to suggest I might want to make part of my life.

      • by jonbryce (703250)

        If there is more than one AP within range, which is quite often the case, I can currently see 7 of them, then it would be possible to figure out whether you are next to each other or opposite sides of the AP.

      • by LurkerXXX (667952)

        All they need are two or more access points and they can triangulate by signal strength.

  • by sigipickl (595932) on Tuesday January 22, 2013 @07:54PM (#42663051)

    Cisco's acquisition of ThinkSmart Technologies was all about leveraging WiFi for customer analytics. http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/thinksmart.html [cisco.com]

    It's more than just tracking who goes in and out of a store- it's about dwell time, product placement and spot marketing.

  • I Smell a DOS prank (Score:5, Interesting)

    by Jah-Wren Ryel (80510) on Tuesday January 22, 2013 @07:58PM (#42663117)

    Presumably they are looking for the initial broadcast packet that starts the handshake to establish a wifi connection with a base station. Seems like you could mess with these guys if your phone had an app to dynamically change the MAC address on every handshake, you could also speed up the rate of such handshake initiations. Wander the aisles for a half hour and the store's now got a million bogus entries in their tracking database.

  • I find WiFi sucks the life out of my phone batteries, it is only ever on when I am specifically using it. Do others really leave it on all the time?
    • by DeeEff (2370332)

      3g/HSPA+/4G sucks more out of your phone than Wifi. Access Point scanning is trivial to your battery life, so if you're always at home or near an access point you can use, you would save battery life by keeping wifi on.

      Also, GPS doesn't turn on unless requested by a process (not service). So leaving GPS on all the time does not affect your battery whatsoever, unless you like to open Maps all day with GPS off.

      • 3g/HSPA+/4G sucks more out of your phone than Wifi.

        True.

        It goes something like:
        1. C/GPU
        2. Screen + backlight
        3. Calls or sending/receiving data
        4. Camera
        5. Vibrate
        6. Screen no backlight
        7. GPS continuously receiving ... with GPS using 10x lower power than C/GPU.

        When idling, your smartphone is using maybe 2 orders of magnitude less power than eg browsing. Since smartphones are idling a lot of the time, these numbers become significant.

        8. Automatic checking whether anyone's messaged you on FB/Twitter is a significant battery killer. I don't have figures for th

    • by mattack2 (1165421)

      Not *all* the time, but e.g. you can get better location data (for your mapping use, not others tracking you) by using the WiFi networks' locations as well as GPS, as the iPhone tells you if you have WiFi off.

      I turn off GPS & cell service (though often including WiFi, in "airplane mode") more often to save battery.

  • That you have WiFi turned on. I leave mine turned off. In fact I only ever turn it on if I want to use a WiFi network. Otherwise 4G service is widespread enough I don't have to do so unless I'm in steel frame buildings.

    So imagine my surprise when I saw at Macy's last night - they have in store WiFi! The evil in my wants to war drive it and see what else I can access.
  • by retchdog (1319261) on Tuesday January 22, 2013 @08:21PM (#42663369) Journal

    if tracking were only ever used for advertising, i would not have any problem with it. my concern about tracking is that people with the power to fuck my life over will get a hold of it and use the data irresponsibly. sorry, but i just don't see how "walked down aisle 3 five times on Sunday" can contribute to that.

    when i see people who are deathly afraid of advertising, i wonder why. there's an old saying among door-to-door salesmen that you hit the houses with signs reading "no solicitors," exactly because the occupants are easily influenced; after all, that's why they put the sign up.

    with two exceptions, i research my purchases meticulously before making them. the exceptions are a limited amount of impulse buys (for example, i know they put the candy bars exactly in that spot to maximize sales, but i don't care; i knew that i'd be buying the damned candy bar before i entered the store) and... actually that's about it. the other exception involves my hobbies, but it's not like i ever go to a fountain pen or book store without a budget anyway. i just let myself enjoy the experience more than other places.

    i'm fairly confident that i am mostly resistant to advertising. in fact, i can identify the ubiquitous re-use of phrases and images that are "proven" by marketing psychologists to influence people and it's just mildly nauseating. now maybe this is the dunning-kruger effect, but looking around my home, i don't see much stuff that i regret buying, so i'm either making good decisions or i am completely brainwashed. i suspect the former.

  • Tasker.... My wifi is turned off unless I am at a location that I want it on. If you own an android phone and dont use tasker, you deserve to be tracked.

  • by matunos (1587263) on Tuesday January 22, 2013 @09:53PM (#42664343)

    That makes up for me stalking their aisles for products and then buying them online for cheaper.

  • by Anonymous Coward

    We had someone vandalize one of our cars. Long story short, it was my sons X girlfriend. See lives about 60 miles away but at 3:20am, I saw her iPhone attach to my access point. I knew it was hers because I've seen it in the logs from when she was welcome in the house. That time in my logs matched the time frame a neighbor saw someone running through our yard. It never actually made it to a court but she admitted it when questioned by the police.

    I live in a pretty rural area and you have to be much clo

Whoever dies with the most toys wins.

Working...