Have a Wi-Fi-Enabled Phone? Stores Are Tracking You

jfruh writes "Call it Google Analytics for physical storefronts: if you've got a phone with wi-fi, stores can detect your MAC address and track your comings and goings, determining which aisles you go to and whether you're a repeat customer. The creator of one of the most popular tracking software packages says that the addresses are hashed and not personally identifiable, but it might make you think twice about leaving your phone on when you head to the mall."

Change your MAC address

[Anonymous Coward]

Change your MAC address to a pseudo-random one every time you go out of your main home or work environment. It's possible on android and iOS devices.

Re:Why does this matter?

[Jah-Wren Ryel]

No, that's not what it means at all. It means they'll be able to better tailor their store to profit off of you. Generally, that's not a good thing for you.

That is worth repeating. All of this "personalization" stuff is not about making your shopping experience better, it is about maximizing the amount of money you spend. Any benefit to you is purely incidental.

I Smell a DOS prank

[Jah-Wren Ryel]

Presumably they are looking for the initial broadcast packet that starts the handshake to establish a wifi connection with a base station. Seems like you could mess with these guys if your phone had an app to dynamically change the MAC address on every handshake, you could also speed up the rate of such handshake initiations. Wander the aisles for a half hour and the store's now got a million bogus entries in their tracking database.

Re:Why does this matter?

[calzones]

The trouble starts when all mac address's activity gets logged into big data and stays there.
Then later on, your mac address gets cross-referenced with your real name and phone number and personally identifying data some day (because, for example, you may frequent Starbucks or locations that feature free wifi).

Suddenly, without anyone really trying, your every movement throughout the day just became trackable and they know how to reach you.

Re:Here's what's really scary... not really...

[_avs_007]

Not that it matters, but it doesn't work that way... (My full time job involved researching proximity algorithms)... Using Wifi as proximity, you can tell that say these 5 particular people are in a room, but you have zero idea the spatial relation of each of these 5 people to each other, without the aid of other sensors. Wifi or bluetooth will not give you spatial relationships in any meaningful manner.

For example, if my signal strength to the AP is 80%, and your's is 80%, that does not mean we are next to each other. We can be on opposite sides of the AP, or we can be at some other arbitrary location, where each of us has a different obstacle blocking the direct line of site to the AP, reducing the signal strength by differing amounts. Plus we have no idea what the transmit power is on each device.

You may be able to get a reasonable guesstimate of proximity to the AP, but not spatial orientation to the AP. (ie, you are within 20 ft of the AP, but you don't know in which direction), and certainly not between each peer. The phone will not be able to give you proximity information to another phone using wifi, because the stock chipset on Android and iOS does not give you access to read these beacon packets from arbitrary un-connected devices. I've been able to get it to work in the lab, but only when I use specific hardware/chipsets, with special drivers/firmware.

So all I'm saying is that people are making this to be a bigger deal than it is.

Can be used to catch people too..

[Anonymous Coward]

We had someone vandalize one of our cars. Long story short, it was my sons X girlfriend. See lives about 60 miles away but at 3:20am, I saw her iPhone attach to my access point. I knew it was hers because I've seen it in the logs from when she was welcome in the house. That time in my logs matched the time frame a neighbor saw someone running through our yard. It never actually made it to a court but she admitted it when questioned by the police.

I live in a pretty rural area and you have to be much closer to my house than to anything else in the public right of way to get my signal. I've thought of and have done some research about scanning and looking for devices in the area just like the article describes. I have an open wi-fi AP that goes no where now but logs and I don't actively probe yet.

Re:Turn off wifi

[Spiridios]

I've been using Llama pretty much since I got my first Android phone almost two years ago and they've been pretty open about why they need such and such new permission. In fact, if you read through the description, instead of jumping to the permissions directly, you'll see a description of why they need a few of the permissions, including calendar access. Put simply, if you want a 3rd party program to do things, you kind of need to grant permission to do those things. Granted, it would be nice if Android allowed you to grant subset permissions only for the things you use, but this is unfortunately how Android is.

Re:just don't automatically join public wifi

[fearofcarpet]

Still it seems like collecting data for no obvious reason, just to know that some one came into the store who spent time in the Shoes department 6 weeks ago.

I think the idea is that information now has value, particularly when it can be associated with consumer habits. Whether or not the grocery store cares how frequently a particular MAC address visits their store, when compiled into a large enough data set--so the logic goes--and cross-referenced with other large data sets, you can mine information that would be otherwise impossible without something intrusive like a survey. The MAC address also contains information about the chipset in your phone, when it was manufactured, etc. It isn't that much further to guessing your income, where you live, and eventually your shopping habits. Even without knowing your name, you could imagine a "smart" grocery store adjusting prices in real-time just, sort of like how airlines drop cookies to see if you have already searched for a ticket so they can keep the price high just for you. It's the high-tech version of the Ralph's Club Card; they want you to use it when you make purchases to track you, but now they can do it without your name or any personal information or anything proactive on your part.

My feeling is that people find it creepy when a computer knows their name. Not many people wants to walk into the grocery store and hear a computer say "Hey Bob Smith, nice to see you again! Pizza bagels are on sale, and I know how much you like those." But if the grocery store sees "consumer type A431" approaching, the sign for pizza bagels may light up and blink "Sale! Sale! Sale!" which is intrinsically less creepy despite accomplishing the same thing. I could imagine doing that just with you MAC address and your approximate height and weight, which is easy to get from the self-checkout machine (it has a camera and weights things). The computer says "5'9", 235 lbs, $500 phone; clearly a Slashdot reader. I'll put the Hot Pockets, Mountain Dew, and hand lotion on special next time I see that MAC address hash."

Your phone still scans

[dutchwhizzman]

Your phone will still occasionally be sending packets to see if a known access point/SSID will reply. This is so access points with "hidden" SSIDs will still be found. Most devices just do this and there is no option to disable it, apart from disabling wifi completely. This is enough to see if someone with wifi enabled on their device is hanging around.

Even more disturbing, if an access point with the correct SSID replies with no encryption, a lot of devices will automatically try to attach to that AP. By mimicking the identification protocol the device asks to use, you can even get it to attach to your rogue access point; just tell it it's credentials are accepted and it will merrily use your AP without any user interaction.