Looking for laxatives, miss? Shoppers stalked via smartphone Wi-Fi

The FTC has now settled with a New York startup that stealthily tracks the movements of Americans around stores using their smartphones' Wi-Fi signals. The regulator alleged [PDF] in late 2013 that Nomi Technologies broke the FTC Act by not being totally upfront with shoppers. Nomi's Listen service is used by retail chains to …

  1. John 104
    Coat

    What Stores....

    I'd like to know what stores employed this snooping so I can stop shopping there...

    Oh, and first post.

    Mine's the one with the 386DX-40 in the pocket...

    1. Antonymous Coward
      Thumb Up

      Re: What Stores....

      Ahhh.... you've reminded me of the days when AMD (and Cyrix) were competitive and interesting progress made desktop processing exciting!...

    2. DropBear
      Happy

      Re: What Stores....

      "Mine's the one with the 386DX-40 in the pocket..."

      Yeah, but does it come with a "Turbo" button and jumpered LED display to show the clock frequency...?

    3. Mark 65

      Re: What Stores....

      Who cares what stores, just turn off your wi-fi. When you're not in range of a known point it is just an attack vector and battery drain.

  2. Neil Barnes Silver badge
    Paris Hilton

    Am I the only person in the world

    who has both WiFi and Mobile Data turned *off* unless and until I want to use it?

    1. Anonymous Coward

      Re: Am I the only person in the world

      No, you're not.

      1. Triggerfish

        Re: Am I the only person in the world

        No but it's unusual, people at my place think my phone's locked down to paranoid levels (it's not btw, just things like location, etc turned off when not in use). There's becoming a changing attitude to privacy especially the younger generations, who seem to have grown up without knowing what it really was.

        1. frank ly

          Re: Am I the only person in the world

          As well as sensible paranoia, I like to keep the battery charge up rather than drain it for no good reason. If I want to check e-mail, I'll turn mobile data on. The last time I tried to use free WiFi, I saw banner adverts for the WiFi provider across the top of the screen on every browser page.

    2. M Mouse

      Re: Am I the only person in the world

      Not the only person wrt Wi-Fi (and in my case Bluetooth), but I don't turn mobile data off very often (2 contracts with unlimited data, one with unlimited tethering option).

      Just seems daft to have GPS, Bluetooth and Wi-Fi enabled if you are out shopping, simply for battery life.

      In the USA, I thought the FCC had plans to require all handsets to be trackable to about 50 meters, or 50 feet, though I don't know if that is current or future for coming into effect, but clearly it's only when you want to be "registered on the network" to send/ get calls, texts, data.

      1. Antonymous Coward
        WTF?

        Re: Am I the only person in the world

        "one with unlimited tethering option"

        Who? Where? How much? Still accepting subscribers?... or are you one of the jammy s*ds who got on "the one plan"?

      2. Phil O'Sophical Silver badge

        Re: Am I the only person in the world

        Just seems daft to have GPS, Bluetooth and Wi-Fi enabled if you are out shopping, simply for battery life

        I was quite surprised how much difference turning off bluetooth made to battery life, when I was travelling and had a hire car with no hands-free. As for WiFi I'd say it's off 95% of the time, for the same reason.

    3. Adam 1

      Re: Am I the only person in the world

      >Am I the only person in the world

      who has both WiFi and Mobile Data turned *off* unless and until I want to use it?

      Yep. It's how we know it's you wandering around.

  3. The Man Who Fell To Earth Silver badge
    WTF?

    WiFi only?

    Or did they use StingRay tech to spoof cell towers to track those people who don't walk around with their phone's WiFi turned on?

  4. Notas Badoff
    Childcatcher

    Opt Opt Opt

    So does the implicit extension of this ruling require stores to say how many people are watching the in-store security cameras and for what purposes? Given the number of anti-shoplifting cameras that already exist in these stores, if you simply temporarily hired enough 'researchers' to report on shoppers 'footfall' by watching the monitors and making manual notes, that would be the same thing as just ruled illegal?

    Would stationing an employee outside on a mall bench and having them manually note 'walk-bys' vs. 'walk-ins' vs. 'window-shopping' be a violation of people's legal rights?

    This really seems like "technology is evil!" so rule against them.

    1. Vector

      Re: Opt Opt Opt

      Two differences with this Nomi thing:

      1) Hiring enough "researchers" to track people across security feeds would be prohibitively expensive and hugely error prone, possibly to the point of making the data useless in addition to the expense.

      2) Such a program would only provide a profile from your company's stores not the multi-client profile I suspect Nomi is providing.

      Funny thing about all this: The FTC didn't do a damn thing about the privacy invasion. They just made Nomi stop claiming that an opt-out was available. whee. Way to have our backs, guys!

    2. dan1980

      Re: Opt Opt Opt

      @Notas Badoff.

      Technology isn't evil but it can change a situation enough that analogies with more 'conventional' methods and scenarios can fall down.

      This is an area where laws haven't kept pace but, unlike copyright - where there is huge money to line politicians' pockets - there seems to be no push to 'fix' things.

      As Vector has said, collecting and collating all this data manually, while possible, is simply not practical as it would cost more than they would earn and indeed be very error-prone.

      Tracking shoppers manually in the manner you have identified has indeed been possible for a long time but the fact that it is not actually done shows that it isn't feasible. Thus, there is an inherent barrier that protects people from this type of monitoring. This technology drastically lowers that barrier so that it is now profitable for companies to undertake such monitoring.

      This is similar to the bullshit that people like Malcolm Turnbull and the Attorney General were spouting here in Australia about how the new metadata retention laws were really nothing beyond what is already permissible.

      One of the analogies given was that, as it is fully permissible to watch people going in and out of a lawyer's offices, there is really no problem in collecting data about people accessing a lawyer's website. This falls down as soon as you give it any thought for the same reason as the idea that this Wifi-tracking technology is no different to watching a security camera - you can't task police officers to stand outside every lawyer's office in the country and record who goes in and out.

      So, while 'technology' does not necessarily provide a specific feature (e.g. tracking a customer around a store) that was not previously possible, it does allow these features to be used across-the-board, which is rather a different proposition.

      That said, as this specific technology tracks people via a unique value, it does provide something that a manual process doesn't - correlation between multiple locations. Sure, you might always get your groceries from the same local supermarket but what happens when that supermarket is owned by a group that also owns hardware stores and service stations and convenience stores and bottle-shops and department stores and so on?

      So, this technology allows stores to match up data across different locations and businesses that they operate - something that would not be possible manually.

      Even more basic, manually monitoring would not (reliably) allow you to track people across multiple visits to the same store, which is something that is extremely useful - how often do individual people shop and how does this vary by area? Are people doing smaller, more frequent shops or fewer, larger shops?

      It really is a level of tracking that has not previously been available - it is creating a profile of people.

      The other obvious point is that the use of security cameras is usually advertised and even when it isn't, they are often visible (that's part of the deterrent) and are expected anyway. I would suggest that most normal people expect that they will be filmed on a security camera as they walk around a store. I doubt any 'normal' people knew they were having their phones tracked.

  5. This post has been deleted by its author

  6. ecarlseen

    Apple fixed it for you.

    Use an iPhone - they now randomize MAC addresses when scanning for WiFi networks to avoid just this sort of tracking.

    1. Harry the Bastard

      Re: Apple fixed it for you.

      unless/until you connect to free wifi, at which point the device's true mac is used and trackable

      afaik apple hasn't published details of how these 'random' mac addresses are generated and shuffled, if it were truly random within mac space they'd risk duplication of legitimate macs, so presumably they instead use a smaller block registered to apple, but if they use a small fixed per-device pool then over time it'll still be possible to infer device id

      but it's no big deal, mac anonymity is a red herring, idevices are still trackable by other means

      more interesting is that apple introduced the feature around the same time that ibeacons were launched, a cynical person might think there was a connection and that apple's motivation was not this sham privacy but simply to disrupt established companies with push wifi tracking and boost a new imonopoly for app-based pull tracking via the beacon (if you use the app, you're agreeing t&c and you are then 100% trackable), though of course ibeacon has no special appleness, any ble beacon plus app will do the trick irrespective of platform

    2. Alan Brown Silver badge

      Re: Apple fixed it for you.

      [apple mac randomisation]

      There are android apps for this too (standard in quite a few roms).

      As noted, the caveat is that this only works until the phone connects to an access point, which is why at least one of the android apps periodically flips the MAC unless the AP is trusted.

      > afaik apple hasn't published details of how these 'random' mac addresses are generated and shuffled

      With 48-bit address space, being truly random is fine. All you need to do is check for any MACs within earshot and not use those.
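Added example, not part of the thread and not Apple's or any Android app's actual scheme: a sketch of the approach the two comments above discuss. It picks a random address with the IEEE 802 "locally administered" bit set, so it cannot collide with a manufacturer-assigned MAC, and skips any address already seen nearby; the function names and sample addresses are constructed for illustration.

```python
import re
import secrets

LOCAL_BIT = 0x02      # U/L bit of the first octet: 1 = locally administered
MULTICAST_BIT = 0x01  # I/G bit of the first octet: 1 = group (multicast)
_MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")


def parse_mac(text):
    """Return the 6 raw bytes of a MAC written as aa:bb:cc:dd:ee:ff or aa-bb-..."""
    norm = text.strip().lower().replace("-", ":")
    if not _MAC_RE.fullmatch(norm):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(norm.replace(":", ""))


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac):
    """True for addresses outside the manufacturer-assigned (OUI) space."""
    return bool(parse_mac(mac)[0] & LOCAL_BIT)


def random_local_mac(in_use=(), rng=secrets.token_bytes):
    """Pick a random unicast, locally administered MAC not present in in_use.

    rng is a hypothetical hook (n -> n random bytes) so the logic can be tested.
    """
    taken = {parse_mac(m) for m in in_use}
    while True:
        raw = bytearray(rng(6))
        # Force "locally administered" on and "multicast" off; 46 bits stay random.
        raw[0] = (raw[0] | LOCAL_BIT) & ~MULTICAST_BIT
        if bytes(raw) not in taken:
            return format_mac(raw)


if __name__ == "__main__":
    # Constructed sample: addresses "within earshot" of the device.
    nearby = ["00:11:22:33:44:55", "02:00:00:00:00:01"]
    fresh = random_local_mac(nearby)
    print(fresh, is_locally_administered(fresh))
```

The same `is_locally_administered` check is how a network operator can tell randomized probe addresses apart from burned-in ones when reviewing what its own access points log.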

  7. elDog

    So everybody could also set up these wifi spying stations?

    Thanks for giving me some great ideas!

    Anybody (not me) could plant a cheap ($20?) access point in front of every porn venue, mistress's home, bookie shop, dope joint, foreign consulate, etc. and be able to track the Johns that visit? Of course the (un)intelligence agencies are already doing this but it's a bit inconvenient to get them to divulge their stash.

    1. DropBear
      Trollface

      Re: So everybody could also set up these wifi spying stations?

      "in front of every porn venue, mistress's home, bookie shop, dope joint"

      I'm hereby filing a FOIA request for that list to be publicly released forthwith because... ummm... reasons. Purely academic interest, of course.

  8. Spaceman Spiff

    If you aren't using it

    If you aren't using the WiFi on your phone, then disable it! Nomi isn't the only one tracking you via WiFi!

  9. wyatt

    I used a wifi sniffer on a trip to Asda, the number of access points went on for pages.. They're all doing it, turn it off if you don't want to be tracked seems to be the only way to escape.

    1. M Mouse
      WTF?

      Um, 'Nomi' tracking or WAP ?

      a) Asda offers free EE Wi-Fi to customers (so there are bound to be some access points)

      b) I'm betting that while some of the bar code reader kit will have internal storage, some lookups may be done via Wi-Fi if an item isn't found in local storage, so there'd be Asda staff-only WAPs possible, too.

      c) How can you be sure all the access points are from Asda?

      Only ask (c) because on my way to Asda there are 6 blocks of flats (and another 2 that I don't pass). I expect that a few signals from nearby homes/ offices would be detected in Asda (I'm at the end of a cul-de-sac but have identified at least a dozen different routers (mix of Sky, TT, VM, BT and some where I have no idea - not been nosy either)). Then again, there are 6 SSIDs from my neighbour's property (not included in the dozen I mentioned earlier).

      1. John Brown (no body) Silver badge

        Re: Um, 'Nomi' tracking or WAP ?

        "c) How can you be sure all the access points are from Asda?"

        That's easy. They are enormous warehouses surrounded by car parks and WiFi doesn't reach all that far.

        You do raise a good point in that it's quite likely that there are WiFi points for the hand held readers/pricing printers.

  10. Tony W

    An app for that

    There are Android apps that will turn WiFi off and on depending on what cell tower you're connected to, so you don't have to remember to turn it off when you leave home. I installed one to save battery and control attempts to connect to open networks. Takes a couple of seconds to override when I want to. Don't know about iPhone.

  11. Donald Atkinson

    Never heard of them

    But thanks for the link to the opt out page. That's done & dusted.

    Assuming that they aren't just collecting and selling the opt out list......

  12. MrDamage Silver badge

    Erm, what?

    "and the number of people walking past a storefront without entering."

    So let me get this straight. You have to go into a store that you have no intention of visiting, in order to find out they are using a privacy snooping tracking system, so you can then spend ages trying to find a way to opt out of it on one of their hidden web pages?

    Nuke the twunts from orbit.

    1. Azzy

      Re: Erm, what?

      Well, according to this order, they can go ahead and do that, as long as they don't tell you that you can opt out, if I read that correctly...

  13. Anonymous Coward

    Startups:...... Any chance of inventing Hover cars?

    Guess that's too much to ask... So endless Tracking & Ad-Slinging it is then...

  14. John Brown (no body) Silver badge

    "We are pleased to reach this agreement. "

    Really? It seems the public statements made by companies who get caught are always "pleased" at the outcome.

    Although in this case the only thing they got told off for was claiming there was an opt-out without telling people how to find it. As others have mentioned, not having an opt-out at all seems to be all fine and dandy.

    I take it the USA has no "personal data privacy" laws or doesn't recognise a MAC address as personally identifiable data, even when married to all the date/time/location data being collected at the same time. I wonder if they track your location to the tills and match your MAC to your credit card transaction? That would be creepy.

  15. Ian Michael Gumby

    There is no opt-out.

    You go to the website you're now tying the mac address to an IP address and to you.

    Just think... what if a government did this?

    You'd be screaming bloody murder.

    Some tech should be left alone.

  16. Anonymous Coward

    lose-lose either way

    I had no idea this spyware existed - until I read this article. So, as I understand it, I have two choices:

    - [ default ]: allow Nomi to spy on me, because I had no idea Nomi was tracking my MAC address without my permission.

    - provide Nomi with my mobile device's MAC address, at Nomi's website, in order to 'opt-out' of being spied on.

    Either way, Nomi gets my device's MAC address. As to what Nomi does with the MAC addresses it collects as part of its 'opt-out' program, that's just about anyone's guess.

    Why is this even legal? Since when do we have to explicitly opt-out of being spied on?

  17. Nameless Faceless Computer User
    Big Brother

    You will never win

    The company failed to see what Apple did years ago - offer a shiny "apple" in exchange for loss of privacy. Want album cover art? Let them snoop your music collection. Want to use Siri? Let the company monitor your social habits. Want live traffic updates? Let the company sniff your GPS location.

    You don't need high tech gadgets to track people's movements. Casinos have been tracking people using facial recognition for years. Kraft and Adidas are on record that they will be installing this technology in the future.

    Turn your wifi and location services off for all anyone cares. Try turning off your face.

  18. Simon Jones [MSDL]

    De-anonymising data

    Theoretically, I suspect they could have really-short-range wifi hotspots at each till and collect the hashed MAC address seen at the time the payment was processed and so get your name, card details, purchase history, even a photograph "from the security camera", etc. If the store was like PC World, etc where they ask for your address "for the warranty" they'd get that too.

    Can you be too paranoid these days, short of wearing a tin-foil hat?

  19. EngineerAl

    MAC addresses - so what?

    OK, so MAC addresses can be picked up and tracked around the store, or in front of the store. I don't think there is any list anywhere of what person has what MAC address, so the address itself is anonymous. If I worked for the company or maybe the store I could maybe work out what the hashed value of my own MAC address is, but without getting a match between randomly observed addresses and real people, so what?
