Smartphone Tracking: How Close Is Too Close?
There you are, strolling down the coffee and tea aisle at the supermarket when you get an alert on your smartphone that you can get extra points in the store's reward program if you purchase a certain brand of coffee. Are you annoyed -- or perhaps really vexed -- that you have been tracked with such precision that the merchant knows not only that you are in the store -- but also which food aisle you are in? Or are you pleased to take advantage of the extra reward points?
The U.S. Federal Trade Commission recently launched an initiative to figure out whether the increased precision of smartphone location tracking -- almost to the point of continuous monitoring of a person's movements -- raises legitimate privacy issues. The agency earlier this year conducted an open forum on the issue of mobile device privacy and invited public comment through mid-March.
The FTC focused on the functioning of the Media Access Control, or MAC, address installed during the manufacturing of smartphones. When smartphones are turned on, the devices emit signals that facilitate WiFi and Bluetooth connectivity, and those signals carry the MAC address. As a result, the location of the phone -- and the person carrying it -- can be followed electronically.
Most of the commercial location tracking discussed at the FTC forum involves a signal called a "probe packet," which is transmitted even if the device owner is not actively connected to any particular WiFi network, according to Seth Schoen, senior staff technologist at the Electronic Frontier Foundation, who spoke at the forum. Because the probe is transmitted under all circumstances, a tracker can rely on it whether or not the device ever joins a network.
Electronic Eavesdropping Worries
Commercial data collection firms tap into the MAC signals emitted from mobile devices and obtain location information that can be used by retailers and others. Marketers use the information to find individual consumers via their smartphones in real time.
"The open WiFi network and any parties eavesdropping on local WiFi communications can learn the MAC address of your mobile phone," noted Latanya Sweeney, chief technologist at the FTC.
"It's not just a commercial marketer who can access this data in conformity with some business protocol. At the FTC forum, it was shown that it's fairly easy for anyone using a laptop to gain access to MAC addresses," Schoen told the E-Commerce Times.
Retailers and other businesses have begun tracking consumers' movements throughout and around retail stores and other venues using signals emitted from mobile devices, according to the FTC.
Companies can use these technologies to reveal information about consumers including the path taken throughout a location, length of time in one location, whether a visitor is new or returning, and the frequency of visits to a location. In most cases, this tracking is invisible to consumers and occurs with no consumer interaction. As a result, the use of these technologies raises a number of potential privacy concerns and questions, the agency said.
In seeking comments, the FTC posed some questions that it felt needed exploring:
- What types of mobile device tracking are companies currently implementing and what are the potential future uses of these technologies?
- What are the similarities or differences between mobile device tracking and online tracking?
- What types of information and benefits do retailers gain from these technologies?
- What benefits do consumers derive from these technologies?
- What are the privacy and security risks associated with these technologies and what information and choices are provided to consumers about this type of tracking?
The Legal Connection
One question discussed at the FTC forum was whether consumer privacy was significantly affected by tracking MAC signals.
Tracing a mechanical product rather than a person does not necessarily compromise privacy, some representatives of the retail sector contended.
"There's a lot of discussion in this field about tracking," Mallory Duncan, senior vice president and general counsel for the National Retail Federation, pointed out at the forum. "One could just as easily substitute the word 'observing' and it sounds less scary."
Location data can be used by retailers to improve store layout, reduce congestion within a store, and implement other efficient practices that benefit both the store owner and the consumer, Duncan noted.
Retailers who track signals from smartphones or tablets through a store to see where customers are stopping or lines are forming aren't doing any more than they could by observing customers visually, he said.
MAC location data arguably could be used for purposes that are potentially far more intrusive than just checking traffic flow in stores.
"Even though the MAC address identity is for the phone device and not the person, there is still a privacy issue, because many consumers have their smartphone on almost continuously, such that the phone and the personal identity are virtually the same," Gautam Hans, a fellow at the Center for Democracy & Technology, told the E-Commerce Times.
When MAC tracking firms supplement location information with related demographic and geo-data, the threats to personal privacy expand dramatically, both Hans and Schoen noted.
The FTC has addressed privacy issues from the perspective that collecting personal data could be a "deceptive practice," under federal law, unless consumers are made aware of it.
"We feel that the FTC has a proper role here from its standing authority on privacy issues stemming from the unfair and deceptive practices component of the Federal Trade Commission Act," Hans said.
Debating Whether a Fix Is Necessary
Various consumer protection approaches were discussed at the forum, including the use of signage in stores, providing electronic notices to consumers, and opt-in or opt-out choices.
A group of companies that track smartphone signals, known as "location analytics" firms, last year adopted a voluntary code of conduct for mobile privacy. The code calls for store signage notices, and it requires that companies using the technology to collect data limit how the information is used and shared, and how long it may be retained.
The FTC itself has not proposed any specific rules regarding the MAC address issue. The FTC conducted the forum "in order to educate the agency and all relevant stakeholders on this emerging area," Amanda Koulousias, a staff attorney at the FTC, told the E-Commerce Times.
"The forum and comment period are not related to a rulemaking. We will use the information gathered to learn about the issues from a variety of perspectives and to inform a staff report on this topic," she said.
The NRF feels that the adoption of government regulations or industry codes is premature.
"The overwhelming majority of the industry is not at a point that we think this code has all the elements that we think are necessary or appropriate," Duncan said.
"To suddenly proliferate whole bunches of new signs -- either for this technology or for other technology that is used to accomplish essentially the same thing -- strikes me as a bridge too far at this point, in light of what is actually happening," he remarked at the forum.
One question regarding notification -- whether through voluntary codes or regulation -- is how enforcement can be implemented. Another factor is that consumers are currently inundated with so many permission notices that such techniques are losing their effectiveness.
Addressing the issue from the context of a legal disclosure may simply be inappropriate, while a technology approach would be worth exploring, EFF's Schoen noted. He questioned why device makers and their standards organization opted for a single, unchanging MAC signal for each phone in the first place.
"My suggestion is that mobile device MAC addresses should change frequently, such as when a device moves from one network to another, or when it's not connected to any network, or perhaps on some fixed-time schedule," he said.
"I also think it would be useful to build into mobile operating systems a feature to let a user easily change their MAC address to a new random one," suggested Schoen, "although the privacy benefits would be much greater and much more widely enjoyed if this were automatic rather than manual."
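The rotation policy Schoen proposes, sketched as an added example (not code from the article or from any device vendor): a random, locally administered address is regenerated when the device changes networks, while it is unassociated, or after a fixed age, and the result is compared with what a passive listener logs for a fixed factory address. The `MacRotator` class, the 900-second age, the factory address and the visit list are assumptions constructed for illustration.

```python
import secrets
import time

FACTORY_MAC = "00:11:22:33:44:55"  # constructed sample of a fixed, globally unique address

def random_private_mac() -> str:
    """Random unicast MAC with the locally administered bit set."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # bit 1 = locally administered, bit 0 = 0 for unicast
    return ":".join(f"{b:02x}" for b in raw)

def is_locally_administered(mac: str) -> bool:
    """True when the address is not a manufacturer-assigned one (what an auditor checks)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

class MacRotator:
    """Hypothetical policy: new address on network change, while unassociated, or on a timer."""
    def __init__(self, max_age_s=900.0, clock=time.monotonic):
        self.max_age_s = max_age_s
        self.clock = clock
        self.network = None
        self.mac = random_private_mac()
        self.issued_at = clock()

    def current(self, network):
        """network is the joined SSID, or None while the device is only probing."""
        now = self.clock()
        moved = network != self.network
        expired = now - self.issued_at >= self.max_age_s
        if moved or network is None or expired:
            self.mac = random_private_mac()
            self.issued_at = now
        self.network = network
        return self.mac

# Constructed sightings: (seconds since start, network or None when unassociated)
VISITS = [(0, None), (60, None), (120, "cafe"), (300, "cafe"), (1200, "cafe"), (1300, "home")]

def observed_addresses(visits, rotate):
    """Addresses a passive listener would log for each sighting."""
    now = [0.0]
    rot = MacRotator(clock=lambda: now[0])
    seen = []
    for t, network in visits:
        now[0] = t
        seen.append(rot.current(network) if rotate else FACTORY_MAC)
    return seen
```

With the fixed address every sighting links to one device; with rotation the only sightings that share an address are the two taken on the same network within the age limit.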