Slashdot Mirror
Have a Wi-Fi-Enabled Phone? Stores Are Tracking You
jfruh writes "Call it Google Analytics for physical storefronts: if you've got a phone with wi-fi, stores can detect your MAC address and track your comings and goings, determining which aisles you go to and whether you're a repeat customer. The creator of one of the most popular tracking software packages says that the addresses are hashed and not personally identifiable, but it might make you think twice about leaving your phone on when you head to the mall."
To turn off the wifi
Most smart phones allow you to turn off wifi.
I keep mine off most of the time unless I need it that also includes GPS and Bluetolth
Change your MAC address to a pseudo-random one every time you go out of your main home or work environment. It's possible on android and iOS devices.
Avoid places where this kind of garbage is known to be in use. Turning off the wifi means you have to sacrifice some of the functionality of your phone just to not be tracked. Similarly, the op-out is crap as well. Why should I have to opt out? And what's wrong with the door sensors that have been in use for years to figure out conversion ratios?
Not that I've gone into a mall recently, but seeing any of the stores using this system would be the best way to make sure I never come back.
"So after all this, you make my case for me. To end this stalemate, you must die..."
Most phones turn wifi off when idle to save power. All the time the wifi is powered down they can't track it.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Some people say it's time to turn off wifi.
Not me. I can't wait to hack the o/s to absolutely fuck with this as hard as I can. I hope the phone's drivers support messing with signal and power level.
I've done it with wardriving, I've done it with my laptop before connecting to any type of wireless point. I've even done it with wireless on my desktop, spoofing a specific authorized mac address of a piece of hardware I no longer own so I didn't have to log in to my access point and add it to the authorized list.
I'll sniff for MAC addresses, I'll fake them, spoof them, build in a list of different hardware vendors. You'll see the same person in two different isles. You'll see 5000 people enter the store as I cycle through and sequential addresses as fast as I can for five minutes.
The analytics person is going to have so much fun. 0xdeadbeefbabe all over the place.
Sure, they'll filter me out. Or notice me as one oddball. But soonr or later those stats are going to get mass corrupted because it's my radio and I can broadcast anything I want as long as it's in FCC regs.
To whoever it is that'll be debugging that... i'm 20% sorry in advance, and 80% amused at the thought of the hair pulling this is going to cause.
I would have thought they'd already be doing this with credit card details since forever anyway, and getting much more informative data to mine as a result.
// MD_Update(&m,buf,j);
They will track your movements with facial recognition cameras.
Insurance company will know how much butter, beer and beef you are buying.
Your car will track your driving habits and your TV will track your entertainment.
They will know when you are happy, sad, indifferent or lonely and will provide a product or service that will hit the spot.
Just relax. They have your best interest firmly in mind
-badford
No, that's not what it means at all. It means they'll be able to better tailor their store to profit off of you. Generally, that's not a good thing for you.
Any smartphone can see all the MAC addresses of all phones and access points around it, bluetooth or WiFi (if enabled of course). With GPS positioning on most of those devices and a Giant Corporate Big Brother aggregating the results, all of us are reporting on our proximity to each other.
We all know that Google's wifi geolocation stuff works this way - by tracking which fixed wifi base stations are in range and correlating with a GPS fix. People forget that Google can also identify other phones within range of your phone, and they know which Google accounts are attached to those devices.
Google really does know who is sitting next to you on the train or in the coffee shop, who your jogging partner is, and which whore you visit when your wife leaves your general vicinity.
I bet they do some amazing automated profiling. This guy is a garbage man and works with these people, that guy likes to sit in coffee shops and this woman is usually also present, she's not his wife, so lets advertise couples vacations and cheater sites, this other woman visits a preschool every day and is probably a parent, let's suggest other parents from the same preschool as her Google+ friend...
Isn't a hashed MAC address going to be the same every time? Seems like it would be easy to match the phone to a person if they made a couple credit card purchases on separate trips into a store.
Correct, hashing does not do anything useful here except keep up the pretence. Well it prevents multiple-vendor networks from combining logs from different vendors, but I bet all monitoring devices from a single vendor use the same hash.
Finally! A year of moderation! Ready for 2019?
Cisco's acquisition of ThinkSmart Technologies was all about leveraging WiFi for customer analytics. http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/thinksmart.html
It's more than just tracking who goes in and out of a store- it's about dwell time, product placement and spot marketing.
Never trust anyone who takes pride in being called a 'geek'....
No, that's not what it means at all. It means they'll be able to better tailor their store to profit off of you. Generally, that's not a good thing for you.
That is worth repeating. All of this "personalization" stuff is not about making your shopping experience better, it is about maximizing the amount of money you spend. Any benefit to you is purely incidental.
When information is power, privacy is freedom.
Presumably they are looking for the initial broadcast packet that starts the handshake to establish a wifi connection with a base station. Seems like you could mess with these guys if your phone had an app to dynamically change the MAC address on every handshake, you could also speed up the rate of such handshake initiations. Wander the aisles for a half hour and the store's now got a million bogus entries in their tracking database.
When information is power, privacy is freedom.
The trouble starts when all mac address's activity gets logged into big data and stays there.
Then later on, your mac address gets cross-referenced with your real name and phone number and personally identifying data some day (because, for example, you may frequent Starbucks or locations that feature free wifi).
Suddenly, without anyone really trying, your every movement throughout the day just became trackable and they know how to reach you.
Asking people to think is like asking them to buy you a new car
Not that it matters, but it doesn't work that way... (My full time job involved researching proximity algorithms)... Using Wifi as proximity, you can tell that say these 5 particular people are in a room, but you have zero idea the spatial relation of each of these 5 people to each other, without the aid of other sensors. Wifi or bluetooth will not give you spatial relationships in any meaningful manner.
For example, if my signal strength to the AP is 80%, and your's is 80%, that does not mean we are next to each other. We can be on opposite sides of the AP, or we can be at some other arbitrary location, where each of us has a different obstacle blocking the direct line of site to the AP, reducing the signal strength by differing amounts. Plus we have no idea what the transmit power is on each device.
You may be able to get a reasonable guesstimate of proximity to the AP, but not spatial orientation to the AP. (ie, you are within 20 ft of the AP, but you don't know in which direction), and certainly not between each peer. The phone will not be able to give you proximity information to another phone using wifi, because the stock chipset on Android and iOS does not give you access to read these beacon packets from arbitrary un-connected devices. I've been able to get it to work in the lab, but only when I use specific hardware/chipsets, with special drivers/firmware.
So all I'm saying is that people are making this to be a bigger deal than it is.
if tracking were only ever used for advertising, i would not have any problem with it. my concern about tracking is that people with the power to fuck my life over will get a hold of it and use the data irresponsibly. sorry, but i just don't see how "walked down aisle 3 five times on Sunday" can contribute to that.
when i see people who are deathly afraid of advertising, i wonder why. there's an old saying among door-to-door salesmen that you hit the houses with signs reading "no solicitors," exactly because the occupants are easily influenced; after all, that's why they put the sign up.
with two exceptions, i research my purchases meticulously before making them. the exceptions are a limited amount of impulse buys (for example, i know they put the candy bars exactly in that spot to maximize sales, but i don't care; i knew that i'd be buying the damned candy bar before i entered the store) and... actually that's about it. the other exception involves my hobbies, but it's not like i ever go to a fountain pen or book store without a budget anyway. i just let myself enjoy the experience more than other places.
i'm fairly confident that i am mostly resistant to advertising. in fact, i can identify the ubiquitous re-use of phrases and images that are "proven" by marketing psychologists to influence people and it's just mildly nauseating. now maybe this is the dunning-kruger effect, but looking around my home, i don't see much stuff that i regret buying, so i'm either making good decisions or i am completely brainwashed. i suspect the former.
"They were pure niggers." – Noam Chomsky
Turn off "location" and other "always want the network" apps that you don't need. Put your mail in "on demand" rather than "periodically polling" mode. Set your phone so the only thing it's routinely monitoring for over the air are incoming phone calls and texts.
At this point your WiFi will be a waste of battery when you aren't actually using your phone.
Now you can turn off your WiFi and save your battery.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Actually, you don't even need to turn off wifi. Just set your phone to not automatically join any public wifi. Wireless clients, including the phone, compiles a list of access points you can join using the ESSID broadcast from the access point. In other words, the access points just dumbly advertise their presence and don't know who are looking until your device tries to join.
I once had a signature.
They are looking at the beacon packets your device is sending out when it does a scan of the network. Most OS's will do a periodic passive scan to look for networks.
There is no maybe about it, tracking is the primary reason for loyalty cards. The other reason is that people love "points"; they will often go for points valued at 1% of the purchase rather than pick a competing brand which is 10% cheaper...
Finally! A year of moderation! Ready for 2019?
That makes up for me stalking their aisles for products and then buying them online for cheaper.
3g/HSPA+/4G sucks more out of your phone than Wifi.
True.
It goes something like: ... with GPS using 10x lower power than C/GPU.
1. C/GPU
2. Screen + backlight
3. Calls or sending/receiving data
4. Camera
5. Vibrate
6. Screen no backlight
7. GPS continuously receiving
When idling, your smartphone is using maybe 2 orders of magnitude less power than eg browsing. Since smartphones are idling a lot of the time, these numbers become significant.
8. Automatic checking whether anyone's messaged you on FB/Twitter is a significant battery killer. I don't have figures for this but it at least halves battery life.
Apart from that, from highest to lowest:
9. 3G
10. BT
11. Wifi
12. 2G
So 3G + BT + Wifi consumes roughly 3x just 2G.
So your battery may last 3x longer with just 2G active when idling.
http://wiki.maemo.org/N900_Hardware_Power_Consumption#Some_preliminary_numbers_using_the_battery_monitor_chip.
We had someone vandalize one of our cars. Long story short, it was my sons X girlfriend. See lives about 60 miles away but at 3:20am, I saw her iPhone attach to my access point. I knew it was hers because I've seen it in the logs from when she was welcome in the house. That time in my logs matched the time frame a neighbor saw someone running through our yard. It never actually made it to a court but she admitted it when questioned by the police.
I live in a pretty rural area and you have to be much closer to my house than to anything else in the public right of way to get my signal. I've thought of and have done some research about scanning and looking for devices in the area just like the article describes. I have an open wi-fi AP that goes no where now but logs and I don't actively probe yet.
Do you operate purely on cash? If not then they know exactly what you buy and who you are. There was an article a couple years ago where they were sending targeted adds to people based on previous purchases. They even started sending adds for baby stuff to women before other people knew they were pregnant.
GENERATION 27: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
Your phone will still occasionally be sending packets to see if a known access point/SSID will reply. This is so access points with "hidden" SSIDs will still be found. Most devices just do this and there is no option to disable it, apart from disabling wifi completely. This is enough to see if someone with wifi enabled on their device is hanging around.
Even more disturbing, if an access point with the correct SSID replies with no encryption, a lot of devices will automatically try to attach to that AP. By mimicking the identification protocol the device asks to use, you can even get it to attach to your rogue access point; just tell it it's credentials are accepted and it will merrily use your AP without any user interaction.
I was promised a flying car. Where is my flying car?
When I was young I used to have mod points, just like you. But then I took an arrow to the knee.
I was promised a flying car. Where is my flying car?