[liberationtech] My phone at your service | Federal Trade Commission

Thu Feb 13 14:45:08 PST 2014

http://www.ftc.gov/news-events/blogs/techftc/2014/02/my-phone-your-service

My phone at your service

By: Latanya Sweeney, Chief Technologist | February 12, 2014
*This post provides an opportunity for you to brainstorm at the
intersection of technology, policy, and business. Before I begin, let me
advise you that I am solely responsible for this blog's content,
characterizations, ideas and choice of topic. This blog may not reflect the
views of the FTC or any of its Commissioners.*

What is the latest technology related to loyalty programs and in-store
purchases? Your mobile phone. As you carry your phone throughout the day,
it is constantly emitting wireless probes to find local networks with which
to connect. These probes, more formally known as "probe requests", include
a unique number - called a media access control address or "MAC address"
(having nothing to do with Apple Inc). Manufacturers install unique MAC
addresses in each phone during fabrication. Anyone can setup wireless
sensors to record the appearance of your phone's probes to track where you
are and where you have been -say, where you are when you're ambling through
store or mall, or when you're walking or driving down a street. Some retail
stores are experimenting with this technology to track your whereabouts.
Stores currently use loyalty programs to link your purchases together. By
tracking your MAC address, stores can also learn your shopping and in-store
browsing patterns, even if you do not sign-up for a loyalty program or make
a purchase. Therefore, the time seems ripe to brainstorm on the best
integration of technology, policy and business that maximizes benefits to
stores and consumers while minimizing potential harms.

Retailers could use the technology to modernize their loyalty programs so
that your phone's probes replace the assortment of tokens and cards you may
currently carry to earn discounts and rewards. Or, because your phone's
probes are freely available, stores could just use them to learn more about
your shopping habits to improve store layout. As one proposal posits, if
you don't want to be tracked, you can turn off your phone while shopping,
or enter your phone's information in a "do not track" registry. Under this
proposal, you would not have the option of signing up like you do with a
loyalty program nor would you necessarily receive discounts or rewards. Of
course, countervailing technologies exist that can change a phone's MAC
address to made-up aliases and that can cease probing while shopping.

The key stakeholders are consumers, brick and mortar retailers, and mobile
analytics companies. Consumers and retailers already engage in loyalty
programs and retailers want to learn more about consumer shopping habits
using mobile location tracking technology offered by mobile analytics
companies. Negative impacts may occur when a MAC address relates to you by
name.

Where are possible "sweet spots" -those arrangements where consumers and
retailers can enjoy benefits without adverse consequences? Perhaps you will
construct a solution, comment below, or attend the FTC Mobile Device
Tracking seminar on February
19<http://www.ftc.gov/news-events/events-calendar/2014/02/spring-privacy-series-mobile-device-tracking>
.

*Loyalty Programs*

Many retailers spend marketing dollars on loyalty programs and most of us
participate in them using our phone numbers, tokens, cards, and even mobile
phone apps to identify our purchases as belonging to us over time. In
exchange, we get discounts and other benefits.

According to an industry watchdog group, there were 2.65 billion loyalty
card memberships in the United States last year [1]. That is the highest
number ever reported by the group since it began tracking in 2006. Still,
many consumers are getting weary of the cards and tokens, and retailers
have mixed reactions. Some grocery chains that started the trend more than
a decade prior have recently dropped their programs, citing the data is not
as useful as one might think [2]. Other grocers have reportedly intensified
efforts to relate shopping histories to more personalized deals and pricing
[3].

This may be a quality versus quantity proposition. By creating a meaningful
and engaging loyalty program, where the benefits of membership are
transparent and relevant to consumers, can a business generate more
dedication among customers and improve its bottom line?

Consider Starbucks. According to an article in a leading trade magazine,
there are more than 6 million loyalty card members registered at Starbucks,
with about 80,000 joining each month. Members use loyalty cards in about 25
percent of all purchases [4]. Starbucks expanded its loyalty program to
include a small program ("app") that can run on some phones. The app
features direct pay for purchases and offers rewards of free drinks and
other benefits. The company reported a stellar 9% increase in sales for the
quarter ending June 30, 2013, which its executives attributed to its
loyalty program with mobile app payment capabilities [5].

*Layouts of Retail Stores*

Local retailers are in intense competition with online retailers, so brick
and mortar stores really need to think about how they differentiate
themselves. We live in an information-rich environment, where we can know
the reviews, features and prices of a product before we ever touch it, but
whether the product is "right" remains unknown until we actually handle it.
We try on clothes to see how they fit and we want to know how a laptop
feels in our hands. Once we travel to a store, we have made more of an
investment than visiting a web page, so local retailers may be able to
compete with online merchants by taking advantage of the physical act of
shopping.

A recent paper in the academic journal, *Marketing Science*, points out
that a retailer can affect the way a consumer searches for products in a
store, and by strategically controlling the consumer's travel costs within
the store, the retailer may influence a consumer's purchase decision [7].
For example, displaying all television brands side by side in one place
allows shoppers to easily inspect various brands and make fully informed
choice decisions. In comparison, placing one brand of sweaters in one
place, together with the other clothes of the same brand, and displaying
other brands' sweaters elsewhere is likely to get shoppers to inspect
additional kinds of items by the same brand before investigating other
sweaters.

In comparison, an online merchant can customize a product's web page to
suggest related products the merchant believes may be of interest to you.
No two pages for the same product may have the same suggestions depending
on what the online merchant thinks it knows about you. The brick and mortar
merchant cannot dynamically change the store layout for each person.
Instead, the local retailer seeks to have a store layout that optimally
boosts point-of-sale and impulse purchases across all shoppers. Having
detailed travel patterns of physical shoppers should help a retailer
improve its layout.

*The New Technology*

Some retailers and mobile analytics companies propose to track the unique
MAC addresses your mobile phone emits when it searches for nearby local
wireless networks (Wi-Fi) or Bluetooth devices to learn more about your
shopping patterns. Wi-Fi sensors would cover the area of the store,
sidewalk or mall. When your mobile phone emits probes to discover which
Wi-Fi networks are available, the WI-Fi sensors record the unique MAC
address associated with your phone. The sensors use the strength of your
phone's signals to compute your location within the space, with greater
accuracy than global positioning systems (GPS). By tracking your phone's
MAC address, a store can learn how often you visit and where in the store
you roam, regardless of whether you make a purchase.

*How Tracking MAC Addresses Works*

During manufacture, a mobile phone gets its own unique MAC addresses, one
for communicating over local wireless networks (Wi-Fi) and the other for
communicating with Bluetooth devices like wireless earphones. When you
connect the phone to the Internet, you may use its cellular connection
through your telephone company or you might use a local wireless Wi-Fi
network. If you connect your mobile phone to the Internet using Wi-Fi, you
will see a list of available networks. To generate this list, your phone
sends probes that include the MAC address of the phone. Depending on your
phone's settings, your phone may automatically connect to a network that is
open to anyone that doesn't require a password or purchase to join. In both
cases -actively locating available networks and connecting to networks-
your phone sends and receives packets of information that includes your
phone's unique MAC address. The open Wi-Fi network and any parties
eavesdropping on local Wi-Fi communications can learn the MAC address of
your mobile phone (e.g., [8] and [9]). The full technical specifications
for Wi-Fi communication are publicly available [10]. The MAC address, which
is unique to your phone, is not the same as an IP address. The latter is
unique to your phone while it connects to the Internet on a particular
Wi-Fi or broadband network. Your phone's IP address changes from one Wi-Fi
network to another, but your phone's MAC address remains the same
regardless of the network and transmits even without actually connecting to
the Internet.

*Trial Runs*

A company reportedly put the technology in recycling bins in London to
record the unique addresses of smartphones carried by pedestrians and
displayed responding ads on the sides of the bins; authorities subsequently
halted the system [11]. Last year a leading newspaper reported that
Nordstrom tested the technology in some of its stores in the United States
but ended the experiment due to concerns raised by its customers [12].
Other stores are experimenting with the technology to track customer visits
and roaming patterns.

*Future Benefits and Risks*

If tracking MAC addresses in retail spaces becomes common, then an obvious
benefit to retailers would be tracking MAC addresses across stores. Then, a
store could learn which of its customers also visit competing or
complementary stores and how often.

Another benefit to stores may be to identify the person associated with the
MAC address by associating MAC addresses with purchases. If associated with
identifying information, tracking retail purchases can cause harm.
According to a press report, one major retail chain that did not have a
consumer-facing loyalty program realized its customers tended to make
purchases using the same credit or debit card, Therefore, it organized its
analysis of purchases around profiles it constructed from data associated
with payments and enriched its data with supplemental information it
purchased from data brokers [13]. Analysts learned many generalizable
habits of its customers; some allowed the company to predict pregnant
customers. The store sells everything for new parents, from formula to
toys, so the company sent coupons to people its analysts determined were
likely to be expecting a child. One of these coupons arrived at the house
of a man who prior to receiving the coupon did not know his teenage
daughter was pregnant [13].

Anyone can harvest probe requests for many possible uses. This is not just
for retail stores or loyalty programs. Students in Italy organized a
3-month long campaign in a public plaza in Italy, during which they
collected around 11M probes sent by more than 160K different mobile devices
in order to construct social networks of co-locating MAC addresses [9]. The
students also found that mobile phones may share a historical list of the
other networks the phone has previously encountered, suggesting the list of
known networks may help build location-based profiles.

*What Current Actions Can Consumers Take*

Not everyone will want to be included. What technical options exist for
exclusion and how onerous are those options for consumers?

To stop your Wi-Fi MAC addresses from transmitting, you must change
settings on your phone before you get too close to the store because the
range of the sensor may extend beyond the store's physical boundaries.
Either you have to turn off Wi-Fi or turn the power off on your phone. Just
because the screen is off does not mean the phone is off. Similarly,
putting a phone in airplane mode does not turn off the Wi-Fi. Once Wi-Fi is
off or the phone's power is off, your ability to use the phone while you
are in the store diminishes and you have to remember to restore the
settings after you are some distance from the store. This seems
inconvenient for a phone you purchased and pay for its service. Why should
shopping reduce the utility of your mobile phone?

AVG Technologies offers a free smartphone app that turns off Wi-Fi and
Bluetooth to thwart Wi-Fi tracking [14]. With Bluetooth off, your external
earpiece will not work, but having Wi-Fi disabled should not be too
inconvenient. *Mac Address Ghost* is an app that replaces your MAC address
with a made-up alternative [15]. This allows you to leave your phone
settings untouched while shopping. Your phone still sends Wi-Fi probes, but
the MAC address used in the probes is not the one installed on the phone.
Later, when you want to use the Wi-Fi, you would want to make sure you turn
this feature off, else you risk colliding with someone on the network whose
machine has the same MAC address, thereby causing communication confusion.

*Approaches*

Wi-Fi tracking should be able to allow willing consumers and stores to
enjoy many worthy benefits without the kinds of adverse consequences
mentioned previously.

Below are four competing approaches to ignite discussion. The first stems
from the Starbucks app. The second is a straw man approach of my own
design, presented solely to round out discussion. These two provide
examples of deploying the technology in a way in which consumers take an
action to participate ("opt-in"). The third approach technically supports
the first two by reversing the Wi-Fi communications default. The fourth
approach assumes everyone participates and consumers must take an action to
be excluded ("opt-out"). Together, these four approaches give you some
initial thoughts for brainstorming.

*Approach #1: Loyalty Apps*

This approach encourages loyalty programs to replace the array of tokens,
cards, and phone numbers we now use to participate in loyalty programs with
store-specific apps or even shopping apps that work across multiple stores,
providing a *quid pro quo* between consumers and stores. By running a
"loyalty app", you give permission to participate in the program.
Store-specific apps with GPS location enabled can identify the store's
location and in large stores, roughly where in the store you may roam.
Location tracking in small spaces using GPS is not as precise as using MAC
address tracking. This approach allows the store to not only learn about
your purchases, but also something about your shopping patterns. An
advantage of using apps and GPS is that you can enable or disable them
without reducing the utility of your phone.

*Approach #2: Store Wi-Fi*

In this approach, a store hosts its own open Wi-Fi network in the store.
Promiscuous phones would automatically connect and phones set to ask you
before joining Wi-Fi networks would need your permission. The store's Wi-Fi
is not a pathway to the Internet; instead, it provides one-on-one
communication between you and the store through your phone's web browser
(or loyalty app). The store would display its policy about tracking, and if
you proceed, the store will track your physical location and unique MAC
address and provide perks and discounts to your phone directly. Because the
tracking can be specific to items geographically near you in the store, the
Wi-Fi can send targeted just-in-time specials. When used with a loyalty
app, the store can learn about both your purchases and your detailed
shopping patterns. This approach also features a *quid pro quo* advantage
between consumers and stores, but unlike the prior approach that only works
with smartphones, this approach would work with virtually all phones
because it uses web browsers.

*Approach #3: Passive Search for Wi-Fi Networks*

Manufacturers of mobile phones, or possibly app developers, could provide
an option to make mobile Wi-Fi "passive" in locating nearby Wi-Fi networks.
Mobile phones actively emit probe requests to learn about nearby Wi-Fi
networks so that you do not have to wait to discover available networks
when you want to connect. However, the technical specification [10] also
provides a passive option. Instead of actively sending probe requests, the
mobile phone could wait to receive beacons from nearby networks. At timed
intervals, Wi-Fi networks broadcast their presence by emitting beacons. A
mobile phone that is passively accumulating a list of nearby networks does
so by listening for beacons. Of course, not all Wi-Fi scanning should be
passive, so a configuration setting could exist to allow consumers to
select active or passive scanning. This approach requires your permission
to participate, and therefore, can technically support the previous two
approaches. An advantage of this approach is that it maintains the utility
of phones of consumers who do not want to participate without
inconveniencing those who do want to participate.

*Approach #4: Do Not Track*

The Future of Privacy Forum has created a voluntary Code of Conduct for
companies that wish to track consumers' location in stores [16].
Participating stores post signs in stores to alert they are using mobile
tracking technology and to offer instructions for how to opt-out using a
website where you enter the MAC addresses of any phone you do not want
tracked. The Future of Privacy Forum worked with companies that offer
mobile location tracking technologies to develop an industry best practice
[17]. A commentary noted that privacy-concerned consumers must locate and
then enter their MAC addresses into a database in order for retailers to
ignore their captured information (being listed in the database does not
stop the information from being captured) [18]. An advantage of this
approach is that it does not require any new technology or technical
changes to implement.

In comparison, none of the approaches stop the local capture of MAC
addresses completely, but approach 3 limits the capture to networks
consumers elect to join. Otherwise, consumers may elect to power off Wi-Fi
networks to avoid having MAC addresses captured or use MAC address spoofing
to get different identities at stores in approaches 2 and 4. Approaches 1
and 2 allow stores to make a value proposition to consumers and they
provide consumers control over being included (or excluded) without having
to reduce the utility of their mobile phones. Approach 4 unto itself offers
no value proposition to consumers, but a store could give coupons or
rewards for participating. If approach 2 were widely adopted by stores,
retrieving the phone's historical list of known networks would provide a
list of stores visited.

*What You Can Do*

This inquiring mind wants to know what you think. Perhaps you have a
proposal of your own design or a comment to make.

On February 19, 2014, as part of its Spring 2014 Seminar Series on Emerging
Consumer Privacy Issues, the FTC will host a public seminar related to
commercial tracking using Wi-Fi addresses on mobile phones. None of the
parties or organizers of the seminar are responsible for the content or
appearance of this blog. For more information, see theSeminar events
page<http://www.ftc.gov/news-events/events-calendar/2014/02/spring-privacy-series-mobile-device-tracking>
.

*References*

1. Berry J. Bulking Up: The 2013 COLLOQUY Loyalty Census.
https://www.colloquy.com/files/2013-COLLOQUY-Census-Talk-White-Paper.pdf

2. Orgel D. Albertsons Move Sparks Great Loyalty Debate. Supermarket News.
July 1, 2013.
http://supermarketnews.com/blog/albertsons-move-sparks-great-loyalty-debate

3. Choi C. How loyalty programs can influence the way you shop. Associated
Press. May 19, 2013.
http://www.lowellsun.com/business/ci_23277858/how-loyalty-programs-can-influence-way-you-shop

4. Bhasin K. Starbucks Exec: 'We Know Who You Are, We Know How You're
Different From Others'. Business Insider. March 25, 2013.
http://www.businessinsider.com/starbucks-exec-on-loyalty-card-data-tracking-2013-3

5. Tierney J. Thanks to Loyalty Program and Mobile Capabilities, Starbucks
Registers Record Q3. Loyalty 360. August 13, 2013.
http://loyalty360.org/resources/article/thanks-to-loyalty-program-and-mobile-capabilities-starbucks-registers-recor

6. Wallace G. Starbucks app leaves passwords vulnerable. CNN Money. January
16, 2014.
http://money.cnn.com/2014/01/15/technology/security/starbucks-app-passwords/

7. Gu Z and Liu Y. Consumer fit search, retailer shelf layout, and channel
interaction. *Marketing Science*. Vol. 32, No. 4, July-August 2013, pp.
652-668. http://dl.acm.org/citation.cfm?id=2509090

8. Cunche M. I know your MAC Address: Targeted tracking of individual using
Wi-Fi. International Symposium on Research in Grey-Hat Hacking - GreHack
2013.
http://hal.archives-ouvertes.fr/docs/00/85/83/24/PDF/Wi-Fi_Stalking.pdf

9. Barbera M, Epasto A, et al. Signals from the Crowd: Uncovering Social
Relationships through Smartphone Probes. Association of Computing Machinery
(ACM) *The Internet Measurement Conference* 2013.
http://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf

10. IEEE Standard 802.11 for Wireless Local Area Networks (WLANS). 2012.
https://standards.ieee.org/findstds/standard/802.11-2012.html

11. Datoo S. This recycling bin is following you. Quartz. August 8, 2013.
http://qz.com/112873/this-recycling-bin-is-following-you/

12. Clifford S and Hardy Q. Attention, Shoppers: Store Is Tracking Your
Cell. New York Times. July 14, 2013.
http://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html?pagewanted=all

13. Duhigg C. How Companies Learn Your Secrets. New York Times. February
16, 2012.http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html

14. Olson P. Security Firm AVG Launches First Service To Block Mobile
Location Tracking. Forbes. December 9, 2013.
http://www.forbes.com/sites/parmyolson/2013/12/09/security-firm-avg-launches-first-service-to-block-mobile-location-tracking/

15. diewland. *Mac Address Ghost*. February 11, 2013.
https://play.google.com/store/apps/details?id=diewland.changemac

16. *Mobile Location Analytics Code of Conduct*. Future of Privacy Forum.
October 22, 2013.
http://www.futureofprivacy.org/wp-content/uploads/10.22.13-FINAL-MLA-Code.pdf

17. *Schumer, Tech Companies and Privacy Leaders Announce Important
Agreement to Ensure Consumers have Opportunity to "Opt-Out" before Stores
can Track Their Moverment via Their Cell Phones - A Practice that is
Becoming Increasingly More Common*. October 22, 2013.
http://www.schumer.senate.gov/record.cfm?id=346912&

18. Higgins P and Tien L. *Mobile Tracking Code of Conduct Falls Short of
Protecting Consumers*. October 26, 2013.
https://www.eff.org/deeplinks/2013/10/mobile-tracking-code-conduct-falls-short-protecting-consumers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140213/4f6fb739/attachment.html>