Attention shoppers: Retailers can now track you across the mall

Your favorite big box retailer or discount warehouse will soon be able to track your movements via your smartphone. Meet the next big thing in analytics: You.

Image: flickr/David Blackwell

There’s a common argument against online tracking that goes something like this: When you shop at your local mall, nobody is following you around recording the name of every store you enter and what you did there. When you shop on the Web, there are dozens of trackers recording your activities on every site you visit. So why can’t shopping online be more like shopping at the mall?

Well, it soon may be, but not in a way most privacy advocates would endorse. Retail stores will soon be able to follow you around the store – or even outside the store if you just walk by without entering – using the WiFi antenna built into your smartphone.

How would they do it? Pretty simple really. When you come within range of a properly configured WiFi access point, it can record the wireless MAC address of your phone – a unique 12-digit number. Every time you pass by, that AP can log that number. If you enter that store or café every day, it will soon have a detailed record of when you (or at least your phone) entered and departed.


Think of it as Google Analytics for people; instead of measuring Web traffic, they’re measuring foot traffic. Why would stores want to do this? More on that in a minute.

I recently spoke with John Madison, VP of technical marketing for Fortinet, which builds network security appliances for major enterprises. At this week’s National Federation of Retailers conference, Fortinet unveiled a new line of WiFi security products for store owners that provide firewall, anti-malware, and intrusion protection services for their networks.

But these devices also work with software from a company called Euclid Analytics that allows stores to collect data on actual and potential customers. (Fortinet is hardly alone in this; Aerohive, Aruba, and Xirrus also build routers that can take advantage of Euclid Analytics software.)

Image: Euclid Analytics dashboard (credit: Euclid Analytics)

From the retailer’s perspective, this information can be a virtual gold mine. For the first time they can easily track where customers go after they enter the store. They can identify repeat customers and first timers. They can find out whether shoppers are spending a lot of time in the toy aisle but rarely visit sporting goods or home appliances, and reconfigure the store layout accordingly. They can share data across different locations – to gauge whether the same customers spend more time in their discount outlets or shop at the locations closer to major freeway exits. They can even track people who walk by the store every day but never go in, or if more people enter after a window display is changed.

Like every Web tracker on the planet, Euclid’s privacy policy states that it only collects this information anonymously and in aggregate. It stores the MAC address in a one-way hash, so nobody can go backwards and figure out your actual MAC address. It doesn’t snoop around your phone to collect other information, like your contacts or Web history. And you can opt out of its databases at any time, though the chances of someone going to Euclid’s site to find out whether they’re in those databases is pretty much nil.

But even if Euclid doesn’t know who you are, the store does – the moment you plunk down plastic to buy something. Correlating that purchase with your location (i.e., near the register) is probably as simple as matching time stamps between the transaction and the analytics log. And as mobile payments using Near Field Communications chips built into phones become more common, that process becomes even simpler.
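The timestamp matching described above, as an added example (not code from the article, Euclid or Fortinet): it shows why a one-way hash of a MAC address is still a stable pseudonym that a purchase record can be joined to. The hash algorithm, field names and every sample record are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta

def pseudonym(mac: str) -> str:
    # One-way hash of the MAC; unsalted SHA-256 is an assumption, the page names no algorithm.
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:16]

def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

# Constructed AP sightings: (time, AP location, MAC). MACs are made up, locally administered.
SIGHTINGS = [
    ("2013-01-14 12:01:10", "register", "02:00:00:aa:bb:01"),
    ("2013-01-14 12:01:40", "register", "02:00:00:aa:bb:02"),
    ("2013-01-14 12:30:05", "toys",     "02:00:00:aa:bb:01"),
    ("2013-01-15 17:45:20", "register", "02:00:00:aa:bb:01"),
    ("2013-01-15 17:45:50", "register", "02:00:00:aa:bb:03"),
]
# Constructed point-of-sale records: (time, cardholder).
TRANSACTIONS = [
    ("2013-01-14 12:01:30", "cardholder-A"),
    ("2013-01-15 17:45:40", "cardholder-A"),
]

def analytics_log(sightings):
    # What the analytics side keeps: hashed MACs only, never the raw address.
    return [(parse(ts), ap, pseudonym(mac)) for ts, ap, mac in sightings]

def candidates(log, when, window=timedelta(seconds=60)):
    # Pseudonyms seen at the register within the window around a purchase.
    return {p for ts, ap, p in log if ap == "register" and abs(ts - when) <= window}

def link(log, transactions):
    # Intersect candidates across purchases: the hash is stable, so repeat visits narrow it down.
    linked = {}
    for ts, holder in transactions:
        near = candidates(log, parse(ts))
        linked[holder] = linked.get(holder, near) & near
    return linked

def history(log, p):
    # Every location where a given pseudonym was logged.
    return [ap for _, ap, tag in log if tag == p]

if __name__ == "__main__":
    log = analytics_log(SIGHTINGS)
    for holder, tags in link(log, TRANSACTIONS).items():
        for tag in tags:
            print(holder, tag, history(log, tag))
```

A single purchase leaves two candidate pseudonyms at the register; the second visit resolves them to one, whose full movement history in the log is then attached to the cardholder.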

Once the retailer has tied your MAC address to your identity, all kinds of fun things can happen. The store can send you discount coupons to entice you into aisles you rarely visit. If they have your phone number, the store could send you a text when you walk by, trying to lure you in. A retailer can marry that data to your online activities to further analyze who you are and how it can get you to spend more time and money in its stores, or sell that information to a third party.

And, assuming the retailer stores that data, it can hand it over to any legal authority with the appropriate paperwork.

[Update: Euclid has responded to -- and corrected -- some of these hypotheticals here.]

Madison says Fortinet has a working proof of concept of this in its labs, but has yet to see the technology deployed in an actual retail environment. One of the reasons is privacy: Retailers have not yet worked out how to obtain permission from customers to track them, let alone people who are merely passing by. Of course, that’s assuming retailers will bother to do that; there is no law compelling them to.

Other barriers are more technical. Getting down to tracking customers inside the store requires multiple APs and some tricky triangulation. But it can be done, Madison says.

What’s the big deal? You may not mind the fact that stores know when you enter and leave, how long you stayed, and whether you made a purchase. And it is true that you already give up a fair amount of privacy when shopping in public. For example, most stores also record your face via CCTV security cameras. But identifying you via facial recognition is far more time consuming, expensive, and error prone than simply matching MAC addresses.

My hunch is that the first deployments of this will be to track employees, where privacy matters are much easier to deal with – a couple of lines in the employee handbook and you’re done. So if Johnny from sporting goods is spending too much time flirting with Sally in lingerie, his manager can show him the numbers before he shows him the door.

But if you do mind that stores can follow you around, there isn’t much you can do about it. You can of course turn off your phone’s WiFi when in public. I don’t know about you, but the only time I remember to do that is when I get a low battery warning. You can always pay cash (at least, until that practice becomes a quaint remnant of our pre-digital past). You can opt out as noted above, but you’ll need to do it for every mobile device you own and with every analytics company out there. (Had you heard of Euclid Analytics before you read this? I hadn’t. Are there others? Beats me.) In that way it’s much like opting out of Web tracking – an onerous chore where the burden is entirely on the person being tracked.

So the question for today is: Who’s minding the store when the store is minding you?

See also Part II: If you shop til you drop, will they track when you get back?

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.
