If you shop til you drop, will they track when you come back?

In our last episode of TY4NS, I explored the exciting world of retail WiFi tracking. More specifically, I talked about how security vendor Fortinet was deploying devices using software from Euclid Analytics that collects data from shoppers using their smartphones’ WiFi antennae.

Today I spoke with John Fu, Euclid’s director of marketing, who wanted to provide a reality check to some of the hypotheticals I presented in my last post. Are retailers really following you around like a store detective, recording the brands of beer you buy or the dainty underthings you’ve fingered? Not exactly.

[Attention shoppers: Retailers can now track you across the mall and Mickey Mouse knows what you did last summer]

“There are some powerful and potentially scary things you could do with this data if you wanted to,” says Fu, “but I want to clarify that we are not doing any of those things. We anticipated these scenarios and came up with ways to prevent them from happening.”

For example, when a sensor using Euclid’s technology collects your device’s MAC address, it creates a one-way hash of it and throws the address away so it can’t be reverse engineered. Euclid doesn’t track individuals through the store but instead aggregates the data of all shoppers, then presents it to retailers on a daily basis.

Most important, retailers who use Euclid’s technology are contractually obligated to not combine the behavioral data they collect with information they have about an individual’s identity, says Fu. The kind of anonymous aggregate data Euclid presents in its reports makes it nearly impossible for them to do so in any case, he adds.

Still, to make it harder for smaller stores to associate hashed MAC addresses with actual sales – say, by comparing time stamps on transactions or using security camera footage -- Euclid salts its data with a “statistically insignificant” number of fictional customers. It doesn’t affect the overall reports, says Fu, but that does make it impossible to know with 100 percent certainty who anyone is.

Another thing I got wrong in the last post is that this technology isn’t merely coming, it’s already here. Euclid’s technology has been deployed in well-known national clothing and department store chains, as well as smaller regional outlets. Most of Euclid’s customers prefer to remain anonymous, seeing this kind of foot traffic analysis as a competitive advantage, Fu explains. But not all.

Philz Coffee, a popular Bay Area café chain, uses Euclid’s software to analyze which of its 11 shops cater to frantic commuters who need their nonfat mocha soy lattes in a hurry because they’ve got a train to catch, and which locations are havens for unemployed hipsters who like to hang out all day with their iPads. Using that data, Philz can optimize staffing and customer flow in its commuter centric locations to get people on their way quickly, while offering more comfy places to sit and expanded menus to get the slackers to make a second purchase.

Or, says Fu, a large chain can analyze why Store A only converts 15 percent of its foot traffic into transactions, while Store B converts 30 percent. In these cases, the store merely takes the raw numbers of people who entered the store and divides by the number of transactions. There’s no way for Euclid to track actual purchases, Fu explains.

Still, one of the problems that remain with this form of tracking is most shoppers have no clue it’s happening. And people who pass by the store --but whose MAC addresses are captured anyway -- are completely in the dark.

Fu says Euclid requires retailers to place a sign or sticker in the windows of its stores (see above), alerting customers to the tracking and directing them towards a site where they can opt out. Once they do opt out, any previous data associated with their MAC address is erased, he adds.

But Euclid is only one of a half dozen companies using different techniques to help retailers track shoppers, most of which don’t bother to tell you.

“To be honest, the industry standard is no disclosure whatsoever,” says Fu. “Whether they’re using cameras, infrared, Bluetooth, or WiFi, no one is doing really good notification. While we require our customers to put stickers on the windows of their stores, we can’t say we have a perfect the best solution.”

The other thing to keep in mind is that, while it’s not possible to take a one-way hash and recreate your MAC address, it is still possible to do the opposite – take your MAC data and recreate the hash. If legal authorities have your name and MAC address, they could approach Euclid with a court order and demand your location data.

Fu says that while this is theoretically possible, it has yet to happen. He adds that the authorities would get much better location tracking by obtaining cell tower data from your wireless carrier. That would include nearly everywhere you've been, not just the stores that use Euclid's technology.

On the scale of privacy threats, retail tracking like this is pretty far down the list. The apps we all blithely install on our phones and tablets, many of which collect location data and other personal information for no good reason, are much worse. And apps from retailers such as Orvis and Cabelas can send coupons or discounts directly to your phone – tracking you with much greater precision than a WiFi signal ever could.

At least in those cases we’d have no one to blame but ourselves.

Does retail tracking bother you? Post your thoughts below or ping me on Twitter.

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.

Now read this:

The new MySpace: I like it, I really do. What's wrong with me?

What's the freakin' deal with all these LinkedIn endorsements?

Mickey Mouse knows what you did last summer