If this becomes the trend (which in my opinon would be nice) it will become a big problem for companies that specialise in customer tracking e.g. for supermarkets and big department stores. Previously it was quite easy to track a customer, how long he or she spends time in the store, which floors he or she visits, etc. by putting up dummy WiFI-networks that the customers phones find by giving out their MAC-addresses.
It's disturbingly creepy to think that stores would even think of doing this, but on the other hand it's also an indication of how clueless the general population is about the amount of identifiable data they're unconsciously "leaking" through personal, (nearly) always-on devices. My laptop is setup with a random MAC precisely to prevent this sort of tracking.
Interestingly, the unbranded Android phones I have (one looks very much like an iPhone, ironically enough) all came with this "feature" of a random MAC every time the WiFi is turned on/off, although that was more likely the manufacturer not bothering to give each one a unique MAC.
All the more reason to keep the WiFi turned off unless you're actually using it, and this might be a bit on the paranoid side, but I do the same for the cell radio (airplane mode) - it's on only when I'm expecting a call or making one.
At the other end of the scale, this tracking via MAC almost invites making them think several million customers have suddenly entered the store...
I'm a technologist and I didn't know that devices advertise their MAC addresses when scanning for WiFi until someone in that business told me. I always thought it was the other way around (base stations advertise themselves and devices affiliate with ones they recognize).
Though accurate, "clueless" is a bit harsh. I don't expect the general public to know the implementation details of WiFi any more than I expect them to understand how a catalytic converter works. The beauty of an abstraction is that you get to reap its benefits without understanding precisely how it works.
The beauty of an abstraction is that you get to reap its benefits without understanding precisely how it works.
...and get to be manipulated and screwed over by the people who do.
While I don't expect the general public to know the details of WiFi down to e.g. the level of the 802.11 spec, I think that some general ideas, like the difference between passive/active scanning, are both simple enough to be understood by analogy and critical to privacy that they should be known more prominently.
Active scanning for known base stations is a 'feature' most people don't know about either. You phone actively tries to connect to base stations it knows, opening you up to attacks from devices like the WiFi pineapple.
Now that the MACs are random does that really solve the problem? A probe request sends out the real MAC of the AP it's looking for as well as the AP ESSID. By using anyone of many translators you can get a map of each ESSID with GPS co-ordinates. While many people will be probing for Starbucks and McDonalds they will always have a unique probe for their own home AP. So now there is no "neat" way of using the MAC as a primary key you can still infer the user by the AP least in common with anyone else, i.e. which probes are NOT McDonalds et al.
So if my home AP ESSID is Einstein, MAC=deadbeef every time I enter a store my home AP MAC is still being recorded as well as the relative movement throughout the store. As well inter-relational data could be inferred by other AP MAC addresses if I visit a friend or family member it's likely that probe will connect us.
TL;DR
Relations are based on unique data just because some of the data is 'scrambled' it's reliance on static data is it's weakness.
Your assumption is incorrect - Probe requests do not contain the MAC of the AP, only the SSID. Wifi clients usually only save the name and security type/PSK of previously joined networks. In many situations, the same SSID is broadcast by multiple different APs with different MAC addresses in the same area so it wouldn't make sense to remember a specific SSID/MAC pair.
If the same client (iPhone) probes for a list of SSIDs with one random MAC and then probes for the same list again a short while later with a different randomised MAC, you could still track that individual based on the list of networks they probe for.
If the client MAC is randomised for every single new 802.11 probe that makes it harder but you could still track based on a single unique SSID probed for (i.e. something more unique than NETGEAR).
I'm going to look into this and possibly update my tool iSniff GPS.
The randomized MAC address doesn't help here. If two probe requests have different MAC addresses but the same SSID list, then the tracker can guess that they are the same device.
Each device sends beacons out at an interval. By sorting all the probes by these intervals (10Hz or what ever) each will likely be slightly different from each other. So my device sends probes out at 0s another will send it out at 0.5s. Also by co-relating these beacons by signal strength well the random MAC doesn't really matter.
This only occurs for 'hidden' networks. If you do not have any hidden networks in your known network list than you will not be broadcasting SSIDs. This is yet another reason to avoid setting your AP to hidden.
Do you have a source for this? Is there any documentation of this in the 802.11 spec? I'm also wondering if devices send a single probe per SSID they're looking for, or one probe with a list of SSIDs?
I'm under the impression that most "mobile" WiFi-enabled devices will actively probe [0] for APs that they've been associated with in the past. It's the SSIDs and MACs of these APs that will be used to figure out who you are, despite your ever-changing client MAC address.
[0] By the gods, this is such a stupid idea. Aren't beacons often sent at a 10Hz rate? Assuming that we've associated with a network that actually sends beacons, why wouldn't remaining silent, listening for the beacon, then associating work just as well as probing?
I think this is a great example of how security and privacy gets sacrificed for convenience -- everyone seems more concerned with how fast they can connect to the first open WiFi network they find when they're roaming than what info they're broadcasting, and software's behaviour and interface reflects that. I'd like finer control over what my device does, like
- whether to automatically connect to any networks
- whether to use active scanning (and if it's off by default, I should be able to force one); passive scanning is fine unless you need to connect to networks without SSID broadcast, since it's just listening. Probably saves a tiny bit of battery too.
- better management of SSID list; I find the design where items in the list appear/disappear dynamically while you're trying to manipulate it rather irritating to use. I would prefer if there was an option to control whether the list gets updated, so it will stop accumulating useless networks. Finally, one for iOS (and Windows 8, which has regressed in this area): make it possible to forget and/or otherwise manage networks that are not in range.
I think they're saying you can still identify a device with pretty good certainty by the probe requests it sends. Probe will include the MAC of your home AP and other known APs, which are unique enough, even if your phone's MAC is changing with each probe.
Without being too specific, you should assume that Large stores already do this. Any store claiming to have "in store wifi" is almost guaranteed to be tracking you through your mac address.
The system that I'm familiar with only tracks where you're going. It didn't (as of a couple months ago) have any way of linking your mac back to a consumer profile.
name
sex
marital status
nationality
place of birth
profession
identity document type
identity document number
street address
city
state
country
cellular phone number
name of cellular provider
landline phone number
email address
barcode from your boarding pass
If you think that this is an April Fool's joke, I can assure you that it's real. Some of the above are optional on the form that's shown, but other airport ISPs in Brazil do insist that you fill in a lot of fields like the above.
I'm happy to say that the trend in the United States and Canada has been toward less or zero information for using wifi. Less than 10 years ago, it was quite common to see all sorts of questions to use wifi. And Internet cafes used to demand ID in the United States and Canada (and they still do in Brazil).
At Beijing airport if you're not Chinese they require a scan of your passport photo page at a special kiosk where they then give you a unique access code....
I also remember checking into a Brazilian hotel, where they wanted Brazilian guests, at least, to specify their highest level of formal education (!), as well as profession, date of birth, and the city from which the guest arrived and the city to which the guest planned to travel next.
I wonder if the last two are specifically meant to aid law enforcement investigations.
So they'd learn my name is Al Kapone, my nationality is the proud citizen of the glorious nation of Kazakhstan, my place of birth is the South Pole, my profession is a lion tamer and I live in 666 Fake Street, Garbadedataville. What they're going to do with this information?
Requiring email confirmation assumes the fact that the user can already connect to the Internet to access his/her email to read the message, throwaway account or not, so that wouldn't work too well...
It's not that, trust me. They make good money with your data. Take it as a way of payment for the "free" wifi.
It helps the same purpose as the loyalty cards, especially the ones that outgrow the original business (I'm looking at you both Tesco ClubCard and Nectar Card). Getting "points" by using those at other businesses like petrol stations helps them profiling you for "better" advertising. They also keep you a bit more loyal to their associated brands, but we already knew that bit :)
I wonder when that better advertising would actually come along. They keep collecting the data but so far all the ads I've seen is either utterly irrelevant crap or "you visited shoe store so our network would show you the same shoe store's ads for the next 3 months, because it can't be that you don't need buy new shoes every day".
It's pretty reasonable to expect a store would think of tracking a customer's path through the store. Websites do that all the time.
In addition, if we find a good way to provide information to the store owner about how his or her store is being browsed and used, it is likely that stores will provide better shopping experiences.
Not my downvote, but I suspect people don't like the slippery slope argument ("tracking is omnipresent on the web, therefore it's OK to do it in the real world as well").
Then there's "better shopping experiences" which most people's BS translators will read as "worse shopping experiences / persuading people to spend more than they intended".
To be clear, I'm not arguing that it is justified or moral. Whatever you think about 'right' or 'wrong', you have to realize that a person who builds a store is going to want to know everything about how his or her store is used. EVERYTHING. That's not good or evil, that's just logical.
Acting like it should be self evident to a store owner that tracking users is inherently wrong is just ignoring the viewpoint of the store owner wholesale. Does not lead to good policy.
It doesn't make much sense and looks utterly paranoid. To me, all this "privacy" thing looks more like a hype than something of real importance, and the companies like Apple are taking advantage of such a mentality. Suppose you operate a store, what would you want to do? Obviously collecting information to improve user experience is only natural. Put it this way: If, at the end of the shopping, somebody from the mall approaches you and asks you to fill out a survey about your shopping experience and what could be improved, would you comply? Probably one half of us will. Then why, a method which is not intrusive, does not take your precious time, and doesn't waste human resource on the part of the mall, would get such a strong reaction of yours? Is it really the "rationality" you boast? I totally doubt it. It's more likely pretensive overreaction.
Why is this so creepy? They know a piece of hardware has been in certain locations for a certain amount of time. This data can help improve your shopping experience and help the store better market to you. (While also increasing their sales). There is nothing personal about at MAC address go ahead and track it.
Also... Yes keeping your phone in Airplane mode is a bit paranoid.
Assuming they track every single purchase made at a store along with the credit card number used (or at least some form of ID associated with that particular card), and all the times the MACs left the store, how many sets of data do you think they need to get a 1:1 match between MAC and person? Even for really large stores, I'm guessing it would only take 2-3 visits before they can link you to POS records with decent accuracy.
Once they have that, your MAC address becomes personal. They know what that MAC buys, how long they spend in the store, how much they spend in the store, how often they visit, etc.
Couple that with the fact that with enough WiFi APs, you can triangulate a certain MAC to a specific location in the store, match with the cameras, etc. Probably track you to your car if they wanted with their satellites watching their parking lots.
And then we get into the problems created when these stores either start sharing this info, or the vendor they hire to install their tracking system starts approaching full coverage of the nation / developed world.
Keep in mind this isn't 'crazy future minority report' stuff. These are all things they are either doing now or could easily do now. All in all, it's just another damn piece of info about me that was once personal and now no longer is. "The amount of time Ben Reaves is spending looking at adult diapers is trending up. Flag their profile for incontinence."
Amazon, does this and it creates (for me) a better shopping experience. When I go to amazon it knows what things I want to buy and puts them right in front of me. Then it points me to other items that are related. Amazon knows precise,y what I look at and for how long before I buy it. Why is this good for online shopping and bad at a B&M store?
I think most people (including me) would probably agree that all this tracking creates a better shopping experience. Taken to its logical conclusion, eventually the stores will know what I want to buy before I even know I want it- they'll place it front and center in front of my face, said face will light up in sudden understanding that this is what I've been missing all my life, and money will exchange hands. Snark aside, I really do agree that this is a better shopping experience.
But we're not just talking shopping experiences here- the data, algorithms, and extra tracking that fuels the (perhaps extreme) future I described above has costs, mostly in personal privacy. Maybe I don't want the conglomerates (and the government, since we all now know they've got their 'black boxes' in the datacenters) to know my penis size, how good my relationship with my father is, what medical conditions I have, and just about everything else one can think of. However, this is the future we're headed towards.
Secondly, I think _greim_ said it very well in this post elsewhere in the thread: "Giving marketers deep psychological and behavioral insight increasingly enables them to circumvent rationality and "hack" consumers in various ways." There is a fine line, I think, between offering exceptional shopping experiences and manipulating your customers.
Mix that with a camera at each teller to do good facial capture for cash customers and cameras at the door scanning people coming in and it gets a bit creepier.
You know what is really creepy, when the tellers and staff at a store are painfully happy and courteous. If feels like if I frown or show any irritation their neck detonator will go off.
I'm genuinely curious, how does it being a problem for them benefit you? (I'm assuming you're not saying that out of indifferent malice but because you have personal gains, which is normal.)
I think on the general principle of privacy. But also, the idea that the more trackable you are, the more easily manipulated you are by marketers and advertisers. Free markets work better the more consumers are rational. Giving marketers deep psychological and behavioral insight increasingly enables them to circumvent rationality and "hack" consumers in various ways.
Thanks for a constructive and very insightful response.
This definitely seems to be a valid reason why people would be against being tracked. We don't want to be more easily manipulated (through the data that the ones doing tracking are able to acquire) and coerced into buying things we don't want/need (but the ones doing tracking want us to buy).
Would it be accurate to describe it like this: the consumers' interests are to be rational, less easily manipulated and "unhackable", and being tracked is a threat to those interests.
On the other hand, the store owners are trying their best to get their products sold, so their interests are opposite of the consumers, to find ways to sell as many things as possible.
If that's accurate, I find it interesting that there are these underlying "wars" occurring within a single species. In fact, a single person may wake up and go to work one morning, serving in the position of the one doing the "tracking" and fighting against the interests of consumers, then in the evening they may go shopping and end up on the other side, fighting against the interests of the ones doing tracking.
That's decently accurate. We're all doing what's in our best interest, in the role that we play in that time.
In general - I want to give people who don't know me personally (and especially people trying to sell me anything) less power to catch my attention and pull at my impulses, not more.
There's a ton of evidence we aren't doing what's in our best interest at minimum a significant minority of the time. In any event, the claim of economics isn't that people act in their best interest, but that they try to maximize happiness* -- whatever that is (it's rather recursively defined -- happiness is produced by voluntary transactions, which in turn are voluntary because both parties believe that the exchange will make them happier).
* or whatever it is makes transactions pareto optimal.
Meanwhile, behavioral economists have shown humans aren't even great at pursuing happiness; perhaps they have reached their high water mark, but they're certainly not completely wrong.
> Would it be accurate to describe it like this: the consumers' interests are to be rational, less easily manipulated and "unhackable", and being tracked is a threat to those interests.
In my view, yes. Being rational is by definition the only way to make my life better. The harder it is to be rational—to perceive the truth through all the layers of bullshit and manipulation—the less I trust my own conclusions, and free markets in general.
underlying "wars" occurring within a single species
Have you met any humans lately? We all have divergent interests, differently expressed in different aspects of our lives. The entirety of law and politics is this.
There's a flip side to this. Being less trackable means that any passive advertising or active marketing you do see is less tailored to your situation and needs.
When I walk around I see many billboards advertising products for which I have no use (e.g. female hair care products). If tracking technology could replace those with things I actually might buy (even if male hair care products) then I would be a touch happier.
Do you know what companies never do? They never ask.
I see dating ads, cars advertisements, feminine healthcare products, insurance ads, etc. What do I want to see? Travel accessories, computers, hardware, games, tech gadgets, etc. I never see these ads.
Why doesn't Google say, hey, you're going to see Adsense all over the internet, advertisements before videos on YouTube, etc. Would you like to select a few categories so that time is spent seeing some cool products that are relevant to you?
I've been on the internet for 15+ years, and no one stopped to ask just once. I could select categories in about 20 seconds that would be more accurate than all this data collection and profiling that happens every day.
Instead, I just block ads, and install ad block on every computer I come across. I make my living off ad revenue, but ads are absolutely awful, irrelevant and too often malicious. If they gave me the option to select some categories in the past, I probably would have discovered some decent products to buy, and keep them turned on. But nope, I can't recall clicking an ad in the past decade.
But if they asked, you could lie to them. Lots of people would. There's a total presumptive lack of trust, which is part of why the whole business is so corrosive.
Serious question: are you sure you'd actually be happier? I like efficiency as much as the next guy, but that doesn't mean that I'm looking forward to companies more efficiently marketing to me. Especially if it's going to be constant.
I have already started to notice ads targeted at me. Ads for niche outdoor gear companies that I patronize.
I can report that it has indeed made me happier, as compared to when the ads were "Click here, Millionth visitor, and win a prize!". The dragnet advertising is a constant assault on your intelligence.
It also helps that the targeted ads I am seeing are tasteful & well designed.
I adblock 90%+ of the time, but I let ads through on some websites.
It can go both ways. When I was researching for the next car I was going to buy, I started getting a _ton_ of car advertisements; however, most of them were useless. What their simple algorithm failed to notice is that I was looking at a very specific class of cars, and I spent more than 1 hour on several manufacturers websites doing research and had mostly narrowed in on my choice. The proper move would be to see that and advertise different dealerships to me, but I only got ads for other cars that I already decided I _didn't_ want.
Also, I like to research, in general. Which means I can often come across and get deeply into some very odd subjects and it seems there are some odd correlations out there in society. For example, after doing a bunch of research on different world religions and their origin stories, I started getting ads for the Mormon church, and strangely, for all types of gambling websites, destinations and attractions. None of this advertising was of any use.
I guess it comes down to a difference in acceptability of intrusive advertising. Personally, I am absolutely disgusted when adverts are tailored towards me (especially since I don't see them most of the time with Adblock).
Seeing tailored advertisements brings me a feeling of despair, in the sense that your personal privacy is being exchanged for money. It only serves as a sad reminder that you must actively fight to protect it, and that we, as consumers, are failing at it right now.
What's bad or irrational about being manipulated by marketers and advertisers? I don't see how buying something because some marketing convinced you of its worth is irrational.
Listen to your sentence, once you factor out the internal contradictions (emphasis mine):
> What's bad or irrational about being manipulated by marketers and advertisers? I don't see how buying something because some marketing manipulated you into thinking it was worth buying is irrational.
Most people, if it explained to them, would be generally uncomfortable with the idea of their movements in a public place being so specifically logged.
How would you feel if every time you were in a store, an employee followed you around and took notes on your actions?
Thanks for a constructive response to my question. I'm simply trying to gain a better understanding of the situation.
> How would you feel if every time you were in a store, an employee followed you around and took notes on your actions?
Most people would feel uneasy/bothered by that. But are those emotions warranted? If we did not get such emotions, would the same scenario be okay? Or are the emotions a consequence of the true reason why we're against such behavior.
It's also worth noting that the employee following you around is a visible behavior, while being tracked via Wi-Fi mac addresses is much less intrusive.
It's also worth noting that the employee following you around is a visible behavior, while being tracked via Wi-Fi mac addresses is much less intrusive.
It's less visibly intrusive, but the effect is the same. Our instincts aren't very good at reacting to effects we can't see, having evolved in a world where there were no undetectable ways for someone to follow us. Thus, we should consider what our natural reactions would be to a person doing the thing we want to use technology to do, before we create the technology to do it.
> It's less visibly intrusive, but the effect is the same. Our instincts aren't very good at reacting to effects we can't see
Absolutely true.
We should also consider the underlying causes of certain emotions, and whether or not they should be warranted.
Many phobias are unwarranted fears, so the goal is to eliminate the emotion rather than the underlying source. But the decision to _try_ to eliminate the fear can only be done after identifying and confirming that the fear is indeed unwarranted and unhealthy.
On the other hand, if the emotion is warranted, then it's completely valid.
What I'm suggesting is that human emotion serve as a really good indicator, but they cannot be taken as the absolute truth. It's best to investigate the actual facts and come up with logical conclusions. So neither trusting emotions blindly, nor ignoring them completely is the best course of action, but something in between.
Why should I have my movements tracked in a store when I'm not using the resources offered by them? They should feel lucky to have me in their store and provide service, not Orwellian surveillance.
My other beef here is that this is just another way to further dumb down and make retail employment completely mindless.
> Why should I have my movements tracked in a store when I'm not using the resources offered by them?
To answer your question directly, one of the advantages could be that they can optimize the store layout better so you don't have to walk as much to find what you want.
(There are other disadvantages and advantages, by listing one of them I don't exclude the existence of others, but I can't cover everything.)
> one of the advantages could be that they can optimize the store layout better so you don't have to walk as much to find what you want.
But stores do not want to do that. Stores know you want a pint of milk and loaf of bread. They put these two items far apart which means you need to walk past all that other stuff, this increasing the chance you'll buy something else.
Tracking technology isn't going to ne used to make my experience nicer unless that translates into more money fornthe store.
> Stores know you want a pint of milk and loaf of bread.
You, me, perhaps: what about other buyers, many of whom don't come to the store with detailed checklists? Their experience involves a fair amount of in-store exploration. For them placing milk and loaf of bread far apart might arguably be beneficial, because it makes them go past all of that other stuff they may forget to buy otherwise. Indeed, I imagine such customers are also easier to upsell to and more prone to impulse purchases of products that yield better margins—and that's part of the shopping process they visit the store for. Alas, people seem to enjoy buying things.
In short, I wouldn't be so confident that a store with more ‘rational’ layout would score better in the eye of the customer, even all else equal.
Disclaimer: I don't work in this area of business and this is purely my speculation.
This is interesting and indicative of a bigger problem.
Why isn't it most profitable for the stores to provide the best experience for customers in order to be most profitable?
Suppose there are two stores:
- Store A. Offers decent experience for the customer.
- Store B. Offers much better experience for the customer.
One would naively expect and hope that, given those two choices, more people would prefer to go to the better Store B and hence it would be more profitable. Hence the stores would try to do their best to serve the customer interests.
Why is it instead more optimal for stores not to optimize for the happiness of its customers?
Could it be because customers are not adept at recognizing which stores offer better experience for them, _and rewarding_ such stores by preferring them over other stores?
These are only speculations, but here are points based on my own habits:
1) The most important criterion for me when looking for a store, is walking distance. I don't want to bike, or drive to the store. So the closest store is almost guaranteed to win my business.
2) The second most important criterion is the price. I'm still a student so I'm a bit careful with my spending. So if a store is much much cheaper, and not too much further, then I might go there when I have big errands to run.
3) I am pretty much insensitive to the layout of the store. I'm already walking 10-15 minutes to get there, so 30 seconds between milk and bread is no problem really
Anyway, my point is that in my case, the reason why the "better" store doesn't win is that I don't really care about the criterion used to define it as "better". So going back to your point, a store doesn't have anything to do to serve my interest other than being close to my apartment and lowering the prices. The rest is almost totally irrelevant to me.
You are assuming that the customer is you, the schlub with the iPhone, are the customer in mind here. It isn't -- product merchandising in stores isn't rocket science. Any decent retail manager handles this stuff just fine and Wal-Mart has been able to track merchandising effectiveness using the registers for like 25 years now.
The customer here is the product manufacturers and distributors, and the product is shelf space. In big box and department stores, strategic shelves like end caps and the area near the escalators are paid placements.
Ditto for the supermarket. Ever notice that in different chains, Coke or Pepsi is always either in the front or back of the store across locations? That's because they bid on the preferred location.
Retailers are focusing on stuff like this because most mass retailers have unsustainable business models and aren't making money at the core job - selling stuff to people.
While I don't have evidence, I think it's reasonable to postulate that store A is able to offer the same products as store B at a lower price due to being able to offset it with the extra revenue earned from people having to walk across the store and buying additional products that they would not have otherwise. While you (and I) might value our time over saving 50 cents on a loaf of bread, a significant portion of the population would rather spend 50 cents less on a loaf of bread and be forced to walk across the store. For other people, the better experience might be saving 50 cents, whereas for you it's saving time.
Same thing with Google and TV commercials. For some people, privacy and security and saving time is a better experience, but for most, saving a few dollars here and there is a better experience.
And going even further, why don't customers punish the stores that give shitty customer by no longer shopping there? Same goes for your ISP, politician, etc... We have short memories.
ISPs = Not many people have a choice. My Parents can get Verizon DSL or Comcast Cable. Not really a "competitive choice".
Politicians = It takes time. Once they are elected terms last a long time and then people often have to choose a "new evil"... They can't just say welp, I don't support you anymore that'll solve the problem.
I think part of it is that there's no real venue for customers to express their satisfaction to other prospective customers. If I find a store relatively well-laid-out, convenient, and friendly, I don't have a lot of opportunities to evangelize that store, even if I want to, because my legitimate actual real customer opinion gets crowded out by and blends in with astro-turfers. Sure I can talk it up to my friends, but that's not really a common topic of conversation.
Depends what you're selling. A grocery store is like that since they operate on razor thin margins and making you impulse buy is how they are going to make more money.
An Apple store is not laid out like that. I always see the big ticket items upfront and the accessories in the back. Most people don't impulse buy things that expensive.
>An Apple store is not laid out like that. I always see the big ticket items upfront and the accessories in the back. Most people don't impulse buy things that expensive.
You just walked past the shiny new things twice while you were there buying a cheap accessory. Maybe you noticed something you'll buy in the near future.
Meanwhile, the big ticket items are window dressing, and people who haven't bought an iDevice don't need accessories for one yet.
If the store owner has to choose between using the data to make more profit or to enhance customer value, he'll likely choose the first option. You're not supposed to find the cheapest product easily, but that which provides the best profit ratio for the store owner. So, store layout will change in a way to manipulate your buying decision and you will not even notice the reason for the gradual change.
it's a simple test: if data companies collect where clearly explained to the user, would the user approve or not?
"By entering this store, we will permanently record your location every 60 seconds. The main purpose of said data collection is attempting to stitch your actions on the internet to store visits to more effectively sell advertising. Further, we will sell this data to many companies, most of whom we don't directly interact with. Our privacy 'policy' will most likely never be audited, and the worst possible outcome of violations is a fine in the low millions of dollars. We will hand this information over to police and lawyers if they clear the high bar of, well, asking for it. The nsa doesn't bother asking."
My guess is that most people would not be okay with that and choose to opt out.
But my question/argument is, would that be a rational decision? I don't see a lot of benefit for the customer to deny the store those options, so why do it if there's nothing to be gained from denying.
> attempting to stitch your actions on the internet to store visits to more effectively sell advertising
I think this is the key factor. If people see themselves as susceptible to such manipulation, then it does benefit them to deny such behavior to prevent stores from affecting them negatively.
>But my question/argument is, would that be a rational decision?
Does that matter? We[1] live in a capitalist democracy. One of the tenets of capitalism is that consumers should be well-informed and "vote with their dollars/feet", and the core principle of democracy is that the individual citizens get to decide how their society is run. We don't live in a LessWrong-ocracy where the world is run based on somebody's idea of rational objectivity or whatever.
I'm in politics so I know exactly how frustrating it can be when the average Joe doesn't necessarily agree with your vision of a rational decision, but if that's the case, the solution is to change their minds, not to circumvent or obfuscate to get around them.
[1] - I'm thinking Westerners in general, but I'm American, so I may be over-generalizing, we're good at that :-)
Notice that the very many organizations that track people, from businesses to government, rarely notify those they track (in an effective manner) and sometimes go to great lengths to hide it (e.g., many stories report police departments hiding their surveillance tactics, such as with Stingray).
If the argument is that it's good for the people tracked, why hide it?
(EDIT: Deleted the first paragraph; I can't find the reference.)
For me it is mostly about the involuntary nature of it. I actually don't mind myself, but I do mind not having the ability to turn that tracking off (well, without manually disabling Wifi all the time anyway) or in any way control or affect the profile it generates.
Interesting to compare to Google who tracks customers around the internet. Crucially, if you don't log in to a Google account you are only one 'clear cookies' away from erasing your profile (I wonder occasionally if Google reconstructs profiles across different cookie sessions or not ...). At least on that side, you have some control. You can't change your MAC address nearly so easily.
The MAC address is stable once a device is authenticated (connected) to the network. With the trend of providing 'free' wifi access within stores, making sure that users connect to that network is enough to continue tracking them.
> The MAC address is stable once a device is authenticated (connected) to the network.
That is necessary to keep the gateway from having to issue a thousand ARP requests (one for every packet you send from a different MAC), but there is no reason why the MAC chosen to connect to the network couldn't change every time you disconnect and reconnect. That would at least prevent you from being tracked between visits to the store [using this tracking method], even if you actually use the network.
True but wouldn't the landing pages of most of these services be able to document the OS, browser, resolution, type of device(tablet vs laptop and IOS vs android) and likely a lot of other stuff.
I can narrow down a huge list to a very short list using above information along with the probes being sent out co-related to the signal strength. Timing of each probe can also be leveraged in uniquely identifying,most probes are sent in interval from each device. Those probes that come in equal intervals are likely from the same source, leveraged against signal strength you can likely identify a small crowd. To take it even further you can calculate the signal as absorbed through the store to signal congestion and possibly other metrics.
Hence the "using this tracking method" caveat. Now you have to do something much more complicated just to get less specific data. And it's a cat and mouse game: You put up a useless landing page, device makers set their browsers to require TLS for any page previously found to support it, preventing you from redirecting requests to the majority of popular sites. Or they could just detect the ARP misuse that makes captive portals work and patch that particular vulnerability, because screw captive portals entirely.
It's a 48-bit space, so you'd need around 16M people connected with random IDs to have a high chance of collision.
Even by sticking to a certain subsets of OUIs, it's still probably fine. On top of that, listening to traffic (even after picking an in-use MAC) would allow you to determine if someone else is using that address.
By making sure your steel-reinforced concrete mall walls are thick enough to block proper 3G/4G reception (no, really, reception is pretty bad in a lot of indoor places).
But still, I agree, it would be very hard to have everyone connect to your wifi.
it's hard to get everybody, but it's easy to get a significant sample. just set up an open network called Starbucks WiFi and watch all the iPhones connect to it
But the device is still visible on wifi even if it does not connect. Some phones tend will try to connect to known networks pro-actively and will leak the SSID of those networks.
I wonder if this explains why a lot of these 'free' Wifi networks let you connect with no issues then ask you to login or whatever when you try to do anything. I figured it was probably just to offer a better login screen (than the Wifi settings on whatever device) but stabilising devices for tracking would make sense too if others do this.
Or, it's to force you to read and accept terms and conditions, to force you to type in your email, to force you to type in a one time use code to connect, to force you to pay money to connect, ...
>If this becomes the trend (which in my opinon would be nice) it will become a big problem for companies that specialise in customer tracking e.g. for supermarkets and big department stores.
Isn't that suppose to be illegal in first place? I mean without actual consent, tracking a device... Doesn't sound extremely ethical.
That said in some airports, changing MAC address is illegal. Now that the iPhone will support the feature and most owners will have no idea what's happening, I guess these airports will have to change policy :-)
You can only get that kind of information (e.g. IMEI) if you use IOKit, and you can't submit to the App Store if your app uses IOKit if you're not a part of the MFi (Made for iOS) program, i.e. a hardware manufacturer.
Edit: I'm really getting confused with downvoting on HN. How exactly is this comment poor?
I'm pretty sure the post you're replying to isn't talking about an iOS app, so IOKit doesn't have anything to do with it. They're saying that a store could install their own cell antenna to listen to nearby cell phones, record unique identifiers, and track customers that way. Apple is anonymizing MAC addresses to stop a similar form of tracking, but it won't work if there are other radio signals they can't anonymize.
Apologies if you knew that and I'm just not understanding your point.
Correct me if I'm wrong, but $tracking_co would just need to get their instore-tracker5000 approved by apple and then they are back to their old ways? I know that may not be cheap/easy for them, but still reasonably within reach.
I don't get it, defeating that kind of tracking sounds...awesome? Isn't that the point?
EDIT: sorry, I've had too little coffee today for proper reading comprehension. Clearly you think it'd be nice too and are not empathizing with the snoops and marketers.
Are retail stores actually using cell phones to track people at the individual level? I mean, I know the technology exists and all, but it just doesn't seem like it'd actually be all that useful to the stores.
My guess is that the stores that are using this tech are mostly concerned about how long the average person has to wait in the checkout line, not whether Joe Blow is was in the store.
Large stores use it to positionally track unique customers. They can analyze the paths they take and ultimately what they buy. This is powerful because the can optimize the layout of their stores to maximize sales based on hard data.
Have the stores release apps (or one app that works for the system they use) that trades a percentage off, coupons, etc, for location data.
"We'd like to learn a little about your shopping habits, and that includes sending anonymized data about your time in our store. In exchange for this, we'd love to offer you 25% off this purchase and 10% off all future purchases".
As nice as this may be for privacy, there is too much at stake here commercially, so this will likely be just a step in the cat and mouse game.
Face recognition comes to mind as a technology that can replace this, and perhaps as a result of the MAC scrambling we will see a bigger push for face recognition in stores.
Perhaps it's not quite that bad. Places like Home Depot use AT&T, so the AP is called attwifi. If you've ever used the wireless at a Starbucks or McDonald's, you've likely already approved your phone to connect to attwifi.
Strongly disagree. The relationship, while it can exist in some areas is by no means universal and certainly not linear. In many cases privacy may be invaded for no end user utility and in others utility may be possible without any privacy costs. Of course some things cannot be offered with privacy fully preserved.
