SEATTLE--A new company that plans to track millions of retail shoppers through a unique ID emitted by their smartphones says it wants to be privacy-friendly.
Will Smith, co-founder and chief executive of Euclid Elements, showed up at the PII privacy conference here today to say that identifying repeat visitors by these unique IDs -- the so-called MAC addresses broadcast when Wi-Fi is turned on -- shouldn't be an issue.
"We put a sensor in the store," Smith said. "It passively detects smartphones that come near the store."
Instead of asking shoppers to choose to opt-in, the company adopted an opt-out model, which means visiting a page on Euclid's Web site. MAC addresses are stored for 18 months and only aggregate data is made available to the retailer, which is required to post a notice telling shoppers what's happening.
But that still means a company, however well-intentioned, will keep detailed logs about the movements of millions of Americans (or at least their mobile phones and perhaps laptops and other gadgets) around cities and shopping malls.
"Because it's such a passive process for the user, it's hard to ensure people understand how this data is being used," says Parker Higgins, an activist at the Electronic Frontier Foundation. "If it really creates value for the shopper, it should be something they opt into. But in practice, it's going to be happening without their knowledge most of the time."
Euclid's database would also allow police armed with a court order to learn about someone's whereabouts as long as they know or can find a suspect's MAC address. (You can typically find your MAC address through your laptop or smartphone's About screens. Wireless access points may also record them.)
Smith said that Euclid has not received any requests from law enforcement. "There are a lot better data sets from the carriers, etcetera than from us," he said.
After a CNET article in June raised privacy concerns about a related feature that Google employed to track MAC addresses, Google curbed the practice. A month later, in response to a second CNET article, so did Microsoft. (Those databases were a bit different and made more information public; they were designed to help mobile phones speed up location fixes by using nearby Wi-Fi networks to determine their positions.)
The kind of aggregate data that Euclid collects, showing what percentage of people enter a store, is useful enough without taking the customized-advertisement approach fictionalized in Minority Report, Smith predicts: "It's really about how frequently are people coming... If you take a certain blend off of your coffee menu, do you lose 15 percent of your regular visitors?"
"Once shoppers give up this information, in some cases without realizing it, it's out of their hands," replies EFF's Higgins. "A data breach, a government subpoena, an overreaching retailer -- all these things can mean invasions of personal privacy in ways people have no control over." (Euclid changes each unique Wi-Fi MAC address into another unique MAC address through what computer scientists call a hash function, but the modified address remains a unique identifier.)
Bellevue, Wash.-based Point Inside is taking a different approach. Instead of collecting data on shoppers' Wi-Fi devices, this company turns smartphones into smart information location and tracking tools -- but only if shoppers voluntarily install and use its app.
"You can order a shopping list and get into and out of the store quicker," said Josh Marti, the company's chief executive and co-founder. (A video shows the app being used to find fruit quickly in a grocery store.)
By tracking customers with their permission, Point Inside allows retailers to learn more about them, Marti says: "Do you have a quick pick persona? Do you have a shopping list persona?...We have a pilot going right now that has three- meter accuracy 90 percent of the time."