Your phone is blabbing your location to anyone who will listen
by Devin Coldewey, NBC News
Everywhere you go, your phone is sending out signals that can be assembled to form a picture of your movements. You can’t turn them off, and companies have begun to pick them up, often without any indication that they’re doing so. As this trend develops, smartphones could spell the end of real-world privacy.
“It’ll get worse before it gets better,” mobile industry expert Chetan Sharma told NBC News. “Unless leaders step up and work on a framework that works for all consumers, it’s going keep getting worse and worse until it is unbearable.”
That prediction may sound grim, but alarming examples are mounting.
A company called Renew recently enabled the LCD-toting “smart trash bins” in London to record the unique MAC addresses — broadcasted in order to facilitate network connections — of devices in the hands or pockets of passersby.
In a single day, just a fraction of the network of smart bins collected data from nearly a million devices. By comparing when a device was in range of one bin to when it appeared at another, or for how long it stayed in range, the movements of these devices could be determined with a high degree of accuracy. All of this happened without a single person noticing — no consent, no warning, no opportunity to opt out.
It’s not the first time such tracking has been done — the fashion retail company Nordstrom tried it out recently, and other firms are already selling this service to brick-and-mortar retailers — but it was perhaps the most high-profile revelation of the practice, triggering an Internet outcry and a conciliatory blog post from Renew’s CEO.
“The process is very much like a website,” wrote Renew’s Kaveh Memari, after explaining that the real-world (but, he stressed, anonymous) tracking had been discontinued. “You can tell how many hits you have had and evaluate repeat visitors, but we cannot tell anything personal about any of the visitors on the website.” This is a common argument of those who track us on the Web — but of course, with enough collected data points, a personalized portrait is easy to paint.
The scary part is that if Renew hadn’t said anything, no one would even have known the bins were collecting all of this data. You can’t opt out of something you don’t know is happening to you.
“People are not consenting to this,” ACLU electronic privacy expert Christopher Soghoian told NBC News. “The phone doesn’t vibrate every time the store tracks them.”
Soghoian said it would be trivial to block such tracking attempts, particularly since MAC addresses can be switched without causing problems. However, mobile operating systems like Android and iOS have “not been built with privacy in mind.”
It’s not just a matter of fixing this one vulnerability, said Bruce Schneier, another leading security technologist.
“Tracking technology will just get better,” he told NBC News. If they can’t identify a MAC address or some other software feature, he said, “they actually can use the noise pattern from your antenna.” That gives your phone a fingerprint that can’t be overwritten or hidden.
If you’re walking through a park and someone takes your picture, that photographer might argue that you didn’t have a reasonable expectation of privacy. You were, after all, in plain view. So what about with your smartphone? Can you even expect privacy for your device, which is constantly reaching out to cell towers and Wi-Fi hotspots, if it’s out in “plain view” of other machines?
Yes, say the experts. Sharma noted that with, for example, CCTV cameras, people are clear on the fact that they’re being recorded, and they understand what is being captured.
That’s not the case with this kind of electronic surveillance. Not only is there no requirement for companies to alert users that this type of information is being collected, there’s no mechanism for it.
“There’s a consistent, systematic violation of privacy by — I’m not going to say everyone, but a significant number of the big players,” warned Sharma.
Euclid is a technology company that, like Renew, tracks foot traffic by “sensing” smartphones. Its system, sold to retailers, not only tracks “how shoppers flow through your store” but it keeps tabs on “their visit duration, and return shopping patterns.”
“To be honest, the industry standard is no disclosure whatsoever,” said John Fu, Euclid marketing director, told tech site ITWorld earlier this year. “Whether they’re using cameras, infrared, Bluetooth, or Wi-Fi, no one is doing really good notification.”
The problem is that customer tracking is potentially so lucrative — and really, it could also be useful. Marketers will want to know what area of town you eat lunch in, so they can offer coupons when you step outside the office. Retailers want to know which of their locations has the most foot traffic, or where people stay seated the longest. And users, of course, want their phone to be remembered for ease of connection with local Wi-Fi spots.
But what if an insurance company got data from such points that suggested you regularly sped on your way to work? Or if your employer found that your phone was hanging out at a bar when you’d called in sick?
If you’re still not creeped out by the possibilities, think about this: Google filed for a patent in 2011 detailing what they call “pay-per-gaze” advertising. It would track what someone wearing a Google Glass-like device was looking at, and alert advertisers which billboards and brands users saw, studied, or skipped.
A “Minority Report”-esque scheme of hyper-personalized ads isn’t as far away as you’d think. And things may get pretty serious before regulators get involved, or before developers decide that protecting privacy is more profitable than invading it.
“Obviously, data is not bad,” said Sharma. “Data is great. It just needs to be paired with transparency and easier ways to have privacy. At some point you cross a line — society needs to establish where that line is.”