WASHINGTON — Signals emitted by your smartphone leave a digital trail that retailers can follow to find out how long you lingered in front of a sales rack or languished in a checkout line.
A growing number of mobile analytics companies use the Bluetooth and Wi-Fi beacons broadcast by smartphones to help retailers monitor customers movements in shopping centers, casinos, restaurants, hotels and airports.
One such company, iInside of Yorba Linda, Calif., boasts on its website that its sensors can pinpoint a customers location within a single meter of floor space.
On a larger scale, mobile carriers such as Sprint, AT&T and Verizon also use location data gleaned from cell towers to send ads for nearby businesses to customers phones, for example, or to prepare marketing reports on how many subscribers visit a citys football stadium and what kinds of apps they use during the game.
Proponents of the technology say the data gathered helps brick-and-mortar retailers compete with online rivals by personalizing and streamlining the customer experience. But consumer advocates warn that the mobile tracking trend underscores the need for stronger privacy laws. Federal regulators are taking a closer look at the practice.
Our understanding is that in many cases this is basically invisible to consumers, so we want to look at whether retailers or the companies theyre using are notifying customers of whats going on, said Amanda Koulousias, a staff attorney with the Federal Trade Commission, which recently hosted a seminar on mobile tracking in Washington.
Businesses that collect and sell mobile location data are eager to demonstrate that theyre capable of self-regulation. In a move timed to coincide with the FTCs seminar, the Future of Privacy Forum, a research center in Washington, announced the creation of a website (www.smartstoreprivacy.org) that allows consumers to opt out of having their locations mapped by participating companies, including iInside, the California firm.
The same group of companies signed a voluntary code of conduct, agreeing to collect only depersonalized location information unless customers give consent, and to alert customers to the use of tracking technologies by promoting the use of data collection signs in stores.
At the end of the day I think market forces prevail, and those retailers and other businesses that violate the trust of their consumers will be punished by the marketplace more than anything else, said Jim Riesenbach, the chief executive officer of iInside, who was a panelist at the FTC seminar.
Riesenbach pointed out in an interview that surveillance in stores is nothing new, although mobile technology allows retailers to analyze customer behavior in greater detail than ever before.
There have been camera systems in stores for many years, not only for surveillance standpoint but also from a traffic-counting standpoint, he said. Theres systems in stores that allow retailers to check how many people walk in the door and how many people walk out the door and things like that, and so what were doing is taking that to a much more granular level.
Heres how it works: Riesenbachs company sets up sensors in clients stores. The sensors pick up probes emitted about every 60 seconds from Wi-Fi-enabled smartphones, and continuously by Bluetooth-enabled smartphones. The probes include a 12-digit code, known as a MAC address, which is unique to each phone.
Using a scrambled version of the MAC address, the sensors can monitor how long a customer waited for a cash register, which aisles the customer browsed and how many times that customer returned to a store or visited different stores in the same chain.
The data compiled dont include personally identifiable information such as users names or addresses. In that sense, proponents say, its similar to a real-time traffic map that shows cars identified by license plates or vehicle identification numbers but not by drivers.
More retailers are quietly testing the technology. The number of stores that installed iInsides sensors grew eightfold last year. Riesenbach declined to identify any of his companys clients, however.
His reticence speaks to the sensitivity of mobile tracking, as businesses try to take advantage of the new technology without alienating customers.
Our clients are basically private about what they are doing, he said. They dont know how its going to be reported; theyre worried that things can be taken out of context.
Sprint also declined to identify clients who use its mobile advertising or analytics programs, which launched in 2012.
The carrier uses only anonymous, aggregated data, and it protects subscribers privacy by allowing them to opt into personalized mobile advertising or opt out of mobile analytics reports, said a corporate spokeswoman, Stephanie Walsh. Users are notified of their choices by text message, on bills and via Sprints website.
Before Im a businessperson, Im a human, and I care very much about my privacy and how my data is used, said Evan Conway, vice president of strategy for Pinsight Media+, a Sprint subsidiary that handles mobile media projects for the carrier.
Frankly, we are so much more careful than any of the experiences that people are used to online, Conway said. If you look at the online world, theyre busy dropping cookies all over your computer, sharing where youre going with whoever is interested. Thats kind of diametrically opposed to the whole approach that Sprint takes.
While its commendable that some companies limit the ways they use tracking, the barriers to entry are very low and the temptations are great, said Seth Schoen, senior staff technologist for the Electronic Frontier Foundation, a digital civil liberties group.
Anyone can set up location tracking sensors at any time. You dont need more sophisticated hardware than a regular laptop, Schoen said.
Theres very little consumers can do to protect themselves other than disabling Wi-Fi and Bluetooth on their phones or turning them off completely, he said.
The fact that mobile devices are easily trackable is a fundamental security problem, Schoen said.
Mobile phones were nominally built to enable communications at the users request, and for what are sometimes obscure technical reasons and unintended consequences of engineering decisions, theyre effectively shouting into the radio spectrum to announce the users presence all day long, he said.
So I think we have to articulate that that state of affairs isnt what users want, it isnt something they mostly are aware of and its something that needs to be fixed.