Every smartphone these days comes equipped with a WiFi card. When the card is on and looking for networks to join, it's detectable by local routers. In your home, the router connects to your device, and then voila — you have the Internet on your phone. But in a retail environment, other in-store equipment can pick up your WiFi card, learn your device's unique ID number and use it to keep tabs on that device over time as you move through the store.
This gives offline companies the power to get incredibly specific data about how their customers behave. You could say it's the physical version of what Web-based vendors have spent millions of dollars trying to perfect — the science of behavioral tracking.
Thousands of customer interactions a day are logged and uploaded to the databases of third-party companies that specialize in retail analytics. Estimates vary as to how big this industry is, but according to Polonetsky, nine major players account for the vast majority of tracking activity. Others estimate there could be as many as 40 major and minor firms.
Here's how it works. To distinguish themselves from other nearby devices, all WiFi or Bluetooth-enabled gadgets come with something called a MAC address. It's a unique, 12-digit code that helps routers send data to the right recipient. (MAC addresses have nothing to do with Apple, although Apple products that ship with wireless components come with them.) By logging the MAC address, companies can identify individual devices.
In general, no personally identifiable information can be gathered this way, says Stillman Bradish, co-founder of The Wireless Registry, a D.C.-based start-up that designs ways for consumers to opt out of the tracking. But, he added, as with any type of metadata, it's easily possible to cross-reference it with other forms of public or commercial information. The resulting data slurry can help firms build detailed profiles of consumers, even if the consumers themselves remain anonymous.
Thwarting this tracking yourself can be impractical. One option is simply to turn off your wireless cards whenever you enter a store. But that might still not prevent a retailer from snatching your MAC address while you're walking by the promotion in the window outside. Some retail analytics companies — including New York-based Nomi, which this week raised $10 million in venture capital — offer an opt-out function on their Web sites where you can type in your MAC addresses and state your desire not to be tracked. Doing this for every device you own can be exhausting, however. And some retail analytics companies don't provide the opt-out feature.
That's where Bradish and The Wireless Registry's other co-founder, Patrick Parodi, come in. Together with the Future of Privacy Forum, the two hope to build a kind of central Do Not Call list for MAC addresses. At least in theory, consumers will be able to visit a single Web site, register their MAC addresses for free, and the major tracking companies that have committed to the project will pledge not to follow those addresses around brick-and-mortar stores. It's a form of potential self-regulation that should look familiar if you've been following the debate over online tracking, where Web browsers have begun letting users tell commercial Web sites they don't wish to be followed.
"This database is going to allow these signals to be identified — it's going to allow people to take control over their proximal identities," said Parodi, referring to the way offline tracking depends on a person's nearness to a store rather than their exact location as divulged by their mobile communications traffic.
The registry is set to launch within the next few weeks; Polonetsky says he's still hammering out the agreement among the analytics companies, and that The Wireless Registry's idea is one of a number of technologies that could ultimately power the list. But the real question isn't when the registry will arrive; it's whether it'll work. There's no law that compels companies to obey the list, so when you hand your MAC address to the retail analytics companies, you're as likely to be doing their jobs for them as you are to be insulating yourself, says Chris Calabrese, a privacy lawyer with the American Civil Liberties Union.
"The danger is that it leads to more tracking rather than keeping you from being tracked," he says, adding that even if the companies that agree to honor the list stand by their word, others may not be so scrupulous if the registry happens to leak.
Earlier this year, Sen. Chuck Schumer (D-N.Y.) took aim at cellphone tracking and demanded the Federal Trade Commission take on the practice. For its part, the FTC has said it is interested in regulating commercial tracking, including on mobile devices.
Meanwhile, although consumers might blanch at the idea of their proximal identities being used for advertising purposes, Parodi argues that the technology might become beneficial in other ways, particularly if the balance of power were returned to the consumer. He and Bradish have patented their idea for a MAC address registry and envision a kind of "proximal API" that will allow app developers to detect nearby signals and trigger an action — without the need for an active Internet connection, as many current geolocation services require.
"It's about asking, 'What are you near?' as opposed to 'Where are you?' " says Parodi. "If you have a MAC address and are willing to take advantage of that, you can engage with your surroundings in powerful ways."