The field of "mobile location analytics"—where tracking companies work with brick-and-mortar retail stores to collect insights about customer behavior based on fine-grained location information harvested from mobile phones—has taken a small step towards self-regulation with a new code of conduct published this week. The code was announced by the Future of Privacy Forum and Senator Charles Schumer, who two years ago intervened to convince a mobile location tracking company not to test its system in two American malls during the holiday shopping season.

The industry is likely hoping to calm privacy concerns that have generated public outcry and attracted the attention of legislators. Earlier this year, Senator Al Franken said that mobile location tracking companies are violating people's "fundamental right to privacy." And in 2011, Senator Schumer himself acknowledged those problems and urged the industry to develop an opt-in mechanism to get explicit consent.

The Code of Conduct

Unfortunately, the published code falls well short of that proposed standard. Instead, it establishes an opt-out system, where users must enter the unique 12-digit MAC addresses of each of their mobile device's Bluetooth and Wi-Fi chips into a database that tracking companies commit to honoring. 

Beside the irony of asking the most privacy-conscious consumers to hand over their MAC addresses to tracking companies, the scheme seems unlikely to see much pickup. For one thing, many users may not be aware of this kind of tracking in the first place, much less whether any particular retailer is tracking them. Tracking is invasive, but surreptitious.

The code attempts to address that lack of information by establishing notice rules as its first principle, but its notice proposals are weak as well. For example, it depends on the retailers, which are not party to this agreement, to implement in-store signage providing notice of the tracking. Retailers, though, have seen customers get upset about the tracking after seeing those signs, so there's an incentive to make it less noticeable. 

Further, the code proposes creating a widely adopted symbol to indicate that mobile location tracking is taking place, rather than plain language like "If you’re carrying a mobile device, this establishment may be tracking your movement and location." The most direct parallel to that symbol might be the "AdChoices" icon, which allows people to configure whether they are shown targeted online ads. That icon has been widely adopted by advertisers, but is virtually unknown among users

How Identifiable Is a MAC, Anyway?

The code instructs that tracking companies should use hashing to "de-personalize" MAC addresses. That approach, though, has significant limitations.

For one thing, MAC addresses are, by design, fixed permanently to a single device. In practice, they can sometimes be changed in software, or "spoofed," but that software is not available for every platform and may require technical expertise to use. The privacy concern here is like that presented by biometrics: once a MAC address is correlated with an identity, it can be difficult or impossible to shake that connection.

That quality makes a MAC address attractive for tracking repeat customers, because it's unlikely to change between visits, but also rings alarm bells for privacy. Hashing the MAC address doesn't address those concerns: by definition, hashing the same value always produces the same result. In other words, hashing creates a pseudonym for the MAC address, but it is still persistent.

MAC addresses are also broadcast frequently, and it's easy to imagine advertisers or others could work to correlate them with personally identifiable information. Companies that operate paid WiFi networks, and thus collect both device networking information and account credentials, may already have that kind of database.

That's a problem because hashing MAC addresses doesn't really de-personalize them. Hashing generally make it virtually impossible to go from a hashed value to the original, but hashed MAC addresses could actually be reversed through brute computing force. That's because there are only 248 possible MAC addresses, and in practice many fewer than that, due to fixed bits and standard vendor prefixes.

Conversely, with a list of unknown hashed MAC addresses and a list of identified unhashed MAC addresses, it is simple to hash the second list and look for matches.1

Finally, the code requires companies to commit to not de-personalize the data or allow downstream clients or contractors not to use it to identify particular individuals. Importantly, though, that is a policy limitation—not a technical one.

Pen Register/Trap-and-Trace Device Concerns 

It’s generally illegal to record or decode "dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted" without a court order unless you're a provider of communications service and can fit into one of the statutory exceptions.

We’re unaware of any relevant case law, but capturing MAC addresses from smartphones might run into this statute. Note, however, that this law doesn’t have a private right of action, i.e., it doesn’t say that an ordinary person can sue someone under it.

What Tracking Companies Shouldn't Do

Mobile tracking companies have compared their services to online analytics options, but there are important reasons not to accept that argument at face value.

First, it creates a privacy ratchet: treating online tracking practices as uncontroversial and bringing offline tracking to the same level could undermine important steps the public has taken to unwind certain invasive online methods.

Second, offline analytics techniques for now leave less of a trail than their online counterparts. Users can monitor or block connections to and cookies from online tracking networks, but currently have no way of knowing whether an offline store was using location tech, and from which vendor. That missing information means users can't truly be making informed consent decisions.

It's encouraging to see companies in this field acknowledging the concerns and adopting regulations. But until that approach provides meaningful benefits for the users, it is not much comfort for privacy-conscious consumers.

  • 1. This attack isn't possible if the original list hashed MAC addresses with an unknown "salt" value. However, the code doesn't specify the use of a salt, and tracking companies may be concerned it would complicate device-matching across multiple sessions.