Imagine picking up your morning coffee at Philz before class and noticing that the usual 8:45 a.m. rush has not kept you waiting the last few weeks the way it did at the beginning of the semester. You also happily notice that Philz has started offering a new berry protein kale snack, which is perfect for your post-yoga pick-me-up. It’s as if Philz can read your mind, and you feel slightly guilty for Starbucks-cheating last week when they offer you a half-off skinny latte for being such a loyal customer. With such efficient crowd control, specialized merchandise, and seemingly random loyalty rewards, why would anyone go anywhere else?
Though that story is entirely fiction, the fact that Philz likely knows how often you visit, how long you wait in line, and what other coffee shops or public locations you’ve been to in the last several months is not. Relieved that you’ve never bought anything from Philz? Well, if you’ve walked past a store, they know that too.
Philz Coffee is one of many commercial businesses purchasing plug-and-play sensors from data analytics companies to track customers’ wifi-enabled smartphones and collect customer data for marketing and business analytics. This post focuses primarily on Euclid Analytics, though many others offer similar platforms, such as Turnstyle Solutions and iBeacon (see previous blog post). It examines the privacy implications specific to this use of geolocation data and explores the need for privacy frameworks in this type of consumer data collection.
How does Euclid’s technology work, and what data is collected?
Euclid Analytics offers a plug-and-play sensor, data processing, and analytics platform that allows a business to purchase and install a small sensor and instantly begin collecting data from customers who carry a wifi-enabled mobile device. If a device’s wifi is turned on, even if it is not connected to a hotspot, the Euclid sensors collect its location, manufacturer code, and MAC address; the MAC address is scrambled with a one-way hashing algorithm and the data are then transmitted over Secure Sockets Layer (SSL) for storage at Amazon Web Services (AWS). Because a one-way hash produces the same scrambled value for a given MAC address every time, repeat visits and cross-store triangulation can be tied to the same hashed identifier, even if that identifier is never formally linked to an individual’s identity. The sensor can track smartphones within 24,000 square feet and can pinpoint a customer’s location to within a 10-foot radius.
The range and precision of Euclid devices mean they may pick up consumers who are never patrons of a Euclid-powered store, and may even pick up signals from nearby patrons of other stores. As Euclid’s customer base expands, it is able to match your location not only across multiple Philz Coffee locations, but across any other store that uses Euclid technology. The technology can determine not only where a customer has been, but how much time they spent in line, in the bathroom, or browsing a particular section.
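To make the linkability point concrete, here is an added example (not Euclid’s code, whose hash function and key handling the post does not describe) contrasting the assumed unkeyed one-way hash with a keyed, scoped pseudonym that an operator could use to honor the "promptly de-identify" and "limited retention" principles discussed later. The sightings, store names, and key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample sightings (store, day, raw MAC); not real sensor data.
# The same phone (MAC a4:5e:60:11:22:33) is seen twice at one store and once
# at a second store that uses the same analytics vendor.
SIGHTINGS = [
    ("philz_store_a", "2014-03-01", "A4:5E:60:11:22:33"),
    ("philz_store_a", "2014-03-08", "a4:5e:60:11:22:33"),
    ("bookstore_b",   "2014-03-08", "a4:5e:60:11:22:33"),
    ("philz_store_a", "2014-03-01", "f0:d1:a9:44:55:66"),
]

def plain_hash_id(store: str, day: str, mac: str) -> str:
    """Vendor-wide unkeyed hash (assumed scheme). The same MAC yields the same
    ID at every store on every day, so all sightings join into one profile."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:16]

def scoped_hmac_id(store: str, day: str, mac: str, secret: bytes) -> str:
    """Keyed, scoped pseudonym: HMAC over (store, day, MAC) under a secret the
    operator deletes after its retention window. The ID is stable within one
    store-day (queue-time analytics still work) but cannot be joined across
    stores or days, and cannot be recomputed once the key is gone."""
    msg = f"{store}|{day}|{mac.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]

def ids_for_device(mac: str, id_fn) -> set:
    """Distinct pseudonyms one device receives under a given id scheme."""
    return {id_fn(s, d, m) for s, d, m in SIGHTINGS if m.lower() == mac.lower()}

def linkability_report(secret: bytes = b"constructed-demo-key") -> dict:
    """Count distinct IDs for the tracked phone under each scheme:
    1 means every sighting links to a single profile; 3 means none of the
    three sightings can be tied together."""
    mac = "a4:5e:60:11:22:33"
    return {
        "plain_hash": len(ids_for_device(mac, plain_hash_id)),
        "scoped_hmac": len(ids_for_device(
            mac, lambda s, d, m: scoped_hmac_id(s, d, m, secret))),
    }

if __name__ == "__main__":
    print(linkability_report())  # {'plain_hash': 1, 'scoped_hmac': 3}
```

Scoping the key to a store-day deliberately gives up cross-day loyalty analytics; widening the scope (one key per store, rotated monthly) restores repeat-visit counts at the cost of longer linkability, which is exactly the retention choice the Code’s "limited time only" principle leaves to the operator.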
Why could this information be sensitive?
Recently in London, a marketing firm announced the deployment of trash cans that track the unique hardware identifier of every wifi-enabled smartphone that passes by. Location data can reveal very private information and put users at physical risk: once a device is identified by its MAC address, its location history can be determined exactly. While Mobile Location Analytics (MLA) companies try to persuade the public that the transmitted data are aggregated and cannot be tied to an individual or device, the data themselves reveal attributes of the customer. For example, a device that enters the women’s restroom most likely belongs to a woman. Moreover, the combination of a MAC address with any unencrypted traffic that leaks from the device can form a powerful database for nefarious purposes.
Privacy policies? Notification? Opting out?
Last October, to allay public privacy concerns, Euclid announced its adoption of the MLA Code of Conduct, which was cooperatively drafted by seven location analytics companies, government officials, and public policy advocates. As a self-regulatory and enforceable standard, the MLA Code requires that participating companies:
– Provide a detailed privacy notice on their website describing the information they collect.
– Promptly de-identify or de-personalize the MAC addresses they collect.
– Ensure that MLA data is not used for adverse purposes (like employment or healthcare treatment eligibility, for instance).
– Retain MLA data for a limited time only.
– Provide customers with the opportunity to opt out of mobile location tracking.
To analyze how well the MLA Code supports privacy, we refer to the privacy framework and find that, while the MLA Code is a good start, it has design flaws that could be improved.
First, the collection of location information is not clearly restricted in inappropriate contexts. Although the MLA Code requires that the data not be used for adverse purposes, the scope of adverse purposes is loosely defined as “employment eligibility, promotion, or retention; credit eligibility; health care treatment eligibility; and insurance eligibility, pricing, or terms.” This scope is too narrow to cover the large potential for misuse, and it implies that as long as MLA data are used for business analytics, retailers are free to access and use the data in any form. Euclid offers Euclid Express, a free service that lets any individual user easily install a sensor and access the data, yet Euclid does not specify how it ensures that such usage qualifies as an appropriate context. We think the definition of context should be complemented with more specific variables; for example, certain physical places such as bathrooms, hospitals, and hotels may be inappropriate contexts in which to retrieve customers’ data, even for business analytics.
Second, user control and consent are weak under the MLA Code. Although the Code requires MLA companies and their clients to inform customers about the collection and use of MLA data, it makes an exception for data that are not unique to an individual or device. The Code also operationalizes consent as an opt-out, which in our inspection is a relatively difficult step for a customer to take. Without active notice from retailers, we assume most customers are not even aware of the MLA technology; under these circumstances, how can we expect customers to take the additional effort to submit an opt-out request? We went through Euclid’s opt-out process and found that, after submission, it takes a surprisingly long 7 days to delete the applicant’s MAC address from their database.
Finally, the MLA Code approves secondary use of the data. Its fifth principle allows MLA companies to provide MLA data to unaffiliated third parties as long as the third party’s use is consistent with the principles of the Code. Because this principle permits secondary use without the user’s consent, it leaves privacy in a vulnerable state.
Privacy frameworks and businesses
Identifying gaps in the current privacy framework is a topic of research in many organizations, especially in government. According to a study by the US Government Accountability Office in September 2013, there is no overarching federal privacy law governing the collection and sale of personal information, including by information resellers such as Euclid Analytics. Instead, a number of laws are tailored to specific situations and purposes. One example cited is the Fair Credit Reporting Act, which limits the use of personal information collected or used to help determine eligibility for things such as credit or employment, but does not apply to marketing. Other laws apply to healthcare providers, financial institutions, or the online collection of information about children.
Although private sector companies argue that the current statutory framework for privacy should suffice, the study found that gaps do exist and that the current framework does not incorporate the Fair Information Practice Principles.
A majority of businesses hold the view that an overarching privacy framework would inhibit innovation and efficiency while reducing consumer benefits such as relevant advertising and beneficial services. The private sector prefers self-regulation over additional legislation. In their view, additional regulation would be especially hard on small businesses and start-ups, since it would raise compliance costs and thus hinder innovation and the economy in general.
We believe a comprehensive privacy framework for businesses that is ‘sector agnostic’ would be welcome. Much of the self-regulation by privately held businesses is arbitrary in nature, and a good majority of them fail to provide adequate privacy protections. Given the plug-and-play nature of many of these MLA platforms, some businesses may not realize that using this type of analytics has privacy implications at all. It is easy to put privacy best practices on the back burner when faced with business challenges. The argument that increased regulation would decrease commerce is also suspect. While it is true that targeted marketing has increased conversion rates from ‘potential buyers’ to ‘buyers’, privacy groups have argued that increased privacy protection has actually increased consumer participation. Encryption technologies that consumers know about give them the confidence to engage in transactions that use those technologies.
Having said that, a careful study of the impact of such regulation on businesses, especially small businesses, should be undertaken so as not to over-regulate and limit the information available to them. A carefully prepared list of acceptable and restricted types of personal information should be used, and regulation should apply only to the restricted personal information.
Recommendations for future action
Any future privacy framework has to comply with the Fair Information Practice Principles.
– A person should be given sufficient notice about the information practices before data are collected. This would exclude companies such as Euclid from gathering data from a passerby who is completely unaware of the sensors and their purpose.
– Users should have easy access to their personal information. A mechanism has to be provided to monitor how the information is being used and to contest any data they consider erroneous or undesirable.
Given the relatively large number of companies engaged in retail analytics or information reselling, it is highly impractical for a person to track information across all of these databases and exercise his or her rights. Therefore, a single system tied to an individual that houses the information collected about that individual would be ideal. Anyone who wishes to track his or her personal information could access the system and see what data has been collected, whether from a visit to Philz or the gym, and the use to which it is being put. Although it would require significant initial investment, such a system should address the privacy concerns and provide a complete picture of a person’s information footprint. If businesses would like to avoid government regulation, the onus is on them to implement such a sector-wide system. If businesses are unwilling because of the financial or administrative overhead, the government should step in.
By Sophia Lay, Elaine Sedenberg, and Rahul Verma
Sadowski, Jathan. 2013. “In-store Tracking Companies Try to Self-regulate Privacy.” Slate, July 23. http://www.slate.com/blogs/future_tense/2013/07/23/privacy_self_regulation_and_consumer_tracking_euclid_and_the_future_of_privacy.html
“Easy to Implement and Scale: Euclid Analytics Is the Easiest Way to Measure Visits, Engagement, and Loyalty to Your Store.” 2013. Euclid. http://euclidanalytics.com/product/technology/
Clifford, Stephanie, and Quentin Hardy. 2013. “Attention, Shoppers: Store Is Tracking Your Cell.” New York Times, July 14. http://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html?pagewanted=all&_r=0
Goodin, Dan. 2013. “No, this isn’t a scene from Minority Report. This trash can is stalking you.” Ars Technica. http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/
Future of Privacy Forum. 2013. “Mobile Location Analytics Code of Conduct.” http://www.futureofprivacy.org/wp-content/uploads/10.22.13-FINAL-MLA-Code.pdf
“Senator Schumer and Tech Companies Announce Important Agreement to Protect Consumer Privacy.” 2013. Euclid. http://blog.euclidelements.com/2013/10/senator-schumer-and-tech-companies.html
“What Is the MLA Code of Conduct?” 2013. Future of Privacy Forum.
Doty, Nick, Deirdre K. Mulligan, and Eric Wilde. 2010. “Privacy Issues of the W3C Geolocation API.” UC Berkeley School of Information, Report 2010-038.
“Opt-out.” 2014. Euclid. https://signup.euclidelements.com/optout
US Government Accountability Office. 2013. “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace.” GAO-13-663. Published Sep 25, 2013; publicly released Nov 15, 2013.