Larry Page, Sergey Brinn and Mark Zuckerberg became billionaires at very young ages because they created a way, through Google and Facebook, to track the moment-by-moment movements of billions of consumers online. The aggregate of this data is worth hundreds of billions of dollars to marketers, politicians, and any other group trying to sell you a product or an idea.
This week, Short Pump Town Center in Glen Allen, Virginia, a Richmond suburb, announced that it will be one of two malls in the United States that will use customers’ cell phone signals to track their movements through the mall during the holiday season.
My initial reaction was, “This is just too creepy and too invasive”. I wrote up a blog post outlining why I would not be shopping at the mall. But after thinking about it for a bit, I decided to withhold judgment on that. I am in a good position to give folks a realistic view of what is being done and what the risks are.
I am a software developer and I specialize in web-based software. I have worked with a lot of the Facebook, Google and Twitter tools and have a pretty good understanding of how their systems work. In addition, I have worked in the area of internet security and I know a good bit about how hacking and security work in the online and offline realms.
In the security world, there is a concept known as PII or “personally identifiable information”. This is any information that by itself or combined with other information can be used to personally identify someone. Examples of PII are a Social Security Number, a home address, a driver’s license number, etc. You should always be very, very careful about where, how and with whom you share your PII.
Now before anyone panics, detecting your phone’s unique signal does not personally identify you any more than your computer’s IP address or your car’s license plate do. Simply knowing that piece of information doesn’t tell the holder of the information anything about you except maybe that you have a phone, drive a car or are using a computer. However, this information is unique to you and it can be used to personally identify you if not properly guarded by the people who have the information – like your cell phone provider, the Department of Motor Vehicles or your internet service provider. But you also must do your part.
Hacking and identity theft are rarely achieved by a heist-movie-worthy-break-in to a secure system. The majority of the time, the hack is achieved through “social engineering” which is basically manipulating some unscrupulous person into giving out information they should not. The unscrupulous person could be someone at your cell phone provider or DMV or even you.
A thief does not need to break in or manipulate anyone in order to obtain a wealth of hair-standing-on-end-creepy amount information about you. With just the trail you leave online, someone who knows what to look for and where to look could build a pretty good profile of most people who spend a decent amount of time online. Go search for yourself on Spokeo.com – I’ll wait right here.
BTW, you should go to Spokeo.com and find your information and ask for it to be removed anyway. They are legally bound to remove you from their database if you request it.
You might ask, why are they allowed to do this?
Well, first of all, when you are out in public, whether at a park, a mall, or online, you have no reasonable expectation of privacy. The law and society agree that you should expect that anything you do in public can be observed even monitored and tracked by a someone else. The onus is on you to protect any information you do not want publicly known.
In our free market society, the law gives business a lot of leeway on what information it can collect and compile about you. A lot of this information seems harmless by itself but when aggregated it can give a frighteningly detailed picture of you: where you live, approximately how much money you make, approximately how much you paid for your house, where your kids likely go to school, previous residences, criminal record, etc.
The point of this article is not to judge the morality or ethics of these notions but to inform readers about what is going on so you can make informed deicsions for yourself.
Protecting your privacy requires a lot of diligence. You probably routinely give out information without even realizing it. For instance, did you know your cell phone embeds “meta data” in every photo you take. So when you upload that photo to Facebook, they know exactly when you took the photo and where you took it? I’m not sure if any PII (personally identifiable information) is embedded in the photo but it could be.
As a software developer, it is my job to think like my clients, many of them involved in marketing, and to anticipate their needs. I promise you that developers are already working on ways to track your moment-by-moment movements online and offline – because that is exactly what I would be doing. This informaion is worth hundreds of billions of dollars and they would not be very good business people if they were not working on this. It is inevitable.
Short Pump Town Center is not violating any laws. Whether tracking the moment-by-moment movements of citizen-customers is ethical or good for society is a matter for debate and for another article. My opinion is that shopping there is as safe as can reasonably be expected. Any time you do anything, especially in a society as “wired” as ours, you risk your actions being monitored. Simply turning off your phone prevents you from being tracked.