Popular Bay Area cafe Philz Coffee is tracking how often and for how long its customers visit its various locations through smartphones, tablets, and any other Wi-Fi connected devices that are inside and nearby the shop — without asking anyone’s permission to do so.
Beginning in 2012, the coffee company partnered with retail analytics firm Euclid, installing devices in its stores that detect the “pings” Wi-Fi enabled devices send out while searching for networks to connect to. The “pings” include what’s called a device’s Media Access Control (MAC) address (which is kind of like a unique device serial number) that’s used by Euclid in aggregate to provide business intelligence in order, they say, to improve operations.
It’s not just a business’s customers that are tracked, however: Euclid’s technology also scans devices of those passing by.
Reached by telephone Friday morning, Philz Coffee CEO Jacob Jaber told the Appeal that “We think [the Euclid devices are] a useful way for us to help deliver a better customer experience. What we’re particularly interested in is dwell time, so, for example, we can restructure the furniture in various locations to accommodate commuters or customers who camp out with their laptops.”
The collected information about customer habits is aggregated and anonymous, so Philz can’t actually look at any person’s habits individually, the CEO said.
The Appeal verified there was a small sticker informing customers of the tracking (that’s one there pictured above) in at least three locations in San Francisco.
In general, there have been an increasing number of brick and mortar businesses experimenting with the technology, according to a report by the New York Times.
Once they’re made aware of the tech, not every Philz patron is comfortable with the tactic. “The creepy thing isn’t the privacy violation, it’s how much they can infer,” Bradley Voytek, a neuroscientist who had stopped in at Philz Coffee in Berkeley, told the Times last year.
Digital civil liberty defenders the Electronic Frontier Foundation also have a problem with the retail tracking technology at Philz.
The blame for this kind of tracking should be directed at cell phone (and other wireless device) manufacturers, for producing gadgets with “persistent unique hardware identifiers that are automatically transmitted wirelessly, in the clear, even when the user isn’t intentionally communicating using the device,” senior staff technologist Seth Schoen told the Appeal.
But, the retail analytics companies shouldn’t get a free ride either, and can “certainly be criticized for doing something creepy” because there are “legal concerns” over the means of gathering location information about US citizens, he said.
Euclid doesn’t believe it’s doing anything wrong, however. “We’re shoppers too,” said Euclid CEO Will Smith in a prepared statement, “so we wanted to create a powerful product that helps retailers optimize the shopping experience, while at the same time could be proud of as consumers. We’ve built our technology from the ground up with privacy in the forefront, and none of the information we collect can ever be traced back to an individual.”
However, despite Euclid’s insistence that the collected MAC addresses from devices are anonymized, Schoen said that the obfuscation technology used to do so doesn’t actually work. Schoen also posits that because of most analytics companies’ close ties to the advertising industry, there’s no financial incentive to improve the anonymization of the data.
Other security experts suggested that this type of technology has the potential for misuse in the advertising industry. “Modern advertising has a greater and greater focus on understanding purchasing habits,” Morgan Marquis-Boire, a researcher from the University of Toronto, told the Appeal.
“Enabled by the ubiquity of smart-devices and big data processing power, a vast amount of consumer information is being collected and analyzed in a manner and quantity previously unheard of.”
Schoen also pointed out that because Philz partners with Facebook and Cisco to set up the infrastructure in its stores, Facebook would theoretically be in a position to observe the MAC address alongside a Facebook user name, thereby establishing a correlation with a device owner’s actual identity.
Jaber, Philz’s CEO, said the theory was too technical for him and that he didn’t understand what Schoen was talking about.
If you’re not interested in being tracked, there are a few ways to opt out of the Euclid tracking besides refusing to patronize all businesses that admit that they use the technology: Turning off a device’s Wi-Fi altogether is one solution, albeit an obvious one. It’s also possible to opt out of retail tracking in the US altogether by going to this website and following the instructions.