Looks like the honeymoon between Philz Coffee and retail analytics company Euclid Elements is over. The breakup was aired in public yesterday when the popular Bay Area coffee shop’s CEO Jacob Jaber said that it’s going to discontinue its policy of tracking customers and passers-by who are equipped with wireless devices, a practice we reported on earlier this week.

“We think [the tracking devices are] a useful way for us to help deliver a better customer experience,” Jaber told the Appeal last week. “What we’re particularly interested in is dwell time, so, for example, we can restructure the furniture in various locations to accommodate commuters or customers who camp out with their laptops.” The detection devices monitor the frequency and duration that Wi-Fi connected devices (cell phones, tablets, and laptops, for example) are nearby and within the shops, and have been active and in place since 2012.

Following the Appeal’s story, Jaber said that the company takes “privacy really seriously” and that the tracking program managed by Euclid will “no longer be active.” By as early as this weekend the devices will be out of the cafes, according to an ABC7 News broadcast.

When contacted by the Appeal this morning for comment on the decision to discontinue the tracking program, Jaber said, “I’d appreciate it if there wasn’t any update.” Jaber had made no bones about his displeasure with our earlier report, responding aggressively to customer queries on Twitter and by telling this reporter that we didn’t sufficiently emphasize that the collected data is anonymous and the company can’t spy on its customers — which Euclid confirmed that all the data is indeed anonymously presented to Philz.

Nonetheless, retail tracking remains a serious concern to digital liberties defenders the Electronic Frontier Foundation.

“There are no real meaningful technical constraints on this kind of monitoring,” EFF senior staff technologist Seth Schoen told the Appeal. “You can do it yourself with an ordinary laptop, just by running software that tells the laptop to pay attention to the hardware addresses attached to wireless signals in the vicinity. And there is no really meaningful way to detect who is monitoring you.”

The Euclid devices in places like Philz’s stores detect the “pings” Wi-Fi enabled devices send out while searching for networks to connect to. The “pings” include what’s called a device’s Media Access Control (MAC) address (which is kind of like a unique device serial number) that’s used by Euclid in aggregate to provide business intelligence, in order to, they say, to improve operations. It’s not just a business’s customers that are tracked, however: Euclid’s technology also scans devices of those passing by.

Schoen also pointed out that because Philz partners with Facebook and Cisco to set up the infrastructure in their stores, Facebook would theoretically be in a position to observe the MAC address alongside a Facebook user name — thereby establishing a correlation with a device owner’s actual identity, at least in theory.

When asked about this partnership, Jaber, Philz CEO, said the theory was too technical for him and that he didn’t understand what Schoen was talking about.

Euclid maintains that it’s not doing anything wrong, however. “We’re shoppers too,” said Euclid CEO Will Smith in a prepared statement, “so we wanted to create a powerful product that helps retailers optimize the shopping experience, while at the same time could be proud of as consumers. We’ve built our technology from the ground up with privacy in the fore-front, and none of the information we collect can ever be traced back to an individual.”

It appears, however, that consumer response to the news that Philz employed this technology convinced Jaber that Euclid was not the right fit for his business. Before privacy fans relax too much, however, the EFF’s Schoen reminds them that the real issue is not just with retailers like Philz or the retail analytics industry, it’s with wireless devices, themselves.

“I think that the ability to track a device’s physical location should be viewed as an engineering problem with the device itself and that cell phones (here, through their wifi interfaces) are an example of a device that has this flaw or misfeature, along with laptops and plenty of other communication devices.”

Please make sure your comment adheres to our comment policy. If it doesn't, it may be deleted. Repeat violations may cause us to revoke your commenting privileges. No one wants that!
  • thingsthings

    I fail to see the issue with Philz/Euclid. Yes, disclosure would’ve been nice. And I’m glad its been amicably resolved.

    SFappeal’s website is using Quantcast, SiteMeter, and StatCounter to collect data on me right now. Not to mention the the social media widgets embedded too. So I can’t help but think this feels like a hit piece or the standard tech-journo knee jerk.

    Edit: typo

    • Shakakai

      Agree. Disclosure is key but every site you visit is doing the same thing.

    • Look into a plug-in called Ghostery. On this page, it identified twelve trackers, and blocked the eleven of the twelve I see no reason to allow to run code on my machine. (The twelfth being Disqus.)

  • I’ll believe it when I see it. And I really want to believe that Philz doesn’t understand what’s happening here.

    It’s not just that Facebook set up infrastructure in Philz’s stores. As one friend pointed out to me, Philz Palo Alto store converted their wifi to a forced Facebook sign-in, blocking Apple’s wifi login dialogue. That’s a sneaky way of giving Facebook data; the goal is to get a Facebook cookie into your mobile device’s primary browser.

    This friend also pointed out that Palantir hosts a public Philz at Forest Ave., “and Palantir/Euclid share VCs, recruiters, etc.”

    To me, this story is far from over.

    Finally, this is not a knee-jerk reaction by a few people, it’s a genuine feeling of fear felt by many. Go look at the anger Philz got on Twitter after the first Appeal story ran. A little bit of informed consent would have gone a long way.

    • thingsthings

      I hear your point. Mine is, why Philz? They are a relatively small, local business. Hence, low-hanging fruit.

      Every wi-fi network you join is privy to your activity. On a higher level, so is your ISP and the other telecoms like Level3. Just do a traceroute and you’ll see.

      RE FB. They use it for marketing, of course. I’m sure having customers ‘check-in’ to FB has generated a lot of business for them. You can opt-out. Plus nothing is free. At least they’re explicit about it.

      • thingsthings

        And no. I do not work at Philz. I live near one in SF and like all the employees. I’d hate for my neighbors to lose their jobs from something this.

        • I’m a Philz fan too (from back when Phil was serving coffee out of his 24th Street corner store). I just don’t think whoever made this decision understood the questions it raises or thought about how customers would react, from knee-jerk to well-versed. I think businesses need to know what they’re getting into, and what they’re getting their customers into, and I worry that companies like Palantir, Facebook etc. take advantage of the knowledge gap to get “theirs”. Customers can’t opt-out or refuse Euclid’s tracking, even by choosing not to physically go into a place of business that uses Euclid, and that’s a problem. On a site like SFA, we have a reasonable expectation of behavior and can at least refuse when we use tools like Do Not Track.

          Why Philz? I think you answered your own question. It’s low-hanging fruit. Perfect for testing and development because it’s small and local, with a strong relationship already in place with Euclid/Palantir. It’s a natural fit for an industry that has been testing and developing IRL B2B tracking data analytics across the US for years. I spoke with VC’s backing B2B facial recognition apps after I wrote this http://www.zdnet.com/blog/violetblue/san-francisco-hates-your-startup-scenetap/1326 and learned quite a bit. The only thing that’s unclear to me is what Philz was really going to get from it.

          And maybe you misunderstood: it’s not an FB check-in, it’s a forced login. Sure, customers can choose not to use the wifi. But it’s not clear at all to ordinary customers that this is the only way to “opt out” of FB sniffing your mobile browser data, habits (and when does that cookie expire?) just to use the wifi in your local cafe.

          Thanks for the great discussion.

  • Diane Feinstein

    $20 coffee nuts == copper foil hatted nuts

  • sfsoma

    Most of the customers I’ve observed at Philz use electronic payment. The advertisers know that you specifically had a certain drink at a certain time on a certain day. Why worry about anonymous collection here while it is everywhere one goes now? This is nothing but media pandering for clicks.

    • Forthright

      Keep telling yourself that….

  • swagv

    Philz customers are all sheep anyway. I don’t see the problem.

  • Forthright

    Strange that someone would let his business become such a tool for the CyberTrackers, unless there was some major $$ involved…