The Arcology Garden

In Stores, Secret Bluetooth Surveillance Tracks Your Every Move - The New York Times


Along the same Technology Privacy nightmare-lines: Every move you make, I’ll be watching you: Privacy implications of the Apple U1 chip and ultra-wideband

In order to track you or trigger an action like a coupon or message to your phone, companies need you to install an app on your phone that will recognize the beacon in the store. Retailers (like Target and Walmart) that use Bluetooth beacons typically build tracking into their own apps. But retailers want to make sure most of their customers can be tracked — not just the ones that download their own particular app.

So a hidden industry of third-party location-marketing firms has proliferated in response. These companies take their beacon tracking code and bundle it into a toolkit developers can use.

The makers of many popular apps, such as those for news or weather updates, insert these toolkits into their apps. They might be paid by the beacon companies or receive other benefits, like detailed reports on their users.

The passive surveillance panopticon is here, we just don't realize it yet, or realize it's being used against us yet.

Location marketing aims to understand “online-offline attribution.” If a Starbucks coffee ad is sent to your email, for example, marketers want to know if you actually went there and bought a coffee. The only way to know is to monitor your online and offline habits at all times.

All of this surveillance is just to see whether you have looked at an advertisement. This is pure surveillance capitalism, and there is evidence from Real Economists that that it's a bubble1.

And despite what Apple and Google and the surveillance enablers will tell us, it's not "just" an opaque device ID and a location: it is as much as they can afford to pass, and as often as much as they can get away with it.

Location data companies often collect additional data provided by apps. A location company called Pulsate, for example, encourages app developers to pass them customer email addresses and names.

Not to be left out, in 2017, Google introduced Project Beacon and began sending beacons to businesses for use with Google Ads services. Google uses the beacons to send the businesses’ visitors notifications that ask them to leave photos and reviews, among other features. And last year, investigators at Quartz found that Google Android can track you using Bluetooth beacons even when you turn Bluetooth off in your phone.

For years, Apple and Google have allowed companies to bury surveillance features inside the apps offered in their app stores. And both companies conduct their own beacon surveillance through iOS and Android.

It should not be lost on the public that Apple created the first Bluetooth system of commercial surveillance. Apple’s chief executive, Tim Cook, recently wagged his finger at the “data-industrial complex.” Unlike other tech giants that monetize surveillance, Apple relies upon hardware sales, he said. But Mr. Cook knew what Apple was creating with iBeacon in 2013. Apple’s own website explains to developers how they can use iBeacon to micro-target consumers in stores.

Companies collecting micro-location data defend the practice by arguing that users can opt out of location services. They maintain that consumers embrace targeted ads because they’re more relevant. Industry players further claim that data is anonymized through techniques that mask the identification of users. Your data may be stored as “ID-67aGb9ac72r” instead of “Jane Doe.” Yet studies have shown that it is relatively easy to deanonymize mobility data. Moreover, the process of “informed consent” fails to protect user privacy. As The Times noted in an investigation into smartphone location tracking, “The explanations people see when prompted to give permission are often incomplete or misleading.”

Direct swipes at "informed consent":

For informed consent using beacons, you have to first know that the beacons exist. Then, you have to know which places use them, but venues and stores don’t put up signs or inform their customers. You can download an app like Beacon Scanner and scan for beacons when you enter a store. But even if you detect the beacons, you don’t know who is collecting the data. Let’s say you visit Target; it might be collecting data from you, but it might rent its beacons out to other businesses, allowing them to monitor your location. Moreover, some beacons are not secured, so third parties can “piggyback” off public beacons and use them to collect your location. There is no way to know if a store has secured its beacons.


author bio: Michael Kwet is a visiting fellow at the Information Society Project at Yale Law School, and host of the Tech Empire podcast.