UK malls quietly start tracking you through your mobile

Back in November the Daily Mail did a scream piece on Big Brother technology monitoring your mobile phone presumably to piggyback on the news coming out of America at the time about Path Intelligence getting kicked out of a few US malls. It must be a slow news day as they are back at it again with a rehashed piece on Big Brother mall tracking. Despite our *love* for the Daily Mail here at Bitterwallet HQ the story is worth picking up as it seems Path are gaining traction in UK retail.

Path Intelligence is a UK company that produces a product called Footpath which tracks people through an area using their mobile signal. Here's the quote from Path's site about how the Footpath product works: "The Path Intelligence FootPath system consists of a small number of discreet monitoring units installed throughout the centre. These units calculate the movement of consumers without requiring the shopper to wear or carry any special equipment. The units measure signals from the consumers' mobile phones using unique technology that can locate a consumer's position to within a few metres. These units feed this data (24 hours a day 7 days a week) to a processing centre, where the data is audited and sophisticated statistical analysis is applied to create continuously updated information on the flow of shoppers throughout the centre."

So how does the Footpath system work and do you have cause for concern? Obviously Path doesn't explain fully on their site how their technology works but here's our best guess as to what they are doing (anyone who is a GSM network specialist please jump in the comments with anymore advice!). When you enter a location served by a network base station your mobile interacts with the station regardless of you being on the subscriber network. The base station creates a visitor location register of all the mobiles in the area and assigns them a TMSI (Temporary Mobile Subscriber Identity). This TMSI is used throughout this location area but is updated if you move to a new location area.

Presumably Footpath is setting up local base stations which maintain a visitor location register and triangulate using multiple signal stations to locate the individual within a few metres. The TMSI would be persistent through the mall location allowing Footpath to follow users through the mall.

It is true that Footpath is not able to gain your mobile number nor your personal name or info on your phone. However, depending on how the base station is configured I believe it is able to access your IMSI (International Mobile Subscriber Identity) which is persistent across geographies and time. If Footpath or a similar service is storing your IMSI it would be possible to build up a rich individual profile of behaviour despite not having personal details or phone number.

Path Intelligence claim they respect the public's privacy and that they do not correlate mobile activity with other forms of identification. For example, as you are tracked to the metre your activity could be mapped to CCTV footage to provide facial profiling (Path explicitly point out they do not correlate with CCTV footage). Other methods of identification could also be used such as credit card payment at the till mapped to your location at the till.

To be clear, Path Intelligence state they do not correlate tracked activity with other data, however it should be pointed out how the persistent activity data could possibly be used by parties to build up a detailed profile of your purchasing activity, movements and interests without your consent or knowledge. Path Intelligence exonerates themselves by stating malls are obligated to display a plaque in the entrance notifying users that in the "interests of customer service" mobile movements are monitored. The implicit suggestion is that mall visitors are duly informed about the consequences of entering the mall and their entrance indicates consent for being tracked.

In the end, this is the concerning part of the story. Whether Path is using the data responsibly or not, many individuals don't like having their behaviour tracked, particularly if it is persistent even just for a single location. Assuming that persons give consent through passive means is a dangerous precedent in the offline space as technology enables advertisers to reach deeper into our personal behaviours. Those who wish to avoid giving away this information, no matter how innocuous it may be, should have the knowledge of when this activity is occurring and a simple way to opt out from it. The recent changes to EU data privacy in regards to tracking cookies and "right to be forgotten" shows that legislators are increasingly aware and interested in preserving our control of personal privacy in an age of increasingly pervasive technology. This same control which is being demanded online should extend to offline occurrences of consumer tracking and identification.


  • The B.
    "If Footpath or a similar service is storing your IMSI it would be possible to build up a rich individual profile of behaviour despite not having personal details or phone number." To what ends though? With product such as Mosaic/Acorn, the profile can be broken down by categories like postcode, sex, age range. This gives you an IMSI and a list of shops people have been to, unless you can cross reference the IMSI to different ranges then it's utterly redundant as a marketing tool, you couldn't even track by purchase and cross reference because the receiver stations wouldn't be that accurate.
  • James
    "Path Intelligence exonerates themselves by stating malls are obligated to display a plaque in the entrance notifying users that in the “interests of customer service” mobile movements are monitored." Can I suggest that anyone finding such a notice lets the Bitterwallet team know, and in a few days time they publish a list of all the participating malls? Along, perhaps, with contact details so that we can let the owners know that we promise not to shop there again until the monitoring units are removed? BW team - would you be up for that?
  • Paul N.
    @The Real Bob - Path Intelligence are saying they aren't cross-referencing to other sources of data. As I wrote, I think it would be fairly trivial to correlate with other data including purchase data if desired. Mosaic is also at the postcode level not the individual level. The more worrying provider is Hitwise which is at the individual level and then aggregated - of course this is all the same company now. @James - I didn't try to find the list of malls but I believe it is all the Land Security malls if not more.
  • The B.
    @Paul - I had a meeting with Experian about 4 months ago, they sell Mosaic at both individual and postcode level (apparently anyway, I can't imagine it's too accurate). I wouldn't be too concerned to be honest, there's not a lot they can do with the data they collect, certainly compared to the likes of Quidco and TopCashback, think of the stats they have (although whether they can actually resell them is dubious).
  • Al
    @Paul - I think you're explanation of how it works is pretty much correct though my understanding of it is that it's a purely passive system. That is, they never transmit anything to your phone (as this would require a costly license). Instead they are eavesdropping on the TMSI that your phone is using to communicate with your operator's base station. The IMSI is trickier to get hold of and, as far as I know, is only broadcast when the phone boots up. I believe the police have active phone tracking where they can trick your phone into giving up its IMSI/IMEI giving them the ability to uniquely identify and track people at protests and then get your name/address off the network operator is they want to have a word with you.
  • Al
    Oh noes ... I committed the sin of mixing your and you're.
  • Paul N.
    @The Real Bob - Hmm ok didn't know they were doing individual level with Mosaic. @Al - I don't think eavesdropping on the TMSI would work as it's encrypted and regularly cycles right? So you couldn't keep a fix on an individual phone with it. My guess was that they are acting as a base station so that the handset sends the initial "handshake". Now that I'm thinking more... the TMSI is set by the base station though - can any base station set a TMSI even if they are not the service provider? ie can a mobile contain multiple TMSI that identifies it to multiple base stations at a time.
  • mikepegg
    Been going on for some time in Portsmouth:
  • rubidium
    With the imminent arrival of Near-Field-Communication purchasing using your mobile this would allow any firm to track purchases by a particular mobile user (user specific tracking as oppose to random) and then individual users code be tracked with a TMSI as described. So any mobile user paying with NFC could be identified and tracked between shops and their purchases all logged. But given we all go to Tescos etc and use our clubcards then thats probably fairly irrelevant...
  • The B.
    That's a very good point it'd be perfect for use with NFC, that's if the technology ever takes off.
  • Al
    @Paul - A slightly more technical explanation is available in their patent (google 'WO2006010774'). Their key advantage they cite is the passive nature of the device. In the parent document they claim that the TMSI is broadcast unencrypted on a control channel. I believe the TMSI does regularly cycle (not sure how often) but they can still work out who you are ... if a phone disappears in the middle of a shopping centre and then another one magically appears then chances are that it's the same phone. It's not 100% accurate but probably good enough ... especially if they can track you to the metre as the TMSI change will be very quick.
  • Mister n.
    You and the Daily Mail - redefining "News"
  • Rich
    Didn't know the UK had "malls" :s
  • Jeremy
    I don't own a mobile, on the grounds that no call can be that important. Seems I also get privacy as well. Is it conceivable that these people aren't building databases of private information but are happy to pay for base stations etc just to follow someone through a shopping centre (He went into shops A, B & C), but we don't know if he bought anything? Why not just employ a few minimum wage serfs, who could trail wealthy looking people around the place?
  • I'm g.
    Because Jeremy, the bigger picture isn't companies collecting data about our shopping, the bigger picture is our dear leaders knowing everything they can possibly know about all of us. Just like my father would like to know everything I do unless I stop him, our dear leaders are trying to deny us the right to say stop
  • The B.
    @Paul - Apologies. Just had a look and what Mosaic touted as "individual" is in fact still at postcode level but broken down by Mosaic code i.e. 5% are Silver Surfers, 7% are Blue Collar, etc.
  • The B.
    "I don’t own a mobile, on the grounds that no call can be that important." - Jeremy Except when your mother phones you up screeching down the phone that your father has just keeled over clutching his chest and could you shift your arse over there asap. Never been gladder to have a mobile at that single point in time.
  • ID c.
    [...] Nikkel, writing in the Bitter Wallet web site, has a thoughtful comment piece on the subject. He concludes: Path [...]
  • Lawrence
    I suppose that the benefits of the system aren't for marketing purposes - rather the location of shops within shopping centres*. Are people going into multiple homeware shops* dotted around the centre, or are they just going to one? Would the other homeware shops benefit from being placed nearer to the most popular one? Are people happy to wander around the centre for department stores? If so, are they popping into other shops they see as they pass by? With regards to the "passive acceptance of legislation", I'm pretty sure that there are certain rules about what Terms and Conditions can be binding when only "passively" accepted (hence the "active" have-you-checked-the-box on most web forms). It's previously been decided in court that failing to read a contractual term does not exclude you from it, however if a party wishes to rely upon a significant term/exclusion then they are required to draw "reasonable attention" to it. I wonder how prominent the signs in the shopping centre entrances are? Also, what is the range of the base stations being used? Would your phone be connecting to them outside the shopping centre (i.e. before you've had a chance to read the sign)? I'd imagine that this is highly possible/probable. If so, they'd be falling foul of some other contract laws... "a representation made by one party cannot become a term of a contract if made after the agreement was made. The representation can only be binding where it was made at the time the contract was formed." * If we're talking UK, let's use the correct terminology. ;-)
  • Lawrence
    Oh, and incidentally Paul... isn't this a direct example of shops (well, shopping centres) using a fairly clever bit of minimally invasive technology to improve the "shopping experience"? In your article the other day you spoke about how shops need to do all that they can to improve the customer experience. Is working out at what point in a shopping centre people stop shopping and decide they need to find the nearest coffee or loo, then putting a coffee shop or new toilets in that point, improving the customer experience? Maybe, a little. If not, at least it'll reduce the amount of time that they spend wandering around aimlessly trying to find the nearest facilities...
  • Tim
    This technology has a filter on it. Anyone old enough to own a free bus pass is automatically filtered out by the fact they never have their phone switched on anyway.
  • Paul N.
    @Lawrence - I'm not sure it is improving the shopping experience but even if so I think when it comes to your data and privacy it should be transparent and opt in. Good points in regards to the coverage and shopping centre signage.
  • Major A.
    Hmmmm still dont ever recall seeing a clear and noticble sign at any of the entrances to Gunwarf Quays the last time i went there! Must check that the next time i go down.....
  • james D.
    If this is just anonymous data tracking your movement as just one of many anonymous variables I have no problem with it. As soon as they start tying the data to me as an individual person though then I will not be happy.
  • Frank P.
    Also here

What do you think?

Your comment