UK malls quietly start tracking you through your mobile
Back in November, the Daily Mail did a scream piece on Big Brother technology monitoring your mobile phone, presumably to piggyback on the news coming out of America at the time about Path Intelligence getting kicked out of a few US malls. It must be a slow news day, as they are back at it again with a rehashed piece on Big Brother mall tracking. Despite our *love* for the Daily Mail here at Bitterwallet HQ, the story is worth picking up, as it seems Path are gaining traction in UK retail.
Path Intelligence is a UK company that makes a product called Footpath, which tracks people through an area using their mobile signal. Here's the quote from Path's site about how the Footpath product works: "The Path Intelligence FootPath system consists of a small number of discreet monitoring units installed throughout the centre. These units calculate the movement of consumers without requiring the shopper to wear or carry any special equipment. The units measure signals from the consumers' mobile phones using unique technology that can locate a consumer's position to within a few metres. These units feed this data (24 hours a day 7 days a week) to a processing centre, where the data is audited and sophisticated statistical analysis is applied to create continuously updated information on the flow of shoppers throughout the centre."
So how does the Footpath system work, and do you have cause for concern? Obviously Path doesn't fully explain on their site how their technology works, but here's our best guess as to what they are doing (anyone who is a GSM network specialist, please jump in the comments with any more advice!). When you enter a location served by a network base station, your mobile interacts with the station regardless of whether you are on the subscriber network. The base station creates a visitor location register of all the mobiles in the area and assigns them a TMSI (Temporary Mobile Subscriber Identity). This TMSI is used throughout this location area but is updated if you move to a new location area.
Presumably Footpath is setting up local base stations which maintain a visitor location register and triangulate using multiple signal stations to locate the individual within a few metres. The TMSI would be persistent throughout the mall location, allowing Footpath to follow users through the mall.
It is true that Footpath is not able to obtain your mobile number, your personal name or the info on your phone. However, depending on how the base station is configured, I believe it is able to access your IMSI (International Mobile Subscriber Identity), which is persistent across geographies and time. If Footpath or a similar service is storing your IMSI, it would be possible to build up a rich individual profile of behaviour despite not having personal details or a phone number.
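To make the difference between the two identifiers concrete, here is an added example (not code from Path Intelligence or from this article) of a check a privacy reviewer could run over a stored sightings log: it measures how many separate visits each retained identifier ties together. The record layout, field names and sample values are constructed for illustration, and the sample assumes a fresh TMSI on each visit.

```python
from collections import defaultdict

# Constructed sample sightings, not real data. The layout is hypothetical:
# the article does not describe how Footpath stores its records.
FIELDS = ("site", "day", "zone", "tmsi", "imsi")
SIGHTINGS = [
    ("mall-A", "2012-01-02", "entrance",   "t-1a2b", "imsi-001"),
    ("mall-A", "2012-01-02", "shoe-shop",  "t-1a2b", "imsi-001"),
    ("mall-A", "2012-01-02", "entrance",   "t-9f3c", "imsi-002"),
    ("mall-A", "2012-01-09", "entrance",   "t-77d0", "imsi-001"),
    ("mall-A", "2012-01-09", "pharmacy",   "t-77d0", "imsi-001"),
    ("mall-B", "2012-01-10", "food-court", "t-c4e1", "imsi-001"),
]


def profiles(sightings, key):
    """Group sightings by the retained identifier.

    Returns {identifier: {(site, day): [zones in order seen]}}.
    """
    idx = FIELDS.index(key)
    out = defaultdict(lambda: defaultdict(list))
    for rec in sightings:
        visit = (rec[0], rec[1])          # one visit = one site on one day
        out[rec[idx]][visit].append(rec[2])
    return out


def linkability(sightings, key):
    """Return (most visits tied to one identifier, identifiers linking >1 visit)."""
    prof = profiles(sightings, key)
    most = max((len(visits) for visits in prof.values()), default=0)
    linked = sorted(ident for ident, visits in prof.items() if len(visits) > 1)
    return most, linked


if __name__ == "__main__":
    for key in ("tmsi", "imsi"):
        most, linked = linkability(SIGHTINGS, key)
        print(f"{key}: up to {most} visit(s) per identifier, linked: {linked}")
```

A result above 1 for the identifier a dataset actually keeps means the log can be turned into a cross-visit profile, whatever the operator says about not holding names or numbers.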
Path Intelligence claim they respect the public's privacy and that they do not correlate mobile activity with other forms of identification. For example, as you are tracked to the metre, your activity could be mapped to CCTV footage to provide facial profiling (Path explicitly point out they do not correlate with CCTV footage). Other methods of identification could also be used, such as a credit card payment at the till mapped to your location at the till.
To be clear, Path Intelligence state they do not correlate tracked activity with other data; however, it should be pointed out that the persistent activity data could possibly be used by parties to build up a detailed profile of your purchasing activity, movements and interests without your consent or knowledge. Path Intelligence exonerate themselves by stating that malls are obligated to display a plaque in the entrance notifying users that in the "interests of customer service" mobile movements are monitored. The implicit suggestion is that mall visitors are duly informed about the consequences of entering the mall and that their entrance indicates consent to being tracked.
In the end, this is the concerning part of the story. Whether Path is using the data responsibly or not, many individuals don't like having their behaviour tracked, particularly if it is persistent, even just for a single location. Assuming that persons give consent through passive means is a dangerous precedent in the offline space as technology enables advertisers to reach deeper into our personal behaviours. Those who wish to avoid giving away this information, no matter how innocuous it may be, should know when this activity is occurring and have a simple way to opt out of it. The recent changes to EU data privacy with regard to tracking cookies and the "right to be forgotten" show that legislators are increasingly aware of and interested in preserving our control of personal privacy in an age of increasingly pervasive technology. The same control that is being demanded online should extend to offline occurrences of consumer tracking and identification.