CNet reports on Euclid, a company that seeks to keep track of millions of shoppers with sensors that would record the Media Access Control (MAC) addresses of their phones. MAC addresses are unique identifiers and they are designed to be persistent over the lifetime of the device. Tracking such addresses can have substantial privacy implications. (For more on MAC addresses and privacy concerns, see a 2011 report (pdf) from the Ontario Privacy Commissioner’s office.) CNet reports:
SEATTLE–A new company that plans to track millions of retail shoppers through a unique ID emitted by their smartphones says it wants to be privacy-friendly.
Will Smith, co-founder and chief executive of Euclid Elements, showed up at the PII privacy conference here today to say that identifying repeat visitors by these unique IDs — the so-called MAC addresses broadcast when Wi-Fi is turned on — shouldn’t be an issue.
“We put a sensor in the store,” Smith said. “It passively detects smartphones that come near the store.” […]
Instead of asking shoppers to choose to opt-in, the company adopted an opt-out model, which means visiting a page on Euclid’s Web site. MAC addresses are stored for 18 months and only aggregate data is made available to the retailer, which is required to post a notice telling shoppers what’s happening.
But that still means a company, however well-intentioned, will keep detailed logs about the movements of millions of Americans (or at least their mobile phones and perhaps laptops and other gadgets) around cities and shopping malls. […]
Euclid’s database would also allow police armed with a court order to learn about someone’s whereabouts as long as they know or can find a suspect’s MAC address. (You can typically find your MAC address through your laptop or smartphone’s About screens. Wireless access points may also record them.) […]
“Once shoppers give up this information, in some cases without realizing it, it’s out of their hands,” replies EFF’s [Parker] Higgins. “A data breach, a government subpoena, an overreaching retailer — all these things can mean invasions of personal privacy in ways people have no control over.” (Euclid changes each unique Wi-Fi MAC address into another unique MAC address through what computer scientists call a hash function, but the modified address remains a unique identifier.)