You have no expectation of privacy when in public. My question is whether there is any difference to someone following you around a mall as you go through your shopping journey (whether with cameras or in person even), as compared to someone following your phone?
I'm seeing this objection a lot lately, and perhaps I'm showing my age here, but I've certainly got an "expectation of being largely individually anonymous when in public". While there's nothing to stop people looking for me and possibly finding me in public - I _don't_ expect people(/corporations/tlagencies) to be recording everybody in public spaces and archiving them permanently in ways that allow all archived recordings of me to eventually be crossreferenced and de-anonymised.
These days though, the technology exists to do just that - and people/companies/agencies are doing it on smaller or larger scales, without societies discussion or approval, and without the laws regarding that collection being brought up-to-date regarding the citizenry's wishes.
The genie is probably a long way out of he bottle now, face detection, face recognition, ubiquitous cellphones with their wifi, bluetooth, and GSM/CDMA transmitters - we are all, in a lot of circumstances, uniquely identifiable in crowds - and probably a startlingly large amount of the time, fairly trivially trackable across spaces till we get to places where things like credit card transactions can tie all recorded surveillance back to our legal identities.
But acknowledging that all that's _possible_, doesn't mean we need to accept that it's open season on personal tracking data. Your health care providers are under heavy regulation about what data they're permitted to collect and the standards they're required to secure that data too(HIPPA, in the US). Anybody collecting credit card payments needs to comply with the PCI standards.
Instead of saying "you have no expectation of privacy in public … ", shouldn't we at least consider having the discussion about "now that ubiquitous surveillance is technically possible, what are the community expectations of privacy in public, and should we choose to regulate the collection, storage, and use of personal data collected in public spaces?"
Times change. Peoples opinions and expectations change. Laws change - slower than public opinion, but they _eventually_ catch up (hopefully with the right "lag" to avoid fashion/fad law changes, but quickly enough to stop people revolting against law enforcement and the legal system).
Speeding used to be "legal", back before we passed laws recognizing the "danger to society" these new-fangled horseless carriages represent. Cocaine, ecstacy, and LSD were all once unregulated and "legal". It used to be OK to take pocketknives and drinks on airplanes. It used to be against the law to export strong crypto from the US. It used to be legal to own slaves.
I'm not suggesting society or the law have settled on ideal solutions or reactions to those examples - but I am suggesting it's time to at least start talking about whether there is a difference between a "shopping researcher following someone around a mall", and an automated system tracking and recording everything every visitor to a mall does - and tying that back to "unique identifiers" (phone's wifi/bluetooth MACs, face recognition, cc details at cash registers), then being able to track that all across multiple visits or visits across multiple locations.
Personally, I'm of the opinion that "public space personally identifiable data collection" should be regulated similarly to HIPPA. There needs to be accountability, transparency, up-front notification, and ability for an individual to opt out without suffering any repercussions. I think shopping mall operators should be asking them selves serious questions about whether their ongoing responsibility to secure any personally identifying data (camera feeds, facial recognition output, skeletal geometrics, personal electronics identifiers, etc) - and the legal penalties they'd be responsible for if that data ever gets misused or exposed - is worth the benefit of collecting and storing it in the first place. I think police departments and towtruck/repo cpllectives doing widespread ANPR should all be shitting themselves at the legal/financial consequences of their databases of time/location of individual's vehicles being stolen, and ensuring they've got auditable/provable policies in place to minimise the storage of that data to very short timeframes to demonstrate "reasonable care" of people's privacy in any future court cases.
I might be wrong - and perhaps most of society thinks that's all unnecessary government regulation (and hell, I'm perhaps hypocritically all for "small government" and fewer rather than more laws) - but I'm pretty sure nobody has actually _asked_ "the public" whether it's OK with them while explaining what "it" is and the consequences (either positive or negative) to them. I'd at least like that discussion to happen.
Banning efficiency, of all things, seems counterproductive. If someone (or a government) really cares, they can simply spend the resources to do full-scale surveillance and tracking the old-fashioned way. It's not like we'll refuse to pay for it, given budgets what they are today. Lack of technology didn't stop the surveillance apparatuses of the USSR or East Germany. They just had larger staffs than we do.
Either something is okay, in which case it's okay to do with a machine, or it's not, in which case it's not okay to do at all. If it's okay to tail someone with a police car, it's okay to follow them with a drone. You stop mass surveillance not by making it cost the taxpayer more, but by outlawing mass surveillance and requiring some sort of suspicion or probable cause for each individual case.
People who want to track and surveil others like efficiency, but are in general still capable of hard work. Raising the effort required stops only the most pedestrian violators.
> Either something is okay, in which case it's okay to do with a machine, or it's not, in which case it's not okay to do at all.
Let's reflect that it's fairly easy, in the grand scheme of things, to bring explosives on board an airplane and take it down. The reason that doesn't happen more often isn't because screening procedures are so effective -- it's because very few people want to do that.
Now, people generally don't like the idea that the government, or stores, or unfriendly neighbors, or their daughter's boyfriend, might track their every movement day and night without end. And if you proposed that it should be allowed, you'd poll a lot of "it's not okay to do at all". The reason it's happening now is because it was "okay" before, which led people to do it as soon as it became possible. But, and this is where the cost structure becomes relevant, the reason it was "okay" before is not that society made a considered judgment that this sort of thing should probably be allowed. The issue was never considered at all, because the practice was impossible and therefore considering the issue was pointless. All kinds of things are legal right now only because they can't actually be done, but that's not a compelling argument for letting people do them even if they could be done.
Banning efficiency, of all things, seems counterproductive."
Counter-argument: For many thing the efficiency of enforceability is built into the penalty structure. "The public" accepts - more or less - the current penalties for speeding/parking/general traffic offences. This is in spite of the fact that most of us "speed" when we consider it safe/appropriate, that most of us will stop in a no parking zone briefly if we think we aren't going to inconvenience anybody, that we'll use our better judgement at stop signs or merge lanes or double lines and obstructed roads.
If someone proposed a "better 'cause it's _more efficient_" means of enforcing road rules, where every single infraction was immediately deducted from your bank account - we (the people) would rightly push back and demand a reconsideration of what an "infraction" is, and how much the penalty for an infraction cost. And, indeed, whether implementing such a "super efficient" system is what anybody wants.
Super efficient surveillance is similar. It's now possible in ways that it never was when we wrote the laws regulating it. If you take out a camera and shoot a few shots in a park, you might get a few odd glances, but you're unlikely to get asked to stop unless you're being creepy. If you stand outside schools and take photographs of every child arriving and leaving you'd rightly expect to get asked to explain who you are, what you're doing, and where those photos are going to end up. Even if you're a cop or FBI/NSA operative, I'd expect you to get asked about what case you're working on, who's supervising it, and what probable cause you have to justify invading the privacy of every schoolchild at this school.
These days, it's clear that shopping mall and store security cameras, and wifi base stations sniffing phone wifi IDs, are capable of collecting - and with very little doubt actually collecting right now - much more detailed and accurate data about individuals (including the "think of the children" example earlier - these systems don't discriminate about all the kids hanging out in shopping malls).
Who's being held responsible for that data? Who's tapping the guy with the harddrives full of images and cellphone ID's on the shoulder and saying "Hang on, who are you? On who's authority are you collecting all these images and IDs? Where are they going to end up? Who's signed up to accept legal/financial responsibility if this data is misused or stolen?" Why isn't he being treated with the same suspicion as the guy outside the school with the camera?
To do so sans technology requires an undue amount of resource. Ie the energy required to surveil 1x1 personally vs algorithmically is substantial and one is much more feasible than the other (especially if you don't read the TOS - and who does?)
All that said, though, I think we are mostly on the same page: you have to accept responsibility for your actions in public. I think where we differ though is that the majority of people don't have a clue wtf is actually going on.
PS the argument doesn't hate you. It's willing to take any and all input, process it, and maybe come out changed. It loves, respects, and thrives on you.
Actually, if you follow someone around everywhere they go, even in public, unless they've famous and you're a paparazzi you're likely to get charged with stalking.
But they keep that data, and use it to recognise repeat visitors.
In general when people keep data about me there should be a few minimal protections: keep that data secure, use it for what they say they're going to use it for, offer me the option to opt out[1], don't keep the data too long, let me know that you're doing it.
In the UK this is covered by Data Protection law.
To answer your question: I'd much rather they tracked my phone than a person followed me with a camera.
[1] I prefer "don't do it unless I've opted in" but it feels like I lost that argument.
Either way, I don't have a problem with this as long as they aren't intercepting communications or anything private like my name and recognizing me every time I enter the store. If it's information that they can obtain without identifying me, there isn't much I can complain about. It's their store and as long as my rights are intact I'm cool with it.
WiFi signals contain a device MAC, which gives us a unique ID on the customer. This allows us to track repeat visits to a store, and even visits to different stores within the same retail chain. We can also track the WiFi "pings" from your device to see approximately how long you were in the store, whether you passed by the store without walking in, etc. Essentially the physical-world equivalent of data that google analytics provides you for your website.
The type of data described above is not quite possible to obtain via video as face recognition is nowhere near as robust, certainly not when it needs to be done non-intrusively as in a retail environment.
Video is still very useful however as it gives us 100% customer coverage - many customers still don't have smartphones, many that do keep WiFi turned off, many stores don't have WiFi APs, etc.
HN: a thermometer for frogs in nearly boiling water.
As long as no personally identifying information such as a phone number or some sort of phone ID is gathered without a customer deliberately giving it to the company and tracking cookies aren't used without permission, I wouldn't think there's much of an issue here. I might even appreciate, with some kind of deliberate opt-in, seeing some coupons or sales info showing up on my phone when I'm spending 5-10 minutes in one single section of the store.
This is still a potential privacy issue if they're somehow using cookies or some other information to track people without their consent, but as it's presumably on private property this is a different kind of privacy issue than government spying.
Chances are better than good that they're capturing your MAC address. While not necessarily unique, on cell phones, it's probably as good as in the vast majority of cases.
With WiFi signals they can uniquely identify a single customer (by MAC) without having to rely on facial recognition or complex image processing. I'm guessing that's the reason.
The MAC address doesn't lead to your name, address, credit card, or anything. It's just how they tell one phone from another.
"Are you here to rob us?"
"No, I'm just opting out of your facial-tracking systems. Which way to kitchen appliances?"
I wonder what percentage of the population cares about being profiled though. Less than 5%?
It's a niche business opportunity.
I'm always surprised when I see people who are convinced technology can solve their woes when all you need to do is make some observations. No wi-fi tracking will tell you there's a huge clearance rack blocking your view of several other items. It also won't tell you if a merchandise row is so narrow only one person can stand in front of a display.
Technology is great, but in most retail or commercial environment's, you still need feet on the ground.
Here is a way to opt-out of this particular service. https://signup.euclidelements.com/optout
It seems like it would be trivial to tie in the location tracking with the products someone purchases and if you are using a rewards card (like most grocery stores have) then the store has all of your information tied to your MAC address.
It's not just stores, any place could have these systems set up. Malls, airports, stadiums, schools, or even your workplace.
Is it possible to obscure or modify a phones wifi strength when not connected to a network to prevent this tracking?
It seems like only people who actually connect to the wifi can be tracked. There's no way to harvest the MAC address of a wifi device that hasn't connected to your network, is there?
As a store, this seems to be not that valuable to me. I can't imagine that very many shoppers actually take the time from shopping to decide to connect to your wifi. I get that they only need to do this once, and after that, it will auto-reconnect. I'm still not buying it as an effective tracking method.
Yes, there is. If you set your WLAN interface to monitor mode and run tcpdump or similar, you can look at packets passing by, even if you're not connected to a network at all. I built a Wifi tracking system this way when I was in school.
This seems like a pretty powerful data source to use for all sorts of things, if it's always accessible like that. A world readable cookie for every yuppie and hipster on the planet!
Surely having a handful of shoppers who all have the same MAC address in one store at one time would screw up their analysis a little bit, no? It would certainly make it much more difficult to track a specific individual.
It's the same tricks basically, just far more efficient. Making the optimal store layouts so customers spend as much time inside as possible or get exposed to as many other items as possible. Use machine learning algorithms to set the prices so every price is as high as it can be before people stop buying it entirely.
Yes, they've been placing food/beverages at the back since years ago.
This also means that customers that are in a hurry to buy bread/food/milk/whatever are more likely to go to their local grocery store. As we, the customers, may be stupid enough to buy into their .99 tricks, but we aren't so stupid as to not notice that it took 3 hours to buy milk or bread, as many times you're really not in the mood to gape at useless shit. It's interesting though that local grocery stores are not so common in the U.S., compared to Europe. To get food, I only need to cross the street.
Also, setting the prices dynamically will not work in an online world. What if customers had a mobile app with which they could compare prices with other retailers just by scanning the bar code? Again, customers aren't so stupid - they may not notice that the price of individual items has gone up, but they do notice fluctuations in their monthly spending.
Dynamic price setting works because people are not perfect rational actors that compare every single item they look at to the lowest price in town. I don't know if anyone does that actually.
People might notice a bigger shopping bill, but they are more likely to attribute it to buying more than slightly higher prices on every single item, which they might not even notice.
In any case they wouldn't be doing this if it didn't make them more money.
That is a profoundly ignorant statement to make - the vast majority of web users have no concept of the scope at which they are being tracked online.
If there was a sign spelling out all the trackers on every web page like there was a sign in the store, you can be sure a whole lot more people would be "bristling."
Frankly I would assume using computer vision to track heads like molecules in Brownian motion would be cheaper simpler in all cases.
However this one creeps me out far more than NSA. Odd really
A client that's actively looking for networks to join will occasionally broadcast a probe request frame on all of the channels it can transmit on, trying to get nearby access points to respond. If you have at least three access points that "hear" the same probe request and you know where those access points are located, you can use the position information of the access points combined with the received signal strength of the probe request frame at each access point to compute that client's position.
Obviously this won't work for facial recognition, but I see that's discussed in other comments.
