FTC, NoMi and opting out

The U.S. Federal Trade Commission (FTC) settled charges with Nomi Technologies over it’s opt-out policy on April 23rd. Nomi’s business is putting devices in retail stores that track MAC addresses.  A MAC unique MAC address is associated with every device that can use WiFi –it is the key to communicating with your device (cell phone, tablet, laptop, etc.) as opposed to someone elses device.  Nomi apparently performs a hash ‘encryption’ on this (which is still unique, just not usable for WiFi communications) and tracks your presence near or in participating retail stores world wide.

The question the FTC was addressing is does Nomi adhere to it’s privacy policy, which indicates you can opt out in store, and would know what stores are using the technology. Nomi’s privacy policy (as of April 24) indicates they will never collect any personally identifiable information without a consumer’s explicit opt in — of course since you do not know where they are active, nor that they even exist it would appear that they have no consumer’s opting in.  Read that again closely — “personally identifiable information” … it is a MAC address, not your name, and at least one dissenting FTC commissioner asserted that “It is important to note that, as a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out.”  In other words, as long as Nomi is not selling something to the public, they should have no-holds-barred ability to use your private data anyway they like. The second dissenting commissioner asserts “Nomi does not track individual consumers – that is, Nomi’s technology records whether individuals are unique or repeat visitors, but it does not identify them.” Somehow this commissioner assumes that the unique hash code for a MAC address that can be used to distinguish if a visitor is a repeat, is less of a individual identifier than the initial MAC address (which he notes is not stored.) This is sort of like saying your social security number backwards (a simplistic hash) is not an identifier whereas the number in normal order is.  Clearly the data is a unique identifier and is stored.  Nomi offers the service (according to their web site) to “increase customer engagement by delivering highly relevant mobile campaigns in real time through your mobile app” So, with the data the store (at it’s option) chooses to collect from customers (presumably by their opting in via downloading an app) is the point where your name, address, and credit card information are tied into the hashed MAC address.  Both dissenting commissioners somehow feel that consumers are quite nicely covered by the ability to go to the web site of a company you never heard of, and enter all of your device MAC addresses (which you no doubt have memorized) to opt-out of a collecting data about you that you do not know is being collected for purposes that even that company does not know (since it is the retailer that actually makes use of the data.)  There may be a need to educate some of the folks at the FTC.

If you want to opt out of this one (of many possible) vendors of individual tracking devices you can do so at http://www.nomi.com/homepage/privacy/ .Good Luck.

 

Eavesdropping Barbie?

So should children have toys that can combine speech recognition, wi-fi connection to capture and respond to them and potentially recording their conversations as well as feeding them “messages”.  Welcome to the world of Hello Barbie.

Perhaps I spend too much time thinking about technology abuse … but let’s see.  There are political/legal environments (think 1984 and it’s current variants) where capturing voice data from a doll/toy/IoT device could be used as a basis for arrest and jail (or worse) — can  Barbie be called as a witness in court? And of course there are the “right things to say” to a child, like “I like you”  (dolls with pull strings do that), and things you may not want to have your doll telling your child (“You know I just love that new outfit” or “Wouldn’t I look good in that new Barbie-car?”) or worse (“your parents aren’t going to vote for that creep are they?)

What does a Hello Barbie doll do when a child is clearly being abused by a parent?  Can it contact 9-1-1?  Are the recordings available for prosecution?  What is abuse that warrants action?  And what liability exists for failure to report abuse?

Update: Hello Barbie is covered in the NY Times 29 March 2015 Sunday Business section Wherein it is noted that children under 13 have to get parental permission to enable the conversation system — assuming they understand the implications. Apparently children need to “press a microphone button on the app” to start interaction. Also, “parents.. have access to.. recorded conversations and can .. delete them.”  Which confirms that a permanent record is being kept until parental action triggers deletion. Finally we are assured “safeguards to ensure that stored data is secure and can’t be accessed by unauthorized users.”  Apparently Mattel and ToyTalk (the technology providers)  have better software engineers than Home Depot, Target and Anthem.

Cell Phone WiFi Used to Track Your Location

The 14 Jan Wall St. Journal has an article noting that your cell phone is being used to track where you are, and not by the cell phone provider (well, ok, they do as well, but using the cell-tower location process).  This tracking occurs when you have  your WiFi enabled and pass a detection device.  Turnstyle Solutions and Apple iBeacon (BlueTooth) provide devices placed by shop-owners and others to detect, record and report your location.  Turnstyle works with your devices WiFi MAC address, and iBeacon with iOS on your phone. iBeacon provides location data for Aps, but also for the host location.

The good: Knowing you are there may allow you to pay for goods at checkout without having to get out your credit card.  It may provide you with immediate “discount coupons” or other offers.   The Apple concept with BlueTooth is promoted as a way to provide ‘fine tuned’ personal (identifiable) services such as payment, or any other service that your phone apps using location services may be able to provide.

The bad: Turnstyle is not tied to apps, your cell provider, or your phone OS. It simply uses your MAC address (which is part of the handshake that is periodically being transmitted by any WiFi device to identify possible connections.)  An intended service Turnstyle provides their customers is a composite of “what other locations your customers visit”.  A restaurant has offered branded workout shirts as a result of feedback that 250 of their customers went to the gym that month (or at least to a gym that was in the Turnstyle network.) One Turnstyle customer is quoted as saying “It would probably be better not to use this tracking system at all if we had to let people know about it.”   I find that insightful.

Turnstyle also offers free WiFi in various retail locations.  The information about your sites visited, searches, etc. can be used to further classify you as a consumer — without collecting “personally identity” information (maybe.)  Any number of combination of data-mining techniques can be used to get fairly personal here — via Apps, site usernames, email addresses disclosed, etc.

The ugly: In the context of the article, the example of a problematic location tracking might be your visits to a doctor, say the oncology clinic in a monitored area. Combine that with searches on selected drugs and diseases and what you thought was private medical information is now available, and perhaps bypassing heath privacy regulations.

Consider the “constellation” of radio beacons you either transmit or reflect.  My car keys have an RFID chip, some credit cards have these (and passports), you have unique cell phone ID, WiFi MAC address, BlueTooth id, Apps that may be sending data without your awareness, etc. While any one service may be protecting your anonymity the set of signals you transmit becomes fairly unique to you.  Connecting these with your identity is probably more a question of the abusers desire to know than it is a question of your rights or security measures.

These mechanisms can be used by paparazzi, stalkers, assassins, groupies, and other ne’er-do-wells for their nefarious purposes.

In the Harry Potter series the Marauder’s Map was used to track anyone, at least within Hogwarts. To activate this “Technology” you tapped it with a wand and declared “I solemnly swear that I am up to no good.

Where have your footprints been taking you lately? And who has been watching them?