Nordstrom Phone-Tracking Trial Raises Customer-Theft Threat

Written by Evan Schuman
February 13th, 2013

Nordstrom (NYSE:JWN) is six months into a 17-store trial in which shoppers are counted by way of Wi-Fi signals from their smartphones. The 236-store apparel chain is not storing any customer personal information from the trial, and it’s only being given aggregated data on customers by the vendor handling the trial. But that vendor, Euclid, is storing hashed versions of customer Wi-Fi MAC addresses—and is also running trials for some 35 other of the nation’s 100 largest retailers. That presents what could easily become an irresistible cross-retailer mobile tracking temptation.

Two very desirable—and potentially lucrative—sets of shopper data are being captured and saved here, but the retailers and the vendor involved are all pledging to not use it. The first is cross-retailer data, which is where the vendor will recognize a shopper’s phone’s MAC address when the shopper repeatedly walks into a Nordstrom and will then detect that same shopper walking into a Nordstrom competitor. How much would that rival pay for such information? The second data set: Once one of those MAC addresses makes a purchase, the chain could connect that MAC address with the payment information. Voila, instant CRM-friendly data on whenever that customer walks into a store and, with enough sensors, every aisle he or she visits and how long the shopper lingers.

These temptations, for the moment, are all weighing upon Euclid and other mobile vendors. In this instance, Euclid is only delivering aggregated data to the retailers, listing how many shoppers were in a store, how long they stayed and how many repeat customers were in that crowd. Depending on the store, the number of sensors and prior arrangements, even the specifics of that shopper’s movements may not be reported back to Nordstrom.

“We’re making trade-offs on location granularity,” said Euclid CEO Will Smith. “We’re not telling them which aisle they were in. We’re talking more like which floor people are on.” Asked why the geolocation data isn’t more specific, Smith said, “Because retailers won’t pay us for it.”

Smith clarified that the data limits generally speak to the number of sensors—and all the associated set up required if those sensors are being connected with physical wires. A sensor costs about $200, and the maximum distance is about 60 yards. When asked how reliable the data was on the periphery of that distance, Smith said, “very inaccurate.”

To be precise, the MAC addresses of those shoppers are not being stored by Euclid; instead, a hashed version of those MAC addresses is being stored. But as long as that information is enough to detect that it’s the same shopper when the phone is detected in any store involved in a trial, the ability to track a shopper is still happening.

Euclid offers shoppers the ability to opt-out on its site, although it’s not clear how many shoppers would bother to go to the site, fill out the form, identify their MAC address and key it in—when they could achieve tracking protection by simply turning off the phone or even just the phone’s Wi-Fi connection. The opt-out does, however, promise to delete historical data about that shopper, which would address any activity that was logged before the shopper thought to turn off the phone or Wi-Fi.

The nature of the opt-out mechanism, though, will make clear to shoppers that there is a file of data specifically linked to their phones. That’s a message retailers may not want to stress, especially because the retailer itself is not benefitting from that customer-specific information (beyond a generic “18 of these customers had been in the store six times this month”).

These mobile-data fears are not new. A couple of retailers at an MCX panel at the National Retail Federation’s show last month said fears of data-selling from mobile vendors was one of the driving forces behind MCX’s formation. Jay Culotta, the treasurer at regional convenience chain Wawa, said many of the mobile vendors say they are not—today—planning on sharing data, but they refuse to say what will happen down the road. “It’s not a forever situation,” Culotta said, adding that the temptations for leveraging such data will likely be overwhelming. “It’s unclear what their business case would be without monetizing that data.”

A Lowe’s (NYSE:LOW) executive on the panel—VP, Operational Controller John Manna—agreed and painted a scenario where a mobile vendor knew that a Lowe’s customer made regular purchases at Lowe’s and then walked right by an Ace Hardware store. And if an Ace Hardware corporate manager is then talking with that vendor, will the very substantial dollars Ace would likely pay for that list of customers be set aside? Manna indicated he would rather not find out.

At its most innocuous core, the Euclid system is simply a customer counter. But is it a more accurate one? In its favor, argues Euclid’s Smith, is that a system based on mobile—rather than one that counts customers based on breaking a beam or being detected by a thermal pattern—can be more selective. “We don’t count kids who run in and out of the store multiple times,” Smith said. “And we don’t count sales associates.” Associates are excluded based on how many hours they stay in the store.

On the down side, mobile tracking is thwarted by anyone who doesn’t have a smartphone or who has the phone—or even just the Wi-Fi—turned off. In Euclid trials, Smith said, the vendor says typical stores in San Francisco and New York saw that about 70 percent of their shoppers had smartphones turned on—with Wi-Fi activated—while visiting. That number plunged to about 40 percent for the same type of store in Atlanta. “It all involves smartphone penetration by region,” Smith said.


2 Comments | Read Nordstrom Phone-Tracking Trial Raises Customer-Theft Threat

  1. ed Says:

    Tapping into customers wi-fi transmission not only is bad karma but totally unneccesary and not the most effective manner to get the end result.

    A better implementation would be augmented video analysis similiar to the CBS series “Person of Interest” that can deliver more accurate data. There are several open source and commercial packages that can accomplish this.

    Take the existing recorded security camera video feed, run it through the video analytics engines that turns people into object squares like CBS “Person of Interest” and you can tag each “object” and track their activity in the store.

    The floor can have augmented markers (qr codes or special barcode paint on wall/column) for each departments and the video analytics can how long “objects” linger around them.

    Totally not necessary to tap into people wi-fi signal and not cool..

  2. A Reader Says:

    Is it better to remind people that their phones are continually broadcasting their presence by using that data commercially; or is it better to pretend that this isn’t already being done?

    NATMEC has used stationary Bluetooth receivers to study traffic flows and speeds along highways by timing the signals from passing Bluetooth headsets and phones. Google relies on GPS data from Android phones to measure current traffic speeds and to display them in Google Maps. Apple transmits cellular, WiFi, and GPS location information back to Apple in order to improve their Location Services database. People are already contributing their location data constantly without being aware of it. And all such data originates with enough information to uniquely identify the phone – although the services above assure us that the identity data is stripped prior to aggregation, that doesn’t mean it doesn’t exist.

    The only reason wireless data isn’t being used for shopper tracking today is the fear of backlash. Offer someone a discount in exchange for tracking them, though, and I bet they’ll let you follow them anywhere.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.