London’s Recycling Bins Don’t Do Mobile Tracking Anymore. (Until This Week, They Did.)

Written by Frank Hayes
August 14th, 2013

At a time when many retail chains are trying to navigate the public-relations minefield of customer tracking, disclosure and data use, a story from London is a useful reminder that nobody is getting this right. On Monday (Aug. 12), the government told a startup called Renew to stop using its recycling bins in London’s financial district to track passers-by by way of their phone signals.

Wait, recycling bins? Yes, 100 very high-class recycling bins outfitted with large, Internet-connected digital screens that show advertising (the financial district’s government—yes, it has its own government—gets 5 percent of the airtime to display public announcements). But recently Renew added a new feature to a dozen of the bins: the ability to capture any passing smartphone’s unique MAC address if it has Wi-Fi turned on. (Which, these being financial-district yuppies, is pretty much a given.) You can see the possibilities—but not necessarily all the possibilities that Renew sees.

Let’s be clear: Renew wasn’t putting up warning signs, but it didn’t keep the tracking a secret either. It promoted the phone-tracking capability in its marketing materials, with scenarios like being able to spot the same customers whose phones had been spotted in, say, a coffee shop previously, and flash them an ad that would nudge them back toward their caffeine provider.

And in context of London security—layer upon layer of surveillance, built through decades of first IRA and then al-Qaeda terrorism—it all sounded pretty innocuous to its creators. “From our point of view, it’s open to everybody, everyone can buy that data,” Renew CEO Kaveh Memari told the online news magazine Quartz. “London is the most heavily surveillanced city in the world…As long as we don’t add a name and home address, it’s legal.”

Technically, yes, but that’s mainly because those laws haven’t been written yet. Given that in the first month after it installed the MAC-grabbers Renew says it tracked more than a million unique devices, and that it identified 106,629 individual people by way of 946,016 MAC grabs, the idea that this isn’t the real-world equivalent of a web cookie is pretty specious. And those require opt-in (though enforcement of the requirement hasn’t ramped up yet).

And that’s the real problem, the one that retailers are grappling with: The problem isn’t what’s technically legal. Lawyers can find you safe passage on that. The problem is that no matter how legal it may be, if people feel violated, they’ll take it out on whoever is electronically stalking them.

Consider a more elaborate Renew scenario, one that Memari says it’s still trying to get a bar signed up to try: The bar would install five tracking devices—by the entrance, one in each bathroom, one at the POS and one on the roof. Then each customer, tagged by a unique MAC address, could be identified by gender (which bathroom did they use?), how much time they spent in the bar, what they bought, how much they spent and who they left with.

Of course, that MAC address could also be linked to the plastic card the customer paid the tab with, and thus identified by name, address and credit rating, but Memari thinks that would be too much. What wouldn’t be too much? Using that behavioral data to flash targeted ads at the customer all over the financial district.

This is actually a lot more elaborate (and stalkerish) than any proposal we’ve heard from a U.S. retailer. In some ways, that’s heartening—retailers have figured out that there are limits to what customers will put up with.

It’s also at least a little heartening that Renew backpedaled furiously once its talkative CEO’s comments were reported. It’s no longer collecting MAC addresses, and says it will take a much slower pace going forward, complete with consultations with organizations like the Electronic Frontier Foundation.

Then again, instead they could try something that some retailers testing tracking-by-mobile have considered: Tell everyone about it. Make the warning signs so bland and ubiquitous that after the first few weeks, no one will take any more notice of them than they would a surveillance camera. Renew (like any retailer) would still have to navigate the legal minefield. But at least no one could claim he hadn’t been warned.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.