It’s worse. I have personal knowledge from a lot of client work in this space.<p>There are companies offering some basic functions like “wayfinding” so the retailer or mall wants to give wayfinding to the user in their app. Sounds good, in fact it’s cheap, and they will even handle the beacon deployment... hook up sdk to wireshark and find it sending lots of data, some of it comes to me (retailer api) but a metric ton of it is going back to the provider. Being able to see the installed solution in multiple retailers and seeing the app code you start to notice persistence between them... retailer and mall didn’t even ask for this. They just wanted wayfinding.
Maybe the existence of such toolkits is a Chesterton's Fence that says you can't make this work without something installed on the phone. But this would be possible without these trojans.<p>If the Bluetooth beacon configures itself as a master, and enters inquiry mode, phones that pass nearby will happily respond with their Bluetooth ID (see <a href="https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=457080" rel="nofollow">https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?d...</a>, section 8.4).<p>You can also do the same with Wifi access points: Phones are constantly broadcasting their MAC address during active scanning for networks. The location from signal strength isn't as good (a Bluetooth beacon can pin you down near the Yoplait yogurt, a Wifi beacon and signal strength measurement just put you in dairy) but it's getting better (worse?). See: <a href="https://www.crc.id.au/tracking-people-via-wifi-even-when-not-connected/" rel="nofollow">https://www.crc.id.au/tracking-people-via-wifi-even-when-not...</a><p>I imagine it would not be perfect but would be acceptably easy to use these "anonymous" MAC addresses to connect you to a name and address on a debit card. If your MAC and 20 other people left the store Friday at 2PM, and you and 20 other people went through checkout, and then your MAC and checkout are seen with 20 different people next week it's pretty trivial to identify you.<p>The cynic in me, though, says that even a minor loss of fidelity in tracking data weighed against the minimal risk and cost of building the spyware makes it worth building both.
I set up Home Assistant with the Raspberry Pi Bluetooth module to detect when my fiance and I were home or away (to turn on/off lights, turn off WeMo switches to the curling iron that my fiance always forgets). After a few weeks of forgetting I had it running, I logged back into the Home Assistant dashboard to notice that it was tracking nearly all of my neighbors' Android phones, iPhones, headphones, TVs - when they were home, when they were away. Entirely passively. Most devices had names that could very easily be linked back to the user - i.e. "Joe's iPhone".<p>Just to reiterate - this was _entirely passive_. I did nothing but enable the Bluetooth presence detection module in Home Assistant on my Raspberry Pi, and over time it built up a detailed log of when nearly all of my neighbors were home or away.<p>Luckily I was able to quickly turn off tracking of devices that weren't explicitly enabled.<p>What confuses me is that I thought iPhones had randomized MAC addresses? In the Home Assistant known_devices.yaml file, you can give aliases to phones based on their MAC address. And my iPhone has never changed its MAC address, because Home Assistant continues to track it with ease. Not entirely sure how that works.
Yep and I’ve been researching this for robotics. The new WiFi standard 802.11mc includes improved time-of-flight measurement of radio packets such that the device can be localized to within 1 meter reliably. Android 9 and the Pixel already support this, though WiFi APs supporting this are still in the early phases. Google WiFi supports it tho.<p>The good news is that this technology does not tell the AP where you are, only the device knows. However an app on your device could share this information with advertisers.<p><a href="https://www.crowdconnected.com/blog/testing-wifi-rtt-on-android-p-for-indoor-positioning/" rel="nofollow">https://www.crowdconnected.com/blog/testing-wifi-rtt-on-andr...</a>
This is rage inducing. I went into this article thinking "ok as long as I don't have the Target or Ikea or whatever app installed on my phone, I'm fine." While that is a primary way, this needs to be outlawed:<p>> These companies take their beacon tracking code and bundle it into a toolkit developers can use. The makers of many popular apps, such as those for news or weather updates, insert these toolkits into their apps. They might be paid by the beacon companies or receive other benefits...<p>Ban this, full stop, on both ends of this transaction. The Reveal Medias and the scummy app devs using their ~~SDKs~~ trojan horses. At the very least these apps need to be named and shamed, I find this fraudulent and extremely difficult for end users to police.<p>I have very minor hope that Apple at least will one day shine light on this or ban apps who are not transparent about the data they're sending and to whom, as it doesn't conflict with their business model and they seem to be moving there. For now I have to essentially disable bluetooth when I get out of my car.
This is really big in the WiFi space. Aruba, Cisco, etc all market services to public places like malls where you throw in a huge public wifi network, and regardless of whether you connect or not, they can see phones looking for known networks and track traffic patterns.<p>Malls can then see which stores have highest foot traffic on what days, etc.
It's actually one of the things that justifies the expense for huge, expensive free wifi deployments. And it is used to more accurately price locations around malls.<p>The other alternative for getting the same kind of data is security camera analytics. Sometimes literally someone just watching footage and taking notes on who they see and what kind of demographics, etc. Which is problematic in its own right.
I think the biggest misconception here is the belief that Bluetooth LE beacons are tracking phones. The beacons themselves operate as transmit-only and don’t receive any data and therefore don’t perform any tracking themselves. The more correct way to look at this is that the apps are tracking a user’s location, and the beacons are providing the app with information to determine the current location.<p>If the app’s knowledge of your location provides some service and the user is opting-in, this shouldn’t be a problem (just like I opt-in to provide Google Maps my location).<p>The keys here are (1) users should be aware that an app knows their location, and (2) users should have the ability to opt in to providing their location to the app. The mobile operating systems should do a better job of making the user aware and making it very easy to opt in or out.<p>Maybe an ideal solution would be where (assuming the user opts-in) the OS automatically controls whether an app has the ability to use Bluetooth locationing when the GPS detects that I’m in a certain area. For example, the Target app is prevented from using Bluetooth tracking most of the time, but when my phone GPS sees that I’m in a Target store it automatically enables it while I’m there, and disables it when I leave.
Having done some proof of concept work for a couple of very large retailers using BLE/beacons I believe most of the scumminess isn’t on the retailer side but the 3rd party API/framework.<p>The requests we were fielding were for better ability to find things in the store, floor maps for every store with wayfinding, and the ability to use the app to get more contextual info on demand.<p>For those not completely in the know on beacons: they are broadcast only and it is the apps running in the background on your phone that shuffle off the data on your phone. If you were running a device free of the offending apps, your privacy is fine on that front. The WiFi tracking is a different story though.
This is a bit off topic, but how could I do this at home? Seems like it could be a great addition to home security systems. Criminals know to cover their faces with all the cameras and they use stolen vehicles that can’t be traced back to them. I bet they still have their phones with them. I’m not sure the police would take action on a device’s MAC address - but it’s still another data point. Perhaps there are hardware/USB sticks designed for this purpose?
To me, this isn't big news -- It's at the point where I turn wifi and Bluetooth off when I'm shopping.<p>Look at some of the filings by Kroger:<p><a href="https://fccid.io/PBR-SZG3APWC/Users-Manual/Manual-3994818" rel="nofollow">https://fccid.io/PBR-SZG3APWC/Users-Manual/Manual-3994818</a><p>They are tracking down at the bay level for some items.
Based on the title of the article I was expecting the stores to passively collect data based on the MAC address. I guess I was way wrong. I am a traffic engineer and we use passive BT MAC address scanners to sort out origin/destination and travel time. This is done by setting up multiple detectors around a study area. Each detector saves the time and MAC address of every device it detects. We later match the MAC addresses that have been detected at multiple locations and that gives us the travel time between them. The raw data is rather useless for any other purpose, to us at least, and is tossed after we are confident in the data results. If a store were to use something like this, they would have to tie my MAC address to me, which I doubt would be too hard.<p>I don't see anything wrong with passively tracking people in a store, mall, shopping center, etc., as long as it is used to inform the owners of movement patterns in the area. To use the information to push notifications and determine purchasing habits of people is over the line.
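The detector-matching procedure described in the comment above, as an added example that is not the commenter's code. The detector names, timestamps and MAC addresses are constructed, and the keyed hashing of MACs before matching is an assumption added here so that no raw address has to be kept once the study key is discarded.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

# Constructed detector logs: (detector id, ISO timestamp, MAC address).
DETECTIONS = [
    ("A", "2019-06-14T14:00:05", "aa:bb:cc:00:00:01"),
    ("A", "2019-06-14T14:00:09", "AA:BB:CC:00:00:01"),  # repeat sighting
    ("B", "2019-06-14T14:04:35", "aa:bb:cc:00:00:01"),
    ("A", "2019-06-14T14:01:00", "aa:bb:cc:00:00:02"),
    ("B", "2019-06-14T14:06:00", "aa:bb:cc:00:00:02"),
    ("A", "2019-06-14T14:02:00", "aa:bb:cc:00:00:03"),  # never reaches B
    ("B", "2019-06-14T14:03:00", "aa:bb:cc:00:00:04"),  # travels B -> A
    ("A", "2019-06-14T14:08:00", "aa:bb:cc:00:00:04"),
    ("A", "2019-06-14T14:00:00", "aa:bb:cc:00:00:05"),  # stopped on the way
    ("B", "2019-06-14T16:30:00", "aa:bb:cc:00:00:05"),
]


def pseudonymize(mac: str, key: bytes) -> str:
    """Keyed hash of a MAC (assumption, not from the comment): devices can
    still be matched within one study, but not once the key is discarded."""
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def travel_times(detections, origin, dest, key, max_seconds=1800):
    """Seconds between each device's earliest sighting at origin and at dest."""
    first_seen = defaultdict(dict)  # pseudonym -> {detector: earliest time}
    for detector, stamp, mac in detections:
        when = datetime.fromisoformat(stamp)
        seen = first_seen[pseudonymize(mac, key)]
        if detector not in seen or when < seen[detector]:
            seen[detector] = when
    times = []
    for seen in first_seen.values():
        if origin in seen and dest in seen:
            delta = (seen[dest] - seen[origin]).total_seconds()
            # Drop opposite-direction trips and implausibly long ones.
            if 0 < delta <= max_seconds:
                times.append(delta)
    return sorted(times)


if __name__ == "__main__":
    import os
    study_key = os.urandom(32)  # per-study key, thrown away with the raw logs
    print(travel_times(DETECTIONS, "A", "B", study_key))
```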
Android has a feature called "nearby device scanning" so even if you turn off bluetooth, apps can still do BLE. I suspect stuff like this, where many many apps can spy on you on behalf of others, is why Google made BT access a Location category. But it means your weather app that uses location to tell you where you are? It is selling your location via BT beacons to 3rd parties.
Nothing would make me want to buy yogurt less than an ad on my phone while I'm looking at yogurt. I would hope everyone would feel the same way, to disincentivize this.
Shouldn't there be a setting under Privacy to turn responding to beacons off?<p>I'd be interested in a list of popular apps or SDKs that use beacons -- so I could uninstall them pronto.
This book <a href="https://www.amazon.com/Aisles-Have-Eyes-Retailers-Shopping/dp/0300212194" rel="nofollow">https://www.amazon.com/Aisles-Have-Eyes-Retailers-Shopping/d...</a> goes into quite a bit of detail about various techniques retailers use to track customers.
What exactly are retailers doing with this data, that they couldn't do before? If you go to a supermarket and pay by credit card, the supermarket is going to have a profile on what type of things you like to buy, even if you aren't a member of their loyalty program. They've been doing this since loyalty cards became popular in the 90s.<p>It seems somewhat benign, and not very useful, that they know I spent 45 seconds in front of the yogurt section, compared to the average at that time of 28 seconds. Maybe a friend I haven't spoken to for a long time started messaging me. Or maybe I was helping an elderly person get something from the top shelf.<p>The part about sending ads to your device is FUD, any app that starts doing that without my permission is getting uninstalled straight away.
In order for this to work the apps have to listen to bluetooth signals from the beacons (or register a hook for an OS level beacon listening service?). How do I prevent an app from listening to bluetooth? Is this gated by the iOS "access current location" permission, or the "bluetooth sharing" permission?
The iOS docs I've found are unclear:
<a href="https://developer.apple.com/ibeacon/Getting-Started-with-iBeacon.pdf" rel="nofollow">https://developer.apple.com/ibeacon/Getting-Started-with-iBe...</a>
So... turn off Bluetooth and Wifi when you go into a store? Put subtle lines on your face with makeup to confuse their facial recognition systems? What else do we need to do now to go out in public?
I feel like I need a lot more clarification here, can anybody help out, whether on iOS or Android:<p>1) Some random third-party app has to be <i>running</i> on your phone to detect beacons and send the data back... how viable/likely is this actually? It seems like this would only ever effectively detect a tiny percentage of users at best who just happen to have one of the apps open while walking around a store?<p>2) For an app to detect beacons, don't you have to give permission for the app to use Location Services? I've tried Googling it but can't seem to find a definite answer... I'd be surprised (and saddened) if Apple or Google are allowing apps to detect beacons without explicit location or Bluetooth permissions.<p>3) If the goal is to track as many users as possible... wouldn't it be far more efficient to look for Wi-Fi devices that are scanning, and identify them by their MAC address? I don't understand what Bluetooth beacons enable that Wi-Fi scanning doesn't.<p>4) The article lists companies that provide these third-party toolkits... but not a single name of an app that uses them, or what percentage of phones contain an app with them. Since this is the main accusation of the article... I don't understand why they wouldn't provide even a single instance of proof.<p>I've just seen a lot of very questionable reporting from the NYT in the past on tech/security/privacy, so I'd like to understand better how real this is or not.
On Android, this just had me
1. Settings > Security
2. Click on Location
3. Enhance location precision
4. Disable "Bluetooth Analysis" aka the use of BLE beacons
The really simple answer? Give up your smartphone. It's eating your life anyway, crossing boundaries with your family / work. You're addicted to checking: your downtime is zero, your free space to think: negligible. Mindfulness: none. Mindlessness: maximum.<p>Just a thought.
We need to articulate the changes we need from Apple & Google. Something along the lines of a) permission required for any app to use Bluetooth or BLE - preferably differentiating between whether the app is running in the foreground or background b) a way to turn off <i>both</i> Bluetooth and BLE at the OS level.
Then pressure needs to be applied either through public opinion or through legislative efforts.
I actually implemented a nearly identical system for my senior design project, except we targeted the smart home ecosystem. Basic use cases would be automatically turning on/off lights or having a music stream/temperature preference/... follow you as you move throughout your house and enter/leave rooms. All implemented by an app on your phone detecting strategically placed beacons.
This isn't new. I wrote this blog about beacons back in 2015 for the NoSQL vendor Aerospike; there aren't just audio (high frequency) beacons. There are also RF and other spectrum beacons:<p><a href="https://www.aerospike.com/blog/silverpush-unifies-people-devices-data/" rel="nofollow">https://www.aerospike.com/blog/silverpush-unifies-people-dev...</a>
The other day I had to send a video to a friend. Too big for email and fb messenger wouldn’t let him download it once received, so I ended up trying airdrop and got a list of names of everybody’s iPhone or iPad around me.<p>Apparently we are all telling anyone around us who cares to listen who we are.
I didn't know it was a secret? Figured it was pretty common knowledge back when iBeacons and similar were announced and when major retailers like Target even made press releases about it<p><a href="https://techcrunch.com/2017/09/20/target-rolls-out-bluetooth-beacon-technology-in-stores-to-power-new-indoor-maps-in-its-app/" rel="nofollow">https://techcrunch.com/2017/09/20/target-rolls-out-bluetooth...</a><p>Kind of funny that Apple pushing privacy basically helped create this kind of tracking to begin with.<p>Edit: NYT article mentions other apps selling data to retailers. I think it's time apps start asking permission to use BTLE. No reason a weather app needs that kind of access.
So when can we start using this stuff to get indoor navigation or navigation inside tunnels to work properly? If we are being tracked we should get some benefit from it as well.
Am I understanding this mechanism right?<p>1. Set up a bluetooth beacon in the dairy aisle that broadcasts as a connectable (or not?) device with an "SSID" (or the bluetooth equivalent) that is a known GUID<p>2. apps on your phone can scan for available bluetooth devices, and see the presence of the GUID, which is enough for them to know you are in the dairy aisle of Store 1234.<p>if that's right, does this mean disabling bluetooth, or restricting a device's access to scan for devices, will preclude this?
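The mechanism asked about above, as an added example that is not part of the original thread: a parser for an iBeacon advertising payload, showing that the frame carries only the beacon's own identifier (UUID, major, minor) and a calibrated power value, and that turning it into a place is a lookup done by the app. The sample UUID, the major/minor values and the `PLACES` table are constructed for illustration.

```python
import struct
import uuid
from typing import Iterator, NamedTuple, Optional, Tuple

AD_TYPE_MANUFACTURER = 0xFF   # "Manufacturer Specific Data" AD type
APPLE_COMPANY_ID = 0x004C     # company identifier used by iBeacon frames
IBEACON_TYPE = 0x02
IBEACON_LEN = 0x15            # 21 bytes: UUID(16) + major(2) + minor(2) + power(1)


class IBeacon(NamedTuple):
    proximity_uuid: uuid.UUID
    major: int
    minor: int
    measured_power: int       # calibrated RSSI at 1 m, signed dBm


def ad_structures(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ad_type, data) for each length-prefixed AD structure."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:       # zero length marks padding / end of data
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError("truncated AD structure")
        yield payload[i + 1], payload[i + 2:end]
        i = end


def parse_ibeacon(payload: bytes) -> Optional[IBeacon]:
    """Return the iBeacon fields in an advertising payload, or None."""
    for ad_type, data in ad_structures(payload):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) != 25:
            continue
        header = struct.unpack_from("<HBB", data, 0)   # company id is little-endian
        if header != (APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LEN):
            continue
        raw, major, minor, power = struct.unpack_from(">16sHHb", data, 4)
        return IBeacon(uuid.UUID(bytes=raw), major, minor, power)
    return None


# Constructed sample: flags AD structure followed by one iBeacon frame.
SAMPLE_UUID = uuid.UUID("12345678-1234-4234-8234-123456789abc")
SAMPLE = (bytes.fromhex("020106" "1aff4c000215")
          + SAMPLE_UUID.bytes + struct.pack(">HHb", 1234, 7, -59))

# Hypothetical app-side table: the beacon says nothing about where it is.
PLACES = {(SAMPLE_UUID, 1234, 7): "Store 1234, dairy aisle"}


def locate(payload: bytes) -> Optional[str]:
    beacon = parse_ibeacon(payload)
    return PLACES.get(beacon[:3]) if beacon else None


if __name__ == "__main__":
    print(parse_ibeacon(SAMPLE), "->", locate(SAMPLE))
```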
Hopefully not a dumb question...<p>Are there any apps / options that allow for only connecting / responding to a previously connected unless overridden?
What I don't get is:<p>1. Pretend it's the 1900s.<p>Walk into a general store, shopkeeper sees you looking at ammo for 20 minutes and then leave without buying anything. Next time you walk in, he recognizes you and says he'll give you a discount on ammo if you buy in bulk.<p>This is totally cool, not a violation of privacy, and both parties benefit. win/win<p>2. Use a computer to do the same exact thing automatically<p>Rage, pitchforks and proverbial molotov cocktails and people going on privacy diatribes.<p>What's the difference?
Honestly, part of this doesn't bother me that much. It doesn't bother me for a store to know where I'm standing while I'm in their store.<p>What <i>does</i> bother me is the part where they can get lots of other data and use it to build a profile of me that spans far beyond their store. The fact that this Pulsate company encourages devs to include my email address, for example, seems <i>really</i> invasive, and probably would be illegal under the GDPR?
>Location marketing aims to understand “online-offline attribution.” If a Starbucks coffee ad is sent to your email, for example, marketers want to know if you actually went there and bought a coffee. The only way to know is to monitor your online and offline habits at all times.<p>Make no mistake: the purpose of marketing is to maximize information asymmetry. The natural end point is totalitarian: they know everything about you, and you know nothing at all, blindly obeying.
A provocative thought experiment: are you more annoyed by retailers recommending a product you just purchased from them, or a retailer recommending a product you probably will need soon? In a world blanketed by advertising, I would rather see relevant advertisements than be bombarded by garbage. Maybe I will get a deal, maybe I will discover something I like, maybe I will ignore it... but the spray-and-pray untargeted advertising that tries to advertise arthritis medication to me as a 31-year-old man is guaranteed only to annoy.