The great shopping-mall cellphone-tracking experiment of 2011 has come to a halt, thanks to the actions of an activist U.S. senator.
Forest City Commercial Management said on Friday that it was suspending its trial of the FootPath customer-tracking system after Sen. Chuck Schumer, D-N.Y., raised concerns.
"Even though all information gathered by the system is anonymous, some consumers may still wish not to participate," Forest City spokesman Jeff Linton told the Associated Press.
The tracking system, developed and operated by Path Intelligence of Portsmouth, England, depends on receivers placed around shopping malls that listen for the "pings" sent out by cellphones at regular intervals as they communicate with cellular towers.
Since each phone transmits a unique (but temporary) ID, the movements of individual phones and, presumably, their owners through the shops can be discerned. That's a great boon to retailers, who constantly seek more information about potential customers — and who already collect such information, and much more, about online shoppers.
Forest City had planned to test the system from this past Friday, "Black Friday" (Nov. 25), through the end of the year at the Promenade Temecula mall in southern California and the Short Pump Town Center mall in Richmond, Va.
But after CNN's business section ran a story Wednesday (Nov. 23) about Forest City's trial of FootPath, Schumer contacted Forest City, pointing out that the only way for a shopper to avoid being tracked by the system would be to put his phone into "airplane mode," or to turn it off altogether.
"A shopper's personal cellphone should not be used by a third party as a tracking device by retailers who are seeking to determine holiday shopping patterns," Schumer said in a statement released by his office. "Personal cellphones are just that — personal. If retailers want to tap into your phone to see what your shopping patterns are, they can ask you for your permission to do so. It shouldn't be up to the consumer to turn their cellphone off when they walk into the mall to ensure they aren't being virtually tailed."
Forest City's spokesman could only agree.
"At present, the option for them to decline to participate is to turn off their mobile phones," Linton told the AP. "We would like to pursue an easier 'opt-out' option for consumers."
The CNN story noted that JCPenney and Home Depot were considering implementing FootPath.
Schumer also sent a letter to Path Intelligence asking them to institute an "opt-in" system for FootPath — right now, malls put up signs explaining that the system is in use — and another letter to the chairman of the Federal Trade Commission to ask whether FootPath was permissible under U.S. privacy rules and regulations.
It's not clear how much of a privacy risk the FootPath system actually poses. In a email to SecurityNewsDaily, Path Intelligence Chief Executive Officer Sharon Biggar explained that all data collected by the FootPath system is temporary, encrypted and anonymized.
"We detect the TMSI, the Temporary Mobile Subscriber Identifier," Biggar wrote. "If the user has Bluetooth set to discoverable, and Wi-Fi switched on, we also pick up on those signals."
The TMSI is a short-term identity number issued to a mobile device when it enters a cellular tower's coverage area. It expires when the device moves to another tower's coverage area.
"We do not provide information at the level of the individual for privacy reasons," Biggar said. "Indeed we hash [encrypt] the TMSI number before we store it on our database, again for privacy reasons." (Each hashed TMSI would be unique and thus still useful to FootPath.)
Lee Tien, an attorney with the Electronic Frontier Foundation, a digital-rights advocacy group in San Francisco, wasn't sure the phone IDs couldn't still be matched up with phone owners.
"Each store at least knows who has bought something (and maybe via some other means knows who has been in the store)," Tien wrote in an email to SecurityNewsDaily. "Could they share data to construct shopper paths, and then compare?"