Apple Cuts Off a Way to Secretly Track Shoppers

Apple is preparing to shut down a trick that companies you’ve never heard of have been using to gather information about your shopping habits.

Unless the Wi-Fi capability of a phone is switched off, it is constantly sending out signals, looking for a way to connect. These signals include a unique identification number for your phone called a MAC address. Companies such as Euclid Analytics and Nomi realized they could set up hardware in retail stores to collect these pings, analyze the patterns, and sell what they learn to the retailers. Because people never connect to these networks, a company like Euclid doesn’t even have an opportune moment to ask for permission.

These companies may not be able to connect your device to your name—although that’s not as hard to figure it out as it sounds—but they’ll know when your device visits the store. Starting this fall, iPhones will stop playing along. Apple recently told developers that the new version of its operating system will randomize MAC identifiers, as recently noted by Frederic Jacobs, a security researcher.

The development has pleased privacy advocates because it eliminates one way for companies to discreetly collect lots of information about unwitting shoppers. Jacobs says that he hopes it becomes an industry standard. Android users have had the option to obscure their MAC addresses for over a year, but the opt-in system requires people to be savvier and more dedicated than the average smartphone user.

“Apple takes user privacy very seriously, and with iOS 8 we will go even further,” says Trudy Muller, a spokeswoman for Apple. Nomi declined comment.

Removing MAC addresses won’t render Wi-Fi tracking useless. Phones will continue to send out these signals, helping stores keep track of foot traffic and study how long consumers are browsing. But it won’t be possible for companies to create profiles of customers across multiple visits.

Some retail analytics companies have already tired of passive Wi-Fi tracking. Rudd Davis, chief executive officer of Swarm Mobile, says his company has moved away from the technique because the information wasn’t all that useful. “We want to give the store the ability to interact with the customer through an interface,” he says. “What we’ve found is that pure aggregate analytics that’s all anonymous—it’s not really that actionable.”

Instead, Swarm uses iBeacons, Apple’s own version of a Bluetooth technology that has generated immense enthusiasm among companies interested in location-based smartphone marketing. There’s a higher barrier to entry—users have to download an app before they can be tracked—but the information can be much more valuable. (Nomi has also begun supporting iBeacon.)

Given that Apple’s latest move makes iBeacon even more attractive than the alternative, its motives have been greeted with some cynicism. Even if Apple is slyly giving its product an edge, it’s hard to argue that doing so is bad for customers. A type of tracking that people knew nothing about is being replaced with one they have to opt into actively. Just be sure to read the terms of service.

Updated at 5:00 June 10: Euclid Analytics sent the following statement via email: “Like Apple, we take privacy very seriously. We only collect anonymous device data and have never collected a device’s real, universal address. Our approach to delivering insights on attribution, shopper funnels, and overall trends, has been to scramble the MAC address prior to collection. We fully support Apple’s decision to add additional layers of consumer protection by randomizing MAC addresses at the device level.”

Before it's here, it's on the Bloomberg Terminal.