24 Jul 2013

As invasive in-store tracking technology becomes more common, companies attempt to self-regulate + US Federal government going after master encryption keys from Internet companies for easier spying

By Madison Ruppert: A little-known industry built around tracking customers in and around physical stores has grown considerably over recent years and now the industry is supposedly going to regulate itself amidst privacy concerns.
Companies and the technologies they use are quite diverse, ranging from facial recognition cameras in mannequins to systems that track signals from Wi-Fi enabled smartphones.
The latter technology is used by a company called Euclid which bills itself as “Google Analytics for the physical world.”
If Wi-Fi is turned on, Euclid can collect information including the presence of the phone, the MAC address, the phone’s manufacturer, the signal strength, and the name of the Wi-Fi network it is connected to (if applicable), according to the company’s privacy statement.
While the company says they don’t capture personal information or real-world identity, they are able to produce some quite amazing information for their customers.

Some of the products they offer include: capture rate, which tells customers how well window displays bring shoppers into the store; repeat visitor ratio; measures of how many customers walk by the front door; visit duration, including if they spend their time waiting in line or engaging with staff; visit frequency and time between visits; and engagement and bounce rates.
Your phone does not need to be connected to the store’s network for such information to be gathered; your Wi-Fi antenna only needs to be turned on.
One company, RetailNext, is able to use a store’s Wi-Fi network to pinpoint where a shopper is in the store within a 10-foot radius, according to Tim Callan, the company’s chief marketing officer.
Megan Garber, writing for the Atlantic, points out that physical stores can gather the following information about you when you visit: age, gender, mood, time spent in each section of the store, the items you looked at, how long you looked at items before purchasing, the products you looked up on the store’s website, purchase history, number of recent visits and average time between visits.
It might seem hard to believe that a store could know your mood, but it is indeed quite possible.
“Through video of your movements through the store, and images of your facial expressions as you do that moving, and facial recognition software that analyzes those expressions, stores are attempting to recreate in the physical world the paths of digital breadcrumbs customers leave as they explore websites,” Garber writes.
NEC IT Solutions has also exploited facial recognition technology, although they use a database of celebrities and valued customers to identify incoming customers as VIPs.
The program sends an alert to staff via computer, iPad or smartphone, according to NPR, while also supplying details like the customer’s favorite buys, shopping history and dress size.
Obviously there has been a great deal of concern about the privacy implications of this type of technology on the part of customers.
Indeed, as an article in the Economist points out, “because most Wi-Fi devices broadcast a list of known networks, a monitoring system could, in theory, collect the list and match it against databases of known Wi-Fi networks, which are used as a rough and ready alternative to satellite positioning in built-up areas. Shoppers’ stored list of connections could thus reveal where they live or work, and possibly their identities.”
Indeed, Nordstrom stopped using Euclid after customers responded negatively when signs were placed in stores telling customers that they were being tracked.
The companies have come together to create industry “best practices” for privacy controls in what is clearly an attempt to defend the industry against public criticism.
Companies like Euclid, WirelessWerx, Mexia Interactive and ShopperTrak are working with the Future of Privacy Forum (FPF) to develop the best practices.
Unfortunately, the Future of Privacy Forum is, as Jathan Sadowski points out for Future Tense, “primarily underwritten by corporate money, much of which originates from the tech sector—Facebook and Google are listed.”
Furthermore, “Companies that use in-store tracking services, such as Nordstrom and other big box department stores, are also supporters,” Sadowski writes, noting that Euclid is a donor.
Jules Polonetsky, the director of FPF, told Sadowski that they “are often more optimistic about the positive values of smart data use than some [advocacy groups] who may be more skeptical of industry promises.”
Yet Polonetsky also claims that FPF promotes positions that some of their donors do not agree with, like Do Not Track. Personally, it seems that companies aren’t quite dumb enough to spend money on a group that is actively working against their interests.
The problem is that even if FPF can be considered credible, something which I think is far from certain, self-regulation doesn’t have a bright history.
Sadowski points out a 2005 report by the Electronic Privacy Information Center (EPIC) which drives the point home.
Even the title of the report, “Privacy Self Regulation: A Decade of Disappointment,” makes the reality of the situation clear.
A 2012 report produced by the Federal Trade Commission (FTC) reinforced this perspective by calling for Congress to “consider enacting baseline privacy legislation” since “self-regulation has not gone far enough.”
“Self-regulation in its purest form is a recipe for disaster. There are simply too many incentives to violate privacy interests and too little transparency to know what’s going on,” said Woodrow Hartzog, privacy lawyer at Samford University, according to Sadowski.
Hartzog, who is also an affiliate scholar at Stanford’s Center for Internet and Society, contends that truly robust privacy protections require a “patchwork of regulation, [consumer] education, and organizational responsibility.”
Until that patchwork is put in place, you probably can’t expect any meaningful degree of privacy while shopping.

____________________




US Federal government going after master encryption keys from Internet companies for easier spying


Madison Ruppert: According to a new report, the U.S. government is demanding the master encryption keys that are used by Internet companies to protect the private communications of countless users from government surveillance.
A recent government report revealed that encryption actually thwarted attempted wiretaps for the first time on record, which makes it all the more understandable that the government would now be attempting to break through any and all methods of encryption.
The demands for these master encryption keys have not been disclosed previously, according to Declan McCullagh, the journalist who broke the story for CNET.
It represents a new level in the secret methods used by the FBI and National Security Agency (NSA) in their quest to spy on millions of Internet users. The NSA is now facing a major lawsuit over their surveillance programs.
If the NSA had master encryption keys, they would never have to worry about directly placing surveillance equipment in the server rooms of ISPs and would have a much easier time of spying on people around the world.
If the government gets their hands on an Internet firm’s master encryption key, government agents would then be able to decrypt communications intercepted via wiretap or through the many surveillance authorities given by the Foreign Intelligence Surveillance Act (FISA).
Web encryption uses technology called Secure Sockets Layer (SSL) and according to one anonymous source who spoke to CNET, web firms are already responding to the government’s attempt to obtain the encryption keys.
“The government is definitely demanding SSL keys from providers,” the anonymous source, who has dealt with the government’s attempts to obtain the keys, said.
Large Internet companies have successfully resisted the government requests, stating that they exceed what is required by law, according to the source.
However, the individual said that smaller companies without a well-funded and staffed legal team may not be as willing to fight the government on the issue.
“I believe the government is beating up on the little guys,” the source said. “The government’s view is that anything we can think of, we can compel you to do.”
Yet the source’s claims about the large Internet companies should be treated with a healthy degree of skepticism, in my opinion.
After all, we know that companies have worked with the NSA in the past and even launched projects to help their surveillance efforts.
Furthermore, we have seen their cleverly worded statements avoid actually denying the reality of their role in the PRISM program.
Silicon Valley and the NSA are far from enemies, evidenced by the tight-knit relationship Google has with the government, especially with the NSA.
A spokesperson for Microsoft would not say if the company has received government requests for their master encryption keys.
However, when asked if they would hand over the master key used for either web or e-mail encryption, the spokesperson said, “No, we don’t, and we can’t see a circumstance in which we would provide it.”
Google similarly refused to say if they had received requests for their encryption keys.
Yet they also stated that the Internet giant has “never handed over keys” to the government and that all requests are carefully reviewed.
“We’re sticklers for details — frequently pushing back when the requests appear to be fishing expeditions or don’t follow the correct process,” the Google spokesperson said.
A spokeswoman for Facebook, on the other hand, refused to answer any questions. Yet one anonymous individual claimed that the company would “vigorously” fight such a request.
A long list of companies refused to respond to questions from CNET asking if they would hand over encryption keys to government agencies.
Such companies include: Apple, Yahoo, AOL, Verizon, AT&T, Opera Software’s Fastmail.fm, Time Warner Cable, and Comcast.
“The requests are coming because the Internet is very rapidly changing to an encrypted model,” an unnamed former Justice Department official told CNET. “SSL has really impacted the capability of U.S. law enforcement. They’re now going to the ultimate application layer provider.”
A spokesman for the FBI would not comment on the matter, saying that they do not “discuss specific strategies, techniques and tools that we may use.”
