Mastodon

What price might you really be paying for Woolworths “free” wifi?

You know how the saying goes – if the product is free then you’re the product! This works for the likes of Facebook or Google because you get hit with targeted ads. It works for LinkedIn because they can then sell premium services that grant people access to the data they collect. Question is though, how do you become the product in an era of free wifi?

The other day I noticed this for the first time in my local Woolworths supermarket down here in Australia:

Sign in Woolworhts offerring free wifi

Free wifi makes a lot of sense in certain places. In a cafe, for example, you – the customer – lingers longer and consumes more lattes. In fact it’s a drawcard to cafes – “I think I’ll just go to the one that lets me browse for free over my brekkie”. It also makes sense in airports where you’re sitting around for extended periods.

Question is, what’s the value proposition for the provider of free wifi in a supermarket? Here’s a highly mobile environment where you spend your visit wandering around from aisle to aisle. There’s no seating, no real waiting around and no apparent value proposition for offering customers web access. Except potentially, there is, and it’s actually quite devious.

What exactly are you “agreeing” to?

The instructions in the image above should be a bit of a red flag, but unfortunately they’re missing a step so let me add it here:

1.5 – Read and understand the terms and conditions

Problem is, what you’re agreeing to is damn hard to read on the device which you’re inevitably carrying with you when you actually want to use the service:

Tiny terms and conditions on iPhone

As we’ve come to expect from terms and conditions, there’s absolutely no way you can read them before accepting them anyway! Partly this is due to the fact that it’s almost impossible to scroll through them in the small window Woolies have placed in the phone and partly it’s because you’re really in no mood to absorb a thousand words on an iPhone whilst standing around in a grocery aisle. Never mind, you can read them in their entirety here. I did, and found some interesting info that might help explain the value proposition.

Ponder this in the privacy section:

However, once you access the Service and open the internet browser application to a website, information about the web browser type and/or operating system information used by the enabled device may be captured and processed in order to determine the most effective and/or customised means of displaying the requested website on your device. Woolworths will collect and store the IP and MAC address of the enabled device that has accessed the Guest Wi-Fi service, once you have agreed to the terms and conditions.

The emphasis is mine because the highlighted section is very telling. The IP address doesn’t mean a lot (it’s assigned to you by Woolworths when you connect anyway), but the MAC address, now that’s something altogether more interesting…

What you’ve got to remember about MAC addresses is that they’re personally identifiable – each one explicitly ties back to an individual device. Oh sure, people will argue that to be “personally identifiable” you’ve got to have someone’s name or address or phone or some other attribute that ties back to an individual, but the reality is that there are many, many ways of mapping a MAC to a person. In fact to that effect, NIST even deem it as personally identifiable as it meets the following criteria:

Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people

It’s a unique device ID that’s sent when you connect to a wireless access point and it contains information about who made the device (i.e. Apple) but more importantly, it sticks with the device forever (short of subversive means to change it).

What’s interesting here though is that Woolworths will – not “may” or “reserve the right to”, but “will” – store it. That now opens up a whole new world of possibilities, let’s take a look at them.

Thank you, please come again (and don’t forget to bring your phone)

The most obvious advantage of storing the device MAC is that they get to track customer movements. If I connect my iPhone to the local Woolies and they store the MAC, the next time I return with my phone, WAMMO! Now they’ve been able to map my repeat business.

Of course this is made possible by two important factors:

  1. Devices will reconnect to known networks. You jump your iPhone onto “Woolworths Free WiFi” and when you come back tomorrow or next week or even next year, you’ll auto-connect.
  2. We all carry our devices everywhere. This is almost as good as a human tracking implant but without the surgery! Having a wifi enabled phone on you these days is ubiquitous.

But it goes beyond just my local store; if they’re smart (and I’ve no reason to think they’re not), they’ll be aggregating those MAC addresses centrally against store location and the time it was seen and then aggregating that across multiple stores. Now that’s interesting as you get to start tracking customers across multiple locations, all you need is the same SSID on the free wifi in each store and I’m guessing that “Woolworths Free WiFi” isn’t unique to my local one…

But all this gives you is unidentifiable foot traffic, right? I mean you don’t actually know who owns the MAC, right? Actually, discovering that is very easy once you have another key piece of data – loyalty cards.

For your convenience, please use your rewards card

This little puppy is a goldmine for retailers:

Woolworths everyday rewards card

I can’t recall ever having made a purchase at Woolies and not being asked if I have a reward card to present. They love them! They don’t love them because it allows them to actually (eventually) give you some discounts, they love them because they’re awesome data aggregation services. Your shopping habits contain a huge amount of information about you, information that can be invaluable for targeting purposes. But it can also be used to reconcile your movements even when you don’t use the card.

Now I can only talk to the technological possibilities here, I don’t know if Woolies are actually doing this or not, but let’s hypothesise for a moment how easy this would be:

Woolies has a customer using the free wifi and upon each visit they store the MAC address of the device (remember, they will store it). Coincidentally, the same loyalty card was used within 20 minutes of the MAC being recorded on two subsequent visits. Ok, could be just coincidental – how about three subsequent visits? Or four? You get the point – reconciliation of this data is dead easy. Once there’s a reasonable degree of confidence in the identity of the MAC address holder, there’s no longer a need to reconcile against the loyalty card, they already know who you are by your phone’s identifier alone.

Woolies’ position on data collection

Curious as to just how accurate the statement “Woolworths will collect and store the IP and MAC address of the enabled device” really is, I asked them for my data. In fact I asked them for all my data and all my wife’s data as well. What I asked for was anything they had on file for our identities based on name, address, email and phone as well as for my iPhone’s MAC address. The latter resulted in this response:

There is no data on file related to the MAC address you provided, for the reasons outlined below:
Before an individual can use the free WiFi service in stores, they must first consider and accept the 'Terms and Conditions' (T&Cs) for using the service. The T&Cs outline Woolworths' position on a number of relevant considerations for using the service. On acceptance of the T&Cs, the customer consents to the conditions of use. I can confirm that Woolworths does collect and store the IP and MAC address of individual's devices insofar as to monitor what content is being accessed and block access to sites that contravene Woolworths' 'Acceptable Use of Information Systems' Policy. It is important to note however that this data is only retained during the period in which the individual is using their device on the WiFi network, and not indefinitely. Additionally, the content is only filtered for verification of what is being viewed - Woolworths can not, and does not link this with who is viewing such content.

There are a number of interesting messages in this: firstly, that content is being monitored. Now that’s a pretty broad statement – are they just monitoring URLs? Or response content? Of course either may contain data of a sensitive nature and would still fit within their definition of “acceptable use” (I haven’t seen this definition but I think we can reasonably guess at its contents) so the same old “don’t use public wifi and expect your datas to remain private” mantra applies.

Secondly, remember that devices will usually auto-connect to known networks and that Woolworths will “monitor what content is being accessed“. So now you’re heading down to the shops months after toying with the free wifi, phone in pocket and and they’re monitoring all the stuff your device is up to just by virtue of you coming into range. For many people, that’s a startling privacy revelation.

Thirdly, is it really necessary to store the MAC address in order to implement filtering? Most commonly, filtering is done by blacklisting disallowed resources, what’s the value proposition in storing uniquely identifiable data about the customer? Unless they’re looking for a pattern across requests from an individual device (which would raise other privacy questions), it’s hard to rationalise why this would be needed.

Finally, this statement: “Woolworths can not, and does not link this with who is viewing such content”. As I outlined earlier, “can not” is not exactly correct as they have enough personally identifiable data to know exactly when I walk into the store, where I live, how to phone me and what kind of eggs I like (dependant on the loyalty card recording purchases, of course). “Does not” is an entirely different can of worms to “can not” and we need to take them at their word on that.

Because data like this is just too valuable not to have

With the caveat that I am clearly speculating and have nothing other than an understanding of the technology and the disclaimers Woolies gives us on which to base this blog post, the opportunity to implement the scenario I’ve described here must be very tempting. I’ve seen some of the things that the shadier advertising agencies in Australia have proposed to large organisations in the past and if this opportunity hasn’t been put to them in the strongest possible way, I’d be massively surprised.

We’re already seeing this sort of thing happening in the wild; remember the rubbish bins that tracked and targeted people in the UK last year? Or moving on from wifi but still within the realm of shady retailer practices, how about Tesco’s facial recognition? Or the whole “Target knew a girl was pregnant before her family did” debacle? There’s a pattern here with physical stores regularly pushing up against Eric Schmidt’s “creepy line” and arguably, frequently going beyond it.

The supermarket scene in Australia is massively competitive as I’m sure it is in other parts of the world too. Our two largest chains have copped their fair share of bad press (and bad legal attention) by pushing the boundaries on things like fuel discounts after using their shopping services, would it really be that great a surprise if they were found to be harvesting customer movements through wifi? It’s hard to see another value proposition for standing up access points in a highly-mobile environment where people just want to grab their groceries and get out of the place; Woolies isn’t exactly a “destination”!

This all has to leave you wondering: if you go shopping and partake in the free wifi, is it you who is shopping for products or do you become the product as soon as you came within range of their access points?

Edit: For a good real world example of the scenario I'm painting here, check out How Retail Stores Track You Using Your Smartphone on Lifehacker.

Security
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals