On behalf of consumers in Minnesota and across the country, U.S. Sen. Al Franken (D-Minn.) today pressed one of the country's leading analytics firms to stop using people's smartphones to track their movements without their permission.
Recent news reports suggest that Euclid, Inc. technology has tracked approximately 50 million Americans through their smartphones without their permission as they go about their daily shopping. Sen. Franken said in a letter to the company that he wants this practice put to an end.
"It's one thing to track someone's shopping habits through a loyalty card or credit card purchase; folks understand that their information may be collected," said Sen. Franken. "It's another thing entirely to track consumers' movements without their permission as they shop, especially when someone doesn't buy anything or even enter a store. People have a fundamental right to privacy, and I think neglecting to ask consumers for their permission to track them violates that right."
Currently Euclid, Inc. keeps tabs on consumers as they walk past a store, enter a store, or move between a store's floors by tracking a unique and permanent hardware number transmitted by consumers' smartphones. Unless a consumer visits Euclid's website to opt-out of being tracked, their location is collected without their permission or knowledge.
Sen. Franken sent a letter to Euclid, Inc., today with several questions regarding the company's practices and has requested an answer by April 1, 2013.
You can read the full letter below.
March 13, 2013
Mr. Will Smith, CEO
1027B Alma Street
Palo Alto, CA 94301
Dear Mr. Smith:
I am writing to request information about Euclid, Inc.'s use of consumer tracking technology. As I understand it, your company's technology can track consumers as they walk past a store, enter a store, or move between its floors by tracking a permanent and unique hardware number transmitted by those consumers' smartphones. This tracking occurs on an opt-out basis: unless someone visits your website and enters her information, Euclid's technology will track her. Recent news reports suggest that Euclid's technology has tracked 50 million unique smartphones or other WiFi-enabled devices. All of this would suggest that the movements of millions of Americans have been tracked in your clients' stores without those consumers' permission. I find this troubling.
It's clear that your company has taken concrete steps to protect consumers' privacy, such as "hashing" the unique identifiers you collect from consumers' smartphones and only disclosing aggregate consumer data to your clients. I applaud these efforts. At the same time, I think that Americans have a fundamental right to not be tracked without their consent - especially in the real, "offline" world where they are less likely to expect it. I also have serious concerns about how Euclid will use, share, and protect the data that it collects from users in this manner.
I request that you provide answers to the following questions by April 1, 2013.
Exactly how many unique smartphones has Euclid tracked in its clients' stores?
In what cities and states does Euclid track consumers' smartphones?
Does Euclid track people's smartphones when they enter a store but don't buy anything?
Does Euclid track people's smartphones when they walk past a store without entering it?
Does Euclid track a particular individual smartphone owners as they visit or walk past different stores?
Euclid's online Privacy Statement says that its technology would enable it to tell a client whether "more people usually tend to grab a coffee or an ice cream after going to the dentist[.]" I understand that Euclid's technology is not being used in any medical facilities or pharmacies. Is that correct? If so, will Euclid pledge that it will never deploy its technology in or near any medical facilities or pharmacies in the future?
The Privacy Statement says that Euclid may augment its client reports with "information [Euclid] guesses infers [sic] from user activity, such as whether a device owner is male or female, income bracket, etc." (emphasis added). How exactly could Euclid guess or infer a consumer's gender and income bracket based on her smartphone data?
A recent New York Times article said that Euclid's technology is used to calculate "the percentage of people who come into the store who leave without making a purchase." How does Euclid calculate that percentage based on consumer smartphone data?
What mechanisms does Euclid have in place to monitor and identify breaches of consumer data?
Has Euclid's consumer data ever been breached?
The Privacy Statement says that Euclid's data is stored with Amazon Web Services. In January 2012, Zappos, an Amazon-owned company, suffered a breach that compromised the names, shipping and billing addresses, phone numbers, and e-mail addresses of over 24 million customer accounts. Has Euclid taken additional precautions since this breach?
If a law enforcement agency or a company told Euclid the MAC address for someone's smartphone and asked what stores the owner of that smartphone had previously walked past or visited, would Euclid be able to answer that question?
Will Euclid require law enforcement to obtain a warrant before disclosing a particular consumer's location records?
Does Euclid have any plans to sell, rent or disclose any of its consumer data to data brokers or any other third parties?
Will Euclid assure users that it will never sell, rent or disclose any of its consumer data to data brokers or any other third parties?
Will Euclid move to an "opt-in" model where a unique person is only tracked if she agrees to that tracking? If not, why not?
Thank you for your time and prompt attention to my inquiries.