Should Feds Regulate Persistent Identifiers as Personal Information?

mobile analyticsRecently, the Federal Trade Commission settled an action it had brought against Nomi Technologies, a provider of “in-store analytics” technology. The fact that the action was brought against Nomi to begin with, considering what Nomi does, and the 20-year consent decree that Nomi entered into with the FTC, has raised more than a few eyebrows. It has left many – including some of the FTC’s own Commissioners – wondering just what regulators are interested in when it comes to controlling information collection practices in the “information economy.”

Nomi has developed and markets technology to retailers that helps to physically track customers while they shop and analyze patterns that retailers can then use to improve the shopping experience. When a customer walks into a retail store with smart phone or other device enabled for Wi-Fi, the device broadcasts a 12-digit identifier, known as a MAC address, while it searches for a Wi-Fi network. Nomi’s technology detects this signal, scrambles the MAC address, and then assigns each smart device it detects with a “persistent identifier” that it then uses to track the device as it moves around. The technology collects data about the device’s movements within the store, how long it stays at a particular location in the store, and when it leaves the store. Whenever the device returns to the store on another visit by its owner, Nomi’s technology recognizes the identifier that it previously assigned. Nomi’s technology uses this information, in the aggregate, to help retailers “analyze and optimize every investment in marketing, labor and operations” and “increase customer engagement by delivering highly relevant mobile campaigns in real time” through the retailer’s own mobile app. As James Riesenbach of the retail consulting firm, iInside, explained at the Federal Trade Commission’s Mobile Device Tracking Spring Privacy Series earlier this year, mobile analytics can be used to improve in-store environments, “both from a merchandising and marketing perspective … so that customers are able to easily find what they’re looking for.”

The FTC primarily based its Complaint against Nomi on allegations that Nomi failed to abide by a promise in its website privacy policy to allow customers to opt out of being tracked by its technology in-store. But the FTC’s consent decree with Nomi may have more significance than just another warning to “Say what you do, and do what you say” in privacy policies.

Commissioner Joshua Wright, in his dissent in the Nomi case, summed up the real concern about the FTC’s interest in Nomi’s technology matter this way: “Nomi does not track individual consumers.” It merely creates persistent identifiers for each Wi-Fi enabled mobile device that it detects, and it tracks that persistent identifier. In fact, the U.S. Geological Survey defines persistent identifiers as “globally unique numeric and/or character strings that reference a digital object.” In the Nomi case, the object is a mobile device. The FTC is apparently concerned that persistent identifiers may be assigned to the device for long periods of time, perhaps even as long as the device’s lifespan, and that the identifiers used in Nomi’s technology, like all persistent identifiers, allow retailers to distinguish one mobile device from another.

But since when has the FTC been concerned about technology that tracks objects – or in this case, devices? Previously, the FTC’s focus has centered on regulating information that identifies actual people.

This concern by the FTC seems similar (if not identical) to the claims made in a would-be class action lawsuit brought against Google and Viacom in 2012, which was dismissed by a federal judge in January 2015 because the court could not find a viable claim. In that case, the lawsuit charged Google and Viacom with “illegally tracking” the Internet activity of children who visited Nickelodeon’s website, in order to send targeted advertising. The lawsuit claimed that Viacom surreptitiously tracked children under age 13 who visited its Nick.com website and streamed videos or played video games and shared that information with Google. The lawsuit further alleged that both companies, without permission, put cookies into the children’s computers, allowing them to gather additional information that advertisers could use. Among other claims, the lawsuit accused the companies of violating the Video Privacy Act.

But in dismissing the case on January 20, 2014, U.S. District Judge Stanley Chesler noted that neither Google nor Viacom could identify which children streamed specific videos or played specific video games, as opposed to identifying children generally. He also found no showing that the companies engaged in “highly offensive” behavior for which they could be held liable, as the plaintiff alleged.

mobile device trackingIt would seem that Nomi’s technology is not any more “highly offensive” than that found by Judge Chesler in the Google/Viacom case. Nomi is only tracking objects, not identifying actual people. In fact, Nomi’s technology is doing nothing more than a small army of store personnel, outfitted with stopwatches and paper and pen to record their observations, could do in person. Store patrons might find it creepy if human personnel tracked them in this manner, but it would certainly not be illegal or subject to an FTC complaint. Granted, with some extra steps, Nomi might be able to tie its tracking of a certain device to a certain person – for example, by matching the device up to a credit card used in a transaction at the same time that the device was detected and then using that credit card information to identify the person. But Nomi doesn’t actually do this and, as far as anyone knows, it has no plans to do this. So, as Commissioner Wright wondered, where’s the harm in this conduct that justifies a federal regulator stepping in?

Before this FTC Consent decree, no regulator of which we are aware has taken action against the use of persistent identifiers. In fact, persistent identifiers, as used by Nomi, do not even meet the very broad definition of personal information under the E.U. Data Protection Directive, which is far broader than any definition of personally identifiable information under U.S. law. The E.U. Data Protection Directive (95/46/EC) defines personal data as follows:

“Personal data” shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The FTC is apparently interested in regulating the tracking of anything trackable, whether it’s an identifiable person or not. However, mobile analytics like those provided by Nomi have real benefits to consumers, and the FTC’s zeal to control the collection of data must be balanced against the benefits offered by such technology. Again, Commissioner Wright’s dissent is on the mark:

[W]ithout knowing the identity of those visiting their stores, the data provided by Nomi’s Listen service can generate potentially valuable insights about aggregate in-store consumer traffic patterns, such as the average duration of customers’ visits, the percentage of repeat customers, or the percentage of consumers that pass by a store rather than entering it. These insights, in turn, allow retailers to measure how different retail promotions, product offerings, displays, and services impact consumers. In short, these insights help retailers optimize consumers’ shopping experiences, inform staffing coverage for their stores, and improve store layouts.

As Commissioner Wright points out, Section 5(b) of the FTC Act requires the FTC, before issuing any complaint, to establish a “reason to believe that [a violation has occurred]” and that an enforcement action would “be to the interest of the public.” There can be little argument that mobile analytics technology, which depends on persistent identifiers, provides benefits to consumers. Although the FTC’s Consent Decree was focused on a single allegedly deceptive statement in Nomi’s website privacy policy that consumers would have the right to opt out of its tracking technology in-store, one has to wonder if the FTC’s true agenda is to squelch all activity that even smells like consumer tracking. Commissioner Wright makes a compelling argument that the offending statement – that consumers could opt out of Nomi’s tracking technology either on its website (which many consumers did) or in-store – failed to meet the materiality threshold required by the FTC Act. Tim Sparapani of Forbes Magazine makes an equally compelling point that Nomi was not required to offer consumers an opt out of its data collection in the first place because, as already noted here, Nomi does not collect information that could identify specific customers.

Still, for its single, at least arguably immaterial misstatement, Nomi is subjected to a 20-year Consent Decree, with the attendant privacy audits and expense. The disproportionate “punishment” to Nomi – a company that collects no consumer data for itself or on behalf of its customers – perhaps reveals a bias by the FTC against just about any use of persistent identifiers. In fact, the FTC, in its Complaint against Nomi, showed its disdain for persistent identifiers by noting Nomi’s cryptographic hashing of the persistent identifiers before retaining them, so that no actual consumer could ever possibly be identified. But the FTC stated, “the result [of the hash] is still a persistent unique identifier for that mobile device.” In other words, the FTC’s presumption is that persistent identifiers are bad, even if the object that is being identified is not an actual human being.

Such a bias against persistent identifiers could have an adverse impact on innovation. The entire Internet is built on persistent identifiers. In this sense, persistent identifiers are “simply maintainable identifiers that allow us to refer to a digital object – a file or set of files, such as an e-print (article, paper or report), an image or an installation file for a piece of software.” The advent of mobile Internet has encouraged innovation in the use of persistent identifiers that promises benefits that can hardly be imagined from our current vantage point, just like the benefits of the Internet could hardly be imagined 20 years ago. Perhaps regulators should focus on regulating activities that threaten the privacy of actual people. This seems to be a big enough job on its own.

This entry was posted in Corporate Data Policies, e-Commerce, Privacy & Information Management, Regulatory Fines & Settlements and tagged , , , , , , , . Bookmark the permalink.

2 Responses to Should Feds Regulate Persistent Identifiers as Personal Information?

  1. datasubject says:

    This is about potential reidentification. The hashing is a red herring. Whether hashed or not, the identifier can track individuals. For instance, it seems unlikely to make any difference whatsoever to the Californian Xora case (or following class actions) whether Xora’s identifiers are hashed or even disclosed to anyone. Stalking technology can use hashed as easily as unhashed identifiers. The only difference is you can’t identify the device, but nobody cares about the device, the whole point is reidentification and surveillance of the individuals carrying them.

    It’s not clear from your article whether Nomi shares the hashed identifier with their customers. If they do, then because reidentification is possible via “extra steps”, I respectfully dissent from your view that it doesn’t indirectly fall within the scope of the Directive regardless of Nomi’s intentions – because their customers are free to take those extra steps. After all a couple of Uber executives were arrested and charged in France last week for much the same thing (of course Uber actually takes those extra steps).

    • John says:

      We appreciate you reading our blog and appreciate your comment. It’s a debate worth having, which is why we blogged about it in the first place.

Leave a Reply