I recently had the privilege to have some discussions with fellow members of a privacy-oriented group. They were mostly lawyers, and after a series of discussions we waded into the current disapprovals over Nordstrom’s practice of tracking people by Wifi (see here for more on this). Basically  its the implied consent that seems to be getting people up in arms. That and this natural tendency to get riled up about technological-based tracking in general. I interjected that this really isn’t very different from just tracking customers by camera and reviewing the tapes after the fact. Admittedly the automated element here makes this slightly different, but at its base, its still the same to me–after all, are you consenting to be recorded as you walk through the store?  No, its implied and we’ve all mostly moved beyond our concerns about being recorded. But then I remembered something much more central to this debate! Allow me to paint a picture.
A very good friend of mine from college (and high school actually) was an electrical engineering major. He had a job with a company that made lab rat cages. They sold to pharmaceutical companies, universities,  you know, any place that needed something to put their white, red-eyed rats into. So why did they need an EE on staff? Well, his job was to design a monitoring solution for these cages. He configured a USB camera to record the rats, then wrote some software that divided the camera’s field of vision into a grid. When the software detected movement in one of the grids, it incremented a counter and provided some reporting capabilities  Researchers would use this to determine how often the rats went to the water dish, spent time at the food bowl, hit the “gym” wheel, etc.

There is absolutely nothing stopping an existing retailer from applying this technological approach (which is approaching two decades old now) using nothing more than the surveillance videos already in place. I’m willing to wager this is current state for a lot of retailers.

So really, let’s put our big boy and girl pants on and don our risk hats. Look at this holistically — if I configure a wireless access point to record requests for attachments by MAC address then I correlate some logs between various devices, its really no different that them tracking you like a rat in their cage. I mean store.

I think a lot of the privacy industry is invested in outrage–that is, greeting all new technological advances and permutations of common practice as an outright infringement of natural law and civil rights. As always, it falls upon the risk profession to act as the saucer–cool the hot coffee of others into a productive risk discussion.