
26 July 2013

Now the STORES are Tracking Our Movements - VIA OUR CELL PHONES!

I guess I should have seen this one coming and should either slap myself in the face or go find someone to do it for me to remind me that when the opportunity is there, someone will take advantage of it.  After all, I have worked in this industry for more than 40 years now and am usually keenly aware of the less than appetizing uses to which new technology is frequently put, but I didn't see this one, and now I am . . .   shame on me!

For those who don't know what I'm talking about, the issue is the fact that major corporations like Target, Nordstrom's, Family Dollar, Cabela’s, Macy's and Mothercare, along with untold other numbers of stores, are now using the WIFI PING capabilities on your cell phone to track you while you are shopping in their stores.

Not only are they tracking the number of customers who come in the stores, but they are also tracking how long you spend stopped in front of a particular item, what parts of the stores you spend the most time in, and, depending on the level of service they have subscribed to, may even be able to tell what items you are actually considering based on the number of times you go back and forth between items to do comparison shopping and price checking of various like items.

So how are they able to track us within their stores, and just what information can they gather?

The how part is easy:  they take advantage of the fact that our cell phones are, in many cases, constantly pinging for available WIFI networks so they can notify us that free or "open"  WIFI service is available for our use.  They are taking advantage of the fact that most of us are cheap and too lazy to do manual searches for WIFI, allowing our mobile devices to do the searching for such service and automatically notify us when those services are available.

They are also taking advantage of the fact that the steel roofs and iron girder superstructures of their stores, along with the other wireless-signal-absorbing materials used in the construction of such facilities, frequently absorb so much of the cellular network's signal that it is unusable within those stores.  They further take advantage of the fact that, by our very nature, we will almost automatically connect to their free WIFI network to see if we can find an item sold within their stores for less money on Amazon or another web-based sales portal - which is frequently the case with most overpriced items, especially in major electronics stores like Bust Buy and the former Circus City stores where there was not, nor has there ever been, such a thing as a knowledgeable sales person or good customer service.

In defense of those stores who have adopted this tracking method, they are at a disadvantage when it comes to tracking customer spending habits.  Online vendors like Amazon have technology to their advantage because they can follow our every move electronically, keep a digital record of every item we look at, set cookies in our browsers, and use our logins and purchase history to know what our preferences are, how much we like to spend, and what we are looking for as soon as we walk in the digital door.  The poor bastards at the brick and mortar locations don't have such advantages and most of the human employees they have would not be capable of compiling such data even if they had the tools to do so in real time.  Fortunately someone created the sales person and equipped those ruthless individuals with the tools to bring tracking similar to the online retailers to the physical store level . . .

The Actual Technology:  I've already alluded to the fact that these stores are using our mobile devices to track us via their WIFI networks, but exactly what technology are they using?   It's simpler than it sounds:  they track our MAC addresses . . .

The MAC address is a unique code which is assigned to every network interface.  Whether a connection is made via Bluetooth, a hard-wired connection, or a wireless connection, there's a MAC address involved.  The MAC address is a HEXADECIMAL or BASE 16 number which is hard-coded into the electronics of the device and looks something like this:  00:4B:9F:21:6C:A7.  This unique set of 12 hexadecimal digits, each of which can range from 0 through F, gives every network device a unique, non-repeating identifier, and it is the code which is tracked by the services which the stores have now authorized third-party vendors to collect and store in the cloud -- WITHOUT first gaining your permission to do so -- tracking your every move and spending habits.

So Who's Collecting the Actual Data:  While there may be other vendors, the largest culprits in the shopper MAC address conspiracy business are currently Euclid Elements, NOMI, RetailNext, and Sparkfly.

What Can You Do to Protect Yourself:  The simplest solution is to turn off your cell phone whenever you get out of the car to go shopping.  No matter where you go, someone is going to try to figure out how to more effectively make you think you really need to purchase something you don't actually want to spend your money on.

The other solution is to OPT OUT.

OPTING OUT:  The bad news is that, at least in most cases, you'll never know you're being tracked.

Both Euclid Elements and NOMI provide OPT OUT websites where you can plug in the MAC address of your cell phone and have them remove all tracking of that unique ID from their databases.

To opt out of Euclid Elements, go to: https://signup.euclidelements.com/optout

To opt out of NOMI, click on this link and then scroll down to the OPT OUT link at the very bottom of the screen.

RETAILNEXT does not provide an opt-out solution at this time.

SPARKFLY does not provide an opt-out solution at this time.

Opting out of being tracked requires that you look up the MAC address on your cell phone or wireless device, so you may want to do that ahead of time and have it handy.  Pay close attention to the format you use when entering that number, as the format is six sets of two hexadecimal digits separated by a COLON ":" (for example, 00:4B:9F:21:6C:A7).
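The address format described above (twelve hexadecimal digits, which the opt-out forms want as six colon-separated pairs) lends itself to a small helper. What follows is an added Python example, not code from this post or from any of the vendors named in it; the function names, the sample addresses and the salt value are constructed for illustration. It normalizes whatever shape a user copies from a phone's settings screen into the exact colon form, pulls out the manufacturer prefix (the first three octets, the OUI), reads the two flag bits of the first octet (a set "locally administered" bit means the address was assigned by software rather than burned in by the manufacturer), and shows the salted hashing a tracking vendor should apply before storing an identifier, so that the stored record no longer contains the device's real hardware identifier.

```python
import hashlib
import re

# Twelve hexadecimal digits once separators are stripped: the "six sets of
# two hexadecimal digits" the post describes, e.g. 00:4B:9F:21:6C:A7.
_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return a MAC address as upper-case XX:XX:XX:XX:XX:XX.

    Accepts the separators phones and PCs commonly show (':', '-', '.')
    or no separator at all, so a value copied from a settings screen
    can be turned into the exact form an opt-out form expects.
    """
    digits = re.sub(r"[\s:.\-]", "", raw.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(raw: str) -> bool:
    """True if normalize_mac() would accept the value."""
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


def oui(mac: str) -> str:
    """The first three octets: the manufacturer prefix (OUI) of the address."""
    return normalize_mac(mac)[:8]


def _first_octet(mac: str) -> int:
    return int(normalize_mac(mac)[:2], 16)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: the address was assigned by software,
    not burned in by the manufacturer."""
    return bool(_first_octet(mac) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet set: a group address, never a single device."""
    return bool(_first_octet(mac) & 0x01)


def pseudonymize(mac: str, salt: bytes) -> str:
    """Salted SHA-256 of the normalized address.

    A vendor that stores this instead of the raw MAC can still count
    repeat visits, but the record no longer holds the real hardware
    identifier, and a different secret salt per operator keeps two
    operators' records from being joined on it.
    """
    digest = hashlib.sha256(salt + normalize_mac(mac).encode("ascii"))
    return digest.hexdigest()


if __name__ == "__main__":
    # Constructed sample values, not real devices.
    for sample in ("00-4b-9f-21-6c-a7", "004B9F216CA7", "02:11:22:33:44:55"):
        mac = normalize_mac(sample)
        print(mac, "OUI", oui(mac),
              "local" if is_locally_administered(mac) else "global",
              pseudonymize(mac, b"example-salt")[:16])
```

Run it as a script to see the three constructed samples normalized; the hash prefix printed for each differs because the salt is mixed in before hashing, so the same device yields a different pseudonym under a different operator's salt.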

Finding your MAC address:

  • iPhone: Settings > General > About > Wi-Fi Address
  • Android: Settings > About > "Status" or "Hardware information" > Wi-Fi MAC address
  • BlackBerry OS 4.5-5.0: Options > Status > WLAN MAC
    BlackBerry OS 6.0-7.1: Setup > Options > Device > Device and Status Information > WLAN MAC
  • Windows Phone: Settings > About > More info > MAC address


SUMMARY:

 
If you want to be truly safe from tracking while shopping, turn off your cell phones before you even pull into the parking lot!

=====================

Be certain to like us on FaceBook, too.
 

28 June 2012

TEXT MESSAGES used for Patient Care are NOT HIPAA COMPLIANT!


TEXT MESSAGES used for Patient Care are NOT HIPAA COMPLIANT because the telecom servers used to send those messages are not secure, and the telecoms store the actual content of the messages for up to seven years!

Additionally, the telecoms do not now, nor will they likely in the future, provide proper HIPAA / HITECH training to their employees. Telecoms also do not provide Letters of Agency to outside contractors and are not compliant with the data and log retention policies required under the HITECH portion of HIPAA.

All of these things are required to meet the compliance requirements required by HITECH.

In a recent article in Wired Magazine, Wired included data which showed the SMS message and data retention policies of the four major wireless carriers.

Wired's article, which can be found here, was based on a secret memo obtained from the Justice Department.

The memo exposes the length of time for which data is stored by wireless carriers. Of concern in this article is both the amount of time that TEXT or SMS messages are stored by wireless carriers and the fact that that data is neither stored on secured servers nor handled by employees and vendors who have been properly trained under the HITECH portion of the HIPAA requirements.



While the second line of the chart shows that the CONTENT of the message may only be retained for 3 to 5 days, the fact that it is saved at all raises questions under HIPAA / HITECH.  Because the first line states that the DETAIL of the message is saved for up to 7 years, we can realize that some providers choose to keep the CONTENT of the message in the DETAIL of the message.  Either way, the fact that they are saving confidential patient PHI for even a second, along with the fact that the data is running through unsecured servers and data circuits, is clearly a violation of HIPAA / HITECH.


The next two lines show IP SESSION and IP DESTINATION information.  Because IP assignment records are kept for various periods by the different carriers, this ties patients and healthcare providers together: the IP session and destination information can be directly tracked back to a specific provider who is caring for a specific patient.

In the last lines, we see the call detail record retention rates.  While many may construe this to pertain only to voice calls, SMS or TEXT MESSAGES are part of those call records and, once again, this can be used to tie specific providers to specific patients.

To both handle and save patient PHI data, as well as to meet the requirements of HIPAA / HITECH, requires the use of:
  • secure servers;
  • controlled access to the servers;
  • controlled access to server rooms on a need-to-have-access basis only;
  • security training on a minimal timetable of at least twice a year; and
  • a written business associate agreement between the healthcare provider who uses the telecom provider's text messaging service and the service provider.

Because the telcos also have outside vendors who work with the switches and software, this will also require business associate agreements with everyone who comes in contact with the switches and even the buildings in which they are housed.  The HITECH portion of HIPAA also requires those same business associate agreements and training for everyone who maintains the cellular towers and the lines between the towers and the provider's switches.

The servers used by telecom providers are not HIPAA / HITECH secure.  I have yet to see a telecom provider, wireless or landline, sign a business associate agreement with a healthcare provider.  I also believe that it is unlikely that any telecom provider will ever sign a business associate agreement because telecoms love to hide behind the fact that they are regulated by the Federal Communications Commission and are not beholden to any other rules or regulation.

The problem is the fact that SMS / TEXT messaging is so readily available.  Almost everyone who has a smart phone, cell phone, tablet, or any other device which is SMS equipped has SMS / TEXT messaging capability.

Because SMS / TEXT messaging is so easily used, via small and portable wireless devices, text messaging has the potential to be, and is perceived to be, an extremely valuable tool for healthcare.  In reality, it is.  From a security standpoint, it is not.

Unfortunately, and primarily because of the non-compliance with HIPAA / HITECH, SMS and TEXT messaging use must be prohibited by healthcare providers at this time - prohibited until the issue of PHI, data security, server security, network security and HIPAA / HITECH compliance is addressed.

The solution is not going to be implemented at the level of the wireless provider and telcos.

The good news is that there is a solution.  The solution is the adoption of secure SMS and TEXT MESSAGING systems from third-party providers.  While this places an additional burden on healthcare providers, it is the only way to ensure that patient data is properly protected and secured as we move forward under HIPAA / HITECH.


================================================

Read all of ChicagoNetTech's security blogs at: http://networkbastion.blogspot.com/

If you have any questions, or are looking for hosted solutions, please feel free to contact me.
Copyright © 2012, Bruce Barnes, ChicagoNetTech Inc, All Rights Reserved