Hundreds Of Devices Hidden Inside New York City Phone Booths

Beacons can push you ads — and help track your every move. Update: Hours after BuzzFeed News exposed the devices, the city ordered the removal of the devices.

UPDATE

Hours after BuzzFeed News published this report, City Hall asked Titan to remove the devices, which could have been used to push ads — and track phones.Oct. 6, 2014, at 12:21 p.m.

A company that controls thousands of New York City’s phone booth advertising displays has planted tiny radio transmitters known as “beacons” — devices that can be used to track people’s movements — in hundreds of pay phone booths in Manhattan, BuzzFeed News has learned.
And it’s all with the blessing of a city agency — but without any public notice, consultation, or approval.
Titan, the outdoor media company that sells ad space in more than 5,000 panels in phone kiosks around the five boroughs, has installed about 500 of the beacons, a spokesman for the city’s Department of Information Technology and Telecommunications (DoITT), Nicholas Sbordone, confirmed to BuzzFeed News.
Beacons are Bluetooth devices that emit simple signals that smartphones can pick up. They’re best known for their growing use in commercial settings: in stores, for example, to alert customers to sales, or in stadiums, to tell patrons which entrances are least crowded.
But the spread of beacon technology to public spaces could turn any city into a giant matrix of hidden commercialization — and vastly deepen the network of surveillance that has already grown out of technologies ranging from security cameras to cell phone towers.

Jon Premosch / BuzzFeed News

New York City residents had no say in the deployment of Titan’s beacons. Titan notified DoITT of its plans to install the beacons in 2013, which the city agreed to without a formal approval process because, according to Sbordone, the company said it was using the devices for maintenance purposes only. Titan installed the beacons from September to November 2013; a source with knowledge of the situation alerted BuzzFeed News to the program anonymously for fear, the source said, of being fired for speaking publicly.
One of New York’s leading privacy advocates, New York Civil Liberties Union executive director Donna Lieberman, denounced the program after learning of it from a New York Daily News reporter.
“To the extent that the city is involved in this, the lack of transparency [is] of even greater concern,” Lieberman, who called on the city to make public the details of the arrangement, told the Daily News.
“Consumers should be aware when they’re in a zone that projects beacons,” said Doug Thompson, the CEO of dot3, a beacon technology company, who also runsBEEKn, an industry blog. “It shouldn’t be kept hidden from them.”
Neither Titan nor DoITT would provide the specific locations of the beaconized phone booths, but they appear to be densely concentrated in central and lower Manhattan. On a 20-block stretch along Broadway and Sixth Avenue (from the bottom of Madison Square Park to just north of Bryant Park), BuzzFeed News identified 13 Titan-Gimbal beacons — or more than one, on average, every two blocks. To detect the beacons, BuzzFeed News used an Android app that lists nearby beacons, their identification codes, and signal strength, which gets stronger as a phone approaches the transmitter.

Titan, which is also active in San Francisco, Los Angeles, and other cities, said it has installed Gimbal beacons in other markets, but declined to provide details about those programs to BuzzFeed News.
The beacons are manufactured and sold by Gimbal, a San Diego company thatspun off in April from Qualcomm, the telecommunications giant. In its current iteration, a Gimbal beacon requires a third-party app to trigger advertisements, and requires those apps to receive “opt-in” permission from users in order to collect data and send notifications. (Users, of course, also need to have Bluetooth enabled.) Major League Baseball and GameStop, among others, already use Gimbal beacons in their stadiums and stores (respectively). Each uses its own proprietary app (though not necessarily integrated with Gimbal’s software). A beacon in a New York City phone booth ad would need to recognize a corresponding app to push beacon-linked content to that phone.
Gimbal has unusual roots for a technology company. Its CEO, Rocco Fabiano, was chairman of Far Western Bank, a subprime auto lender shut down by California regulators in 1990. In 1993, a federal grand jury indicted Fabiano for allegedly taking bribes as part of an auto-financing scheme. He was acquitted in 1995.
DoITT and Titan say the beacons are currently in use on a test basis only, largely to determine the effectiveness of the technology and for “inventory management,” helping alert Titan which panels are scheduled to be replaced. DoITT’s Sbordone said that any explicit commercialization of the beacons would require a more formal city approval.
The Tribeca Film Festival app used Gimbal beacons this year to send festival-goers notifications about nearby happenings, according to an event press release. Dave Etherington, a spokesman for Titan, confirmed some of the beacons were in city phone booths, but stressed that Titan received no data from the festival-related beacon interactions.
The beacon industry is rooted in the increasingly complex interactions between the beacons, smartphone applications, and cloud-based data collection. Gimbal’s own, public documentation repeatedly and plainly indicates that the company receives beacon-phone interaction data. Those interactions, which Gimbal calls “sightings,” are illustrated in the following graphic from the documentation’s “Proximity Overview” section, intended for prospective Gimbal clients:

Gimbal

“Sightings,” according to the documentation, are sent to both Gimbal servers and, in some cases, “3rd party” servers.
Gimbal’s privacy policy says Gimbal-powered apps may collect your current location, the time of day you passed the beacon, and details about your device. These apps may also, under certain circumstances, collect data about the websites you visit, the apps on your phone, and the “frequency and duration of app usage.” The policy says that app-usage and website-visit data are not sent to Gimbal’s servers.
Gimbal COO Kevin Hunter said through a spokeswoman that the company only provides clients with “aggregated, anonymized data.” Indeed, Gimbal does not collect names, email addresses, or other personally identifiable information. But the company’s software, with users’ permission, can collect a remarkably detailed suite of information.
Gimbal has advertised its “Profile” service. For consumers who opt in, the service “passively develops a profile of mobile usage and other behaviors” that allow the company to make educated guesses about their demographics (“age, gender, income, ethnicity, education, presence of children”), interests (“sports, cooking, politics, technology, news, investing, etc”), and the “top 20 locations where [the] user spends time (home, work, gym, beach, etc.).”
Throughout its marketing materials, Gimbal emphasizes the importance of consumer privacy.
But, with severe data breaches at Home Depot, Target, and JPMorgan Chase, written commitments to privacy and security are only as strong as the technology backing them up.
Email the writers of this article at joe.bernstein@buzzfeed.com and jeremy.singer-vine@buzzfeed.com.

CORRECTION

Major League Baseball has installed Gimbal beacons in stadiums, but does not use Gimbal’s software in its apps. An earlier version of this post said that an MLB app was “Gimbal-enabled.” Oct. 6, 2014, at 10:29 a.m.

Tags

Source