In a single day, just a fraction of the network of smart bins collected data from nearly a million devices. By comparing when a device was in range of one bin to when it appeared at another, or for how long it stayed in range, the movements of these devices could be determined with a high degree of accuracy. All of this happened without a single person noticing — no consent, no warning, no opportunity to opt out.
More from NBC News:
Ready for battle: Syria on edge as Obama prepares to address US
McCain faults Obama strike plan as 'cosmetic'
Why Syria is no Iraq rerun
It's not the first time such tracking has been done — the fashion retail company Nordstrom tried it out recently, and other firms are already selling this service to brick-and-mortar retailers — but it was perhaps the most high-profile revelation of the practice, triggering an Internet outcry and a conciliatory blog post from Renew's CEO.
"The process is very much like a website," wrote Renew's Kaveh Memari, after explaining that the real-world (but, he stressed, anonymous) tracking had been discontinued. "You can tell how many hits you have had and evaluate repeat visitors, but we cannot tell anything personal about any of the visitors on the website." This is a common argument of those who track us on the Web — but of course, with enough collected data points, a personalized portrait is easy to paint.
The scary part is that if Renew hadn't said anything, no one would even have known the bins were collecting all of this data. You can't opt out of something you don't know is happening to you.
"People are not consenting to this," ACLU electronic privacy expert Christopher Soghoian told NBC News. "The phone doesn't vibrate every time the store tracks them."
(Read more: Forget smartwatches, consider crowdfunding this)
Soghoian said it would be trivial to block such tracking attempts, particularly since MAC addresses can be switched without causing problems. However, mobile operating systems like Android and iOS have "not been built with privacy in mind."
It's not just a matter of fixing this one vulnerability, said Bruce Schneier, another leading security technologist.
"Tracking technology will just get better," he told NBC News. If they can't identify a MAC address or some other software feature, he said, "they actually can use the noise pattern from your antenna." That gives your phone a fingerprint that can't be overwritten or hidden.
If you're walking through a park and someone takes your picture, that photographer might argue that you didn't have a reasonable expectation of privacy. You were, after all, in plain view. So what about with your smartphone? Can you even expect privacy for your device, which is constantly reaching out to cell towers and Wi-Fi hotspots, if it's out in "plain view" of other machines?
Yes, say the experts. Sharma noted that with, for example, CCTV cameras, people are clear on the fact that they're being recorded, and they understand what is being captured.
That's not the case with this kind of electronic surveillance. Not only is there no requirement for companies to alert users that this type of information is being collected, there's no mechanism for it.
"There's a consistent, systematic violation of privacy by — I'm not going to say everyone, but a significant number of the big players," warned Sharma.
(Read more: Smartphones: Why one size doesn't fit all anymore)
Euclid is a technology company that, like Renew, tracks foot traffic by "sensing" smartphones. Its system, sold to retailers, not only tracks "how shoppers flow through your store" but it keeps tabs on "their visit duration, and return shopping patterns."
"To be honest, the industry standard is no disclosure whatsoever," said John Fu, Euclid marketing director, told tech site ITWorld earlier this year. "Whether they're using cameras, infrared, Bluetooth, or Wi-Fi, no one is doing really good notification."
The problem is that customer tracking is potentially so lucrative — and really, it could also be useful. Marketers will want to know what area of town you eat lunch in, so they can offer coupons when you step outside the office. Retailers want to know which of their locations has the most foot traffic, or where people stay seated the longest. And users, of course, want their phone to be remembered for ease of connection with local Wi-Fi spots.
But what if an insurance company got data from such points that suggested you regularly sped on your way to work? Or if your employer found that your phone was hanging out at a bar when you'd called in sick?
If you're still not creeped out by the possibilities, think about this: Google filed for a patent in 2011 detailing what they call "pay-per-gaze" advertising. It would track what someone wearing a Google Glass-like device was looking at, and alert advertisers which billboards and brands users saw, studied, or skipped.
A "Minority Report"-esque scheme of hyper-personalized ads isn't as far away as you'd think. And things may get pretty serious before regulators get involved, or before developers decide that protecting privacy is more profitable than invading it.
"Obviously, data is not bad," said Sharma. "Data is great. It just needs to be paired with transparency and easier ways to have privacy. At some point you cross a line — society needs to establish where that line is."
Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.
—By Devin Coldewey of NBC News