22 May 2011, rev. 31 May 2011
Means for ascertaining the location of a computing device have matured rapidly recently, and include GPS, Wifi, and triangulation within mobile phone cells. Researchers and privacy advocates have long warned about the dangers of person location and tracking. During April 2011, the public became aware that location data was being gathered with much greater intensity, was being retained longer, was being stored in more accessible places, and was being used for more purposes, than consumers had previously realised. The collection and exploitation of data about the users of mobile devices raises serious privacy issues. These are addressed in the APF’s Policy Statement on the Location and Tracking of Individuals through their Mobile Devices.
Transmissions over wireless networks are also capable of being exploited in order to gather data about third parties. In particular, various organisations have been collecting positional data as a means of locating stationary Wifi networks. The purpose of this Policy Statement is to declare the APF’s position on the gathering of positional data relating to third parties such as the operators of stationary wireless networks, through the interactions between those networks and mobile devices carried by individuals.
Wireless networks pass data between devices by transmitting signals using particular parts of the electromagnetic spectrum. Those transmissions can be detected by any device in the vicinity of the device that sends the message. There is a variety of categories of wireless networks, which have varying characteristics such as the size of the area within which they are usable, and the volume of data traffic that they can support. This document focuses primarily on one particular, currently very common category of wireless network, which is specified by the IEEE 802.11x series of standards, and is usually referred to as ‘Wifi’.
The message-content that devices transmit over Wifi networks may be ‘in clear’, or it may be encrypted. (The most common encryption tool is SSL/TLS, which is used by web-browsers when they communicate with web-servers by means of the https protocol rather than http.) For several reasons, most message-content is sent ‘in clear’. One reason is that encrypting and decrypting message-content incurs overheads and slows down ‘the user experience’. Another is that most users are unaware of the risks they take by transmitting messages in clear, or rely on the providers of their devices, software and services to operate in a trustworthy and secure manner.
To transmit message-content over a wireless network, a device also transmits unique identifiers for both the sending device and the device that the message is intended to reach. These unique device-identifiers may be referred to variously as a Network Interface Card Id (NICId) or a Media Access Control address (MAC). Of necessity, the device-identifiers are transmitted ‘in clear’, i.e. unencrypted. Because of the nature of wireless media, the device-identifiers are able to be detected by every other device that is in the vicinity at the time.
Generally, the hub of a Wifi network transmits a particular message-type every few seconds, which is commonly referred to as a beacon. This publishes the SSID (an identifier for the network), and a range of data describing the network’s mode of operation. The beacon also includes the hub’s own unique device-identifier. However, because it is addressed to any device in the vicinity, it does not contain the unique device-identifier of any other device. An alternative is available, referred to as ‘passive mode’, whereby the hub sends a beacon only when requested to do so by another device in the vicinity.
It is inherent in many networks, including wireless networks, that every device may detect every message sent by every other device on that network. Well-behaved devices are designed to ignore messages that are not intended for them. The data is ephemeral in the device’s memory, and quickly flushed. This is an implementation of the principle that technology should be designed to forget non-relevant data. However, devices may instead be designed to gather some or all of the data that they detect, and to retain it and/or make it available to one or more other devices.
Generally, consumer devices such as Wintel and Mac desktops and laptops were designed to be well-behaved and forgetful of data that is not relevant to them. Generally, it appears that mobile devices, including smartphones (running under Apple iOS, Google Android, MS Phone 7, RIM/Blackberry, and perhaps Nokia Symbian) and ‘GPS’ devices (such as TomTom and Garmin), have been designed to be not well-behaved, but instead to be elements of a surveillance system.
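To make the preceding description concrete, the following Python program is added here as an illustration; it is not part of the APF’s statement and not any vendor’s code. It builds two constructed 802.11 frames (a beacon and a station-to-hub data frame, using made-up locally administered MAC addresses and a made-up SSID), decodes the fields that travel in clear (the three addresses, the SSID, the capability bits) and models the well-behaved-device rule: a frame is handled only if it is a beacon, which is addressed to everyone, or is addressed to the receiving device; everything else is dropped without anything being recorded. The frame layout follows the 802.11 management and data frame formats, but only the subset of fields discussed above is modelled.

```python
"""Added example: decode the fields that 802.11 frames carry in clear, and
model the 'well-behaved device' rule (handle only what is addressed to you).
All MAC addresses, SSIDs and frames below are constructed for the example."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def build_beacon(bssid: str, ssid: str, privacy: bool = True) -> bytes:
    """Constructed beacon: management frame, subtype 8, addressed to everyone."""
    header = (struct.pack("<BBH", 0x80, 0x00, 0)           # frame control, duration
              + mac_to_bytes(BROADCAST)                    # addr1: destination (all devices)
              + mac_to_bytes(bssid)                        # addr2: transmitter (the hub)
              + mac_to_bytes(bssid)                        # addr3: BSSID
              + struct.pack("<H", 0))                      # sequence control
    capability = 0x0001 | (0x0010 if privacy else 0)       # ESS bit, Privacy bit
    body = struct.pack("<QHH", 1_000_000, 100, capability)  # timestamp, interval (TU), capability
    body += bytes([0, len(ssid)]) + ssid.encode()          # tag 0: SSID
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])           # tag 1: rates 1, 2, 5.5, 11 Mbit/s
    return header + body


def build_data(bssid: str, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed data frame from a station to its hub (To-DS flag set):
    addr1 = hub, addr2 = sending station, addr3 = final destination."""
    header = (struct.pack("<BBH", 0x08, 0x01, 0)
              + mac_to_bytes(bssid) + mac_to_bytes(src) + mac_to_bytes(dst)
              + struct.pack("<H", 0))
    return header + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the MAC header (never encrypted) and, for a beacon, its body."""
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    addr1, addr2, addr3 = (mac_to_str(frame[i:i + 6]) for i in (4, 10, 16))
    rec = {"type": FRAME_TYPES[ftype], "subtype": subtype, "kind": "other",
           "receiver": addr1, "transmitter": addr2, "addr3": addr3,
           "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02)}
    if ftype == 0 and subtype == 8:                         # beacon
        body = frame[24:]
        timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
        rec.update(kind="beacon", bssid=addr3, timestamp=timestamp,
                   beacon_interval_tu=interval, privacy=bool(capability & 0x0010))
        pos = 12                                            # tagged parameters follow
        while pos + 2 <= len(body):
            tag, length = body[pos], body[pos + 1]
            value = body[pos + 2:pos + 2 + length]
            if tag == 0:
                rec["ssid"] = value.decode("utf-8", "replace")
            elif tag == 1:
                rec["rates_mbps"] = [(r & 0x7F) / 2 for r in value]
            pos += 2 + length
    elif ftype == 2:
        rec.update(kind="data", payload_len=len(frame) - 24)
    return rec


def well_behaved_receive(frame: bytes, my_mac: str):
    """Model of a well-behaved device: handle the frame only if it is a beacon
    (addressed to all) or addressed to this device; return None for anything
    else, so nothing from frames meant for other devices is retained."""
    rec = parse_frame(frame)
    if rec["receiver"] == my_mac.lower():
        return rec
    if rec["kind"] == "beacon" and rec["receiver"] == BROADCAST:
        return rec
    return None


if __name__ == "__main__":
    hub, station, laptop = "02:11:22:33:44:55", "02:aa:bb:cc:dd:ee", "02:00:00:00:00:99"
    beacon = build_beacon(hub, "cafe-guest")
    data = build_data(hub, station, "02:00:00:00:00:01", b"hello")
    print("beacon as decoded:", parse_frame(beacon))
    print("data frame seen by an unrelated laptop:", well_behaved_receive(data, laptop))
```

Running the program shows the point the statement makes: the decoded data frame carries the hub’s, the sending station’s and the destination’s device-identifiers in the header even though its payload could be encrypted, and the well-behaved receiver returns None for it because it is addressed to the hub, not to the laptop. The beacon, by contrast, names only the hub.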
Organisations have interests in taking advantage of data that can be gathered from wireless networks. One motivation is to acquire information about the behaviour of individual mobile devices, and hence about their users. This can then be exploited to provide better services to users generally, or better services for each specific user, or (depending on the point of view) to manipulate users’ behaviour.
A second motivation for gathering data from wireless networks is to improve the accuracy with which devices’ locations can be computed. Each technique for computing the location of a computing device has limitations. These include, for example, blindspots, local weather conditions, obstructions to wireless signals such as pre-stressed concrete, and network congestion. Several corporations have come up with ways to create and maintain databases that assist them to cope with these limitations. An element of these schemes is the use of positional data associated with Wifi networks.
Users’ mobile devices detect and interact with wireless networks. The position that a mobile device was in when it detected a network can be recorded. (For example, a GPS reading may be available when a Wifi network is detected.) The Wifi network’s identity and location, and the date and time, can then be uploaded to the corporation, with or without the individual being aware of it, or consenting to it. The corporation can thereby create and update a database of locations of Wifi networks, and that database can thereafter be used as a means of computing the location of mobile devices. This has been done by companies such as Skyhook, and appears to have been a primary reason for Google’s ‘StreetView’ programs, during which they captured not only images of the streetscape they passed through, but also Wifi traffic.
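The database-building step just described, modelled in Python as an added example (it is not the APF’s text and not the code of Skyhook, Google or any other company): a device that has a GPS fix contributes the position at which it heard a hub’s beacon and the signal strength; a hub’s location is then estimated as the centroid of such sightings weighted by nearness; and a device without a fix is located from the hubs it can hear. Positions are local east/north metres rather than latitude and longitude, the RSSI-to-distance constants are assumed values, and the two consent flags on each sighting are assumptions, since 802.11 offers no field for them; they mirror the conditions the policy section later places on beacon data.

```python
"""Added example: a toy model of a Wifi positioning database of the kind the
statement describes. Positions are local east/north metres, not latitude and
longitude; the path-loss constants and the consent flags are assumptions, and
every hub identifier and sighting below is constructed for the example."""
from collections import defaultdict


def rssi_to_distance_m(rssi_dbm: float, rssi_at_1m: float = -40.0,
                       path_loss_exponent: float = 2.7) -> float:
    """Log-distance path-loss model: d = 10 ** ((RSSI_1m - RSSI) / (10 n)).
    Both constants are assumed values, roughly typical of an urban setting."""
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * path_loss_exponent))


class HubLocationDatabase:
    """Maps a hub's device-identifier (BSSID) to a weighted set of positions
    at which mobile devices with a GPS fix heard its beacon."""

    def __init__(self):
        self._sightings = defaultdict(list)   # bssid -> [(x_m, y_m, weight)]

    def add_sighting(self, bssid, rssi_dbm, gps_fix, operator_consent, user_consent):
        """Retain a sighting only when both the hub operator and the device
        user have consented (assumed flags; the standard has no such field).
        Otherwise record nothing and report that the sighting was dropped."""
        if not (operator_consent and user_consent):
            return False
        x, y = gps_fix
        weight = 1.0 / rssi_to_distance_m(rssi_dbm)   # nearer sightings count more
        self._sightings[bssid].append((x, y, weight))
        return True

    def hub_location(self, bssid):
        """Weighted centroid of everywhere the hub was heard, or None if unknown."""
        pts = self._sightings.get(bssid)
        if not pts:
            return None
        total = sum(w for _, _, w in pts)
        return (sum(x * w for x, _, w in pts) / total,
                sum(y * w for _, y, w in pts) / total)

    def estimate_position(self, observed):
        """Locate a device that has no GPS fix from the beacons it hears:
        observed = [(bssid, rssi_dbm)]. Hubs not in the database are ignored;
        known hubs are combined as a centroid weighted by 1/distance."""
        acc_x = acc_y = total = 0.0
        for bssid, rssi in observed:
            loc = self.hub_location(bssid)
            if loc is None:
                continue
            w = 1.0 / rssi_to_distance_m(rssi)
            acc_x += loc[0] * w
            acc_y += loc[1] * w
            total += w
        return None if total == 0 else (acc_x / total, acc_y / total)


if __name__ == "__main__":
    db = HubLocationDatabase()
    # constructed sightings: (bssid, rssi, GPS position in metres, operator consent, user consent)
    db.add_sighting("02:11:22:33:44:55", -50, (0.0, 0.0), True, True)
    db.add_sighting("02:11:22:33:44:55", -50, (10.0, 0.0), True, True)
    db.add_sighting("02:66:77:88:99:aa", -40, (20.0, 10.0), True, True)
    db.add_sighting("02:de:ad:be:ef:00", -45, (3.0, 3.0), False, True)  # no operator consent: dropped
    print("hub A:", db.hub_location("02:11:22:33:44:55"))      # about (5.0, 0.0)
    print("dropped hub:", db.hub_location("02:de:ad:be:ef:00"))  # None
    print("device:", db.estimate_position([("02:11:22:33:44:55", -40),
                                           ("02:66:77:88:99:aa", -60)]))
```

The model makes two points visible. Once a hub’s position is in the database, any device that merely hears its beacon can be located without GPS, which is why a hub’s device-identifier is a locating datum for everyone who passes it, not just for its operator. And the consent gate has to sit at the point of collection: a sighting that is never stored cannot be uploaded or combined later.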
The Privacy Issues
Each message that is transmitted over a wireless network is intended for, and only for, a specific device. It is addressed to a specific device, and is neither ‘broadcast’ nor ‘published’. Because of the nature of electromagnetic transmissions, however, the message may be detected by devices other than the intended device. Every device other than the intended recipient-device must respect the fact that the message is addressed to another device, and must ignore the message.
That statement applies to the message-content, which may of course be not only private, but also sensitive.
That statement also applies to the device-identifiers that travel with the message. Device-identifiers are by their very nature highly sensitive data. In a great many circumstances, the data is directly associated with a specific individual, or capable of being indirectly associated with a specific individual. If device-identifiers were collected by another party, they would enable the correlation of multiple messages sent and received by the device over a period of time. This would represent a systematic and very serious breach of the privacy of personal communications.
During the first half of 2010, it was discovered that Google, as part of its StreetView operations, had been gathering device-identifiers and message-content (referred to in the reports at the time as ‘payload data’). This was a serious breach of privacy expectations, was in many cases a breach of privacy laws, and was in many cases also a breach of telecommunications interception legislation.
The Special Case of Beacons
The above analysis applies to all messages transmitted on a stationary network, but special consideration needs to be given to beacons. There are three key differences between a beacon and other messages:
- a beacon’s purpose is to enable the hub of a stationary network to declare to other devices its existence, its name, and other information such as its security profile
- a beacon’s message-content appears to be not generally sensitive
- a beacon does not carry an identifier for any other devices
The SSID (network name) and the device-identifier for the hub itself may or may not be sensitive. For example, an Internet cafe may consent to, and even encourage, the recording and publication of the network name and the hub’s device-identifier; whereas an individual who establishes a personal area network to enable communication among the individual’s multiple devices may have a strong preference for their device-identifier to not be recorded or published.
The APF’s Policy Position
In Relation to All Messages Other Than Beacons
1. All messages transmitted on wireless networks such as Wifi must be regarded as being for the specific purpose of transmitting message-content from the sending-device to the intended recipient-device and to only the intended recipient-device.
2. All devices other than the intended recipient-device that detect messages transmitted on wireless networks:
- must immediately delete all copies of the message and all data relating to it
- must under no circumstances retain any copies of the message or data relating to it
- must under no circumstances make copies of the message or data available to any other device
3. All handling of messages transmitted on a stationary network such as Wifi must be subject to legal requirements that obligate the behaviour described in the preceding paragraphs. Infringements must be subject to criminal provisions, and infringers must be prosecuted.
In Relation to Beacons
In general, beacons and data relating to beacons must not be stored, retained or made available to other devices. If, however, two conditions hold, then exploitation of that data is permissible. The two conditions are:
1. The operator of the hub must have signified their consent to storage, retention and/or disclosure of the data. (It is acknowledged that the standards currently lack a simple means for hub-operators to signify consent. Nonetheless, until the standards are upgraded, the onus must be placed on organisations that wish to exploit the data to demonstrate that they have the hub-operator’s consent).
2. The user of the mobile device that detects the beacon must have signified their consent to storage, retention and/or disclosure of the data. (Again, it may not be simple to achieve free and informed consent by the user; but the onus must be placed on organisations that wish to exploit the data to demonstrate that they have the user’s consent).