Yesterday, the press carried reports of TfL monitoring Wi-Fi signals from users’ phones and other devices to generate information about how people use the tube. The news has prompted the usual privacy scare stories and raises interesting questions about how new technologies are deployed and the public’s understanding of privacy risk.
What’s the issue?
It seems that TfL are collecting information about the location and movement of mobile phones – and therefore their users – as they travel through the underground system. The information will presumably be used to plan services, detect passenger bottlenecks, improve safety and generally make the system run more smoothly. So far so good.
At the initial data collection stage, the resultant information will be personally identifiable and could potentially be used for all sorts of purposes. For example, a combination of TfL’s Wi-Fi data and information held by a telco or ISP could allow the police to identify (most of) the people present on a particular station platform when a serious incident took place. Other information that may be available, e.g. CCTV or payment card data, could also aid individual identification.
TfL will be aware of the public sensitivities around ‘hoovering up’ people’s Wi-Fi data and retaining it in a personally identifiable form. Therefore, I should imagine TfL – perhaps in real-time – converts the information into pseudonyms (actual device identifiers hashed and the original data deleted) – preserving privacy to a reasonable degree whilst still allowing individual-level journey tracking. Presumably they can also produce truly anonymised data, e.g. aggregated data showing that at 7.50AM on 9 July 2019, 753 devices/people were located on Platform 2 at Victoria Underground Station and therefore it was very crowded.
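The pseudonymise-then-aggregate approach described above, as an added example (not TfL's code or method). The keyed HMAC-SHA256, the key handling, the record layout, the second station name and the `min_count` suppression threshold are all assumptions, and the sample observations are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import datetime

# Assumption: a secret key held only by the collector. A keyed hash is used
# because a plain hash of a 48-bit MAC address can be reversed by enumeration.
KEY = secrets.token_bytes(32)

def pseudonymise(mac: str, key: bytes = KEY) -> str:
    """Map a device MAC address to a stable pseudonym under `key`."""
    normalised = mac.lower().replace("-", ":").encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]

def to_pseudonymous(observations, key: bytes = KEY):
    """Replace the raw MAC in each (mac, location, timestamp) record."""
    return [(pseudonymise(mac, key), loc, ts) for mac, loc, ts in observations]

def crowding(records, min_count: int = 1):
    """Count distinct devices per (location, minute); drop groups below min_count."""
    seen = defaultdict(set)
    for pseudonym, loc, ts in records:
        minute = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:%M")
        seen[(loc, minute)].add(pseudonym)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_count}

# Constructed sample observations (not real data).
SAMPLE = [
    ("AA:BB:CC:00:00:01", "Victoria/Platform 2", "2019-07-09T07:50:05"),
    ("aa-bb-cc-00-00-01", "Victoria/Platform 2", "2019-07-09T07:50:40"),
    ("AA:BB:CC:00:00:02", "Victoria/Platform 2", "2019-07-09T07:50:12"),
    ("AA:BB:CC:00:00:01", "Green Park/Platform 1", "2019-07-09T07:53:30"),
]

if __name__ == "__main__":
    records = to_pseudonymous(SAMPLE)  # raw MACs are not carried forward
    for record in records:
        print(record)                  # individual-level, pseudonymous journeys
    print(crowding(records))           # aggregate, per platform and minute
```

The pseudonymous records still link one device across stations, which is what permits journey analysis; only the output of `crowding` is aggregate data, and destroying the key removes the ability to recompute a pseudonym from a known MAC address.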
Is it really a problem?
Despite the potential for privacy-enhancing technologies and techniques, like pseudonymisation, to turn personal information into a safe but still useable form, the reporting of the TfL story has been generally pessimistic and somewhat alarmist. Personally, I won’t be turning off my Wi-Fi when I travel on the underground. I feel assured enough that the collection of information about my phone – and therefore me – presents such a minimal privacy risk that I am perfectly happy for TfL to take my data and to do useful things with it.
Other travellers may be more concerned about being ‘tracked’, ‘followed’ and ‘spied-on’ by TfL. However, assessing privacy risk and understanding concepts like pseudonymisation, anonymisation and re-identification is a very specialist activity. I can see why many people will fail to see the difference between information that identifies them, and information extracted from such information, but which no longer identifies them. The ‘spectrum of identifiability’ will be lost on most people and they may see it all as ‘information about me’.
This leaves organisations like TfL with a dilemma
TfL should either stop the data collection and negate any privacy risk/public concern, or continue but attempt to explain to the people whose information is being analysed how the privacy safeguards work, and hopefully allay any fears they may have – a big ask.
TfL are not the first organisation to track your Wi-Fi and it’s fairly commonplace in shopping centres and retail outlets. It would be a shame if this sort of data analysis is prevented because of largely illusory privacy risks, with no obvious evidence of detriment. Although, I suspect most travellers will leave their Wi-Fi switched on.
“Privacy experts are warning commuters to disable the Wi-Fi on their phones while using the London Underground…Even phones that are not connected to TfL’s Wi-Fi will be vulnerable to tracking and security expert Simon Migliano from PrivacyCo told the Telegraph that the only ‘sure-fire solution’ is to switch off the capability entirely.”