Wi-Fi tracking: great opportunities come with privacy concerns

Author: Fook Nederveen, Research assistant, RAND Europe

Knowing your customer is key to succeeding as a business. For this reason, tracking online behaviour has become central to the business model of many online services. By collecting and analysing large amounts of data on their (potential) customers, online retailers can offer advertisements and recommendations tailored to individuals. Offline retailers are facing a serious disadvantage as they cannot reap the benefits of this very valuable information. However, they have found a different way of inconspicuously collecting useful data about their customers’ behaviour: Wi-Fi tracking.

Provided that Wi-Fi is activated, mobile devices are continuously looking for Wi-Fi networks. Each phone emits a unique signal, a media access control (MAC) address, to identify all Wi-Fi broadcasters in the immediate surroundings. The Wi-Fi access point registers the MAC address together with a time stamp. By monitoring several of these access points in a certain area, as well as the strength of each signal, a fairly accurate estimate of the device’s location and direction of movement can be established. An actual connection to a network is not needed to identify and follow a device. A very similar tracking process can be applied to Bluetooth signals.

Tracking the physical movement of individuals renders access to data that was previously very hard to obtain and it opens doors to enhanced customer engagement.

Users of this technology

Particularly for retailers and shopping centres, this data is a gold mine. Channel 4 reported in 2014 that Kingsgate shopping centre in Huddersfield, UK was one of the first shopping centres to employ this technology. Many other stores and shopping centres have since installed tracking equipment to amass invaluable patterns from the data. The data collected may include: which shops individuals visit, routes used, locations of entry and exit, the duration of visits, whether it is a recurring customer, whether an affiliated store has been visited in the past, footfall and people passing by, duration of standing in front of a display, and so on.

Taken together, businesses can optimise their product positioning and improve their operational efficiency. Secondary revenues can be earned by sending tailored promotions to devices upon entering the shop or by selling the data to third parties. Enhanced shopping experiences, better designed stores and shopping centres, and reduced waiting times at check-out could also be of benefit to the customers.

However, the use of Wi-Fi tracking is not limited to retailers. It is an increasingly widespread phenomenon applied in a myriad of other settings, such as marketstheme parksmuseumsairportsrestaurantsnightlife, hospitals, conferences, gyms, casinos, stadiums, festivals, libraries and zoos.

Public authorities also use it in their Smart City strategies, predominantly to create heat maps that could support crowd management and to improve and optimise public and private transport flows. The Future Cities Catapult, for example, turned Hyde Park into a “living laboratory” for a period of 12 months from August 2014 to August 2015, tracking all the visitors to the park who carried devices scanning for Wi-Fi networks to improve the park’s management of resources, ecology and facilities. It also looked to improve policing during large events.

Similarly, Transport for London (TfL) conducted a four week trial in 2016, collecting data on London Underground passengers by transforming “its public transport network into one that actually works”, as Deutsche Welle jokingly reported. The data would provide TfL with a greater understanding of how individuals move from A to B and how crowds develop. It is easy to imagine how this information would be extremely helpful in improving timetables, station designs, customer information and disruption management, while simultaneously allowing for advertisement and rent revenues to be optimised.

Quid pro quo?

Despite the obvious advantages for parties tracking the public, the benefits are not always as apparent to the individuals being tracked. On top of that, the very limited or even absent information about tracking, and the automatic opt-in of every individual within range of a Wi-Fi broadcaster, seems to be the standard operating procedure for the application of this technology.

Take the TfL case for example. According to the UK’s digital campaigning organisation Open Rights Group (ORG) it missed “three crucial points to help passengers understand a) how the scheme works, b) all the purposes the data is being collected for, and c) how to opt-out.” And notwithstanding these shortcomings, TfL at least notified they were tracking passengers on the tube and tried to identify and tackle some privacy risks, according to one privacy researcher.

Sometimes individuals are not even made aware that tracking is taking place. For this reason, the Dutch Data Protection Authority ruled that the collection of data by a Dutch company called Bluetrace, which failed to notify the large number of people being tracked inside and outside certain shops, was not compliant with the law. In a similar vein, privacy campaigners Krowdthinkshowed that many UK mobile and Wi-Fi service providers do not provide any notification of tracking customers’ movement, bury opt-outs in their contracts, use personal data for marketing purposes, and sell it to third parties.

Privacy considerations

Some people may consider their whereabouts as sensitive information and would prefer not to share their location data. Also, some might not feel comfortable with being monitored without understanding why the monitoring takes place. In contrast to tailored promotions, an undesirable outcome could also be that prices could increase due to an individual’s personal behaviour.

When data is not anonymised, it is relatively easy to link an identity to a MAC address. But even anonymised data is not an undisputed guarantee of protecting identities either, nor is it very straightforward what ‘anonymised location data’ precisely means as an individual could theoretically be identified by his or her movement. There are always risks of hacks and re-identification.

ORG recommends keeping privacy risks in mind when setting up a tracking system (“privacy by design”) and informing people that their personal data is being collected and for what purpose. This might help build trust between customers and the parties tracking them. To the same end these tracking parties should ask for permission.

Looming reforms

The EU’s General Data Protection Regulation (GDPR) that will come into force on 25 May has a far more stringent requirement for what constitutes consent compared to the Data Protection Act 1998 that currently applies in the UK. Under the GDPR, location data should be considered personal data when a person can be directly or indirectly identified from that data. Processing personal data without obtaining the individual’s consent would be a violation of the law.

On top of the GDPR, which deals with the processing of personal data relating to individuals in the EU on a general level, another piece of legislation may further specify the rules around online and offline tracking, namely the European Commission’s ePrivacy Regulation. The proposal prohibits Wi-Fi tracking under Article 8 (2), unless it is done for the sole purpose of establishing a connection or when “clear and prominent” notices of tracking and its purpose are displayed. Appropriate security measures must also be in place. Moreover, these notices should include information on how to stop or minimise the collection of data.

Under these rules, tracking would technically still be possible without an opt-out or without having to ask for consent, provided some visual notices have been put up. The European Parliament, however, took a tougher position, opting to make both consent and visual notices requirements for Wi-Fi tracking. The European Council, on the other hand, has not yet established its position, only after which negotiations can start. Nevertheless it seems that covertly tracking people in the physical world will soon be regulated more strictly across Europe.