On Wednesday (22 May) Transport for London (TfL) announced that from July passengers on the Underground will be tracked via their smartphones’ Wi-Fi signals.
The initiative will provide data about how passengers travel through stations and across different lines. While TfL can use ticket barriers to assess where passengers enter and exit the Underground, it has not been able to see which of the many possible routes people take in between.
The aim of the project is to give customers more precise information about the network so they can identify the easiest way to get around the capital. Crowding data will also be fed into TfL’s API, which is used by apps such as CityMapper and Google Maps to relay near real-time travel information to passengers.
Another advantage of being able to see how passengers travel through stations, TfL says, is that it will provide data about their exposure to different adverts, with the ultimate aim being that this will increase revenues.
The roll-out comes after a trial of the system sparked a privacy backlash in 2016, but TfL has said it worked closely with the Information Commissioner’s Office to ensure data protection issues were addressed in the full roll-out.
“While I am excited about the potential of this new dataset, I am equally mindful of the responsibility that comes with it,” said TfL’s chief digital officer Lauren Sager Weinstein. “We take our customers’ privacy extremely seriously and will not identify individuals from the Wi-Fi data collected.
“Transparency, privacy and ethics need to be at the forefront of data work in society and we recognise the trust that our customers place in us, and safeguarding our customers’ data is absolutely fundamental.”
One of the key differences between the trial and full deployment is that customers’ movements will now only be tracked if they have signed up to TfL’s free Wi-Fi service, which is provided by Virgin Media. But Eerke Boiten, a professor of cyber security at De Montfort University, said TfL should have gone a step further. “Once people sign up or connect to the Wi-Fi, they could give an option to sign out of being tracked.”
While TfL stressed that smartphones’ MAC addresses would be depersonalised, Boiten added that it may be possible to link the MAC address customers use when they sign up for Wi-Fi to the code which is generated to protect their identity.
Although the code cannot be reverse engineered, TfL uses the same salt key for an undisclosed period of time so that it can continue to track the same person through the network. “What they could do is try all the known MAC addresses [provided to Virgin at registration] and see if they give the same outcome,” said Boiten. Because a MAC address is unique to each smartphone, this may then enable the organisation to identify an individual.
The longer an individual’s movements can be tracked through the network, the more identifying the data becomes. TfL should change the salt key “as often as possible beyond the level they need for identifying an underground trip,” Boiten added. “If the longest possible time somebody could spend travelling from A to B on the London Underground is an hour and a half, they should refresh it every two hours. Maybe they do, but they haven’t advertised it.”
While the scenarios Boiten presents may be hypothetical, he says they have an impact on how the project complies with data protection legislation. “Would TfL in principle be able to reconstruct the MAC address through an attack? The answer is possibly or possibly in collaboration with Virgin who provide the WiFi. Why is that important? Because some interpretations of GDPR say that if it’s pseudonymised data, it’s still personal data and subject to all of the protections.”
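The re-linking Boiten describes and the effect of refreshing the salt can be shown in a short sketch, added here as an example and not TfL's code or part of the original article. It assumes HMAC-SHA256 as the hashing scheme, constructed sightings and sign-up MAC addresses, and that salts for past windows are destroyed; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ROTATE_SECONDS = 2 * 60 * 60  # the two-hour refresh Boiten suggests

def pseudonymise(mac, salt):
    """One-way code for a MAC. HMAC-SHA256 is assumed; the page does not name TfL's scheme."""
    return hmac.new(salt, mac.lower().encode(), hashlib.sha256).hexdigest()

def salt_for(ts, salts, rotate_seconds=None):
    """Return the salt for timestamp ts, creating one per window (a single window if None)."""
    window = ts // rotate_seconds if rotate_seconds else 0
    return salts.setdefault(window, secrets.token_bytes(32))

def collect(sightings, salts, rotate_seconds=None):
    """Map (timestamp, mac, station) sightings to {code: [stations]}, the stored dataset."""
    trails = defaultdict(list)
    for ts, mac, station in sightings:
        trails[pseudonymise(mac, salt_for(ts, salts, rotate_seconds))].append(station)
    return dict(trails)

def relink(trails, registered_macs, retained_salts):
    """Hash each registered MAC under each retained salt and match against stored codes."""
    found = defaultdict(list)
    for salt in retained_salts:
        for mac in registered_macs:
            found[mac].extend(trails.get(pseudonymise(mac, salt), []))
    return {mac: stations for mac, stations in found.items() if stations}

# Constructed sample data: device ...01 makes two trips a day apart; ...02 makes one.
SIGHTINGS = [
    (1000, "AA:BB:CC:00:00:01", "Oxford Circus"),
    (1900, "AA:BB:CC:00:00:01", "Bank"),
    (1200, "AA:BB:CC:00:00:02", "Victoria"),
    (87400, "AA:BB:CC:00:00:01", "Euston"),
]
REGISTERED = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:09"]  # constructed sign-up list

if __name__ == "__main__":
    fixed, rotating = {}, {}
    print(relink(collect(SIGHTINGS, fixed), REGISTERED, fixed.values()))
    trails = collect(SIGHTINGS, rotating, ROTATE_SECONDS)
    # Only the current window's salt is retained; older salts are assumed destroyed.
    print(relink(trails, REGISTERED, [rotating[max(rotating)]]))
```

With a single long-lived salt the registered device's trips on both days come back as one trail; with rotation and only the current salt retained, only the latest trip can be matched. If every past salt is kept, rotation alone does not prevent re-linking.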