Privacy warning over TfL plans to track tube passengers via WiFi

Nicholas Fearn
clock • 4 min read

Privacy Experts believe that the move by TfL - starting in July - could infringe passengers' rights to privacy

Privacy experts have issued warnings over plans by Transport for London to track tube passengers across the network using WiFi and device MAC addresses.

TfL announced that it would begin monitoring and analysing the movements of commuters next month by tracking their mobile devices as they travel around the London Underground network.

TfL claims that such data will help it improve services by seeing more clearly the exact routes that people take to get from one place to another.

The de-personalised data collection, set to begin on 9th July, will harvest data from the WiFi connections at more than 260 London Underground stations.

According to TfL, this data will be used to "provide better, more targeted information" and help customers "better plan their route to avoid congestion and delays". 

TfL claims to have developed a system that automatically depersonalises data "with no browsing or historical data collected from any devices". A 2016 pilot gathered the data of more than 42 million journeys.

Lauren Sager Weinstein, chief data officer at Transport for London, said: "The benefits this new depersonalised dataset could unlock across our network - from providing customers with better alerts about overcrowding to helping station staff have a better understanding of the network in near-real time - are enormous.

"By better understanding overall patterns and flows, we can provide better information to our customers and help us plan and operate our transport network more effectively for all."

Weinstein talked to Computing in March 2018 about how the organisation is trying to make better use of data in its operation and planning

But despite privacy assurances from TfL, these plans have raised concerns from data privacy experts. Professor Eerke Boiten, director of the Cyber Technology Institute at De Montfort University, Leicester has highlighted several concerns.

He told Computing: "Overall, TfL have paid decent attention to the responses to their 2016 pilot of this scheme. Some of those were making the broader argument that it is a fundamental privacy invasion to record what trips people make.


Computing AI and Machine Learning Live 2019 logo

AI & Machine Learning Live is returning to London on 3rd July 2019. Hear from the Met Office's Charles Ewen, AutoTrader lead data scientist Dr David Hoyle and the BBC's Noriko Matsuoka, among many others. Attendance is free to qualifying IT leaders and senior IT pros, but places are limited, so reserve yours now.


"That is still a valid objection against this scheme, although the limitations and safeguards introduced here may well make this data less privacy invasive than what TfL already record through Oyster cards and touchless bank cards.

"Asking people to switch off phone WiFi functionality is not an acceptable method of opting out. Fortunately, there is also another one, which is not to register for the 'free' wifi in the first place. [This is] also a positive move since the pilot. The downside of this is that the process of registering for WiFi potentially undermines the safeguards built into the system."

Boiten also raised concerns over the way in which TfL is using one-way data pseudonymisation at source to de-personalise the data. "That is a good thing, but they haven't released enough technical details for me to understand the full impact of that," he said.

"It is good that they are unable to recreate MAC addresses from pseudonyms (that's 'one-way'). But the pseudonym generated has to be the same, every time, for the same MAC address during a London Underground trip, as they need to link the same person across multiple observations.

"This means that they can still check pseudonyms against known MAC addresses - including any recorded as part of registration for wifi.

"Most importantly, it is not clear whether the mechanism changes the pseudonym-MAC association often enough to prevent TfL from being able to link different underground trips, on the same day or a later day, by the same person."

Computing Cloud and Infrastructure Live 2019 logo

Cloud & Infrastructure Live 2019 returns to London on 19th September 2019. Learn about the latest technologies in cloud, how to keep one step ahead of the regulators, and network with an audience of IT leaders and senior IT pros. The event will include keynotes, panel discussions, case studies, and strategic and technical streams. Best of all, the event is FREE to qualifying attendees. Secure your place now.

Attending Cloud & Infrastructure Live 2019 already? Why not enter the Computing Cloud Excellence Awards that will be celebrated in the evening, too?

You may also like
Google Chrome can now make its own decisions on your safety

Internet

The browser's newest version can act by itself to snip out unwanted permissions

clock 13 September 2024 • 1 min read
Teen arrested over TfL cyberattack

Hacking

And TfL finally confirms customer data was compromised

clock 13 September 2024 • 3 min read
TfL revises statement on customer data theft after cyber-attack

Hacking

The incident continues to disrupt online services

clock 12 September 2024 • 2 min read
Most read
01

Ransomware targets London branch of China's ICBC

13 September 2024 • 2 min read
02

Teen arrested over TfL cyberattack

13 September 2024 • 3 min read
03
05

Avis notifies customers of data breach

10 September 2024 • 3 min read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

More on Security

Microsoft offers advice on avoiding another CrowdStrike-style outage

Microsoft offers advice on avoiding another CrowdStrike-style outage

Vendors should minimise use of kernel mode, customers should make full use of integrated Windows security features

John Leonard
clock 29 July 2024 • 3 min read
'Gay furry hackers' breach conservative US think tank behind Project 2025

'Gay furry hackers' breach conservative US think tank behind Project 2025

Heritage Foundation calls group "degenerate perverts"

Tom Allen
clock 11 July 2024 • 2 min read
Why 'change' for the UK must include cybersecurity

Why 'change' for the UK must include cybersecurity

Labour needs to to get ahead and demonstrate a commitment to security from the outset

Rick Jones
clock 11 July 2024 • 4 min read