Updated: see note below. Further updated 13/8/2013 to add commentary about the security of hashing.
One of the issues with modern technology when it comes to privacy and tracking is that it isn't always obvious what data we should be worrying about.
The latest example of this is the NZTA's trial of a passive monitoring system called BlipTrack to monitor traffic congestion on the Puhoi to Warkworth road.
The BlipTrack system relies on the Bluetooth functionality built into many mobile phones and related accessories, car stereos, and mapping devices. Each Bluetooth device broadcasts a unique MAC address if the device is set to be visible. By detecting the same MAC address at different locations, the BlipTrack system can work out how long it took for the device to travel between the two points and therefore make some assumptions about how congested the road is. (See the BECA report (PDF) for more information about how the system works.)
With mobile phones being very personal devices that we tend to carry everywhere we go, it seemed obvious to us that this sort of technology could be used to track people. We asked NZTA about this and their response was:
We do not consider that the Privacy Act 1993 applies. This is because the information collected is not personal information.
NZTA declined to give us a copy of the legal advice they have received on the privacy issues.
The BECA report linked before also touches on the topic:
Although there may be potential sensitivities for using Bluetooth, the MAC address numbers can only be identified / observed if the Bluetooth device is active and the privacy settings have been set to allow it (i.e. the Bluetooth is set to 'visible'). Also, unlike number plates or cell phone IDE numbers, there is no way of tracking the MAC address number back to the owner as there are a variety of types of device with Bluetooth, and no database matching these devices to their owners.
What is "personal information"?
The Privacy Commissioner defines personal information as follows:
Information about a living human being. The information needs to identify that person, or be capable of identifying that person.
While the Bluetooth MAC address can't be used to work out who someone is, that's not to say that someone who already has a person's MAC address can't use it to find out where they've been. For example, an NZTA employee with access to the database could look up the MAC address of their partner's mobile phone to see if they were telling the truth about where they were last night.
We reject NZTA's interpretation; we believe that the Bluetooth unique identifier is personal information, that the NZTA is collecting it without consent and storing it without permission. This is in breach of the Privacy Act.
We also note that there is no need to store the unique Bluetooth address in the database after the match has been made. Anonymising this would remove much of the potential for misuse. (See Update below.)
Sharing data with law enforcement
More interestingly, this data could also be made available to the Police. While the Police are limited by the Search & Surveillance Act in the use of electronic tracking systems, is there anything stopping them from asking NZTA to look up their database?
Of course, even if NZTA did count it as personal information, we note that the Privacy Act has some very large holes when it comes to sharing data with the Police and provides no real oversight of such sharing.
We're not trying to say NZTA are bad people or that what they are doing is particularly wrong. They're currently using the technology for a reasonable purpose and at least already have some protocols around what data they can share with other agencies.
However, even though they've tried to think about the privacy implications of the technology they're using, they still haven't fully understood the risks of collecting and storing data of this type.
The technology involved in this type of passive tracking system is continually getting cheaper. It would make perfect sense for NZTA to extend it across the road network to help them with their planning. At the same time, this would establish a national database that would enable NZTA, or anyone else with access to it, to track people. In particular, this data could be made available to the Police with no significant oversight.
We believe that our privacy and data collection/sharing laws need to be updated to take account of new technologies and the power of big data.
Update
We have been sent further information (PDF) about the BlipTrack system. From the document:
When a BlipTrack™ sensor detects a Bluetooth Device in its proximity, the sensor will generate a one way hash code from the Bluetooth address of the detected device using a SHA-256 algorithm. Only Bluetooth hash codes are transmitted to the central server. There is no way to revert hash codes back to real Bluetooth addresses, thereby preventing access to the Bluetooth MAC addresses of the tracked devices.
In case the BlipTrack™ data was compromised, the attacker could try to correlate data between multiple systems and possibly, over time, be able to link a hash code of a Bluetooth device address to a record in another system, that could contain user information. To prevent this, BlipTrack supports Re-Hashing of Bluetooth Address device Hashes. By Re-Hashing the Hash codes using a new salt on a daily basis, a detected Bluetooth device will only have the same hash code for one day. The next day that user will be seen as a new user.
However, people familiar with this type of cryptography have expressed grave doubt that the protections outlined would be sufficient to protect the information from even basic attacks. Details of the BlipTrack implementation are vague, but the number of possible MAC addresses is small, making it likely that, without very careful precautions, a brute-force attack against the hash using modern computers could reveal all of the original MAC addresses, even for days when the salt is not accessible.
BlipTrack, in an example of having their cake and eating it too, then go on to claim that MAC addresses do not link to personal user information. If this were the case, you might wonder why they go to such lengths to stop them being available in their database. More to the point, we've already explained why we believe that they are personal information in terms of the Privacy Act, and therefore would require permission to capture them in the first place.
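To make the hashing concern concrete, and to show how the travel-time matching described earlier still works once identifiers are protected properly, here is an added example. It is not BlipTrack's code, and the OUI, the device numbers, the all-zero master secret and the sighting times in it are all constructed for illustration. The point it demonstrates is a general one: a Bluetooth MAC address is 48 bits, of which the first 24 identify the manufacturer, so an unkeyed SHA-256 of the address can be reversed simply by hashing every address under a known manufacturer prefix and looking the results up; a keyed hash (HMAC-SHA256 under a secret key rotated daily) gives nothing to enumerate against, while sightings from two sensors on the same day can still be paired to compute a travel time.

```python
import hashlib
import hmac

# Constructed placeholder OUI (the first three bytes of a MAC address identify
# the manufacturer); not a real vendor assignment.
OUI = bytes.fromhex("001122")


def mac_bytes(oui: bytes, device_part: int) -> bytes:
    """Build a 6-byte MAC from a 3-byte OUI and the 24-bit per-device number."""
    return oui + device_part.to_bytes(3, "big")


def plain_hash(mac: bytes) -> str:
    """Unkeyed SHA-256 of the raw address: a fixed, reproducible mapping."""
    return hashlib.sha256(mac).hexdigest()


def enumerate_oui(targets, oui: bytes, limit: int = 2**24) -> dict:
    """Recover the addresses behind unkeyed hashes by hashing every device
    number under one OUI and looking each result up. The full per-OUI space
    is only 2**24 values, so this finishes in seconds on an ordinary machine."""
    wanted = set(targets)
    found = {}
    for n in range(limit):
        mac = mac_bytes(oui, n)
        h = plain_hash(mac)
        if h in wanted:
            found[h] = mac
            if len(found) == len(wanted):
                break
    return found


def daily_key(master_secret: bytes, day: str) -> bytes:
    """Derive the day's hashing key from a long-term secret kept off the sensor."""
    return hmac.new(master_secret, day.encode(), hashlib.sha256).digest()


def daily_id(mac: bytes, master_secret: bytes, day: str) -> str:
    """Keyed hash (HMAC-SHA256) of the address under that day's key. Without
    the key there is nothing to enumerate against, and the id changes daily."""
    return hmac.new(daily_key(master_secret, day), mac, hashlib.sha256).hexdigest()


def travel_times(sightings_a, sightings_b) -> dict:
    """Pair the first sighting of an id at sensor A with its first later sighting
    at sensor B; return seconds per id. Sightings are (id, unix_time) tuples."""
    first_at_a = {}
    for sid, t in sightings_a:
        first_at_a.setdefault(sid, t)
    times = {}
    for sid, t in sightings_b:
        if sid in first_at_a and t >= first_at_a[sid] and sid not in times:
            times[sid] = t - first_at_a[sid]
    return times


def demo() -> dict:
    # Constructed: two devices under the placeholder OUI, with small device
    # numbers so the enumeration below finishes quickly (limit=2**16).
    devices = [mac_bytes(OUI, 0x1234), mac_bytes(OUI, 0xBEEF)]
    master = bytes(32)  # placeholder long-term secret; a real one is random

    # 1. Unkeyed hashes are reversed by enumeration over the OUI.
    recovered = enumerate_oui([plain_hash(m) for m in devices], OUI, limit=2**16)

    # 2. Keyed daily ids: matching within a day works, linking across days and
    #    enumeration without the key do not.
    day1 = [daily_id(m, master, "2013-08-13") for m in devices]
    day2 = [daily_id(m, master, "2013-08-14") for m in devices]
    sightings_a = [(day1[0], 1000), (day1[1], 1010)]   # constructed sensor A log
    sightings_b = [(day1[0], 1600), (day1[1], 1900)]   # constructed sensor B log
    return {
        "recovered": recovered,
        "same_device_linkable_across_days": any(i in day2 for i in day1),
        "travel_seconds": travel_times(sightings_a, sightings_b),
        "keyed_ids_reversed": enumerate_oui(day1, OUI, limit=2**16),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the code rather than from any BlipTrack detail. First, a "salt" only helps if it is a secret, unguessable key that the sensor receives and the database never stores; a short or stored salt just adds a constant to the enumeration. Second, daily rotation protects against an outsider who obtains the database, not against whoever holds the master secret, who can regenerate every day's key and link a device across days. Either way, once the two sightings have been paired and the travel time recorded, the identifier itself no longer needs to be kept.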
See update at end of post.
We've been keeping an eye on the NZ Police trials of ANPR (automated number plate recognition - read our explanation).
The main civil liberties issue with this technology is that the system stores the time and location of the license plate check. Once enough of these systems are deployed they can be used to track people by following vehicle movements, as is being done by a number of other countries. We believe that, at a minimum, there should be some controls on how this data is stored and used, for example by having to apply for a tracking warrant.
The Police themselves have been sending out mixed messages about whether they're keeping the information and whether they'll be using it for tracking, as documented by our article. At the end of that article we said we were seeking further clarification from the Police.
Police confirm they're not keeping ANPR data for tracking
We have now received a letter (PDF) from Superintendent Carey Griffiths in which he explains:
All three patrol cars and one of the vans have the capacity to store information for up to a two or three day period depending upon operational use. In general the information is not stored for any longer than a shift period which can vary from an eight hour to a ten hour shift.
One of the [two] vans has a system known as BOSS (Back Office System Software) and this system has the capability to store information for a longer period ... The BOSS system settings have recently been amended, and the information is now only stored for a maximum of 48 hours.
It seems clear from this that the Police will not be keeping the ANPR data.
Police believe they can't track without a warrant
Furthermore, Superintendent Griffiths goes on to say that:
Police considers that with so few cameras, the technology cannot be used to "track" vehicles. In any event, Police cannot track vehicles other than in accordance with the Search & Surveillance Act 2012.
This contrasts strongly with what the Police said in a letter from December 2011:
There is no requirement for police to apply for a warrant for any ANPR information as it is gathered in a public place.
This change in attitude is quite interesting. The Search & Surveillance Act only refers to getting a warrant for tracking when it involves the use of a tracking device (s46). We initially took this to refer to getting a warrant to allow the installation of a "bug" on the car or person to be tracked.
However, tracking device is defined as "a device that may be used to help ascertain, by electronic or other means ... the location of a thing or a person".
Could one define an ANPR system as a tracking device and would the Police then have to get a warrant to use it to track people? It seems that the Police now think it would. The same argument would also seem to apply to using mobile phones to track people.
In our opinion this interpretation would fit in both with the purpose of the Act and the requirements in a civil society for oversight of the use of this type of mass surveillance.
We're pleased that the Police are not attempting to implement the sort of pervasive people/vehicle tracking systems that are becoming popular in some overseas jurisdictions. We do not think that this sort of police state behaviour has any place in a free and democratic New Zealand.
Furthermore, after some problems with illegal surveillance in recent years, it's good to see that the Police are taking their responsibilities under the Search & Surveillance Act seriously.
We will continue to monitor the Police use of ANPR technology and look forward to receiving copies of the assessment from the Privacy Commissioner and the final Police report into their test ANPR deployment.
Update 5th August 2013
The Police have announced they will be deploying new red-light and speed cameras. We asked them if these new cameras would support ANPR. Their response:
There are no current plans to deploy either digital red-light cameras or speed cameras that support Automatic Number Plate Recognition.