Updated: see note below. Further updated 13/8/2013 to add commentary about the security of hashing. Further updated 5/11/2014 to link to NZTA letter showing that data is being shared with CERA, Police and Ministry of Transport.
One of the issues with modern technology when it comes to privacy and tracking is that it isn’t always obvious what data we should be worrying about.
The latest example of this is the NZTA’s trial of a passive monitoring system called BlipTrack to monitor traffic congestion on the Puhoi to Warkworth road.
The BlipTrack system relies on the Bluetooth functionality built into many mobile phones and related accessories, car stereos, and mapping devices. Each Bluetooth device broadcasts a unique MAC address if the device is set to be visible. By detecting the same MAC address at different locations, the BlipTrack system can work out how long it took for the device to travel between the two points and therefore make some assumptions about how congested the road is. (See the BECA report (PDF) for more information about how the system works.)
With mobile phones being very personal devices that we tend to carry everywhere we go, it seemed obvious to us that this sort of technology could be used to track people. We asked NZTA about this and their response was:
We do not consider that the Privacy Act 1993 applies. This is because the information collected is not personal information.
NZTA declined to give us a copy of the legal advice they have received on the privacy issues.
The BECA report linked before also touches on the topic:
Although there may be potential sensitivities for using Bluetooth, the MAC address numbers can only be identified / observed if the Bluetooth device is active and the privacy settings have been set to allow it (i.e. the Bluetooth is set to ‘visible’). Also, unlike number plates or cell phone IDE numbers, there is no way of tracking the MAC address number back to the owner as there are a variety of types of device with Bluetooth, and no database matching these devices to their owners.
What is “personal information”?
The Privacy Commissioner defines personal information as follows:
Information about a living human being. The information needs to identify that person, or be capable of identifying that person.
While the Bluetooth MAC address can’t be used to work out who someone is, that’s not to say that someone who already has a person’s MAC address can’t use it to find out where they’ve been. For example, an NZTA employee with access to the database could look up the MAC address of their partner’s mobile phone to see if they were telling the truth about where they were last night.
We reject NZTA’s interpretation; we believe that the Bluetooth unique identifier is personal information, and that the NZTA is collecting it without consent and storing it without permission. This is in breach of the Privacy Act.
We also note that there is no need to store the unique Bluetooth address in the database after the match has been made. Anonymising this would remove much of the potential for misuse. (See Update below.)
Sharing data with law enforcement
More interestingly, this data could also be made available to the Police. While the Police are limited by the Search & Surveillance Act in the use of electronic tracking systems, is there anything stopping them from asking NZTA to look up their database?
Of course, even if NZTA did count it as personal information, we note that the Privacy Act has some very large holes when it comes to sharing data with the Police and provides no real oversight of such sharing.
Conclusion
We’re not trying to say NZTA are bad people or that what they are doing is particularly wrong. They’re currently using the technology for a reasonable purpose and at least already have some protocols around what data they can share with other agencies.
However, even though they’ve tried to think about the privacy implications of the technology they’re using, they still haven’t fully understood the risks of collecting and storing data of this type.
The technology involved in this type of passive tracking system is continually getting cheaper. It would make perfect sense for NZTA to extend it across the road network to help them with their planning. At the same time, this would establish a national database that would enable NZTA or anyone else with access to it to track people. In particular, this data could be made available to the Police with no significant oversight.
We believe that our privacy and data collection/sharing laws need to be updated to take account of new technologies and the power of big data.
Update
We have been sent further information (PDF) about the BlipTrack system. From the document:
When a BlipTrack™ sensor detects a Bluetooth Device in its proximity, the sensor will generate a one way hash code from the Bluetooth address of the detected device using a SHA-256 algorithm. Only Bluetooth hash codes are transmitted to the central server. There is no way to revert hash codes back to real Bluetooth addresses, thereby preventing access to the Bluetooth MAC addresses of the tracked devices.
In case the BlipTrack™ data was compromised, the attacker could try to correlate data between multiple systems and possibly, over time, be able to link a hash code of a Bluetooth device address to a record in another system, that could contain user information. To prevent this, BlipTrack supports Re-Hashing of Bluetooth Address device Hashes. By Re-Hashing the Hash codes using a new salt on a daily basis, a detected Bluetooth device will only have the same hash code for one day. The next day that user will be seen as a new user.
However, people familiar with this type of cryptography expressed grave doubt that the protections outlined would be sufficient to protect the information from even basic attacks. Details of the BlipTrack implementation are vague, but the number of possible MAC addresses is small, making it likely that without very careful precautions a brute-force attack against the hash using modern computers could reveal all the original MAC addresses, even for days when the salt is not accessible.
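The following is an added example, written for this post and not code from NZTA, BECA or BlipTrack, that shows in working Python why an unkeyed (or stored-salt) SHA-256 of a Bluetooth address is not an anonymisation, and how the two-sensor travel-time matching described above still works when sensors share a pseudonym instead of the raw address. The vendor prefix and address are constructed sample values; the per-day HMAC key is an assumed precaution of the kind the paragraph alludes to, not BlipTrack's documented design. Bluetooth addresses are 6 bytes with a 3-byte vendor prefix, so once the vendor is guessed only 2^24 device-specific values remain, which is why plain hashing can be undone by enumeration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from the article or the BlipTrack documents).
# The device-specific suffix is deliberately small so the demonstration search
# finishes in milliseconds; the search function itself walks the full 2^24
# space when asked to.
SAMPLE_OUI = bytes.fromhex("001122")        # constructed vendor prefix
SAMPLE_MAC = bytes.fromhex("001122000abc")  # constructed full address


def plain_hash(mac: bytes) -> str:
    """Unkeyed SHA-256 of the raw address: the scheme the BlipTrack text describes."""
    return hashlib.sha256(mac).hexdigest()


def salted_hash(mac: bytes, salt: bytes) -> str:
    """SHA-256 over salt || address. Only helps while the salt is secret;
    a salt stored beside the data is just another known input."""
    return hashlib.sha256(salt + mac).hexdigest()


def keyed_pseudonym(mac: bytes, day_key: bytes) -> str:
    """HMAC-SHA-256 under a random per-day key (assumed precaution, not the
    documented design). Every sensor holds the same key for the day, so
    sightings still match; the key is never written to the central store."""
    return hmac.new(day_key, mac, hashlib.sha256).hexdigest()


def recover_by_enumeration(target: str, oui: bytes, digest_fn, max_candidates: int = 1 << 24):
    """Try each device-specific suffix under one vendor prefix until
    digest_fn(candidate) == target. digest_fn is whatever function the
    holder of the data can actually compute. Returns the address or None."""
    for nic in range(min(max_candidates, 1 << 24)):
        candidate = oui + nic.to_bytes(3, "big")
        if digest_fn(candidate) == target:
            return candidate
    return None


def travel_times(sightings_a, sightings_b):
    """Match pseudonyms first seen at sensor A and later at sensor B.
    Each list holds (pseudonym, unix_seconds) pairs.
    Returns {pseudonym: seconds between the two sightings}."""
    first_seen_at_a = {}
    for pid, t in sightings_a:
        first_seen_at_a.setdefault(pid, t)
    times = {}
    for pid, t in sightings_b:
        if pid in first_seen_at_a and t > first_seen_at_a[pid] and pid not in times:
            times[pid] = t - first_seen_at_a[pid]
    return times


def new_day_key() -> bytes:
    """Fresh 256-bit key; generated at the start of each day and discarded at the end."""
    return secrets.token_bytes(32)


def demo():
    results = {}
    # 1. Unkeyed hash: the address comes straight back out.
    results["plain_recovered"] = (
        recover_by_enumeration(plain_hash(SAMPLE_MAC), SAMPLE_OUI, plain_hash) == SAMPLE_MAC
    )
    # 2. Salted hash with the salt stored alongside the data: same outcome.
    salt = bytes.fromhex("deadbeef")  # constructed, stands for a stored salt
    results["salted_recovered"] = (
        recover_by_enumeration(salted_hash(SAMPLE_MAC, salt), SAMPLE_OUI,
                               lambda m: salted_hash(m, salt)) == SAMPLE_MAC
    )
    # 3. Keyed pseudonym, key not available: the unkeyed guess matches nothing
    #    (search capped here for demo speed; the full 2^24 also finds nothing).
    key = new_day_key()
    results["keyed_recovered"] = (
        recover_by_enumeration(keyed_pseudonym(SAMPLE_MAC, key), SAMPLE_OUI,
                               plain_hash, max_candidates=20000) is not None
    )
    # 4. Congestion measurement still works on pseudonyms alone.
    pid = keyed_pseudonym(SAMPLE_MAC, key)
    results["travel_seconds"] = travel_times([(pid, 1000)], [(pid, 1900)])[pid]
    # 5. Next day, new key: the same device gets an unrelated pseudonym.
    results["relinkable_next_day"] = keyed_pseudonym(SAMPLE_MAC, new_day_key()) == pid
    return results


if __name__ == "__main__":
    print(demo())
```

The keyed variant only holds up while the day key never reaches the central store: a compromise that captures the current key makes that day's records as enumerable as the plain hash, which is the distinction the paragraph draws between days when the salt is and is not accessible.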
BlipTrack, in an example of having their cake and eating it too, then go on to claim that MAC addresses do not link to personal user information. If this was the case, you might wonder why they go to such lengths to stop them being available in their database. More to the point, we’ve already explained why we believe that they are personal information in the terms of the Privacy Act – and therefore would require permission to capture them in the first place.
Update 2
In response to an OIA request (PDF), NZTA has revealed that BlipTrack data has been shared with NZ Police, CERA and the Ministry of Transport. They say that this is just aggregated statistical data.