WiFi tracking and the ePrivacy Directive in Denmark

By EDRi · July 1, 2015

Citizens are increasingly being monitored and tracked by public authorities and commercial interests. Many carry digital devices which, by design, emit a unique identifier, such as the WiFi Media Access Control (MAC) address of a smartphone. Even though the MAC address does not directly reveal the identity of a person, the fact that it is constant over time and easy to intercept (all you need is a WiFi network adapter), means that it can be used for recognising individuals between different sensor points and tracking their movements. With a sufficient number of sensors, an almost complete profile of a person’s movement in a city can be obtained without consent.

WiFi tracking can be used for a number of purposes, ranging from tracking repeat customers in a shop to measuring road congestion and travel times. At Copenhagen Airport, the technology is used for tracking the movement of passengers, including measuring waiting times at the security checkpoint. Vendors of this type of technology generally claim that they “encrypt” the MAC address in order to alleviate privacy concerns, for example by using a one-way hash function.

Ultimately, the privacy challenge is to give different data to each sensor. Even encryption does not provide a full solution; if the encryption algorithm is shared between two sensor points, citizens can still be recognised from previous sensors and tracked. Complete randomisation of MAC addresses at the collection point will defeat the purpose of tracking, so this will not be done by the vendors. However, certain smartphones can do this before their MAC address is broadcast in the first place. A compromise solution is to change the encryption algorithm regularly, which will allow for tracking within a limited time period only, assuming that information about the previous encryption algorithms is effectively discarded.

In Europe, WiFi tracking is regulated by the Data Protection Directive 1995/46/EC, to the extent that the collected data is regarded as personal data, and by the ePrivacy Directive 2002/58/EC. In Opinion 9/2014 on device fingerprinting from the Article 29 Working Party (WP29), accessing the MAC address of a WiFi device is considered to be covered by Article 5(3) of the ePrivacy Directive, the so-called cookie provision (see section 7.3 of the Opinion). Article 5(3) states that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user” is only allowed if informed consent has been obtained from the user. In the present context, the MAC address is the information stored in the user’s terminal equipment. The exceptions for consent in Article 5(3) do not cover the purpose of tracking, according to the WP29 Opinion.

The WP29 Opinion, published in November 2014, caused some concern among Danish municipalities which were using, or planning to use, WiFi MAC tracking for either traffic monitoring or “smart city” projects. The Danish Business Authority, which is the regulatory authority for the Danish transposition of the ePrivacy Directive, initially indicated in media comments that these systems were subject to Article 5(3) and that consent was required. There is no practical way that the required consent could be obtained, so this would effectively have forced the Danish municipalities to stop their traffic monitoring projects.

In January 2015, Blip Systems, a Danish company developing and selling tracking technology, submitted a formal request to the Danish Business Authority about the collection of MAC addresses in the Bliptrack system which is used for traffic monitoring by Danish municipalities. On 26 March 2015, the Danish Business Authority rendered a formal decision on the matter which reversed its initial position that the consent requirement of Article 5(3) applies to these systems.

The decision that Article 5(3) does not apply to the collection of MAC addresses is based on the following factors:

  1. The location data is collected in a way that makes it impossible for Bliptrack to monitor individual citizens. An analogy to anonymised data in the Data Protection Directive 95/46 is made here, but the decision does not mention that first-party cookies used for anonymous web statistics (web analytics) are not exempt from the consent requirement in Article 5(3);
  2. The MAC addresses are anonymised with a hashing algorithm which is changed every 24 hours, so citizens cannot be tracked for a period longer than 24 hours as the hash value of the MAC address has changed;
  3. It is not possible for the Bliptrack system to communicate with users in order to obtain consent.

Overall, the March 2015 decision by the Danish Business Authority seems fairly limited in scope, so that it would not necessarily apply to WiFi tracking over longer periods than one day and for other purposes than aggregated statistics like traffic monitoring.

The European Commission has recently published a study of the national transposition of the ePrivacy Directive, but the work for this study was completed before the WP29 Opinion 9/2014 was made. Interception of WiFi MAC addresses is only briefly mentioned in the study, and only in the context of breaches of confidentiality of communications, a separate issue from Article 5(3).

The cookie provision in Article 5(3) has been heavily criticised by the web industry and internet users alike, because of the annoying cookie popups which ask for consent to place tracking cookies on the user’s device, often with no possibility to refuse. Therefore, it seems likely that Article 5(3) will be changed in the planned revision of the ePrivacy Directive. Needless to say, this will also have implications for the legality of using WiFi tracking in the physical space.

How tracking customers in-store will soon be the norm, The Guardian (10.01.2014)

Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting, Article 29 Data Protection Working Party (25.11.2014)

Widely used system for traffic monitoring is illegal, Version2 (only in Danish, 26.01.2015)

Traffic monitoring system not covered by the cookie provision, Danish Business Authority (only in Danish, 26.03.2015)

ePrivacy Directive: assessment of transposition, effectiveness and compatibility with proposed Data Protection Regulation, The European Commission (10.06.2015)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)