Free wifi and the GDPR
According to the 2017 Norton Wi-Fi Risk Report, many people are careless about sharing private information when using public wifi. Despite the earlier commotion about wifi and Bluetooth tracking, consumers are willing to compromise on safety and privacy to obtain free internet access.
Signals from your phone can be used for tracking purposes, but it’s also possible for hackers to obtain passwords by using a lookalike network. You may think you are connected to a wifi network provided by a shop or airport, but you are not. Checking your email or bank balance through wifi may cost you dearly.
A safer option is to use a VPN service, but reliable ones are not free. Therefore it’s doubtful fans of free wifi service are willing to pay for extra security. The safest option is to use your data plan for banking, email and social media. Extra costs for roaming have been abolished in the EU, so this won’t cost you the earth.
Free wifi in shops and restaurants can be useful. It allows you to quickly check for online reviews or compare prices for whatever you want to buy. You can also consult a friend on WhatsApp about your outfit straight from the fitting room. Free wifi is presented as a service that’s free of obligation, but beware of the terms and conditions! Read them carefully (as you always do, of course) and you will find your personal data is being collected.
How does wifi tracking work?
Scanners installed in shops and on streets can pick up the media access control (MAC) address that is unique to your device. This will even work if you are not connected to a network. All that’s necessary is that wifi or Bluetooth is enabled. Tech companies, hired by councils or retailers, monitor when, where and how long your device is used at a specific location.
Councils use these data for crowd control and security. Retailers want to know how long cutomers stay in their stores, what they are looking at and how often they return. They also want to monitor how many people are in a shop, so they can send extra staff to the floor or cash registers if necessary.
Tracking techniques could also be useful during epidemics, like the one caused by the Corona virus. They can be used to measure crowds and to know when and where to enforce safety rules. The AP stresses in its advice to local government that very strict rules and conditions apply in these cases.
Useful tool or breach of privacy?
In theory, it’s possible to opt out of wifi tracking, but to do so, you have to register your MAC address with the company doing the tracking. Even if you know what your MAC address is, you will need to be informed by the council or retailers about who is doing the tracking for them. The simple way to opt out of tracking is to disable wifi and Bluetooth when you are out and about.
The Dutch privacy regulator, the Autoriteit Persoonsgegevens, has once again clarified the rules on wifi tracking in a statement and FAQ on November 30, 2018. Because the data that is collected is considered personal data according to the GDPR, strict conditions apply.
Preliminary results from AP study of Smart City techniques
The Autoriteit Persoonsgegevens started its investigation of privacy in public spaces in the fall of 2019. A very diverse group of local councils shared information about how they handled the privacy of their citizens and visitors in connection with scanning and surveillance devices. Although the study will conclude later in the year, the AP has published some preliminary results and recommendations (Dutch only).
A summary of wifi tracking in the news
In April 2017, European privacy authorities expressed concern about the new ePrivacy regulation as proposed by the EU Commission. This ePrivacy law is scheduled to go into effect at the same time (May 2018) as the GDPR, the new European law on personal data. The privacy authorities found some of the wording in the ePrivacy law unclear, specifically mentioning wifi tracking as one of the areas that need attention. Read more on the opinion of the privacy authorities on the website of the Dutch Autoriteit Persoonsgegevens.
On October 17, 2016, the Dutch tv programme Radar contained a segment about wifi tracking. Their report showed many people are still unaware they can be tracked by signals from their phone. Dutch public tv channel NPO 3 also paid special attention to privacy in 2016. More information about these programs can be found on their website (in Dutch).
In December 2015, the Dutch privacy regulator, Autoriteit Persoonsgegevens (AP), fined the company Bluetrace for breaking the law when collecting and processing personal data. Citytraffic, another company that collects data from locations all over the Netherlands, came under scrutiny from the media in 2016.
In a reaction to Radar, Bluetrace claims to now be using a different method to count visitors to a specific area that does not rely on wifi or Bluetooth signals. This new method remains a trade secret of course, but it could make use of the actual phone signal, or the location (GPS) signal of the device.
Regulations and enforcement
The Autoriteit Persoonsgegevens has notified retailers and Dutch city councils about the laws that apply to tracking mobile signals. It warns that they will keep investigating, and if necessary sanctioning, companies that collect personal data by tracking phone signals.
This article was last updated in August 2020.