Feeds

Using phone-tracking tech? 'Fess up now, urges expert

Shopping centres, stadiums among orgs sniffing YOUR whereabouts

Internet Security Threat Report 2014

The public should be informed when a building or facility operator uses systems to track the location and movements of mobile phones, a data privacy expert has said.

Phone-tracking systems are used in some shopping centres and in other environments such as at stadium concerts and in refugee camps. The system helps to build up a picture about the mass movement of people, the chief executive of a company that operates such technology told Out-Law.com.

Data protection law only applies to information that qualifies as 'personal data'. The information these systems gather is unlikely to qualify as personal data when read on its own but could identify individuals when combined with information from other sources, according to Kathryn Wynn, an expert in data privacy at Pinsent Masons, the law firm behind Out-Law.com.

This means that operators should inform mobile users when the technology is in use, she said, because some of the information gathered could later become personal data, depending on the processing of it.

"If the company is just tracking customers' movements on a single visit to a shopping centre and is not able to collect shopping habit information about individuals on a long term basis it would appear that the information collected is more like geolocation data rather than technology which is akin to a [website] cookie," Wynn said.

“However, if that company is able to combine that information with other information about that individual – via, for example, CCTV, bluetooth locally-targeted advertising systems, Wi-Fi networks and Facebook location-login systems – this could constitute personal data. The company would then need to notify customers about the way in which and the purposes for which their personal data is being processed," she said.

EU data protection laws are about to change, and Wynn said that if current proposals were adopted then the operators of premises using these systems would need to go further than merely posting notices in order to have lawfully obtained mobile users' consent to use the technology.

"Shopping centres should consider how tracking aligns with the shoppers' expectations," she said. "They should ask whether shoppers would be happy with being tracked or if they would deem it as too intrusive, particularly if the information is combined with other data. Although an opt-in consent may not be currently required it may be required at a later date and shopping centres may have to think how they will obtain that opt-in consent from shoppers."

New EU data protection laws will change requirements for consent

New EU data protection laws are due to be proposed later this month. Draft proposals thought to be under consideration at the European Commission were leaked last month and, if enacted in their current form, would change the requirements for obtaining consent to the processing of personal data.

Organisations would generally be required to obtain individuals' "freely given specific, informed and explicit" consent in order to process their personal data. Consent could not be inferred through silence or inactivity, the leaked proposals said.

There would also be no legal basis for saying consent had been given "where there is a significant imbalance in the form of dependence between the position of the data subject and the [organisation]," it said. Certain forms of personal data processing may also require prior consent to be obtained.

Under current data protection rules processors of personal data must generally obtain "freely given, specific and informed" consent in order to do so.

Phone-tracking 'not analogous' to cookies...

Sharron Biggar, chief executive of Path Intelligence, told Out-Law.com that its FootPath system uses signals sent from mobile phones in order to track the movement of those devices in locations such as shopping centres. Biggar said the technology does not invade individuals' privacy.

She said that it was not fair to draw an analogy between the collection of this location information and 'cookies' in web browsing.

FootPath system's collection of data "is in no way analagous to cookies" because the technology neither stores nor accesses information from user devices, Biggar said.

The information collected using FootPath is not personally identifiable and is not stored or accessed from user devices, Biggar said. The EU's Privacy and Electronic Communications Directive requires consent from users in order to place or access files that allow user activity to be tracked. The company consulted with the UK's Information Commissioner's Office (ICO) in order to ensure privacy was protected, Biggar said.

"Cookies are downloaded onto your device. We do not interfere with the device in any way at all. We passively detect signals that are being broadcast. It is more like walking past a radio. The radio is broadcasting music/voice over signals and I am picking those up as a human receptor - in picking up the signal I am in no way interfering with the radio," Biggar said.

The FootPath system is used in a number of UK shopping centres. Detectors are placed around centres that pick up radio signals coming from phones and the information collected is processed by a special "mathematical algorithm". The data allows Path Intelligence to "determine your path through premises equipped with our receiver units," according to the company's privacy policy.

The information "provides organisations with the ability to optimise the layout of their space and improve their productivity, by understanding how people are moving around within it".

Although signs are displayed within centres to inform consumers that their movements are being tracked, privacy groups have expressed concern that the system does not enable mobile phone users to opt out unless they switch their phones off. However Biggar said that providing individuals with the option of opting out would involve the company attaching identifying traits to the data it collects; something she said the company currently does not do in a bid to ensure privacy.

"When a mobile phone communicates with a network a number is remotely generated so that they can 'talk' to one another. The number is not encrypted. Our system passively receives these radio signals and collects information a bit like dots. We cannot take out personal information from these dots. If we were to move to an 'opt out' basis we would be required to associate these dots with individuals, which to our mind is more risky," Biggar said.

Biggar said the networks often change the number associated with each device, a process which Path Intelligence "has no control over". This means that whilst the company is generally able to track a device throughout the duration of a user's visit to a shopping centre, it is unable to identify whether that is the same device when it is next brought to the centre or if it is taken to another centre where the system operates in a different location, she said. Biggar said the range that its receivers are able to operate in "depends on the architecture of the area".

A spokesperson for the ICO confirmed to Out-Law.com that the watchdog had given advice to Path Intelligence regarding its FootPath system, but said that it had not approved the system as such.

"We think it is unlikely that the system collects personal data. It is our understanding that the system associates a temporary number to the data which is not linked to a person. There is an argument that the data constitutes geolocation data, but even if it is the e-Privacy regulations allow the collection of geolocation data [without consent] if the user or subscriber cannot be identified."

EU privacy watchdog body the Article 29 Working Party last May called for geolocation data to be classed as personal data in order that the information would be protected under data protection laws.

Beginner's guide to SSL certificates

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Special pleading against mass surveillance won't help anyone
Protecting journalists alone won't protect their sources
Big Content Australia just blew a big hole in its credibility
AHEDA's research on average content prices did not expose methodology, so appears less than rigourous
Vodafone to buy 140 Phones 4u stores from stricken retailer
887 jobs 'preserved' in the process, says administrator PwC
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.