WiFi tracking: a violation of privacy?
Earlier this year, the Dutch city of Enschede received a 600.000 euro fine for allegedly violating their citizens' privacy (NOS, 2021). The city used WiFi tracking to count the number of people in the city. According to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens in Dutch), this practice violated people’s privacy, so they fined the municipality (Autoriteit Persoonsgegevens, 2021). The question I would like to answer in this paper is: How is the Enschede WiFi tracking case related to the larger debate about privacy?
WiFi tracking and its ties to privacy and democracy
Before diving into the Enschede case, I want to discuss WiFi tracking, privacy, and related concepts. I will begin with a definition of WiFi tracking: it monitors people through the WiFi signals of their mobile phones by use of sensors (Privacy Company, 2019). WiFi tracking only requires the enablement of WiFi connections; it does not need phones to be connected to (open) WiFi networks (Privacy Company, 2019).
A mobile phone transmits WiFi signals to WiFi hotspots as a sign to connect. These signals include the MAC address of the phone. The MAC address is the unique code of the device, which makes it distinguishable from others. The WiFi tracking sensors process these MAC addresses alongside other data, such as the time, date, and location. With this data, companies can analyze the number of phones within the range of sensors and the movement of phones. WiFi tracking can thus generate insights and data on walking flows and (shopping) behavior within a particular space (Privacy Company, 2019).
Next, I will discuss privacy. There is not just one definition of privacy: there are many definitions, which can vary based on context and culture. A broad description is that privacy is the right to be let alone and not be bothered by others. The right or civil liberty to be a free person is another definition (Lyon, 2015). In other words, it is the right to be oneself. Privacy is ‘an essential component of democracy and of a decent human life’ (Lyon, 2015).
In a democracy, people have the right to speak and move freely. Furthermore, in theory, people have the right to be informed about what authorities are doing. Here is precisely where the problems occur. Regulatory bodies such as intelligence agencies, governments, and municipalities do things in secret, such as mass surveillance, in the name of security. Edward Snowden’s revelations showed that many international security agencies’ mass surveillance targets everyone; innocent bystanders included. This focus on security is not something new. Police departments already monitored specific groups of people in the 1960s (Lyon, 2015). Since the 1970s intelligence agencies do the same in the name of national security (Lyon, 2015). By the 1990s monitoring came to be defined as information-handling practiced to manage risks (Lyon, 2015). And after 9/11 it grew exponentially to unimaginable proportions. WiFi tracking is an example of a practice that can be used by authorities to monitor people.
Another closely-related concept is the notion of surveillant landscapes. Surveillant landscapes are spaces that make the monitoring of people possible through visible and invisible architectures (Jones, 2017). Open WiFi networks in shops, cafes, and city centres are examples of how monitoring takes place in surveillant landscapes. Your presence can be monitored by connecting to these networks or just by having your phone’s WiFi connection enabled. This last point also counts for WiFi tracking. It can be observed where you are, how long you stay there, which route of walking you choose, etc.. It is an invisible surveillant landscape as no signs are stating this monitoring is happening. In this sense, it happens without people knowing or being aware of it.
Due to digitalization and social media, the amount of available information has grown to myriad proportions. This has opened the doors to dataveillance. Dataveillance is ‘the monitoring of citizens on the basis of their online data’ (Van Dijck, 2014). Furthermore, ‘[..] dataveillance entails the continuous tracking of (meta)data for unstated preset purposes’ (Van Dijck, 2014). Two broader concepts come to mind here: datafication and dataism. Dataism refers to a widespread solid belief in the objectivity and the possibilities of large amounts of data (Van Dijck, 2014). Datafication is the transformation of social (inter)action into online quantified data; or the quantification of sociality so to speak (Van Dijck, 2014). In this context, data is a resource used to predict future behavior. Data makes it possible to understand things about human behavior which were never likely to be seen, detected, or interpreted as easily, if at all (Van Dijck, 2014). As WiFi tracking uses the (WiFi) data of mobile devices, we can see this practice as an example of datafication and dataveillance as well.
Now that we have some insights into WiFi tracking and its connections to privacy and democracy, it is time to investigate the specific use of WiFi tracking by the municipality of Enschede.
What happened in Enschede?
In 2017, Enschede hired CityTraffic to track and analyze WiFi data (Tubantia, 2021). On the website, CityTraffic say it gathers information about volumes of people at city centres, football stadiums, and shopping malls, called, ‘footfall counting’ (CityTraffic, 2021). Further stating that footfall counting does not follow persons; it only counts people at a particular moment (CityTraffic, 2021). On the ‘Privacy’ page, CityTraffic state it uses sensors that pick up the WiFi signals of mobile devices within range. CityTrafficacknowledges that with these signals, the MAC address of phones is broadcasted, making the WiFi data count as personal data (CityTraffic, 2021).
However, CityTraffic states that it immediately anonymizes the MAC addresses by a practice called hashing. Hashing means the converting of input into a random (new) code. The sensor then sends the anonymized data to the company server. There the data get anonymized for a second time. CityTraffic claims that this double anonymization makes this data not count as or include personal data (CityTraffic, 2021). And as such, it cannot (re-)identify specific persons. After analyzing the data, CityTraffic presented its findings to partners that hired its services, such as the municipality of Enschede. The analyses provide insight into flows of people, the flourishment of specific areas, or a need to invest in certain areas (Tubantia, 2021).
Enschede case: a violation of privacy?
On April 29, 2021, the news reported that the Dutch Data Protection Authority, also referred to as (Dutch) DPA, fined the municipality of Enschede for violating the privacy of its inhabitants by their use of WiFi tracking (NOS, 2021). What is vital for the case’s background is that it is not the first time the DPA or the Dutch privacy watchdog makes a statement about privacy issues about shops, companies, and municipalities that use WiFi tracking. Both in 2016 and 2018, they expressed their concerns about the likely breach of privacy when using it (Autoriteit Persoonsgegevens, 2016; Autoriteit Persoonsgegevens, 2018).
On March 25, 2018, a heavy data processing regulation policy came into effect within the European Union, called the GDPR: General Data Protection Regulation (GDPR, 2021). At the time, Enschede asked the Dutch DPA if their citizen counting through WiFi tracking conflicted with the GDPR (Tubantia, 2021). The privacy guard then said they first wanted to investigate the case.
A closer look at the General Data Protection Regulation
It is crucial to take a closer look at the GDPR to make valid statements about whether or not Enschede violated privacy. Firstly, in Article 4, the GDPR defines personal data as ‘any information relating to an identified or identifiable natural person (‘data subject’) [..] who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ (GDPR, n.d.). Furthermore, ‘Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it’ (GDPR, n.d.).
In Article 6, the GDPR states it is lawful that personal data is processed if either (a) the data subject has given consent, (b) it is done in the performance of a contract, (c) there is a legal obligation, (d) it is of vital interest, (e) it is in the public interest, or (f) if there is a legitimate interest to process data (GDPR). It also includes a note that (f) 'shall not apply to processing carried out by public authorities in the performance of their tasks' (GDPR, n.d.).
The grounds of a legal obligation, vital interest, and public interest are challenging to prove in the context of Enschede's WiFi tracking. Moreover, a contract or legitimate interest are not at hand or relevant here. And consent has not been given either; local hacker Borghuis states that Enschede’s citizens did not know about or consent to the processing of their data (Tubantia, 2021). While difficult to make solid, Enschede’s municipality might be able to use the public interest argument. The city stated that it wanted to map the flows of people within specific parts of the city to guarantee the security and liveability of the people by not having the area be over-crowded (Tubantia, 2021).
The Dutch Data Protection Authority sees itself justified to fine Enschede for privacy violation
In its two-and-a-half-year investigation of Enschede’s case, the DPA concludes that while the WiFi tracking might not have been used to track people, the technical means make it possible to do so. ‘Each phone was registered separately and given a unique code. This makes it possible to measure how crowded the street is by counting how many phones are near a sensor at a particular time. If, however, you monitor over a longer period of time which phone passes close to which sensor, that ‘counting’ becomes tracking’ (Autoriteit Persoonsgegevens, 2021). As such, it makes the practice illegal and in conflict with the GDPR (Autoriteit Persoonsgegevens, 2021).
DPA’s deputy chair states it was possible to use the data to track people in the centre of Enschede: ‘When it’s relatively quiet, you can see exactly which person belongs with which code. Or you can look at patterns: if a person arrives at the same location every day at 08.00, and leaves again at 17.00, that means they work there’ (Autoriteit Persoonsgegevens, 2021).
The privacy guard sees this case as very troubling: ‘If people can be tracked via their phones that is a bad state of affairs. Everyone has the right to go about their business outside freely and without being spied on. Without the government or any other party being able to watch you or keep track of what you’re doing. That is part of our free and open society’ (Autoriteit Persoonsgegevens, 2021).
Further, the privacy guard states that municipalities should use systems that effectively count people and nothing more. The (protection of the) rights of citizens should be their priority, and nothing else. The privacy guard acknowledge that in some cases, it is allowed to use WiFi tracking, but as the means can affect people’s lives so heavily, it is restricted and, in most cases, prohibited (Autoriteit Persoonsgegevens, 2021).
The WiFi tracking case in a broader context
At the beginning of this paper I asked: How is the Enschede WiFi tracking case related to the larger debate about privacy? Privacy in this context is a broad notion founded on democratic principles and human rights. It states that people should be able to speak and move freely. In a democracy, citizens have the right to know what authorities are doing. Yet, these authorities often deploy secret mass surveillance in the name of security. This was also at hand in the Enschede case; the municipality defended its WiFi tracking by stating they wanted to protect the city's liveability and prevent overcrowding.
Contemporary times are furthermore driven by a paradigm of datafication that focuses on the potential of massive sets of data (Van Dijck, 2014). Within this paradigm data are collected and analyzed to provide insight into people’s behavior (Van Dijck, 2014). An example of datafication is dataveillance. Dataveillance is a monitoring practice that uses people's (online) data (Van Dijck, 2014). In Enschede’s use of WiFi tracking, the processed WiFi data was used to indicate the crowdedness of the city’s centre. This is both an instance of datafication and dataveillance.
Mass surveillance and datafication are at odds with the above stated democratic principles as it monitors people’s movements. It happens on a significant scale without people being aware of it. This also applies to WiFi tracking, and as such, it makes it an example of a surveillant landscape (Jones, 2017). 'Surveillant landscape' is a term coined by Jones (2017) to describe architectures that make it possible to monitor people in public spaces. That definition describes precisely what happened in Enschede. The city centre of Enschede became a space of monitoring due to its municipality using WiFi tracking. Everyone that entered this specific area would be tracked by the WiFi signals of their mobile phone. It was an invisible surveillant landscape as no signs stated this monitoring was happening and without people being aware of it. Hacker Borghuis noted that the people did not know about the WiFi tracking in Enschede and did not give their permission to gather their data (Tubantia, 2021).
The Dutch Data Protection Authority states that the WiFi tracking done by Enschede’s municipality is a violation of privacy. According to the privacy guard, said WiFi tracking made it possible to track and identify people (Autoriteit Persoonsgegevens, 2021). This makes the practice illegal and in conflict with the GDPR. Even though they did not find evidence that Enschede used it that way, WiFi tracking's technical architecture makes it possible to follow people instead of just counting them. As such, the privacy of the people was not protected well-enough. The Dutch DPA concluded that these findings were reason enough to fine the municipality for privacy violation (Autoriteit Persoonsgegevens, 2021).
All in all one could say that this case proves the point made by Jones (2017) that a surveillant landscape, such as the use of WiFi tracking in Enschede, renders people visible as well as legible. In situations like these people can be read and seen by (hidden) digital technologies. This often happens without notifying the people that are being read, viewed, or tracked. The fact that this information, in the name of 'security' is not disclosed shows the mighty and panoptic powers and effects of digital technologies. What itdisplays is the importance of frameworks such as the GDPR and the alarmingly urgent need for data(fied) literacies.
A silver lining?
Are there positive sides to this situation? Yes.. The Netherlands is a European Union country. It falls within GDPR’s jurisdiction. It means solid restrictions and regulations need to be considered when one wants to process personal data. And as we have seen, the DPA makes sure that businesses and state authorities follow the GDPR guidelines. When they conclude that an organization has violated citizens’ privacy rights, they take action, such as in the form of a hefty fine.
Furthermore, because Enschede got a 600.000 euro fine, other municipalities are now actively questioning their practices that have to do with data processing. Some cities instantly shut down WiFi tracking because Enschede received this fine (Tubantia, 2021). It is a new focus on privacy which in the long run might create improvement of privacy and awareness that there are strict rules and that state and government have to make sure that they correctly follow those guidelines.
Autoriteit Persoonsgegevens. (2016, June 6). AP wijst winkels en gemeenten op voorwaarden wifitracking.
Autoriteit Persoonsgegevens. (2018, November 30). Bedrijven mogen mensen alleen bij hoge uitzondering met wifitracking volgen.
Autoriteit Persoonsgegevens. (2021, April 19). Dutch DPA fines municipality for Wi-Fi tracking.
CityTraffic (n.d.). Privacy.
GDPR. (n.d.). General Data Protection Regulation (GDPR).
GPDR. (n.d.). What is GDPR, the EU’s new data protection law?
Jones, R.H. (2017). Surveillant landscapes. Linguistic Landscape 3(2), 149-186.
Louwes, W. (2021, April 29). Enschede was gewaarschuwd voor wi-fi tellen, maar gemeente was zich van geen kwaad bewust. Tubantia.
Lyon, D. (2015). Surveillance after Snowden. Cambridge: Polity.
NOS. (2021, April 29). Privacywaakhond legt Enschede boete op van 600.000 euro vanwege wifitracking.
Privacy Company. (2019). What does the GDPR say about WiFi tracking?
Tubantia. (2021, April 29). Enschede niet akkoord met forse privacyboete om wifi-tracking: ‘Wij volgen niet, wij tellen slechts’.
Tubantia. (2021, April 30). Hengelo stopt na boete voor Enschede ook maar even met wifi-tellingen.
Van Dijck, J. (2014). Datafication, dataism, and dataveillance: Big Data between scientific paradigm and ideology. Surveillance & Society 12(2), 197-208.