WiFi has become so ubiquitous: It's at airports, libraries, department stores, hotels, hospitals, and of course coffee shops. All this public WiFi is incredibly convenient, but raises privacy issues for users and potential backlash for WiFi providers.
With retailers and other WiFi providers gathering mobile location data, consumers are being tracked, oftentimes without ever knowing it. And there's very little in the way of any regulatory framework for these data collection activities, experts say.
Like cell phones, WiFi devices have unique identifiers that can be used for tracking purposes, but tracking someone's cell phone records requires a court order because that information is recognized as legally protected, said Matthew Gast, director of product management at Aerohive Networks, noted author of WLAN books, and speaker at Interop Las Vegas.
"If you want to track WiFi information, you need 100 bucks worth of hardware times the number of sites you want to monitor. You can collect the data. If you want to sell it, you can... It's not legally protected in the same way," he said in an interview.
A WiFi device constantly look for networks it's configured for, so even if a user doesn't connect to the network at say, the mall, the device can be tracked by the mall's WiFi network. (With iOS8, however, Apple disguises the device by randomizing its MAC address.) A retailer, for example, could then see how long customers shop and how repeat customers behave. With some additional personal information provided by the customer for WiFi access, a retailer can profile individual customers.
MAC-based location data is a lot like license plate reader data right now; both are unregulated, so no one really knows how it's being used, Lee Badman, wireless network architect for a large private university, said in an email. If MAC location data is tied to the social WiFi model, in which social networking credentials are used to sign in to wireless networks, "it gets potentially more intrusive," he said, noting that the MAC address alone isn't all that valuable until it's tied to a person the first time.
Even when a mobile app or a WiFi service asks a user for permission to use his or her location data, not many users understand what that involves, said David Adler, an attorney and founder of Adler Law Group. At Interop Las Vegas, Adler will lead a session, Privacy Implications of Mobile Advertising Location Data.
"No. 1, there's no U.S. regulatory framework for ensuring that location data is protected. No. 2 -- this is the bigger issue -- I don't think there's any way an end user can give meaningful consent to use of their location data," he said in an interview. "I don't think end users understand the information that's being shared, and I don't think they can.
When users click yes when a mobile app asks if they will share their location data, they likely aren't aware that MAC addresses are collected and sometimes handed off to third-party aggregators or advertisers, which can use the information for profiling, he said.
"There are no restrictions on how this data is gathered, how it's used or with whom it's shared," Adler said.
The only kind of enforcement comes when companies don't follow their privacy policies, if they've issued any. "It's a much narrower set of circumstances," Adler said. "It's the difference between breaking the law and breaking a promise."
Backlash & industry response
Outside of actual legal ramifications, location tracking still can get WiFi providers into hot water. Gast noted that a San Francisco Bay Area coffee shop business, Philz Coffee, stopped using customer analytics software that used location data after customers complained. And according to a New York Times report, Nordstrom dropped similar technology, in part after receiving customer complaints.
There are additional liabilities that retailers and other may face in providing WiFi, but they are unrelated to location data, Adler said. They include illegal downloading or transmission of third-party content by a user, and someone causing personal harm to another, such as stalking, via a WiFi hotspot.
Gast, who served on the 802.11 working group that revises WiFi standards and currently leads security efforts for the Wi-Fi Alliance, said the industry is responding to the privacy concerns. "There has been recognition on the part of the broader WiFi community that this is important to users and we need to respond," he said.
For example, the Wi-Fi Alliance is exploring a technical response that would borrow from the GSM technology in cell phones, he said. A functionality in GSM assigns temporary identification numbers to mobile devices as they move between networks. "It's not hard to see the concept -- you don't use a real, unique identifier. You negotiate for something that's temporary, use that in a space where it has to be unique and keep recycling it," Gast said.
Gast sees the privacy concerns from location tracking as a security issue. "I like the fact that my daily movements aren't generally accessible by people without a court order," he said. "That is a rich data set. I don't have anything particularly to be afraid of, but I know people who do."
WiFi is an asset that people generally love, and the WiFi industry wants to keep it that way, Gast said. "If we get associated with unsavory tracking practices, that's not going to be good for us."
Attend Matthew Gast's live session, Building the Wi-Fi On-Ramp to the Internet of Things and David Adler's presentation on Privacy Implications of Mobile Advertising Location Data at Interop Las Vegas. They are part of Interop's Mobile & Wireless Track, which includes sessions on WLAN troubleshooting and the next-generation WLAN. Don't miss out! Register now for Interop, April 27 to May 1, and receive $200 off.