This morning I noticed a piece in the Irish Independent which highlighted that Dublin Airport is automatically scanning and tracking passenger WIFI and bluetooth signals to measure the length of time taken to go through security queues.

Investigation launched after man carries knife onto plane in ‘error’ — Irish Independent, 9th Nov 2015

Example: Unique WIFI and Bluetooth MAC address on an iPhone

While everyone hates airport queues, this measure also has significant implications for passenger privacy.

If you have WIFI or Bluetooth turned on (they do not have to be connected to anything) then Dublin Airport is tracking a minimum of one or two completely unique identifying numbers of your mobile phone (and your laptop, iPad, smart watch, fitness tracker etc) — the WIFI MAC (Media Access Control) address and/or the Bluetooth MAC address. These MAC addresses are completely unique all over the world to your device. Such tracking systems, called “Mobile Location Analytics” are increasingly common in public spaces like shopping centres. Yet Dublin Airport is not just a small shopping centre, it is Ireland’s most important transport hub.

Using standard WIFI tracking technology providers, you can see a mockup example of the type of information visible here. When presented in that way, the information seems fairly innocuous — (and we should give Dublin Airport the benefit of the doubt that its reasoning is most probably genuine customer service).

Why does this matter to Irish citizens privacy?

We now understand from a wide variety of reports from the Edward Snowden releases that members of the “Five Eyes” specifically target airports worldwide for electronic and human intelligence gathering in places like Canada. This is because locations like airports, hotels and borders are natural chokepoints for tracking people. In a nutshell, what happens is they gather information or directly hack airport WIFI services and other technology to find out where you are and what you are up to. Ireland is not exempt from targeting by the “Five Eyes” and has been the target of GCHQ for decades (see examples in the 90s, 00s and present) so it’s not unreasonable to consider that Irish Airports would be targets also.

So far, it appears this has mostly targeted users who actually connect to “Free WIFI” services like Boingo (which is not used at Dublin Airport, instead Eir is the provider of free WIFI).

(Not that it wouldn’t be possible to gather advanced information on passengers though other methods such as portable IMSI catchers, ticket purchases, PRISM, human intelligence agent etc — but let’s leave that aside for now.)

If I’m a passenger, I should know how my data is being used

Without even getting into the issue of those who do connect to free WIFI, passengers at Dublin Airport who do not connect to free WIFI services should have an expectation of privacy — as they have not actively consented to tracking (e.g unlike free WIFI, there is no little box which appears that you have to tick to accept terms and conditions). While you can argue that passengers consent to other security measures such as CCTV monitoring, body checks etc — that technology is visible and signposted, at no point do passengers see a sign that says “Welcome to Dublin Airport, we track a piece of unique information about your mobile phone, laptop and iPad whether you agree to it or not”.

The automatic nature of the passenger queue monitoring technology arguably represents an infringement on their privacy as there is nowhere (to my knowledge) in Dublin Airport ticket conditions or otherwise where a passenger agrees for their electronic devices to be subject to surveillance for these purposes. Moreover, it is likely that staff and people who are not passengers (friends dropping someone to the airport etc) are also likely to have their devices tracked if they are near the security areas.

When asked about it, Dublin Airport said:

Question about the tracking at Dublin Airport

Dublin Airport Reponse

The response from Dublin Airport suggests they don’t really understand the wide nature of “personal data” in a digital age. They say that are not collecting “personal data” however the tracking of a unique WIFI or Bluetooth MAC address is de facto a piece of extremely personal data (Apple iOS 8 update tried to deal with this problem by randomly changing MAC addresses for this exact reason, though it’s efforts had limited success). Our phones and devices and their MAC addresses travel everywhere with us and are used for everything from calling our loved ones to visiting a web page. Thus MAC addresses link us to everything we do online.

Dublin Airport does not force passengers to give their personal phone number when we walk through the airport doors, so why should it grant itself the right to gather up unique information about the devices where passengers do everything from read the news to browse Tinder?

What’s the bigger picture here?

If we set aside the issue of making it easier for foreign intelligence agencies to track people in arguable one of the most sensitive locations in any country, the bigger picture is quite simple.

Tracking technologies in public area’s in Ireland are likely to spread quite quickly — and as in this case, without any warning to the people who’s information is at risk. At the moment, the ability to track mobile phones is fairly limited to a small group of organisations such as phone companies but with this technology — a large swath of commercial organisations will be able to build up a map of your movements. The public and policy-makers have yet to really keep up with the challenges this may create. For example:

A retailer can now follow a person, including a child with a mobile device, around a shop and target adverts at them. This effect is magnified when combined with technology such as “Apple Pay.” It is only really a matter of time before data on your specific (device) movements are sold to advertising aggregators, as currently happens with store loyalty cards etc.

It becomes a lot easier for your boss (or husband/wife) or your insurance company to know exactly where you are — with the resultant effect on your job, life, privacy and premiums.

Those who require protection and privacy for their work, for example a social worker meeting a victim or a journalist meeting a source are more likely to accidentally leave a digital trail which may endanger them.

The questions I have for the Dublin Airport Authority are:

Where in your terms and conditions or other publicly available policy does a Dublin Airport passenger consent to allowing you to track the unique MAC address of their electronic devices?

How long has this tracking technology been in place?

Can you describe exactly how the technology works?

Which technology and company provides this service?

What data do they hold on the individual MAC addresses?

How long do they hold this data on the individual MAC addresses?

Where do they store this data on individual MAC address?

How many unique MAC address are currently stored by the system?

Do you also collect the list of SSIDs broadcast by many mobile phones?

Who at Dublin Airport and at the service provider has access to my individual MAC address?

What (if any) other third parties allowed to access this data?

What areas of Dublin Airport are also subject to WIFI or Bluetooth device tracking? Is it only in the security queue(s)?

What uses, other than queue management, does Dublin Airport use for this tracking technology?

Who do passengers contact to have copies of their MAC address records and/or other tracking data be sent them?

How do passengers opt-out of individual MAC addresses being scanned and/or retained?

What can a passenger at Dublin Airport do to protect their privacy?

Turn off WIFI and Bluetooth when travelling through the airport (or for more privacy, switch to flight mode) Use an automated MAC address changer such as WIFI Mac Address Changer or Pry-Fi (Android only) or update to iOS 8 (iPhone) Delete old WIFI networks which you have previously connected to but no longer need from your devices. This helps reduce another possible form of tracking based on SSID tracking. Learn more about mobile location tracking here. Assuming you trust them to do so, some mobile location analytics companies allow you to “opt-out” your MAC address from their tracking. See here.

Want any easy way to manage your digital and physical security on the move? Download Umbrella App

For more information on digital and physical security tools, Security First has launched a free, open source (Android) app called Umbrella. It contains lessons and checklists about how to do everything from keeping your data safe to travelling through airports securely. Find out more at https://www.secfirst.org or download directly from the Google Play store.