London Underground passengers told to turn off their Wi-Fi if they don’t want to be tracked

Graham Cluley

Underground wireless

Underground wireless

From July 8 2019, travellers on London’s underground tube network may wish to turn off their Wi-Fi first… if they don’t like the idea of being tracked.

97% of London Underground stations offer free wireless internet access via a partnership with Virgin Media, and this week Transport for London (TfL) announced that it would be starting its “secure, privacy-protected data collection” via these hotspots from Monday 8th July.

According to an FAQ about the data collection, the information will help TfL “better understand how customers move through and between stations,” by measuring how long it takes for a device to travel between stations, the route taken, and waiting times at busy times.

Later in the year, TfL hopes to introduce better alerts about delays and congestion within stations through its analysis of the data it collects.

In an attempt to allay privacy fears, TfL says that the data collected will be “automatically depersonalised… immediately after the data is first collected.” No browsing or historical data is collected from any devices, says TfL.

Travellers who have previously signed-up for the Tube’s free Wi-Fi service will have their device’s unique MAC (Media Access Control) address collected, alongside the date and time their smartphone authenticated with the Wi-Fi network and the router they connected to.

This depersonalised Wi-Fi connection data will be held for two years.

If you haven’t signed-up for free Wi-Fi on the London Underground, your phone will still be regularly sending out a probing request searching for a Wi-Fi hotspot to which it can connect. TfL says it will not use such data for analysis, and will remove such un-authenticated data “as soon as possible after receipt.”

It sounds to me like TfL is looking to provide a better service for Tube users by doing something smart with the data it has available to it.

But what bugs me is that, once again, an organisation is assuming your consent rather than asking you to opt-in. Where does this end? You might not be too perturbed by this use of your data, but what might they think of next?

If you don’t like the idea of being tracked in this fashion, the onus is on you to turn off your Wi-Fi or enable Airplane mode before you enter the station, and – of course – no longer have access to Wi-Fi on the Underground.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

6 Replies to “London Underground passengers told to turn off their Wi-Fi if they don’t want to be tracked”

  1. You said that this will work only for people who registered with that WiFi network. So it is opt-in, rather than opt-out, isn't it?

    1. No, it's not what I would call opt-in.

      Even if you aren't registered to use the Underground Wi-Fi, your phone will still be picked up when it does its search for hotspots. This will be picked up as an "unauthenticated device". TfL says it will not use such data for analysis, and will remove such un-authenticated data “as soon as possible after receipt.”

      Of course, it's up to you whether that's a concern or not – but there will apparently be signs up in stations telling travellers to turn off their Wi-Fi if they don't like it.

      Furthermore, for those travellers who previously signed-up for the London Underground Wi-Fi service, they did so without knowing anything of how their usage might later be used for tracking. If they’re not happy about that the onus is now on the travellers to opt-out rather than opt-in.

      Like I said: “What bugs me is that, once again, an organisation is assuming your consent rather than asking you to opt-in. Where does this end? You might not be too perturbed by this use of your data, but what might they think of next?”

  2. "free" wi-fi, really? I always knew there is no such thing.

    I'm more worried about the fact that it's an unsecured network than by the tracking.

    1. Well that argument doesn't *necessarily* apply to free WiFi in the same way as free email, for example, because the assumption is that your in a business and probably a costumer, so giving you a better experience will make you more likely to spend more time there buying stuff/giving the money somehow. This doesn't mean you won't pay with your data, just that it's not a surefire sign that you will.

  3. I think both Apple and Android phones are (or soon will be) able to do Mac address randomization on purpose? I wonder, how this will factor in then.

  4. The Register covered this in 2017, possibly in effect already. https://www.theregister.co.uk/2017/03/10/mac_address_randomization/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.