WiFi-enabled smartphones, laptops and other mobile devices could turn their users into walking data leaks just waiting to happen, Ontario Information and Privacy Commissioner Ann Cavoukian said yesterday.
The provincial privacy chief spoke at the SC Congress Canada security conference in Toronto. During the event, she also released a white paper entitled: Wi-Fi Positioning Systems: Beware of Unintended Consequences – Issues Involving the Unforeseen Uses of Pre-existing Architecture, which she wrote in collaboration with Kim Cameron, a digital identity expert.
Whenever an individual uses location-based services on their devices, a unique identifier of nearby traceable WiFi access points called MAC (media access control) address is relayed to enable the network to pinpoint the location of the user and provide services such as directions to a restaurant, she said.
The process raises privacy concerns, Cavoukian said, because the location information may be compiled over time to create a profile of the individual which could show where the person has travelled to, shopped, eaten, or banked.
The unique addresses of WiFi devices are tracked by mapping systems maintained by companies such as Apple Inc., Microsoft Corp., Google Inc., Skyhook Wireless Inc. and Research in Motion Inc., said Cavoukian. Many companies prefer to use WiFi for location-based services such as navigational applications, social networking apps and Web-based maps, because WiFi places less drain on a mobile device’s battery compared to global positioning systems (GPS).
“MAC addresses are core to current networked communications. But with minimum time and resources, one may be able to associate MAC addresses of mobile devices to physical addresses and then to a specific individual,” she warned.
Future technological developments may also turn WiFi device users into “unknowing informants” on their friends and family members, Cavoukian added. “Individuals using geo-location services could inadvertently report the MAC address (and physical location) of mobile devices belonging to friends, family and co-workers,” she said.
Cavoukian’s co-author, Cameron, raised some questions about how further technological developments in the WiFi field might be misused.
“What companies, government departments, people and systems will be able to follow our physical movements and activities, five to 10 years from now?” he asked.
“How will the access to this information change the way we are treated? Will individuals have any protections?” Cameron said. “When you look into this it becomes clear that location technology must embrace our human need for privacy.”
Baking privacy into design
During her talk, Cavoukian cited the case of Sony Corp., which figured in a massive data breach scandal recently, and Apple which was the target of a class action suit complaints after researchers revealed that the iPhone and iPad stores information of user’s movements for up to a year.
Related Story: Apple hit with another suit alleging privacy violations
“I’ll repeat my message to Apple and Sony. Don’t practice privacy by chance. Build it into the design of your product,” she told engineers at the conference.
For instance, she said, issues around unintended uses of technology should form part of a developer or company’s privacy risk analysis well before a product is created. “In our example, in no case should the MAC address of the end-user device be collected or tracked without the consent of the owner of the device,” said Cavoukian.
Cavoukian also called for more transparency on what data companies are collecting and what they are doing with the information. In Apple’s case users were concerned about the fact that they were not aware their location data was being collected by the iPhone and iPad devices.
“The people felt misled and their trust in the company was eroded,” she said.