
Is Dublin Airport tracking passenger phones without their permission? - secfirstmd
https://medium.com/@roryireland/is-dublin-airport-tracking-passenger-phones-without-their-permission-8a779453a6d7
======
jeremysmyth
This article is based on a premise that is either incorrect or has not been
defined or settled in law.

The data protection law exists for the protection of personal data, defined as
"data relating to a living individual who is or can be identified either from
the data or from the data in conjunction with other information that is in, or
is likely to come into, the possession of the data controller"[1]

If the airport authority is not gathering any other information beyond the
device MAC address, and is not connecting that information to other
information sources (such as MAC addresses gathered from WiFi registrations)
then the MAC address cannot be used to identify a living individual.

Now, we all know that there is a correspondence between such a MAC address and
a single individual, just as there is with DNA or fingerprints or footfall
pattern or voice analysis or facial recognition, or car registration numbers
or any of a number of other identifying characteristics. However, the law does
not concern the gathering of data (however unique), merely the gathering of
_personal data_ that identifies someone in conjunction with other data in the
possession of the data controller.

Just because that data _could_ be used to identify someone (in a different
system) does not mean that it is covered under data protection obligations _in
this system_.

[1] [https://www.dataprotection.ie/docs/What-is-Personal-
Data-/21...](https://www.dataprotection.ie/docs/What-is-Personal-
Data-/210.htm)

~~~
kwhitefoot
How is my device's MAC address not personal information? It is unique and
belongs to me, how much more personal can you get?

~~~
jeremysmyth
_[my device 's MAC address] is unique and belongs to me, how much more
personal can you get?_

Regardless of its uniqueness, it can't be used _by that data controller_ to
identify you because the collector does not have additional information.

I can't identify you by reading your car licence plate, even though that
information _can_ be used to identify you by others who have access to a
database of cars-to-owners. The point of the law is that _I_ can't use it to
identify you, therefore I don't have to notify you when I collect that
information.

~~~
noja
> The point of the law is

Is? Or was?

Was the law written when mass tracking of inidivuals by unique serial numbers
was common, possible, or feasible?

------
retube
I just can't get outraged by this. You are walking around literally shouting
out a personal identifier and demanding that no one listens.

People need to take responsibility for themselves. If you have a problem with
this, TURN YOUR WI-FI OFF.

~~~
jeremysmyth
But I am broadcasting identifiers everywhere I go. The oldest means of
recognition in the world is _my face_ , and I don't cover that up wherever I
go. I've also got a recognizable smell[1], a recognizable gait[2], a
recognizable voice[3], and doubtless many other things that can be used
individually or in aggregate to identify me, and that's before we get to
contact-based or invasive techniques involving fingerprints, iris recognition,
or DNA tests.

Suggesting that people "need to take responsibility for themselves" is
tantamount to victim blaming when it comes to broadcasting identities for
gathering by third parties. The responsibility for correctly using data should
really lie with those that _collect_ the data, and that's what data protection
acts in Europe tend to target.

[1] [http://www.livescience.com/5188-odor-unique-
fingerprint.html](http://www.livescience.com/5188-odor-unique-
fingerprint.html)

[2] [http://www.wired.com/2011/09/walking-biometric-
identificatio...](http://www.wired.com/2011/09/walking-biometric-
identification/)

[3]
[https://en.wikipedia.org/wiki/Speaker_recognition](https://en.wikipedia.org/wiki/Speaker_recognition)

~~~
enginnr
This sounds like a judgement on those who carry phones and don't think too
hard about this but then call out those who go phoneless because they (the
phone-equipped) don't understand the hardware. This is not a judgement. It's
simply challenging the false narratives and assumptions citizens have when
they carry a phone around: DO you feel empowered or enfeebled (weakened) by a
phone?

------
Frqy3
These sort of solutions (Wi-Fi and/or Bluetooth based) are already growing in
popularity amongst the retail sector (esp. large shopping malls), so no
surprise that an airport is doing likewise.

And to be clear, this in no way implies that I am okay with this state of
affairs.

~~~
Ao7bei3s
So maybe we should start randomizing MAC adresses whenever Wifi is turned on.

(Would it be a privacy problem if MAC adresses were very short-lived? I really
don't know.)

~~~
746F7475
There would be at least service gaps if you changed MAC on the fly while
connected to a network. At worst your packets would go to another device,
unless your device announced it's MAC change, which would render the whole
operation pointless.

And sniffing for probe requests is way more revealing than just sniffing MAC
addresses. Only real solution is to turn off all WiFi and bluetooth devices,
latter is getting harder and harder with smart watches, wireless headphones
and other stuff.

That being said I'm not worried about being tracked while I move through an
airport, since they already have cameras. Also your ticket is pretty telling,
they know when it gets printed out, when it gets scanned in security and when
it's scanned in the boarding, so you have always been tracked. This just
brings more accurate data how long it takes for you to get from point A to B.

~~~
secfirstmd
I think the bigger point is that the roll out of MLA systems is happening in
public spaces without any real public debate or knowledge that these things
are happening. CCTV is obvious and normally sign posted in a public area, MLA
is not...

