A recent news story reported that a small number of litter bins in London were collecting a unique identifier from passing mobile phones and using these for some sort of “footfall analysis”. There doesn’t seem to be much detail about the plans: it struck me that a helpful application could perhaps be to look for the same phone passing slowly and repeatedly past, and display an “are you lost?” map on the bin’s advertising screen! The story triggered a discussion among lawgeeks as to whether the information constituted personal data, something the Information Commissioner is apparently investigating. My tentative conclusion is that whichever answer is right, in these edge cases data protection law may be neither a good guide to when privacy concerns will arise, nor to how to address them.
What the bins seem to have been collecting is the Media Access Control (MAC) address, a unique number that is built into every network interface by the equipment manufacturer. Back in the days when all networks were Ethernet, we used to refer to them as Ethernet addresses, but now they appear in many other technologies, notably the interfaces for IEEE 802.11 radios that allow your laptop, tablet or phone to connect to wifi. Since the wifi MAC address is included in every transmission, if your device’s wifi is on then any radio within range (50-100m or so) that’s tuned to the right frequency can ‘hear’ it. And, since the whole point of a MAC address is to ensure that every device has a unique number, a series of radios down a street could, indeed, ‘follow’ your phone as you walked along.
So is a MAC address personal data? Under UK law, at least, that’s far from clear. It’s tempting to compare MAC addresses with IP addresses, but there are two significant differences. First, MAC addresses are only visible to other devices on the same local network segment: for IPv4 they aren’t carried across the Internet to remote servers at all (though some IPv6 address-configuration options do embed the MAC address in the IP address). Web servers and other remote systems can’t use your MAC address to distinguish you or to link your activity across different services because they’ll never see it. On the other hand, again unlike an IP address, your MAC address doesn’t change when you move to a different network. So two hotels in different countries could, if they cared to exchange logs, work out that the same laptop had visited both of them. At least they could if it had connected to both wireless networks, because each interface on a laptop has a different address: a wired network sees one MAC address, a wireless network sees a different one. Interestingly, I don’t think my home broadband provider can see either of those addresses: all it can see is the MAC address of the router/access point that I manage. So MAC addresses don’t travel as far across networks as IP addresses, but they may persist for longer.
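As an added illustration of the IPv6 point above (example code written for this post, not from the original), the following shows how a MAC address is folded into an EUI-64 based IPv6 interface identifier, and how a MAC can be read straight back out of such an address; it also exposes the U/L bit that distinguishes a manufacturer-assigned address from a locally assigned one. The sample MAC address is constructed, not a real device.

```python
import ipaddress
import re
from typing import Optional

def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' / 'aa-bb-cc-dd-ee-ff' / 'aabb.ccdd.eeff' into 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)

def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit: set means the address was assigned
    locally (by software) rather than burned in by the manufacturer under an OUI."""
    return bool(parse_mac(mac)[0] & 0x02)

def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A): split the MAC
    in half, insert 0xFFFE between the halves, and flip the U/L bit."""
    m = parse_mac(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]

def mac_to_link_local(mac: str) -> str:
    """The fe80::/64 link-local address a host builds from its MAC when it uses
    EUI-64 rather than RFC 4941 privacy (randomised) interface identifiers."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_eui64_iid(mac)))

def ipv6_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from any EUI-64 based IPv6 address (link-local or global).
    Returns None when the identifier lacks the ff:fe marker, e.g. a privacy address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in m)

if __name__ == "__main__":
    sample = "00:11:22:33:44:55"  # constructed example address
    print(mac_to_link_local(sample))        # fe80::211:22ff:fe33:4455
    print(ipv6_to_mac("fe80::211:22ff:fe33:4455"))  # 00:11:22:33:44:55
```

A remote server therefore never sees the MAC on IPv4, but an EUI-64 style IPv6 address hands it over in every packet, which is why privacy (randomised) identifiers exist.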
That means that the group of organisations likely to be able to link the MAC address to the person carrying the device (thus making the MAC address personal data in their hands, according to the UK Data Protection Act) is different from those who can link the IP address. A hotel whose wireless network requires you to give a room number to log in probably will be able to make the link; even if you don’t need to log in, they could potentially link you to the customer who caused trouble in another hotel last week! But none of the websites that you accessed during your stay can, even if you logged in to accounts on them, because they don’t see the MAC address. Unless the bin company had an information sharing agreement with nearby hotels, it seems unlikely to me that MAC addresses were personal data in their hands (the system has now been switched off because of privacy concerns, hence the past tense).
Even though the Data Protection Act may not have applied, the privacy issues do seem to have worried people. So just because you aren’t processing something classed as personal data doesn’t mean you can ignore privacy. This is one of the things that should be picked up by a Privacy Impact Assessment: checking early in the design process whether affected people are concerned about a system may be more useful than a detailed analysis of whether the letter of the law applies.
Furthermore, when dealing with these not-quite-personal identifiers, the law may in any case give paradoxical guidance. If the MAC address did constitute personal data then what the bins are doing would count as processing location data, which has special status under European and UK law. In particular you can only process the location of identifiable individuals if you have their consent and on condition that they can withdraw consent at any time. But if all you have is a MAC address, you can neither ask them for their consent nor validate their request to withdraw it: for that you would need an e-mail address or phone number that lets you contact the device’s owner. In fact the bins do provide an opt-out: there is a webpage where you can enter a MAC address and prevent it being tracked. But you have to enter the address manually because, as above, a website can’t see it, so there’s nothing to stop you entering someone else’s MAC address. That probably doesn’t matter for an opt-out. However, the draft Data Protection Regulation suggests automating Subject Access Requests for information associated with personal identifiers: would that let me type in someone else’s MAC address and see where they had been walking?
So it seems that if the MAC address of a phone were classed as personal data, it would be impossible for a system following the location of MAC addresses to comply with Data Protection law, because it would have no way to communicate with the individual. So the law would effectively prohibit that system. But, ironically, if mobile phones instead broadcast their e-mail address or phone number then it would be possible for a tracking system to comply, by seeking consent, even though the information collected by that system would also allow much more intrusion into private lives. Should the law really encourage systems to use more privacy-invasive identifiers than they need? Around the edges, the over-simplistic model where information is either personal or it isn’t can produce some very odd effects.