
There is a paper (described in the news) that details how Apple's Wi-Fi Positioning System (WPS) facilitates mass surveillance, even of those not using Apple devices. The system is described so:

Mobile devices that have used GPS to obtain their location often report back to a WPS service, along with a Wi-Fi Access Point's MAC address, which forms the AP's Basic Service Set Identifier (BSSID). Thereafter, other mobile devices that are not using GPS can obtain location data by querying the WPS service.

Device queries involve sending a list of nearby BSSIDs and their signal strength to the WPS. The WPS, as the paper describes, generally responds in one of two ways.

Either it calculates the client position and returns those coordinates, or it returns the geolocations of the submitted BSSIDs (which are associated with AP hardware) and lets the client perform the calculations to determine its location.

Google's WPS does the former while Apple's WPS does the latter. But Apple's system is exceptionally talkative, the boffins suggest.

"In addition to the geolocations of the BSSIDs the client submits, Apple’s API opportunistically returns the geolocations of up to several hundred more BSSIDs nearby the one requested," the paper states.

"In Apple's version, you submit BSSIDs to geolocate, and it returns the geolocation it believes the BSSID is at," said Rye. "It also returns many more (up to 400) that you didn't request that are nearby. The additional 400 were really important for our study, as they allowed us to accumulate a large quantity of geolocated BSSIDs in a short period of time. Additionally, Apple's WPS is not authenticated or rate limited and is free to use."

"Because the precision of Apple’s WPS is on the order of meters, this allows us to, in many cases, identify individual homes or businesses where APs are located," the paper explains. "Out of respect for user privacy, we do not include examples that could publicly identify individuals in the case studies we examine in this work."

Nonetheless, the researchers say, it's "eminently possible" to use the techniques described in the paper to determine the identities of individuals or groups they're part of, "down to individual names, military units and bases, or RV parking spots."

It would seem that the WPS operators would clearly be data controllers in this situation, with responsibilities to all those who own devices with identifiers stored within their system. With reference to the case where the GDPR applied to posting pictures of on social media platforms, it would seem that the users are also potentially liable, as they provide personal information to an organisation that then distributes it.

What is the situation here with respect to the EU General Data Protection Regulation (GDPR)? Does the GDPR apply to the use of WPS at all? Who is a data controller in this case? Is the server operator a data controller? Is the uploader of the data a data controller? Does the fact that they may not be aware of what they are doing have any legal effect?

From comments there are questions about whether a BSSID would meet the definition of personal information. From a previous question it seems that BSSIDs are unique and I think can be persistent. The UK ICO defines personal data as:

Personal data only includes information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question; or
  • who can be indirectly identified from that information in combination with other information.

This, along with the paper that describes a way to locate a natural person from this data, seems to mean that the data shared is personal information.

Some comments and answers have questioned whether this counts as personal data, in the sense of whether it can be used to identify and locate natural people. This is what it says in the use case of User Tracking:

In §7, we found that by querying 10 million BSSIDs daily only 0.06% moved more than one kilometer over the course of a month. Many of the AP vendors from that sample manufacture infrastructure that seldom moves—both commercial and residential Wi-Fi deployments are rarely taken down and set back up once they are installed.

However, certain types of APs are designed for mobility. For example, the router manufacturer GL.iNet [2] produces a variety of small “travel routers” designed to be used for e.g., in hotels, boats, and recreational vehicles.

Of 511,935 GL.iNet BSSIDs we geolocated at any point over the yearlong corpus collection, 23,396 BSSIDs moved more than 1 kilometer, our conservative threshold to detect AP mobility. This 4.6% BSSID movement rate is 76 times greater than the mobility observed in our 10 million randomly sampled corpus, and highlights the different use cases of different router types.

Figure 9 shows that the GL.iNet routers move significantly farther than the movers in the month-long sample. While ≥ 1 kilometer moving routers in the 10 million BSSID sample have a median distance traveled of 4 kilometers, moving GL.iNet routers over the same time period traveled a median 97 kilometers. Over the six months during which we tracked GL.iNet travel routers, the median distance traveled grew to 120 kilometers.

This suggests that when general-use routers move, such as those rented or lent to customers by Internet Service Providers (ISPs), their movements are less pronounced than routers that are specifically designed for movement. While we do not have ground truth, we surmise that these types of routers, when they do move, are often redistributed to customers of the same ISP that live in the same general area from a local customer support office.

While we omit specific details to protect the users we were able to track, movement from BSSIDs represents a serious privacy problem. We observe routers move between cities and countries, potentially representing their owner’s relocation or a business transaction between an old and new owner. While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.

Travel routers, like many GL.iNet devices, compound the problem. Because travel routers are frequently used on campers or boats, we see a significant number of GL.iNet devices move between campgrounds, RV parks, and marinas. They are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.

The ability to detect router movement is a grave threat to individuals who wish to not be tracked. In the next section, we discuss privacy threats to entire populations of sensitive populations and vulnerable people – military members and civilians living through the wars in Ukraine and Gaza.
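To make the two WPS response styles quoted above concrete, here is a small added simulation (not code from the paper, the news article, or any WPS operator). It models a "server computes the position" service and a "server returns AP geolocations and the client computes" service over a constructed AP database with placeholder BSSIDs. The 500 m neighbour radius, the 400-entry cap, and the RSSI-weighted centroid used for the client-side estimate are assumptions for illustration; the point it shows is how many BSSID locations a client learns beyond the ones it actually submitted, which is the surplus the question's privacy concern turns on.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    lat: float
    lon: float


# Constructed AP database. The BSSIDs are locally-administered placeholders
# (02:... prefix) and the coordinates are invented; nothing here is real data.
AP_DB = {ap.bssid: ap for ap in [
    AccessPoint("02:00:00:00:00:01", 51.5000, -0.1200),
    AccessPoint("02:00:00:00:00:02", 51.5004, -0.1196),
    AccessPoint("02:00:00:00:00:03", 51.4996, -0.1204),
    AccessPoint("02:00:00:00:00:10", 51.5010, -0.1210),  # neighbour, never queried
    AccessPoint("02:00:00:00:00:11", 51.4985, -0.1180),  # neighbour, never queried
    AccessPoint("02:00:00:00:00:99", 52.2000, 0.1000),   # far away, must not be returned
]}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def weighted_centroid(observations, locations):
    """RSSI-weighted centroid (an assumed client method): each AP's weight is its
    received power in mW, so the strongest AP pulls the estimate towards itself."""
    num_lat = num_lon = total = 0.0
    for bssid, rssi_dbm in observations.items():
        if bssid not in locations:
            continue  # the service did not know this BSSID
        w = 10 ** (rssi_dbm / 10)  # dBm -> mW
        lat, lon = locations[bssid]
        num_lat += w * lat
        num_lon += w * lon
        total += w
    if total == 0:
        return None
    return (num_lat / total, num_lon / total)


def wps_server_side(query):
    """'Compute on the server' style: only a position comes back, no AP data."""
    locations = {b: (AP_DB[b].lat, AP_DB[b].lon) for b in query if b in AP_DB}
    return {"position": weighted_centroid(query, locations)}


def wps_client_side(query, extra_radius_m=500.0, max_extra=400):
    """'Return AP geolocations' style, plus opportunistic extra neighbours.
    The radius and the cap are assumptions made for this illustration."""
    known = [AP_DB[b] for b in query if b in AP_DB]
    result = {ap.bssid: (ap.lat, ap.lon) for ap in known}
    neighbours = []
    for ap in AP_DB.values():
        if ap.bssid in result:
            continue
        d = min((haversine_m(ap.lat, ap.lon, k.lat, k.lon) for k in known), default=math.inf)
        if d <= extra_radius_m:
            neighbours.append((d, ap))
    neighbours.sort(key=lambda t: t[0])
    for _, ap in neighbours[:max_extra]:
        result[ap.bssid] = (ap.lat, ap.lon)
    return {"locations": result}


def client_estimate(query, response):
    """What the client does with a client-side style response."""
    return weighted_centroid(query, response["locations"])


def leaked_bssids(query, response):
    """BSSIDs the client learned about without asking: the privacy-relevant surplus."""
    return set(response["locations"]) - set(query)


# Constructed scan result: three APs the client can hear, with RSSI in dBm.
SCAN = {"02:00:00:00:00:01": -40, "02:00:00:00:00:02": -50, "02:00:00:00:00:03": -60}

if __name__ == "__main__":
    print("server-side response:", wps_server_side(SCAN))
    resp = wps_client_side(SCAN)
    print("client-side estimate:", client_estimate(SCAN, resp))
    print("BSSIDs disclosed without being requested:", sorted(leaked_bssids(SCAN, resp)))
```

With the constructed database the server-side model discloses nothing but a coordinate, while the client-side model hands back the two nearby APs the client never mentioned and withholds only the one outside the radius; scaling the database up is what turns that surplus into the corpus the paper describes.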

  • 1
    You may want to add somewhere "GDPR (EU General Data Protection Regulation)" Commented May 25 at 12:36
  • 1
    @StevePemberton Thanks, added.
    – User65535
    Commented May 25 at 12:50
  • 1
    Personal data is any information that relates to a natural person – but I don't see how such a WPS with a BSSID→location database would involve any personal data. GDPR might come into play at a later stage, when someone uses the database to predict a person's location.
    – amon
    Commented May 25 at 13:32
  • 1
    @amon - perhaps related, I read about a controversial practice where law enforcement agencies can legally purchase anonymous cell phone tracking data without a warrant, but since the data has essentially "cookies" they can match different tracks on different dates/times to the same person. If they want to track someone they look for tracks that for example go repeatedly to the suspect's house or other known location, once the "cookie" is confirmed as the suspect, they can now track their movements, depending on how often they get updated data. I'm guessing they can get at least daily updates. Commented May 25 at 13:56
  • 1
    @amon I have added a section to the question addressing your point.
    – User65535
    Commented May 25 at 14:13

2 Answers


The paper is about a made-up problem.

When you carry your phone with you, you yourself want to know your location. For that your phone uses GPS, which takes a lot of battery power and doesn't work well in built-up areas like London or New York. Your phone also receives signals from WiFi transmitters. Apple and Google collect the location of these transmitters and provide it to you on request, and your phone can use this to calculate its position.

In addition, to preserve your privacy, Apple sends the information about some area. So someone who listens in can’t conclude your rough location from the data sent.

To collect the location of WiFi routers, phones with GPS turned on detect these routers (that is part of their functionality) and send their location. The information that is sent is, for example, that a WiFi router inside my home is inside my home. So where else could it be? If I move homes then they will find that "the WiFi router in my new home" is in my new home. There is no personal information. Nobody knows where the router that I bought is, only that some router is where it is.

When they say they can identify a business, for example: No, they can’t. They can find there is a router at wherever location it is. Then they can, with no help from this data, find the location on a map, and then they can check what’s at that location. Exactly what a good map allows you to do. They can not say “I want to know the location of Smiths hardware store” and get it from this information. They might as well make up a random location, check on a map where it is, and find out who lives there.

  • Try GPS in Venice. You will have even more problems.
    – Trish
    Commented May 26 at 7:48
  • While I don't entirely disagree with this post, it isn't an answer to the question posed.
    – amon
    Commented May 26 at 8:05
  • @Trish I did. GPS tells you nicely where you are. Your maps unfortunately don’t agree with reality when they show you a bridge to cross some water and the bridge doesn’t actually exist :-(
    – gnasher729
    Commented May 26 at 22:10
    @amon Lots of the consequences are greatly exaggerated and don't exist in real life. You can obviously take some coordinates and use them to find a home and who lives there because of a many-hundred-year-old invention called maps. But there is no connection between a router and its owner known or stored.
    – gnasher729
    Commented May 26 at 22:11
According to the paper "Do European data protection laws apply to the collection of WiFi network data for use in geolocation look-up services?", International Data Privacy Law, Volume 1, Issue 3, August 2011:

WiFi maps do not fall within the scope of existing European privacy legislation. They do not consist of ‘location data’ as defined by the E-Privacy Directive, nor do they consist of ‘personal data’ under the Data Protection Directive, except in highly unusual and very rare circumstances.

Distinctions can be made between IP addresses and WiFi network data. As such, the Article 29 Working Party's reasons for considering IP addresses to be personal data are unlikely to apply to WiFi mapping.

Open discussion on this complex issue should be initiated between all interested parties to ensure a proportionate, industry-wide response and to avoid individual countries' regulators adopting conflicting positions across Europe.

Whilst the paper was written a while ago now, there may have been some changes, though I imagine Apple and others comply with existing legislation.

Also, the UK's Information Commissioner's Office (ICO) says the following about location data:

You can only process location data (information from the network or service about the location of a phone or other device) with the authority of the network, service or value-added service provider, and only if:

  • It is anonymous; or
  • you have consent to use it for a value-added service.

Just to add: there are a bunch of other companies in addition to Apple that collect BSSIDs, such as Google, Skyhook, and others.
