Tracking is no longer just on the rails for Boston's MBTA

The advertising contractor for metropolitan Boston’s subway rail system is launching a program to track riders with smart beacon technology. The company emphasizes that it is voluntary and anonymous, but privacy experts are not convinced

Big Conductor could be watching you … but only if you want him (or her) to.

That, of course, is not the way a press release a couple of weeks ago put it, announcing the launch of a pilot program by private contractor Intersection to track riders using the Massachusetts Bay Transportation Authority (MBTA) system in 10 of its stations in Boston and Cambridge.

The pitch from Intersection, an “urban experience” company created through a merger of media company Titan and technology firm Control Group, is that the program’s goals are to improve the rider experience and to help companies that advertise with the MBTA “increase engagement and interaction with commuters” who are near their stores – targeted ads, in other words.

This will be accomplished through what Intersection says is “a secure, closed network of Gimbal Bluetooth Smart beacons” that will collect no personally identifiable information (PII), since they are “transmit-only Bluetooth low-energy devices that send out a signal that can only be used by user-enabled apps running on mobile devices to trigger location-specific content.”

The company said riders will be tracked only if they, “download an app that utilizes the technology and opt in, to allow the app to receive the beacon’s signal.”

Gimbal, in a prepared statement, emphasized not only the anonymity of the program but also the choices available to riders, who can disable it by turning off location services or Bluetooth on their phones.

The company said it is TRUSTe certified and a member of the Future of Privacy Forum (FPF).

All of which sounds like no surreptitious invasion of personal privacy, since even those who agree to be tracked will remain anonymous.

Not necessarily, according to a number of privacy experts, who say the announced safeguards are too vague to guarantee anonymity.

Privacy and encryption expert Bruce Schneier, CTO of Resilient Systems, said in a world of increasing surveillance by both the private and public sectors, this program probably ranks on the low end of the risk to privacy, although “it depends on the details.” But he said it is difficult to preserve anonymity when downloading an app.

“Can you get into the iTunes store without a credit card?” he asked. “I can’t.”

Bruce Schneier, CTO, Resilient Systems

Others are more emphatic about the privacy risks. Lee Tien, senior staff attorney at the Electronic Frontier Foundation, said even if the beacons don’t collect any data, “it’s unclear to me what the app does with any information it collects. Unless that’s made clear, those who volunteer won’t have done so in an informed way.

“We know that apps also can surreptitiously collect other data on the phone, which can be linked to the ID of the phone,” he said.

And Rebecca Herold, CEO of The Privacy Professor and cofounder of SIMBUS360, said apps are, “some of the most privacy invasive technologies around because of all the data they can suck up from the device – about what the device user is doing, whereabouts, etc., with absolutely no direct interaction with the device users to ask to have data explicitly provided by them.”

Herold and others said there is far too much wiggle room in terms like “personal data,” “consumer information” and “closed network.”

“What does a ‘closed network’ mean?” she said. “That no one but their business employees are able to access it? It would imply that they do not outsource access to the data to any third parties, but they do not explicitly state this.”

Rebecca Herold, CEO, The Privacy Professor and cofounder, SIMBUS360

Things like that also trouble Dennis Devlin, cofounder, CISO and CPO of SAVANTURE. Even though the company says the system will not collect any PII and will be on a closed network, there is clearly some collection going on if riders can receive push notifications from advertisers. “The notice is vague as to exactly what is being collected and how it will be used after collection, and there is no access provision for individuals to see their own data,” he said.

He added that, “there is no such thing as guaranteed anonymity when it comes to geolocation data collected from a mobile device.”

The involvement of an app, or apps, for the program is apparently based on vendors advertising through Intersection with the MBTA. While the press release from Intersection says, “a user must download an app that utilizes the technology,” Caitlyn Kasunich, a media representative for Intersection, said there is, “no overarching pilot program app; there will be third-party apps that become part of the program.”

Dennis Devlin, cofounder, CISO and CPO, SAVANTURE 

Indeed, Jason B. Johnson, deputy press secretary of the MBTA, said Intersection is the contracted, “manager of the T’s advertising program. As such, the Pilots Beacon Initiative was not created by the T.”

But Herold noted that a key phrase from the Intersection press release is that the program is designed to show how, “technology can enable citizens to have more unique, tailored experiences with both cities and brands.” She said there is no way to “tailor” experiences without an app that connects individuals to the program, and without PII being involved.

Kelsey Finch, policy counsel at FPF, agrees that is the key element that should concern users.

“Beacons themselves cannot pinpoint smartphone position and do not track smartphone owner movement,” she said. “They can only detect that a Bluetooth-enabled device has entered a particular zone.”

But while the beacons themselves don’t collect any data or send messages, “they enable an app associated with them to understand more precisely where you, or your phone, are,” she said. “It’s the app that collects the data and uses it to send users messages when they are near a particular beacon. As to whether apps can promise not to collect PII, that’s a different question.”
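The split that Intersection’s description and Finch’s remarks both draw, a transmit-only beacon on one side and a listening app on the other, is easy to see in code. The following is an added illustration, not code from Intersection, Gimbal or the MBTA. It assumes the widely used iBeacon advertising layout (Apple company ID, 16-byte UUID, major, minor, calibrated TX power); the page does not describe Gimbal’s own frame format, so that layout, the sample UUID, the zone table and the app-side device identifier are all constructed for the example.

```python
"""Toy model of a transmit-only BLE beacon and the opted-in app that hears it.

The beacon frame carries only its own identity. Everything linking a rider to
a place and a time is produced on the app side, which is the point the
privacy experts quoted above make.
"""
import struct
import uuid

# BLE advertising data is a sequence of AD structures: [len][type][data...].
MANUFACTURER_DATA = 0xFF
APPLE_COMPANY_ID = 0x004C          # sent little-endian (0x4C 0x00) on the wire
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15

# Constructed sample identity; a real deployment would use its own UUID.
SAMPLE_UUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")


def build_ibeacon_adv(beacon_uuid: uuid.UUID, major: int, minor: int, tx_power: int) -> bytes:
    """Build the advertising payload a beacon broadcasts: flags AD + manufacturer AD.

    Note what is absent: nothing about any phone or rider is in this frame.
    """
    flags = bytes([0x02, 0x01, 0x06])  # LE General Discoverable, BR/EDR not supported
    body = (struct.pack("<H", APPLE_COMPANY_ID)
            + bytes([IBEACON_TYPE, IBEACON_LEN])
            + beacon_uuid.bytes
            + struct.pack(">HHb", major, minor, tx_power))  # major/minor big-endian, tx signed
    return flags + bytes([len(body) + 1, MANUFACTURER_DATA]) + body


def parse_ibeacon(adv: bytes):
    """Walk the AD structures; return (uuid, major, minor, tx_power) or None.

    Malformed or truncated payloads return None rather than raising.
    """
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            return None  # zero-length AD or structure runs past the buffer
        ad_type, data = adv[i + 1], adv[i + 2:i + 1 + length]
        i += 1 + length
        if ad_type != MANUFACTURER_DATA or len(data) != 25:
            continue
        (company,) = struct.unpack("<H", data[:2])
        if company != APPLE_COMPANY_ID or data[2:4] != bytes([IBEACON_TYPE, IBEACON_LEN]):
            continue
        major, minor, tx_power = struct.unpack(">HHb", data[20:25])
        return uuid.UUID(bytes=data[4:20]), major, minor, tx_power
    return None


def estimate_distance_m(tx_power_dbm: int, rssi_dbm: int, path_loss_exp: float = 2.0) -> float:
    """Log-distance path-loss model; tx_power is the beacon's calibrated RSSI at 1 m.

    This is how an app turns "a beacon is in range" into "you are about N metres
    from it", the refinement Finch describes. The beacon never computes this.
    """
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10 * path_loss_exp))


# Constructed zone table: what an advertiser's app would ship with.
ZONES = {
    (SAMPLE_UUID, 1, 101): "Park Street, inbound platform",
    (SAMPLE_UUID, 1, 102): "Park Street, retail corridor",
}


class RiderApp:
    """The opted-in app: the only party in this model that records anything."""

    def __init__(self, device_id: str):
        self.device_id = device_id   # assumption: an app-side identifier for the phone
        self.log = []                # (timestamp, device_id, zone, distance_m)

    def on_advertisement(self, adv: bytes, rssi: int, now: float):
        """Handle one received advertisement; return a push message or None."""
        parsed = parse_ibeacon(adv)
        if parsed is None:
            return None
        beacon_uuid, major, minor, tx_power = parsed
        zone = ZONES.get((beacon_uuid, major, minor))
        if zone is None:
            return None  # unknown beacon: nothing to do, nothing recorded
        distance = round(estimate_distance_m(tx_power, rssi), 1)
        # The sighting record is where identity, place and time get joined.
        self.log.append((now, self.device_id, zone, distance))
        return f"Near {zone}: an offer from a nearby advertiser"


def demo():
    """Run one beacon sighting through the app and return what the app kept."""
    app = RiderApp(device_id="adid-0000-constructed")
    adv = build_ibeacon_adv(SAMPLE_UUID, 1, 101, -59)
    message = app.on_advertisement(adv, rssi=-79, now=1000.0)
    return app.log, message


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the asymmetry in one line of output: the 30-byte frame that went over the air held a UUID and two integers, while the app’s log entry holds a device identifier, a named station zone, an estimated distance and a timestamp. Whether that log stays on the phone or is sent to the advertiser is exactly the detail the press release leaves open.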

Stories by Taylor Armerding