[B]URLINGTON โ The revelation that Church Street Marketplace uses its free Wi-Fi network to monitor foot traffic has raised questions about how the data collected could be used.
Church Street Marketplace, a city department, announced in June that it would start providing a free Wi-Fi network. The Burlington Free Press reported Tuesday that the network tracks Wi-Fi-enabled devices in range by using each deviceโs media access control address, regardless of whether visitors log into the network.
That data provides far more accurate foot traffic numbers than the marketplace has had access to previously, making it an invaluable tool for the businesses that line Burlingtonโs retail hub, said Ronย Redmond, executive director of Church Street Marketplace.
A 2015 Pew Research survey found that 68 percent of adults in the U.S. have a smartphone, meaning a cellphone with Internet access.
Redmond said that eventually he wants to compare the cellphone data with sales by category of business, so retailers in the marketplace can see how they performed against foot traffic totals and sales by other similar businesses.
Many of Church Streetโs small businesses could not afford to do that type of data analytics on their own, and the marketplace began doing the cellphone tracking to help them compete with online and suburban retailers, Redmond said.
Burlington area resident Bradley Holt, a software developer who has worked in data analytics, said itโs concerning that peopleโs devices are being tracked without them logging into the system and without any public notification.
Users who log into the Church Street Wi-Fi network are asked to accept the terms of use and privacy policy. That allows the network to collect far more detailed data on a device than what the marketplace can track passively, but only with the userโs permission.
For Holt the problem with the passive data collection is itโs not clear what privacy protections there are for people walking down the street with a smartphone in their pocket, and no terms of use for what can be done with the data once itโs collected, he said.
Cellphones that can connect to Wi-Fi send out probes scanning for networks to join. The probes are sent using a device’s MAC address, which is a unique identifier.
Redmond said the Church Street Wi-Fi network collects only aggregated data on the number of unique MAC addresses that come in range of the system. It lacks the ability to isolate specific MAC addresses, he said.
Furthermore, the Church Street Wi-Fi canโt trace a MAC address back to the individual subscriber, said T.J. Phillips, a consultant who helped set up the network.
Redmond told the Free Press that would make the passively collected data useless to law enforcement, but Holt said thatโs not necessarily true.
If investigators wanted to determine whether a person was on Church Street at the time of a crime, or as part of the timeline leading up to a crime, the MAC address could be traced to an individual through the deviceโs manufacturer, Holt said.
While Church Street Marketplace lacks the sophistication to go beyond aggregated MAC addresses, Phillips acknowledged that the individual MAC addresses are likely swept into the cloud-based system used to track them.
The cloud-based analytics service was purchased from Cisco Meraki. It uses nine networked Cisco Meraki access points to collect data from all Internet-enabled devices that come in range.
โI suppose if they were presented with a subpoena โ I donโt know. I certainly canโt answer for them,โ Phillips said.
โWe have no access to (individual MAC addresses). Cisco may or may not, and how easily theyโll provide that I couldnโt begin to guess. They donโt provide it to us, and weโre paying for (the system),โ he added. VTDigger was unable to reach a spokesperson from Cisco Meraki.
Using subpoenas to obtain the MAC address of a suspectโs cellphone from the manufacturer, and then getting Cisco to provide data on when that device was on Church Street, is probably not the easiest way for law enforcement to establish someoneโs presence.
Security cameras are common on the four-block marketplace, and police have said detectives regularly access that footage for burglary and theft investigations.
Given the current legal battle between Apple and the FBI over accessing an encrypted iPhone belonging to a suspect in the terrorist attack in San Bernardino, California, it doesnโt appear likely that Apple would willingly comply with a request to identify the MAC address of a subscriber.
In fact, as Holt pointed out on Twitter, Apple says it has taken the step of randomizing usersโ MAC addresses specifically to avoid the type of passive data collection Church Street Marketplace is doing.
On a Web page detailing the security features of its iOS8 operating system, Apple states that, โAn information disclosure existed because a stable MAC address was being used to scan for WiFi networks. This issue was addressed by randomizing the MAC address for passive WiFi scans.โ
While that likely prevents people with newer iPhones from being swept into the data collected in Wi-Fi scans, some technology observers question the efficacy of Appleโs randomization.
Itโs also unclear what impact MAC randomization might be having on the integrity of Church Street Marketplaceโs data. The system is supposed to create an unduplicated count of MAC addresses it picks up, so it could discern if the same device returned multiple times.
Holt said another concern he has about the Church Street Marketplace passive data collection is that it could be used to build a profile around the shopping habits of individuals based on their phoneโs MAC address.
Phillips and Redmond said the Cisco Meraki system does not allow them to do that. Even if Cisco Meraki were to go into the data stored in its cloud and extract data to build a profile around a MAC address, the data would not be illuminating for digital marketers, Phillips said.
Thatโs because the system canโt track someoneโs location on the marketplace with any greater specificity than which of the four blocks the person visited, according to Phillips. Beyond that, all it is tracking is when the visit happened and its duration, he said.
โThey donโt know what you did there,โ Phillips said. โAll they can see is a unique device was visible to the network and then it wasnโt.โ
People who want to avoid the passive data collection can simply turn off their phoneโs Wi-Fi, which stops the device from sending out the probe signals swept up by the Cisco Mareki system. There are also a number of apps designed to randomize or block a user’s MAC address.
Correction: Ron Redmond’s name was misspelled in an earlier version of this story.
