University Tracks Students' Movements Using WiFi, But Says It's OK Because It's Not Tracking Students

from the slippery-slope dept

One of the many revelations from the Snowden files was that Canada's spy agency has been tracking people as they connect to WiFi in different public locations. And if Canada is doing it, you can be pretty sure the NSA and GCHQ are doing the same, since neither is known for being backward in using whatever means it can to snoop on huge numbers of people. Of course, you'd expect spy agencies to be up to these kinds of tricks, and you might also be unsurprised to learn that shops are also tracking you using your WiFi connection. But we might have hoped that universities would have been a little more sensitive to privacy issues than the following news on the Australian ABC News site suggests is the case:

"The University of Melbourne has moved to allay privacy concerns amid revelations it is tracking students through their wi-fi usage.

"The university said the practice, which looked at where people were moving around campus, helped institutions improve retention rates and the experience of students."

According to the article, the university is using the data for the following reason:

"The university is trying to work out where people move across the campus to help with planning the new Metro Rail project, which will run through the middle of the campus."

That's certainly a reasonable goal, but the university seems blissfully unaware of the privacy dangers of its data gathering. In particular, the fact that it is interested in which campus room students are in at any given time means that it could probably work out the identities of those using a particular WiFi system by correlating the rooms visited with the different courses taken by each student. The university would then have a record of where all its students went during the day, who they met, and for how long. Apparently meaningless location information is actually incredibly revealing.

There's no suggestion that the university is doing anything like this, or even thinking about doing it. But once advances in technology mean that something is theoretically possible, the pressure to put it into practice can become irresistible, as other students have discovered.
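
The correlation described above can be measured by whoever holds the data before deciding what to retain. The following is an added example, not code from the article or the university: for each pseudonymised device in a constructed log, it counts how many students' enrolments are consistent with the lecture rooms the device was seen in. The timetable, enrolment records, device ids and the daily-rotation step are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the article). Slots are "Day-HH".
TIMETABLE = {  # course -> set of (slot, room) where it is taught
    "MATH101": {("Mon-09", "R1"), ("Wed-09", "R1")},
    "PHYS110": {("Mon-11", "R2"), ("Thu-14", "R3")},
    "HIST200": {("Tue-10", "R4"), ("Thu-14", "R5")},
    "CHEM120": {("Mon-11", "R6"), ("Wed-13", "R2")},
}
ENROLMENT = {  # student -> courses taken
    "student_a": {"MATH101", "PHYS110"},
    "student_b": {"MATH101", "HIST200"},
    "student_c": {"MATH101", "PHYS110"},
    "student_d": {"CHEM120", "HIST200"},
}
SIGHTINGS = [  # (pseudonymised device id, slot, room), as an AP log might hold
    ("dev-1", "Mon-09", "R1"), ("dev-1", "Mon-11", "R2"), ("dev-1", "Thu-14", "R3"),
    ("dev-2", "Mon-09", "R1"), ("dev-2", "Tue-10", "R4"),
    ("dev-3", "Mon-09", "R1"),
    ("dev-4", "Mon-11", "R6"), ("dev-4", "Thu-14", "R5"),
    ("dev-5", "Fri-12", "Cafe"),
]


def courses_seen(sightings):
    """Map each pseudonym to the courses whose timetabled slot and room it appeared in."""
    taught = {entry: course for course, entries in TIMETABLE.items() for entry in entries}
    seen = defaultdict(set)
    for device, slot, room in sightings:
        courses = seen[device]  # registers the device even if it never enters a class
        if (slot, room) in taught:
            courses.add(taught[(slot, room)])
    return seen


def anonymity_sets(sightings):
    """For each pseudonym, the students whose enrolment covers every course seen."""
    return {
        device: {s for s, taken in ENROLMENT.items() if courses <= taken}
        for device, courses in courses_seen(sightings).items()
    }


def at_risk(sightings, k_min=2):
    """Pseudonyms whose anonymity set is smaller than k_min, with its size.

    k_min=2 flags only unique matches; a real audit would use a larger value.
    """
    return {d: len(s) for d, s in anonymity_sets(sightings).items() if len(s) < k_min}


def rotate_daily(sightings):
    """Simulate a pseudonym that changes each day, so days cannot be linked."""
    return [(f"{device}@{slot.split('-')[0]}", slot, room) for device, slot, room in sightings]


if __name__ == "__main__":
    print("stable pseudonyms:", at_risk(SIGHTINGS))
    print("daily rotation   :", at_risk(rotate_daily(SIGHTINGS)))
```

On this sample, two of the five devices match exactly one student when the pseudonym is stable; rotating the pseudonym daily leaves one, because a course with a single enrolled student still singles its attendee out.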

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments


  • Anonymous Coward, 16 Aug 2016 @ 3:58am

    The campus also includes accommodation, which makes this tracking very powerful for determining sexual orientation etc.

  • PaulT, 16 Aug 2016 @ 4:32am

    "The university is trying to work out where people move across the campus"

    Have you tried asking them? OK, there might be concerns about accuracy there, but you wouldn't be facing any "revelations" if you'd asked them up front.

    "There's no suggestion that the university is doing anything like this, or even thinking about doing it. But once advances in technology mean that something is theoretically possible, the pressure to put it into practice can become irresistible, as other students have discovered."

    The other issue, of course, is that it's not even relevant what the current university administration actually do. If the data is accessible by anybody else, they can use it for whatever they wish, whether that was the original intent or not. Plus, whenever current management is replaced, will the new administration be so honest?

    That's why this is always a concern - "trust us, we won't do that" doesn't help if the data is compromised or if the next guy in charge has a different idea on how to run things. You might genuinely state that you won't abuse any new powers, but there's always someone else who will.

    • David, 16 Aug 2016 @ 5:49am

      Re:

      To be sure, the basic mitigating ethics governing large-scale data collection always tend to amount to "don't be evil yet", gradually supplanted by "no-one could have expected us to let all this potential go to waste".

  • Anonymous Coward, 16 Aug 2016 @ 4:58am

    who needs magic when you have wifi

    they have means to create a marauder's map

  • Quiet Lurcker, 16 Aug 2016 @ 5:33am

    "The university said the practice, which looked at where people were moving around campus, helped institutions improve retention rates and the experience of students."

    How are these things even related?

    "According to the article, the university is using the data for the following reason:

    "The university is trying to work out where people move across the campus to help with planning the new Metro Rail project, which will run through the middle of the campus."

    Again, I see no relation, except insofar as the location data might suggest where not to run the line in the interest of not putting people at risk.

  • Anonymous Coward, 16 Aug 2016 @ 5:51am

    Other universities too

    The university I work at had something similar in its strategic IT plan. That was under a different director though, so it might have been dropped.

    The idea was both for lecture attendance (more for course evaluation than student assessment) and to identify high traffic/utilization areas on campus.

  • Step, 16 Aug 2016 @ 5:52am

    The practice is not confined to the University of Melbourne. There was an article in the Sydney Morning Herald about a week ago with the provocative title "Students be afraid: big chancellor is watching you". The online version is at:

    http://www.smh.com.au/national/university-students-you-are-being-watched-20160811-gqqet7.html

    "At the University of Melbourne, Wi-Fi routers track students as they move through the campus and leave a digital trail with their mobile phones. And at the University of Sydney, students' online activity is matched with their demographic background to predict who might drop out. It's called "learning analytics" and universities say it is the key to improving retention rates and the student experience."

    Elsewhere the article adds:

    "The University of Sydney is also trialling an initiative which uses the data created by students to identify those at risk of dropping out. It uses their enrolment details, which could include demographic data, and information about their engagement during the first six weeks of semester. This engagement data is based on student's interaction with university resources such as videos, reading materials and responses to online questions."

    Big Chancellor indeed!

    If those two universities are doing such things chances are others are as well. Or soon will.

    The article goes on to note that at Australia's RMIT university "a team monitors...how often students are logging into the learning management system, submitting assignments and attending classes" and "reaches out to those who appear disengaged" while at the University of Wollongong "the number of times you borrow a book might help determine whether you are an at-risk student".

    Big Chancellor is coming!

  • Anonymous Coward, 16 Aug 2016 @ 6:06am

    There's no ethical problem with doing this...

    If the university gets the informed consent of the observed first. Of course, then students may say "no" and that would decrease the value of the study as well as making the university work harder (otherwise known as "do its job", but it seems no authoritarian institution likes actually doing its job these days). And to get consent they would probably have to have a data deletion policy, so they wouldn't be able to profit from mining the data collected for purposes other than the currently stated one.

  • Ninja, 16 Aug 2016 @ 6:41am

    Any form of tracking without consent should be illegal (excluding investigative law enforcement work properly authorized by a court). And in this case you can't protect yourself with standard practices (ie: vpn). I'm guessing you'd need to spoof information on your device (ie: MAC) and prevent other data leakage that's somewhat beyond any average user.

    • John Fenderson, 16 Aug 2016 @ 6:49am

      Re:

      Spoofing your MAC address might work, but you'd need to change it frequently. Perhaps every 15 minutes or so? The only other method I can think of to avoid this would be to turn your WiFi off.

      • Anonymous Coward, 16 Aug 2016 @ 7:45am

        Re: Re:

        Do people really keep their wifi on all the time? I only turn mine on if I have a slew of updates, otherwise it isn't worth the little extra battery drain. I do have "unlimited" data so I only really care about speed...

        • Stephen, 16 Aug 2016 @ 7:52am

          Re: Re: Re:

          "Do people really keep their wifi on all the time?"

          Since many if not most people seem to walk around with their smartphones in their hands, it's a fair bet those who keep their wifi off most of the time are in a minority.

        • John Fenderson, 16 Aug 2016 @ 8:04am

          Re: Re: Re:

          Personally, I use Android and Tasker to accomplish a compromise. My phone occasionally "sniffs" the wifi signals in the area (it does not send any wifi signals out when it does this), and if it sees an AP that is on my list of approved access points, it turns the wifi on and connects to that point automatically. When I leave the AP's range, it turns the wifi back off.

          This way my wifi is effectively off when I'm out and about, but I don't have to remember to turn it on or off myself.

          • Chuck, 16 Aug 2016 @ 8:29am

            Re: Re: Re: Re:

            The problem with this is that, if you were a student at the university, then your phone would probably still have the school's network in your "approved access point" list and still connect to it.

            This is the problem. WiFi security revolves around at least some minor level of trust. When it's the network itself that's tracking you, no amount of software security can help you.

            • John Fenderson, 16 Aug 2016 @ 8:42am

              Re: Re: Re: Re: Re:

              Yes, this is precisely correct.

              I was speaking of the more general case. After all, some retail stores have started using the exact same sort of tracking of anyone that comes into their stores.

          • Anonymous Coward, 16 Aug 2016 @ 4:02pm

            Re: Re: Re: Re:

            Haven't looked at this for decades, but the moment a receiver receives, it does a transmission by reflection. So, just by "sniffing" you send out a signal (momentary though it may be and small though it be). Mind you, with so many active sites around you, it may not be possible to actually pick up said signal anyway.

            • John Fenderson, 16 Aug 2016 @ 9:50pm

              Re: Re: Re: Re: Re:

              I'm not sure what you're referring to here. When my receiver is sniffing, it is only listening. It is not sending out a radio transmission at all. (I just now confirmed this with some test equipment.)

              Your reference to "transmission by reflection" is vague and I can think of a couple of things that you might be referring to, but none of them seem very relevant to this particular issue.

              What am I missing?

          • Stephen, 17 Aug 2016 @ 2:06am

            Re: Re: Re: Re:

            "My phone occasionally "sniffs" the wifi signals in the area (it does not send any wifi signals out when it does this)..."

            If your phone is doing a handshake with a cell tower when it does that "sniffing", then it is necessarily exchanging data packets with the tower.

            • nasch, 17 Aug 2016 @ 7:19am

              Re: Re: Re: Re: Re:

              "If your phone is doing a handshake with a cell tower when it does that "sniffing", then it is necessarily exchanging data packets with the tower."

              He's talking about wifi, so no cell tower involved.

            • John Fenderson, 17 Aug 2016 @ 7:31am

              Re: Re: Re: Re: Re:

              Nasch is right, I'm not talking about cell towers. Also, my Wifi is not engaging in any handshaking to do this. It's just listening for the AP beacons.

          • nasch, 17 Aug 2016 @ 7:18am

            Re: Re: Re: Re:

            "My phone occasionally "sniffs" the wifi signals in the area (it does not send any wifi signals out when it does this), and if it sees an AP that is on my list of approved access points, it turns the wifi on"

            How does it check for wifi without turning wifi on?

            • John Fenderson, 17 Aug 2016 @ 7:34am

              Re: Re: Re: Re: Re:

              It does turn the wifi on briefly to listen, but transmits nothing when it does so. It uses the radio chip as a receiver only. The rest of the operating system does not think the radio is on when it does this.

              • Stephen, 18 Aug 2016 @ 7:10pm

                Re: Re: Re: Re: Re: Re:

                "It does turn the wifi on briefly to listen, but transmits nothing when it does so."

                So your phone is capturing data packets being broadcast by a wifi router but not sending any of its own?

        • PaulT, 17 Aug 2016 @ 12:26am

          Re: Re: Re:

          You answered your own conundrum there. *You* have unlimited data so *you* don't care about the wifi. Others don't, or have maxed out their "unlimited" quotas, etc., so they use wifi. *You* care about the battery drain, others value the wifi data more.

          These things tend to be more understandable when you don't assume everyone else has the same needs and resources as you do.

      • Quiet Lurcker, 16 Aug 2016 @ 7:45am

        Re: Re:

        Or not use the public wi-fi. I take my smart-phone places where there's free wi-fi. If I don't connect, I don't send any information, and the only information that can be gathered from my phone is that a smart phone with such-and-so MAC address sent a ping to identify wi-fi sources in the vicinity. Now, more than one access point being available might be a bit problematic. Relative signal strengths acquired from a few different points for a given MAC address might enable some reasonably close position estimation (subject to such things as time stamp resolution vs. speed of light for a given distance; effects of human body/furnishings/other devices/etc. on signal strength; positions in 3-dimensional space of the access points as compared to one another, etc., etc...)

        • John Fenderson, 16 Aug 2016 @ 7:59am

          Re: Re: Re:

          "the only information that can be gathered from my phone is that a smart phone with such-and-so MAC address sent a ping to identify wi-fi sources in the vicinity."

          Right, which means that it's possible to identify and track the movements of your cell phone, even if you don't connect to anything.

        • Tom Mink, 16 Aug 2016 @ 12:07pm

          Re: Re: Re:

          If your device pings the access point to see if there's a network, that's enough to establish your location even without establishing a connection. By default most wifi enabled devices like to introduce themselves to every router within shouting distance.

    • Padpaw, 16 Aug 2016 @ 6:45pm

      Re:

      Not a should but in most states it is illegal.

  • Chuck, 16 Aug 2016 @ 8:24am

    Stalker's Wet Dream

    Never mind the potential for abuse by school officials, either of their own accord or at the behest of the NSA and their ilk.

    What about a stalker? What about a hacker? What about both?

    Can you imagine a stalker who also happens to be a decent hacker getting their hands on this data? Live tracking of their potential victim at their fingertips. Holy hell what a bad idea.

    As with so many privacy issues today, the question is not "can you trust the authorities with this information?" The question is "can you trust every single person on earth with this information?" Everything CAN be hacked, no exceptions, no exemptions, ever, period. The only way to truly secure data is for the data to not exist in the first place.

    • John Fenderson, 16 Aug 2016 @ 8:38am

      Re: Stalker's Wet Dream

      This has been trivially possible for a very long time now. The only thing that's happening here that's new is that it's being done by institutions on a wide-scale basis. But the technique they're using is as old as Wifi itself.

      By the way, this can't even be considered "hacking". All of the information being obtained is being done through known and accepted protocols being used in the intended way.

      The issue, really, is that data, legitimately obtained for one purpose, is being used for an entirely different purpose without people's knowledge -- let alone consent.

      So, as with many of these things, the real question is "who owns the data"? Is it "your" data, because it is about you, that you've "licensed" for a particular purpose? Or is it the AP owner's data, because they collected what was freely given, and they can use for any purpose they wish?

  • Anonymous Coward, 16 Aug 2016 @ 9:37am

    This is an interesting use of the technology but I don't understand what exactly can be done about it. So to me it's just more evidence of people using fear tactics to whip people up into an unnecessary frenzy about big brother and his evil intentions - ooooo scary!

    The wifi system by its very nature knows where your device is physically located and by that it knows where you (or the person holding your device) is located. Thus the administrator(s) of that system know where you/your device is at all times within a reasonable degree of accuracy. "Oh but I don't use wifi, I turn it off" - well your carrier's data system knows where you are too so good luck with that.

    There's no such thing as location privacy if you have a cellphone in your possession that's turned on (wifi or not). So stop living your lives in fear. Big brother is always watching. He always has been in some form or another but you've managed to survive despite that fact. Calm down folks. That said, when you hear of cases of someone or some organization taking the ability of this and other types of technology too far - then you can scream to the hilltops. For now, nothing to see here - move on.

    • Anonymous Coward, 16 Aug 2016 @ 9:58am

      Re:

      There is a difference between a system keeping short term records of a device's location, so that it can be communicated with, and some organization collecting that data into a database where they can analyse it for all sorts of information. The first is transient necessary information, and could possibly be used to locate you right now, the second, on a residential campus is going to capture much more than just attendance at lectures.
      Do you really want university staff to be able to figure who is sexually active, and with which taste in partners?

    • John Fenderson, 16 Aug 2016 @ 9:55pm

      Re:

      "For now, nothing to see here - move on."

      I couldn't disagree more. If we just ignore these issues now, they will be decided by default in a way that is very unfavorable for individuals and will become extremely difficult to change.

      Now is exactly the time to raise a big fuss about all of this.

  • Anonymous Coward, 16 Aug 2016 @ 3:33pm

    Back when I was in uni, an enterprising student whipped up a program that tracked where any username that was logged in to the mainframe was located, and outputted an ascii map of the location (a modem for remote dial-up, and a map of the lab with an arrow pointing at the specific computer for on-campus access).

    This software was extremely useful for finding and meeting up with friends (I even wrapped it in a csh script to alert me if one of my friends was logged in in a nearby lab).

    Eventually the university found out and banned the software. Reportedly, some enterprising students had started using it as stalking software.

    Sounds like the more things change, the more they stay the same.
