University Tracks Students' Movements Using WiFi, But Says It's OK Because It's Not Tracking Students
from the slippery-slope dept
One of the many revelations from the Snowden files was that Canada’s spy agency has been tracking people as they connect to WiFi in different public locations. And if Canada is doing it, you can be pretty sure the NSA and GCHQ are doing the same, since neither is known for being backward in using whatever means it can to snoop on huge numbers of people. Of course, you’d expect spy agencies to be up to these kinds of tricks, and you might also be unsurprised to learn that shops are also tracking you using your WiFi connection. But we might have hoped that universities would have been a little more sensitive to privacy issues than the following news on the Australian ABC News site suggests is the case:
The University of Melbourne has moved to allay privacy concerns amid revelations it is tracking students through their wi-fi usage.
The university said the practice, which looked at where people were moving around campus, helped institutions improve retention rates and the experience of students.
According to the article, the university is using the data for the following reason:
The university is trying to work out where people move across the campus to help with planning the new Metro Rail project, which will run through the middle of the campus.
That’s certainly a reasonable goal, but the university seems blissfully unaware of the privacy dangers of its data gathering. In particular, the fact that it is interested in which campus room students are in at any given time means that it could probably work out the identities of those using a particular WiFi system by correlating the rooms visited with the different courses taken by each student. The university would then have a record of where all its students went during the day, who they met, and for how long. Apparently meaningless location information is actually incredibly revealing.
There’s no suggestion that the university is doing anything like this, or even thinking about doing it. But once advances in technology mean that something is theoretically possible, the pressure to put it into practice can become irresistible, as other students have discovered.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: australia, privacy, students, tracking, wifi
Companies: university of melbourne
Comments on “University Tracks Students' Movements Using WiFi, But Says It's OK Because It's Not Tracking Students”
The campus also includes accommodation, which make this tracking very powerful for determining sexual orientation etc.
“The university is trying to work out where people move across the campus”
Have you tried asking them? OK, there might be concerns about accuracy there, but you wouldn’t be facing any “revelations” if you’d asked them up front.
“There’s no suggestion that the university is doing anything like this, or even thinking about doing it. But once advances in technology mean that something is theoretically possible, the pressure to put it into practice can become irresistible, as other students have discovered.”
The other issue, of course, is that it’s not even relevant what the current university administration actually do. If the data is accessible by anybody else, they can use it for whatever they wish, whether that was the original intent or not. Plus, whenever current management is replaced, will the new administration be so honest?
That’s why this is always a concern – “trust us, we won’t do that” doesn’t help if the data is compromised or if the next guy in charge has a different idea on how to run things. You might genuinely state that you won’t abuse any new powers, but there’s always someone else who will.
Re: Re:
To be sure, the basic mitigating ethics governing large-scale data collection always tend to amount to “don’t be evil yet”, gradually supplanted by “no-one could have expected us to let all this potential go waste”.
who needs magic when you have wifi
they have means to create a marauder’s map
The original story is from here:
http://www.smh.com.au/national/university-students-you-are-being-watched-20160811-gqqet7.html
How are these things even related?
Again, I see no relation, except insofar as the location data might suggest where not to run the line in the interest of not putting people at risk.
Other universities too
The university I work at had something similar in its strategic IT plan. That was under a different director though, so it might have been dropped.
The idea was both for lecture attendance (more for course evaluation than student assessment) and to identify high traffic/utilization areas on campus.
The practice is not confined to the University of Melbourne. There was an article in the Sydney Morning Herald about a week ago with the provocative title “Students be afraid: big chancellor is watching you”. The online version is at:
http://www.smh.com.au/national/university-students-you-are-being-watched-20160811-gqqet7.html
Elsewhere the article adds:
Big Chancellor indeed!
If those two universities are doing such things chances are others as well. Or soon will.
The article goes on to note that at Australia’s RMIT university “a team monitors…how often students are logging into the learning management system, submitting assignments and attending classes” and “reaches out to those who appear disengaged” while at the University of Wollongong “the number of times you borrow a book might help determine whether you are an at-risk student”
Big Chancellor is coming!
There's no ethical problem with doing this...
If the university gets the informed consent of the observed first. Of course, then students may say “no” and that would decrease the value of the study as well as making the university work harder (otherwise known as “do it’s job”, but it seems no authoritarian institution likes actually doing it’s job these days). And to get consent they would probably have to have a data deletion policy, so they wouldn’t be able to profit from mining the data collected for purposes other than the currently stated one.
Any form of tracking without consent should be illegal (excluding investigative law enforcement work properly authorized by a court). And in this case you can’t protect yourself with standard practices (ie: vpn). I’m guessing you’d need to spoof information on your device (ie: MAC) and prevent other data leakage that’s somewhat beyond any average user.
Re: Re:
Spoofing your MAC address might work, but you’d need to change it frequently. Perhaps every 15 minutes or so? The only other method I can think of to avoid this would be to turn your WiFi off.
Re: Re: Re:
Do people really keep their wifi on all the time? I only turn mine on if I have a slew of updates, otherwise it isn’t worth the little extra battery drain. I do have “unlimited” data so I only really care about speed…
Re: Re: Re: Re:
Since many if not most people seem to walk around with their smartphones in their hands, it’s a fair bet those who keep their wifi off most of the time are in a minority.
Re: Re: Re: Re:
Personally, I use Android and Tasker to accomplish a compromise. My phone occasionally “sniffs” the wifi signals in the area (it does not send any wifi signals out when it does this), and if it sees an AP that is on my list of approved access points, it turns the wifi on and connects to that point automatically. When I leave the AP’s range, it turns the wifi back off.
This way my wifi is effectively off when I’m out and about, but I don’t have to remember to turn it on or off myself.
Re: Re: Re:2 Re:
The problem with this is that, if you were a student at the university, then your phone would probably still have the school’s network in your “approved access point” list and still connect to it.
This is the problem. WiFi security revolves around at least some minor level of trust. When it’s the network itself that’s tracking you, no amount of software security can help you.
Re: Re: Re:3 Re:
Yes, this is precisely correct.
I was speaking of the more general case. After all, some retail stores have started using the exact same sort of tracking of anyone that comes into their stores.
Re: Re: Re:2 Re:
Haven’t looked at this for decades, but the moment a receiver receives, it does a transmission by reflection. So, just by “sniffing” you send out a signal (momentary though it may be and small though it be). Mind you, with so many active sites around you, it may not be possible to actually pick up said signal anyway.
Re: Re: Re:3 Re:
I’m not sure what you’re referring to here. When my receiver is sniffing, it is only listening. It is not sending out a radio transmission at all. (I just now confirmed this with some test equipment.)
Your reference to “transmission by reflection” is vague and I can think of a couple of things that you might be referring to, but none of them seem very relevant to this particular issue.
What am I missing?
Re: Re: Re:2 Re:
If your phone is doing a handshake with a cell tower when it does that “sniffing”, then it is necessarily exchanging data packets with the tower.
Re: Re: Re:3 Re:
If your phone is doing a handshake with a cell tower when it does that “sniffing”, then it is necessarily exchanging data packets with the tower.
He’s talking about wifi, so no cell tower involved.
Re: Re: Re:3 Re:
Nasch is right, I’m not talking about cell towers. Also, my Wifi is not engaging in any handshaking to do this. It’s just listening for the AP beacons.
Re: Re: Re:2 Re:
My phone occasionally “sniffs” the wifi signals in the area (it does not send any wifi signals out when it does this), and if it sees an AP that is on my list of approved access points, it turns the wifi on
How does it check for wifi without turning wifi on?
Re: Re: Re:3 Re:
It does turn the wifi on briefly to listen, but transmits nothing when it does so. It uses the radio chip as a receiver only. The rest of the operating system does not think the radio is on when it does this.
Re: Re: Re:4 Re:
So your phone is capturing data packets being broadcast by a wifi router but not sending any of its own?
Re: Re: Re: Re:
You answered your own conundrum there. You have unlimited data so you don’t care about the wifi. Others don’t, or have maxed out their “unlimited” quotas, etc., so they use wifi. You care about the battery drain, others value the wifi data more.
These things tend to be more understandable when you don’t assume everyone else has the same needs and resources as you do.
Re: Re: Re:
Or not use the public wi-fi. I take my smart-phone places where there’s free wi-fi. If I don’t connect, I don’t send any information, and the only information that can be gathered from my phone is that a smart phone with such-and-so MAC address sent a ping to identify wi-fi sources in the vicinity. Now, more than one access points being available might be a bit problematic. Relative signal strengths acquired from a few different points for a given MAC address might enable some reasonably close position estimation (subject to such things as time stamp resolution vs. speed of light for a given distance; effects of human body/furnishings/other devices/etc. on signal strength; positions in 3-dimensional space of the access points as compared to one another, etc., etc…)
Re: Re: Re: Re:
“the only information that can be gathered from my phone is that a smart phone with such-and-so MAC address sent a ping to identify wi-fi sources in the vicinity.”
Right, which means that it’s possible to identify and track the movements of your cell phone, even if you don’t connect to anything.
Re: Re: Re: Re:
If your device pings the access point to see if there’s a network, that’s enough to establish your location even without establishing a connection. By default most wifi enabled devices like to introduce themselves to every router within shouting distance.
Re: Re:
not a should but in most states it is illegal.
Stalker's Wet Dream
Never mind the potential for abuse by school officials, either of their own accord or at the behest of the NSA and their ilk.
What about a stalker? What about a hacker? What about both?
Can you imagine a stalker who also happens to be a decent hacker getting their hands on this data? Live tracking of their potential victim at their fingertips. Holy hell what a bad idea.
As with so many privacy issues today, the question is not “can you trust the authorities with this information?” The question is “can you trust every single person on earth with this information?” Everything CAN be hacked, no exceptions, no exemptions, ever, period. The only way to truly secure data is for the data to not exist in the first place.
Re: Stalker's Wet Dream
This has been trivially possible for a very long time now. The only thing that’s happening here that’s new is that it’s being done by institutions on a wide-scale basis. But the technique they’re using is as old as Wifi itself.
By the way, this can’t even be considered “hacking”. All of the information being obtained is being done through known and accepted protocols being used in the intended way.
The issue, really, is that data, legitimately obtained for one purpose, is being used for an entirely different purpose without people’s knowledge — let alone consent.
So, as with many of these things, the real question is “who owns the data”? Is it “your” data, because it is about you, that you’ve “licensed” for a particular purpose? Or is it the AP owner’s data, because they collected what was freely given, and they can use for any purpose they wish?
Re: Re: Stalker's Wet Dream
exactly! A+++++ on these comments
This is interesting use of the technology but I don’t understand what exactly can be done about it. So to me it’s just more evidence of people using fear tactics to whip people up into an unecessary frenzy about big brother and his evil intentions – ooooo scary!
The wifi system by it’s very nature knows where your device is physically located and by that it knows where you (or the person holding your device is located). Thus the administrator(s) of that system know where you/your device is at all times within a reasonable degree of accuracy. “Oh but I don’t use wifi, I turn it off” – well your carrier’s data system knows where you are too so good luck with that.
There’s no such thing as location privacy if you have a cellphone in your posession that’s turned on (wifi or not). So stop living your lives in fear. Big brother is always watching. He always has been in some form or another but you’ve managed to survive despite that fact. Calm down folks. That said, when you hear of cases of someone or some organization taking the ability of this and other types of technology too far – then you can scream to the hilltops. For now, nothing to see here – move on.
Re: Re:
There is a difference between a system keeping short term records of a devices location, so that it can be communicated with, and some organization collecting that data into a database where they can analyses it for all sorts of information. The first is transient necessary information, and could possibly be used to locate you right now, the second, on a residential campus is going to capture much more than just attendance at lectures.
Do you really want university staff to be able to figure who is sexually active, and with which taste in partners?
Re: Re:
“For now, nothing to see here – move on.”
I couldn’t disagree more. If we just ignore these issues now, they will be decided by default in a way that is very unfavorable for individuals and will become extremely difficult to change.
Now is exactly the time to raise a big fuss about all of this.
Back when I was in uni, an enterprising student whipped up a program that tracked where any username that was logged in to the mainframe was located, and outputted an ascii map of the location (a modem for remote dial-up, and a map of the lab with an arrow pointing at the specific computer for on-campus access).
This software was extremely useful for finding and meeting up with friends (I even wrapped it in a csh script to alert me if one of my friends was logged in in a nearby lab).
Eventually the university found out and banned the software. Reportedly, some enterprising students had started using it as stalking software.
Sounds like the more things change, the more they stay the same.
It nevertheless violates the privacy of students. The university does not have the right to do this without the consent of students. Studying cannot be effective in such conditions. You can go to this site to find a good study program. But if a student pays money, then he will be responsible for his visits, and college can not force him to attend classes.