Big Brother is Watching. Government Invades Resident Privacy

27 March, 2013 (58 comments)

the one eye sees all

ACT Territory and Municipal Services (TAMS) has admitted to surreptitiously tracking and recording the movements of residents in Canberra’s South through the interception of the private Bluetooth emissions of their mobile phones and car hands-free systems.

TAMS has collected these data as part of its evidence base in support of the highly controversial plan to implement more than 82 traffic calming devices across the southern suburbs of Chisholm, Gilmore, Richardson, Macarthur, Fadden and Gowrie.

The data were reportedly used to map traffic flows and to measure ‘rat-running’ of traffic through the aforementioned suburbs. Collection apparatuses were placed by the side of the road at all entrance and exit points to each suburb. Under the project, if the same signal was received at two collection points, it was inferred that the vehicle had ‘rat-runned’ through the suburb.

All traffic with Bluetooth devices entering or leaving each suburb was tracked as part of the study, conducted jointly by Purdons Consulting and TAMS, in December 2012. This capability would normally require obtaining a warrant under the Telecommunications Interception and Access Act 1979, which was intended to restrict the activities of domestic law enforcement agencies. Further, there is a reasonable expectation of privacy whilst utilising Bluetooth, as well as the possibility of the information being personally identifying. As such the collection of these data is likely to be in contravention of the Privacy Act 1988.

Residents were not advised of TAMS’s intention to conduct this activity, nor has TAMS offered residents the opportunity to review their private data collected under the study. When questioned about the legality of the program by concerned residents at a recent public consultation on 13 March, Mr Rifaat Shoukrallah, Roads ACT Senior Manager of Traffic Management and Safety, stated that he considered the actions of the department to be “completely legal”. The event was also attended by ACT Greens Minister Shane Rattenbury.

The activities of TAMS are eerily similar to the blunder of Google’s Street View project, where the company recorded Wi-Fi access point location data of millions of users worldwide. This led to the company being fined for breaching user privacy. However, unlike Wi-Fi, where broadcasts are expected to be received by surrounding users attempting to locate and connect to home networks, Bluetooth beacons are private signals intended only for the target user. This makes the suspected breach all the more serious.

Similar activities have been conducted in Queensland, where investigations concluded that information collected was not personally identifying, and as such, not a breach of the Privacy Act. However, most readers will be aware that by default, Bluetooth devices often use the owner’s name as the identifier. The trend towards law enforcement abroad and domestically increasingly using similar methods as a mechanism for tracking the location of criminals (under warrant) also suggests that the legality of this technology needs to be reviewed before use in the ACT.


ED – We were rather surprised by this story so asked TAMS for comment. They had this reply:

Bluetooth data collection is used for traffic studies across Australia and worldwide. Please be assured that this technology is not able to collect any personal data and there is no way to identify individuals through Bluetooth devices. If the technology could in any way contravene the Privacy Act or other legislation, TAMS would not use it.

The Bluetooth technology allows for information to be collected about the movement of cars through a suburb. Data receivers collect an electronic signature at the entry and exit points to suburbs and by looking at the time it takes vehicles to travel that distance it can be determined whether they are ‘rat running’ or whether they were instead going to the local shops or dropping their kids off at school. If data is captured only at the entry point then it can be determined that the owner of the vehicle must live in the suburb.

TAMS has received many safety and complaints relating to rat running in Chisholm, Gilmore, Richardson, Macarthur, Fadden and Gowrie and is responding with detailed traffic studies. Bluetooth technology is being used instead of manual counting as it much more accurately records traffic flows. It also offers a greater degree of privacy than that which can be provided with toll tag tracking or license plate surveys due to the fact that there are no databases of Bluetooth addresses that can be used to associate addresses with individual owners or their vehicles.

The Minister has asked TAMS to include information on Bluetooth data collection on its website, as we understand people may have concerns or questions about how it works.


UPDATE 29/03/13 10:31: Good grief we’ve made The Register who seem to have blurred the line on user generated content into an editorial line.
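
The entry/exit matching that the article and the TAMS reply describe, written so that the analysis only ever holds keyed pseudonyms and aggregate counts (an added example, not TAMS's or Purdons' code). The sensor names, the five-minute threshold, the HMAC pseudonymisation and the sample sightings are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample sightings: (sensor_id, bluetooth_address, unix_seconds).
SIGHTINGS = [
    ("entry_A", "00:11:22:33:44:55", 1000),
    ("exit_B",  "00:11:22:33:44:55", 1180),  # crossed the suburb in 3 minutes
    ("entry_A", "66:77:88:99:AA:BB", 1200),
    ("exit_B",  "66:77:88:99:AA:BB", 3000),  # 30 minutes: stopped inside
    ("entry_A", "CC:DD:EE:FF:00:11", 1500),  # never seen at an exit
]


def pseudonym(key: bytes, address: str) -> str:
    """Keyed, truncated HMAC of the address; the raw address is not kept."""
    normalised = address.replace("-", ":").upper().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def ingest(key: bytes, sightings):
    """Replace every address with its pseudonym at the point of collection."""
    return [(sensor, pseudonym(key, addr), ts) for sensor, addr, ts in sightings]


def classify(records, entry_sensors, exit_sensors, through_limit_s=300):
    """Count through-trips, local stops and entry-only devices.

    through_limit_s is an assumed threshold: a device that reaches an exit
    within it is counted as through traffic ('rat running').
    """
    first_entry, last_exit = {}, {}
    for sensor, token, ts in records:
        if sensor in entry_sensors:
            first_entry[token] = min(ts, first_entry.get(token, ts))
        elif sensor in exit_sensors:
            last_exit[token] = max(ts, last_exit.get(token, ts))

    counts = {"through": 0, "local_stop": 0, "entry_only": 0}
    for token, t_in in first_entry.items():
        t_out = last_exit.get(token)
        if t_out is None or t_out < t_in:
            counts["entry_only"] += 1      # seen entering only
        elif t_out - t_in <= through_limit_s:
            counts["through"] += 1         # short transit between sensors
        else:
            counts["local_stop"] += 1      # long dwell inside the suburb
    return counts


def can_relink(records, key: bytes, address: str) -> bool:
    """Would a later-observed address match anything in the stored records?"""
    return pseudonym(key, address) in {token for _, token, _ in records}


def run_study(sightings):
    """Use a random per-study key and return aggregate counts only."""
    key = secrets.token_bytes(32)          # never written to disk here
    records = ingest(key, sightings)
    counts = classify(records, {"entry_A"}, {"exit_B"})
    # key and records go out of scope on return; only the counts survive.
    return counts


if __name__ == "__main__":
    print(run_study(SIGHTINGS))
```

If the raw addresses or the key are retained instead, `can_relink` returns True for any address observed later, so retention of the key decides whether the stored records can be tied back to a device.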

58 Responses to Big Brother is Watching. Government Invades Resident Privacy
#1
obamabinladen 11:36 am, 27 Mar 13

We are entering an era where our privacy is under threat. The people need to remember that we are the majority and the government works for us not the other way around.

#2
Solidarity 11:58 am, 27 Mar 13

A vast majority of people would have bluetooth turned off?

#3
devdsp 12:06 pm, 27 Mar 13

> there is no way to identify individuals through Bluetooth devices

Bullshit. It’s a UID that you take with you either in your car or in your pocket. How is that not personally identifying?

Leave one of those sniffers at (or near enough to) one of the point to point speed cameras and they’ll be able to match hands-free kits to cars.

A bluetooth sniffer near a security camera would very easily build a dataset that could be used to match images of people to bluetooth devices.

#4
themetresgained 12:09 pm, 27 Mar 13

At least that data is anonymous. The same cannot be said of transit data derived from registered MyWay cards. As a matter of principle, I choose not to register my MyWay card. There’s been incidents where Victorian police have solicited Myki data and gotten it with no trouble – there’s no way to prove the same can’t happen with MyWay.

#5
Canberracanuck 12:15 pm, 27 Mar 13

I think the privacy needs of citizens are no more important than the safety concerns of those residents of the suburbs concerned. What reasonable objection can responsible citizens have to the territory trying to improve quality of life for those residents? Granted, there need to be controls to ensure the information gathered is used only for the stated purpose, but the point about it being the easiest/cheapest way to collect data is a good one…if they had announced what they were doing, then the data collected would have been suspect, as no doubt a portion of the group would have either changed their behaviour or found a way to avoid detection. There is a serious problem to be faced by our society in the addiction to the convenience of the automobile, with no consideration given to the discomfort and danger to which it exposes the rest of the population, let alone the driver/occupant. We should applaud the guy who thought up the idea, as well as the local government for trying to do something measured and constructive, instead of just blindly re-designing the infrastructure (or worse yet, doing nothing). And anyone who is squeamish about this tiny “invasion of privacy” might want to think about selling the computer they use to read this forum!

#6
Alderney 12:16 pm, 27 Mar 13

I understand your concerns.

Quite frankly, I’m more concerned that my neighbour can have CCTV that can view my property.

Short of breaking the law and taking it down myself when they go away on holidays, there is nothing I can do.

#7
magiccar9 12:22 pm, 27 Mar 13

Where was the community awareness and consultation for this project? Did we get told before this began what was going to happen? Did they say “Hey, we’re going to start tracking you through your bluetooth devices”…

My phone can pass information regarding a phone number and contact name stored in the phone to the hands-free kit in the car. For example, if I have a contact named “Jon” saved into my contact list on the phone and he rings me it shows up on my hands-free as “Jon” calling and the phone number.
By collecting the BT Unique Identifier, the Government can begin their own database to track these signals – which I feel invades our right to privacy. Can the Government guarantee me that this data can’t be stored and used later for their own use? Probably not.
Also, what’s stopping a begrudged TAMS IT employee from using this data collected for unsavory use?

#8
Mr Evil 12:33 pm, 27 Mar 13

This is old news. The real worry is that “they” can now also track you by collecting the reflected light and brainwave energy that bounces off your tinfoil hat and passes through the chemtrails overhead.

#9
dpm 12:35 pm, 27 Mar 13

I wouldn’t have thought that many people leave their bluetooth on? Maybe the ones with hands-free, but surely that isn’t anywhere near close to the majority (or a useable amount even)? You learn something new every day! :-)

#10
DrKoresh 1:15 pm, 27 Mar 13

Not exactly a Stalinesque attack on our rights is it? Still would have been nice if they’d told us before-hand rather than after the fact.

#11
Felix the Cat 1:25 pm, 27 Mar 13

themetresgained said:

> At least that data is anonymous. The same cannot be said of transit data derived from registered MyWay cards. As a matter of principle, I choose not to register my MyWay card. There’s been incidents where Victorian police have solicited Myki data and gotten it with no trouble – there’s no way to prove the same can’t happen with MyWay.

Why would you be worried about the police accessing data? Ever think they might need it in relation to solving a crime?

#12
Gungahlin Al 1:28 pm, 27 Mar 13

Won’t anyone think of the uni students?
How do they survive now without income from writing down numberplates??

#13
gooterz 1:30 pm, 27 Mar 13

Cyclists don’t have Bluetooth?

It’d be skewed anyway, only a select few would leave Bluetooth on.

82 devices because the gov is too tight to fix anything south of parliament house?

Perhaps we could leave a device outside the assembly so we know our leaders are working?

Good to know that the government was open about this, so the public could be assured of the confidentiality of their data.

Now were the Bluetooth’s MAC IDs recorded or were Bluetooth transmissions completely recorded, in which case the government has illegally intercepted telecommunications breaching the Telco act.

#14
davo101 1:41 pm, 27 Mar 13

Quick break out the tin-foil hat. Talk about an overreaction.

First off does the Telecommunications Interception and Access Act apply here? The Act states that it does not apply to a system for carrying communications solely by means of radiocommunication. Secondly does the Privacy Act apply? If they are collecting Bluetooth MACs then I don’t see how this can be considered personal information. How would you go about working out who 01-07-6B-88-EA-01 is? Thirdly, given the number of security breaks over the years, why would you have a reasonable expectation of privacy whilst utilising Bluetooth?

Lastly, and most importantly, if you choose to drive around Canberra broadcasting a tracking signal don’t be too surprised if someone is listening in.

#15
mezza76 2:16 pm, 27 Mar 13

davo101 said:

> Quick break out the tin-foil hat. Talk about an overreaction.
>
> First off does the Telecommunications Interception and Access Act apply here? The Act states that it does not apply to a system for carrying communications solely by means of radiocommunication. Secondly does the Privacy Act apply? If they are collecting Bluetooth MACs then I don’t see how this can be considered personal information. How would you go about working out who 01-07-6B-88-EA-01 is? Thirdly, given the number of security breaks over the years, why would you have a reasonable expectation of privacy whilst utilising Bluetooth?
>
> Lastly, and most importantly, if you choose to drive around Canberra broadcasting a tracking signal don’t be too surprised if someone is listening in.

^ this. Where can I subscribe to your newsletter?

What a beat up. Seriously. If you’re concerned about privacy and personal information by Government you might want to consider never lodging a tax return, accessing welfare and the health system. That information stored would pale in comparison than your driving habits and bluetooth identifier which, frankly, probably bores the pants off some poor TAMS functionary.

And I do register my MYWAY card – because I couldn’t care less if the ACT police called me to ask if I saw a crime, or that I got on at Forde and got off at Civic. I’d volunteer it if I saw a crime or if the police asked me…because you know, I abide by the law.

Do you people put a hood over your face to evade CCTV in Civic or the bank? Or any other store? Your face is recorded… far more invasive than your name and bluetooth id. Or your driving habits.

#16
Watson 2:20 pm, 27 Mar 13

davo101 said:

> Quick break out the tin-foil hat. Talk about an overreaction.
>
> First off does the Telecommunications Interception and Access Act apply here? The Act states that it does not apply to a system for carrying communications solely by means of radiocommunication. Secondly does the Privacy Act apply? If they are collecting Bluetooth MACs then I don’t see how this can be considered personal information. How would you go about working out who 01-07-6B-88-EA-01 is? Thirdly, given the number of security breaks over the years, why would you have a reasonable expectation of privacy whilst utilising Bluetooth?
>
> Lastly, and most importantly, if you choose to drive around Canberra broadcasting a tracking signal don’t be too surprised if someone is listening in.

+1

I often think that people like to shout about their privacy being invaded because they like to pretend they are interesting enough to be spied on. But really, who cares about someone collecting these sorts of extremely limited data? If it is truly illegal (I’ve no idea) it is not exactly best practice and it should prompt them to tighten their business processes. And then we all move on with our lives.

#17
kos 2:26 pm, 27 Mar 13

davo101 said:

> Quick break out the tin-foil hat. Talk about an overreaction.
>
> First off does the Telecommunications Interception and Access Act apply here? The Act states that it does not apply to a system for carrying communications solely by means of radiocommunication. Secondly does the Privacy Act apply? If they are collecting Bluetooth MACs then I don’t see how this can be considered personal information. How would you go about working out who 01-07-6B-88-EA-01 is? Thirdly, given the number of security breaks over the years, why would you have a reasonable expectation of privacy whilst utilising Bluetooth?
>
> Lastly, and most importantly, if you choose to drive around Canberra broadcasting a tracking signal don’t be too surprised if someone is listening in.

The TIA doesn’t apply here, Bluetooth is indeed a radio transmission and not covered by the TIA. The Privacy Act also wouldn’t apply, as you must have bluetooth enabled on your device in order to connect to these points.

The reply from TAMS is pretty rubbish, you can quite easily get into a device over bluetooth and pull data from it (including private data). All it would take is for one TAMS employee who wants to do the wrong thing.

#18
Watson 2:48 pm, 27 Mar 13

kos said:

> The reply from TAMS is pretty rubbish, you can quite easily get into a device over bluetooth and pull data from it (including private data). All it would take is for one TAMS employee who wants to do the wrong thing.

How and how different is this from someone doing the same thing using their mobile?

#19
astrojax 3:10 pm, 27 Mar 13

dunno what toothpaste you all use, but my teeth is white :)

#20
RedDogInCan 3:11 pm, 27 Mar 13

obamabinladen said:

> We are entering an era where our privacy is under threat.

The era started way back in the early 2000s, please try to keep up.

Watson said:

> I often think that people like to shout about their privacy being invaded because they like to pretend they are interesting enough to be spied on. But really, who cares about someone collecting these sorts of extremely limited data?

We should care. Whilst it may seem like extremely limited data today but it will be used as justification for tracking more detailed data in the future using the argument that ‘nobody complained when we tracked them before so it will be ok to use this slightly better system to track them in a bit more detail’. And nobody will complain then because ‘it’s only a little bit of data’ and the ‘privacy needs of citizens are no more important than the safety concerns of those residents’. When do we call enough? Much easier to stop it now than when the government is mandating tracking devices for all cars.

In any case, the real story here is that TAMS is ignoring the actual problem of peak hour capacity on arterial roads and is instead seeking to justify a solution to a follow on problem that will inconvenience residents far more than rat runners. Fix the main roads and this problem will fix itself.

#21
thebrownstreak69 3:33 pm, 27 Mar 13

People put all sorts of private information onto Facebook, Twitter, LinkedIn, etc, and then whinge about this? The biggest threat to our privacy is our own stupid behaviour.

When you put information onto FB, for example, FB own that information, and it gets sent anywhere they like.

#22
p1 3:37 pm, 27 Mar 13

What interests me is what data exactly TAMS intend to keep in the long term. Will they completely de-identify the results and destroy all the rest? Or will they keep everything they recorded for ever?

Because while it might not be possible to just look in their database and recognise my details, should someone actively wish to investigate me¹, it wouldn’t take much to loiter near enough to get my bluetooth ID, look back at the database and see where and when I passed a device in the past.

Plus, all the people who think only a small percentage of people leave bluetooth on might be forgetting that many cars these days have bluetooth built in. Many cars have after market GPS systems which have bluetooth capability. All of these devices could be tracked (which raises an interesting point for their data collection – can it tell if three separate devices were in the same vehicle, or is the data meaningless?).

1 - While it is unlikely that anyone will be stalking me - and if the cops are investigating me I probably did something dodgy - there are plenty of cases out there of people (sometimes famous, sometimes just unlucky) being stalked, followed, hacked etc. Governments shouldn't be building databases of information without very tight controls placed on them. Now I shall go back to polishing my tin-foil hat.

#23
gooterz 3:41 pm, 27 Mar 13

thebrownstreak69 said:

> People put all sorts of private information onto Facebook, Twitter, LinkedIn, etc, and then whinge about this? The biggest threat to our privacy is our own stupid behaviour.
>
> When you put information onto FB, for example, FB own that information, and it gets sent anywhere they like.

Who says everyone uses FB?

Bit of irony that it’s illegal to use mobile phones while driving but it’s ok for the government to use your phone while you’re driving.

Also if a car had 5 people/phones in it then would that count as 5 cars or 1?

The other option would be to use road counters that judge speed and record time. Set up one at each end of the road, and exclude the cars that don’t have a matching entry exit time. Much more accurate than Bluetooth.

Knowing IT projects how much did these Bluetooth devices cost? We’ll probably spend more on the studies over the years than the price of fixing the road.

#24
p1 3:43 pm, 27 Mar 13

thebrownstreak69 said:

> People put all sorts of private information onto Facebook, Twitter, LinkedIn, etc, and then whinge about this? The biggest threat to our privacy is our own stupid behaviour.
>
> When you put information onto FB, for example, FB own that information, and it gets sent anywhere they like.

I think most people – even those who put their entire lives on facebook for all to see – would say the difference is the ability to opt out should you wish.

#25
Skidbladnir 3:46 pm, 27 Mar 13

If you’re good at data relationships, you’d be amazed at just what can be achieved.

And for those who assert the old chestnut that “The good have nothing to fear”: the good have everything to fear, the most to lose, and due to a lack of risk familiarity/recognition, are the most exposed.

Bad police, crazy lovers, stalker exes, and people with axes to grind all exist, everybody has something they consider worth hiding, privacy breaches can destroy lives and families, and the impact doesn’t simply end with those who are breached or at the time of the breach.
If there was no reasonable expectation of privacy there would be fewer sales of curtains.

#26
thebrownstreak69 4:16 pm, 27 Mar 13

p1 said:

> thebrownstreak69 said:
>
> > People put all sorts of private information onto Facebook, Twitter, LinkedIn, etc, and then whinge about this? The biggest threat to our privacy is our own stupid behaviour.
> >
> > When you put information onto FB, for example, FB own that information, and it gets sent anywhere they like.
>
> I think most people – even those who put their entire lives on facebook for all to see – would say the difference is the ability to opt out should you wish.

You can’t remove what’s already out there, though.

#27
p1 4:27 pm, 27 Mar 13

thebrownstreak69 said:

> p1 said:
>
> > thebrownstreak69 said:
> >
> > > People put all sorts of private information onto Facebook, Twitter, LinkedIn, etc, and then whinge about this? The biggest threat to our privacy is our own stupid behaviour.
> > >
> > > When you put information onto FB, for example, FB own that information, and it gets sent anywhere they like.
> >
> > I think most people – even those who put their entire lives on facebook for all to see – would say the difference is the ability to opt out should you wish.
>
> You can’t remove what’s already out there, though.

Hence people being a little worried that the government might be collecting and putting “out there” a whole heap of data about them, when we don’t even know exactly what it is.

#28
osfmar 4:50 pm, 27 Mar 13

To me the issue here is whether or not they broke the law, regardless of how small the issue may be. I’m still left very concerned after the response from TAMS… My interpretation is below.

1) HAS TAMS BREACHED THE TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) ACT 1979?
TAMS is taken to have intercepted residents’ communications:
S6 …interception of a communication passing over a telecommunications system consists of listening to or recording, by any means, such communication in its passage over that telecommunications system without the knowledge of the person making the communication.

TAMS is therefore taken to have breached the Act:
S7 A person shall not: a) intercept… a communication passing over a telecommunications system

2) HAS TAMS BREACHED RESIDENTS’ PRIVACY?
Unique Bluetooth data such as device ID or MAC address is to be considered personal information:
“Personal information” means information… about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Ordinarily, data such as IP and MAC addresses are not considered identifiable information. However, the Australian Privacy Commissioner and the Australian Law Reform Commission have given further advice on the matter, stating that these data may become identifying if they are tied to data concerning other aspects of someone’s identity. This includes an individual’s position at a specified time, along with their actions and behaviours, as TAMS has clearly done to identify cars at the entry and exit points in their study.

TAMS is taken to have breached an Information Privacy Principle:
S14 Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:
a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
b) the collection of the information is necessary for or directly related to that purpose.
Personal information shall not be collected by a collector by unlawful or unfair means.

TAMS is taken to have interfered with resident privacy:
S13 An act or practice is an interference with the privacy of an individual if the act or practice: a) in the case of an act or practice engaged in by an agency … breaches an Information Privacy Principle in relation to personal information that relates to the individual

#29
thebrownstreak69 5:03 pm, 27 Mar 13

p1 said:

> thebrownstreak69 said:
>
> > p1 said:
> >
> > > thebrownstreak69 said:
> > >
> > > > People put all sorts of private information onto Facebook, Twitter, LinkedIn, etc, and then whinge about this? The biggest threat to our privacy is our own stupid behaviour.
> > > >
> > > > When you put information onto FB, for example, FB own that information, and it gets sent anywhere they like.
> > >
> > > I think most people – even those who put their entire lives on facebook for all to see – would say the difference is the ability to opt out should you wish.
> >
> > You can’t remove what’s already out there, though.
>
> Hence people being a little worried that the government might be collecting and putting “out there” a whole heap of data about them, when we don’t even know exactly what it is.

The government already has a crapload of data about you, and shares it amongst departments and other parties as well.

#30
Gungahlin Al 5:36 pm, 27 Mar 13

I think anyone concerned about their privacy being breached by this heinous practice should make sure that they explain their concerns to all their Facebook friends.

Copyright © 2014 Riot ACT Holdings Pty Ltd. All rights reserved.