When you’re being tracked by a smart trashcan, shouldn’t you have to opt in first?

Are you being tracked by a recycling bin? If you’re a smartphone user who traverses certain parts of London, that rather insane proposition is actually reality. And telling the bin to stop tracking you isn’t a straightforward affair.
In the run-up to last year’s Olympics, 100 recycling bins with advertising screens were installed in the City of London (the financial district) by a startup called Renew. As Quartz reported on Thursday, 12 of these “Renew Pods” were recently fitted with “Renew ORB” devices that use Wi-Fi to sniff out certain information from passing smartphones, namely proximity, speed, duration and manufacturer. The manufacturer is gleaned from the smartphone’s MAC address, which acts as an identifier for the mobile device.

Targeting ads

The idea here, according to a Renew statement, is to “measure variables in market share between mobile handheld providers within the City’s Square Mile — the highest concentration of professionals in Europe.” According to the Quartz report, this information would then be sold to advertisers to help them target their campaigns: high-value goods for iPhone users, and so on.
The analytics and reporting piece of this puzzle comes from a company called Presence Orb. If you don’t want to be tracked by a recycling bin, Presence Orb has an online opt-out form that states (pardon the grammatical errors):

“We understand that Presence Orb is not for everyone. We go to great lengths to keep our data safe and maintain individuals privacy while still allowing an enriching experiences via Presence Orb for these consumer. Below we provide the facility for a consumer to opt a device from future Presence Orb data collection and remove all historic collected information for this device within 7 days of submission. Although we will be sad to see you go we believe this is every device owners right.”

Only there’s a problem with this approach. According to the Article 29 Working Party, a group of European data protection regulators, what those bins are recording is personal data.

Tracking people

An opinion adopted by the working party back in 2011 on mobile geolocation services reads:

“… the combination of the unique MAC address and the calculated location of a Wi-Fi access point should be treated as personal data.”

That means getting the user’s permission before capturing such data. (This is what Google(s goog)’s Street View program got into trouble for, even before it emerged that the cars were also snarfing up fragments of emails and the like.)
Now, the working party’s opinions are advice for regulators looking at how to apply the law, rather than laws in themselves. But UK data protection law states that an individual is entitled “to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller.”
The UK Data Protection Act 1998 also provides an exemption for research purposes, so that might possibly give Renew and Presence Orb a get-out clause – although at least one privacy law expert I’ve asked reckons the exemption wouldn’t apply because the recycling bin arrangement is commercial.
If the research exemption doesn’t apply, then Renew and Presence Orb are supposed to be up-front about their data collection. But how do you inform someone that their smartphone’s unique identifier is being logged as they walk past an innocuous recycling bin? You can’t, unless those ad screens are taken up with warning messages. And as for people knowing where to find the opt-out form, well, let’s be realistic: that also isn’t going to happen unless they’re reading coverage of what’s going on.

Big data problem

This is all yet another reminder of the growing tensions between big data and privacy. If you’re trying to harness the vast amounts of data emanating from smartphones and other personal computing devices – even if you anonymize that data once you’ve collected it – it’s very difficult to guarantee that personal data can’t be extracted afterwards. And in this case, the identifying information can’t even be easily stripped out, because it’s the very information the data-gathering exercise is designed to collect.
Yes, this is like taking cookies – those bits of software that track you as you surf the internet — into the physical world. And that’s why the rules call for informed consent, which means opting in rather than out.
I’ve asked both Renew and the UK Information Commissioner’s Office (ICO) for comment, and will add it in when and if it arrives.