CIO

Tracking is no longer just on the rails for Boston's MBTA

The advertising contractor for metropolitan Boston’s subway rail system is launching a program to track riders with smart beacon technology. The company emphasizes that it is voluntary and anonymous, but privacy experts are not convinced.

Big Conductor could be watching you … but only if you want him (or her) to.

That, of course, is not the way a press release a couple of weeks ago put it, announcing the launch of a pilot program by private contractor Intersection to track riders who are using the Massachusetts Bay Transportation Authority (MBTA) system in 10 of its stations in Boston and Cambridge.

The pitch from Intersection, an “urban experience” company created through a merger of media company Titan and technology firm Control Group, is that the program’s goals are to improve the rider experience and to help companies that advertise with the MBTA “increase engagement and interaction with commuters” who are near to their stores – targeted ads, in other words.

This will be accomplished through what Intersection says is, “a secure, closed network of Gimbal Bluetooth Smart beacons,” that will collect no personally identifiable information (PII), since they are, “transmit-only Bluetooth low-energy devices that send out a signal that can only be used by user-enabled apps running on mobile devices to trigger location-specific content.”

The company said riders will be tracked only if they, “download an app that utilizes the technology and opt in, to allow the app to receive the beacon’s signal.”

Gimbal, in a prepared statement, emphasized not only the anonymity of the program, but the choices to riders, who can disable it by turning off location services or Bluetooth on their phones.

The company said it is TRUSTe certified and a member of the Future of Privacy Forum (FPF).

All of which sounds like no surreptitious invasion of personal privacy, since even those who agree to be tracked will remain anonymous.

Not necessarily, according to a number of privacy experts, who say the announced safeguards are too vague to guarantee anonymity.

Privacy and encryption expert Bruce Schneier, CTO of Resilient Systems, said in a world of increasing surveillance by both the private and public sectors, this program probably ranks on the low end of the risk to privacy, although “it depends on the details.” But he said it is difficult to preserve anonymity when downloading an app.

“Can you get into the iTunes store without a credit card?” he asked. “I can’t.”

Bruce Schneier, CTO, Resilient Systems

Others are more emphatic about the privacy risks. Lee Tien, senior staff attorney at the Electronic Freedom Foundation, said even if the beacons don’t collect any data, “it’s unclear to me what the app does with any information it collects. Unless that’s made clear, those who volunteer won’t have done so in an informed way.

“We know that apps also can surreptitiously collect other data on the phone, which can be linked to the ID of the phone,” he said.

And Rebecca Herold, CEO of The Privacy Professor and cofounder of SIMBUS360, said apps are, “some of the most privacy invasive technologies around because of all the data they can suck up from the device – about what the device user is doing, whereabouts, etc., with absolutely no direct interaction with the device users to ask to have data explicitly provided by them.”

Herold and others said there is far too much wiggle room in terms like “personal data,” “consumer information” and “closed network.”

“What does a ‘closed network’ mean?” she said. “That no one but their business employees are able to access it? It would imply that they do not outsource access to the data to any third parties, but they do not explicitly state this.”

Rebecca Herold, CEO, The Privacy Professor and cofounder, SIMBUS360

Things like that also trouble Dennis Devlin, cofounder, CISO and CPO of SAVANTURE. Even though the company says the system will not collect any PII and will be on a closed network, there is clearly some collection going on if riders can receive push notifications from advertisers. “The notice is vague as to exactly what is being collected and how it will be used after collection, and there is no access provision for individuals to see their own data,” he said.

He added that, “there is no such thing as guaranteed anonymity when it comes to geolocation data collected from a mobile device.”

The involvement of an app, or apps, for the program is apparently based on vendors advertising through Intersection with the MBTA. While the press release from Intersection says, “a user must download an app that utilizes the technology,” Caitlyn Kasunich, a media representative for Intersection, said there is, “no overarching pilot program app; there will be third-party apps that become part of the program.”

Dennis Devlin, cofounder, CISO and CPO, SAVANTURE 

Indeed, Jason B. Johnson, deputy press secretary of the MBTA, said Intersection is the contracted, “manager of the T’s advertising program. As such, the Pilots Beacon Initiative was not created by the T.”

But Herold noted that a key phrase from the Intersection press release is that the program is designed to show how, “technology can enable citizens to have more unique, tailored experiences with both cities and brands.” She said there is no way to “tailor” experiences without an app that connects individuals to the program, and without PII being involved.

Kelsey Finch, policy counsel at FPF, agrees that is the key element that should concern users.

“Beacons themselves cannot pinpoint smartphone position and do not track smartphone owner movement,” she said. “They can only detect that a Bluetooth-enabled device has entered a particular zone.”

But while the beacons themselves don’t collect any data or send messages, “they enable an app associated with them to understand more precisely where you, or your phone, are,” she said. “It’s the app that collects the data and uses it to send users messages when they are near a particular beacon. As to whether apps can promise not to collect PII, that’s a different question.”

Kelsey Finch, policy counsel, Future of Privacy Forum

Devlin said that is a crucial distinction. “Every device has multiple identities related to the device itself, the carrier, the network interface, the network address, etc.,” he said. “Once collected, such data can potentially be joined with other data to build a more complete profile of an individual that is not anonymous. And suddenly the customer becomes the product, and someone else becomes the customer.”

That last point resonates with others, including Susan Grant, director of consumer protection at the Consumer Federation of America.

She noted that if riders respond to marketing solicitations generated by the app, “that provides information about what the device users buy, how much they pay for things, etc.”

She said it is clear to her that, “this is really not so much about helping people find their way, it’s about increasing the MBTA’s ad revenue.”

Herold said privacy claims without specific details are, “a common marketing gimmick to spin the story away from the privacy issues and instead get their targeted users to see it as only something good.”

She called it “a huge red flag,” and said the public should start demanding that app and smart device developers, “build in effective privacy protections, and also provide objective privacy impact assessment results to validate their claims.”

Kasunich said there are a number of ways besides advertising that the program could help riders, including offering audible directions to the visually impaired, opening elevator doors when someone using a wheelchair approaches or providing alerts when elevators are down or routes are changed.

She said as the program develops, it could help T officials analyze, “anonymized crowd and flow patterns, entries and exits and passenger counts. These data could ultimately help the MBTA understand how to optimally allocate resources at highly trafficked stations, strengthening customer service for riders.

“Another potential use case, which isn’t in place today, is that riders could also be pushed important messages that are related to their journeys, including delays, service alerts, reroutes and wayfinding.”

Those latter benefits might make the program worthwhile for riders, said Ben Edelman, an associate professor at Harvard Business School and an expert in privacy and adware.

He said there are other ways, already in place, to track how riders use the system, but if the program could provide, “tailored commute guidance, it might be useful.

“Such as: ‘Train is coming – if you walk on the escalator, rather than just standing there, you’ll make it and save 6 minutes,’ or ‘Snow on the tracks on your usual route – delays likely – consider alternative X instead.’”

But, as Kasunich said, those kinds of services are not in place. And privacy experts note again that if riders are getting “tailored” information, that means the program is not entirely anonymous.

The MBTA’s Johnson said only that, “If Intersection’s efforts increase non-fare ad revenue, then that is of benefit to the T’s customers.”

Devlin said good privacy principles include, “notice, choice, access and security.” And he said the program does provide notice and choice, since it will only track those who download and use the app.

But he said that, based on the announcement, “the notice is vague as to exactly what is being collected and how it will be used after collection, and there is no access provision for individuals to see their own data.”

Finch said FPF has written an explanatory Guide to Beacons to help users decide if, and how, they want to use them.