Recent publicity about an Australian university’s practice of tracking the location of people connected to the university’s wi-fi network raises a mixture of policy and legal issues. The media report claims that the legal position is not clear, so this post is intended to help readers understand that position.
The university’s spokesman is quoted as saying that they are “not tracking people but rather simply looking at movements of essentially dots on the page”. This is, apparently, being done for campus planning purposes – e.g. to help determine where to locate a railway stop on campus. The spokesman is also quoted as saying that because the university is not associating the dots with identifiable individuals, they do not notify nor obtain permission from individuals.
From an Australian legal perspective, the federal Privacy Act will apply if the location data is about an individual who is reasonably identifiable. The university might well be expected to argue that the location data is not “about” any particular individual, rather it is about the movements of a larger population and the university has no interest in being able to single-out or identify a particular individual from the data. This is essentially the argument in play in the Ben Grubb case. The Privacy Commissioner has appealed that decision to the Full Federal Court and argument is scheduled for 23 August 2016.
If the location data is not “personal information” for the purposes of the federal Privacy Act, there is still a question about the application of state surveillance devices legislation.
And this is where the outcome varies from state to state.
If the university was located in NSW, the university would, most likely, be committing an offence against section 9 of the Surveillance Devices Act 2007. This conclusion rests on two points:
- the software used by the university to generate the “dots on a page” representing the geographical location of wi-fi enabled devices (such as smartphones or tablets) within range of the university’s wi-fi network is a “tracking device” for the purposes of the NSW legislation; and
- the use by the university of that software occurs without the express or implied consent of the person in lawful possession, or having lawful control, of the wi-fi enabled device the location of which is being monitored.
In NSW, the concept of a “tracking device” is very broad, namely “any electronic device capable of being used to determine or monitor the geographical location of a person or an object”. Clearly, the software is capable of being used for this purpose.
Which then takes you to the question of consent. In this case, the university has admitted that it has not notified or sought consent from affected individuals.
It would be open to the university, as operator of the wi-fi network, to obtain consent from users as part of the initial process to join the network. It is commonplace to require users to agree to terms and conditions when joining up to wi-fi networks for the first time. But that does not solve the issue if the software tracks the location of wi-fi enabled devices that broadcast their existence to wi-fi networks in their proximity (which happens automatically if you have wi-fi enabled on your device). So the software would need to be configured to map only those devices actually connected to the wi-fi network at the time, since you could be confident that consent had been obtained from the users of those devices through the sign-up process.
However, the university in question in this media story is located in Victoria. Victoria also has a Surveillance Devices Act, which contains an almost identically worded offence (see section 8 of the Victorian Act). One very important difference between the NSW and Victorian legislation is that the concept of a “tracking device” in Victoria is much narrower, namely “an electronic device the primary purpose of which is to determine the geographical location of a person or an object”. So attention is then focussed on whether the mapping software used by the university has the primary purpose of determining the geographical location of an object (as opposed to simply being capable of being used for that purpose). If the mapping feature is simply one function of software used to administer the wi-fi network, the university may have a decent argument that the primary purpose of that software is not to determine the geographical location of an object, in which case it would not be a “tracking device” and no offence has been committed.
We are not aware of any prosecutions under these “tracking device” offences for monitoring of this kind (as opposed to instances of individuals placing bugs on vehicles of estranged spouses etc). In NSW, the jurisdiction in which offences are more likely to be committed (albeit probably inadvertently), the Attorney-General must give written consent to the commencement of a proceedings for an offence against the Surveillance Devices Act (see section 56).
Obviously universities are not the only organisations that offer wi-fi to people. For example, retailers, hotels and airports commonly make wi-fi available in their premises. And many of them would likely be interested to analyse the movements of people through their premises. If your organisation is considering undertaking that kind of data collection and analysis, you should consider how best to address the operation of the surveillance devices legislation, as well as general privacy law.