What can be legally used to physically track you?

Am I protected from prying eyes?

Posted by Albert Cheng on 21 October 2024

Last Updated: 21 October 2024

Physical Tracking - when the digital world crosses into the real world

Ever wondered how easy it is for someone or a company to physically track your movements? Is it even legal to get that kind of data and what kind of data is needed?

Between AI-based data scraping and cyber criminals, it is becoming easier for people to collect a vast amount of data on anyone. So how easy is it for someone to get the data needed to physically track me?

This blog explores the two main types of data used for physical tracking: mobile device data and facial biometric data.

Surveillance Camera Image by Pete Linforth from Pixabay

Mobile Devices/Phones

Data from mobile devices falls under three broad categories:

  1. Telecommunications data - data and metadata sent using a telecommunication service, such as SMS, images, audio, phone calls, which cell tower the phone was connected to, the owner of the SIM card, who the person called etc.

  2. Wi-Fi, Bluetooth and GPS data - this includes both the data itself, as well as metadata, such as which Wi-Fi networks the device connected to and how many times it connected etc.

  3. Spyware or surveillance software - software installed or placed on a mobile device for the purposes of tracking and surveillance.

I will explore each category separately below.

Telecommunication Data

In general under Australian law, telecommunications data is much more protected and sensitive, meaning it is illegal:

  • to obtain and intercept telecommunications under the Telecommunications (Interception and Access) Act 1979

  • for telecommunication providers to disclose this telecommunications data and metadata (Telecommunications Act 1997)

The main exception is for law enforcement and security agencies, where they can access this information but generally require a warrant to do so.

Note that while the Telecommunications Act requires telecommunication providers to retain metadata for 2 years, the Telecommunications (Interception and Access) Act forbids providers from keeping the actual contents/substance of the communication (e.g. the SMS messages).

Due to the highly regulated nature of telecommunication data, it is generally not easily obtained (or at the very least not easily scraped at scale). In contrast, Wi-Fi, Bluetooth and GPS data can be scraped or collected at a large scale.

Wi-Fi, Bluetooth and GPS data

Other mobile device data includes Wi-Fi, Bluetooth and GPS/location data, which can be used to track/identify an individual through their device. Devices connected to a Wi-Fi network are uniquely identified using a MAC address, and Bluetooth devices also have a unique identifier called the Bluetooth Device Address (sometimes known as a Bluetooth MAC address).

Like mailing addresses, these addresses are essential to let the network infrastructure properly communicate with devices over Wi-Fi/Bluetooth. The data also includes other essential details, such as which Wi-Fi or Bluetooth access points the device connected to.

However, these addresses can also double as a unique identifier to track an individual’s movements if paired with other data, since most people keep their phones with them when travelling. Wi-Fi and Bluetooth access data can identify the physical location of the device at a point in time (e.g. if a Wi-Fi access point is at point XYZ, all devices connected to it would need to be within XX metres of it). It is similar to how law enforcement agencies ‘ping’ a cell tower to find the location of a mobile device.

As this data is considered publicly available, activities like Wi-Fi sniffing are considered legal. Wi-Fi sniffing is basically eavesdropping on a Wi-Fi network to see traffic, who is connected to a network, how much data they are sending etc. Sniffing itself is legal, but it is often a precursor to hacking.

As a side note, Android and iOS phones now have MAC randomization features which periodically change the device’s MAC address to avoid tracking. This makes it harder to tie a MAC address to an individual’s phone, but not impossible. Most network and security software has methods to identify devices on the network, using a range of identification techniques beyond just MAC addresses. See my fingerprinting blog post for more details.
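How randomization shows up in the address itself, as an added example that is not part of the original post: a randomized address sets the "locally administered" bit of its first octet, so a device owner can check which networks saw the factory-assigned address and which networks saw the same address. The function names and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: network name -> MAC address this device presented there.
# 00:00:5e:00:53:xx is the range reserved for documentation (RFC 7042).
SAMPLE = {
    "home": "00:00:5e:00:53:01",
    "office": "00-00-5E-00-53-01",
    "cafe": "da:a1:19:4b:7c:02",
    "airport": "f2:6e:0b:91:33:a8",
}


def parse_mac(mac: str) -> bytes:
    """Parse a colon- or hyphen-separated 48-bit MAC address."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_randomized(mac: str) -> bool:
    """Heuristic: locally administered (0x02 set) and unicast (0x01 clear)."""
    first_octet = parse_mac(mac)[0]
    return bool(first_octet & 0x02) and not first_octet & 0x01


def audit(presented: dict) -> dict:
    """Report where a stable or repeated address was exposed."""
    by_address = defaultdict(list)
    for network, mac in presented.items():
        by_address[parse_mac(mac)].append(network)
    return {
        # Networks that saw an address without the locally administered bit.
        "hardware_address_exposed": sorted(
            n for n, m in presented.items() if not is_randomized(m)),
        # Groups of networks that saw the identical address.
        "linkable_networks": sorted(
            sorted(nets) for nets in by_address.values() if len(nets) > 1),
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A locally administered address can also be one that was set by hand or by a virtual machine, so the bit is a strong hint rather than proof of randomization.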

When it comes to this type of data, it is only regulated under the Australian Privacy Act 1988 if it can reasonably identify an individual. If so, it is considered ‘personal information’ and cannot be collected or used without the individual’s consent. However, if it is collected and used in a ‘de-identified’ way then Australian privacy laws do not apply.

Practically, this is a grey area as some studies have shown that it only takes 3 or more ‘de-identified’ data points connected together to actually identify someone. I discussed this at length in my previous blog post. In short, due to the nature of big data it is arguable that most de-identified data can ultimately reasonably identify an individual if combined in the right way.

However, regardless of the practical effects, the law as it currently stands and is enforced allows many organisations to legally use Wi-Fi and Bluetooth signals and connections for many tracking purposes provided it is ‘de-identified’ somehow.

Wi-Fi Network Image by Satheesh Sankaran from Pixabay

For example, Westfield shopping centres explicitly make it known that they track shoppers’ movements using Wi-Fi and Bluetooth data (see their privacy policy and Wi-Fi terms and conditions). This includes identifying which entrance shoppers enter, which shops they linger around the most and which shops shoppers like to visit. For example, shoppers visit the ice-cream store in the morning and then the department store in the afternoon.

Another example of using Bluetooth for physical tracking is traffic flow analysis. Many traffic authorities now use wireless MAC scanners at traffic lights and other major traffic points. When a Bluetooth/Wi-Fi device goes through the intersection, the scanners can calculate the following in real-time:

  • how many vehicles are going through or waiting at an intersection or point
  • the average speed of vehicles going through an intersection or point

These scanners work very effectively in practice to analyse traffic flow and generally do not store the MAC address identifier. As most drivers connect their phones to their car via Bluetooth, their Bluetooth is usually turned on already when driving, allowing the scanners to pick up their device when passing a scanner.
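One way two scanners could produce those figures without keeping the MAC address, as an added example that is not part of the original post and not any traffic authority's actual code: each address is replaced by a keyed hash, the key exists only for one measurement window, and only aggregates are returned. The 500 m segment length, the sightings and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SEGMENT_METRES = 500.0  # assumed distance between scanner A and scanner B

# Constructed sightings: (MAC address, time in seconds) at each scanner.
SCANNER_A = [("da:a1:19:4b:7c:02", 1000), ("DA:A1:19:4B:7C:02", 1001),
             ("f2:6e:0b:91:33:a8", 1004), ("be:01:02:03:04:05", 1010)]
SCANNER_B = [("da:a1:19:4b:7c:02", 1030), ("f2:6e:0b:91:33:a8", 1040),
             ("c6:0a:0b:0c:0d:0e", 1050)]


def pseudonym(mac: str, key: bytes) -> str:
    """Keyed hash of the address; unlinkable once the key is discarded."""
    normalised = mac.lower().replace("-", ":").encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def flow_stats(at_a, at_b, key, segment_m=SEGMENT_METRES) -> dict:
    """Aggregate count and speed for one window; returns no identifiers."""
    first_seen_a = {}
    for mac, t in at_a:
        p = pseudonym(mac, key)
        first_seen_a[p] = min(t, first_seen_a.get(p, t))
    speeds_kmh, matched = [], set()
    for mac, t in sorted(at_b, key=lambda s: s[1]):
        p = pseudonym(mac, key)
        if p in matched or p not in first_seen_a or t <= first_seen_a[p]:
            continue  # already counted, never seen at A, or wrong direction
        matched.add(p)
        speeds_kmh.append(segment_m * 3.6 / (t - first_seen_a[p]))
    average = round(sum(speeds_kmh) / len(speeds_kmh), 1) if speeds_kmh else None
    return {"devices_at_a": len(first_seen_a), "matched": len(matched),
            "average_kmh": average}


def run_window() -> dict:
    """Process one window with a fresh key that is never stored."""
    key = secrets.token_bytes(32)
    return flow_stats(SCANNER_A, SCANNER_B, key)


if __name__ == "__main__":
    print(run_window())
```

Because the key changes every window, the same device gets a different pseudonym each time, so the aggregates cannot be joined into a movement history afterwards.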

There was a university in Australia that used Wi-Fi data to identify which rooms of buildings were under-utilised and over-utilised. It essentially used Wi-Fi MAC addresses to count the number of devices (and thereby students) on a floor at a point in time.

Realistically, whenever you leave the house, your phone’s Wi-Fi and Bluetooth data is likely being used as part of some tracking system, as they are so ubiquitous.

Spyware or surveillance software

Under the Surveillance Devices Acts (both State and Federal) in Australia, using mobile devices to surveil and track individuals is generally illegal. This includes installing certain apps that secretly record conversations and send GPS/location data to another person. Without consent of the other party, these apps are illegal to use.

Note that these laws generally allow employers to monitor their employees on their devices, but require the employee to be notified. For example, some companies have BYO device policies, so in these cases the surveillance and tracking software would be installed on the employee’s personal device.

As with telecommunications data, the Surveillance Devices Acts do allow law enforcement to access this technology. For example, certain law enforcement agencies have been known to use highly sophisticated tracking software (e.g. Pegasus spyware) on mobile phones to track individuals.

Facial Recognition Technology

Facial recognition data is considered biometric information and ‘sensitive information’ that is protected under the Australian Privacy Act 1988. This means entities cannot collect or use this sensitive data without consent from individuals. The Office of the Australian Information Commissioner (OAIC) is the Australian government agency that enforces privacy laws. In the past, it has made a determination that makes it clear that collecting facial recognition data without consent was in breach of the Privacy Act.

As a side note, the OAIC has also stated that social media companies have an obligation under the Privacy Act to prevent large scale data scraping of facial images from their websites. The OAIC has even stated that mass data scraping constitutes a data breach that needs to be reported to the OAIC and to individuals.

The use of facial recognition in commercial settings is quite commonplace in Australia. In retail, the giant shopping centre group Westfield has a SmartScreen Network. These are advanced advertising screens with built-in facial recognition cameras and technology, allowing the screen to dynamically tailor what it shows to target certain demographics based on this data. The screens also scan and collect facial recognition data of anyone that walks past them.

Quividi, the firm that developed the technology, claims that facial detection technology can identify a person’s gender with a high degree of accuracy. Quividi have even taken it a step further - they can dynamically tailor the advertising on the screen based on the gender, facial expression and age of the person that walks past.

Westfield’s privacy policy states this includes using ‘image processing software to aggregate data such as shopper numbers, gestures, behaviours and demographics. These technologies do not identify individual shoppers, or record or retain images of individual shoppers.’ This generic information includes, for example, the number of young female shoppers in their 20s that view the billboard on Tuesday afternoon.

As they claim the data cannot reasonably identify an individual, it is not covered by the Privacy Act. Therefore, while they are collecting and using biometric data from individuals, they claim they do not actually need any consent from individuals to collect and use this information.

In contrast, other retailers, such as Kmart and Bunnings, actually created unique biometric IDs based on facial recognition data collected on shoppers in their stores. The information was used, for example, to identify shoplifters. As the data collected could reasonably identify a person, the OAIC opened an investigation into them for breach of the Privacy Act.

As of writing this blog post in 2024, the investigation is still ongoing. However, since then, these retailers have paused using facial recognition tech in their stores.

Facial Recognition Image by teguhjati pras from Pixabay

Line between Surveillance and AdTech is getting thinner

AdTech refers to tools and software that companies use to do targeted advertising. The rise of AI/ML and advanced fingerprinting methods has allowed AdTech to become very sophisticated and personalised. Many AdTech tools build up very personalised profiles of individuals, including gender, age, financial status and personal preferences. It is a multi-billion-dollar industry to get the right ads in front of the right target audience.

It’s little surprise that AdTech is also very adept at physical tracking. For example, it wouldn’t be a surprise to most people if I said that Google knows where you work, when you leave home, when you last visited your dentist and whether you have gone grocery shopping this week.

I discussed in a previous blog post how Google’s Advertising technology works to figure out that you are looking for shoes to buy.

But another way to make money off a massive database of personalised profiles is selling that data on to third parties. Companies that facilitate buying/selling this data are known as data brokers.

AdTech and surveillance essentially use the same technology, albeit for different end goals and clienteles. There’s even a term for it: Surveillance Advertising. The industry has gotten so good at surveillance advertising that governments often just buy the data from data brokers/AdTech companies instead of collecting surveillance data themselves.

It has been reported that this happens quite a lot. It is legally easier for governments to buy this data rather than obtain warrants to do mass wiretapping/surveillance on their citizens.

Ads Image by Mohamed Hassan from Pixabay

Even for private citizens it is getting easier. Skip tracing is the process of locating a person in a way that does not involve breaking the law. Private investigators and debt collection agencies specialise in skip tracing and rely on information accumulated by data brokers, including non-publicly available data (e.g. from the ATO, Medicare, Centrelink).

So the line between advertising tracking and surveillance tracking is quite thin and in many cases it doesn’t even exist anymore!

Closing Thoughts

So much tracking already happens and it seems unavoidable to go through your day-to-day life without getting tracked somehow!

Going back to the original question: how easy is it to obtain the data to physically track someone? The answer is quite easy, and even easier if you’re willing to break the law.