Transport for London (TfL) plans to make £322m by collecting Tube users' location data and potentially selling it to third parties.
At the end of 2016, TfL ran a pilot which tracked the Wi-Fi signals from 5.6 million phones as people moved around the London Underground, even if they weren't connected to a Wi-Fi network.
TfL publicly stated that the purpose of the scheme was to use the aggregated, anonymised data "to better understand how people navigate the London Underground network, allowing TfL to improve the experience for customers". It is now in consultation about tracking passengers on a permanent basis. The only way to opt out of the scheme would be to turn your Wi-Fi or phone off. Wi-Fi tracking is used around the UK, especially on high streets and shopping centres, to track customers as they move around a store, for example.
However, documents obtained under Freedom of Information laws show that they also anticipate there will be a significant financial benefit from the scheme, in contrast to TfL's public messaging.
Many of the documents list 'financial' as the first benefit of the scheme. In one, a section called Advertising Partnerships states: "Enabling TfL to achieve £322m revenue generation over the next eight years by being able to quantify asset value based on the number of eyeballs/impressions and dynamically trade advertising space."
Another document details TfL's communications strategy for the pilot. The 'key messaging' intended for the public reads: "TfL collects Wi-Fi connectivity data to better understand journey patterns and improve our services" - with no mention of the anticipated financial benefits to TfL.
Lauren Sager Weinsten, chief data officer at TfL, told: "These are living documents. The excitement on this project has been how to create a project that will have great customer benefit and how do we explain to our customers what we're doing and why. We have been very transparent about all the documents and our thinking on this.
"And of course we want to make sure that we're very clear about all the different benefits that we'll see. There's a huge customer benefit and it's very exciting to see the patterned information that comes out of this. "But we also do think that there is an opportunity to improve our secondary revenue that we get through our commercial advertising estate and through our retail developments as well, and that's also important as well."
Asked repeatedly, Mr Sager Weinstein refused to rule out that TfL might in the future sell aggregated customer data to third parties. TfL reinvests all its profits in its services. The organisation notified Tube users with prominent displays about the 2016 trial. The only way for people to opt out of the scheme was to turn off their phone's Wi-Fi while on the underground.
Maria Farrell, internet policy consultant at the Open Rights Group, told: "What they told people at the time was we're going to use this data to improve services. But now thanks to investigative reporting, we find out that it's partly to improve the services, but also it's to exploit people's data for revenue, doing advertising."
TfL worked with the Information Commissioner's Office on the scheme and said that user data was anonymised. But privacy experts have cast doubt on the implementation. Paul-Olivier Dehaye, the cofounder of PersonalData.IO, told: "TfL don't seem to understand what 'anonymised' means in data protection terms. While the pilot was running, the data was merely pseudonymisation, while retaining the technical capacity of easily combining this data with external datasets.
"In essence, the value and dangers of this data are still fully there, but TfL has merely constructed a fiction that the individuals were not identifiable and conveniently assumed that would free them from the legal safeguards." Dr Lukasz Olejnik, independent cybersecurity and privacy researcher, told: "TfL has definitely identified some privacy risks and tried to tackle them. They should be applauded for that.
"It's important to note that TfL does not provide an anonymization scheme. It's called pseudonymization, as the data are not processed in a way making it impossible to calculate the data back, given resources. "Commuters should have clear ways of opting out from Wi-Fi tracking monitoring if they choose so. Designing convenient options is paramount."
Download SafeUM — communicate privately, without advertising and spam.