TfL is going to track all London Underground users using Wi-Fi https://www.wired.co.uk/article/london-underground-wifi-tracking I would like to know the following information: How long is was the raw data with Mac addresses stored during the trial? Who had access to the raw data with Mac addresses during the trial? How long will the raw data with Mac addresses be stored once the scheme has been rolled out across the network in July? Who will have access to the raw data with Mac addresses once the scheme has been rolled out across the network in July? Who has access to the anonymised data from the trial? Who will have access to the anonymised data once the scheme has been rolled out across the network in July? How is access to the anonymised data and raw data monitored/controlled? I would also like a detailed description of the anonymisation methodology used during the trial. If a different methodology will be used for when the scheme has been rolled out in July - then I would also like a detailed description of this methodology.

---

Our Ref:         FOI-0605-1920

Thank you for your request received on 30 May 2019 asking for information about WiFi data collection.
 
Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy. I can confirm we do hold the information you require.
 
We take data security and the privacy of our customers very seriously, and have in place a range of policies, processes and technical measures to control and safeguard access to, and use of Wi-Fi connection data. In accordance with our obligations under the General Data Protection Regulation (GDPR) we have published information, including our Data Protection Impact Assessments, on the TfL website to help explain these measures and provide details on the parameters of this data collection: https://tfl.gov.uk/corporate/privacy-and-cookies/wi-fi-data-collection.
 
During the pilot in 2016, raw data with MAC addresses was stored in a restricted area of a secure server for approximately 6 hours before being pseudonymised. At the end of the pilot the hashing procedure was irretrievably deleted along with the Salt. Data access was restricted, by user account, to a small team that had regular privacy and data protection training. A description of our approach in the pilot can be found in our published WiFi findings report on page 23 here: http://content.tfl.gov.uk/review-tfl-wifi-pilot.pdf.
 
In accordance with section 21 of the FOI Act, we are not obliged to supply you with a copy of the requested information as it is already accessible to you elsewhere.
 
Under the scheme which was rolled out across the network in July, raw data with MAC addresses will never be stored. Access to pseudonymised data will remain restricted, by user account, to a small team that has regular privacy and data protection training. Our pseudonymisation of MAC addresses uses a Pepper and a Salt method, and our Salt, Pepper, hashing algorithms and values are stored securely.
 
•         The first time a particular MAC address (e.g. 1234) is received it is hashed with the single Pepper value to produce a new value (e.g. ABXY)
•         We then randomly generate a new Salt. This is hashed with the first value (ABXY) to produce a final value (e.g. CD45)
•         When the same device sends us its MAC address again:
•         The MAC address (1234) is hashed with the Pepper and produces the same value as before (ABXY)
•         The algorithm uses the existing Salt and hashes the two together to produce the same final value (CD45) so this record can be matched with previous records to work out how the device has moved.
 
 
 
If this is not the information you are looking for, or if you are unable to access it for some reason, please feel free to contact me.
 
Please see the attached information sheet for details of your right to appeal.
 
Yours sincerely

Gemma Jacob
Senior FOI Case Officer
FOI Case Management Team
General Counsel
Transport for London

[email protected]

Attachments

Back to top

---