University Tracks Students' Movements Using WiFi, But Says It's OK Because It's Not Tracking Students

from the slippery-slope dept

Tue, Aug 16th 2016 3:28am — Glyn Moody

One of the many revelations from the Snowden files was that Canada's spy agency has been tracking people as they connect to WiFi in different public locations. And if Canada is doing it, you can be pretty sure the NSA and GCHQ are doing the same, since neither is known for being backward in using whatever means it can to snoop on huge numbers of people. Of course, you'd expect spy agencies to be up to these kinds of tricks, and you might also be unsurprised to learn that shops are also tracking you using your WiFi connection. But we might have hoped that universities would have been a little more sensitive to privacy issues than the following news on the Australian ABC News site suggests is the case:

The University of Melbourne has moved to allay privacy concerns amid revelations it is tracking students through their wi-fi usage.

The university said the practice, which looked at where people were moving around campus, helped institutions improve retention rates and the experience of students.

According to the article, the university is using the data for the following reason: The university is trying to work out where people move across the campus to help with planning the new Metro Rail project, which will run through the middle of the campus.
That's certainly a reasonable goal, but the university seems blissfully unaware of the privacy dangers of its data gathering. In particular, the fact that it is interested in which campus room students are in at any given time means that it could probably work out the identities of those using a particular WiFi system by correlating the rooms visited with the different courses taken by each student. The university would then have a record of where all its students went during the day, who they met, and for how long. Apparently meaningless location information is actually incredibly revealing.

There's no suggestion that the university is doing anything like this, or even thinking about doing it. But once advances in technology mean that something is theoretically possible, the pressure to put it into practice can become irresistible, as other students have discovered.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: australia, privacy, students, tracking, wifi
Companies: university of melbourne

37 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 16 Aug 2016 @ 3:58am

The campus also includes accommodation, which make this tracking very powerful for determining sexual orientation etc.
[ link to this | view in chronology ]
PaulT (profile), 16 Aug 2016 @ 4:32am

"The university is trying to work out where people move across the campus"

Have you tried asking them? OK, there might be concerns about accuracy there, but you wouldn't be facing any "revelations" if you'd asked them up front.

"There's no suggestion that the university is doing anything like this, or even thinking about doing it. But once advances in technology mean that something is theoretically possible, the pressure to put it into practice can become irresistible, as other students have discovered."

The other issue, of course, is that it's not even relevant what the current university administration actually do. If the data is accessible by anybody else, they can use it for whatever they wish, whether that was the original intent or not. Plus, whenever current management is replaced, will the new administration be so honest?

That's why this is always a concern - "trust us, we won't do that" doesn't help if the data is compromised or if the next guy in charge has a different idea on how to run things. You might genuinely state that you won't abuse any new powers, but there's always someone else who will.
[ link to this | view in chronology ]
- David, 16 Aug 2016 @ 5:49am
  
  Re:
  To be sure, the basic mitigating ethics governing large-scale data collection always tend to amount to "don't be evil yet", gradually supplanted by "no-one could have expected us to let all this potential go waste".
  [ link to this | view in chronology ]
Anonymous Coward, 16 Aug 2016 @ 4:58am

who needs magic when you have wifi
they have means to create a marauder's map
[ link to this | view in chronology ]
Anonymous Coward, 16 Aug 2016 @ 5:27am

The original story is from here:

http://www.smh.com.au/national/university-students-you-are-being-watched-20160811-gqqet7.html
[ link to this | view in chronology ]
Quiet Lurcker, 16 Aug 2016 @ 5:33am

The university said the practice, which looked at where people were moving around campus, helped institutions improve retention rates and the experience of students.

How are these things even related?

According to the article, the university is using the data for the following reason:

The university is trying to work out where people move across the campus to help with planning the new Metro Rail project, which will run through the middle of the campus.

Again, I see no relation, except insofar as the location data might suggest where not to run the line in the interest of not putting people at risk.
[ link to this | view in chronology ]
Anonymous Coward, 16 Aug 2016 @ 5:51am

Other universities too
The university I work at had something similar in its strategic IT plan. That was under a different director though, so it might have been dropped.

The idea was both for lecture attendance (more for course evaluation than student assessment) and to identify high traffic/utilization areas on campus.
[ link to this | view in chronology ]
Step, 16 Aug 2016 @ 5:52am

The practice is not confined to the University of Melbourne. There was an article in the Sydney Morning Herald about a week ago with the provocative title "Students be afraid: big chancellor is watching you". The online version is at:

http://www.smh.com.au/national/university-students-you-are-being-watched-20160811-gqqet7.html
At the University of Melbourne, Wi-Fi routers track students as they move through the campus and leave a digital trail with their mobile phones. And at the University of Sydney, students' online activity is matched with their demographic background to predict who might drop out. It's called "learning analytics" and universities say it is the key to improving retention rates and the student experience.
Elsewhere the article adds:
The University of Sydney is also trialling an initiative which uses the data created by students to identify those at risk of dropping out. It uses their enrolment details, which could include demographic data, and information about their engagement during the first six weeks of semester. This engagement data is based on student's interaction with university resources such as videos, reading materials and responses to online questions.
Big Chancellor indeed!

If those two universities are doing such things chances are others as well. Or soon will.

The article goes on to note that at Australia's RMIT university "a team monitors...how often students are logging into the learning management system, submitting assignments and attending classes" and "reaches out to those who appear disengaged" while at the University of Wollongong "the number of times you borrow a book might help determine whether you are an at-risk student"

Big Chancellor is coming!
[ link to this | view in chronology ]
Anonymous Coward, 16 Aug 2016 @ 6:06am

There's no ethical problem with doing this...
If the university gets the informed consent of the observed first. Of course, then students may say "no" and that would decrease the value of the study as well as making the university work harder (otherwise known as "do it's job", but it seems no authoritarian institution likes actually doing it's job these days). And to get consent they would probably have to have a data deletion policy, so they wouldn't be able to profit from mining the data collected for purposes other than the currently stated one.
[ link to this | view in chronology ]
Ninja (profile), 16 Aug 2016 @ 6:41am

Any form of tracking without consent should be illegal (excluding investigative law enforcement work properly authorized by a court). And in this case you can't protect yourself with standard practices (ie: vpn). I'm guessing you'd need to spoof information on your device (ie: MAC) and prevent other data leakage that's somewhat beyond any average user.
[ link to this | view in chronology ]
- John Fenderson (profile), 16 Aug 2016 @ 6:49am
  
  Re:
  Spoofing your MAC address might work, but you'd need to change it frequently. Perhaps every 15 minutes or so? The only other method I can think of to avoid this would be to turn your WiFi off.
  [ link to this | view in chronology ]
  - Anonymous Coward, 16 Aug 2016 @ 7:45am
    
    Re: Re:
    Do people really keep their wifi on all the time? I only turn mine on if I have a slew of updates, otherwise it isn't worth the little extra battery drain. I do have "unlimited" data so I only really care about speed...
    [ link to this | view in chronology ]
    - Stephen, 16 Aug 2016 @ 7:52am
      
      Re: Re: Re:
      Do people really keep their wifi on all the time?
      Since many if not most people seem to walk around with their smartphones in their hands, it's a fair bet those who keep their wifi off most of the time are in a minority.
      [ link to this | view in chronology ]
    - John Fenderson (profile), 16 Aug 2016 @ 8:04am
      
      Re: Re: Re:
      Personally, I use Android and Tasker to accomplish a compromise. My phone occasionally "sniffs" the wifi signals in the area (it does not send any wifi signals out when it does this), and if it sees an AP that is on my list of approved access points, it turns the wifi on and connects to that point automatically. When I leave the AP's range, it turns the wifi back off.
      
      This way my wifi is effectively off when I'm out and about, but I don't have to remember to turn it on or off myself.
      [ link to this | view in chronology ]
      - Chuck, 16 Aug 2016 @ 8:29am
        
        Re: Re: Re: Re:
        The problem with this is that, if you were a student at the university, then your phone would probably still have the school's network in your "approved access point" list and still connect to it.
        
        This is the problem. WiFi security revolves around at least some minor level of trust. When it's the network itself that's tracking you, no amount of software security can help you.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 16 Aug 2016 @ 8:42am
        
        Re: Re: Re: Re: Re:
        Yes, this is precisely correct.
        
        I was speaking of the more general case. After all, some retail stores have started using the exact same sort of tracking of anyone that comes into their stores.
        [ link to this | view in chronology ]
      - Anonymous Coward, 16 Aug 2016 @ 4:02pm
        
        Re: Re: Re: Re:
        Haven't looked at this for decades, but the moment a receiver receives, it does a transmission by reflection. So, just by "sniffing" you send out a signal (momentary though it may be and small though it be). Mind you, with so many active sites around you, it may not be possible to actually pick up said signal anyway.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 16 Aug 2016 @ 9:50pm
        
        Re: Re: Re: Re: Re:
        I'm not sure what you're referring to here. When my receiver is sniffing, it is only listening. It is not sending out a radio transmission at all. (I just now confirmed this with some test equipment.)
        
        Your reference to "transmission by reflection" is vague and I can think of a couple of things that you might be referring to, but none of them seem very relevant to this particular issue.
        
        What am I missing?
        [ link to this | view in chronology ]
      - Stephen, 17 Aug 2016 @ 2:06am
        
        Re: Re: Re: Re:
        My phone occasionally "sniffs" the wifi signals in the area (it does not send any wifi signals out when it does this)...
        If your phone is doing a handshake with a cell tower when it does that "sniffing", then it is necessarily exchanging data packets with the tower.
        [ link to this | view in chronology ]
        
        nasch (profile), 17 Aug 2016 @ 7:19am
        
        Re: Re: Re: Re: Re:
        If your phone is doing a handshake with a cell tower when it does that "sniffing", then it is necessarily exchanging data packets with the tower.
        
        He's talking about wifi, so no cell tower involved.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 17 Aug 2016 @ 7:31am
        
        Re: Re: Re: Re: Re:
        Nasch is right, I'm not talking about cell towers. Also, my Wifi is not engaging in any handshaking to do this. It's just listening for the AP beacons.
        [ link to this | view in chronology ]
      - nasch (profile), 17 Aug 2016 @ 7:18am
        
        Re: Re: Re: Re:
        My phone occasionally "sniffs" the wifi signals in the area (it does not send any wifi signals out when it does this), and if it sees an AP that is on my list of approved access points, it turns the wifi on
        
        How does it check for wifi without turning wifi on?
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 17 Aug 2016 @ 7:34am
        
        Re: Re: Re: Re: Re:
        It does turn the wifi on briefly to listen, but transmits nothing when it does so. It uses the radio chip as a receiver only. The rest of the operating system does not think the radio is on when it does this.
        [ link to this | view in chronology ]
        
        Stephen, 18 Aug 2016 @ 7:10pm
        
        Re: Re: Re: Re: Re: Re:
        It does turn the wifi on briefly to listen, but transmits nothing when it does so.
        So your phone is capturing data packets being broadcast by a wifi router but not sending any of its own?
        [ link to this | view in chronology ]
    - PaulT (profile), 17 Aug 2016 @ 12:26am
      
      Re: Re: Re:
      You answered your own conundrum there. *You* have unlimited data so *you* don't care about the wifi. Others don't, or have maxed out their "unlimited" quotas, etc., so they use wifi. *You* care about the battery drain, others value the wifi data more.
      
      These things tend to be more understandable when you don't assume everyone else has the same needs and resources as you do.
      [ link to this | view in chronology ]
  - Quiet Lurcker, 16 Aug 2016 @ 7:45am
    
    Re: Re:
    Or not use the public wi-fi. I take my smart-phone places where there's free wi-fi. If I don't connect, I don't send any information, and the only information that can be gathered from my phone is that a smart phone with such-and-so MAC address sent a ping to identify wi-fi sources in the vicinity. Now, more than one access points being available might be a bit problematic. Relative signal strengths acquired from a few different points for a given MAC address might enable some reasonably close position estimation (subject to such things as time stamp resolution vs. speed of light for a given distance; effects of human body/furnishings/other devices/etc. on signal strength; positions in 3-dimensional space of the access points as compared to one another, etc., etc...)
    [ link to this | view in chronology ]
    - John Fenderson (profile), 16 Aug 2016 @ 7:59am
      
      Re: Re: Re:
      "the only information that can be gathered from my phone is that a smart phone with such-and-so MAC address sent a ping to identify wi-fi sources in the vicinity."
      
      Right, which means that it's possible to identify and track the movements of your cell phone, even if you don't connect to anything.
      [ link to this | view in chronology ]
    - Tom Mink (profile), 16 Aug 2016 @ 12:07pm
      
      Re: Re: Re:
      If your device pings the access point to see if there's a network, that's enough to establish your location even without establishing a connection. By default most wifi enabled devices like to introduce themselves to every router within shouting distance.
      [ link to this | view in chronology ]
- Padpaw (profile), 16 Aug 2016 @ 6:45pm
  
  Re:
  not a should but in most states it is illegal.
  [ link to this | view in chronology ]
Chuck, 16 Aug 2016 @ 8:24am

Stalker's Wet Dream
Never mind the potential for abuse by school officials, either of their own accord or at the behest of the NSA and their ilk.

What about a stalker? What about a hacker? What about both?

Can you imagine a stalker who also happens to be a decent hacker getting their hands on this data? Live tracking of their potential victim at their fingertips. Holy hell what a bad idea.

As with so many privacy issues today, the question is not "can you trust the authorities with this information?" The question is "can you trust every single person on earth with this information?" Everything CAN be hacked, no exceptions, no exemptions, ever, period. The only way to truly secure data is for the data to not exist in the first place.
[ link to this | view in chronology ]
- John Fenderson (profile), 16 Aug 2016 @ 8:38am
  
  Re: Stalker's Wet Dream
  This has been trivially possible for a very long time now. The only thing that's happening here that's new is that it's being done by institutions on a wide-scale basis. But the technique they're using is as old as Wifi itself.
  
  By the way, this can't even be considered "hacking". All of the information being obtained is being done through known and accepted protocols being used in the intended way.
  
  The issue, really, is that data, legitimately obtained for one purpose, is being used for an entirely different purpose without people's knowledge -- let alone consent.
  
  So, as with many of these things, the real question is "who owns the data"? Is it "your" data, because it is about you, that you've "licensed" for a particular purpose? Or is it the AP owner's data, because they collected what was freely given, and they can use for any purpose they wish?
  [ link to this | view in chronology ]
  - Anonymous Coward, 16 Aug 2016 @ 9:39am
    
    Re: Re: Stalker's Wet Dream
    exactly! A+++++ on these comments
    [ link to this | view in chronology ]
Anonymous Coward, 16 Aug 2016 @ 9:37am

This is interesting use of the technology but I don't understand what exactly can be done about it. So to me it's just more evidence of people using fear tactics to whip people up into an unecessary frenzy about big brother and his evil intentions - ooooo scary!

The wifi system by it's very nature knows where your device is physically located and by that it knows where you (or the person holding your device is located). Thus the administrator(s) of that system know where you/your device is at all times within a reasonable degree of accuracy. "Oh but I don't use wifi, I turn it off" - well your carrier's data system knows where you are too so good luck with that.

There's no such thing as location privacy if you have a cellphone in your posession that's turned on (wifi or not). So stop living your lives in fear. Big brother is always watching. He always has been in some form or another but you've managed to survive despite that fact. Calm down folks. That said, when you hear of cases of someone or some organization taking the ability of this and other types of technology too far - then you can scream to the hilltops. For now, nothing to see here - move on.
[ link to this | view in chronology ]
- Anonymous Coward, 16 Aug 2016 @ 9:58am
  
  Re:
  There is a difference between a system keeping short term records of a devices location, so that it can be communicated with, and some organization collecting that data into a database where they can analyses it for all sorts of information. The first is transient necessary information, and could possibly be used to locate you right now, the second, on a residential campus is going to capture much more than just attendance at lectures.
  Do you really want university staff to be able to figure who is sexually active, and with which taste in partners?
  [ link to this | view in chronology ]
- John Fenderson (profile), 16 Aug 2016 @ 9:55pm
  
  Re:
  "For now, nothing to see here - move on."
  
  I couldn't disagree more. If we just ignore these issues now, they will be decided by default in a way that is very unfavorable for individuals and will become extremely difficult to change.
  
  Now is exactly the time to raise a big fuss about all of this.
  [ link to this | view in chronology ]
Anonymous Coward, 16 Aug 2016 @ 3:33pm

Back when I was in uni, an enterprising student whipped up a program that tracked where any username that was logged in to the mainframe was located, and outputted an ascii map of the location (a modem for remote dial-up, and a map of the lab with an arrow pointing at the specific computer for on-campus access).

This software was extremely useful for finding and meeting up with friends (I even wrapped it in a csh script to alert me if one of my friends was logged in in a nearby lab).

Eventually the university found out and banned the software. Reportedly, some enterprising students had started using it as stalking software.

Sounds like the more things change, the more they stay the same.
[ link to this | view in chronology ]
Lewis Barrett, 17 Jan 2020 @ 6:16am

It nevertheless violates the privacy of students. The university does not have the right to do this without the consent of students. Studying cannot be effective in such conditions. You can go to this site to find a good study program. But if a student pays money, then he will be responsible for his visits, and college can not force him to attend classes.
[ link to this | view in chronology ]