Location Services can Systematically Track Vehicles with WiFi Access Points at Large Scale
The risk of WiFi Tracking has been well recognized. New trends in the automotive industry promise a rapid growth of the number of mobile access points (and thus affected data subjects). While tracking of WiFi-users has been recognized as high potential risk, the risk has already been realized at large scale today for users of mobile access points. In particular, two major location services are already operational today across Europe and systematically report the locations of a large percentage of mobile access points to central collection points controlled by entities outside of Europe. Considering the high data protection risk inherent in location tracking of individuals, this raises the need for mitigation to new levels of urgency.
Location services that come with modern smartphones routinely send the identifiers of visible WiFi networks to servers. This additional source of location information significantly improves the estimate of the current location as compared to using only satellite navigation and visible cellular network. Normally, WiFi access points in fixed known locations are used. The risk that this is also done for access points that move with persons is substantial, however. Such moving access points are for example built into vehicle infotainment systems or are personal hotspots activated in smartphones.
The location of such mobile access points is then picked up world-wide and systematically by a dense network of bystanders who use location services on their smartphones. This can involve devices of pedestrians or smartphones used in vehicles for navigation. The identifiers of visible access points are then predominantly sent to the servers of two non-European location service providers, possibly with storage in third countries.
In this situation, the risk arises that the location of persons is being tracked and complete movement profiles can be collected. The risk is amplified by the fact that some identifiers of access points rarely change. Those of access points built into vehicles are even considered to be “secondary vehicle identifiers”. Considering the sensitive nature of location data in general and long-term movement profiles in particular, the data protection risk represented by location services must be considered high.
The described risk has to be seen in the context of the European Cooperative Intelligent Transport Systems (C-ITS) where the avoidance of tracking of vehicle locations has reached ample attention. This is for example evident in the system design that foresees frequent changes of the identifiers of vehicle2x communications. In contrast, the risks described here have fallen out of scope of C-ITS data protection studies, are likely already verified at large scale today, involve long-term stable identifiers, and it is unclear whether any mitigation measures are implemented.
This report is a follow-up of the data protection impact assessment conducted for the iKoPA project. The report is a prime example for the need to govern unexpected outcomes in research and innovation projects. This is being further studied in the PANELFIT project (Participatory Approaches to a New Ethical and Legal Framework for ICT).
 Markus Ullmann, Tobias Franz, Gerd Nolden, Vehicle Identiﬁcation Based on Secondary Vehicle Identiﬁer -- Analysis, and Measurements, in Proc. VEHICULAR 2017, The Sixth International Conference on Advances in Vehicular Systems, Technologies and Applications, Nice, France, July 23 to 27, 2017, pages 32-37.
 The EU C-ITS Platform has a dedicated “Data protection and Privacy” working group chaired by DG MOVE. This working group has also asked the opinion of the Article 29 Data Protection Working Party which was issued as WP 252, 03/2017.