But Herold noted that a key phrase from the Intersection press release is that the program is designed to show how, “technology can enable citizens to have more unique, tailored experiences with both cities and brands.” She said there is no way to “tailor” experiences without an app that connects individuals to the program, and without PII being involved.
Kelsey Finch, policy counsel at FPF, agrees that is the key element that should concern users.
“Beacons themselves cannot pinpoint smartphone position and do not track smartphone owner movement,” she said. “They can only detect that a Bluetooth-enabled device has entered a particular zone.”
But while the beacons themselves don’t collect any data or send messages, “they enable an app associated with them to understand more precisely where you, or your phone, are,” she said. “It’s the app that collects the data and uses it to send users messages when they are near a particular beacon. As to whether apps can promise not to collect PII, that’s a different question.”
It’s the app that collects the data and uses it to send users messages when they are near a particular beacon. As to whether apps can promise not to collect PII, that’s a different question.
Kelsey Finch, policy counsel, Future of Privacy Forum
Devlin said that is a crucial distinction. “Every device has multiple identities related to the device itself, the carrier, the network interface, the network address, etc.,” he said. “Once collected, such data can potentially be joined with other data to build a more complete profile of an individual that is not anonymous. And suddenly the customer becomes the product, and someone else becomes the customer.”
That last point resonates with others, including Susan Grant, director of consumer protection at the Consumer Federation of America.
She noted that if riders respond to marketing solicitations generated by the app, “that provides information about what the device users buy, how much they pay for things, etc.”
She said it is clear to her that, “this is really not so much about helping people find their way, it’s about increasing the MBTA’s ad revenue.”
Herold said privacy claims without specific details are, “a common marketing gimmick to spin the story away from the privacy issues and instead get their targeted users to see it as only something good.”
She called it “a huge red flag,” and said the public should start demanding that app and smart device developers, “build in effective privacy protections, and also provide objective privacy impact assessment results to validate their claims.”
Kasunich said there are a number of ways besides advertising that the program could help riders, including offering audible directions to the visually impaired, opening elevator doors when someone using a wheelchair approaches or providing alerts when elevators are down or routes are changed.
Sign up for Computerworld eNewsletters.