Airport: “We’re tracking every single footstep you take and can connect it to your mail address, but your privacy is safe because we say so”

A sign on the revolving entrance to a European airport, one sign among many, says “the airport employs wi-fi and bluetooth tracking; your privacy is ensured”. The vast majority of people have no idea what this is, and just see it as one sign among many like “no smoking”. But this cryptic term is an indoor mass real-time positioning for every individual in the area at the sub-footstep level, and the airport knows who many of the individuals are.

When your mobile phone has wifi activated, it transmits a network identity signal – a MAC address – continuously in asking its environment for which Wi-Fi networks are available in the area, looking for known networks to connect to. It is possible to use a network of wi-fi base stations in a limited area to pinpoint the exact physical location of your phone in that physical area – by comparing the signal strength of your phone’s identity ping from multiple stations receiving it, and knowing where those stations are, your phone’s location can be calculated in microseconds with sub-footstep accuracy. And as your phone keps pinging its environment to search for wi-fi networks, the end effect is that your movements are tracked basically down to the footstep level in physical space and the second level on the timeline.

We know this because it caught some rare attention when the sub-footstep individual realtime tracking was rolled out citywide in a mid-size town in Europe, and was cracked down on by that state’s Privacy Board (thankfully).

Let’s take that again: sub-footstep-level identified realtime tracking has already been in place in major cities at the city level.

That’s why it’s positively infuriating to see this vague statement on an airport door, and knowing what it means, but also knowing that it has been deliberately worded to make 99% of people even reading it not understand what it means. And most people won’t even read it.

Your privacy is ensured “because we say so”, apparently.

It gets worse. Your phone is continuously broadcasting its MAC address, right? But the airport has no way of knowing which MAC address belongs to which person, right? So even though this is bad, the airport doesn’t know how you moved, when, and where, and how fast, and with whom… right?

Except, the tracking is done with a Wi-Fi network, remember? Which you can and will connect to, because it broadcasts the name “Free Airport Wi-Fi”. And the only thing you need to provide this network in order to get free and fast net access, thereby connecting with the very MAC address which has been tracked, is your email address.

…and suddenly the airport can connect your physical movements to your email address, and therefore most likely to your identity. It now has the ability to know how you moved through the airport, where you ate, whom you met with, for how long, the list that goes on, a list that shouldn’t be there. The only safeguard against it not doing so and using it against you is a vague “trust us”.

It’s not a random small countryside airport, either. It is Amsterdam-Schiphol, which is the 12th largest airport in the world, and the third largest in Europe after London-Heathrow and Paris-Charles-de-Gaulle.

Your privacy remains your own responsibility.