It’s not often that events in our sphere of technology hackers have ramifications for an entire country or even a continent, but there’s a piece of news from the Netherlands (Dutch language, machine translation) that has the potential to do just that.
Enschede is an unremarkable but pleasant city in the east of the country, probably best known to international Hackaday readers as the home of the UTwente webSDR and for British readers as being the first major motorway junction we pass in the Netherlands when returning home from events in Germany. Not the type of place you’d expect to rock a continent, but the news concerns the city’s municipality. They’ve been caught tracking their citizens using WiFi, and since this contravenes Dutch privacy law they’ve been fined €600,000 (about $723,000) by the Netherlands data protection authorities.
The full story of how this came to pass comes from Dave Borghuis (Dutch language, machine translation) of the TkkrLab hackerspace, who first brought the issue to the attention of the municipality in 2017. On his website he has a complete timeline (Dutch, machine translation), and in the article he delves into some of the mechanics of WiFi tracking. He’s at pains to make the point that the objective was always only to cause the WiFi tracking to end, and that the fine comes only as a result of the municipality’s continued intransigence even after being alerted multiple times to their being on the wrong side of privacy law. The city’s response (Dutch, machine translation) is a masterpiece of the PR writer’s art which boils down to their stating that they were only using it to count the density of people across the city.
The events in Enschede are already having a knock-on effect in the rest of the Netherlands as other municipalities race to ensure compliance and turn off any offending trackers, but perhaps more importantly they have the potential to reverberate throughout the entire European Union as well.
51 thoughts on “A Dutch City Gets A €600,000 Fine For WiFi Tracking”
City council makes a mistake, but the fine gets paid with public tax money.
So, the money just goes full circle…
Not complete, the people of the city pay for the fine what goes to the ,national, goverment.
Full circle would mean no (additional) money is gone from the people’s pockets. That’s not the case here. :-)
Seems like this basically harms the people who were unlawfully tracked in the first place, now their city has a little less money to spend on proper projects.
Sadly most executives or similar higher-ups never gets fined for the damage caused by their bad decisions.
Which is ironically the one thing modern day capitalism so sorely needs.
Coal executives live with bad air, dirty water, and global warming.
They’re counting on dying before any of that affects them directly.
In theory, they should be getting “fined” by being fired by the people the next time elections roll around. (Or via a recall if that’s an option and there are sufficiently motivated people…) :-)
Yes and that’s sad, but I still think €600,000 of taxpayers’ money being wasted is just a drop in the ocean and yet it has indirectly payed for many other tracking services being taken down (hopefully). So I guess it’s not a total waste.
And where does the fine go? That’s a 600k back into the government income….
If the ruling was: “You invaded dave’s privacy, you need to pay dave 600k”, then that’s a loss for “taxpayers”.
It goes from local city taxpayers into state budget. The people of Enschede won’t see much of that back.
The height of the fine is meant as an indication of the severity of the privacy offense. It sets boundaries for what is acceptable within the GDPR and what’s not. Every municipality and institute in The Netherlands wo was still doing rf tracking will now think twice before the continue with that practice, so that’s the gain for the citizens.
The municipality of Enschede has an annual turnover of around 700 million €, so they can endure this fine. My guess is that the reputational damage hurts more because it signals a bad management decision which resulted in the unlawful privacy invasion of it’s citizens.
If they had fined the responsible council members a few thousand each, they would also think twice, without any cost to taxpayers.
The people chose the city council. Vote better.
Have you seen the candidates that get offered? Run yourself.
When there is a difference between what they say and what they eventually do in the next years after they are elected, how do you make a decent choice? All the voter can do, is choose wisely and hope for the best.
Spreading some devices that send out tons of traffic with random mac’s would probably break their whole system anyway. It would not be hard or expensive to do.
That’s a lot of fun.
Too bad the “hotspot” of say a group of 100, 300 or 1000 people seems to be moving slowly through the city. You’d need a whole bunch of them. Not something you can do on your own.
Hmmm. Or you can quickly cycle through say 3^32 mac addresses. DOS the uplink of that little router….. :-)
You only need to put one at each detection location. You can vary the signal strength to simulate movement but I doubt it’s that sophisticated of a tracking system.
48 bit MAC (Media Access Control) address (EUI-48) would be 2^48 possible devices = 281,474,976,710,656. Although the first 28 bits are allocated to individual manufacturers, so if you fixed the first 28 bits to say a block allocated to Apple or HP, Google, Amazon, Microsoft, Sony (the big trackers), then you could rapidly cycle through the bottom 20 bits (1,048,576). The end result would be that they would need to scrub the database of the most commonly tracked items. Of course YOU would need to build up a database of what the most common devices were in your city/shire/town/village, by storing an incremental count of the top the 28 bits of each EUI-48 seen, and definitely not logging the time the detection occurred.
[strike]Simpsons[/strike]someone did it…
Better way is to make devices that sniff traffic from some places and transmit it combined together in different places so no one will know where really “real users” devices are.
And generate some really interesting false patterns. For example, get the MAC addresses of the employees of a company you hate and retransmit them for a few hours near a strip club every Friday night at 5PM + driving time for the route between the two places…
“… random mac’s … It would not be hard or expensive to do.”
Just enable this feature. Android 10 can do it, and probably also IOS.
That sounds like a project that could be done with one of those 3eur esp8266 boards.
Just blast out packets with MAC’s with random Apple and Huawei MAC’s and shitflood the data collection.
Mid level beaurocrat: “But it’s for the children”..
Low level beaurocrat: Ya for sure, we need to know where all the kinder are at all the times.
Whenever I hear this phrase, I know whatever is being spoken of, it’s some sort of scam.
In two words:
In one word:
Next time they will pay Google for that data. Dutch taxpayers will not mind spending some money for they privacy.
It’s a smokescreen. They’ll pay the fine and everyone will continue their lives happy that they are no longer being tracked…
I have to assume that this happens everywhere but they just don’t use it. I’m fairly certain my UBNT gear logs associations with specific APs.
… or they could switch to a privacy-friendly solution, if they really just want to know the number of devices:
I note that this was just a _local government_ that was doing this with personal devices we carry around already….
…if nothing else it highlights the absurdity of tin foil hat brigade claims of chip implants that will supposedly be used for tracking… as in, why would you use an implant when people carry devices full of trackable information already?
Ah yes, those fabled nanochips that are too small to detect and work without electricity or an antenna.
Very easy to make rfid antennas that are too small to be seen by human eye. Lots of biochemical sources of electricity in the human body, so electricity is not a problem. Tons of current academic research is going on to develop ‘nanochips’ for all sorts of legitimate medical purposes. Injected ‘nano’ devices are almost certainly going to be a reality at some point in the near future. The only variables are the actual size and the purpose.
key phrase: in the near future. In other words: they do not exist which was my point.
Not all people carry such devices (or maybe not all of the time). You can still choose not to be tracked (maybe). Implants would remove that option.
Tax increase to pay for the fine to be announced next week. Meanwhile in the US, NYC is tracking everything from EZPass on down.
The fine should have been paid by the people responsible for the decision to the people affected by the decision.
Anything else is baloney.
I still dont understand why people that are so engaged with their privacy, keep broadcasting a pretty unique ID all the time. The only reason people know is because the government is honest about it and actually has warning signs placed. If you dont want to be tracked, disable your wifi, duhh.
Also, that he doesnt understand that you cant hash something with more bits than the amount of bits in the actual data, doesnt really make his point stronger (also means that its probably reversible what would be a problem).
Is this the final decision? As far as I know, they havent gone to the high council yet.
Best comment yet! no connection is always best, and most telco operators track as well, so you’re always logged somewhere.. just keep an eye out for the changes in the TOS..
The most surprising item here is that someone might be surprised they are being tracked.should be no fines, people should just lose jobs. Obviously well planned, funded and ran for some time knowing it was ‘wrong’ to do so. Like the council cares of a fine they don’t have to pay past taxes. This won’t get fixed, they just got caught, use it as some sort of experience. Skirt of like a terms and service agreement evolves over time, depending g on what situations history has taught.
Same happening in Szeged.
hmm.. something to do with hal 2001? i’m afraid i can’t let you do that Dave…🙂
Lol the ol coffers are getting low again? Just make up some crap and sue the heck out of google or MS again like the EU does when it goes broke. Super impressive use of time and govt resources.
@Terry, maybe if google paid their taxes, the government wouldn’t have to extract the money by other means.
I think these sorts of laws are very unfortunate.
We have this strange situation where we live in a technological society where we all use high tech gadgets every day. Yet most people seem to actively work at remaining as ignorant as they can about how the technology that surrounds them and that they depend on works.
If you constantly broadcast a signal and especially if it contains some sort of unique Id then you are trackable. WiFi isn’t magic. It’s radio waves. If you want to go throughout your day without leaving a trail then learn what those gadgets you carry around do and take control of them! If you can’t be bothered to do so then don’t bother to whine about the consequences.
Maybe if lawmakers took an attitude more like that we wouldn’t have such a tech-ignorant world population.
I strongly disagree.
I would agree, if you were the only person controlling the use of tech surveilling on you. That is absolutely not the case. 99% of the people can’t even control the OS on their own devices let alone what it broadcasts to whom.
Surveillance without your control let alone consent is ever growing without most people even noticing.
Who or what could possibly make a change it if not governments and laws?
One big problem I can currently see is the selective enforcement of these laws. While local communties get fined, Google et al. continue to violate the very same laws wholesale without significant consequence.
“Not the type of place you’d expect to rock a continent,…”
Ok, this is off-topic and unrelated to the wifi-fine, but since the article starts with other trivia I can’t help to react to the choice of words. Enschede did in fact suffer from a fireworks explosion in the midst of the town in 2000. Maybe not a continent, but it definitely shook up the region physically, and country emotionally. 23 people died of which 4 firemen. Injured 1000 people, destroyed 400 homes, damaged 1500. https://en.wikipedia.org/wiki/Enschede_fireworks_disaster
Please be kind and respectful to help make the comments section excellent. (Comment Policy)