A Dutch City Gets A €600,000 Fine For WiFi Tracking

It’s not often that events in our sphere of technology hackers have ramifications for an entire country or even a continent, but there’s a piece of news from the Netherlands (Dutch language, machine translation) that has the potential to do just that.

Enschede is an unremarkable but pleasant city in the east of the country, probably best known to international Hackaday readers as the home of the UTwente webSDR and for British readers as being the first major motorway junction we pass in the Netherlands when returning home from events in Germany. Not the type of place you’d expect to rock a continent, but the news concerns the city’s municipality. They’ve been caught tracking their citizens using WiFi, and since this contravenes Dutch privacy law they’ve been fined €600,000 (about $723,000) by the Netherlands data protection authorities.

The full story of how this came to pass comes from Dave Borghuis (Dutch language, machine translation) of the TkkrLab hackerspace, who first brought the issue to the attention of the municipality in 2017. On his website he has a complete timeline (Dutch, machine translation), and in the article he delves into some of the mechanics of WiFi tracking. He’s at pains to make the point that the objective was always only to cause the WiFi tracking to end, and that the fine comes only as a result of the municipality’s continued intransigence even after being alerted multiple times to their being on the wrong side of privacy law. The city’s response (Dutch, machine translation) is a masterpiece of the PR writer’s art which boils down to their stating that they were only using it to count the density of people across the city.

The events in Enschede are already having a knock-on effect in the rest of the Netherlands as other municipalities race to ensure compliance and turn off any offending trackers, but perhaps more importantly they have the potential to reverberate throughout the entire European Union as well.

51 thoughts on “A Dutch City Gets A €600,000 Fine For WiFi Tracking

    1. Seems like this basically harms the people who were unlawfully tracked in the first place, now their city has a little less money to spend on proper projects.

      1. Sadly most executives or similar higher-ups never gets fined for the damage caused by their bad decisions.
        Which is ironically the one thing modern day capitalism so sorely needs.

        1. In theory, they should be getting “fined” by being fired by the people the next time elections roll around. (Or via a recall if that’s an option and there are sufficiently motivated people…) :-)

    2. Yes and that’s sad, but I still think €600,000 of taxpayers’ money being wasted is just a drop in the ocean and yet it has indirectly payed for many other tracking services being taken down (hopefully). So I guess it’s not a total waste.

    3. And where does the fine go? That’s a 600k back into the government income….

      If the ruling was: “You invaded dave’s privacy, you need to pay dave 600k”, then that’s a loss for “taxpayers”.

    4. The height of the fine is meant as an indication of the severity of the privacy offense. It sets boundaries for what is acceptable within the GDPR and what’s not. Every municipality and institute in The Netherlands wo was still doing rf tracking will now think twice before the continue with that practice, so that’s the gain for the citizens.
      The municipality of Enschede has an annual turnover of around 700 million €, so they can endure this fine. My guess is that the reputational damage hurts more because it signals a bad management decision which resulted in the unlawful privacy invasion of it’s citizens.

      1. When there is a difference between what they say and what they eventually do in the next years after they are elected, how do you make a decent choice? All the voter can do, is choose wisely and hope for the best.

  1. Spreading some devices that send out tons of traffic with random mac’s would probably break their whole system anyway. It would not be hard or expensive to do.

    1. That’s a lot of fun.

      Too bad the “hotspot” of say a group of 100, 300 or 1000 people seems to be moving slowly through the city. You’d need a whole bunch of them. Not something you can do on your own.

      Hmmm. Or you can quickly cycle through say 3^32 mac addresses. DOS the uplink of that little router….. :-)

      1. You only need to put one at each detection location. You can vary the signal strength to simulate movement but I doubt it’s that sophisticated of a tracking system.

      2. 48 bit MAC (Media Access Control) address (EUI-48) would be 2^48 possible devices = 281,474,976,710,656. Although the first 28 bits are allocated to individual manufacturers, so if you fixed the first 28 bits to say a block allocated to Apple or HP, Google, Amazon, Microsoft, Sony (the big trackers), then you could rapidly cycle through the bottom 20 bits (1,048,576). The end result would be that they would need to scrub the database of the most commonly tracked items. Of course YOU would need to build up a database of what the most common devices were in your city/shire/town/village, by storing an incremental count of the top the 28 bits of each EUI-48 seen, and definitely not logging the time the detection occurred.

    2. Better way is to make devices that sniff traffic from some places and transmit it combined together in different places so no one will know where really “real users” devices are.

      1. And generate some really interesting false patterns. For example, get the MAC addresses of the employees of a company you hate and retransmit them for a few hours near a strip club every Friday night at 5PM + driving time for the route between the two places…

    3. That sounds like a project that could be done with one of those 3eur esp8266 boards.
      Just blast out packets with MAC’s with random Apple and Huawei MAC’s and shitflood the data collection.

  2. I note that this was just a _local government_ that was doing this with personal devices we carry around already….

    …if nothing else it highlights the absurdity of tin foil hat brigade claims of chip implants that will supposedly be used for tracking… as in, why would you use an implant when people carry devices full of trackable information already?

      1. Very easy to make rfid antennas that are too small to be seen by human eye. Lots of biochemical sources of electricity in the human body, so electricity is not a problem. Tons of current academic research is going on to develop ‘nanochips’ for all sorts of legitimate medical purposes. Injected ‘nano’ devices are almost certainly going to be a reality at some point in the near future. The only variables are the actual size and the purpose.

  3. I still dont understand why people that are so engaged with their privacy, keep broadcasting a pretty unique ID all the time. The only reason people know is because the government is honest about it and actually has warning signs placed. If you dont want to be tracked, disable your wifi, duhh.

    Also, that he doesnt understand that you cant hash something with more bits than the amount of bits in the actual data, doesnt really make his point stronger (also means that its probably reversible what would be a problem).

    Is this the final decision? As far as I know, they havent gone to the high council yet.

    1. Best comment yet! no connection is always best, and most telco operators track as well, so you’re always logged somewhere.. just keep an eye out for the changes in the TOS..

  4. The most surprising item here is that someone might be surprised they are being tracked.should be no fines, people should just lose jobs. Obviously well planned, funded and ran for some time knowing it was ‘wrong’ to do so. Like the council cares of a fine they don’t have to pay past taxes. This won’t get fixed, they just got caught, use it as some sort of experience. Skirt of like a terms and service agreement evolves over time, depending g on what situations history has taught.

  5. Lol the ol coffers are getting low again? Just make up some crap and sue the heck out of google or MS again like the EU does when it goes broke. Super impressive use of time and govt resources.

  6. I think these sorts of laws are very unfortunate.

    We have this strange situation where we live in a technological society where we all use high tech gadgets every day. Yet most people seem to actively work at remaining as ignorant as they can about how the technology that surrounds them and that they depend on works.

    If you constantly broadcast a signal and especially if it contains some sort of unique Id then you are trackable. WiFi isn’t magic. It’s radio waves. If you want to go throughout your day without leaving a trail then learn what those gadgets you carry around do and take control of them! If you can’t be bothered to do so then don’t bother to whine about the consequences.

    Maybe if lawmakers took an attitude more like that we wouldn’t have such a tech-ignorant world population.

    1. I strongly disagree.

      I would agree, if you were the only person controlling the use of tech surveilling on you. That is absolutely not the case. 99% of the people can’t even control the OS on their own devices let alone what it broadcasts to whom.

      Surveillance without your control let alone consent is ever growing without most people even noticing.

      Who or what could possibly make a change it if not governments and laws?

      One big problem I can currently see is the selective enforcement of these laws. While local communties get fined, Google et al. continue to violate the very same laws wholesale without significant consequence.

  7. “Not the type of place you’d expect to rock a continent,…”

    Ok, this is off-topic and unrelated to the wifi-fine, but since the article starts with other trivia I can’t help to react to the choice of words. Enschede did in fact suffer from a fireworks explosion in the midst of the town in 2000. Maybe not a continent, but it definitely shook up the region physically, and country emotionally. 23 people died of which 4 firemen. Injured 1000 people, destroyed 400 homes, damaged 1500. https://en.wikipedia.org/wiki/Enschede_fireworks_disaster

Leave a Reply to JohnCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.