NSW government drops a Catch: Bus Wi-Fi is a privacy nightmare

Why is public transport connectivity so hard, anyway?

Privacy activists and the NSW Greens in Australia have come out against the NSW State Government's umpteenth Wi-Fi-on-buses trial.

The reason: instead of trying to offer the Wi-Fi itself, as has happened in past attempted-but-abandoned rollouts, the Baird government is letting a company called Catch run the hotspots.

Catch is an offshoot of outdoor advertising company APN Outdoor, which runs billboards at bus stops, big-screen ads and the like, and it has the kind of privacy policy you'd expect from an advertising company.

The potential data slurp includes name, address, phone number, employer, drivers' license number and date of birth – remember, that's just to get access to a Wi-Fi hotspot.

Once you've connected, the company also says it may snoop on your connection to look for “products and services you may be interested in”. If it then sees you near its billboards, it might collect your location; and if it can associate its profile with other public information (such as Facebook posts), that'll get sucked into the Catch panopticon as well.

Even credit card numbers get a mention as being up for collection, along with IP address and MAC address collection.

The Register checked in with the Australian Privacy Foundation, and among the answers we received from its members, two key issues stood out.

The first was that the breadth of data collected just to connect renders a VPN pointless: “you've already sold the farm”.

The second is that Catch asserts its users have the right to connect anonymously – something that seems difficult to reconcile with the broad and intimate data collected.

The NSW Greens picked up the issue over the weekend. The party's transport spokesperson Dr Mehreen Faruqi said the level of collection is excessive, and called on the government to make it clear to Sydney commuters how much data Catch is catching.

“The NSW Government needs to find safer, more responsible ways of providing better services and getting up to date with technology that is on offer”, she told the Australian Broadcasting Corporation.

APN Outdoor, however, says privacy concerns are overblown, because the privacy policy does not represent what will be collected, only the extent of permission a user gives. Here's its statement to The Register in full, provided by a spokesperson:

“I think you may have been misled. The privacy policy proposes such data may be collected, not will be collected.

“In the first instance the passenger will agree to general use Terms & Conditions, they will not be required to enter any personal information. However, in accordance with the Privacy Act, a passenger would be required to enter personal details such as address, date of birth etc. if they were to actively opt-in to entering a promotion, competition or other transaction on the Catch network if they were to occur in the future.

“It is also a trial so we have a long way to go.”

+Comment: The Register agrees with Dr Faruqi.

It seems excessive to include drivers' license numbers or credit card numbers in the list of things that “may” be collected. Since 2010, credit card breaches have been a staple of infosec stories.

The amount of data Catch includes in its policy is easily sufficient for identity theft if user data is somehow exposed.

APN Outdoor did not directly address our question about how data collected by Catch will be secured.

The Register was also unable to locate either APN Outdoor or Catch on the Australian Communications and Media Authority's list of licensed telecommunications carriers, or in the Telecommunications Industry Ombudsman's membership (they may, however, hold either a license or membership under some other entity name).

That question was not answered by the APN Outdoor spokesperson.

The Register also asked the office of state infrastructure minister Andrew Constance for comment. ®
