Privacy fears over Sydney light rail services pinging data from passengers' phones
Sydney web developer Indra Arifin stopped catching the light rail after discovering his data was being collected without his permission. (ABC News: Greg Bigelow )
Indra Arifin spotted a sign on a tram door on his morning commute to work and what it told him made him stop catching Sydney's light rail.
As he hopped aboard the L2 line in Surry Hills on a Monday morning in September, the web developer noticed a poster on the inside of the tram door advising passengers of a trial taking place.
Passengers could scan a QR code to find out more.
The poster in question on some of Sydney's light rail services, which showcases a QR code for commuters. (Supplied: Transdev)
That's how Mr Arifin discovered his Media Access Control (MAC) address, a 12-digit-number assigned to devices like phones, was being collected in an opt-out only system from the moment he got on the tram.
The QR code led to a Transport for NSW-branded web page that told passengers "wi-fi sensor technology" was being used on some Sydney light rail services in a trial "to collect data to help improve the network".
"The wi-fi sensors will collect MAC addresses, route and travel times and log data," it read, confirming they would not collect passenger "names, browsing history or contacts".
Passengers were reassured data pinged from phones would be "filtered, anonymised and aggregated" but also told "the MAC address from your device may, if collated with other information about that person, be capable of identifying an individual".
The web page did not specify exactly how long the data would be held, just not "longer than is reasonably necessary".
'Haven't been on the light rail since'
Mr Arifin said "the phrase 'to opt out' feels like I'm already opting in".
"It's a bit off just because I didn't know about this and now suddenly, I'm in it without me knowing in the first place."
Commuter Indra Arifin has concerns with the opt-out model. (ABC News: Greg Bigelow)
Mr Arifin said he does not necessarily disagree with the collection of MAC addresses but has concerns with how it is being done.
"I haven't actually been on the light rail since I noticed this thing," he said.
"It's more about the permission … I feel comfortable to opt-in instead of having to opt-out," Mr Arifin noted, claiming that there are no notices about the trial on the light rail stop before passengers step on to the service.
"My main concern is they're collecting people's data without their permission."
How commuter data is stored
The data is collected by Flowly, a private tech company based in La Réunion, which is a small French island off the coast of Africa.
To opt out of the trial, passengers must either have wi-fi capabilities turned off on their devices before they get on the light rail or give their MAC address within three hours of it being collected by filling out an online form.
Commuters have not been told how long their data will be retained. (ABC News: Timothy Ailwood)
After that Flowly said "your MAC address will have been made entirely anonymous … and we will not be able to identify it".
The data is encrypted and "stored at a secure data centre in NSW".
The sensors collecting passenger data are operating on seven out of the 76 trams currently in the tram network for a year until March 2025.
David Vaile, the co-convenor of UNSW's cyberspace law and policy community and chair of the Australian Privacy Association, is unconvinced by the trial's promises.
"No-one can promise if they keep your information safe if it's held online anymore, anywhere," Mr Vaile said.
"They've given what I think is an excessively strong assurance that everything will be OK and you can't be identified.
"The reality is under certain circumstances you can be."
Mr Vaile questioned the need for MAC addresses to be collected. (ABC News: Timothy Ailwood)
He said while "a MAC address alone is not your name", if cross-referenced with other information, it "could potentially connect back to you".
Mr Vaile also questioned whether the light rail needed to gather MAC addresses to understand passenger flow.
"If you were really trying to do that, I'm sure there are ways you could get most of what you need in a lot less intrusive way," he said.
A spokesperson for Transdev, the private operators of the light rail, said MAC addresses were "immediately encrypted then anonymised and de-individualised … on secure servers", which "means the encryption process is irreversible".
They said their collection process means "there is no way to link a MAC to other data or an individual".
Trains and buses not collecting MAC addresses
Other modes of public transport in NSW are not using the Flowly trial to monitor passenger movements.
Instead, a Transport for NSW spokesperson said it relied on smart ticketing systems and Opal cards to track "travel patterns based on tap-on and tap-off data".
A Transdev spokesperson said their way gave "more insight into origin-destination information by filling the 'tap-on/tap-off' data gap," which included "special event patronage where no data is available due to integrated ticketing and student usage of shuttle services".
Operators of the light rail, Transdev, said the MAC addresses were "immediately encrypted". (ABC News: Timothy Ailwood )
According to the spokesperson, Flowly "complies with NSW privacy regulations" and will "inform future improvements".
Transdev confirmed a partnership with Flowly but there was "no cost for this trial".
"The Flowly trial was publicised on the Transport for NSW news pages and posters will remain in place on board the trams with active sensors for the remainder of the trial," Transdev said.
They defended the opt-out system because it enabled "the large volume of travel flows needed to give a comprehensive view of a network's performance".
Mr Vaile said while it may help with data collection for the company, it was worse for passenger privacy.
"Opt-out is convenient to them but it's really inconvenient for you."
For Mr Arifin, he is concerned for passengers who might not see the Flowly trial poster on a packed tram.
"They will think that it's just a normal ride on the light rail not noticing that the light rail is collecting more data than it's supposed to."
These days, he catches the Metro to work instead.