Are New York’s Free LinkNYC Internet Kiosks Tracking Your Movements?

LinkNYC kiosks have become a familiar eyesore to New Yorkers. Over 1,600 of these towering, nine-and-a-half-foot monoliths — their double-sided screens festooned with ads and fun facts — have been installed across the city since early 2016. Mayor Bill de Blasio has celebrated their ability to provide “the fastest and largest municipal Wi-Fi network in the world” as “a critical step toward a more equal, open, and connected city for every New Yorker, in every borough.” Anyone can use the kiosks’ Android tablets to search for directions and services; they are also equipped with charging stations, 911 buttons, and phones for free domestic calls.

But even as the kiosks have provided important services to connect New Yorkers, they may also represent a troubling expansion of the city’s surveillance network, potentially connecting every borough to a new level of invasive monitoring. Each kiosk has three cameras, 30 sensors, and heightened sight lines for viewing above crowds.

Since plans for LinkNYC were first unveiled, journalists, residents, and civil liberties experts have raised concerns that the internet kiosks might be storing sensitive data about its users and possibly tracking their movements. For the last two years, the American Civil Liberties Union, Electronic Frontier Foundation, and a small but vocal group of activists — including ReThink LinkNYC, a grassroots anti-surveillance group, and the anonymous Stop LinkNYC coalition — have highlighted the kiosk’s potential to track locations, collect personal information, and fuel mass surveillance.

Now an undergraduate researcher has discovered indications in LinkNYC code — accidentally made public on the internet — that LinkNYC may be actively planning to track users’ locations.

Mayor Bill de Blasio speaks at a press conference next to a LinkNYC public internet kiosk on Feb 18, 2016.

You’re the Product

Plans to replace the city’s payphone booth network with Wi-Fi-enabled kiosks were first announced by de Blasio in 2014. Less than a year later, the city awarded a contract to a chameleon-like consortium of private companies known as CityBridge. It was an attractive deal: LinkNYC kiosks, at no cost to the city, would provide free internet coverage to anyone walking by. CityBridge, in turn, would be responsible for the installation, ownership, and construction of the devices, with plans to earn back its expenses through advertising. The twin 55-inch displays will eventually carry targeted ads derived from the information collected about kiosk users.

These terms raised alarms among internet researchers and privacy experts, who were quick to point out that nothing in life is truly free. “As we know,” Benjamin Dean, a technology policy analyst, told attendees at a New York hacking conference in 2016, “When you’re not paying, you’re not the customer — you’re the product.”

The key player in CityBridge is known as Intersection, and one of Intersection’s largest investors is Sidewalk Labs, with whom it also shares the same offices and staff. Sidewalk Labs CEO Daniel Doctoroff is the chair of Intersection’s board. Sidewalk Labs is owned by Google’s holding company, Alphabet Inc. In other words, the plan to blanket New York City with 7,500 camera-equipped obelisks has been largely underwritten by the company formerly known as Google — a corporation whose business model depends on selling your personal information to advertisers. As Doctoroff, who was also the city’s former deputy mayor of economic development, has said of the kiosks: “By having access to the browsing activity of people using the Wi-Fi — all anonymized and aggregated — we can actually then target ads to people in proximity and then obviously over time, track them through lots of different things, like beacons and location services, as well as their browsing activity. So in effect, what we’re doing is replicating the digital experience in physical space.”

In March 2016, the New York Civil Liberties Union raised multiple concerns with the mayor’s office about LinkNYC’s vast and indefinite data retention and the possibilities for unwarranted NYPD surveillance. The NYCLU asked whether environmental sensors and cameras would be hooked up to NYPD systems, including the Domain Awareness System (built by Microsoft). LinkNYC has since updated its policy to state that it will take reasonable efforts to notify users if their information is being shared with law enforcement.

In May of this year, Charles Meyers, an undergraduate at New York City College of Technology, came across folders in LinkNYC’s public library on GitHub, a platform for managing files and software, that appear to raise further questions about location tracking and the platform’s protection of its users’ data. Meyers made copies of the codebases in question — “LinkNYC Mobile Observation” and “RxLocation” — and shared both folders with The Intercept.

According to Meyers, the “LinkNYC Mobile Observation” code collects the user’s longitude and latitude, as well as the user’s browser type, operating system, device type, device identifiers, and full URL clickstreams (including date and time) and aggregates this information into a database. In Meyers’s view, this code — along with the functions of the “RxLocation” codebase — suggests that the company is interested in tracking the locations of Wi-Fi users in real time. If such code were run on a mobile app or kiosk, he said, the company would be able to make advertisements available in real time based on where and who someone was, and that this would constitute a potential violation of the company’s privacy policy. In 2016, LinkNYC’s privacy policy made it clear that it did not collect information about users’ precise locations. “However,” it states, “we know where we provide WiFi services, so when you use the services we can determine your general location.”

LinkNYC disputes these speculations. David Mitchell, Intersection’s chief technology officer, told the Intercept that the code was never intended to be released and was part of a longer-term research and development process. “In this instance,” he explained over email, “Intersection was prototyping and testing some ideas internally, using employee data only, and mistakenly made source code public on Github. This code is not in use on the LinkNYC network.” An Intersection spokesperson added that LinkNYC does not collect users’ clickstream data or browsing history, and that it has not used the “RxLocation” codebase to collect user data. LinkNYC did not respond to repeated questions about the function or purpose of the code.

The Intercept asked four technologists, including a computer forensics investigator and an expert on Wi-Fi location tracking, to independently review the code. Each confirmed that the code could execute commands as Meyers had described, but they emphasized that it was not possible to determine the purpose of the code and whether it was actually running on any kiosks or devices based on the information given. They concluded that it was unlikely that the code was currently in use, as its unfinished security features pointed to the fact that it appeared to be in progress, possibly for a mobile product. “We don’t know why it exists, but the fact that it exists is creepy,” explained Surya Mattu, a research scientist and artist. “There’s no way properly to interrogate this further as a third party.”

For many researchers and privacy experts, this lack of third party oversight represents the most significant issue. Privacy experts told The Intercept that the lack of clarity surrounding LinkNYC’s leaked code points to the larger lack of transparency surrounding the kiosk’s operations. Despite their omnipresence in the city’s major public spaces, LinkNYC’s pervasive data collection is not constrained by any auditing mechanisms, explained Daniel Schwarz, a technology fellow at the NYCLU. “Without transparency and external auditing of the source code, as well as what data is collected, for what purpose, and how it is being monetized by the company,” he said, “there is no way to verify whether the privacy policy is working to protect users’ data.”

A few hours after The Intercept contacted LinkNYC for comment, the company demanded that Github remove Meyer’s copy of its code due to copyright violations.

Pedestrians pass one of the new Wi-Fi kiosks that offer free web surfing, phone calls and a charging station on August 24, 2016 in New York City.

Connecting — and Controlling — Communities

As LinkNYC expands across the globe — Intersection has unveiled plans for kiosks in Philadelphia, Toronto, and the U.K. — so too does the scope of the concerns surrounding it. Shahid Buttar, the EFF’s director of grassroots advocacy, has warned of the possibility of mission creep — that is, the expansion of LinkNYC’s uses beyond its stated purpose to provide free Wi-Fi. “There’s no reason to presume that a current statement of policy will constrain the consortium of the future,” Buttar said.

LinkNYC’s current privacy policy already shows that the company sweeps up enormous amounts of sensitive data from all users, such as “MAC address (anonymized), IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, device type, and device identifiers.” LinkNYC’s privacy policy classifies this information as technical, rather than personal, data. It may occasionally “supplement anonymized Technical Information we collect from you with information collected by third parties. Third parties may include advertising partners or other providers that help us understand our users.”

This distinction, privacy experts say, ignores the fact that device identifiers — even when anonymized — provide more than enough information to tell advertisers, law enforcement, or malefactors who we are, since most phones and computers are used by the individuals who own them. Knowing that a device has been in multiple locations, along with the history of the Wi-Fi networks it has visited, can provide enough information for someone to find out where individuals live, work, commute, shop, and so on. A recent Associated Press investigation found that many Google services for Android devices and iPhones were storing location data even if when users had turned on a privacy setting to prevent Google from doing so.

According to privacy watchdogs, the rollout of the kiosk’s cameras have shown how the mission has already expanded beyond its initial purview. In 2016, LinkNYC disclosed that the kiosks “may” contain cameras; by 2017, the cameras were operational. LinkNYC’s privacy policy states that cameras do not keep video records for more than seven days and that the camera footage is used to “improve the services.” But opting out is not an option: Just by walking down the block, it is possible to be swept into its audio or video feeds, which can capture a nearly 360-degree view of their surroundings. Civil liberties experts have concerns about the circumstances under which CityBridge will share its ongoing taping with law enforcement. What’s more, according to documents obtained by ReCode, Sidewalk Labs is selling kiosks to other cities that will be able to “monitor pedestrian, bike and car traffic, track passing wireless devices, listen to street noise and use the kiosks’ built-in video cameras to identify abandoned packages.” Intersection’s chief innovation officer told MIT Tech Review that it was considering upgrading kiosks to support augmented reality and autonomous vehicles.

The NYCLU and EFF stated that the ambiguity surrounding Meyer’s discovery of the code underscores the need for community-driven initiatives to protect the privacy and civil liberties of users. As EFF has noted, there are no means for New Yorkers to participate in decisions about how data from LinkNYC kiosks will be used, with whom they will be shared, for how long they will be retained, or whether the parameters under which they are initially collected might expand in the future. In response to Meyer’s findings, ReThink LinkNYC is calling for third-party oversight to confirm that the company’s software does what it says it does.

The New York City Mayor’s Office did not respond to a request for comment on the calls for auditing and stronger oversight. Samir Saini, Commissioner of the New York City Department of Information Technology and Telecommunications (DoITT), wrote in an email to The Intercept following the publication of the story that “as a public project, LinkNYC can only exist if it conforms to the City’s unambiguous commitment to user privacy. That means the City does not, and will never, allow the network operator — CityBridge — to exploit individual identifiers or precise location of LinkNYC users. If, at any time during our careful oversight of CityBridge, we discover practices that violate the Privacy Policy, we will direct CityBridge to immediately cease and desist from that practice. It is unfortunate that CityBridge inadvertently posted code on Github for an R&D project they were working on. CityBridge is not permitted to use code that tracks the precise location of users on the LinkNYC network.”

In a follow-up email to The Intercept, Saini explained that city’s audits will be “triggered when DoITT feels that an investigation of specific franchisee practices is necessary.”  At present there are no regular audits of the CityBridge agreement to determine whether LinkNYC is violating users’ privacy.

“We don’t know if it’s being held to its standards because there is so much opacity and not enough transparency surrounding the system,” explained Buttar. “There needs to be some designated processes with public accountability and participation before the kiosk system and private organizations that constitute the consortium can propose changes unilaterally on millions of users.”

Correction: September 18, 2018
This article has been updated with comments from Samir Saini, commissioner of the New York City Department of Information Technology and Telecommunications, who contacted The Intercept after publication. Saini clarified the LinkNYC privacy policy and explained that CityBridge does not retain the right to collect information about the specific websites users visit on their own devices.

Update: September 10, 2018
Charles Meyers filed a counter notice with Github, challenging LinkNYC’s takedown demand, and he has made the code he found available again here.