Traffax Systems are designed to provide the level of privacy protection needed to support your application.
The use of MAC addresses as identifiers is the key to the anonymity of this monitoring technology. MAC addresses are not associated with a specific user account (as is the case with cell phone probes) or any specific vehicle (as with automated toll tags).
- Individuals have the ability to "out-out" by setting their Bluetooth-enabled device. Users concerned with privacy can set the discovery option of their device (referred to as 'Discovery Mode' or 'Visibility') so that it will not be detectable.
- Traffax Inc. implements Bluetooth traffic monitoring technology in full compliance with the IEEE international standards. The method of detection and information recorded by Traffax sensors and software do not circumvent any security or privacy protocols. The inherent protection provided by Bluetooth prevents tracking a person based on their Bluetooth device without first isolating the device in order to determine and record its MAC ID. Only with this step could this information be used in a way that would jeopardize an individual’s privacy.
- Traffax BluFAX sensors and software can be configured to support the data security features appropriate to the needs of customer applications.
Level 1: Basic Privacy Protection
Level 1 configuration is based on the inherent protection provided by Bluetooth combined with appropriate data use and security practices. BluFAX is among the least intrusive forms of traffic data collection available. MAC addresses are assigned to individual devices by manufacturers at the factory and are not associated with any specific user account (as is the case with cell phone probes) or any specific vehicle (as with automated toll tags) and are not linked to a specific person through any type of central database, thus minimizing privacy concerns. MAC addresses are assigned at the Bluetooth electronic chip manufacturers, and are not tracked through the sales chain. Furthermore, individuals can control whether their Bluetooth enabled device can be detected. Users concerned with privacy can set options in their device (referred to as 'Discovery Mode' or 'Visibility') so that the device will not be detectable. The identity of the device owner cannot be determined on the basis of data collected by BluFAX devices. However, if the MAC address of a specific device is known, it is possible to isolate data for that device within data sets.
Any public entity dealing with sensitive personal information has established policies for its use and dissemination. Similar policies should be implemented for retention and dissemination of the Bluetooth MAC IDs. Such policies include:
Destroy any base level MAC ID information after processing. The MAC IDs are needed only to obtain travel time samples. After processing, discard or permanently encrypt any base level MAC ID data.
Use industry standard encryption and network security. Access to sensitive data is not a new problem. Proper security protocols, passwords, encryption and other methods should be incorporated into the data systems that store and process the MAC ID data.
Level 2: Encryption during Processing
BluFaxWeb, our real-time software,s contains an encryption algorithm with a verified, one-way cryptographic hash function to mask the MAC_IDs that are detected by the sensor. The hashed MAC_ID is stored and used as a substitute for the actual MAC_ID in the system. The hashed Mac_ID acts as the key to allow matching of time stamps among sensors within the system. The hashed MAC_IDs are displayed anywhere in the system where a MAC_ID might be displayed.
Level 3: Randomization and/or encryption of the data at its source:
In addition to safeguards during data processing, additional measures can be introduced in the sensors that make impossible to recover the unique MAC ID. These methods include encryption and randomization. The general processes are described below.
Encryption includes any method to transform the MAC ID data into a form which requires special knowledge (such as an encryption key) to recover the original information. It also includes hashes and other methods intended to make it difficult for a casual observer to the data stream to be able to recover the original information. Standard encryption may be introduced at the sensor level to encode the MAC ID. This would preserve the uniqueness of the tag so that matching could be performed (even on the transformed value), without exposing the MAC ID.
Randomization includes any method that deliberatively degrades the data so that individual observations are no longer globally unique, meaning that the ability to track a person based on their MAC ID is theoretically impossible. A simple example of this would be to truncate the original 3 numbers of the MAC ID. For the purpose of determining travel time, even a truncated MAC ID is sufficiently unique to sample traffic data, yet it is not sufficiently unique to identify a single Bluetooth device from the global population of Bluetooth devices. There are a number of methods for randomization.
Truncation of the MAC ID address (as previously explained) or any method that omits any particular digit of the original MAC ID address.
Numerical ordering of the MAC ID address digits. For example, a 12 digit MAC address of 08:79:AC:34:21:BA would be recorded as 01:23:47:89:AA:BC. Again, this is unique enough to determine travel time, but destroys the ability to associate a signal observation to a particular device.
Quotient method. All MAC IDs are divided by an integer divisor. The quotient of the division is used for travel time matches. This introduces uncertainty in determining the possible range of original MAC IDs that resulted in the quotient. The uncertainty scales with the integer divisor.
Any combination of the above methods
These methods are implemented in the sensor, not at the central processing. By implementing randomization measures at the detector, it becomes physically impossible to obtain the complete and globally unique MAC address, further protecting privacy.