Exposed code found online indicates that LinkNYC may be preparing to monitor the movements of its users.

Since their introduction in early 2016, LinkNYC kiosks have become a familiar part of the New York City landscape, with over 1,600 towering nine-and-a-half-foot structures installed across the city. These kiosks feature double-sided screens displaying advertisements and informative content, along with Android tablets that anyone can use to search for directions and services. They also offer charging stations, 911 buttons, and phones for free domestic calls, making them a valuable resource for New Yorkers.

However, while providing these services, the kiosks have also raised concerns about the expansion of surveillance in the city. Each kiosk includes three cameras, 30 sensors, and heightened sight lines for viewing above crowds. This extensive monitoring network has the potential to connect every borough to a new level of invasive surveillance.

Since the inception of LinkNYC, journalists, residents, and civil liberties experts have expressed concerns that the internet kiosks may be storing sensitive user data and even tracking their movements. For the past couple of years, groups such as the American Civil Liberties Union, Electronic Frontier Foundation, and anti-surveillance group ReThink LinkNYC, along with the anonymous Stop LinkNYC coalition, have voiced their apprehensions about the kiosks’ ability to collect personal information and fuel mass surveillance.

Recently, an undergraduate researcher made a startling discovery after finding indications in the LinkNYC code that had been accidentally exposed online. The code suggests that LinkNYC may be actively preparing to monitor users’ movements, potentially exacerbating concerns about the invasive nature of the kiosks’ surveillance mechanisms.

You’re the Product
Plans to replace the city’s payphone booth network with Wi-Fi-enabled kiosks were first announced by de Blasio in 2014. Less than a year later, the city awarded a contract to a chameleon-like consortium of private companies known as CityBridge. It was an attractive deal: LinkNYC kiosks, at no cost to the city, would provide free internet coverage to anyone walking by. CityBridge, in turn, would be responsible for the installation, ownership, and construction of the devices, with plans to earn back its expenses through advertising. The twin 55-inch displays will eventually carry targeted ads derived from the information collected about kiosk users.

These terms raised alarms among internet researchers and privacy experts, who were quick to point out that nothing in life is truly free. “As we know,” Benjamin Dean, a technology policy analyst, told attendees at a New York hacking conference in 2016, “When you’re not paying, you’re not the customer — you’re the product.”

The key player in CityBridge is known as Intersection, and one of Intersection’s largest investors is Sidewalk Labs, with whom it also shares the same offices and staff. Sidewalk Labs CEO Daniel Doctoroff is the chair of Intersection’s board. Sidewalk Labs is owned by Google’s holding company, Alphabet Inc. In other words, the plan to blanket New York City with 7,500 camera-equipped obelisks has been largely underwritten by the company formerly known as Google — a corporation whose business model depends on selling your personal information to advertisers. As Doctoroff, who was also the city’s former deputy mayor of economic development, has said of the kiosks: “By having access to the browsing activity of people using the Wi-Fi — all anonymized and aggregated — we can actually then target ads to people in proximity and then obviously over time, track them through lots of different things, like beacons and location services, as well as their browsing activity. So in effect, what we’re doing is replicating the digital experience in physical space.”

In March 2016, the New York Civil Liberties Union raised multiple concerns with the mayor’s office about LinkNYC’s vast and indefinite data retention and the possibilities for unwarranted NYPD surveillance. The NYCLU asked whether environmental sensors and cameras would be hooked up to NYPD systems, including the Domain Awareness System (built by Microsoft). LinkNYC has since updated its policy to state that it will take reasonable efforts to notify users if their information is being shared with law enforcement.

In May of this year, Charles Meyers, an undergraduate at New York City College of Technology, came across folders in LinkNYC’s public library on GitHub, a platform for managing files and software, that appear to raise further questions about location tracking and the platform’s protection of its users’ data. Meyers made copies of the codebases in question — “LinkNYC Mobile Observation” and “RxLocation” — and shared both folders with The Intercept.

According to Meyers, the “LinkNYC Mobile Observation” code collects the user’s longitude and latitude, as well as the user’s browser type, operating system, device type, device identifiers, and full URL clickstreams (including date and time) and aggregates this information into a database. In Meyers’s view, this code — along with the functions of the “RxLocation” codebase — suggests that the company is interested in tracking the locations of Wi-Fi users in real time. If such code were run on a mobile app or kiosk, he said, the company would be able to make advertisements available in real time based on where and who someone was, and that this would constitute a potential violation of the company’s privacy policy. In 2016, LinkNYC’s privacy policy made it clear that it did not collect information about users’ precise locations. “However,” it states, “we know where we provide WiFi services, so when you use the services we can determine your general location.”

LinkNYC disputes these speculations. David Mitchell, Intersection’s chief technology officer, told the Intercept that the code was never intended to be released and was part of a longer-term research and development process. “In this instance,” he explained over email, “Intersection was prototyping and testing some ideas internally, using employee data only, and mistakenly made source code public on Github. This code is not in use on the LinkNYC network.” An Intersection spokesperson added that LinkNYC does not collect users’ clickstream data or browsing history, and that it has not used the “RxLocation” codebase to collect user data. LinkNYC did not respond to repeated questions about the function or purpose of the code.

The Intercept asked four technologists, including a computer forensics investigator and an expert on Wi-Fi location tracking, to independently review the code. Each confirmed that the code could execute commands as Meyers had described, but they emphasized that it was not possible to determine the purpose of the code and whether it was actually running on any kiosks or devices based on the information given. They concluded that it was unlikely that the code was currently in use, as its unfinished security features pointed to the fact that it appeared to be in progress, possibly for a mobile product. “We don’t know why it exists, but the fact that it exists is creepy,” explained Surya Mattu, a research scientist and artist. “There’s no way properly to interrogate this further as a third party.”

For many researchers and privacy experts, this lack of third party oversight represents the most significant issue. Privacy experts told The Intercept that the lack of clarity surrounding LinkNYC’s leaked code points to the larger lack of transparency surrounding the kiosk’s operations. Despite their omnipresence in the city’s major public spaces, LinkNYC’s pervasive data collection is not constrained by any auditing mechanisms, explained Daniel Schwarz, a technology fellow at the NYCLU. “Without transparency and external auditing of the source code, as well as what data is collected, for what purpose, and how it is being monetized by the company,” he said, “there is no way to verify whether the privacy policy is working to protect users’ data.”

A few hours after The Intercept contacted LinkNYC for comment, the company demanded that Github remove Meyer’s copy of its code due to copyright violations.

LinkNYC: Connecting Communities and Raising Concerns about Control

As LinkNYC expands across the globe — Intersection has unveiled plans for kiosks in Philadelphia, Toronto, and the U.K. — so too does the scope of the concerns surrounding it. Shahid Buttar, the EFF’s director of grassroots advocacy, has warned of the possibility of mission creep — that is, the expansion of LinkNYC’s uses beyond its stated purpose to provide free Wi-Fi. “There’s no reason to presume that a current statement of policy will constrain the consortium of the future,” Buttar said.

LinkNYC’s current privacy policy already shows that the company sweeps up enormous amounts of sensitive data from all users, such as “MAC address (anonymized), IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, device type, and device identifiers.” LinkNYC’s privacy policy classifies this information as technical, rather than personal, data. It may occasionally “supplement anonymized Technical Information we collect from you with information collected by third parties. Third parties may include advertising partners or other providers that help us understand our users.”

This distinction, privacy experts say, ignores the fact that device identifiers — even when anonymized — provide more than enough information to tell advertisers, law enforcement, or malefactors who we are, since most phones and computers are used by the individuals who own them. Knowing that a device has been in multiple locations, along with the history of the Wi-Fi networks it has visited, can provide enough information for someone to find out where individuals live, work, commute, shop, and so on. A recent Associated Press investigation found that many Google services for Android devices and iPhones were storing location data even if when users had turned on a privacy setting to prevent Google from doing so.

According to privacy watchdogs, the rollout of the kiosk’s cameras have shown how the mission has already expanded beyond its initial purview. In 2016, LinkNYC disclosed that the kiosks “may” contain cameras; by 2017, the cameras were operational. LinkNYC’s privacy policy states that cameras do not keep video records for more than seven days and that the camera footage is used to “improve the services.” But opting out is not an option: Just by walking down the block, it is possible to be swept into its audio or video feeds, which can capture a nearly 360-degree view of their surroundings. Civil liberties experts have concerns about the circumstances under which CityBridge will share its ongoing taping with law enforcement. What’s more, according to documents obtained by ReCode, Sidewalk Labs is selling kiosks to other cities that will be able to “monitor pedestrian, bike and car traffic, track passing wireless devices, listen to street noise and use the kiosks’ built-in video cameras to identify abandoned packages.” Intersection’s chief innovation officer told MIT Tech Review that it was considering upgrading kiosks to support augmented reality and autonomous vehicles.

The New York Civil Liberties Union (NYCLU) and Electronic Frontier Foundation (EFF) have highlighted the need for community-driven efforts to safeguard the privacy and civil liberties of LinkNYC users, citing the ambiguity surrounding the discovered code. Despite concerns, there are no established means for New Yorkers to participate in decisions regarding the use, retention, and sharing of data from LinkNYC kiosks or whether the data collection parameters might change in the future. ReThink LinkNYC has called for third-party oversight to verify the company’s software, in response to the findings.

However, the New York City Mayor’s Office did not respond to requests for comments on the need for stronger oversight and auditing. Samir Saini, Commissioner of the New York City Department of Information Technology and Telecommunications (DoITT), stated that the LinkNYC project must conform to user privacy, and precise location tracking of users is not allowed. While CityBridge inadvertently posted code on Github, which violated privacy policies, they are not permitted to use code that tracks the precise location of LinkNYC users. The commissioner assured the public of the city’s commitment to protecting user privacy by directing CityBridge to cease such practices immediately.

Commissioner Saini explained in a subsequent email to The Intercept that the city conducts audits of CityBridge on a case-by-case basis when specific franchisee practices are deemed necessary for investigation. As of yet, regular audits have not been conducted to determine whether LinkNYC is violating user privacy.

Sahir Buttar, a policy director at the Electronic Frontier Foundation, stated that the lack of transparency surrounding the system has made it impossible to determine if the standards are being upheld. Without designated processes that include public accountability and participation, there is a risk that the kiosk system and private consortium could unilaterally propose changes affecting millions of users.

Correction: September 18, 2018 This article has been updated to reflect clarifications from Samir Saini, commissioner of the New York City Department of Information Technology and Telecommunications, who contacted The Intercept after the article was published. Saini explained that CityBridge is not permitted to collect information about specific websites users visit on their own devices.

Update: September 10, 2018 Charles Meyers filed a counter notice with Github after LinkNYC requested a takedown of the code he discovered. The code is once again available for public access here.