Since first appearing on the streets of New York City in 2016, LinkNYC’s free public Wi-Fi kiosks have prompted controversy. The initial version of the kiosks’ privacy policy was particularly invasive: it allowed LinkNYC to store personal browser history and time spent on a particular website, and it lacked clarity about how LinkNYC would handle government demands for user data, among other issues. While CityBridge, the private consortium administering the network, has thankfully incorporated welcome changes to its use policy, several problems unfortunately remain.

What is LinkNYC? 

The LinkNYC system, announced by the Mayor’s office in November 2014 after inviting competitive bids from private industry, includes over 1,000 public kiosks spread across all five boroughs of New York City. Each kiosk offers free high-speed Wi-Fi, phone calls, a charging station for mobile devices, and a built-in tablet capable of accessing various city services, such as emergency services, maps, and directions. Funded by advertisers who pay for time on the two 55” displays on either side of each kiosk, the system requires no payment from users or taxpayers.

On the one hand, the spring 2017 revisions to the CityBridge privacy policy substantially improved it over the original 2016 version, which allowed nearly limitless retention of user data, including browsing history. In particular, the adoption of limits on the time during which CityBridge will retain user data, and the commitment not to track browsing histories for users who use their own devices, render the LinkNYC service today far more respectful of privacy than it was when the system was first launched.

In the wake of its 2017 policy changes, LinkNYC still collects what it describes as “Technical Information,” such as IP addresses, anonymized MAC addresses, device type, device identifiers, and more, and retains it for up to 60 days. Additionally, the LinkNYC kiosks have cameras that store footage for up to 7 days.

Despite the positive privacy-minded revisions, the policy still fails to provide a pathway for public participation and includes no reference to remedies for potential violations. The story underlying the activation of LinkNYC cameras provides an illustration of these overlapping concerns. 

Opaque Processes Precluding Public Participation in Policy

Beyond the welcome updates to the CityBridge privacy policy, there appears neither any process allowing public participation in the governance of the kiosk system, nor a redress mechanism for potential violations. 

The process of setting policy remains thoroughly opaque. Even CityBridge’s welcome spring 2017 revisions prove the point: our colleagues at NYCLU wrote a letter to the Mayor’s office, which then engaged in negotiations with the private companies that together comprise the CityBridge consortium. Thankfully, the back-door process between the Mayor’s office and the companies produced a better result than the previous policy.

Going forward, however, there is no means for New Yorkers to participate in decisions about how data from Link kiosks will be used, with whom it will be shared, for how long it will be retained, or whether the parameters under which it is initially collected might conceivably expand in the future. 

Separate from privacy and freedom of expression, but closely related to them, are principles of transparency and public process. Without opportunities to participate in the construction of policies that affect them, New Yorkers and visitors who use the kiosks are reduced to the position of being sources of data, rather than users with needs to be served. 

Unspecified Remedies and Redress

The transparency and public process problem is most poignant looking forward. There is a parallel problem looking back, however: in the wake of any potential violation or breach of the CityBridge policies, there is no process for resolving problems that have already occurred.

Data breaches are a reality that we must consider. 2016 was a record year for data breaches, reflecting an increase of 40% from the year before, according to the nonprofit Identity Theft Resource Center. CityBridge fortunately collects and stores much less information than it did when the LinkNYC system first launched, which mitigates the potential impact of a data breach and renders the possibility far less threatening than other recent examples.

Beyond the event of a data breach is the possibility of CityBridge data being misused. Even if a CityBridge data center is never hacked by a malicious actor or foreign intelligence agency, what happens if a LinkNYC employee sells user information to third parties in violation of the consortium’s commitments?

LinkNYC’s failure to create a process, acknowledge any rights, or permit any remedies for potential violations remains problematic. As noted by Rethink Link NYC, a local community organization in the Electronic Frontier Alliance, “Even the best privacy policy is worthless without oversight or accountability.”

Those Cameras Prove the Point

In addition to collecting and retaining some data about users’ interactions with the kiosks, the LinkNYC towers also include sensors and cameras. Apart from their role in normalizing everyday surveillance, the story underlying their activation demonstrates the lack of process undermining public accountability.

An initial 2016 disclosure that the kiosks “may” have cameras somehow evolved—without a public mandate, and without any public process—into a 2017 policy allowing the cameras to operate and record users. CityBridge retains the footage for 7 days.

The emergence of constant surveillance through a program ostensibly extending public services, without any apparent public oversight, suggests the need to be vigilant when programs that claim to make cities “smart” fail to respect privacy. 

While the privacy policy has improved, it still allows CityBridge to disclose retained video data to “…improve the services,” which could include any number of uses invisible to end users. Also, it isn’t clear what kind of law enforcement requests will cause the footage to be disclosed, or what process CityBridge will undertake to potentially resist requests that undermine speech, dissent, other constitutional rights, or the rights of discrete minority groups.

Some New Yorkers, such as activists working with Rethink Link NYC, and opera singer Judith Barnes, have creatively drawn attention to these concerns, and others they have raised beyond those shared by EFF. For instance, Rethink Link NYC argues that “the city is getting paid because third-parties (unaccountable to this privacy policy) are getting unprecedented information from passers-by,” and notes that “bridging the digital divide doesn’t require turning the whole city in the one massive corporate surveillance network.”

We encourage everyone concerned about digital rights to raise their voices, and applaud these New Yorkers for taking creative action to raise awareness among their neighbors and visitors.

We also appreciate the efforts that CityBridge and the City of New York have made to improve LinkNYC’s privacy policies and practices. That said, we invite them to do more by providing a pathway for public participation and constructing remedies for potential breaches or misuse.