On her way to work in the morning, Indra Arifin saw a sign on a tram door that told her to stop catching Sydney’s light rail.

While boarding the L2 line at Surry Hills on a Monday morning in September, the web developer noticed a poster on the inside of the tram door informing passengers that a trial was taking place.

Passengers can scan the QR code to find out more.

This is how Mr. Arifin discovered that his Media Access Control (MAC) address, a 12-digit number assigned to devices such as phones, was collected in a system that could only be disabled from the moment he boarded the tram.

The QR code directed passengers to a Transport for NSW branded web page, which told passengers that “wi-fi sensor technology” was being used in a trial on some Sydney light rail services “to collect data to help improve the network”.

“Wi-fi sensors will collect MAC addresses, route and travel times, and log data,” it said, confirming that it would not collect passenger “names, browsing history, or contacts.”

Passengers were assured that data sent from phones would be “filtered, anonymised and aggregated”, but also informed passengers. “The MAC address on your device can identify a person if blended with other information about that person.”

The web page doesn’t specify exactly how long the data will be retained, but it is “no longer than reasonably necessary”.

‘I haven’t taken the light rail system since that day’

“The term ‘give up’ makes it sound like I’m already involved,” Mr. Arifin said.

“It’s kind of weird because I didn’t know about it and now all of a sudden I’m involved in this without even knowing it in the first place.”

Mr Arifin said he was not at all opposed to the collection of MAC addresses, but he had concerns about how it was done.

“I haven’t taken the light rail since I noticed this thing,” he said.

Mr Arifin claimed there was no notification about the trial at the light rail stop before passengers stepped into the service, adding: “It’s more about permission… I feel comfortable getting involved rather than having to give up.”

“My main concern is people collecting their data without their consent.”

How is commuter data stored?

The data is collected by Flowly, a private technology company based in La Réunion, a small French island off the coast of Africa.

To opt out of the trial, passengers must turn off Wi-Fi features on their devices before boarding the light rail system or provide MAC addresses within three hours of receipt by completing an online form.

Thereupon, Flowly said, “Your MAC address will be completely anonymized and we will not be able to identify it.”

The data is encrypted and “stored in a secure data center in NSW”.

Sensors collecting passenger data are currently operating on seven of the 76 trams on the tram network for a year until March 2025.

David Vaile, co-convener of UNSW’s cyberspace law and policy society and president of the Australian Privacy Association, was not convinced by the hearing’s promises.

“They gave me what I thought was an extremely strong assurance that everything would be fine and that you would not be identified.

“The truth is, under certain circumstances you might be.”

“A MAC address by itself is not your name,” but if cross-referenced with other information “it could potentially get back to you,” he said.

Mr. Vaile also questioned whether light rail should collect MAC addresses to understand passenger flow.

“If you’re really trying to do this, I’m sure there are ways you can get most of what you need in a much less intrusive way,” he said.

A spokesman for Transdev, the private operator of the light rail, said MAC addresses are “immediately encrypted on secure servers, then anonymized and de-individualized”, which “means the encryption process is irreversible”.

They said their collection process meant there was “no way to connect a MAC to other data or to a person.”

Trains and buses do not collect MAC addresses

Other forms of public transport in NSW are not using the Flowly trial to track passenger movements.

Instead, a Transport for NSW spokesman said it relied on smart ticketing systems and Opal cards to track “travel patterns based on tap-on and tap-off data”.

A Transdev spokesperson said their method “provides more insight into origin-destination information by filling the ‘touch/touch’ data gap”; this includes “integrated ticketing and special event patronage for which no data is available due to student use” transportation service.

Flowly “complies with NSW privacy regulations” and will “inform you about future improvements,” according to the spokesperson.

Transdev confirmed its partnership with Flowly but said “this trial didn’t cost anything”.

They advocated for the opt-out system because it enabled “the large volumes of travel flows required to provide a comprehensive view of a network’s performance.”

This may help collect data for the company, but it is worse for passengers’ privacy, Mr. Vaile said.

“Going out is convenient for them, but really inconvenient for you.”

Mr Arifin is concerned about passengers who cannot see the Flowly trial poster on a full tram.

“They will think this is a normal trip on light rail, without realizing that light rail collects more data than it should.”

These days he takes the subway to go to work.