The recent concerns surrounding digital billboards near Toronto’s Union Station stem from the use of facial detection technology, systems that scan passersby to estimate demographic information such as approximate age and gender. While these tools do not store images or collect identifiable biometric data, their deployment in a high-traffic, unavoidable public space has triggered renewed scrutiny over consent, transparency, and the broader use of surveillance-adjacent technologies in Canada. Although the public reaction may make this feel like an emerging issue, this type of technology is not new. Facial detection and audience-measurement systems have been used in advertising, retail, and major transportation hubs for more than a decade. Shopping malls, airports, and international entertainment districts have frequently deployed cameras embedded in digital signage to analyze dwell time, foot traffic, and demographic patterns. A notable example occurred in 2020 when federal and provincial privacy commissioners found that mall kiosks in Canada captured images of millions of shoppers to estimate demographics without meaningful consent, leading to regulatory inquiries and public pushback.
Similarly, the broader practice of passive device tracking, monitoring smartphones via Wi-Fi and Bluetooth signals, has been in common use for years, particularly in large entertainment and commercial districts. Las Vegas casinos, retail centers, and event venues were among the earliest adopters of these systems. By collecting anonymous probe signals emitted by smartphones searching for networks or Bluetooth connections, operators can track movement patterns, dwell times, repeat visits, and crowd behaviour in real time. These systems do not require a person to connect to any network; the simple act of carrying an active device is often enough for tracking sensors to detect it. While many organizations claim that device identifiers are anonymized, privacy experts have long warned that re-identification can occur depending on how data is handled or combined with other sources.
What makes the current situation noteworthy is less the technology itself and more the increasing sensitivity surrounding surveillance and data collection, especially when such tools appear without clear consent mechanisms. Public expectations around transparency have evolved significantly, and the placement of these billboards at a major transit hub, where individuals cannot meaningfully opt out, elevates concerns. Adding to this is uncertainty created by the recent sale of the billboard operator’s digital media division to a U.S. company, prompting questions about future oversight, data governance, and the consistency of privacy practices under new ownership.
While facial detection and device-tracking technologies have long existed, their use in crowded public environments underscores persistent gaps in communication, regulation, and public trust. As public awareness grows and regulatory frameworks tighten, organizations deploying these tools will face increased pressure to ensure visible, meaningful consent, robust privacy protections, and transparent explanations of how data is collected and used.
If facial detection, biometric analytics, Wi-Fi tracking, or Bluetooth-based monitoring technologies were to fall into the wrong hands, the potential for misuse becomes significant. Even tools designed only to estimate age or gender can be reconfigured or combined with other data sources to covertly identify individuals and track their movements across multiple locations. A malicious actor could capture and store facial images, match them against publicly available photos, and build detailed behavioural profiles, all without a person’s knowledge. When integrated with Wi-Fi or Bluetooth signals emitted by smartphones, these systems can form persistent digital fingerprints, enabling long-term monitoring of routines, frequented locations, and personal habits.
Misuse of such technologies could also involve inferring sensitive personal attributes. Advanced analytics may reveal emotional states, stress levels, health indicators, ethnicity, socioeconomic markers, or social patterns, all of which could be used to target, manipulate, or discriminate. Threat actors could exploit these systems for stalking, harassment, targeted surveillance, or to track high-profile individuals such as executives, political figures, or employees. In a corporate context, compromised systems may be used for espionage, monitoring competitor meetings, identifying clients or partners, or collecting data that provides an unfair strategic advantage.
From a criminal perspective, combining facial and device data could support more sophisticated social engineering or fraud schemes by identifying individuals who fit specific demographic or behavioural profiles. Foreign governments or intelligence entities could use the same technology to monitor diaspora communities, track political dissidents, or observe the movements of diplomats and business leaders. At a broader scale, unchecked deployment of these tools could lead to mass surveillance systems capable of real-time crowd monitoring, behaviour scoring, or population-level analytics, eroding privacy and civil liberties.
While these technologies are often marketed as anonymous and low risk, their misuse could enable widespread tracking, profiling, and exploitation. This underscores the importance of strict controls, transparent practices, strong regulatory frameworks, and secure data governance, particularly when these systems are deployed in public, high-traffic environments where individuals have limited ability to opt out.
Our Teams
Our team at Paladin Risk Solutions is well positioned to assist stakeholders who may be concerned about the unauthorized use of facial detection systems, covert cameras, Wi-Fi/Bluetooth tracking devices, and other forms of illicit surveillance technology within their environments. Through our specialized Technical Surveillance Countermeasures teams, we conduct comprehensive sweeps of facilities to identify and mitigate hidden or illegally installed monitoring tools.
Our experts use advanced detection equipment to locate concealed cameras, unauthorized networked devices, covert transmitters, rogue Wi-Fi access points, Bluetooth beacons, and other forms of electronic surveillance equipment that may be collecting data without consent. Beyond detection, we provide stakeholders with detailed reports, risk assessments, and recommendations to strengthen their information security posture and ensure compliance with privacy requirements. Whether the concern involves workplace surveillance, corporate espionage, unauthorized monitoring in sensitive areas, or emerging biometric-based threats, Paladin Risk Solutions offers discreet, thorough, and highly technical TSCM services designed to protect the privacy, integrity, and operational security of organizations across Canada.
In addition to our TSCM capabilities, the BlueSky intelligence team provides stakeholders with a proactive layer of monitoring, analysis, and threat identification relating to illicit surveillance technologies. Our analysts actively track trends involving biometric monitoring, covert data collection tools, and digital advertising technologies that may pose privacy or security risks. We monitor open-source intelligence, dark-web discussions, industry developments, and online forums where threat actors may share methods for deploying hidden cameras, Wi-Fi sniffers, Bluetooth beacons, or other tracking devices. BlueSky can also assist organizations by conducting targeted intelligence assessments on locations, vendors, or technologies of concern; identifying pre-incident indicators; and providing early warning for suspicious activity near sensitive sites. Through real-time intelligence feeds, custom reporting, and advisory support, our team helps organizations understand emerging threats, evaluate potential vulnerabilities within their environments, and implement preventive measures before harm occurs. This integrated intelligence capability ensures stakeholders have both situational awareness and the strategic context required to safeguard their people, assets, and operations from unauthorized surveillance and data-collection risks.