Londoners Tracked By Advertising Firm's Trash Cans

Posted by timothy
from the time-for-spoofing dept.
schwit1 asks "How can I automatically have my wi-fi turn off when I leave the house unless I specifically turn it back on?" and provides this excerpt from Wired to illustrate why that would be useful: "Hundreds of thousands of pedestrians walking past 12 locations unknowingly had the unique MAC address of their smartphones recorded by Renew London. Data including the "movement, type, direction, and speed of unique devices" was recorded from smartphones that had their Wi-Fi on. First reported by Quartz, the data gathering appears to be a Minority Report-esque proof-of-concept project, demonstrating the possibility for targeted personal advertising. 'It provides an unparalleled insight into the past behavior of unique devices — entry/exit points, dwell times, places of work, places of interest, and affinity to other devices — and should provide a compelling reach data base for predictive analytics (likely places to eat, drink, personal habits etc.),' reads a blog post on the company's site. In tests running between 21-24 May and 2-9 June, over 4 million events were captured, with over 530,000 unique devices captured. Further testing is taking place at sites including Liverpool Street Station." (The name sounds a bit like a government project, but Renew London is actually an advertising / marketing firm.)

  • by LordNimon (85072) on Sunday August 11, 2013 @03:17PM (#44537047)

    The 802.11 protocol does not require cell phones to broadcast their MAC addresses. Phones do it so that they can discover nearby networks faster, but it is completely optional.

    There needs to be an update to iOS and Android that gives users the option to disable this feature (I can't remember the official name). Users should understand that it will take longer to find access points, but in exchange, they get vastly increased privacy.

    • by girlintraining (1395911) on Sunday August 11, 2013 @03:25PM (#44537097)

      The 802.11 protocol does not require cell phones to broadcast their MAC addresses. Phones do it so that they can discover nearby networks faster, but it is completely optional.

      Except, of course, that it does. In order to associate to an access point, you have to send your MAC address. It's sort of how packet-switched networks operate: It needs a source and destination. What you're talking about is a Probe request, a special type of packet when a station needs to obtain information from another station. This other station is typically an AP, but not necessarily.

      Any connection made over wifi needs to broadcast a probe frame, and these are by definition unencrypted. Any station on the same channel can see them. Thus the only way to prevent broadcasting your MAC address is to disable wifi entirely. It is in no way "optional" for connecting to another wifi network, and many cell phone users want this functionality because auto-connecting to unsecured wifi allows for data transmission without incurring fees from their provider. The iPhone, for example, can receive OTA updates via open wifi, as can Android.

      They aren't doing it solely to "discover nearby networks faster"; It actually saves the user money.

      • by dnadoc (3013299) on Sunday August 11, 2013 @03:51PM (#44537251)
        What he meant was "The 802.11 protocol does not require cell phones to broadcast their MAC addresses when disconnected from an AP." Sure you need to send the MAC address to connect - he knows that. You don't need to send anything if you don't want to connect. It's not hard to write an app that turns off wifi outside of a particular physical area. That addresses the concern they're talking about. They don't care about background data usage on the phone when they're not using it.
        • by LordNimon (85072) on Sunday August 11, 2013 @04:51PM (#44537547)

          Thank you for understanding exactly what I was trying to say. However, it's not necessary to disable wifi completely. Instead, the phone should just not send any probe requests, and it should not automatically connect to an insecure network that it has never seen before.

          • [...]it should not automatically connect to an insecure network that it has never seen before.

            Well, if that's what you meant, then you're in luck. As you originally wrote, "There needs to be an update to iOS and Android that gives users the option to disable this feature." That's not necessary, because there are (and have always been) a grand total of two toggles in the Wi-Fi settings on iOS: "On/Off" and "Ask to Join Networks."

        • by sjames (1099) on Sunday August 11, 2013 @05:33PM (#44537765) Homepage

          It doesn't even have to go that far if you don't want. Just passively listen for known APs and only connect to those. Then add something friendly like a "look for WiFi" button to send out a probe when the user actively wants to connect to something and no known APs are broadcasting beacons.

          • You can go further and (as some phones do) prompt the user with "wifi base stations available; do you want to try to connect" when you see unknown APs. This can still be implemented without sending out any signal.
      • by Solandri (704621) on Sunday August 11, 2013 @03:57PM (#44537291)

        and many cell phone users want this functionality because auto-connecting to unsecured wifi allows for data transmission without incurring fees from their provider.

        Saying people want to auto-connect to unsecured wifi networks is like saying people want to be able to drive at 150 mph. Yeah everyone would like to do it, but they realize it's such a stupid thing to do that almost nobody willingly does so. A random unsecured wifi net in a public area is the perfect setup for a man-in-the-middle attack to harvest your email and bank login and passwords. At a minimum, automatically connecting to them should be disabled by default on all devices, and preferably there should be no way to enable such a "feature".

        If you want to connect to an unsecured wifi network, you should have to make a conscious decision and take a deliberate action to do it. Auto-connecting to them is colossally stupid. So there is no need for your phone to be automatically scanning wifi nets in a manner which exposes its MAC address. If you find yourself in a random location and would like to manually connect to an open wifi net which you feel you can trust, then the phone should give up its MAC address.

        If a probe request to identify nearby wifi nets requires a MAC address, that's a deficiency in the wifi handshaking standard IMHO. The phone should generate a random one just for that probe request to bypass that deficiency.

        • Re: (Score:2, Insightful)

          Saying people want to auto-connect to unsecured wifi networks is like saying people want to be able to drive at 150 mph. Yeah everyone would like to do it, but they realize it's such a stupid thing to do that almost nobody willingly does so.

          Driving at 150 MPH is legal in many areas. The Autobahn, Montana during the day... And it's not stupid. As well, they're going considerably faster than 150 MPH with their phones; They're going at 670,616,629 mph.

          A random unsecured wifi net in a public area is the perfect setup for a man-in-the-middle attack to harvest your email and bank login and passwords.

          Find me a bank or online retailer that allows financial accounting data to be submitted over insecure connections instead of SSL. I can wait.

          Auto-connecting to them is colossally stupid.

          So is carrying a cell phone in public, according to some. People don't have to use military-grade encryption to browse wikipedia; There's plenty of things that

          • Re: (Score:2, Informative)

            by Anonymous Coward

            Montana now has a day time speed limit (and has since 1999):

            http://en.wikipedia.org/wiki/Speed_limits_in_the_United_States#No_speed_limit [wikipedia.org]

          • by girlintraining (1395911) on Sunday August 11, 2013 @05:48PM (#44537867)

            I love how ignorant slashmods keep marking this as 'troll' while others who actually understand networking keep marking it informative. Sadly, the technical proficiency of people on this site continues to track lower month over month since the Dice takeover.

            Now people who suggest that the people who designed the internet might have known what they are doing are moderated down while the paranoid tin foil hat crowd gets modded up for suggesting that changing the protocol is a simple handwave and people with decades of experience in this sort of thing are incompetent...

          • by Arker (91948) on Sunday August 11, 2013 @07:42PM (#44538517) Homepage Journal

            You're both right, a little at least. It's perfectly safe to connect to whatever random wifi you run across and use it in the sense it's intended, in the case that you are absolutely certain anything important is actually being encrypted at the application layer where it should be.

            For most people, in the real world, they have no idea. Application programmers seem to do a really lousy job of it (as in usually don't even try) so it's certainly not safe to assume. Probably smarter in many cases simply to set your phone to only connect to networks you program it specifically to connect to. And encrypt them, so they cannot be trivially spoofed.

            IF they are actually broadcasting their MAC when NOT attempting to connect to a network, that would be a bug to stomp. But I am pretty sure that part was just GP's ignorance.

            And, btw, you SHOULD use encryption to browse wikipedia. You should, in fact, use HTTPS Everywhere [eff.org] and attempt to encrypt every single piece of data that is sent out, redundantly. This is because if you only encrypt things that you are worried about being seen, the encryption is suspicious in and of itself, and anyone investigating you for any reason (even just 'because your traffic passed our sniffer') is going to at least see exactly the data they are looking for, they will see the endpoints even if they cannot break the encryption. That 'meta data' may be more valuable than the encrypted message itself.

            So if you want digital privacy, don't just encrypt important documents. Encrypt every single thing you can, and encourage others to do the same. An internet where only super-sekrit documents are sent encrypted is a fertile environment for snoops. One where the amount of traffic that is encrypted at the application level already nears 100% may be the only way to regain the privacy that we have lost in the digital era - and it certainly cannot hurt.

            • by darthflo (1095225)

              And, btw, you SHOULD use encryption to browse wikipedia.

              Great advice, and not only for the reason you stated. Several recent attacks (BEAST, CRIME, BREACH) will use unencrypted connections originating from your browser to discover information transmitted in its encrypted connections.

          • Find me a bank or online retailer that allows financial accounting data to be submitted over insecure connections instead of SSL. I can wait.

            It doesn't matter what the bank or retailer gets the data over, it matters what your phone sends it over. All too often people start browsing from an insecure entry point and only later move to a secure part of a site. This allows the MITM to change links or redirects in the insecure part and hence get the user to either enter their authentication details unencrypted or get them to enter them encrypted but to a domain the attacker controls (and therefore has a "legitimate" certificate for).

            Plus ssl isn't as secure as people might like to think, for example apparently there were CAs out there who would still sign certs using md5 after md5 collision attacks became feasible allowing attackers to get themselves a cert with CA powers that was trusted by browsers*. There have also been recent attacks on SSL itself, and attacks on the way browsers combine compression with ssl.

            * http://www.win.tue.nl/hashclash/rogue-ca/ [win.tue.nl]

          • by gsslay (807818)

            Driving at 150 MPH is legal in many areas. The Autobahn, Montana during the day... And it's not stupid.

            Sorry, unless you are a professional racing driver with lightning reactions, driving at 150MPH is always stupid. And even if you are a racing driver, on public roads you can never anticipate what unexpected thing the driver next to you may do. At 150 MPH your safe margin of error is zero. Happy to put your life in their hands? Happy to risk the life of everyone about you?

            But back on topic; the idea of not automatically connecting to every network available is sound. Even if you aren't logging into you

          • by darthflo (1095225)

            Find me a bank or online retailer that allows financial accounting data to be submitted over insecure connections instead of SSL.

            There are a bunch of ways of working around and/or breaking SSL. Please read up on ssl stripping and the recent series BEAST/CRIME and BREACH. The former will terminate an ssl connection early, rewriting all links and references from http to https. The latter will place an agent script in any http pages requested and use cross-domain requests to disclose secure information.

            I think

        • by Kaenneth (82978)

          All you need is an encrypted VPN tunnel, and an unsecured WiFi access point should be safe (aside from the issues in this article, in that they can track your MAC address connecting... but what if you generate random mac addresses per connection attempt?)

      • by Anonymous Coward on Sunday August 11, 2013 @04:10PM (#44537353)

        The 802.11 protocol does not require cell phones to broadcast their MAC addresses. Phones do it so that they can discover nearby networks faster, but it is completely optional.

        Except, of course, that it does. In order to associate to an access point, you have to send your MAC address. [...]

        To discover a nearby access point 802.11 only requires that you listen for the broadcast.
        To connect to it, yes, you need to exchange MAC addresses - but this is only required if you actually want to connect to the AP.

        The GP is correct, actively throwing your MAC address around to networks you have no desire to connect to is not required by the protocol and should be disabled by default.

        Now, if your phone wants to go whoring around with every open AP just to save on wireless data transfer, that's a different problem...
        Probably also something that should be disabled by default.

      • by PPH (736903)

        The 802.11 protocol does not require cell phones to broadcast their MAC addresses. Phones do it so that they can discover nearby networks faster, but it is completely optional.

        Except, of course, that it does. In order to associate to an access point, you have to send your MAC address. It's sort of how packet-switched networks operate: It needs a source and destination. What you're talking about is a Probe request, a special type of packet when a station needs to obtain information from another station. This other station is typically an AP, but not necessarily

        Discover != Associate.

        Your cell phone (or any WiFi client) can listen for and enumerate available networks. The MAC address does not need to be sent until a connection is to be made. If your phone is set to automatically connect to any passing network, that's an entirely different can of worms. And smart trash cans are the least of your worries.

      • by DrXym (126579)
        The solution would be for the phone to periodically generate a random MAC for the purposes of scanning hotspots. If a user explicitly chooses to connect to a wifi hotspot the genuine MAC is presented and the connection proceeds with that. The behaviour could be turned on by default without affecting the user experience in any way. The random MAC could change every hour or so making the information transient and relatively useless to anybody who is snooping on it.
    • by slick7 (1703596) on Sunday August 11, 2013 @04:44PM (#44537517)
      Most people "need" less access to the internet and start paying attention to reality.
    • by mjwx (966435)

      The 802.11 protocol does not require cell phones to broadcast their MAC addresses. Phones do it so that they can discover nearby networks faster, but it is completely optional.

      There needs to be an update to iOS and Android that gives users the option to disable this feature (I can't remember the official name). Users should understand that it will take longer to find access points, but in exchange, they get vastly increased privacy.

      Android already has this option.

      In Android 4.x (4.3 here) go to Settings and slide the WiFi setting to "Off".

    • Just use a N900. It won't unnecessarily broadcast its MAC address.

      Of course, then you have to deal with it being so slow and swapping all the time, and the interface that's clunkier than a museum jalopy. As I like to say, the N900 is a piece of crap. But it's the best piece of crap in the world!

    • They may get "vastly increased privacy" in return for their phone not working optimally and increased mobile bills because they still get charged for the amount of traffic they use. The cell phone provider tracks them just the same and those records are kept for a long time so the government can get them if they wish so. Yes, some "free market" party getting similar data on you and selling it to anyone interested is going to have a much bigger impact on the life of the people that "have nothing to hide", bu

    • Another solution is changing MAC address every day. I think a one line cron job would do it on GNU/Linux. Unfortunately I have an Android/Linux/run/some/binaries/from/untrusted/places/to/gain/root toy, instead.

      Besides, those who really can track you have the IMEI.
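
Added example, not part of the original thread or any poster's code: the periodic MAC rotation that DrXym's comment and the cron-job comment above describe, written for a Linux host with iproute2. The interface name `wlan0` and the script path in the cron comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): give a Wi-Fi interface a fresh random MAC.
# Assumptions: Linux with iproute2, a driver that allows changing the address,
# and an interface name supplied by the caller (e.g. wlan0).
#
# Hypothetical hourly cron entry (script path is an assumption):
#   0 * * * * DRY_RUN=0 /usr/local/sbin/rotate-mac.sh wlan0

# Print a random MAC that is unicast and locally administered.
# In the first octet, bit 0 (0x01) is the multicast flag and must be 0;
# bit 1 (0x02) marks the address as locally administered and must be 1,
# so the value never falls in a vendor-assigned (OUI) range.
random_mac() {
    # Six random bytes as unsigned decimal numbers.
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ($1 & 252) | 2 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Succeed only for a lower-case MAC whose first octet has the
# locally-administered bit set and the multicast bit clear.
# The low nibble of the first octet is then one of 2, 6, a, e.
is_local_unicast() {
    case "$1" in
        [0-9a-f][26ae]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Apply a new random MAC to the given interface.
# DRY_RUN defaults to 1, so nothing is changed unless DRY_RUN=0 is set.
# Taking the link down drops any current association, so run this while
# disconnected or accept the reconnect.
rotate_mac() {
    iface=$1
    mac=$(random_mac)
    is_local_unicast "$mac" || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would set $iface to $mac"
        return 0
    fi
    ip link set dev "$iface" down &&
    ip link set dev "$iface" address "$mac" &&
    ip link set dev "$iface" up
}

# Only act when an interface name is given on the command line.
if [ "$#" -ge 1 ]; then
    rotate_mac "$1"
fi
```

An access point that filters on MAC address will reject the rotated address, so rotation fits scanning and untrusted networks rather than networks that whitelist the device.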

  • Llama or Tasker (Score:5, Informative)

    by The MAZZTer (911996) <megazzt@gma[ ]com ['il.' in gap]> on Sunday August 11, 2013 @03:18PM (#44537053) Homepage

    Former is free and can do what you need, latter costs a few bucks but is apparently far more versatile.

    This is for Android, of course.

  • Cell phones (Score:5, Insightful)

    by girlintraining (1395911) on Sunday August 11, 2013 @03:18PM (#44537059)

    If you're carrying a cell phone around, you might as well surrender any idea that your movements are not being tracked by 3rd parties without your knowledge or consent. Retailers like Target are installing ANPR systems in surveillance cameras, their wifi routers are already watching for probe attempts from cell phones as a way of monitoring where you are in the store (how long did you spend in the women's section? Where on the floor did you stop to look at advertising?) and modules are also installed to track cell phone transmissions and ESNs to uniquely identify customers at checkout (you use a credit card, and now your ESN is linked to your name)...

    Trash cans are watching you. Buses are equipped with similar sensors. If you are carrying a cell phone, someone, somewhere, knows exactly where you are and is going to sell this information. You are not carrying a cell phone these days: You're carrying a tracking beacon with two-way communication capability.

    • Re:Cell phones (Score:5, Interesting)

      by clonehappy (655530) on Sunday August 11, 2013 @04:43PM (#44537509)

      Here are a few simple rules I follow to try and mitigate the amount of my data that third-parties can get their hands on, at least as far as mobile devices are concerned:

      1. Turn Wi-Fi on only when you're around trusted (or at least known) APs. This would be at work, home, friends' houses, etc. Out in public, that's why I pay for an LTE connection, no worries about Starbucks or Target's Wi-Fi doing anything nefarious. Keep Wi-Fi off unless you actually plan on using it.

      2. Turn Bluetooth on only when you plan on using it. For me, this is when I'm using my headset at work, which is rare as I would rather use my desk phone, or when I'm streaming music to my car radio or home audio system. Otherwise, I try to keep it off.

      3. When I don't need push email, data is turned off altogether. Yep, a really smart dumbphone until I need it to be an actual internet connected smartphone. This means that real-time tracking data is at least only stored until the next time I connect.

      4. What you say about tracking transmission on licensed cellular bands, if true, I guess turn the damn thing off when you don't need it is as good a solution as any, but now you're defeating the purpose of having a mobile device at all. As far as Target tracking ESNs and anything going across licensed cellular bands, here in the States at least, it runs afoul of numerous laws and FCC regulations, and I hope that if they are doing this (I really have a "citation needed" in my head on that one) that they find out really quick why they shouldn't be.

      I realize how ridiculous it sounds to be turning connections on and off all the time, but that's only until I think about how ridiculous it is that every device is trying to grab my MAC addresses and make a profile on me. I also realize that governments and service providers are going to know, at the very least, where I am at all times based on which cell site I'm connected to, at least until when (or if) the time comes that we can get stronger privacy legislation passed and actually taken seriously. But just because the 3-letter agencies and cellular providers know, doesn't mean every questionable app I've ever installed and every trash bin I pass by also needs to know.

      Long story short, only use what you need, when you need it, and never trust third party apps or infrastructure unless you have a good reason to, which is almost never as far as I'm concerned.

      • Re: Cell phones (Score:2, Interesting)

        by Anonymous Coward

        I find it simpler to change my MAC address twice a week. I don't care if they track something that they can never associate with me.

      • by mrbester (200927)

        I turn all data services off when I'm not using my phone as well, but I do it to extend the battery life.

      • by houghi (78078)

        I realize how ridiculous it sounds to be turning connections on and off all the time

        I do so all the time. Turning on and off Bluetooth, Wifi, 3G and even my GPS is something I do by pressing one icon for each.
        If nothing else, it is to save energy.

        Or you can turn on Airplane mode. Also just a 1x1 widget away on my Android.

        Being not reachable once in a while is nice. People can leave a message or send an SMS and I will reply when I am good and ready. My friends do the same, so no issues there.

      • by tlhIngan (30335)

        You know, cellphones also use the.. um., cellular bands. It's only a matter of time before the stores use the cellphone frequencies as passive receivers to get unique IDs and such and track you that way.

        Tracking by MAC addresses is just easy. However, your phone still has a nice trackable serial number.

        Unless you turn your phone off in the store, that is.

        Perhaps that's what people should do - just put your phone in airplane mode. There you go, tracking denied!

      • I realize how ridiculous it sounds to be turning connections on and off all the time, but that's only until I think about how ridiculous it is that every device is trying to grab my MAC addresses and make a profile on me.

        So automate it. I use Locale for my android; I can set up various rules telling it to enable and disable various services based on time, geographical location, etc.

    • Re:Cell phones (Score:4, Insightful)

      by digitallife (805599) on Sunday August 11, 2013 @05:08PM (#44537631)

      This is nothing new, except for the specific technologies involved. Stores have been doing similar things for as long as they have existed. For example, years ago Walmart was identifying what demographics specific customers belonged to based on the way they walked on the store cameras, and Target [forbes.com] was doing it based on their purchasing habits.

      You simply cannot avoid being tracked in our modern world, and you have to go to a lot of effort to even minimize it. For the longest time I did not have a Facebook account, until I realized that Facebook already has a large entry in the database for me based on other people tagging my name and email and following me around with their huge tracking network embedded in half of all websites.


    • by Molochi (555357)

      ESNs do seem like a better way to establish marketing data and to serve Minority Report style targeted ads (or criminal suspect tracking) than MAC addresses.

    • by msobkow (48369)

      Remember the threat of implanted RFID chips?

      As far as I can see, smart phones are voluntary multi-protocol RFID chips on steroids.

      I don't own one; I don't want one. I don't even want a basic feature phone -- leave a message and I'll call you back. I do not need to be attached by an umbilical cord to the world. It used to piss off my boss, but so be it -- my time off is my time. Period.

  • Disinformation ? (Score:2, Insightful)

    by Anonymous Coward

    Isn't there something like aircrack's airbase that could be run nearby that would make this data useless? Something that just spits out mac addresses at random for the system to pick up?

  • > "How can I automatically have my wi-fi turn off when I leave the house unless I specifically turn it back on?"

    At first I couldn't think of a solution. It's really a matter of remembering to do it yourself. ...and then I remembered, cells with wifi also have gps... Why couldn't there be an app that will only turn on wifi when gps coordinates closely match a list? Possible GUI -- bring up app, touch "allow wifi from here". Coordinates are memorized, and wifi is turned on only X number of feet from tha

    • "I'd buy that for a dollar".

      Sure, only one problem: GPS doesn't work well indoors and sucks battery like it's going out of style.

      • by maliqua (1316471)

        sometimes it works, if the app's smart enough it would turn wifi on when you get to your yard or entrance perhaps, have an option to enable wifi when gps is unavailable if you want.

        there are solutions

        i don't find gps to be much of a battery issue, but i'm one of those guys that remembers to charge his phone every night when he goes to bed

      • I haven't seen GPS sucking my battery down particularly fast with either an old iPhone 3GS or an iPhone 5. Wifi seems to be a bigger drain (especially on the 3GS).

        But back to the problem at hand - at first look it seems to be easy, but the devil is in the details. It seems like manually turning it off would be the best option, since he's going to have to resort to that at least some of the time unless he's never, ever using wifi away from his home. If he's turned wifi on, he probably wants it to stay on - a

        • by maliqua (1316471)

          The simplest way would be if connection is lost to the access point you manually enabled it resorts back to gps and default behaviors

        • by jrumney (197329)

          I haven't seen GPS sucking my battery down particularly fast with either an old iPhone 3GS or an iPhone 5.

          Are you actually using the GPS, or you just have it switched on? On my Android phone, there is no difference in battery usage whether it is switched on or off. I know this, because Android disabled the ability for applications to switch the GPS on/off in an update, to prevent tracking behind your back, so the rules I had set up to disable GPS unless I was in my car stopped working, and battery life w

          • Hmm... I thought the implication was just having it on was the problem. But I see your point.

            Thing is, when I'm using a map app (Waze, Google Maps, whatever) I'm generally in my car. And since those apps tend to keep the display on, I usually plug the thing in - because the display definitely eats battery. I don't play many games on my phone, so I don't really have a good point of comparison for screen only versus screen + GPS - if I'm not using a map app, I don't have the screen on for long periods of time

            • by adolf (21054)

              "On" and "being used" are two different things.

              On the phones I've used extensively (OG Droid, Droid 4) using the GPS kills the battery faster than playing games, watching movies, or doing anything else really. It pulls enough current that the battery gets hot, which makes even less energy available.

              End result: OG Droid, with new and fully-charged battery: Dead in less than an hour with GPS being used, whether or not the display is on or the device is doing any other meaningful work.

        • by dbIII (701233)
          One popular free user created application on the N900 is just a big button on the screen that turns wifi on or off. It's not the only phone with multiple desktops now so it's not as if there isn't screen space on the newer phones.
    • by paedobear (808689)
      AirPatrol have some tech that sort of does what you want, but it's very much enterprise orientated.
    • Llama [google.com] for Android can do this. By default it uses cell towers to track your location.
    • Re: possible new app (Score:2, Informative)

      by Anonymous Coward

      I use Tasker for this. My profile is set up so that when I'm paired with any of the cell towers near my house it will enable WiFi and try to connect to my home network. Tasker costs $3 and setting up this sort of config shouldn't take more than an hour.

      The app also has a billion other uses. When I'm at work my phone will automatically be silenced, and when I plug in headphones my music player opens and my volume is set properly.

    • by jrumney (197329)

      "I'd buy that for a dollar".

      Locale [google.com] is a bit above that budget, at $9.95.

      Tasker [google.com] is closer, at $3.95.
      Llama [google.com] is free, and you can donate [google.com] your 1.00 (euro = US$1.24).

      I think all of these will support tracking cell towers to determine location, so you do not need to waste battery polling GPS location constantly.

    • "I'd buy that for a dollar".

      Llama for Android is even free.

  • by jamstar7 (694492) on Sunday August 11, 2013 @03:26PM (#44537101)
    How ARE those Dockers working out for you?
  • by technomom (444378) on Sunday August 11, 2013 @03:35PM (#44537165)

    If you have Android, Tasker works great for this sort of thing. Simply set it up to trigger a profile based on your GPS location.

  • How about an app that changes the MAC to something new and random every time the interface has been disconnected longer than three minutes?

    • by exomondo (1725132)

      How about an app that changes the MAC to something new and random every time the interface has been disconnected longer than three minutes?

      MAC address filtering would be great fun then.

  • one in wallet / car to turn wifi off
    one by front door / hall table to wifi on
  • by goldcd (587052)
    Is excellent for scripting actions (although you need to root really).
    e.g. in this case you could define geographic areas (your home, your office etc) where WiFi is turned on, and get it to turn off in all other areas.
  • Legit uses? (Score:3, Informative)

    by aggles (775392) on Sunday August 11, 2013 @04:16PM (#44537379)
    Several airports in Europe are using the same non-associating probe technique to figure out if enough security lines are open. By knowing the time from pre to post security location of a MAC address, they can tell how well traffic is flowing. Since people beyond security, on average, spend several Euros per minute, it is better for the airport to minimize the security delay. Good for passengers too.
    • by huge (52607)
      True. At least HEL [helsinki-vantaa.fi] is using that but based on Bluetooth instead of WIFI. Article mentions CPH, OSL and LHR using it as well.
  • At some point, if there does not exist already, there will be a market for MAC addresses and information that is linked to them.

    .
    Marketeers like Acxiom [acxiom.com] and SurveySampling [surveysampling.com] are probably lusting after the ability to link a MAC address to a social media account, or a person's demographics.

    • by exomondo (1725132)

      At some point, if there does not exist already, there will be a market for MAC addresses and information that is linked to them.

      Why? What are you going to do with a MAC address and a bunch of tracking data? Are you going to assume that MAC address represents a person?

      • by TheP4st (1164315)
        1. Record time and place of a handful of your credit card purchases.
        2. Run a search for all MAC addresses that were at these locations within a set time frame and find the one that pop up at each one.
        3. ?
        4. Profit!
        • by exomondo (1725132)
          So now you're assuming such people also have a list of your credit card purchases, that you always use a credit card and it's always the same one and that it's yours and not somebody else's (my wife and I often use the same card which means the MAC address correlation fails). And then you also have the fact that most people turn over their phones at 2 years max (though more often sooner, the Apple store near me is always full of people warrantying their phones) so the data would be awfully noisy and untimely
          • by TheP4st (1164315)

            So now you're assuming such people also have a list of your credit card purchases

            Many businesses would have, yes. In the case of chain retailers, restaurants and so forth it would be quite a simple feat to match up your personal data with the MAC address of your device.

            that you always use a credit card and it's always the same one

            Why would that be necessary? It would be enough to match credit card X with Device Y on just 10 different occasions to with quite a high degree of certainty determine who device Y belongs to. If a second credit (or debit) card with the same owner likewise can be correlated with device Y then the degree of certainty would of

            • by exomondo (1725132)

              Many businesses would have, yes. In the case of chain retailers, restaurants and so forth it would be quite a simple feat to match up your personal data with the MAC address of your device.

              Why would that be necessary?

              Because I rarely use my credit card, in fact much of the time I use cash or debit card, not to mention I usually have wifi off to preserve battery.

              it would be enough to match credit card X with Device Y on just 10 different occasions to with quite a high degree of certainty determine who device Y belongs to.

              So if you've visited the same restaurant (or chain) on 10 different occasions using the same payment method carrying the same device with wifi turned on...you don't see how noisy that dataset becomes?

              If a second credit (or debit) card with the same owner likewise can be correlated with device Y then the degree of certainty would of whom the device belong to would increase, not decrease as you suggest?

              That's if it's even the same owner's name on it and not cash or debit card.

              Really?

              Yes, really, just look at how limited and specific you've had to define the case for doing

  • Solution? (Score:4, Interesting)

    by Alsee (515537) on Sunday August 11, 2013 @04:37PM (#44537479) Homepage

    The Globally-Unique MAC addresses seem to be a pretty blatant security and tracking problem. I've been increasingly wondering why we don't simply start randomizing the MAC address every time the device is turned on, or perhaps even randomizing it for each new connection.

    Yes, in principle this could result in a random address collision between two devices. However MACs are 48 bits... this means you'd need to have over 16 million devices simultaneously connected to the same access point before there's a substantial chance of two of them randomly colliding. I'd call that a rather pretty negligible trade off to obtain some privacy and security. And if one device does detect a MAC collision it could simply re-randomize.

    As for additional "security risks" of randomizing MAC addresses, not really. It's already trivially easy for someone to deliberately fake your MAC address on their own device. So no new threat there. If anything, I think randomizing (and regularly re-randomizing) the MAC address would be a security benefit. If someone does deliberately fake your MAC address, the target lock is neutralized when your device re-randomizes.

    -
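Alsee's collision estimate above can be checked numerically. The following is an added example, not part of the original comments: it generates a random unicast, locally administered address (two flag bits of the first octet are fixed, which leaves 46 random bits rather than 48) and evaluates the birthday bound for a given device count. All function names are illustrative.

```python
import math
import secrets

RANDOM_BITS = 46  # 48 address bits minus the two flag bits fixed below


def random_local_mac() -> str:
    """Return a random unicast, locally administered MAC address."""
    octets = bytearray(secrets.token_bytes(6))
    # First octet, bit 0: 0 = unicast. Bit 1: 1 = locally administered.
    octets[0] = (octets[0] & 0b11111100) | 0b00000010
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac: str) -> bool:
    """True if the address is unicast with the locally administered bit set."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def collision_probability(devices: int, bits: int = RANDOM_BITS) -> float:
    """Birthday bound: chance that at least two of `devices` share an address."""
    space = 2 ** bits
    # 1 - exp(-n(n-1)/(2N)); expm1 keeps precision when the result is tiny.
    return -math.expm1(-devices * (devices - 1) / (2 * space))


def devices_for_probability(p: float, bits: int = RANDOM_BITS) -> int:
    """Approximate device count at which the collision probability reaches p."""
    return math.ceil(math.sqrt(2 * (2 ** bits) * math.log(1 / (1 - p))))


if __name__ == "__main__":
    print("example address:", random_local_mac())
    # Constructed device counts: a busy access point up to 2**24 devices.
    for n in (250, 10_000, 1_000_000, 2 ** 24):
        print(f"{n:>10} devices: 46-bit {collision_probability(n):.3e}, "
              f"48-bit {collision_probability(n, 48):.3e}")
    print("devices for 50% (46 bits):", devices_for_probability(0.5))
```

The collision only matters among devices that share a layer-2 segment at the same time, so the realistic device count per access point is in the hundreds, not millions.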

  • Data including the "movement, type, direction, and speed of unique devices" was recorded from smartphones that had their Wi-Fi on.

    All of that was recorded from the phone? Or was it actually only the MAC which was recorded at multiple points and times, which allows the rest to be inferred?

  • If you have an iPhone, you can prevent these "rogue" Wi-Fi points from sniffing you by changing a simple setting.

    Look in "Settings/Wi-Fi/Ask to Join Networks" and just switch it on. Done.

    Androids and others probably have something similar.
    • I presume you meant switch it off, so it doesn't ask to join new networks. Do you know for certain if it actually stops looking entirely, or just doesn't ask? I automatically have it off 'cause it's a pain in the ass when you're driving around and wifi invitations start popping up all the time.

      • by Sir Holo (531007)
        If you switch it to OFF, your iPhone will automatically join any open WiFi access point. Better to live with the annoying "Do you want to join?" dialogs all the time, because the alternative allows the tracking described in the article.
        • by dave420 (699308)
          You don't seem to understand what the issue is. Just your iPhone seeing what wifi networks are out there is enough for you to be tracked. The only solution is to turn off wifi, or figure out how to get your device to not send its MAC address when looking for available networks. Being asked for permission to join a network doesn't affect this one bit.
  • Drains the battery anyways. Turn it on when I want and need it, turn it off again when I'm done.

  • by kbg (241421) on Sunday August 11, 2013 @07:53PM (#44538555)

    Just use Llama if you have an Android phone:

    Llama - Location Profiles [google.com]

    It's totally amazing. I use it to turn off WiFi when I leave the house and turn it back on when arrive at work.

  • He thought the idea that he debuted at BlackHat [blackhat.com] was somehow new or revolutionary. I think the only thing he may have done differently than this advertising agency is to have each node connect to the other nodes using Tor.
  • by Greyfox (87712)
    1) Write program to randomly change device's MAC address every second (IIRC ifconfig can do this, so it could easily be a simple shell script.)

    2) Discard device in trash can.

    3) Profit?

  • by Flere Imsaho (786612) on Sunday August 11, 2013 @08:49PM (#44538797)

    I'd love to see activists "recycle" some iron oxide and aluminum powder in these fuckers.

    I'm about ready for some real action in response to the marketing-scum and paranoid guberments sweeping away our right to privacy *frowns*

    • by xaxa (988988)

      I'd love to see activists "recycle" some iron oxide and aluminum powder in these fuckers.

      That's been done before (see http://en.wikipedia.org/wiki/List_of_terrorist_incidents_in_London [wikipedia.org] and search the page for " bin").

      There's a page where you can submit MACs to opt-out of the service. Setting up a scanner somewhere in the City (i.e. the financial district -- every other part of London funds recycling bins without outsourcing it to advertisers) and automatically submitting them to the opt-out site would be good.

      I don't work in the City, or I'd give this a try.

  • If it's not associated with an access point, the wifi chip gets switched off. You have to turn it on to associate and it stays on until you go out of range, and then it flicks off again. I don't want it on unless I ask. And I don't want to have to remember to turn it off. So when it loses its AP, it goes down.

  • by hankwang (413283) on Monday August 12, 2013 @05:53AM (#44540285) Homepage
    This article actually starts as a question, but there are only a few posts addressing practical ways to deal with it. I for one use Smart Wifi Toggler [google.com] on Android. It decides when to switch on Wifi based on cell tower locations. I use it mainly because it saves some battery.
  • You can use Llama and Tasker.

  • Looks like officials have been called in.

    http://www.theregister.co.uk/2013/08/12/spy_bins_scrapped_from_london_streets/ [theregister.co.uk]
