
Count the people around you by monitoring wifi signals - captn3m0
https://github.com/schollz/howmanypeoplearearound
======
guscost
Disclaimer: I work at Density
([https://www.density.io](https://www.density.io)) building an anonymous
people counter.

MAC address tracking is a good simple way to get an approximate number of
people: it's very easy to install, it requires only a WiFi antenna, and the
data is easy to translate into a count. However, there are privacy and legal
concerns which have prompted phone vendors to obfuscate this data. And there
can easily be zero (or more than one) broadcasted MAC address per human, even
when filtering by OUI.

Retailers have been using specialized "people count" technology like infrared
break-beams, thermal cameras, and CCTV+CV systems for a long time. CCTV is the
most accurate by far, but it's also commonly considered to be an invasive
level of surveillance (and rightly so). It's also not particularly accurate in
adverse situations. At Density, we looked at (and tried) many of these
technologies - but ultimately found them lacking because they were either too
invasive or too inaccurate. The device we've built uses a lower-resolution
depth-only sensor because it can return extremely accurate results, without
having the capability for facial recognition or other analysis techniques that
are harmful to privacy. So far the technology is working very well - with an
algorithm based on a deep-learning "human classifier" we're seeing accuracy
above 99% in many of our deployments.

Here's a cool (and in-progress, excuse our dust) summary of some issues that
the technology has to navigate:
[https://faq.density.io/algo/](https://faq.density.io/algo/)

~~~
politician
What do you think about a radar approach like Google's Project Soli?

~~~
weej
Isn't Soli more for natural user interface (NUI) detection via radar wave
disruptions? I'm not sure it would provide very granular detection and he'd
have a lot of false positives.

I was thinking more in terms of lidar tracking of people. It's been around for
nearly a decade and works quite well.

~~~
guscost
Unfortunately, as far as I know LIDAR is still prohibitively expensive for
this. Someone did invent a solid-state LIDAR system recently, which seems like
a good sign.

~~~
weej
Fair point. I was solely thinking from a technical solution not the
practicality around deployment. My employer has biased my bubble on thought
process. "Oh, yes, this is easy to solve, and I see it on campus (Disney -
imagineering office).

------
arayh
It sounds like a lot of people aren't too familiar with the "people counter".

[https://en.wikipedia.org/wiki/People_counter](https://en.wikipedia.org/wiki/People_counter)

It's commonly used by some retail and shopping malls to "estimate" traffic and
conversion. It's great for determining peak times and visit duration. This
kind of technology has been commercialized for some time now.

~~~
dpods
My wife manages a retail store and they use this tech to track sales
conversions by the hour. Gross sales / Number of people walking in the store
broken out by hour. Each conversion rate for each hour is tied back to the
manager on duty for that hour so they can see how effectively the store is
managed. They also take weather into account since that has a strong effect on
foot traffic for an outdoor mall.

~~~
bigiain
I'm now considering building a battery powered RasPi device that'll rapidly
switch the MAC address on the WiFi adaptor and masquerade as extremely busy
periods as I walk through a shopping mall...

~~~
redwards510
> Pry-Fi comes with a War mode, which when enabled tries to make your Android
> device appear like dozens of people. Just wandering around an area under Wi-
> Fi location surveillance for a few minutes can ruin the tracking data for
> the period of your stay.

[1]
[https://play.google.com/store/apps/details?id=eu.chainfire.p...](https://play.google.com/store/apps/details?id=eu.chainfire.pryfi&hl=en)

------
jimmychangas
> It may be illegal to monitor networks for MAC addresses, especially on
> networks that you do not own

Isn't it odd that you can't read electromagnetic signals penetrating your
walls without your consent?

~~~
rhacker
It's like if they said "Fuck" on the radio and then decided to arrest anyone
that possibly heard the transmission.

~~~
t413
It's a great example of the breakdown in understanding of a system. People
envision WiFi as a wireless pipe or cable whereas in reality you're
broadcasting in every direction out to infinity.

When reality doesn't match peoples' expectations they legislate a 'fix'
(making listening illegal) rather than fixing the fundamental technical issue
(with encryption, randomized IDs, etc).

------
jasonhong
Our research group also had a similar idea to this back in 2006, though
looking at laptops (since this was before smartphones really took off). This
was also before MAC randomization, as many other posters have pointed out.
Here's our research paper if you're interested:
[http://cmuchimps.org/uploads/publication/paper/86/putting_pe...](http://cmuchimps.org/uploads/publication/paper/86/putting_people_in_their_place_an_anonymous_and_privacy_sensitive_approach_to_collecting_sensed_data_in_location_based_applications.pdf)

Two ideas to consider for next steps, if you're interested. One is to
crowdsource the data, to build out a map of places and how busy those places
are. You would need to add in a lot of privacy mechanisms though, e.g. only
sharing data of mostly public places vs homes. You could also build out a map
of interesting places based on this (e.g. we used foursquare data in our past
research to build out clusters of places, see
[http://livehoods.org/](http://livehoods.org/))

Another is to estimate how busy a place really is based on traffic, in terms
of #people, and #seats or #tables available. This could be especially useful
for campuses (where is a good place to study?) or cafes. You might need some
crowd-based approach to label ground truth, and it's unclear what the
incentive would be.

We did consider commercialization back in the day, but never came up with a
plausible business model. It's not clear why business owners would want this,
and they might even have an incentive to cheat. Though I would definitely say
that cities would be interested in this data, e.g. urban planners or depts of
public works. They have so little data about what is actually going on in a
city. For example, we spoke with people who wanted to know the effects of
closing a bridge or closing off a street.

~~~
slig
> Another is to estimate how busy a place really is based on traffic, in terms
> of #people, and #seats or #tables available. This could be especially useful
> for campuses (where is a good place to study?) or cafes. You might need some
> crowd-based approach to label ground truth, and it's unclear what the
> incentive would be.

Google Maps does that. Search for a popular cafe on your area and you should
see the "Popular times" graph with live data.

~~~
copperx
I assume they do that by tracking how many Androids are at a given location;
so that doesn't count those who are using iOS. Given Android's dominance
though, not counting iOS devices might not be even skew the results
significantly.

~~~
matt4077
The pervasiveness of Android would mitigate _random_ errors. It alone can not,
however, mitigate systematic errors. Apple Stores (and, employing stereotypes
for maximum effect, art galleries and organic food stores) would be
undercounted.

But, wait: Google only gives you relative data over time, where that error is
irrelevant. Never mind.

------
xyproto
Great, now it's possible to create a "party detector" that will change the
music and lights if there are enough people at home or in specific rooms.

~~~
pbhjpbhj
Get raided by the police ...

Clippy: "It looks like you're having a party, I'm switching on the disco
lights and music."

~~~
kkarakk
i've seen twitch streamers get swatted and their viewers start their
lights/play "fuck the police" via alexa via paid donation TTS software. this
just removes one step in the process

------
dom96
I did something similar for macOS, my aim was to see how effective deauthing a
router is (turns out it's incredibly effective, the readme has more details)
and as a side effect the app shows a list of all WiFi traffic. It was a pretty
fun project.

1 - [https://github.com/dom96/deauther](https://github.com/dom96/deauther)

~~~
msravi
The readme doesn't seem to say - how does one install/run it?

~~~
dom96
Uploaded a binary to make the usage a little easier. Haven't used it in a
while but should work, give it a try:
[https://github.com/dom96/deauther/releases/download/v0.1.0/d...](https://github.com/dom96/deauther/releases/download/v0.1.0/deauther_macosx_0.1.0.zip)

------
io_io
A very common way of measuring traffic volumes is via bluetooth MAC address
broadcasts. The Wisconsin DOT even makes the traffic counts derived from this
data interactive and public:
[https://wisdot.maps.arcgis.com/apps/webappviewer/index.html?...](https://wisdot.maps.arcgis.com/apps/webappviewer/index.html?id=2e12a4f051de4ea9bc865ec6393731f8)

~~~
acct1771
Interesting....evermore vehicles being BT enabled == traffic's always
increasing?!

Sounds like great job security for DOTs.

------
jcfrei
Thought about this too a while back. If I remember correctly the "issue"
(actually I consider it a feature) with most modern smartphones is that they
will randomly change their MAC address in order to prevent exactly this kind
of tracking.

~~~
gkfasdfasdf
Do you have any idea how often they change? Like if you were only looking
counts of distinct MAC addresses, could you shorten the listening window so
that an individual phone would have the same address?

~~~
cjnicholls
On probe requests this can be very often(< second or within 50 frames),
especially in the case of IOS. On Android MAC randomisation is implemented
only on a handful of specific devices and some vendors dont at all. Mac
randomisation is flawed at the least and can still be used to identify an
individual in some cases. The paper below lists techniques explored by the US
Navy published in 2017.
[https://arxiv.org/pdf/1703.02874.pdf](https://arxiv.org/pdf/1703.02874.pdf)

~~~
gsich
But the nature of Probe Requests make tracking very easy.

------
markovbot
I thought I remembered schollz (the GitHub user that this is under) from
something else, and sure enough, I did! They did another interesting thing
with wifi that I believe I discovered from hackernews years ago (appears to
have evolved somewhat since then):

[https://github.com/schollz/find3](https://github.com/schollz/find3)

------
bjoli
I did something similar using my jobs open network, a raspberry and nmap. I
was able to correlate devices to people, and depending on which floor they
were on they had different DHCP IP ranges. I then made a webpage out of it
that let me see who was where. People changed devices too often and I was
lazy, but if I could have figured out how to get people's hostnames I could
probably make the process a lot simpler.

~~~
chooseaname
Not the least bit creepy.

~~~
bjoli
I know, I know. To my defence it was more to see if it could be done than
anything else. I have actually used the very same nmap technique in an
argument with a "I have nothing to hide" coworker.

It is a great example of how a simple concept like "I can see other devices
connected to the network" can be transformed into "I can log who is at work
when". This could be done with a $45 device. With $500 I could make something
much more nefarious with regular arduinos.

~~~
brokenmachine
How would the arduinos make it more nefarious?

~~~
bjoli
Several devices,camera at the entrance, Bluetooth LE, not having to do obvious
network monitoring. We have loads of good places to hide them, and I suspect
they would go unnoticed for years

------
electriclove
I carry 2 phones and use an iWatch. Will I register as 3 people?

~~~
komali2
I'm sensing bold new avenues for Citizens United.

~~~
matt4077
“Yes, my plus-one is all of Microsoft. If corporations are people, corporation
is person, my friend”

------
renholder
I did something similar[1] in C++ (on Windows - I know, I know...) but I
feared that the rate of the scan requests could inadvertently cause me to be
"interesting": even though I was only storing the IDs in memory - due to GDPR
- which, from the wording of another comment[2], sounds like _could_ still
land me in trouble.

It's interesting (and a bit frightening) to see just how many devices (e.g.:
APs, mobile phones, dash cams, etc.) there are discoverable out in the wild.

[1] -
[https://github.com/felsokning/Cpp/blob/master/Public.Cpp.Res...](https://github.com/felsokning/Cpp/blob/master/Public.Cpp.Research/Public.Cpp.Research/WlanObtainBssids.cpp)

[2] -
[https://news.ycombinator.com/item?id=18932906](https://news.ycombinator.com/item?id=18932906)

------
krick
I wonder if there are any studies on how reliable this is, especially in a
crowd. This can be very useful, but I see many ways how the assumption of "MAC
addresses" = "people" can be broken:

* As stated in the docs, not everyone has a phone, they estimate it being 70%, but I wonder how accurate this is in different regions for different crowd sizes and applications (cafe visitors vs a parade)

* As stated in the comments, some individuals carry multiple WiFi capable devices and it can be much more than 1 per person

* How large can a crowd get, before signals get jammed to a point this method stops being useful?

* Many people prefer mobile data and sometimes even don't turn WiFi on

So, I mean, it obviously can be used practically, but I struggle to estimate,
how much should I believe what the device reads w/o actually seeing the crowd.

------
macthrow
I've been researching and working with this for some years now. There's a lot
of stuff that can interfere with the quality/accuracy of the numbers (e.g. MAC
randomization). I found out that there's also various ways to circumvent and
improve upon those problems.

~~~
justsomeguy1981
If you have found a way to circumvent the latest iPhone MAC randomisation I
would be very very interested to talk to you.

------
sorenjan
It would be fun to connect several receivers and use multilateration to
estimate positions and make a heat map over the local area.

------
jaimex2
Retailers and government do this, sometimes they track you as you move around.
Pry-Fi is a great little app if you have an Android phone and root :D

[https://play.google.com/store/apps/details?id=eu.chainfire.p...](https://play.google.com/store/apps/details?id=eu.chainfire.pryfi)

Basically just blasts thousands of MAC addresses into the air flooding their
counters and ruining their data.

~~~
oda
[https://github.com/wi-fi-analyzer/mdk3-master](https://github.com/wi-fi-
analyzer/mdk3-master) might be a better tool for the job

------
rainbowzootsuit
The arpa-e SENSOR [1] program is working on several technologies for people
counting for sake of doing Demand Controlled Ventilation (DCV)[2]. People
counting is part of the ASHRAE 62.1 calculation [3] for demand controlled
ventilation. Also, simple N>0 occupancy counting is useful for home HVAC
system setbacks.

I sat in an ASHRAE technical session presentation the other day about the
program. All of the technology goals intend for the people count results to be
anonymous, and for the technology to be "open source."

Cost goals are <$0.06/ft^2 for residential and <0.08$/ft^2 for commercial
systems.

[1]
[https://arpa-e.energy.gov/?q=programs/sensor](https://arpa-e.energy.gov/?q=programs/sensor)

[2]
[https://en.wikipedia.org/wiki/Demand_controlled_ventilation](https://en.wikipedia.org/wiki/Demand_controlled_ventilation)

[3]
[https://ashrae.iwrapper.com/ViewOnline/Standard_62.1-2016](https://ashrae.iwrapper.com/ViewOnline/Standard_62.1-2016)

------
gregod
There is also
[https://github.com/cyberman54/ESP32-Paxcounter](https://github.com/cyberman54/ESP32-Paxcounter)

"Wifi & Bluetooth driven, LoRaWAN enabled, battery powered mini Paxcounter
built on cheap ESP32 LoRa IoT boards"

------
adanto6840
I've long been curious why McDonalds (and the like) don't have automated
license plate readers, similar in concept to people counters (though more
invasive I suppose) on their drive-throughs.

I'd think they could very quickly & automatically begin collecting data about
income, repeat vs new customer, even streamlining the order process by
recalling past orders or upselling, etc.

It seems like an area that is incredibly ripe for data collection & analysis;
I almost wonder if there isn't a business in here, selling this feature-set as
as B2B service.

For the record, I prefer not to be 'tracked' \-- I don't know that I can
realistically say it would actually impact my fast-food selections though. The
concept does intrigue me nonetheless.

~~~
maxerickson
I feel like fast food needs to stay focused on keeping the food they are
serving fresh and on quick service.

Those factors should completely swamp anything that can get teased out of
reams of data.

------
zwarag
Thats cool. I wanted to do something similar with ESP-8266 to track visitors
in a tourist attraction I worked for. But as it turned out it was illegal by
law because a law forbids to track people through "electromagnetism". As it
turned out it the reason for the law was to not make it possible to track
people in their apartments by registering wherever they where watching TV and
similar stuff.

We never wanted to track an individual person and would have hashed the MAC,
nor did we want to get any data from them (phone brand or whatever). We wanted
to be sure to not have more than 1000 people in the building (another law) and
for security reasons we did not have turnstiles at the exit.

At the end we had to use cameras that counted heads...

------
worldexplorer
I could think of interesting use. In India currently mini Kumbh
Mela([https://en.m.wikipedia.org/wiki/Kumbh_Mela](https://en.m.wikipedia.org/wiki/Kumbh_Mela))
is going on. Police and organisers can use this technique to estimate and
monitor crowd. I bet they are already using sophisticated crowd monitoring
techniques
([https://tech.economictimes.indiatimes.com/news/technology/ku...](https://tech.economictimes.indiatimes.com/news/technology/kumbh-
mela-becomes-a-lab-for-tech-industry-to-study-crowd-management/51804234)) but
more the merrier.

------
wstuartcl
It would be worthwhile to also scan bluetooth discoverable devices and try to
normalize the two for cases where:

* you usually see entry and exits of both and can start to map them as "one" user. * you see only wifi entries and exists without corresponding bluetooth (maybe user usually has bluetooth turned off or is out of range of BT capture). * You see only BT with no corresponding wifi (user has discoverable bt but wifi off).

The normalization is complicated as wifi/bt range are pretty different (unless
you have hardware to extend the pickup for bt) -- but if you deal with a time
window slide (and repeat event correlations) it should be possible.

------
rmoriz
I'm currently monitoring for Wifi probes with a RPI 0W and external Alfa USB
adapter.

Interestingly, some parcel services use handheld barcode scanners that don't
even try to randomize their MAC or hide their name.

(German blog post [https://blog.rolandmoriz.de/2019/01/08/eine-flasche-
metadate...](https://blog.rolandmoriz.de/2019/01/08/eine-flasche-
metadaten-2-wifi-probes/) )

------
petercooper
To avoid the privacy issues around MAC addresses, etc, is there any way to
simply count the number of "variations" of signal in the area? So rather than
having to process any data, you base your count on things like signal strength
and other indicators of a "unique" signal?

------
louismerlin
I wrote a similar program 2+ years ago (it is very rough around the edges).

I used ARP-scan to log and monitor the MAC addresses of the people on the
network.

Had a lot of fun at the time !

[https://github.com/louismerlin/spydeer](https://github.com/louismerlin/spydeer)

------
tzhenghao
Sounds like this might just be more reliable than a tally counter [1] :) the
future is here

[1] -
[https://en.wikipedia.org/wiki/Tally_counter](https://en.wikipedia.org/wiki/Tally_counter)

------
propogandist
Does this get around MAC anonymization done by iOs and Android? Researchers
have shown it can be defeated, but curious if this takes it into consideration

------
doggydogs94
Do most people have WiFi active on their phones? I usually leave WiFi off
(nuisance factor), but maybe that’s just me.

------
saadalem
Do someone have a dataset about how do behave micro/radio waves when they
interact with matter ?

------
Cynddl
Although there is a remark about the potential legal issues in the US, it
should also be noted that capturing and storing MAC addresses without explicit
consent is not GDPR compliant, and not legal in Europe.

~~~
eeeeeeeeeeeee
Couldn't almost any WiFi router, and thus the user of that router, then be in
violation of GDPR simply by logging which MAC addresses attempt to connect to
that router? Even connections by accident (selecting the wrong SSID).

I know my Netgear router has a history of basically any connection attempts
and their MAC address; it does this by default, not sure I can even turn it
off.

And how would you even present a GDPR notice to the user prior to logging that
kind of information?

~~~
casylum
Sticker on the window?

There is an issue with retailers tracking shoppers movements in a store.

FTC take on the issue: [https://www.ftc.gov/news-
events/blogs/techftc/2015/04/privac...](https://www.ftc.gov/news-
events/blogs/techftc/2015/04/privacy-trade-offs-retail-tracking)

------
ilovecaching
Wrong thread :(

~~~
usmannk
Did you comment on the wrong topic perhaps?

