
London’s Tube Network to Switch on Wi-Fi Tracking by Default in July - dmmalam
https://techcrunch.com/2019/05/22/mind-the-privacy-gap/
======
forthispurpose
Is it just an impression or is UK indeed the most enthusiastic of all Western
countries when it comes to performing mass surveillance on its citizens?

Seems like it runs way deeper and broader than in US

~~~
dvno42
Opinion but I'm getting that impression, I was visiting Britain earlier this
year and to gain entry to a sit down restaurant (Denny's type place), I was
required to produce my passport or ID so that a copy could be scanned and
saved before being granted entry (this was the norm for locals as well).

~~~
viraptor
You've possibly been scammed in some way. Watch out for weird things happening
in your name. This is not normal and most likely not legal.

~~~
Mindwipe
There are plenty of nightclubs that do this, and police frequently mandate
that they do so as a requirement of operating their alcohol license in the UK.
It's completely legal.

It would be very unusual for a restaurant to do so, but I'm wondering if it
might have been a restaurant with a nightclub attached (if we're talking
central London here maybe Tiger Tiger?). That's quite plausible.

~~~
viraptor
You have to show your ID for the alcohol venue sometimes - that's common. But
I've never seen anyone actually scanning one to get a copy.

~~~
jdietrich
Some bars and nightclubs use ID scanners for verification purposes. A machine
vision system is much better than a bouncer at spotting fake IDs or knowing
what a Latvian driving license is supposed to look like. The scanner can also
check names against a list of banned patrons, which may be shared between
venues.

[https://www.patronscan.com/id-scanner-for-bars/](https://www.patronscan.com/id-scanner-for-bars/)

~~~
kwhitefoot
Surely a Latvian driving license looks just like any other European driving
license? Driving licenses in Europe were standardised years ago.

But I do see your point.

~~~
kalleboo
As far as I can see, the content is standardized but the design and security
features vary a lot
[https://en.wikipedia.org/wiki/European_driving_licence#Galle...](https://en.wikipedia.org/wiki/European_driving_licence#Gallery)

------
walterbell
Note that iOS "grey" color for WiFi does NOT mean disabled - you can still be
tracked. A diagonal line across the WiFi symbol = off.

Use "Settings" to turn WiFi completely off, or disable WiFi via Control Center
_before_ turning off Airplane Mode.

This stateful & confusing button behavior was added in recent iOS releases. If
Apple cares about privacy, they can enable the original iOS behavior via
permanent opt-in setting and MDM policy.

~~~
lathiat
Though iOS also randomizes and regularly rotates the MAC address used for WiFi
probing and only uses your real MAC once you connect.

So in disconnected mode, or, if you've never actually connected to that wifi
network, you'd think that wouldn't really work?

~~~
walterbell
When WiFi is enabled, iOS devices broadcast a list of known SSIDs and possibly
the MAC addresses of some known routers. Has that changed?

[https://arstechnica.com/gadgets/2012/03/anatomy-of-an-iphone...](https://arstechnica.com/gadgets/2012/03/anatomy-of-an-iphone-leak/)

[https://lists.immunityinc.com/pipermail/dailydave/2012-March...](https://lists.immunityinc.com/pipermail/dailydave/2012-March/000070.html)

~~~
lathiat
I can't speak to that with accuracy (other than the fact that information is
from 2012)

But it doesn't make sense to me it would be probing for known networks in its
disconnected state.

~~~
walterbell
Infosec experts will comment in due course, since there are now a few million
reasons to find out definitively.

------
hkai
For someone living in Asia, it's crazy that people in Western countries have
to always fiddle with their phone to search and connect to Wi-Fi, because
their plans are expensive or the tunnels don't have coverage.

~~~
retrac98
Coverage is an issue underground, but plans are cheap now, at least in the UK.

I think my phone plan costs me something like £12 per month and I get more
data than I ever use from my phone (30GB), and unlimited minutes/texts.

~~~
heavenlyblue
Which network is it?

~~~
retrac98
O2

------
Silhouette
As a curious data point, when I bought a new phone and then signed up for a
new SIM-only plan with a UK provider not so long ago, they made a big deal
about how I now had access to free WiFi on the Underground. This was not
mentioned at all during the sign-up process and not something I requested or
opted into.

TfL do say they won't identify individuals, but for the purposes of data
protection law anything that _could_ be used to identify a specific individual
is in scope, so these kinds of systems (and similar ones that have been used
in places like shopping centres for a while) might be skating on thin ice if
there are also, for example, sufficient CCTV cameras around and recording for
an individual to be identified from those and then matched against their
phone.

It looks like TfL have been cagey about exactly what precautions are being
taken here, and they certainly have other mechanisms that could potentially be
used to identify individuals such as CCTV and data from payments and
entry/exit barriers, so given the scale of the Underground network and the
number of people likely to be affected, it wouldn't surprise me if these kinds
of stealthy phone-tracking systems started to come under greater regulatory
scrutiny before long.

------
severine
I use the aptly named Wi-Fi Privacy Police, from F-Droid:

 _Prevents your smartphone or tablet from leaking privacy sensitive
information via Wi-Fi networks. It does this in two ways:

It prevents your smartphone from sending out the names of Wi-Fi networks it
wants to connect to over the air. This makes sure that other people in your
surroundings can not see the networks you’ve connected to, and the places
you’ve visited.

If your smartphone encounters an unknown access point with a known name (for
example, a malicious access point pretending to be your home network), it asks
whether you trust this access point before connecting. This makes sure that
other people are not able to steal your data._

Link:
[https://f-droid.org/es/packages/be.uhasselt.privacypolice/](https://f-droid.org/es/packages/be.uhasselt.privacypolice/)

Does it work? Am I being naive?

edit: Formatting, grammar

------
xfitm3
I don't believe it's purely for advertising. Wifi tracking and IMSI catching
are already done at airports, makes sense it's expanding to other travel
locations. It's sad that London is becoming a total surveillance state and
everyone seems to be ok with it.

------
softgrow
It's not just the UK. Prospect Council in Adelaide Australia have "Prospect
Fast WiFi"
[https://networkprospect.com.au/prospect-fast-wifi/](https://networkprospect.com.au/prospect-fast-wifi/).
It costs a little
to provide, but they get back actionable metrics for assessing how much foot
traffic there is and then evaluate policy effectiveness for their main street.
A much richer data source for next to nothing compared to other methods of
tracking visitors to the area. Still I'm surprised that TfL wants that level
of detail as they already log people in and out of the (transport) system, so
can easily measure how well things work (or not).

~~~
frosted-flakes
I remember reading about this when they were still piloting it a while back.
Entry and exit info is valuable, but doesn't help when there are multiple
routes between those stations that you want to compare. Also, it can identify
seemingly roundabout routes that people take for whatever reason (quieter,
fewer transfers, more transfers but more likely to get a seat, want to avoid
taking the same train as Mad Mary from the office, etc.), but I don't know
what they do with that information.

------
shereadsthenews
I'd like to know how any educated and rational person ever formed the belief
that they were going to go about in public, on the tube, with a radio
transmitter in their pants, and nobody is allowed to notice. It's a very
public and very not private activity.

------
jaabe
I wonder how this is legal. I work for a Danish municipality and we once used
WiFi tracking to help us build a better inner city. The data were wiped of any
identifying features, because we really didn’t care who went where, we just
wanted to track the flow of citizens in general.

It was still deemed illegal under the government adapted GDPR laws because we
didn’t have consent. So how on earth is London getting away with this, and I
guess you could say the same about their CCTV footage?

------
nmstoker
Wondering if these changes will finally make the data service more robust for
users.

The main issue seems to be that it's so hit and miss about correctly
recognising you, failing with messages about being logged in in too many other
locations, so you get blocked from about half the stations as you travel
across the network on a typical commute.

------
dharma1
Having actual WiFi coverage in the tunnels would be a good start. Now it only
works at the stations, maybe for 15 seconds at a time, on each stop. It's
awful

------
KaiserPro
From what I remember of the pilot, they actually did a good job of anonymising
the data.

Basically every mac address/SSID group was md5'd with a salt that was rotated
daily. I _think_ that each station had a different salt too. But this was to
track user movement through one station, not across the network.

There is of course, no guarantee that they will do this again.

~~~
shpx
There's 2^48 MAC addresses. You can crack 2^48 MD5 hashes in 3 hours using a
single Nvidia GTX 1080 Founders Edition

[https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a27...](https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40)

[https://www.wolframalpha.com/input/?i=2%5E48+hashes+%2F+25+b...](https://www.wolframalpha.com/input/?i=2%5E48+hashes+%2F+25+billion+hashes+per+second)
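
An added example, not part of the thread or of TfL's system: it assumes the scheme KaiserPro describes is MD5(salt || MAC) and shows, on a constructed MAC and salt, that whoever holds the salt can map a token back to a MAC by enumeration, whereas an HMAC under a random per-station, per-day key that is destroyed at rotation keeps same-day tokens stable without leaving anything to enumerate. The names `md5_token`, `reidentify` and `EphemeralPseudonymizer` and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SAMPLE_MAC = "02:00:5e:10:be:ef"        # constructed sample, not a real device
SAMPLE_SALT = b"2019-05-22/station-A"   # constructed sample, not a real salt

def md5_token(salt: bytes, mac: str) -> str:
    # Assumed construction MD5(salt || MAC); the thread gives no exact format.
    return hashlib.md5(salt + mac.encode()).hexdigest()

def reidentify(token: str, salt: bytes, prefix: str) -> Optional[str]:
    """Audit check: can a holder of the salt map a token back to a MAC?
    Searches only the last two octets under `prefix` (65,536 candidates) so it
    finishes quickly; the 2^48 figure in the thread is the same loop at scale.
    """
    for n in range(1 << 16):
        mac = f"{prefix}:{n >> 8:02x}:{n & 0xff:02x}"
        if md5_token(salt, mac) == token:
            return mac
    return None

class EphemeralPseudonymizer:
    """HMAC-SHA256 under a random per-(station, day) key held only in memory."""

    def __init__(self) -> None:
        self._keys = {}

    def token(self, station: str, day: str, mac: str) -> str:
        key = self._keys.setdefault((station, day), secrets.token_bytes(32))
        return hmac.new(key, mac.encode(), hashlib.sha256).hexdigest()

    def destroy_day(self, day: str) -> None:
        # With the key gone, that day's tokens can no longer be recomputed.
        for k in [k for k in self._keys if k[1] == day]:
            del self._keys[k]

def demo() -> dict:
    p = EphemeralPseudonymizer()
    t = p.token("station-A", "2019-05-22", SAMPLE_MAC)
    return {
        "recovered": reidentify(md5_token(SAMPLE_SALT, SAMPLE_MAC), SAMPLE_SALT, "02:00:5e:10"),
        "same_day_stable": t == p.token("station-A", "2019-05-22", SAMPLE_MAC),
        "cross_station_linkable": t == p.token("station-B", "2019-05-22", SAMPLE_MAC),
    }

if __name__ == "__main__":
    print(demo())
```

The keyed variant still yields pseudonymous rather than anonymous data while the key exists, so the privacy property depends on the key actually being destroyed at rotation.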

------
londons_explore
Can they _please_ get on with switching on 3G?

4G has come out, and 5G is about to come out, all in the time they've spent
delaying.

------
magwa101
Didn't Bostrom say the only way for us to survive was through massive
surveillance, sounds about right.

------
sys_64738
All part of the Snoopers Charter.

------
markive
So typical of the UK these days..

------
saagarjha
> secure, privacy-protected data collection

This is frequently an oxymoron in practice…

