

You Are a Rogue Device (2013) - jamesbritt
http://www.thestranger.com/seattle/you-are-a-rogue-device/Content?oid=18143845

======
panarky
Good reporting, though I wish the author wouldn't bury the most important
paragraph at the end of a longish piece.

This is not a purely local issue. It's a coordinated Federal surveillance
program masquerading as a local initiative.

    
    
      If federally funded, locally built surveillance systems with
      little to no oversight can dump their information in a fusion
      center—think of it as a gun show for surveillance, where agencies
      freely swap information with little restriction or
      oversight—that could allow federal agencies such as the FBI and
      the NSA to do an end-run around any limitations set by Congress
      or the FISA court.

~~~
honksillet
How would one go about FOI requesting the location of all these devices?

~~~
mutagen
Federal government will say it's a local issue, talk to SPD. SPD will
eventually cite confidentiality agreements with Aruba Networks. When pressed,
one of them will provide outdated and/or incomplete data citing jurisdictional
boundaries and pleading lack of technical resources to adequately address the
request.

They've already repeated the drone playbook, public apologies and assertions
that only certain capabilities will be used.

~~~
droopyEyelids
Your answer sounds suspiciously like "give up before trying". I say the
correct answer is try, and if you're thwarted, think about it and try some
more.

If anyone is interested in getting involved, you can call or email the EFF.
[1] They've done stuff like this before, and they'll help you get started. If
you want someone else to get involved, donate to the EFF. [2] Or even the ACLU
[3], because they'll eventually be the ones to defend some victim of the
system.

[1] [https://www.eff.org/about/contact](https://www.eff.org/about/contact)

[2] [https://supporters.eff.org/donate](https://supporters.eff.org/donate)

[3] [https://www.aclu.org/donate/join-renew-
give](https://www.aclu.org/donate/join-renew-give)

------
nostromo
Google should follow Apple's lead and spoof the phone's mac address while wifi
scanning to prevent this kind of tracking.

[http://www.tomsguide.com/us/ios-8-mac-address-
randomization,...](http://www.tomsguide.com/us/ios-8-mac-address-
randomization,news-18937.html)

~~~
kjjw
Is no one else in the least bit cynical about the timing of MAC randomisation
from Apple? Release iBeacon, then shut off an approach others could use to
build a competing system.

~~~
moreati
I'm moderately cynical about Apple's motivations. I think they've done it
because it helps them make money, not for any altruistic reason. Having this
feature helps Apple sell iPhones to us, and the iBeacon platform to
advertisers.

I don't think that makes a difference though, because Bluetooth LE beacons
(iBeacons) are better in this respect - regardless of Apple's motivations.

If your Alice's iPhone senses Bob's iBeacon then no information is revealed to
Bob about Alice - an iBeacon can't receive, they're transmit only [1]. It's
only once Alice installs Bob's app that Bob can get an indication that Alice
is near one of his iBeacons.

1\. [http://radar.oreilly.com/2014/03/ibeacon-
basics.html#_iaW3P0](http://radar.oreilly.com/2014/03/ibeacon-
basics.html#_iaW3P0)

~~~
wyager
> I think they've done it because it helps them make money, not for any
> altruistic reason.

These are not orthogonal concepts.

~~~
moreati
You're right, I should have said: altruism was a secondary concern.

------
klinquist
If your wifi is on, cities are not the only people tracking your location.
It's a huge industry - Euclid Analytics, Cisco, and others are providing
stores with a customer's path, dwell times, etc. Connecting your MAC to your
person is trivial with more than one visit to a store in which you pay with a
credit card.

It should be noted that iOS 8 randomizes the MAC address during wifi probes,
so with iOS 8 you will not be trackable unless you install the store's app.

~~~
dandv
You can massively fuck with stores trying to track people, and infect their
databases with fake MAC addresses, using Pry-Fi -
[https://play.google.com/store/apps/details?id=eu.chainfire.p...](https://play.google.com/store/apps/details?id=eu.chainfire.pryfi)

~~~
finnn
"infect" doesnt quite seem to fit, but yeah +1 for Pry-Fi. I just wish it
would let me set a specific MAC for a specific SSID. ie xfinitywifi will let
you on if your mac is 00:11:22:33:44:55

------
dperny
Reminds me of ctOS from Watch_Dogs.

In the game, the fictional Blume Industries sets up a massive, city-wide
network, connecting almost everything to the central ctOS supercomputer. One
of the ways they build public support for this system is by first providing
free wifi to the public in and around Chicago.

I know this isn't perfectly analogous, but wifi networks popping up for
ostensibly benevolent purposes and then being used to track people seems close
enough to warrant a mention.

~~~
jugfjfkugl
How old are you?

~~~
recursive
I'm not sure if this helps you out, but I'm 33, and it also reminds me of
ctOS.

------
ronnier
This system was disabled.

[http://www.komonews.com/news/local/Police-deactivating-
contr...](http://www.komonews.com/news/local/Police-deactivating-
controversial-WiFi-network-in-Seattle-231692161.html)

[http://seattletimes.com/html/latestnews/2022269628_spdwirele...](http://seattletimes.com/html/latestnews/2022269628_spdwirelessxml.html)

~~~
sleepybrett
Except they are still broadcasting SSIDs... so not so disabled.

------
GabrielF00
Isn't it much more likely that they're building this network for their own
internal needs? Police cars have computers, fire department personnel
sometimes need to download building plans on site, etc.

~~~
flatline
I'm sure that is _part_ of what they are building it for. But given all the
data from Aruba about the system's tracking capabilities, and the department's
dodgy answers about its intended use, I think it would honestly be a stretch
at this point to think that's _all_ they are building it for.

~~~
GabrielF00
You can probably request a copy of their grant proposal via FOIA. Having seen
similar grant proposals for other cities (admittedly not in a few years) I
would guess that their primary rationale is ensuring connectivity for first
responders even if the cell network is down due to a disaster or some other
event. I would be surprised if they considered surveillance to be a factor.

------
mmaunder
From the documentation for Analytics and Location Engine 1.2.1 (ALE):

 _Location API

This API retrieves Retrieves historical location objects for a specific MAC
client. The last 1000 historical locations are stored for each MAC address.
This API also publishes a location event if ALE receives an RSSI reading from
a single AP for a station...._

The API appears to return an X/Y coord pair which is associated with a campus,
building or floor map. It also returns an accuracy value for the XY pair.

I dug into this because I was curious if it was getting actual GPS coords but
it looks like it's using access point data and floor maps and (now I'm
guessing) it may be using multiple RF antennas per AP which lets it separate
an area into pie slices. That and signal strength will give you not-too-bad
location data.

From:

[http://support.arubanetworks.com/Documentation/tabid/77/DMXM...](http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=13705)

~~~
fennecfoxen
Yeah, things like location engines aren't for an outdoor citywide deployment,
they're really more for trilaterating your position within a controlled area
so you can localize someone's device to one corner of the office. It also
helps if you have information on the floor plan so you can adjust the signal
strength for attenuation from walls -- that's the kind of precision you're
looking at.

On a citywide level, though, you don't need that to get an idea of where
people have been bringing their phones, just the detection by the access point
in question is a major piece of information, readily placing you within a
block or so of most APs. Of course, besides the wifi angle, the cell phone
companies have something a lot like this too, and sometimes sell it or give it
to law enforcement anyway.

------
ZoFreX
> How well can this mesh network see you? How accurately can it geo-locate and
> track the movements of your phone, laptop, or any other wireless device by
> its MAC address? Can the network send that information to a database,
> allowing the SPD to reconstruct who was where at any given time, on any
> given day, without a warrant? Can the network see you now?

I feel like Betteridge's law applies here. Yes, it could. Maybe it does. Do
you have any evidence of these claims? Nope.

> Note that he didn't say the mesh network couldn't be used for the
> surveillance functions we asked about, only that it wouldn't.

Yes, that literally every enterprise access point in existence could be used
for that type of surveillance, so of course he didn't say it couldn't be used
for that. That would be lying. So what more assurance could we possibly have
than "it wouldn't"?

~~~
msandford
I think there's a big difference between a large enterprise's access points
and those that cover a city.

First off if your employer is spying on you, you at least have a chance to
quit and get another job. Further that new job might not require that you move
to avoid surveillance. Also many/most employers don't care enough about
specifically where all their employees are to do such a thing. Finally a lot
of the employers who do care enough have implemented ID badges. ID badges
don't necessarily give you a happy feeling inside since they make it obvious
that management doesn't trust everyone equally. But at least the tracking that
they do is explicit: you know you're getting logged every time you badge
through a door.

Imagine the outcry if a city implemented a badge ID system that you needed
just to travel anywhere. That literally conjures images of "Papers, please"
and the like.

The problem is that they have -- without any real, widespread public knowledge
or approval -- implemented a small portion of a fairly draconian we-track-you-
everywhere kind of system.

------
cortesoft
A MAC address is NOT a 'fingerprint'. Anyone could broadcast any MAC address,
so I can't imagine it holding up in court as evidence.

~~~
w4
True, but that assumes a degree of technical fluency, which American courts
have repeatedly failed to demonstrate.

------
neutronman
Ruckus Wireless can do this as well and works a bit better IMO than Aruba.

------
bcl
The title needs to be updated to reflect the article date.

~~~
dang
Ah yes. Thanks.

------
honksillet
This is Detective Monty Moss.
[http://i.ytimg.com/vi/MIg3We8iXbw/0.jpg](http://i.ytimg.com/vi/MIg3We8iXbw/0.jpg)
If you see him at a restaurant or shopping or out with the family, _politely_
approach him and _politely_ let him know that you don't appreciate his
efforts.

