

Smartphone-monitoring bins in London track places of work, past behavior - alt_
http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/

======
d5ve
I read somewhere recently about companies buying up this MAC address data from
individual shops and using it as an additional profiling source. If you walk
into a store and end up purchasing something, then your MAC would be linked to
any payment details. At which point, the profiling company would know who you
are, and where you go.

I started writing a small proof-of-concept Android app to randomise the Wi-Fi
MAC to make it more difficult to track a phone and its owner. The Android API
doesn't support changing the MAC, so it requires a rooted phone.

Mostly working code can be found at:
[https://github.com/d5ve/RandoMAC](https://github.com/d5ve/RandoMAC)

It's made tricky by being unable to change the MAC whilst the Wi-Fi is enabled,
and re-enabling the Wi-Fi resets the MAC back to the hardware one. Also by my
total inexperience with Android apps and Java.
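
An added illustration of the comment above (not d5ve's code and not taken from the RandoMAC repository): a randomised address should be unicast with the locally administered bit set, and rotating it keeps sensors from linking sightings by MAC. The sensor names, route and hardware address are constructed sample values.

```python
import secrets
from collections import defaultdict


def random_private_mac():
    """Return a random unicast, locally administered MAC address."""
    octets = bytearray(secrets.token_bytes(6))
    # First octet: set bit 1 (locally administered), clear bit 0 (multicast).
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac):
    return bool(int(mac.split(":")[0], 16) & 0x02)


def is_unicast(mac):
    return not int(mac.split(":")[0], 16) & 0x01


def linked_paths(sightings):
    """Map each MAC seen by more than one sensor to the sensors that saw it."""
    seen = defaultdict(list)
    for sensor, mac in sightings:
        seen[mac].append(sensor)
    return {mac: path for mac, path in seen.items() if len(set(path)) > 1}


def walk(route, mac_for_hop):
    """One sighting per sensor on the route, using the MAC in force at that hop."""
    return [(sensor, mac_for_hop()) for sensor in route]


# Constructed sample data: a hardware-style address (locally administered bit
# clear) and three hypothetical sensors passed on one walk.
HARDWARE_MAC = "00:11:22:33:44:55"
ROUTE = ["bin-1", "bin-2", "shop-entrance"]

fixed = walk(ROUTE, lambda: HARDWARE_MAC)   # same MAC at every sensor
rotating = walk(ROUTE, random_private_mac)  # fresh MAC before each sensor

if __name__ == "__main__":
    print("fixed MAC   :", linked_paths(fixed))
    print("rotating MAC:", linked_paths(rotating))
```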

------
anigbrowl
This is OK because it's for business so yay freedom.

...admittedly I'm having a hard time seeing how this squares with EU data
protection laws but I'm sure the UK will pursue an opt-out in the name of free
markets. I'm not kidding, sadly.

Also, that video...WTF.

~~~
justincormack
They are claiming it is not personally identifiable. Expecting these to be
hacked shortly...

~~~
kenshiro_o
How so? The MAC address is unique for each device and makes it much easier
to identify an individual. Anyway, I did not consent for this data to be
collected when I walk down the City to go to or come back from work. However,
given the recent events with PRISM I doubt our concerns will be adequately
addressed...

~~~
keithpeter
MAC address number of device needs to be mapped to the name of the person
whose contract includes the device. I'm not sure how an advertising company
would go about doing that.

MAC address is stored apparently so _device_ movement tracking past other bins
& in and out of shops can happen. As suggested in the article some qualities
of the owner of the device could be inferred.

Possibly irrelevant comment: I bought a pay as you go mobile broadband dongle
in a UK computer shop recently as I wanted to access internet from a location
with no wifi. Paid cash (as it happened, I tend to for smallish transactions)
and topped the device up in a newsagents' shop with top-up card that came in
the box, again cash. I didn't realise we could still do that. I've since
topped up by cash machine so there is an audit trail now.

------
ColinWright
There is further discussion over here:

[https://news.ycombinator.com/item?id=6194832](https://news.ycombinator.com/item?id=6194832)
(wired.co.uk)

In addition, here are some other sources for the same story:

[https://news.ycombinator.com/item?id=6181893](https://news.ycombinator.com/item?id=6181893)
(qz.com)

[https://news.ycombinator.com/item?id=6183485](https://news.ycombinator.com/item?id=6183485)
(qz.com)

[https://news.ycombinator.com/item?id=6184423](https://news.ycombinator.com/item?id=6184423)
(theatlanticcities.com)

[https://news.ycombinator.com/item?id=6187750](https://news.ycombinator.com/item?id=6187750)
(vice.com)

------
Bjoern
It's quite fascinating that many are not aware of how much data their phones
are revealing. In this regard this is a rather interesting and technical
presentation on how to exploit such data and going a step further.

"Terrorism, Tracking, Privacy And Human Interactions. Daniel Cuthbert and
Glenn Wilkinson, SensePost at 4CON 2012 in London."

[http://www.youtube.com/watch?v=Vsn7_4qUdwk](http://www.youtube.com/watch?v=Vsn7_4qUdwk)

Found a short summary attempt here.
[http://www.securityg33k.com/blog/?p=629](http://www.securityg33k.com/blog/?p=629)

------
danielhughes
I work in the advertising industry and can say with confidence that for most
companies the value of this sort of data is far outweighed by the negative
backlash. Look for example at the way retailers initially flirted with
in-store tracking and now are abandoning that technology. That fact coupled with
the likely legislative reaction leads me to think that this practice won't
last long.

What concerns me most is the prospect of governments doing this sort of
snooping. It will probably begin with a justification that the data are
valuable for managing traffic patterns and for urban planning (or other
seemingly harmless purposes). But then ultimately it will be used by the
government for other purposes.

It might actually be a good thing if in the short term a few companies abuse
the technology to the point that the public wakes up to the amount of
information broadcast by their wireless devices. Perhaps it will motivate the
industry to add more security as a default setting (iCloud VPN anyone?).

~~~
slig
> What concerns me most is the prospect of governments doing this sort of
> snooping. It will probably begin with a justification that the data are
> valuable for managing traffic patterns and for urban planning (or other
> seemingly harmless purposes)

Can't just the government ask _very nicely_ to TelCos for this kind of data?

~~~
danielhughes
Sure the NSA can do that. But this kind of monitoring is accessible enough
that even the smallest agencies and local governments can enjoy the same
powers to abuse our privacy.

------
a3n
And the data is just a warrantless request away from a government demand, so,
bonus.

------
drunkenmasta
Doesn't the same thing happen in the US? Didn't AT&T just announce a new (opt
out) privacy policy?

- program one "External marketing & analytics reports" - ..."for example, we
might provide reports to retailers about the number of wireless devices in or
near their store locations by time of day and day of week, together with the
device users' collective information like ages and gender."

- program two "relevant advertising including wireless location
characteristics" - "we're currently creating a new 'wireless location
characteristic' that will help us use local geography as a factor in
delivering ads. location characteristics are types of locations - like 'movie
theaters.' people who live in a particular geographic area might appear to be
very interested in movies, thanks to collective information that shows
wireless devices from that area are often located in the vicinity of movie
theaters."

------
pktgen
I don't know anything about the internals of 802.11, so these are just random
thoughts:

- Could the spec be modified (or maybe it already has such a mechanism?) to
allow APs to broadcast themselves every 1-2 seconds, and remove this device
polling mechanism?

- Instead of device polling constantly, could devices simply sniff the entire
flow for frames containing a src/dst MAC address of any known APs (i.e. APs
the user has selected to auto-connect to)? And only perform the polling when
the user is in the AP selection screen?

- Another 'hack': since we're mostly talking smartphones which all have GPS
now, could devices be set to only poll for APs if they're in an area they know
a recognized AP is in? Probably battery life concerns though.

------
malandrew
Is it possible to perform constant MAC address cycling on an Android phone?

This is a business doing this and it may not last long due to privacy laws,
but I wouldn't be surprised if exceptions were made for the UK government to
use these to track its citizens.

------
tehwalrus
Thanks for the warning, I'll now be disabling wifi when I'm walking around in
London (and other British cities, just in case.)

