
Tracking devices hidden in London's recycling bins are stalking your smartphone - Leander_B
http://qz.com/112873/this-recycling-bin-is-following-you/
======
casca
This has some interesting legal implications. The UK has a Data Protection Act
that requires organisations to register with the ICO (Information
Commissioner's Office) and comply with a number of requirements.

Renew London is not registered with the ICO, nor is any company with a similar
name at their postcode [1].

So either they believe that they're exempt, or that it's under a different
name.

The ICO has a self-assessment tool [2] to work out whether an organisation is
required to register. I'd suggest that the big question is: "Are you
processing personal information?". The definition is:

> ‘Processing’ means doing any of the following with the information:
>
>     obtaining it
>     recording it
>     storing it
>     updating it
>     sharing it
>
> ‘Personal information’ means any detail about a living individual that can be
> used on its own, or with other data, to identify them.

So based on that, they're processing personal information and are legally
required to register and comply. The ICO is not seen as an overly strong
regulator, but they might be convinced to investigate after the inevitable
headlines in the papers.

[1]
[http://www.ico.org.uk/esdwebpages/search](http://www.ico.org.uk/esdwebpages/search).
Postcode is E1 6DY from their website in the press release

[2]
[http://www.ico.org.uk/for_organisations/data_protection/regi...](http://www.ico.org.uk/for_organisations/data_protection/registration/self-assessment)

~~~
sjtgraham
It's not clear that a MAC address is personal information. The ICO's own
guidance [1] gives the example of a telephone number being personal information
if the number is in the telephone directory, making a reverse lookup to
identify the owner possible. Is such a directory available for MAC addresses
possible? Given a hypothetical MAC address 0c:fd:c3:de:00:d5, could you
identify a person with that alone?

[1]
[http://www.ico.org.uk/upload/documents/library/data_protecti...](http://www.ico.org.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_data_flowchart_v1_with_preface001.pdf)

~~~
chrischen
It is not possible unless the user voluntarily associates his personal
information with that MAC address.

It is possible to harvest this information covertly. Up until iOS 7, it's
possible for _any_ iPhone app to get your MAC address. So if you also provide
your personal information, an app could covertly associate them.

~~~
sehrope
It doesn't have to be voluntary. If I have a list of all the MAC
addresses/timestamps and can cross reference that against a different known
list of people times (ex: credit card transactions, rewards card, even face
recognition) then you can associate them. With enough data it can be _very_
exact.

~~~
chrischen
If you had face recognition and rewards cards, you wouldn't even need a MAC
address to track someone.

~~~
krichman
The rewards card would be in one location, you could then know that person's
identity at all stores via cell phone connections or cameras.

~~~
chrischen
It can be feasible if enough credit card or reward card usage data is
gathered for you, across all the stores you visit. Hard, but possible. Still
for a lot of users the entropy will be too high.

~~~
cbhl
[https://news.ycombinator.com/item?id=2942967](https://news.ycombinator.com/item?id=2942967)
87% of the U.S. Population are uniquely identified by {DOB, gender, zip}
(latanyasweeney.org) (278 points, 712 days ago, 101 comments)

~~~
chrischen
Yes but you'd have to uniquely identify by store visit patterns, and assuming
you use a trackable method like credit card, loyalty card (universal one), AND
have your wifi turned on.

You listed a lot of dimensions, whereas to make the correlation between MAC
address and customer info, you only have 1 dimension (visits/location) to do
the correlation with.

~~~
krichman
I think it would be easy to link either your credit card or your image (if
they were doing that) to your MAC if you only made two trips to the same
franchise with wi-fi on.

For example, imagine they have cameras that can image your license plate. You
go there twice -- they have one MAC and two sets of possible plates. The odds
that you and another person were both shopping at those times is pretty low.
Now they have license plate, make/model of the car, can probably triangulate
the wi-fi to know what you bought each time with reasonable fidelity...

------
ColinWright
There is further discussion over here:

[https://news.ycombinator.com/item?id=6194160](https://news.ycombinator.com/item?id=6194160)
(arstechnica.com)

In addition, here are some other sources for the same story:

[https://news.ycombinator.com/item?id=6181893](https://news.ycombinator.com/item?id=6181893)
(qz.com)

[https://news.ycombinator.com/item?id=6183485](https://news.ycombinator.com/item?id=6183485)
(qz.com)

[https://news.ycombinator.com/item?id=6184423](https://news.ycombinator.com/item?id=6184423)
(theatlanticcities.com)

[https://news.ycombinator.com/item?id=6187750](https://news.ycombinator.com/item?id=6187750)
(vice.com)

------
buro9
On one of the forums I am on, the debate has moved to whether a MAC address is
an identifying piece of information. Especially given the high likelihood that
a phone is not a shared device.

They're also using the MAC address to identify the device, and I suspect from
that to estimate the demographic:
[http://new.pitchengine.com/pitches/60f7865a-f3ac-4167-920c-5...](http://new.pitchengine.com/pitches/60f7865a-f3ac-4167-920c-52faeea0564a)

This seems to be echoed by some legal people:
[http://www.huntonprivacyblog.com/2011/05/articles/article-29...](http://www.huntonprivacyblog.com/2011/05/articles/article-29-working-party-opines-on-geolocation-services/)

> Unique identifiers (such as MAC addresses) should only be stored for a
> maximum period of 24 hours, and should subsequently be deleted or
> anonymized.

And they have an opt-out page:
[http://www.presenceorb.com/optout.aspx](http://www.presenceorb.com/optout.aspx)

But how many people would opt-out of something they didn't know was tracking
them?

~~~
voltagex_
I wonder how long it would take you to POST all the possible iPhone and
Android MAC addresses to that opt out page.

~~~
buro9
And to do it in a random order to ensure they couldn't just ignore the
opt-outs based on sequence.

~~~
baruch
You'd also need to do it from multiple IPs to avoid being hellbanned or
effectively filtered later on (presumably they log which IP the request came
from).

~~~
Karunamon
Get on Tor, send a random number of requests between 1 and 3, wait a few
seconds, regenerate the tor circuit, do it again.

------
nns
As someone living and working in London, I pass more than a couple of these
'bins' every single day.

These bins are quite strategically placed (1) in the heart of the square mile
- the prime financial district and tourist hub of London city (2) especially
around bus stops and city squares in this area - which have some form or other
of free city wide wifi networks - where one would be waiting for enough time
(consuming lunch, waiting for bus, meeting a friend, shopping...) to be an
ideal consumer for targeted advertisement.

They also have an extremely amusing design which makes them look slick - but
extremely unlike waste bins - in fact you have to look at them closely to find
where you need to dispose of your waste. This was one thing that amused me
extremely when I first saw them - the strange inconspicuous design - but
things make much more sense in the light of this article.

As someone who's targeted more than once a day by these things, I see this as
a breach of privacy and expect to be informed that data about me is being
collected and stored and maybe used for commercial purposes in the future
(irrespective of the ICO technicalities and loopholes).

As a human, it's a fundamental breach of trust and I would personally not see
these things with the same inconspicuousness they have been designed with to
deceptively integrate and blend into our daily environment.

------
deizel
Update 18:15 09/08/2013-- "[We collect anonymised and aggregated MAC data --
we don't track individuals or individual MACs. The ORBs aggregate all footfall
around a pod for three minutes and send back one anonymised aggregated report
from each site so the idea that we are tracking individuals again is more
style than substance," says Memari in an email. "There are applications in the
future which Quartz focused on but during the trial period we are only looking
at anonymised and aggregated MAC data".

He adds, "as some of the technology we will be testing will be on the
boundaries of what is regulated and discussed it is our intention to discuss
it publicly and especially collaborate with privacy groups like EFF to make
sure we lead the charge on [adding necessary protections] as we are with the
implementation of the technology"
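One way a collector could produce the per-window aggregate described in the statement above while keeping no identifier past the window, as an added example that is not Renew's or Presence Orb's code: the `FootfallCounter` class, its method names and the sample sightings are hypothetical. It uses a fresh random HMAC key per window because an unkeyed hash of a MAC address can be reversed by enumerating the address space.

```python
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 180  # the three-minute aggregation period quoted above


class FootfallCounter:
    """Counts distinct devices per window and keeps nothing else.

    Hypothetical design: each window has its own random HMAC key. Devices are
    de-duplicated by keyed tag; when the window closes, the tags and the key
    are discarded, so a report cannot be reversed or joined to another window.
    """

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.reports = []      # [(window_start_seconds, distinct_devices)]
        self._index = None     # number of the window currently open
        self._start_window()

    def _start_window(self):
        self._key = secrets.token_bytes(32)
        self._tags = set()

    def _tag(self, mac):
        raw = bytes.fromhex(mac.lower().replace(":", "").replace("-", ""))
        if len(raw) != 6:
            raise ValueError(f"not a 48-bit MAC address: {mac!r}")
        return hmac.new(self._key, raw, hashlib.sha256).digest()

    def observe(self, timestamp, mac):
        index = int(timestamp // self.window)
        if self._index is None:
            self._index = index
        if index < self._index:
            raise ValueError("sighting is older than the open window")
        if index > self._index:
            self.close_window()
            self._index = index
        self._tags.add(self._tag(mac))

    def close_window(self):
        if self._index is not None:
            self.reports.append((self._index * self.window, len(self._tags)))
        self._index = None
        self._start_window()   # drops the old key and every tag made with it


# Constructed sightings (seconds since start, MAC); addresses are the two
# quoted elsewhere in this thread, not captured data.
CONSTRUCTED_SIGHTINGS = [
    (0, "00-14-22-01-23-45"),
    (10, "00:14:22:01:23:45"),   # same device again, counted once
    (100, "0c:fd:c3:de:00:d5"),
    (200, "00:14:22:01:23:45"),  # next window, new key, new tag
]


def run_sample():
    counter = FootfallCounter()
    for timestamp, mac in CONSTRUCTED_SIGHTINGS:
        counter.observe(timestamp, mac)
    counter.close_window()
    return counter.reports
```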

~~~
doctorstupid
That is not consistent with their stated intention of targeting individuals
with ads. They made that quite clear in the video.

------
harrytuttle
Low tech solution: fire.

When a couple have gone up, it will no longer be cost effective.

I really don't like the idea of tracking such things. It's bad enough in the
internet but being stalked outside is not acceptable.

~~~
drdaeman
If you don't like being tracked then don't practically scream your hardware's
identity around. This is what you do when you use 802.11. Trying to legally
regulate such things is like pronouncing your and peer's name in clear (even
if you use cryptic language), in every sentence you say out loud, then telling
others to not notice nor remember that.

Want the privacy the sane way? Go make vendors introduce security features
(like short-lived ephemeral MACs), so communicating party names won't be
meaningful to others.

~~~
sunglasses
Unfortunately, nobody is competing on such features. There is simply no (even
paid) alternative available.

~~~
drdaeman
There's always an option to enforce requirement of such features using the
legal system.

If laws can and are (ab)used by governments and their TLAs to legally force
equipment vendors and service providers to create various surveillance
features and misfeatures (backdoors, security strength limitations), it's only
reasonable that they must be used to create privacy-enhancing features for the
public good, too.

------
ihsw
One can only wonder when it will be illegal to _not_ have a tracking device
(smartphone) attached to you.

~~~
fauigerzigerk
Long before that it will become suspicious.

------
linker3000
You can just imagine a future press release from those involved, citing an
'enhanced...experience' - which is general marketing speak for "we're going
to try and squeeze more money from you with targeted advertising". What a
shitty way to contribute to society.

~~~
krichman
There's a commenter on HN who thinks so;

[https://news.ycombinator.com/item?id=6196981](https://news.ycombinator.com/item?id=6196981)

I tend to disagree, I don't think tracking my habits to more effectively
manipulate and target me is an enhanced experience.

------
cupcake-unicorn
This is very interesting.

So I never was much of a network analyst, forgive me - is there any way to
guard against this while still leaving your wifi on, without something like
cycling MACs? I wasn't aware that when you scan for Networks, that you're
actually exchanging some packets with those networks - I thought you were just
picking up on a broadcast one way. Shouldn't there be some sort of "stealth
mode" where you're not leaking packets everywhere?

It actually seems like if this was the case, I'm surprised it hasn't been used
in other ways. Say a burglar breaks into my house with his iPhone in his
pocket. Could I later prove it was him by pulling up some log on my router
that was picking up MAC addresses going by? And why isn't there some software
(to my knowledge) that does the same thing for surveillance - logging all the
MAC addresses and creating alerts if a new one comes into the area?

~~~
lutusp
> is there any way to guard against this while still leaving your wifi on,
> without something like cycling MACs?

No -- the adaptor's MAC is an essential part of the transaction, while cycling
MACs would be a dead giveaway and would increase attention paid to that system
and its travels.

Turning off the adaptor is the only meaningful way to avoid tracking.

> Say a burglar breaks into my house with his iPhone in his pocket. Could I
> later prove it was him by pulling up some log on my router that was picking
> up MAC addresses going by?

Yes, but only in a society that would allow this kind of tracking of people,
each of whom is presumed to be innocent. Usually a person is first identified
as a suspect, after which a technical track can be made. But a person who is
not already regarded as a suspect can't be (legally) subjected to this kind of
surveillance.

> And why isn't there some software (to my knowledge) that does the same thing
> for surveillance - logging all the MAC addresses and creating alerts if a
> new one comes into the area?

Because this is privileged information having to do with privacy, and
violating it would confront certain well-established civil rights that vary
from country to country.

~~~
cupcake-unicorn
I get and agree with your last two answers, but if that's the case, why has
this kind of thing started popping up on a commercial scale? They certainly
would have more to answer for, legally, if privacy laws were violated.

And just because an app like that may violate privacy rights, I mean, you
still see things like Firesheep, packet sniffing, network surveillance tools,
all published with the caveat to just use for "testing".

It seems to me that the laws are somewhat murky, as evidenced by this article,
and I would be surprised if there was any law in the US against me keeping
track of MACs that came into the range of my router. With your argument I
couldn't set up a surveillance camera outside my house either.

~~~
cynwoody
The burglar's phone's MAC address in your router's nicely timestamped log
would be evidence, I would think, albeit less iron-clad than surveillance
video of him taking your stuff. It would serve to bolster the prosecution's
case, should the police manage to find the perp through other means. E.g., the
thief might have been found fencing your Vermeer. He might claim to have
acquired it innocently from someone. In that case, the jury would find your
log interesting as they weigh the evidence.

An interesting question is whether the MAC address alone could be used to
trace the perp. The first 24 bits of the 48-bit MAC address identify the
company that manufactured the adapter. Then the question would be, did the
company that put the adapter into the phone cross-reference its MAC with the
phone's serial number and the serial number with the owner.

A smart thief would turn his phone off during a job. Routers logging MAC
addresses are probably a much less serious problem than cell carriers keeping
logs of which phones were where when.

~~~
dredwerker
MAC addresses aren't unique but just nearly unique.

~~~
lutusp
No, they're unique. Each manufacturer is given a block of MAC addresses, and
they assign them like serial numbers to each NIC they build. Each cell phone,
WiFi access point, and normal NIC, has a unique MAC. If this were not the
case, if two devices had the same MAC, the risk of a network collision would
exist, and manufacturers, aware of this risk and the damage it would do to
their reputation, act to prevent it in their own interest.
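The address layout discussed in this subthread (a 24-bit manufacturer prefix followed by a 24-bit device part) and the "cycling" or ephemeral MACs raised earlier, as an added example that is not from any commenter: the function names are hypothetical, and the third sample address is constructed. It goes slightly beyond the comments by reading the two flag bits in the first octet, which show whether an address is vendor-assigned or chosen in software.

```python
import re
import secrets

_SEPARATORS = re.compile(r"[:.\-]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def parse_mac(text):
    """Return the six raw bytes of a MAC written as aa:bb:.., aa-bb-.. or aabb.ccdd.eeff."""
    digits = _SEPARATORS.sub("", text.strip().lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe(text):
    """Split a MAC into the fields any listener in radio range can read."""
    mac = parse_mac(text)
    multicast = bool(mac[0] & 0x01)  # I/G bit: group address, not one device
    local = bool(mac[0] & 0x02)      # U/L bit: chosen in software, not by the vendor
    return {
        "address": mac.hex(":"),
        # The 24-bit prefix names a manufacturer only when the U/L bit is clear.
        "vendor_prefix": None if local else mac[:3].hex(":").upper(),
        "multicast": multicast,
        "locally_administered": local,
        # Assigned at the factory, so it stays the same between sightings
        # unless the device overrides it.
        "vendor_assigned": not local and not multicast,
    }


def random_private_mac():
    """Generate the kind of address a MAC-randomising client would present."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # set U/L (local), clear I/G (unicast)
    return bytes(raw).hex(":")


# Two addresses quoted in the thread plus one constructed for this example.
SAMPLE = ["0c:fd:c3:de:00:d5", "00-14-22-01-23-45", "da:a1:19:00:00:01"]

if __name__ == "__main__":
    for entry in SAMPLE + [random_private_mac()]:
        print(describe(entry))
```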

------
gasull
GreenPower for Android turns off your wifi when you're not using it. It's
meant for battery life. Now it's also good for privacy.

[https://play.google.com/store/apps/details?id=org.gpo.greenp...](https://play.google.com/store/apps/details?id=org.gpo.greenpower&hl=en)

------
will_
I had a little start-up idea a while ago .. albeit only tangentially related
to this one.

Make a deal with JC Decaux, or some similar out-of-home advertising company to
place cameras (strategically) around the City of London.

Nominally to provide personally tailored advertising, the significant
secondary purpose is to use face recognition to identify
individuals-of-interest: specific traders, fund managers and so on.

This enables us to analyse facial expression, gait, maybe body temperature to
determine mood, then look for correlations in the stocks and markets that
these individuals trade.

I think that this will be legal, since all the information that you are using
is (nominally, at least) legal, and gained in a public place.

After all, if it is OK for the authorities to place the whole population under
close surveillance, they cannot possibly object if we turn around and do the
same thing to their paymasters, can they?

------
borplk
I'm no fan of fighting these things with technology and workarounds as I
believe these issues need to be addressed at the legal level and the
technology battle is just an arms race that you can never win.

However, might be a good idea to write a mobile app that changes your MAC
address periodically (not sure how hard it is)

------
swamp40
People have been waiting for this technology infrastructure to get in place
for years.

It's a shame the recent NSA fiasco will scare people away now and set this
back another 5 years.

There are some phenomenal experiences possible.

~~~
zxcdw
Do you find that marketing/advertising is about _creating experiences_?

I find it is about bullshitting people as much as you can, change my view
please.

~~~
swamp40
100+ years of radio and 60+ years of television shaped the lives of almost
everyone alive on the planet. Brought to you _free_ by advertising.

Closing in on a _million_ free apps available at both Apple and Android
marketplaces. Brought to you _free_ by advertising.

Skype. How many poor families scattered across the world has Skype helped?

Those are significant, life changing _experiences_ - not bullshit.

------
lo_fye
Hilariously, all 3 "unique" MAC addresses in that marketing image are
identical: 00-14-22-01-23-45

They changed the font colour of the word "Mac", but not the actual address.
Plus, Mac should be MAC.

McFail.

~~~
skeletonjelly
Yeah I think their point still remains though. They referred to it as "MAC" in
the text of the article at least. Probably just the designer.

------
marshray
I think I even took a picture of one of those when I was in London last Fall:
[https://twitter.com/marshray/status/321038712735690754](https://twitter.com/marshray/status/321038712735690754)

EDIT: That may not have been my own picture in that tweet. But still ISTR
having snapped a similar one.

------
ZeroMinx
Stupid question; can I not opt out of this by turning wifi off while walking
around these places?

~~~
cylinder714
Yes--if you turn WiFi off, your phone won't broadcast its MAC address, so
there's nothing for them to track.

Nordstrom stores in the US were caught tracking shoppers via their phones' MAC
addresses earlier this year. All the more reason to turn off WiFi if you're
not actively using it.

~~~
anigbrowl
All the more reason why the US needs a robust data protection act, despite the
howls of outrage this will cause in Silicon Valley.

~~~
lelandbatey
Reading through these comments, I get the feel that many people feel that this
kind of observation is wrong in some way. I'm confused about this, since it
seems like it's built on the solid social contract that we are free to observe
anything that happens in a public space. I actually just wrote about this
subject this morning.[0] The possibility that I might be observed in public
has never bothered me, and I'm curious to hear what other people have to say.

[0] - [http://xwl.me/md/erj28mbe62ap193](http://xwl.me/md/erj28mbe62ap193)

~~~
krichman
It's because when we say being observed in public, we assume it to be someone
looking at us and then basically forgetting all about us. We don't think about
security cameras watching us and having a single party aggregate all of that.
And we don't know our cell phones are broadcasting a unique barcode to
everything even if we do know the cell towers can triangulate and log our
location. (By we I mean our family members, not us on HN.)

Adding technology to the observation makes it so much stronger that I think
there should be a new discussion about it by our various governments.

------
newser1337
This is nothing to the security problems that will arise with the upcoming
Google Glass.

------
ivix
thirty üyyyQWJ

