Interestingly, the unbranded Android phones I have (one looks very much like an iPhone, ironically enough) all came with this "feature" of a random MAC every time the WiFi is turned on/off, although that was more likely the manufacturer not bothering to give each one a unique MAC.
All the more reason to keep the WiFi turned off unless you're actually using it, and this might be a bit on the paranoid side, but I do the same for the cell radio (airplane mode) - it's on only when I'm expecting a call or making one.
At the other end of the scale, this tracking via MAC almost invites making them think several million customers have suddenly entered the store...
Though accurate, "clueless" is a bit harsh. I don't expect the general public to know the implementation details of WiFi any more than I expect them to understand how a catalytic converter works. The beauty of an abstraction is that you get to reap its benefits without understanding precisely how it works.
...and get to be manipulated and screwed over by the people who do.
While I don't expect the general public to know the details of WiFi down to e.g. the level of the 802.11 spec, I think that some general ideas, like the difference between passive/active scanning, are both simple enough to be understood by analogy and critical to privacy that they should be known more prominently.
So if my home AP ESSID is Einstein, MAC=deadbeef, every time I enter a store my home AP MAC is still being recorded, as well as the relative movement throughout the store. As well, inter-relational data could be inferred by other AP MAC addresses; if I visit a friend or family member, it's likely that probe will connect us.
Relations are based on unique data; just because some of the data is 'scrambled', its reliance on static data is its weakness.
If the same client (iPhone) probes for a list of SSIDs with one random MAC and then probes for the same list again a short while later with a different randomised MAC, you could still track that individual based on the list of networks they probe for.
If the client MAC is randomised for every single new 802.11 probe that makes it harder but you could still track based on a single unique SSID probed for (i.e. something more unique than NETGEAR).
I'm going to look into this and possibly update my tool iSniff GPS.
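The linkage described in the comment above, as an added example that is not part of the original thread or of iSniff GPS: it groups constructed probe-request records by source MAC and reports which randomized MACs stay linkable through the SSIDs they name, and which do not because they only sent wildcard probes. The sample capture, the `COMMON_SSIDS` list and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample capture: (source MAC, SSID named in the probe request).
# An empty SSID is a wildcard (broadcast) probe that names no network.
CONSTRUCTED_PROBES = [
    ("da:a1:19:00:00:01", "Einstein"),
    ("da:a1:19:00:00:01", "NETGEAR"),
    ("da:a1:19:00:00:01", "CoffeeShop-Guest"),
    ("5e:3c:77:00:00:02", "Einstein"),          # same list, new random MAC
    ("5e:3c:77:00:00:02", "NETGEAR"),
    ("5e:3c:77:00:00:02", "CoffeeShop-Guest"),
    ("b2:10:42:00:00:03", "NETGEAR"),           # only vendor-default names
    ("b2:10:42:00:00:03", "linksys"),
    ("f6:9d:05:00:00:04", "Einstein"),          # one probe per MAC, unique SSID
    ("7a:44:c8:00:00:05", ""),                  # wildcard probes only
    ("c6:02:9e:00:00:06", ""),
]

# Assumed list of vendor-default SSIDs shared by many unrelated devices.
COMMON_SSIDS = frozenset({"NETGEAR", "linksys"})


def is_locally_administered(mac):
    """True for a unicast MAC with the locally-administered bit set,
    which is what a randomized MAC looks like on the air."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)


def ssid_sets(probes):
    """Map each source MAC to the set of SSIDs it named (wildcards ignored)."""
    seen = defaultdict(set)
    for mac, ssid in probes:
        named = seen[mac]          # registers the MAC even if wildcard-only
        if ssid:
            named.add(ssid)
    return {mac: frozenset(ssids) for mac, ssids in seen.items()}


def link_by_full_list(probes):
    """Groups of MACs that probed for exactly the same non-empty SSID list."""
    groups = defaultdict(list)
    for mac, ssids in ssid_sets(probes).items():
        if ssids:
            groups[ssids].append(mac)
    return sorted(sorted(macs) for macs in groups.values() if len(macs) > 1)


def link_by_rare_ssid(probes, common=COMMON_SSIDS):
    """SSIDs outside the common list that were named by more than one MAC."""
    by_ssid = defaultdict(set)
    for mac, ssids in ssid_sets(probes).items():
        for ssid in ssids - common:
            by_ssid[ssid].add(mac)
    return {ssid: sorted(macs) for ssid, macs in by_ssid.items() if len(macs) > 1}


def wildcard_only(probes):
    """MACs that never named an SSID and so expose nothing to link on."""
    return sorted(mac for mac, ssids in ssid_sets(probes).items() if not ssids)


if __name__ == "__main__":
    macs = {mac for mac, _ in CONSTRUCTED_PROBES}
    print("all randomized:", all(is_locally_administered(m) for m in macs))
    print("linked by full list:", link_by_full_list(CONSTRUCTED_PROBES))
    print("linked by rare SSID:", link_by_rare_ssid(CONSTRUCTED_PROBES))
    print("wildcard only:", wildcard_only(CONSTRUCTED_PROBES))
```

Run against a capture of your own device, an empty result from both linking functions means the probes carry no SSID-based identifier; pruning the saved-network list or relying on passive scanning moves a device toward that state.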
Incorrect, this occurs for all networks! I've had some fun with Wifi Pineapples before.
 By the gods, this is such a stupid idea. Aren't beacons often sent at a 10Hz rate? Assuming that we've associated with a network that actually sends beacons, why wouldn't remaining silent, listening for the beacon, then associating work just as well as probing?
- whether to automatically connect to any networks
- whether to use active scanning (and if it's off by default, I should be able to force one); passive scanning is fine unless you need to connect to networks without SSID broadcast, since it's just listening. Probably saves a tiny bit of battery too.
- better management of SSID list; I find the design where items in the list appear/disappear dynamically while you're trying to manipulate it rather irritating to use. I would prefer if there was an option to control whether the list gets updated, so it will stop accumulating useless networks. Finally, one for iOS (and Windows 8, which has regressed in this area): make it possible to forget and/or otherwise manage networks that are not in range.
The system that I'm familiar with only tracks where you're going. It didn't (as of a couple months ago) have any way of linking your MAC back to a consumer profile.
They want your:
- place of birth
- identity document type
- identity document number
- cellular phone number
- name of cellular provider
- landline phone number
- barcode from your boarding pass
I'm happy to say that the trend in the United States and Canada has been toward less or zero information for using wifi. Less than 10 years ago, it was quite common to see all sorts of questions to use wifi. And Internet cafes used to demand ID in the United States and Canada (and they still do in Brazil).
I also remember checking into a Brazilian hotel, where they wanted Brazilian guests, at least, to specify their highest level of formal education (!), as well as profession, date of birth, and the city from which the guest arrived and the city to which the guest planned to travel next.
I wonder if the last two are specifically meant to aid law enforcement investigations.
Unless it requires you to click a confirmation link or something similar to that, just use a fake address at one of the example.TLD domains.
If they DO require confirmation, use mailinator or a similar service.
It helps the same purpose as the loyalty cards, especially the ones that outgrow the original business (I'm looking at you both Tesco ClubCard and Nectar Card). Getting "points" by using those at other businesses like petrol stations helps them profile you for "better" advertising. They also keep you a bit more loyal to their associated brands, but we already knew that bit :)
In addition, if we find a good way to provide information to the store owner about how his or her store is being browsed and used, it is likely that stores will provide better shopping experiences.
Then there's "better shopping experiences" which most people's BS translators will read as "worse shopping experiences / persuading people to spend more than they intended".
To be clear, I'm not arguing that it is justified or moral. Whatever you think about 'right' or 'wrong', you have to realize that a person who builds a store is going to want to know everything about how his or her store is used. EVERYTHING. That's not good or evil, that's just logical.
Acting like it should be self evident to a store owner that tracking users is inherently wrong is just ignoring the viewpoint of the store owner wholesale. Does not lead to good policy.
Malls and stores have been doing this for years. See e.g. http://retailnext.net.
At least in Europe a bunch of cities also deploy these trackers in public squares for commerce/tourist tracking.
Also... Yes keeping your phone in Airplane mode is a bit paranoid.
Once they have that, your MAC address becomes personal. They know what that MAC buys, how long they spend in the store, how much they spend in the store, how often they visit, etc.
Couple that with the fact that with enough WiFi APs, you can triangulate a certain MAC to a specific location in the store, match with the cameras, etc. Probably track you to your car if they wanted with their satellites watching their parking lots.
And then we get into the problems created when these stores either start sharing this info, or the vendor they hire to install their tracking system starts approaching full coverage of the nation / developed world.
Keep in mind this isn't 'crazy future minority report' stuff. These are all things they are either doing now or could easily do now. All in all, it's just another damn piece of info about me that was once personal and now no longer is. "The amount of time Ben Reaves is spending looking at adult diapers is trending up. Flag their profile for incontinence."
But we're not just talking shopping experiences here- the data, algorithms, and extra tracking that fuels the (perhaps extreme) future I described above has costs, mostly in personal privacy. Maybe I don't want the conglomerates (and the government, since we all now know they've got their 'black boxes' in the datacenters) to know my penis size, how good my relationship with my father is, what medical conditions I have, and just about everything else one can think of. However, this is the future we're headed towards.
Secondly, I think _greim_ said it very well in this post elsewhere in the thread: "Giving marketers deep psychological and behavioral insight increasingly enables them to circumvent rationality and "hack" consumers in various ways." There is a fine line, I think, between offering exceptional shopping experiences and manipulating your customers.
Can you please elaborate on your point?
This definitely seems to be a valid reason why people would be against being tracked. We don't want to be more easily manipulated (through the data that the ones doing tracking are able to acquire) and coerced into buying things we don't want/need (but the ones doing tracking want us to buy).
Would it be accurate to describe it like this: the consumers' interests are to be rational, less easily manipulated and "unhackable", and being tracked is a threat to those interests.
On the other hand, the store owners are trying their best to get their products sold, so their interests are opposite of the consumers, to find ways to sell as many things as possible.
If that's accurate, I find it interesting that there are these underlying "wars" occurring within a single species. In fact, a single person may wake up and go to work one morning, serving in the position of the one doing the "tracking" and fighting against the interests of consumers, then in the evening they may go shopping and end up on the other side, fighting against the interests of the ones doing tracking.
In general - I want to give people who don't know me personally (and especially people trying to sell me anything) less power to catch my attention and pull at my impulses, not more.
* or whatever it is makes transactions pareto optimal.
Meanwhile, behavioral economists have shown humans aren't even great at pursuing happiness; perhaps they have reached their high water mark, but they're certainly not completely wrong.
In my view, yes. Being rational is by definition the only way to make my life better. The harder it is to be rational—to perceive the truth through all the layers of bullshit and manipulation—the less I trust my own conclusions, and free markets in general.
Have you met any humans lately? We all have divergent interests, differently expressed in different aspects of our lives. The entirety of law and politics is this.
When I walk around I see many billboards advertising products for which I have no use (e.g. female hair care products). If tracking technology could replace those with things I actually might buy (even if male hair care products) then I would be a touch happier.
I see dating ads, cars advertisements, feminine healthcare products, insurance ads, etc. What do I want to see? Travel accessories, computers, hardware, games, tech gadgets, etc. I never see these ads.
Why doesn't Google say, hey, you're going to see Adsense all over the internet, advertisements before videos on YouTube, etc. Would you like to select a few categories so that time is spent seeing some cool products that are relevant to you?
I've been on the internet for 15+ years, and no one stopped to ask just once. I could select categories in about 20 seconds that would be more accurate than all this data collection and profiling that happens every day.
Instead, I just block ads, and install ad block on every computer I come across. I make my living off ad revenue, but ads are absolutely awful, irrelevant and too often malicious. If they gave me the option to select some categories in the past, I probably would have discovered some decent products to buy, and keep them turned on. But nope, I can't recall clicking an ad in the past decade.
I can report that it has indeed made me happier, as compared to when the ads were "Click here, Millionth visitor, and win a prize!". The dragnet advertising is a constant assault on your intelligence.
It also helps that the targeted ads I am seeing are tasteful & well designed.
I adblock 90%+ of the time, but I let ads through on some websites.
Also, I like to research, in general. Which means I can often come across and get deeply into some very odd subjects and it seems there are some odd correlations out there in society. For example, after doing a bunch of research on different world religions and their origin stories, I started getting ads for the Mormon church, and strangely, for all types of gambling websites, destinations and attractions. None of this advertising was of any use.
Seeing tailored advertisements brings me a feeling of despair, in the sense that your personal privacy is being exchanged for money. It only serves as a sad reminder that you must actively fight to protect it, and that we, as consumers, are failing at it right now.
> I don't see how buying something because some marketing convinced you of its worth is irrational.
It's not as much that they convinced me to buy something, it's that they did it by using data they got by essentially spying on me.
> What's bad or irrational about being manipulated by marketers and advertisers? I don't see how buying something because some marketing manipulated you into thinking it was worth buying is irrational.
How would you feel if every time you were in a store, an employee followed you around and took notes on your actions?
> How would you feel if every time you were in a store, an employee followed you around and took notes on your actions?
Most people would feel uneasy/bothered by that. But are those emotions warranted? If we did not get such emotions, would the same scenario be okay? Or are the emotions a consequence of the true reason why we're against such behavior?
It's also worth noting that the employee following you around is a visible behavior, while being tracked via Wi-Fi MAC addresses is much less intrusive.
It's less visibly intrusive, but the effect is the same. Our instincts aren't very good at reacting to effects we can't see, having evolved in a world where there were no undetectable ways for someone to follow us. Thus, we should consider what our natural reactions would be to a person doing the thing we want to use technology to do, before we create the technology to do it.
We should also consider the underlying causes of certain emotions, and whether or not they should be warranted.
Many phobias are unwarranted fears, so the goal is to eliminate the emotion rather than the underlying source. But the decision to _try_ to eliminate the fear can only be done after identifying and confirming that the fear is indeed unwarranted and unhealthy.
On the other hand, if the emotion is warranted, then it's completely valid.
What I'm suggesting is that human emotions serve as a really good indicator, but they cannot be taken as the absolute truth. It's best to investigate the actual facts and come up with logical conclusions. So neither trusting emotions blindly, nor ignoring them completely is the best course of action, but something in between.
My other beef here is that this is just another way to further dumb down and make retail employment completely mindless.
To answer your question directly, one of the advantages could be that they can optimize the store layout better so you don't have to walk as much to find what you want.
(There are other disadvantages and advantages, by listing one of them I don't exclude the existence of others, but I can't cover everything.)
But stores do not want to do that. Stores know you want a pint of milk and loaf of bread. They put these two items far apart which means you need to walk past all that other stuff, thus increasing the chance you'll buy something else.
Tracking technology isn't going to be used to make my experience nicer unless that translates into more money for the store.
You, me, perhaps: what about other buyers, many of whom don't come to the store with detailed checklists? Their experience involves a fair amount of in-store exploration. For them placing milk and loaf of bread far apart might arguably be beneficial, because it makes them go past all of that other stuff they may forget to buy otherwise. Indeed, I imagine such customers are also easier to upsell to and more prone to impulse purchases of products that yield better margins—and that's part of the shopping process they visit the store for. Alas, people seem to enjoy buying things.
In short, I wouldn't be so confident that a store with more ‘rational’ layout would score better in the eye of the customer, even all else equal.
Disclaimer: I don't work in this area of business and this is purely my speculation.
Why isn't it most profitable for the stores to provide the best experience for customers in order to be most profitable?
Suppose there are two stores:
- Store A. Offers decent experience for the customer.
- Store B. Offers much better experience for the customer.
One would naively expect and hope that, given those two choices, more people would prefer to go to the better Store B and hence it would be more profitable. Hence the stores would try to do their best to serve the customer interests.
Why is it instead more optimal for stores not to optimize for the happiness of its customers?
Could it be because customers are not adept at recognizing which stores offer better experience for them, _and rewarding_ such stores by preferring them over other stores?
1) The most important criterion for me when looking for a store, is walking distance. I don't want to bike, or drive to the store. So the closest store is almost guaranteed to win my business.
2) The second most important criterion is the price. I'm still a student so I'm a bit careful with my spending. So if a store is much much cheaper, and not too much further, then I might go there when I have big errands to run.
3) I am pretty much insensitive to the layout of the store. I'm already walking 10-15 minutes to get there, so 30 seconds between milk and bread is no problem really.
Anyway, my point is that in my case, the reason why the "better" store doesn't win is that I don't really care about the criterion used to define it as "better". So going back to your point, a store doesn't have anything to do to serve my interest other than being close to my apartment and lowering the prices. The rest is almost totally irrelevant to me.
The customer here is the product manufacturers and distributors, and the product is shelf space. In big box and department stores, strategic shelves like end caps and the area near the escalators are paid placements.
Ditto for the supermarket. Ever notice that in different chains, Coke or Pepsi is always either in the front or back of the store across locations? That's because they bid on the preferred location.
Retailers are focusing on stuff like this because most mass retailers have unsustainable business models and aren't making money at the core job - selling stuff to people.
Same thing with Google and TV commercials. For some people, privacy and security and saving time is a better experience, but for most, saving a few dollars here and there is a better experience.
Politicians = It takes time. Once they are elected terms last a long time and then people often have to choose a "new evil"... They can't just say welp, I don't support you anymore that'll solve the problem.
An Apple store is not laid out like that. I always see the big ticket items upfront and the accessories in the back. Most people don't impulse buy things that expensive.
You just walked past the shiny new things twice while you were there buying a cheap accessory. Maybe you noticed something you'll buy in the near future.
Meanwhile, the big ticket items are window dressing, and people who haven't bought an iDevice don't need accessories for one yet.
Are the two things mutually exclusive? Wouldn't it be better if they were one and the same? What can be done to make that so?
"By entering this store, we will permanently record your location every 60 seconds. The main purpose of said data collection is attempting to stitch your actions on the internet to store visits to more effectively sell advertising. Further, we will sell this data to many companies, most of whom we don't directly interact with. Our privacy 'policy' will most likely never be audited, and the worst possible outcome of violations is a fine in the low millions of dollars. We will hand this information over to police and lawyers if they clear the high bar of, well, asking for it. The NSA doesn't bother asking."
What do you think people would choose?
My guess is that most people would not be okay with that and choose to opt out.
But my question/argument is, would that be a rational decision? I don't see a lot of benefit for the customer to deny the store those options, so why do it if there's nothing to be gained from denying.
> attempting to stitch your actions on the internet to store visits to more effectively sell advertising
I think this is the key factor. If people see themselves as susceptible to such manipulation, then it does benefit them to deny such behavior to prevent stores from affecting them negatively.
Does that matter? We live in a capitalist democracy. One of the tenets of capitalism is that consumers should be well-informed and "vote with their dollars/feet", and the core principle of democracy is that the individual citizens get to decide how their society is run. We don't live in a LessWrong-ocracy where the world is run based on somebody's idea of rational objectivity or whatever.
I'm in politics so I know exactly how frustrating it can be when the average Joe doesn't necessarily agree with your vision of a rational decision, but if that's the case, the solution is to change their minds, not to circumvent or obfuscate to get around them.
 - I'm thinking Westerners in general, but I'm American, so I may be over-generalizing, we're good at that :-)
If the argument is that it's good for the people tracked, why hide it?
(EDIT: Deleted the first paragraph; I can't find the reference.)
Interesting to compare to Google who tracks customers around the internet. Crucially, if you don't log in to a Google account you are only one 'clear cookies' away from erasing your profile (I wonder occasionally if Google reconstructs profiles across different cookie sessions or not ...). At least on that side, you have some control. You can't change your MAC address nearly so easily.
That is necessary to keep the gateway from having to issue a thousand ARP requests (one for every packet you send from a different MAC), but there is no reason why the MAC chosen to connect to the network couldn't change every time you disconnect and reconnect. That would at least prevent you from being tracked between visits to the store [using this tracking method], even if you actually use the network.
I can narrow down a huge list to a very short list using the above information along with the probes being sent out, correlated to the signal strength. Timing of each probe can also be leveraged in uniquely identifying; most probes are sent in intervals from each device. Those probes that come in equal intervals are likely from the same source; leveraged against signal strength you can likely identify a small crowd. To take it even further you can calculate the signal as absorbed through the store to signal congestion and possibly other metrics.
Even by sticking to a certain subset of OUIs, it's still probably fine. On top of that, listening to traffic (even after picking an in-use MAC) would allow you to determine if someone else is using that address.
But still, I agree, it would be very hard to have everyone connect to your wifi.
It's opt-out for consumers, and in order to opt-out, you must register your MAC address with them.
I really hope that cycling MAC addresses becomes easier on mobile devices, if not automatic.
 Assuming you even know that this service exists (which most consumers don't, because why would the store owner tell them that they're doing this?)
That's terrible! Poor them!
That said, in some airports, changing MAC address is illegal. Now that the iPhone will support the feature and most owners will have no idea what's happening, I guess these airports will have to change policy :-)
Would you mind providing some links? I'm interested to see how it's laid out
Edit: I'm really getting confused with downvoting on HN. How exactly is this comment poor?
Apologies if you knew that and I'm just not understanding your point.
EDIT: sorry, I've had too little coffee today for proper reading comprehension. Clearly you think it'd be nice too and are not empathizing with the snoops and marketers.
My guess is that the stores that are using this tech are mostly concerned about how long the average person has to wait in the checkout line, not whether Joe Blow was in the store.
This will now become much more difficult to do.
"We'd like to learn a little about your shopping habits, and that includes sending anonymized data about your time in our store. In exchange for this, we'd love to offer you 25% off this purchase and 10% off all future purchases".
Face recognition comes to mind as a technology that can replace this, and perhaps as a result of the MAC scrambling we will see a bigger push for face recognition in stores.
This will be an interesting competition. Google, for openness and transparency; Apple, for control and privacy.
I'm not entirely sure what you mean — that Google openly and transparently tracks user behaviors so that they can make money on targeted advertising?
If you try to compare the two companies, I'd say the difference is that Apple charges you a premium for their devices (thus making money), while Google gathers data about you so that it can be sold to advertisers (thus making money). Theoretically, each company could do both, but recently Apple started differentiating itself by actually emphasizing privacy and limiting access to data about users, in many places.
I do agree that it will be interesting, though.
Naturally they are both vying for leverage. To borrow a line from The Lords of Strategy, "the key way to think about competitive advantage is to think about how to design ecology in such a way to achieve goals you’re trying to pursue".
Apple monetises device sales. It fiercely protects those sales by ensuring everything one does in its ecosystem is done through its devices. That fortification gives it more freedom with user data, which it can play against Google by encrypting and anonymizing its users' activity.
Google, on the other hand, monetises its access to user data. It fiercely protects that access by ensuring everything one does in its ecosystem runs through its servers. That fortification gives it more freedom with devices and standards, which it can play against Apple by encouraging modularity, adaptability, and customisation.
I don't really see it. They have released some stuff as / contributed to open source, but so has Apple.
By transparency, do you mean their real name policy?
Google is for "openness" only when it doesn't impact their bottom line.
I love some of the hyperbole that gets written on HN about Google/Android.
Where do you even get some of this nonsense?
Like Netflix vs. YouTube. Netflix fights for your ability to stream HD videos comfortably because you pay for the service. YouTube crams a perfectly-buffered, crisp HD ad down your throat before leaving you with a video that might stutter or fail to load even at 480p. Sure, people can't complain when it's free (though they do), but I think it really limits what an experience can be, and I don't consider that particularly user-centered.
Anyway, just my thoughts.
Edit: Fixed some parallel structure
The disconnect is there for many videos where a perfectly buffered ad precedes a slow buffering video or something, but they seem to use that technology on some user videos too I think - or something similar.
Due to the nature of how CDNs work the ads don't normally need special treatment.
They simply benefit from being 'very popular videos'. Meaning they stay hot in all edge caches because everyone, everywhere is watching them all the time.
1. The advertisers who pay google get their money from us, added to the prices of the things we buy. There is no free lunch.
2. The overhead cost of advertising is huge and we pay for that too.
3. We pay the opportunity cost of a product that cannot put users first because they live or die by giving advertisers what they want (and what we want indirectly and secondarily). This includes both the cost of lost privacy as well as design that optimizes advertising revenue. As has been said, we are more Google's products than we are their customers.
4. We pay the social costs. Democracy and the free market assume people make voting and purchasing decisions based on facts and reason. Advertising is predominantly about manipulation and deceit. I believe this is the most expensive cost of services that rely on advertising revenue.
Added together, we are paying a lot more for "free" web searches and email than if we could just straight up pay Google for straight-up ad-free versions.
[This is a condensed version of a more detailed case with reference links that I made here: https://news.ycombinator.com/item?id=7485773]
I don't see how this move is anything out of line with something Google might do. Google can track you because you're using their services on their OS. They don't need a network of WiFi access points to triangulate your location, they can just read it out of your phone's GPS receiver. Randomizing your MAC when scanning for networks is in the same nature as enabling SSL by default for Google services -- it doesn't hide anything from Google (or, as the case may be, from Apple) but it hides things from other people you don't want observing you.
Yes, Apple certainly wouldn't develop/release a product whose sole purpose is to track user's physical presence, with the primary use point being able to sell the ability to push 'app usage':
This is about the ability to track handsets, and how Apple wants to corner the market on tracking their own handsets.
In order for it to be used to track users, the user would have to run an app that detects the beacon and then communicates back to the business. In other words, the user has to opt in to tracking.
You are wrong, the point of iBeacon is to allow an app to track its position.
Apple is not about privacy, they're about controlling what they consider to be their customers. They will be the gateway the users go through for any service whatsoever. They get their 30% no matter what.
The big difference is opting in and consent. That’s what’s important. Also, yeah, Apple get their 30% – but only if apps actually cost anything. Those store apps usually don’t cost anything (the stores want to sell the stuff in the stores, not apps) so they will cost Apple money, not make Apple money.
I don’t really get where you see the incentive for Apple to do this, besides privacy.
Also, iBeacon broadcasts can be detected by Android, or any other platform that wants to. I'm surprised no one has said this on the thread. It's clearly not about Apple lock-in.
Here's an Android library for doing it: http://developer.radiusnetworks.com/ibeacon/android/
It's difficult to reconcile this claim with their participation in PRISM et al., previous long-term storage of cell tower locations, ownership of a mobile ad network, and wanton abuse of the patent system to stifle competition.
- I don't see how constructing a database of cell tower locations violates privacy. They are beacons used for finding the user's location when they have location services turned on.
- iAd is a joke of an ad network, and stores a negligible amount of user data compared to Google's. It's also relatively easy to reset tracking on iAd, for the few apps that do use it.
Sure we do. PRISM has an NSA part and a company part. The company had to build out their end in order to participate in PRISM.
However it's important to realize that compliance in some form with NSLs and warrants was not optional for Apple. By not participating in PRISM they would simply have turned over the same data on each request by manual means.
That modality is probably an even bigger threat to user privacy than PRISM. In PRISM, Apple's legal team would have to vet each and every single NSL or warrant and then manually activate an automated process to ship the required data over. While Apple didn't release a ton of details about how they implement it, this automated process is precisely the thing that can be done without a raft of Apple employees having to map/reduce it all manually (and possibly leak part of it themselves, maliciously or accidentally).
They were storing location history: http://www.cnn.com/2011/TECH/mobile/04/20/iphone.tracking/in...
Edit: FWIW, "track" is the word used in the CNN article I linked.
Edit: there are more ways for data to get into the "cloud" than "iCloud".
Use (or abuse) of the patent system seems entirely orthogonal to privacy/security.
> I still haven't changed my mind
Well you should have. You've been thoroughly shot down. The fact you don't accept that says more about you than anyone else.
I'll admit I haven't invested my best efforts into my comments on this thread, but where other than an Apple thread would every single comment by one person be downvoted beyond -4? It's not worth the effort if one knows one's comments will be grayed out anyway.
Even mpyne's much more thorough comment was downvoted, so it's clear that the downvotes aren't strictly targeting poor argumentation. Furthermore, if that were the case, there's no reason to target every single comment by a person equally, as inevitably some of them must be better argued than others.
I never shifted any goalposts. All I said was that it's difficult to reconcile user IBM's claim that Apple wants to be the "privacy" company with their actual behavior, then provided clarifications when prompted.
Where? I see lots of disagreement, but no disproof. Show me the counterargument of the form, "Apple can be trusted despite these events because...".
It's easy to shoot somebody down. Just yell louder. What I've yet to see is a solid refutation to any of the things I said. A downvote is argumentatively equivalent to yelling, "Shut up!" So let's see how many "Shut ups" there are, and how many refutations.
It takes 5 counted downvotes to bring a comment from +1 to -4, where all of my other comments currently lie (I don't know how the HN anti-voting-ring algo turns clicks into actual downvotes, so there may be even more). However, beyond -4 points the comments can still get lighter. I'll assume that #aeaeae is the original -4 comment, since it's the darkest of my comments on this thread. I also have comments at #bebebe, #cecece and #dddddd. So I'll count #ae as 5, #be as 6, #ce as 7, and #dd as 8 or more.
Original comment - https://news.ycombinator.com/item?id=7865747 - #dddddd - 8+
Location history - https://news.ycombinator.com/item?id=7865843 - #bebebe - 6
[Tracking] - https://news.ycombinator.com/item?id=7866011 - #dddddd - 8+
[Logging] - https://news.ycombinator.com/item?id=7866147 - #dddddd - 8+
Physical access - https://news.ycombinator.com/item?id=7866013 - #dddddd - 8+
Cloud sync - https://news.ycombinator.com/item?id=7866132 - #cecece - 7
Good citizen - https://news.ycombinator.com/item?id=7865835 - #dddddd - 8+
Worthy of trust - https://news.ycombinator.com/item?id=7865835 - #cecece - 7
Thanks, everyone - https://news.ycombinator.com/item?id=7866375 - #aeaeae - 5
Total: 65+ downvotes
Still don't know - https://news.ycombinator.com/item?id=7865810
This again? - https://news.ycombinator.com/item?id=7865877
Tracking semantics - https://news.ycombinator.com/item?id=7866094
User's devices - https://news.ycombinator.com/item?id=7865867
Do you have proof - https://news.ycombinator.com/item?id=7866098
Orthogonal - https://news.ycombinator.com/item?id=7865778
Big corps not good - https://news.ycombinator.com/item?id=7865871
Total: 7 comments (4 one-liners)
So again, where's the refutation? MAC address randomization is awesome, but why can I trust Apple to take the position of the "privacy" company?
Simply rolling out iBeacons does not replicate the copious data that one can currently get by monitoring WiFi probe requests. iBeacons, as designed, broadcast packets at a set rate using Bluetooth LE, and devices scan for those broadcasts. There is no two-way communication, and no probe requests from client devices.
In order for a company to use information from an iBeacon installation, they must have software running on the client scanning for unique iBeacon UUIDs, optionally filtered by "major" and "minor" uint16s to represent separate locations and nodes. Apple limits iOS apps to scanning for 20 UUIDs at any given time.
If the user does not have software that in some way scans for and does something with data from a particular iBeacon UUID, then the implementer gets no information. Thus, iBeacons move control over location and identity data from third parties to users. If a user installs, say, a Target iOS app, it can now scan for an iBeacon UUID that Target generates and can roll out across the country. Only once the user has made that affirmative choice can Target acquire information about that user or device.
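The filtering described in the comment above, as an added example that is not part of the original thread: a parser for the iBeacon manufacturer-data layout (Apple company ID 0x004C, type 0x02, length 0x15, then UUID, major, minor and TX power) and the app-side match that decides whether a broadcast is visible to an installed app at all. The UUIDs and frames are constructed sample values, the function names are hypothetical, and the 20-UUID limit is taken from the comment.

```python
import struct
import uuid

APPLE_COMPANY_ID = 0x004C  # Bluetooth SIG company identifier assigned to Apple
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15  # 0x15 = 21 bytes follow the length byte
MAX_UUIDS = 20  # per-app limit as stated in the comment above


def parse_ibeacon(mfg_data):
    """Return the beacon fields, or None if this is not a well-formed iBeacon frame."""
    if len(mfg_data) != 25:
        return None
    company, btype, blen = struct.unpack_from("<HBB", mfg_data, 0)
    if (company, btype, blen) != (APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LEN):
        return None
    # UUID, major and minor are big-endian; TX power is a signed byte (dBm at 1 m).
    raw, major, minor, tx = struct.unpack_from(">16sHHb", mfg_data, 4)
    return {"uuid": uuid.UUID(bytes=raw), "major": major, "minor": minor, "tx_power": tx}


def visible_to_app(beacon, regions):
    """regions: (uuid, major_or_None, minor_or_None) tuples the installed app registered."""
    if len({r[0] for r in regions}) > MAX_UUIDS:
        raise ValueError("more than %d UUIDs registered" % MAX_UUIDS)
    for region_uuid, major, minor in regions:
        if (beacon["uuid"] == region_uuid
                and major in (None, beacon["major"])
                and minor in (None, beacon["minor"])):
            return True
    return False  # no registered region matches: the app never sees this broadcast


def build_frame(beacon_uuid, major, minor, tx_power=-59):
    """Build a constructed sample frame (hypothetical helper for the demo)."""
    return (struct.pack("<HBB", APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LEN)
            + beacon_uuid.bytes + struct.pack(">HHb", major, minor, tx_power))


# Constructed sample values, not real deployments.
STORE_UUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
OTHER_UUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
APP_REGIONS = [(STORE_UUID, 7, None)]  # the app registered one UUID, major 7 only

if __name__ == "__main__":
    for frame in (build_frame(STORE_UUID, 7, 42), build_frame(STORE_UUID, 8, 1),
                  build_frame(OTHER_UUID, 7, 42)):
        b = parse_ibeacon(frame)
        state = "visible" if visible_to_app(b, APP_REGIONS) else "ignored"
        print(b["uuid"], b["major"], b["minor"], state)
```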
It is possible that iBeacons will provide the copious amounts of data themselves, and this is the first step to that end, as the parent points out.
The only way an iBeacon could be used to track is in concert with an app running on the user's phone that communicates back to the business, letting them know you're near the beacon. In other words the user has to opt in to tracking, which is how it should be.
It's still a good thing IMO.
FWIW, once you read about a PoC of an attack/tracking vector on HackaDay, you can be sure it's already in production tracking you.
* BlueTooth Sniper Rifle
* Tracking people by air pressure chips in car tires
I think those have traditionally been set by network admins, not randomly chosen by devices, but pretty much: nobody apart from local admin coordinates addresses with the local bit set.
> What would be advantage of paying to the IEEE for a universally administered block?
The promise that no device built by other legit companies will have an address from that assigned block, so customers won't have to worry about MAC address conflicts, provided they use only widgets from those who honor the assignment scheme.
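The local bit discussed in the two comments above, as an added example that is not part of the original thread: it checks the locally administered bit of the first octet, skips the vendor (OUI) lookup for addresses that have it set, and generates a random address the way an admin or a randomizing device might. The function names are hypothetical and the sample addresses are constructed.

```python
import secrets

LOCAL_BIT = 0x02      # second-least-significant bit of the first octet
MULTICAST_BIT = 0x01  # least-significant bit of the first octet


def parse_mac(text):
    """Parse aa:bb:cc:dd:ee:ff (colons or dashes) into 6 bytes; raise ValueError otherwise."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return bytes.fromhex("".join(parts))


def is_locally_administered(text):
    return bool(parse_mac(text)[0] & LOCAL_BIT)


def vendor_prefix(text):
    """Return the first three octets to look up, or None when a lookup is meaningless."""
    mac = parse_mac(text)
    if mac[0] & LOCAL_BIT:
        return None  # not drawn from an IEEE-assigned block
    return "%02x:%02x:%02x" % (mac[0], mac[1], mac[2])


def random_local_mac():
    """Random unicast address with the local bit set."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | LOCAL_BIT) & ~MULTICAST_BIT & 0xFF
    return ":".join("%02x" % o for o in octets)


def split_inventory(macs):
    """Group addresses by assigned prefix; collect locally administered ones separately."""
    assigned, local = {}, []
    for m in macs:
        prefix = vendor_prefix(m)
        if prefix is None:
            local.append(m)
        else:
            assigned.setdefault(prefix, []).append(m)
    return assigned, local


# Constructed sample addresses.
SAMPLE = ["00:1a:2b:3c:4d:5e", "da:a1:19:00:00:01", "02-00-00-00-00-01", "3c:22:fb:10:20:30"]

if __name__ == "__main__":
    print(split_inventory(SAMPLE))
    print(random_local_mac())
```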
And yes, I've been involved in a criminal proceeding where the government tried to claim that changing a wifi MAC was evidence of malice.
PNS syndrome plus one?!
In reaction to the iOS news, the developer of Pry-Fi wrote this post about the state of the application:
Since the phone-specific Wifi stacks/drivers seem to be the main compatibility problem, I guess MAC randomization could be implemented as a Cyanogenmod feature on the device level.
From my office in downtown Los Altos, I can currently see a FitBit Flex, a FitBit One and a couple of phones -- the randomized MAC address is all that prevents someone bad from tracking them (BTLE scanners/phones are cheap!).
I guess you could still use the 15 minute MAC to track people through a train station or other semi-public space (to gather metrics on where people are coming from and going to). If you had a lot of antennas then you could circumvent the MAC cycling by linking devices in the same area with the same name and similar RSSI...
With Bluetooth, not just phones, but a lot of car stereos advertise their MACs.
Here's my setup (Fedora, so YMMV).
# udev rule: run the script whenever the iwlwifi interface is added
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="iwlwifi", RUN+="/usr/local/bin/change-mac.sh wlp0s1"
#!/bin/bash
# /usr/local/bin/change-mac.sh
iface="$1"
if [ "$#" != "1" ]; then
    echo "mac changer script must be given iface name as argument: $@"
    echo "Using default of wlp0s1 instead."
    iface="wlp0s1"
fi
/usr/sbin/ifconfig "$iface" down
/bin/macchanger -r -b "$iface" #change to any random MAC address
/usr/sbin/ifconfig "$iface" up
Every single time my laptop boots up, it randomizes its MAC address.
You can also read the comments that various organizations filed about this:
I hope all the people with IOS8 won't be charged with wire fraud.
BTW AFAIK Android uses hostapd/wpa_supplicant.
It's beyond my technical abilities, but hopefully someone submits some patches. (Or Jouni graciously does the deed. Because he is awesome.) HINT HINT WINK WINK.
Also, does this apply to the other ID being broadcast, the Bluetooth MAC?
There's been plenty of debate about whether this rapid DHCP behavior is desirable (e.g. Is the improvement in user experience worth the potential for conflicts and/or other issues on networks not expecting this?), but, either way, I don't see how that behavior can be fairly characterized as polite.
 - http://www.density.io/