2014-07-28 11:45:18

Thought I'd post about this after hearing about it on BBC's technology program Click this weekend. Many places that offer free wifi are using it to track people's wifi enabled devices as they move around, even if they don't connect to it.

All devices capable of connecting to a computer network have something called a mac address, nothing to do with Apple before you jump to conclusions. By listening to wifi devices' pinging to search for networks and so on, which includes the device's mac address, the wifi network can measure signal strengths from various antennae and get an idea of where the device is. The same can be done with devices which have Bluetooth enabled using Bluetooth receivers. Shops are using it to tell how long you spend in a particular aisle, and the British city York is planning to roll it out to the entire city.

Here's the important bit, you aren't asked permission for this. In addition if you do use the public wifi network the terms and conditions say they can track your traffic which includes social network profiles, they can then tell your age, gender, who you're friends with and potentially your interests and what part of the world or country you come from.

So how do you avoid this? Obvious answer, switch off wifi and Bluetooth when you leave the house unless you really need it. iOS8 plans to include a system to periodically change your device's mac address and I'm sure someone has already figured out how to make Android do this. If you need to use the wifi network you can always use a virtual private network or VPN, some advanced home routers can offer this function or you can set it up using a computer that stays at home or use a third party service. A VPN bounces all your internet traffic off the VPN server before it goes out, the traffic still has to travel through the internet between you and the VPN server but this "tunnel" as it's called is encrypted. Be aware though that some wifi hotspots may block the use of VPN.

Personally I'm hoping iOS will eventually include a function to automatically turn off wifi when you leave home based on a geofence, for me that would be the ideal solution. Of course YMMV, I'm not saying don't use these wifi services just make sure you know what you're giving them in return. The key here is informed choice, it's up to you whether you think the trade off is worth it but it's important that we consciously make that decision rather than accidentally stumbling into it.

cx2
-----
To live by honour and to honour life, these are our greatest strengths and our best hopes.

2014-07-28 20:26:19

I don't think Apple will advocate turning off the radios entirely, because they make use of them themselves, for geolocation.  Also, they have iBeacon, which requires Bluetooth and (surprise!) performs many of the same kinds of tracking that these Wi-Fi based solutions do.

Sadly, as long as there are parasites who think we owe them all a favour (and that's what these trackers are, parasites, on the same moral and ethical level as spammers and scammers) the arms-race will continue apace. The iOS randomisation feature is known to interfere with some configurations using MAC address filtering (which you shouldn't be doing anyway, because it's a complete waste of time and effort) and iOS is already leaking the names of your previous networks just trying to rejoin hidden networks that you may have used (thanks, purveyors of security by obscurity), which makes you easy meat for someone with inexpensive equipment spoofing Wi-Fi networks that you're trying to connect to. Therefore it may be wise to avoid open networks altogether, although to be honest even I can't do that, and you may want to change your home wireless network SSID to something less personal, which I just can't be bothered to do for the sake of those parasites.

I wouldn't normally advocate using a VPN, because I believe that all secure transactions should be secure--we should be upgrading the Internet to HTTPS, and using secure protocols. However, if you're going to use open networks, then keeping people from learning where you go is probably not a bad idea. It's either that, or recognise when you're out in the open, and refrain from doing anything touchy. It seems clear that there are bad people trying to harvest information being sent over unsecured Wi-Fi.

Just myself, as usual.

2014-07-28 20:54:58

To add to this topic, any transmitter can be tracked. This includes your favorite radio station. This also includes your cell phone. Basically, anything that can be used to communicate with others can be tracked. I would say that's life, but that wouldn't be very nice to say, would it? LOL. HTH.

All that is gold does not glitter, Not all those who wander are lost; The old that is strong does not wither, Deep roots are not reached by the frost. From the ashes a fire shall be woken, A light from the shadows shall spring; Renewed shall be blade that was broken, The crownless again shall be king.

2014-07-29 10:12:31

Perhaps CW but the tools to track cellular signals aren't in common use by your average shop. Bluetooth beacons and the like are, not to mention the potential for a shopping centre to offer its own wifi and use that to track individuals both in and around it.

Sebby, protecting your data from other users of an open wifi network is a good point. Still even if the connection were secure I still wouldn't trust the operator of the hotspot with my traffic. Internet security really does need a big overhaul, I can't believe there's still no check that emails are coming from a genuine address and that the originating server matches up to that address. If for example an email was said to come from random person at aol dot com there's no check to see if there is an address random person at aol dot com, or that the email originated with AOL and not somewhere in China or some other country known for... creative internet practices.

cx2
-----
To live by honour and to honour life, these are our greatest strengths and our best hopes.

2014-07-29 10:27:02

Hello, there is a way to turn off wifi when you leave home via a geofence. It is done by an app called IFTTT.
It works like this: if this happens, do that. It basically means that, for example, when you post something on Facebook the app also posts it on Twitter if you told it to.
It works with so-called recipes and channels. The channels are things like Facebook, Twitter, iOS notifications etc.
So, in order to create a recipe, you would activate the location services channel in the app and enable the wifi channel, to create a new recipe where you tell the app: when I leave home, turn off wifi.
Before you can tell the app that you leave home, first activate the location services channel and tell the app your address.
I hope this helps. If there are more questions, please ask them here.

Hail the unholy church of Satan, go share its greatness.

2014-07-29 17:05:30

Ok, guys. I will first of all say that these trackers are of complete ivnurance and I absolutely despise unauthorized tracking of your device. Sure, the device relays information across said network, but I think that this tracking is an invasion of privacy. There is, however, a method of payback and a way to break free from it on Android. It is not illegal, and it can really come in handy. You need to be rooted on your Android for it to work. The app is called Pry-Fi. When you run the app, you will be presented with a number of options. In the background, when your device's wifi is off or not connected to a network, your device's mac address will be constantly pseudorandomized. And it can also do this when wifi is on, if you tell it to. So the next time you go to a place you've visited before with that device, they will see a different mac address. They will still see a similar identity, but they will never see your device's information again. This will slowly poison the tracker's database with useless information they will only see once, however it will not cause serious harm to the trackers, just fill it with useless information. There is also an option in Pry-Fi called "go to war!" This is very fun. What go to war does is it emulates dozens of people on the same network and device! This is very useful. When you go to a particular shop or similar area with public wifi, you can connect to it, and then go to war as soon as you are connected and you can make the war last your entire stay in that area. Just walking around a particular area can really work to your advantage as it will start to flood the tracker database with useless information that is not even close to your identity. For proof, see the app here on Google Play.
It only works on rooted devices. How easy or hard rooting is depends on the device you have, so you will have to search your particular device.

2014-07-29 17:30:30

As to your email point, there was once a time when it was considered no problem to send email with the actual address of the author on it. Strange idea, I know, but it worked, because people trusted one another. If you sent the email by way of someone or something else, you would indicate their identity in the Sender: field.

You mentioned AOL, well, they recently deployed DMARC, which does more or less what you asked for, insisting that messages with a particular author domain are signed with the domain's signing key, and/or that the author domain authorised email originating from particular IP addresses to represent it. Naturally, this fucked up mailing lists fairly comprehensively, since both conditions can't be true for email relayed through a list server.

And this is where I get fairly defensive when people say that email is "Broken"; it's not broken at all, it's operating *exactly* as designed. Unfortunately, "Exactly as designed" is neither what people expect nor, apparently, what people desire from a more secure email environment. The people who pushed DMARC did so knowing the breakage they would cause, but they didn't care because the big security picture dictates that we solve the problem of having a trusted user-visible field. I think they're somewhat ethically challenged, but I accept the premise, and now that it's clearly going forward, I'm a reluctant supporter of it.

Just myself, as usual.
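
The DMARC check discussed in the post above, as an added example that is not part of the original thread: a receiver accepts a message when SPF or DKIM passes and the authenticated domain aligns with the visible From: domain, which is why a list relay fails and a list that rewrites From: passes. All domains and results are constructed, the organizational-domain rule is simplified to the last two labels, and the list is assumed to append a footer that invalidates the author's DKIM signature.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption).
    Real evaluators consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class AuthResult:
    from_domain: str       # domain in the visible From: header (the author)
    spf_pass: bool         # did the sending IP pass SPF?
    mail_from_domain: str  # envelope sender domain that SPF was checked for
    dkim_pass: bool        # did a DKIM signature verify?
    dkim_domain: str       # d= domain of that signature


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Strict alignment needs an exact match; relaxed compares org domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_pass(r: AuthResult, strict: bool = False) -> bool:
    """Pass if SPF or DKIM both verifies and aligns with the From: domain."""
    spf_ok = r.spf_pass and aligned(r.mail_from_domain, r.from_domain, strict)
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, strict)
    return spf_ok or dkim_ok


# Constructed samples; every domain below is a placeholder.
DIRECT = AuthResult("author.example", True, "mail.author.example", True, "author.example")
# The list relays from its own IP with its own bounce address, and its footer
# invalidates the author's DKIM signature (assumed list behaviour).
VIA_LIST = AuthResult("author.example", True, "lists.example.org", False, "author.example")
# List-side workaround: the list puts its own domain in From: and signs it.
LIST_REWRITES_FROM = AuthResult("lists.example.org", True, "lists.example.org", True, "lists.example.org")
# Forged author: SPF passes only for the forger's own envelope domain.
FORGED = AuthResult("author.example", True, "forger.example", False, "")

if __name__ == "__main__":
    for name in ("DIRECT", "VIA_LIST", "LIST_REWRITES_FROM", "FORGED"):
        print(name, dmarc_pass(globals()[name]))
```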

2014-07-29 18:02:45 (edited by cx2 2014-07-29 18:18:12)

I never said email was broken, simply that it is no longer handling the requirements of users. I used to use spampal with an add-in which asked the domain an email claimed to be from whether that address existed as a way to class something as junk or not junk, it worked pretty well. The problem with AOL's system seems to be backward compatibility more than anything, and with spampal at least you could set a whitelist and if you got enough emails from the same address it'd let them through after a while.

Systems that work on implicit trust may have worked fine in the early days but now the internet is accessible by the masses you need authentication.

That Pry-Fi go to war thing sounds hilarious, I'm half tempted to cobble together a RasPi running Android linked to a wifi adapter and an RC car battery pack in a backpack just so I can screw with trackers.

Edit:
I've tried the IFTTT and LIFTTT apps and neither seems accessible with voice over, drat it.

cx2
-----
To live by honour and to honour life, these are our greatest strengths and our best hopes.

2014-07-29 18:46:08

I never said you said email was broken. I'm just responding to all those who think it is. smile

Yahoo, who also deployed DMARC, estimate that there are 30k or so mailing list servers affected by the change. Is it such a trivial matter? All my lists are now upgraded, and I recommend that all other list admins deploy it.

Just myself, as usual.