5

Elaborating from this question: Bluetooth/WiFi Identity tracking in public spaces - How to discover?

Questions:

How are they tracking me:

  1. From a hardware perspective
    • Is it a MAC address that they are getting from my device by blasting wifi?
  2. From a software perspective
    • I assume they are using some sort of wifi based triangulation
  3. How is it legal?
    • Is it because it is public space?

Background if Unfamiliar

Alphabet Google's Sidewalk Labs

Researchers Piotr Sapiezynski, Arkadiusz Stopczynski, Radu Gatej and Sune Lehmann point out that "large companies such as Google, Apple, Microsoft, or Skyhook, combine Wi-Fi access points with GPS data to improve positioning, a practice known as 'wardriving'." The actual "how" is "proprietary to large companies."

Smartphone location tracking via Wi-Fi signals, motion sensors for subway riders

I know very little about this subject and would like to learn more. I do know that it was such a large issue in NYC that the ACLU stepped in:

In March of 2016, the NYCLU sent a letter to the Office of the Mayor warning that, under the previous privacy policy, CityBridge, the company behind the LinkNYC kiosks, could potentially retain a vast amount of information about users – often indefinitely. The NYCLU contended that this gave CityBridge the ability to build a massive database that could pose a risk of security breaches and unwarranted NYPD surveillance.....Under the old policy, users had to submit their e-mail addresses and agree to allow CityBridge to collect information about what websites they visited on their devices, where and how long they lingered on certain information on a webpage, and what links they clicked on. The privacy policy only offered to make “reasonable efforts” to clear out this massive amount of personally identifiable user information, and even then, only if there was 12 months of user inactivity. That meant that New Yorkers who used LinkNYC regularly could have had their personally identifiable information stored for a lifetime and beyond.

CITY STRENGTHENS PUBLIC WI-FI PRIVACY POLICY AFTER NYCLU RAISES CONCERNS

  • Use VPN and recent Android version to avoid all of that. In Android 6+ the MAC address is randomized so triangulation doesn't work. For ISP monitoring use VPN. – Aria Sep 13 '17 at 18:00
  • @Aria Thanks for the comment. I did not know that and will do so. How would I, a non-Android user, protect myself? Is it simply: turn off wifi when in public? – Ted Taylor of Life Sep 13 '17 at 18:21

1 Answer

3

Q: 1. From a hardware perspective Is it a mac address that they are getting from my device by blasting wifi

-From the CityBridge website:

Q. How long is data stored?

Technical information from individual sessions, such as session length, device type, and device language is stored for up to 60 days before it is deleted. An example of this data is a monthly report of average session lengths.

Anonymized MAC addresses will be stored for up to a year from your last session to allow seamless network access. Other operational technical information, such as monthly subscriber counts and total network utilization may be stored indefinitely.

CityBridge indicates that they do not store any personal information in their databases at all in the Q&A section, yet they do mention that they store connected devices' MAC addresses, which is a contradiction of their own stated policy about not collecting personal information in my opinion.

Q: 2. From a software perspective I assume they are using some sort of wifi based triangulation

-In the case of tracking, it wouldn't necessarily need to be a triangulation based algorithm as they would be able to log which access point (AP) a user is connected to as said user is moving through the city. This would actually give CityBridge a fairly accurate path map for connected users depending on how many APs they've installed and how close together they are. Users' devices are going to connect to the strongest AP signal for the highest connection speeds.

Q: 3. How is it legal? Is it because it is public space?

-Yes and no...simply being in public space does not give a company the right to track anyone. What makes this a legality grey area is the fact that users must "register" their devices and agree to a ToS to connect to the CityBridge service. Keep in mind that when you agree to connect to, install, download anything....especially free services, you're pretty much giving the developers/companies the right to whatever information they require in the ToS you've agreed to.

Please also keep in mind that public wifi is insanely unsecured. Other users could easily sniff traffic from other users on the network and compromise the systems connected. This is actually a big issue in public spaces like Starbucks and McDonalds.

Two easy reads

http://lifehacker.com/5853483/a-guide-to-sniffing-out-passwords-and-cookies-and-how-to-protect-yourself-against-it

http://www.androidauthority.com/capture-data-open-wi-fi-726356/

cclater
  • 135
  • 6
  • 1
    If your phone has both the Bluetooth and WiFi radios turned on then the location is even better. Using a combination of WiFi triangulation and Bluetooth signal strength they can tell where exactly you are in a store and guess what products you are looking at. The Bluetooth radio also has a MAC address that can be correlated with the WiFi data. If the WiFi MAC and Bluetooth MAC are randomized at different times then a history of multiple MACs could be tracked for one device. – HackSlash Sep 18 '17 at 21:43
  • 1
    @HackSlash - true, but the CityBridge APs would have to have integrated Bluetooth beacons in discover mode to track these devices, wifi hardware isn't going to innately discover or track that protocol as anything more than noise or a rogue unidentified signal for the most part...if possible at all. I could not find anywhere on the CityBridge website where they have done this. It is definitely possible though and they are not providing these details. I did however find that they have USB charging stations which would definitely add another layer of tracking if they chose to do so. – cclater Sep 19 '17 at 13:27
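
The answer's point that per-AP association logs yield a path, and the comments' point about MAC randomization, as an added example (not from the original posts and not CityBridge's code). The log, kiosk names and MAC addresses are constructed, and the unsalted SHA-256 pseudonym is only an assumed stand-in for "anonymized" storage; device B is assumed to present a fresh randomized MAC at each sighting, device C one randomized MAC that it keeps.

```python
import hashlib
from collections import defaultdict

# Constructed association log: (minute, access point, MAC seen by the AP).
# A = hardware MAC, B = new random MAC per sighting, C = one stable random MAC.
LOG = [
    (900, "kiosk-01", "00:11:22:33:44:55"),  # A
    (905, "kiosk-01", "da:10:9f:00:00:01"),  # B
    (907, "kiosk-01", "f2:aa:bb:00:00:09"),  # C
    (912, "kiosk-02", "00:11:22:33:44:55"),  # A
    (915, "kiosk-02", "62:7e:41:00:00:02"),  # B
    (927, "kiosk-03", "00:11:22:33:44:55"),  # A
    (930, "kiosk-03", "ae:03:c8:00:00:03"),  # B
    (933, "kiosk-03", "f2:aa:bb:00:00:09"),  # C
]

def is_randomized(mac):
    """True if the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def pseudonym(mac):
    """Unsalted hash of the MAC (assumed scheme): same MAC, same pseudonym."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:12]

def paths_by_pseudonym(log):
    """Group AP sightings by stored pseudonym, in time order."""
    paths = defaultdict(list)
    for _minute, ap, mac in sorted(log):
        paths[pseudonym(mac)].append(ap)
    return dict(paths)

def linkable_paths(log):
    """Pseudonyms seen at more than one AP, i.e. records that reveal a route."""
    return {p: aps for p, aps in paths_by_pseudonym(log).items()
            if len(set(aps)) > 1}

if __name__ == "__main__":
    routes = linkable_paths(LOG)
    for mac in sorted({m for _, _, m in LOG}):
        kind = "randomized" if is_randomized(mac) else "hardware"
        route = routes.get(pseudonym(mac), "not linkable across APs")
        print(f"{mac} ({kind}): {route}")
```

Hashing the address does not break the route for devices A and C, because the identifier is still stable; only the device whose MAC changes between sightings drops out of the linkable set.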