Monitoring via Mobile Devices’ Unconnected WiFi

I’ve written a lot about the amount of data we willingly disclose, and how to try to minimize it. A couple of recent articles caught my eye about the degree to which we shed information, even when we don’t mean to.

Most mobile devices have the ability to connect to wireless networks, and that’s generally a good thing because we can minimize the amount of cellular data we use, we can get faster connections, and we can get functionality like FaceTime. Like most people, the wifi function on my phone is always on because it’s too big a hassle to turn it off when I leave the house, and I didn’t think much about it. However, a couple of other people have.

First, there was the news out of the UK that recycling bins produced by a company called Renew were monitoring the wifi signals put out by mobile devices carried by pedestrians so the video screens on the bins could figure out the best ads to show.

Every device that can connect to a network has a unique code assigned to it called a MAC address. When you have the wifi turned on, your mobile device is constantly looking to connect to networks and broadcasting the device’s MAC address to any wireless network that is listening.

The idea behind the Renew bins is something like this:
Say a coffee chain wanted to win customers from a rival. If it had the same tracking devices in its stores, it could tell whether you’re already loyal to the brand and tailor its ads on the recycling bins accordingly. “Why not Pret?” the screen might say to you. Over time, the bins could also tell whether you’ve altered your habits.

The company analogizes the collection of the MAC address to a website dropping a tracking cookie on a person’s computer. This might’ve been a poor choice of analogy, because in the EU the use of tracking cookies is regulated under each country’s data protection laws and users have to be informed about the cookie and given the opportunity to opt out. See the UK Information Commissioner’s website for an example. As a result, Renew has been told to remove the bins and a complaint about them has been submitted to the UK ICO.

But at least the Renew recycling bins were in the open. The recent Black Hat conference saw a demonstration of a tool called the “Creepy Distributed Object Locator” or “CreepyDOL”. The conference session description for CreepyDOL gives a flavor for it:

Are you a person with a few hundred dollars and an insatiable curiosity about your neighbors, who is fed up with the hard work of tracking your target’s every move in person? Good news! You, too, can learn the intimate secrets and continuous physical location of an entire city from the comfort of your desk! CreepyDOL is a distributed sensing and data mining system combining very-low-cost sensors, open-source software, and a focus on user experience to provide personnel identification, tracking, and analysis without sending any data to the targets. In other words, it takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware.

When the wifi connectivity on your mobile device is turned on, it broadcasts MAC addresses, the names of recently connected networks, and other data. Between the MAC addresses and the other data, that creates a “fingerprint” of your device that could be used to track the physical movement through a neighborhood or entire city over an extended period of time. If the names of the wireless networks a device has recently connected to are sufficiently unique (e.g., “1000Mass” – which could be an apartment building at 1000 Massachusetts Ave. in Washington, DC), the CreepyDOL system may be able to know where the owner of the device works, lives, or hangs out.

The CreepyDOL system uses a bunch of small, black boxes can be plugged into a wall socket. The device monitors the signals of all wifi devices within range, automatically connects to any available wireless networks, sends the data it collects to all other nodes on the CreepyDOL network, and receives any data collected from other nodes. A person with access to this kind of system could use it for stalking to simply vacuum up data that could be sorted out later. When the developer of the system used it on his own iPhone, he discovered that the system collected his use of a dating website where his photo was displayed and other services broadcasting via his wifi connection that disclosed his full name and other information.

So, another entry into the list of things the normal person can do to protect privacy:

Turn off the wifi on your mobile device unless you’re at home.

Advertisements

About John Nicholson

I'm a transactional attorney who focuses on structuring and negotiating large outsourcing transactions (both on and offshore). As part of my work, I've specialized in: - Structuring and negotiating large outsourcing transactions (both on and offshore) including IT outsourcing and various BPOs (including HRO, Facilities Management, Procurement, Finance and Accounting), large systems development and implementations; - Assisting with development of RFPs, proposal evaluation, down select, and negotiation; - US and European privacy laws, including US Safe Harbor, and state privacy and data breach notification laws; and - Privacy, security, legal and contractual issues associated with cloud computing. I'm a frequent speaker on outsourcing, privacy and security issues. Before becoming a lawyer, I was the acting IT director for a mid-size company prior to hiring the CIO and project manager for the company's Oracle Financials implementation.
This entry was posted in cybersecurity, mobile apps, privacy and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s