Sophos Cloud Optix
Next time you’re in a public place, have a good look around you and see if you’re being followed.
You (probably) won’t see anyone actually tailing you, but if you have your smartphone with you it’s possible that your movements are being keenly observed.
A couple of months ago we reported on the sinister and faintly Dr Whoish tale of London’s spying rubbish bins. These uncannily observant, space-age trash cans were part of a trial by advertisers that monitored peoples’ movements by tracking the unique IDs of their mobile phones.
All WiFi-capable devices broadcast a unique ID, a Media Access Control (MAC) address, when they’re looking for networks (and so long as WiFi is enabled they are always looking for networks).
Which means that if you walk around carrying a smartphone with WiFi enabled then you are broadcasting your own unique radio beacon and it’s easy to track your movements.
MAC address tracking, also known as Mobile Location Analytics (MLA), is of serious interest to companies trying to sell you things.
MLA in the wild
It’s early days but according to the Washington Post there are as many as 40 MLA companies in the USA, some with sizable venture capital funding, and they’re already logging thousands of customer interactions every day on behalf of retailers.
And it’s going on in the UK too. After we published the spying bins story our editor mentioned in passing that The Oracle, a large but not especially remarkable shopping mall in the UK town of Reading, had signs saying it was tracking customers’ mobile phones.
A few days later she took a photo of one of the mall’s signs.
The text reads:
To provide a better shopping experience for our customers we anonymously survey the movement of mobile phones to help show us how the centre is used.
No personal data is recorded at any time.
The Oracle, like the London bins, is apparently only surveying anonymous data. However turning e4:ce:8f:1f:f7:ba into Mark Stockley by cross referencing existing personal data would be trivial in a retail environment.
Some retailers already use purchase data from store cards to produce detailed personal profiles and highly targeted, personal advertising.
Their pockets are deep and their appetite for knowing all about you is well established so if retailers aren’t already combining MLA data with the personal information they have on you it’s just a matter of time – the analytics industry certainly thinks so.
MLA code of conduct
On October 22 a group of the leading MLA companies announced they had agreed an industry code of conduct. The code, which may be an attempt to head off more draconian FTC regulation, is light on detail but it sets out a number of important principles:
- Users of MLA technology will have to provide clear signage, with an industry standard symbol, in a conspicuous location.
- Data will be de-identified and de-personalised unless a consumer has provided affirmative consent.
- Affirmative consent is required for:
- linking personal information to a MAC address.
- contacting a consumer based on MLA data.
- Users will be able to opt-out of MLA by adding their MAC addresses to a central registry of devices that shouldn’t be tracked.
The MLA industry should be congratulated for proactive self-regulation like this and for avoiding the quagmire that has engulfed the Tracking Protection Working Group tasked with drafting similar Do Not Track rules for the web.
Particularly noteworthy is their approach to combining MLA data with personal information; it will require consumers to explicitly opt-in.
Unfortunately when it comes to basic, anonymous, tracking the code says you’re fair game until you opt out.
Using your phone’s MAC address broadcasting to track your movements is a serious subversion of the purpose of that broadcast. Even if it shortens the waiting time at your favourite store, it should, in my opinion, require your permission rather than your forgiveness.
We should also be very cautious when it comes to claims of data anonymisation. As AOL famously demonstrated, anonymous data can turn out to be a lot less anonymous than you think.
Luckily there is an easy way for smartphone users to defeat the anonymous tracking; simply turn off WiFi and Bluetooth on your mobile phone.
Please tell us what you think about this in our comments below. I’m very curious to know if any of you have encountered this kind of tracking already or if there are MLA signs in public places you visit. If you see one and you have a camera handy take a photo and share it with us on Twitter.
Finally, since it’s National Cyber Security Awareness Month and you’re reading about smartphones why not take a few minutes to check that you’re following our 10 tips for securing your smartphone too.
This article isn't correct. The phrase "All WiFi-capable devices broadcast a unique ID, a Media Access Control (MAC) address, when they're looking for networks" is incorrect – that is not how it works.
Even if your phone has WiFi enabled it only performs passive scanning for WiFi networks i.e.its radio is only receiving. The only way a shop can track you is if you have ever connected to their in-shop wifi service and have it in your phones list of networks it knows about. Then only when you come in range of their network will your phone give away its existence and be trackable when it negotiates a connection.
I believe Bluetooth works in a similar way.
Phones will do both active and passive scanning. The passive scan is as you describe, the active scan is the phone asking if any of its preferred networks are nearby. The broadcast happens often enough to allow tracking of movement within the confines of a single store.
Mark has that right!
Mark is 100% correct. Once you have some wireless networks entered in your device for automatic connection, such as your home or office, the device will expose the mac. This is basically every device. Regarding identity association, the article is correct and Spot On, it is trivial to associate a mac address with an particular individuals identity. This can be done in a number of ways. One of the ways to associate the particular wireless mac, is to place the wifi snooper below the counter at the cash register. One can associate the mac address and signal strength (rssi) with a current credit/debit transaction or membership card with over 90% reliability. With very few repeated visits, this rises to basically 100% accuracy. Identities and consumer activity analytics are very valuable (and saleable).
It’s actually worse than this. You can also glean a lot of personally identifiable stuff from the broadcast. If you see ssids of “starbucks”, “Foo Widget Co” and “TomSmithsHouse” along with a bunch of DNS lookups for “TomSmithsIphone” … You can start guessing a lot about people.
Many of us have been aware of the tracking by vendors. I keep GPS turned off on my Android phone. I guess that I'll have to turn off the WiFi as well except for when at home. Thanks for the heads up on this.
Awesome article. I recall a friend saying something like this about a year ago, but I didnt pay attention to him so much. Now that you are recalling it, yes I will turn off my wi-fi when I leave home and bluetooth as well.
Just random thoughts: Some department stores already do anonymous tracking studies using their security cameras, to learn how shoppers progress through the store, which displays attract their attention versus which ones they just whiz by without a second look, etc. You could duplicate that a little with really short range Wi-Fi signals but probably not at the same level of detail. It would help them track repeat visits, but unless it was correlated to purchase info, they wouldn't know if the person with the phone was buying anything. I bet employees start having problems with battery life, too.
I think it could be used for a lot more than that.
It could be correlated with interest on a particular visit without needing purchase info. For example: imagine going to the purfume counter at a department store and not buying anything and then seeing nothing but expensive ads for purfume on the way out. All you need to know to do that is that MAC address e4:ce:8f:1f:f7:ba went to the purfume counter, didn't go to the checkout and is now on the stairway.
What if the information is shared with other shops in the same mall?
After a few non purchases in a few shops you might be able to tell what I'm interested in. Perhaps I've looked at purfume, hand bags and shoes by now. Perhaps at one point I visit the gents toilet. I don't visit the mall often so this shopping trip might register as unusual. By now it looks like I'm a man and it's starting to look like I'm shopping for my wife or girlfriend, perhaps for a present. Perhaps I only come to the mall twice a year – once in December and once at an other time. Since I'm a last minute shopper my wife's birthday is likely to be very soon – in the next few days.
With *very little* data we're already honing in on my age, sex, disposable income and marital status. We're also able to do the same data for my wife and even begin to take useful guesses at her birthday.
–> Perhaps I only come to the mall twice a year
Only twice, you lucky man!
1. Birthdays – Never forget this
2. Holidays – Never forget this
3. Anniversary – Never forget this
4. When you say or do the wrong things – Never do this
5. Because she wants to feel special – Do this often
And the list goes on…
People are living in a dream world if they think this won't end up being used by lawyers and the government in the near future.
The lawyers are already trying to get to the NSA data.
I often use my phone to create shopping lists and check things off as I go along the aisles.
Perhaps it is time I went back to my Palm III. it was just as easy to do it on that device. (Or perhaps pencil and paper.)
I never have my wi-fi turned on unless I'm at home, and I don't turn on 3g unless I absolutely have to have it on for a particular reason (ie checking weather reports for an area in which I travel) and and very very seldom use bluetooth. I leave them off mostly for extended battery power when I'm away from home or vehicle, but I'm just naturally wary of the less-scrupulous personages tapping into info that I *might* have in my phone.
If you have an Android phone and want to turn off wifi when out and about and don't mind having GPS turned on you could use "Profile Scheduler". It's an app that you can schedule different "profiles" for the phone based on different triggers. It is possible to make it turn wifi on/off when at certain locations using the GPS.
You could make the phone only have wifi on when at your "home" coordinates (or any number of locations).
give me an old basic mobile any day but they are getting harder to find. so with a smart phone I switch off the wifi and the bluetooth and the gps and block unwanted calls and keep it updated with a virus checker.
Does anyone know whether Android 4.3's always-on WiFi scanning for location is passive or active? I assume it's passive, but I haven't found any information to confirm that, and unless there's something hidden in my wireless router UI, I don't have the equipment to test it myself.
Can it connect to a network that isn't broadcasting its SSID?
I'm not talking about connecting to WiFi networks.
Android 4.3 adds a "scanning always available" option. With that set, even when you turn WiFi off, apps that want location data can still get it through WiFi scanning. The idea is it uses less power than GPS.
I assume that passive scanning would be sufficient for this, because all it needs is to know what's around. It shouldn't need to broadcast anything, because it's not trying to connect. But I'm not sure if that's what it actually *does.*
My understanding has always been that any device with Wifi will only scan passively for networks that it has previously joined, unless the network had SSID broadcast turned off. It that scenario, the device always actively scans for the SSID in question, exposing both the MAC address of the device and the SSID of the network.
In the office we even had our security consultant (hacker) observe wireless traffic when a phone was nearby. Admittedly we were looking for SSIDs, not MAC addresses. Perhaps it is time to re-run the test, and look for the MAC address of the phone instead.
From the paper today in Brisbane Australia
Pedestranised streets in Brisbane and the Gold Coast have or will track shoppers through the streets, though anonymously.
I’ve also seen demonstrated at the AusCERT conference this year a tracking system for a building operating in 3D showing whether unauthorised devices were entering secure areas.
When turning off wifi and such, people still want a mobile signal. I think that signal can be used in the same way, because it uses a unique identifier as well. Put up a few antennas in the store, and triangulation is done!
A caveat to regularly changing yor device's broadcast MAC address is that networking will not work in the local WiFi network if you happen to choose an address that is already being used by another shopper with a WiFi connection at that retail location at that moment. Considering that the there are 2 to the 48th power possible MAC addresses (that's 281 trillion or 281,474,976,710,656 dresses), it is unlikely that you will have a broadcast “collision” with someone else’s device in use at the same store. Even if you do, all that it means is that Wi-Fi will not work for you in that retail location during your visit.
Since the first half (6 numbers) of the MAC address is reserved for the network adapter's hardware manufacturer, you can type in a new MAC address with a prefix that matches a manufacturer that is not even in the Wi-Fi adapter business or is even out of business. A directory of MAC addresses by company is here – http://hwaddress.com/company.html.
“Anonymization” technology is still not advanced enough to come for the rescue. However It seems to be the only solution to protect the privacy of individuals.