CAT | Tracking
The city of Chicago is getting ready to deploy several monitoring stations on light poles along Michigan Avenue. In addition to collecting environmental information like sound volume, light intensity, and air quality, the devices will also count people by detecting wireless signals from passing mobile devices.
The system is designed to only count devices without capturing unique identifiers. While this may be true, it would certainly be easy to change in the future with only a tiny tweak to the software.
This set up looks similar to the tracking trashcans I discussed last year.
Capturing this kind of data is inevitable, and would be invisible if the city had not announced its intentions. The key will be to ensure appropriate protections for collected information, whoever does the collecting. It is refreshing that all of the data captured as part of this project will be published immediately. Assuming nothing is held back that will give a clear sense of exactly what kinds of information can be extrapolated from the raw data.i
Additionally architectural changes like the random MAC addresses in iOS 8 can significantly improve privacy in the face for such monitoring and tracking.
A federal appeals court in Atlanta ruled that there is an expectation of privacy in cell tower location information, and therefor it is protected by the Fourth Amendment. This runs counter to other recent rulings that allow access to the information without a warrant under the Stored Communications Act.
The recent ruling relies on precedent from the 2012 Supreme Court decision in United States vs. Jones which stated that a warrant was required to place a tracking device on a suspects car. Phone records provide the same information, just with a different technical means.
This would not apply to intelligence gathering activities, nor would it prevent access to your location information with a warrant. It is a move to recognize that our personal information, about which we have real privacy interests, is increasingly existing in the networks of third parties. Laws that assume anything sensitive would be on paper and stored in your house or on your person are absurdly outdated.
For now this is only a local precedent. The issue will almost certainly end up in the Supreme Court at some point.
News just broke of a new feature in iOS 8 announced at Apple’s WWDC which was not covered in the big keynote. Advertisers and retail outlets have been using Wi-Fi to track mobile devices for some time. I talked about a network of Wi-Fi tracking trashcans last year in the podcast.
This works because, by default, most mobile devices are constantly on the lookout for Wi-Fi networks. The device communicates with visible base stations to see if they are known, if they are secure, and what they are called. That communication reveals the MAC address of the device’s Wi-Fi.
Like the address on your house, your phone number, or IP addresses, MAC addresses are globally unique identifiers. Everything that can speak Wi-Fi has its own individual MAC address. This makes it a great hook for tracking. If someone sets up a bunch of Wi-Fi base stations, most mobile devices going by will try to connect, giving it their MAC address. By looking at the pattern of those connections, the device can be tracked.
More sophisticated solutions have even used signal strength to triangulate the location of devices within a small area.
The big news is that Apple is going to randomize the MAC addresses of iOS 8 devices when they are probing for networks. If the device were to probe network base stations A, B, and C they would all see different MAC addresses and think that they were tracking different devices. The iPhone or iPad would still use its real MAC when establishing a full connection, but would not provide it to all of the networks it only probes but never actually uses.
This is a really small change which provides significant privacy gains. It is similar to the decision Apple made to use randomized IPv6 addresses by default, rather than ones which uniquely identify the computer or mobile device.
Of course, Apple is also working hard to track us all with iBeacons at the same time….
Recent iOS updates have automatically re-enabled Bluetooth for many users who keep it turned off for battery conservation or privacy reasons.
The increasing use of iBeacons and other Bluetooth based tracking systems make this a bigger privacy worry than before. Tracking via Bluetooth is now a widely and actively used tool in retail and other areas.
Conspiracy theorists suggest that Apple is doing this intentionally to increase the usefulness of iBeacons to track people, and thus encourage their adoption. While this is an appealing idea, the jury is still out on this one.
If you are concerned about this kind of tracking, you can quickly disable Bluetooth in the control center on your iPhone by sweeping up from the bottom of just about any screen and tapping the Bluetooth button. It is fairly easy and convenient to keep Bluetooth turned off most of the time, and just enable it when you want to use a wireless headset or other Bluetooth device for a short while.
The ability to use remotely loaded images in HTML emails for tracking has been known for years, but perhaps not widely known.
The On The Media: TLDR podcast just re-surfaced the issue in the above article, where they talk about a free Gmail plugin called Streak, which provides this capability.
It automatically embeds the hidden images in emails you send, then lets you see when and even where the recipient opens them.
Because they appear to use IP address based locations, you can block the “where” part by using Anonymizer Universal.
You can block this tracking completely by turning off the loading of images in your emails. Of course, if you then choose to load images, know that you are also enabling tracking. If you block image loading you will also find that your email become much less attractive and significantly more difficult to read.