Digital signs in Brookline are collecting data from your phone as you walk by
by internetter
As others have pointed out, MAC randomization mostly greatly reduces privacy risk. I'm not sure wifi scanning emits your MAC address unless you connect to hidden SSIDs. Bluetooth devices always bark out some kind of beacons when turned on.
This is basically a door people counter made for areas where you couldn't have a door. Malls used that tech 30+ years ago, little LED sensor that counted up every time the beam was broken. Small LCD screen usually at the bottom of the gates you pass through going in. If not a gate, then usually a beam with a reflector on the other side and the screen was on back of the beam/sensor unit.
For this use case, easier to count active mac addresses to figure out how busy each area is, doesn't have to be precise but it lets the town and advertiser know whether it makes sense to install a sign somewhere. Gives a general idea of ad impressions and is way cheaper and less intrusive than using cameras.
With that out of the way, I'd be more concerned if these were like other kiosks that also broadcast wifi and that connection was collecting unique information. This should be the main concern, this is where the good easy to correlate personal information is. That and cameras on advertising devices that do face/attention recognition.
MAC randomization partially reduces privacy risk. But there is a separate issue where your phone broadcasts a list of its known SSIDs (so that it can autojoin known networks and switch between multiple routers on the most recent network - I believe Lockdown mode disables this). So if your home WiFi router has a unique name, your phone is constantly shouting it, asking if this SSID is nearby.
The MAC randomization means that it will be a different MAC shouting this SSID every time. But the billboard vendor can see there is someone walking past it each day at 10am looking for a wifi network with SSID "PrettyFlyForAWifi."
And they can search that SSID in a public wifi map like Wigle.net to find the location of your house.
To mitigate this, find the most common router name in your country and use that for your home network.
I guess it's `xfinitywifi` https://wigle.net/stats#ssidstats
But....... if I do that, and my neighbors all definitely have it, how does my phone know which one to connect to? Am I leaking my password to my neighbor's APs, or does it use a hash somehow?
How do I tell my friends "My Wi-Fi is xfinitywifi... not that one... not that one... uh just put in the BSSID"
Update: The answer [0] is basically that if the probe request is for an SSID of an open network, then a malicious access point can say "that's me" and the client will connect. (Also, note the "that's me" is not a response per se, but a separate advertisement for a network with that name.) But if it's for a WEP or WPA/2 network, the client won't connect unless the malicious router also knows the password for that network, because the handshake used to generate encryption keys requires that the client and access point agree on a shared secret.
A malicious router doesn't know ahead of time whether the SSID in a probe request refers to an open network, so it could try to establish it and see if the client connects. (Even for closed networks, it's also possible there is a bug in some client software that would ignore errors caused by the server supplying the wrong key?)
You don't leak your password. There is some kind of hashing involved, but I can't remember the details and don't want to comment with incorrect information.
Hopefully someone who knows the answer will reply... :)
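The shared-secret handshake described in the update above, sketched as an added example (not code from any commenter): a simplified WPA2-PSK 4-way handshake showing that only nonces and MICs cross the air, and that an access point without the passphrase cannot produce a MIC the client accepts. The `M1|`/`M2|`/`M3|` frame layouts, MAC addresses and passphrases are constructed for illustration; real EAPOL-Key frames carry more fields.

```python
import hashlib
import hmac
import os

AP_MAC = bytes.fromhex("02aabbccdd01")   # constructed, locally administered
STA_MAC = bytes.fromhex("02aabbccdd02")  # constructed, locally administered


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_kck(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Expand the PMK with both MACs and both nonces (802.11i PRF).

    The first 16 bytes of the resulting PTK are the key confirmation key (KCK).
    """
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                 hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def mic(kck: bytes, frame: bytes) -> bytes:
    """Message integrity code: HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def handshake(client_passphrase: str, ap_passphrase: str, ssid: str):
    """Return (frames_on_air, ap_accepts_client, client_accepts_ap)."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    air = [b"M1|" + anonce]                      # AP -> client: nonce only

    # Client derives its key locally and proves knowledge with a MIC.
    client_kck = derive_kck(derive_pmk(client_passphrase, ssid), anonce, snonce)
    m2 = b"M2|" + snonce
    m2_mic = mic(client_kck, m2)
    air.append(m2 + m2_mic)                      # client -> AP

    # AP derives its own key from whatever passphrase it holds.
    ap_kck = derive_kck(derive_pmk(ap_passphrase, ssid), anonce, snonce)
    ap_accepts = hmac.compare_digest(mic(ap_kck, m2), m2_mic)

    # Even if the AP carries on regardless, the client checks the AP's MIC.
    m3 = b"M3|" + anonce
    air.append(m3 + mic(ap_kck, m3))             # AP -> client
    client_accepts = hmac.compare_digest(mic(client_kck, m3), air[-1][-16:])
    return air, ap_accepts, client_accepts


if __name__ == "__main__":
    for ap_pw in ("correct horse battery", "guess123"):
        _, ap_ok, client_ok = handshake("correct horse battery", ap_pw, "xfinitywifi")
        print(f"AP passphrase {ap_pw!r}: AP accepts={ap_ok}, client accepts={client_ok}")
```

Because the SSID is the PBKDF2 salt, two networks that share a name and a passphrase derive the same PMK, so a common SSID only stays safe with a passphrase that is not common.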
> Bluetooth devices always bark out some kind of beacons when turned on.
They don't, as far as I know.
Bluetooth EDR ("classic Bluetooth") doesn't broadcast anything at all as far as I know, and only listens for connection requests (that need to know your MAC address to be able to ping you).
Bluetooth LE devices are a bit more noisy in terms of broadcasting but support privacy addresses for service announcements.
There was a Soofa sign near my house across the river in Somerville that (now that I think about it) I haven't seen for a while now. The branding wasn't quite as prominent as the Brookline Bank sponsored one in the photo. As I recall it displayed a vaguely useful calendar of local and city events, plus a question you could reply to on Twitter so they could show "engagement".
I'm not surprised nor especially troubled that the sign gathers pseudonymized MAC addresses in hourly buckets. In the last several years there's a mini-trend of startups attempting to provide more or less anonymized smartphone traffic data to cities and towns for urban planning purposes.
In theory this is good! Ideally it helps city hall be more data driven and see things that might not filter up to city hall, in a "pave the cowpaths" way (e.g., do we need a new circulator shuttle stop? What's happening that one weekend in May that drives so much foot traffic and that we're not aware of at city hall, and should send a police detail to control that intersection? Oh, that brewpub has an annual event we didn't know about that blew up on Instagram.)
In practice I think the problem is the wins tend to be minimal compared to the effort involved.
All that said, I don't love the conspiratorial, low-trust assumptions you're encouraged to make by the bare statement "They’re collecting data from your cell phone."
But without privacy regulations I suppose that's where things will inevitably go -- people will assume a priori that "data collection" is itself threatening. (I certainly foresee a lot of rich retirees agitating to cancel the contract at the next Brookline town meeting.) So I wonder if the main benefit of better privacy regulation in the US would be preventing further deterioration of the basic trust that allows the "collective intelligence" vision of the 00's to come to fruition.
American here - it is foolish to trust so much; history has shown again and again that a few determined actors, often wearing a uniform, can and do "fleece the sheep" for fines, tracking or whatever else. With that said, there are plenty of benign or even constructive uses for traffic data. This is not traffic data alone. The worst offenders of privacy violation and aggressive monetization with or without consent, can do a lot of damage.
Large retailers were doing this a decade ago.
Doesn't MAC randomization used by both Apple and Android devices make this redundant?
I'm no legal expert but it seems like this data might be subject to FOIA requests - or at least should be anyway. If it is truly anonymized (yeah, right) then it could be released publicly.
I'm not really sure what the general public would actually do with this data - but they paid for it so they should have access. Even better would be to not collect it at all. Is there some way to increase the cost of collecting/storing data like this so that more municipalities/organizations will just consider stuff like this "not worth it"?
Even in cases where courts have found that the government (or their agents e.g. a police officer) didn't have the authority to surveil the public without a warrant they were able to purchase private data and construct a parallel chain of evidence that didn't involve the warrant-less surveillance.
I've already submitted a FOIA – request 2024-0103[0]. I requested all raw data made available to the town since this feature was made available in 2021. If this is successful, I will submit one to neighbouring towns as well, and will release it on my blog (here[1]).
Edit: I have mixed feelings on this initiative as a whole. "Bike Counters" are frequently used by cyclists, for instance, to argue areas need better infrastructure. The question is how can it be done in a non-invasive way, and this data should absolutely be public if it's being collected
[0]: https://townforms.com/FOIADirect-BrooklineMACitizens/Public/...
Who would you FOIA? iOS and Android randomly and locally select a 47 bit number and change it every now and then. I don't think it's ever sent off-device.
The town of Brookline itself. They contracted with Soofa and would likely have responsive records in the form of contracts at the very least. It's not obvious who owns some/all of the data so you might not get the actual MAC addresses - or as others have mentioned you'd get a lot of "random" hits so it would be more difficult to track returning individuals.
Regardless - these are elected officials and their departments using public money for what some might consider surveillance. What's the issue with a little sunshine on how this all works?
Ah, got it, I was thinking you were referring to the mobile OSes and the details of their MAC randomization implementations.
My understanding is that Apple's MAC randomization tries to give each SSID a different MAC but records the mapping so that the next time you connect to a known SSID you get the same MAC.
I can see why they would choose to do this -- it provides some privacy while not confusing most users (who might have to reauthenticate, or might no longer be in an allow list). I'd prefer to get a new one each time I connected to an SSID but I'm sure I'm in the minority.*
I wouldn't be surprised if every one of these devices had the same SSID. Why not?
* 99.999% of the population wouldn't know a MAC if it bit them on the nose, and I'm sure prefer it that way. Not an unreasonable position to take, TBH.
> My understanding is that Apple's MAC randomization tries to give each SSID a different MAC but records the mapping so that the next time you connect to a known SSID you get the same MAC.
And that's if you actually joined the network (who joins a billboard's wifi network these days? Cellular data is plentiful even for cheap plans). If not, the only MAC that's sent is a random phone that's reset every scan/15 minutes (forgot which one it was).
It keeps the MAC address when connected. Overall the whole thing doesn’t work anymore since any 10 years. It’s false information to a certain degree.
It will work for people just passing by.
What does work is sending out btle beacon signals, putting a sdr 5G cell.
The whole market for this kind of tracking is filled with fake data.
>putting a sdr 5G cell.
That sounds super illegal because the spectrum 5G operates on requires a license to use. You can partner with cell carriers to use their licenses, but why would they partner with you? They'll be quite happy to use their existing infrastructure and hoard the data for themselves.
You can get 5g extenders.
For example, if your connection is bad, some providers offer indoor 5G stations. Not sure how they deal with the license in that case.
As far as I've been able to tell from testing, Android's does this too.
Edit: unless you enable "Wi-Fi non-persistent MAC randomization" in developer options (this should be the default imo, and should be a per-network option like persistent randomization and device mac address)
I want this feature on by default, but recognize that all but a tiny number of users will be confused and inconvenienced by this when using a public wifi.
Imagine using this in India where the law requires that every public wifi require a phone number to authenticate before use.
Don't some people turn off randomization so that their router can assign a fixed internal IP address?
Yes, but that setting is per network (at least on iOS). I only turn it off for my home network.
Same on android. It defaults to per-network and the only way to change it is per network.
If by some people you mean a small proportion of a small community like Hacker News then yes.
Were they only using the data externally, or were they also selling/sharing it with third parties?
Longer! Since the early 2000s.
Habits:
- Leave home: turn wifi off, turn mobile data on
- Arrive home: turn wifi on, turn mobile data off
- Bluetooth off unless paired with car / earbuds
*Need to check MAC randomisation settings
Habits -> Shortcuts.app -> Automation -> Personal automation on a geofence
Hehe, yes, except I have Location off unless navigation is required ;)
- Always in Airplane mode
- Wi-Fi on at home
- Wi-Fi off outside home
- Only enable the cell radio if I'm expecting an incoming call or about to make an outgoing call
I live in hell and it's everyone else's fault, everyone is wrong but me.
*everyone is wrong but us
;)
Why? This makes your location less accurate, breaks Airdrop (on iOS), and doesn't really help privacy given that MAC randomization has been a thing for a while now.
One exception is if you have ever connected to a hidden SSID: Due to how the protocol works, your phone has to broadcast that SSID name occasionally to probe for any access points nearby that might be part of it. Newer iOS versions specifically warn of this when connecting to one.
Why does my location have to be accurate? Why does my location have to be known by my phone at all, outside of when I need to do something location related?
Everybody uses their phone differently of course, but I'd find it very inconvenient having to enable Wi-Fi every time I want to check my location on a map.
I don't think it's too much to ask of a mobile OS to make that safely possible without exposing PII over the air to any advertisers nearby.
"To avoid data collection from Soofa signs, they would either need to turn off their phone’s wifi detection and Bluetooth or avoid the signs as a whole."
These should be defaults.
Android has options to turn WiFi scanning off. Does OSX?
Well, iOS is apparently supposed to allow for turning it off.
But that doesn't actually work. Saying that as an iPhone user who keeps turning Bluetooth off in the Settings app, but it doesn't stick. It's always on again a day or so later (the next time I check).
So either iOS is buggy in this regard, or it's not actually possible to turn Bluetooth off permanently. :(
In addition, even if you go into the settings app and turn off wifi (which is supposed to be an actual disabling, unlike toggling the wifi in the quick access menu, which is automatically undone after a certain amount of time), it will be turned on again the next time the device reboots.
I just tested this on my iPhone, and kibwen’s claim is false. The wifi remained disabled after a reboot.
And I just tested it on my phone, and my claim is true. iPhone 15, latest OS version. Happens every single time.
This would be strange behaviour in countries where mobile data is unmetered and people primarily use their phone as their wifi.
Verified my wife’s phone behaves identically to mine. WiFi turned off via settings stays off after a reboot.
Are you able to leave it off for a few days and see if it magically turns back on without you touching it?
No, I don't have a spare phone.
Shortcuts.app -> Automation -> Personal -> At time of day -> Turn {WiFi,Bluetooth} off
It's not buggy, it's covering for the 90% of people out there that forget they turn it off and then helplessly wonder why things are not working.
Off means OFF. Just because some illiterates (definitely nowhere near 90% of the population) can’t tap an icon I shouldn’t be forced to set up an iOS shortcut to _actually_ turn wifi or bt off.
The fact that I can’t then add the shortcut to the control center is just insult to injury. The shortcuts widgets don’t cut it.
While I’m ranting, the fact that a simple shortcut that uses system default apps (Recognize music and then opens Notes to paste the title and artist) requires me to enter a passcode to run – with the Allow Running When Locked setting on – makes me doubt settings in iOS mean anything.
It's not about tapping an icon, it's about the understanding that turning things off has non-obvious consequences on other bits of features, an understanding that can only be reached by getting down technical rabbit holes.
e.g (just one example) turning WiFi completely off degrades the ability to geofence, one's automations may be delayed or non-functional and one would be bewildered as to why. Turning WiFi off one day, forgetting about it, then having apparently unrelated things not work the next day is hard to diagnose.
There's a next-day trigger for sure for the WiFi disconnect+no-auto-reconnect ("disable WiFi" in the support page†) but I must admit that I don't know what's the exact trigger - if any - for the master WiFi switch in Settings.app ("turn WiFi off" in the support page†) to be turned back on. Next day? After a software update (e.g an automated nightly one)? Exiting hotspot mode? As you suggested, a bug? Nothing and it's people forgetting they have turned it back on "temporarily"? The support page† doesn't say anything about it.
Should one desire to enforce WiFi off as a policy, the shortcut can act as a safety net around all these cases, the tool is available to help automatically enforce the policy, and I don't think it's helpful to sit and hold one's breath til one turns blue because it shouldn't do what it's doing, refusing the opportunity to get control back.
I agree that Shortcuts is awfully limited, sometimes inexplicably so. I mean, picking up a random wallpaper from a Photo album every X hours should be entirely doable, yet there's just no way to do it.
† https://support.apple.com/en-us/102412
EDIT: I have tried the hotspot thing.
- set iOS WiFi off
- request hotspot connection from another device
- iOS WiFi turns on
- if no known autojoin AP is in range
  - iOS WiFi turns on
  - hotspot connection succeeds
  - upon hotspot disconnect iOS WiFi stays on (BUG #1: should restore WiFi off)
- if a known autojoin AP is in range
  - iOS WiFi turns on
  - iOS WiFi connects to AP (BUG #2.a: should not connect to AP)
  - hotspot connection fails (BUG #2.b: caused by #2.a?)
  - WiFi stays on, connected to AP (NOT BUG: consequence of #2.a)
  - (optional) re-request hotspot connection
  - iOS WiFi disconnects from AP
  - hotspot connection succeeds
  - upon hotspot disconnect iOS WiFi stays on (NOT BUG: consequence of #2.a, which caused WiFi state == on at second hotspot-request-time)
  - iOS WiFi eventually joins AP
This may happen unattended if the requesting device has "auto-join hotspot" enabled.
Bear in mind that just magically turning things back on also has non-obvious consequences as well.
Especially if you're relying on something to be in the state you (literally) configured it to be in, and it turns out the software makers "know better than you". :/
Oh, it's definitely buggy. But that idea of a workaround is reasonable, thanks. :)
No idea about Apple OSes but to avoid data collection and save battery I turn WiFi off when I leave home and Bluetooth is on only inside my car. That should prevent any problem.
Shortcuts.app -> Automation -> Personal automation on a geofence
That said:
- data collection ranges from minimised to eliminated by features like MAC randomisation
- battery impact of WiFi + BT on but disconnected is a rounding error
I understand that this is "harmless" tracking but, out of equal parts spite and paranoia, it still makes me want to stick my device in a Faraday bag when I'm out and about.
As stylish a tinfoil tote would be, I think it would be detrimental to legitimate uses like receiving signals.
Yeah, that's a given.
About the only functional use I can think of would be if devices still had headphone jacks, you could probably get away with snaking headphones out and listening to music/podcasts/whatever you'd already downloaded.
What is the contract between Soofa and the City of Brookline?
> Assistant town administrator Devon Fields, who led the implementation of the program before her recent departure from the position, [...] The town’s transportation division previously had an employee who worked directly with Soofa regarding data collection, but they left the department more than a year ago and have not been replaced. [...] the department has not been actively using information collected by the boards, [...] Fields will be the incoming deputy city manager of operations for the city of Chelsea.
Is that contract regretted by the city? If so, how much?
(The journalist seemed to hint that the program was a flop for Brookline, but didn't get much into that. For a career move, Chelsea is a different kind of Greater Boston city than Brookline is, so could be a more interesting challenge, or better growth opportunity.)
> Is that contract regretted by the city? If so, how much?
I haven't researched the exact terms of the contract, but it's possible the signs were pro-bono, as
1. Part of it is that advertisers can pay ~$100-$250 a month to display ads on these signs and I'm guessing Soofa takes a cut
2. In Brookline, these were sponsored by Brookline Bank, so they get free advertising
Many commenters point out that Bluetooth MAC address randomization on phones mitigates most of the privacy risk, but forget that most other devices – even including the pressure sensor in your new car's tires – use a static address that allows you to be tracked.
What's the best way to anonymously ruin their data?
Should be relatively easy to "flood the zone" with tons of fake MACs as you walk by. Once they realize 100 million people did not really visit that sign, they might reconsider.
An enterprising person could probably design a casing for a solar powered Pi and stick it to the top of the kiosk.
Reminds me of the guy who created rolling traffic jams on google maps by pushing around a wheelbarrow full of phones.
Or just set up your own recorder at each sign and replay the last week’s traffic in random order.
I was wondering that too. Instead of having to guard my phone's settings all the time to prevent leaking data, I'd rather poison the well. It would be interesting to see if you can use a Flipper Zero to flood these devices with fake or corrupted data (and perhaps cause some interesting side effects).
Flipper Zero doesn't have wifi (though there are external solutions).
Probably easier to do what you describe with a laptop or smartphone.
How does a randomized mac address or "ip address" provide demographic info? Either this is terrible tech journalism because they're making shit up or it's terrible tech journalism because the company is doing something much more concerning but they don't understand it and can't articulate it.
It serves the purpose of redirecting public funds into a private company's coffer.
> collecting data from people's phones ... and then sharing that information with the town
By "sharing" I assume they mean "selling". The question to ask is who in the city approved this and what is their relationship with Soofa?
Seems a bit like kind of privacy theater worrying about these kinds of things.
A town close to me has a sign that shows the number of people that have gone past on the sidewalk. Possibly counts stuff by a magnet/weight sensor or such in the ground. Never have thought that was in any way a privacy problem. Neither is this.
Why give these bastards an inch?
Why give anyone any permission you can deny? Why build wind turbines that "ruin the view" either?
That kind of extreme NIMBY attitude would have us living in caves if it wasn't for the other side. The worst of it is that it just attacks what is honest and visible the first, encouraging dishonesty and secrecy because stuff like this would never actually come to hurt you in any tangible way. I hope you come to realize that.
also this liveoverflow video I particularly enjoy: https://www.youtube.com/watch?v=UeAKTjx_eKA&t=937s
I'm curious how often governments (as opposed to businesses) have done this?
People need to know. There are no new crimes, but they're always wrong.
I learned about this from an old book, called "No Place to Hide" (2006) about how shopping malls have these chokepoints, that have Bluetooth and other data sensors to collect EMIDs etc. Today I think it's even worse. Data from mobile devices are being pinned and harvested constantly.
Maybe one day, Apple? will allow us to see and block pinging signals attempting to harvest data.
https://www.simonandschuster.com/books/No-Place-to-Hide/Robe...
> Maybe one day, Apple? will allow us to see and block pinging signals attempting to harvest data.
Your phone is the one doing the pinging. I guess Apple could stop it doing that, but then it would be slower to get your location and the Airtag system would be less effective.
Tangentially: Where is Soofa sourcing these giant e-paper displays? I’ve only seen them this size in Brookline.
I already put my phone in airplane mode whenever I enter a business, but now I have to keep my phone in airplane mode when I'm just walking around in public?
Or just use one that supports MAC randomization when probing for networks, like any iOS or Android device released within the last couple of years.
I do that already, but I'd rather just not appear at all. I admit this is a position of hostility, but my hostility towards stuff like this has been well-earned over years.
That's going to be tricky, though – infrared/ultrasound sensors will be able to establish your physical presence in front of these things even without you carrying any electronics.
I wouldn't have nearly as much of a problem with that, honestly, as long as it's not face/gait/etc. recognition.
The problem is that the tech industry has been so abusive about electronic data collection for so long that it's burned through even the smallest sliver of trust about such things.
Yes. I already do that because the cell network doesn't need to know where I am when I'm not even using it.
Given that most phones now spoof that MAC and rotate it this is basically just measuring footfall. Not ideal but also doesn’t seem overtly privacy harmful
Cue the ACLU moving the MAC address goalpost up a few layers to "quite sensitive" "IP information".
Says that the MAC addresses are encrypted. Are they hashed, or truly encrypted? If encrypted, they can be decrypted.
The BLE MAC address consists of a random periodically changing part and a deterministically generated part based off encrypting the random part with a device-specific secret key (the Identity Resolving Key). This allows paired devices to identify the BLE advertiser since they know the IRK, while random devices like signs would not know the IRK and thus would not be able to deanonymize the MAC address. This feature is called Resolvable Private Addresses (RPA).
> When a phone has wifi searching enabled, it is constantly sending out signals to attempt to connect to a network.
This is one thing with iPhone that infuriates me. Even if you "turn off" the WiFi it will always turn back on after a short time and connect to known networks. Or if I change to another location with a known network it will automatically connect to it after turning the WiFi back on. For the life of me I can't find a way to keep it off consistently.
I created custom shortcuts for actually turning off Bluetooth and Wifi, and use those exclusively instead of the dark pattern buttons in control center.
You can also turn them off in Settings. Also anytime a macOS or iOS update is applied, Apple turns back on Bluetooth even if it was turned off.
They want you to leave them on so their Find My network can function, regardless of what the user wants.
When Soofa started, they managed to get USB-charging benches installed around the Boston area.
The concern I raised at the time was that the company was being allowed to install general purpose equipment housings in prime heavy-foot-traffic locations -- and the company could use these to deploy surveillance capitalism equipment they controlled.
Looks like that's a direction Soofa is going in.
“I’ve never heard anyone cite useful data, you know, useful to the rest of us, that resulted from the Soofa signs being located in various locations,” said Brookline select board Vice-Chair John VanScoyoc in an interview with Brookline.News. He elaborated that the data being collected does not offer any new perspective that couldn’t be easily observed.
Is this a challenge to attackers to find a use case for the data? How they are going to infer demographic info from MAC addresses?
This has been happening for literal years now.
A German adtech company was going to do this in collaboration with Shazam, I strongly suspect the GDPR put paid to that.
> The signs also collect IP addresses.
Uh, false? What IP address? This sentence is meaningless, users don’t connect to the sign, so there’s no IP to it.
This article is just scaremongering by people who don’t know technology.
Agreed, there is no IP address to collect, so this part of the article is inaccurate.
The rest of the article is not necessarily scaremongering, but they don't explain the issue well: it's not just a "giant clicker" as described, because it collects personally identifiable information (cellphone MAC address) without permission. This would be illegal in many other countries.
Additionally, they claim the data is "encrypted" but since it's not an open algorithm it's possible that it's flawed, either because it's deterministic or reversible.
> personally identifiable information (cellphone MAC address)
On many phones they rotate. Are they still PII?
I mean, all encryption is reversible, that's sort of the point :P I'd much rather it was hashed instead
FUD. Collecting randomised MAC addresses is hardly something I would worry about. And if you are paranoid you turn off the wifi.
If they don’t convey information why would they bother collecting it?
Because 4/5ths of the tech sector has been built on the back of absurdly low interest rates and gesturing to the future, shrugging your shoulders and saying "monetizing user data"?
Maybe to follow users during a single discrete trip through the space?
I realize these are public spaces we're talking about but to what extent are we willing to have our bodies and behaviors amplified, stored, copied, and otherwise scrutinized before we're allowed to feel some inherent right to personal privacy has been violated
Of all the things to worry about in the world, even in the narrow subsection of data privacy which feels like a 1st world human right, this particular case is not the one to worry about. Worry about how much Meta and Alphabet know about you, worry about the governments, but not the roadsign. Feels like a distraction.
If they employed someone with a clicker to count the number of passers by would you feel that your privacy had been violated? What if they used a light beam that counted every time someone passed through it?
I had the same thought but then the kiosk could do that and they wouldn’t need to transmit the MAC to their server.
I guess mac address tracking is better than the facial recognition method K-Mart was using.