Hacker News new | past | comments | ask | show | jobs | submit login
Tracking devices hidden in London's recycling bins are stalking your smartphone (qz.com)
131 points by Leander_B on Aug 11, 2013 | hide | past | favorite | 73 comments



This has some interesting legal implications. The UK has a Data Protection Act that requires organisations to register with the ICO (Information Commissioners Office) and comply with a number of requirements.

Renew London is not registered with the ICO, nor is any company with a similar name at their postcode [1].

So either they believe that they're exempt, or that it's under a different name.

The ICO has a self-assessment tool [2] to work out whether an organisation is required to register. I'd suggest that the big question is: "Are you processing personal information?". The definition is:

‘Processing’ means doing any of the following with the information:

    obtaining it
    recording it
    storing it
    updating it
    sharing it
‘Personal information’ means any detail about a living individual that can be used on its own, or with other data, to identify them.

So based on that, they're processing personal information and are legally required to register and comply. The ICO is not seen as an overly strong regulator, but they might be convinced to investigate after the inevitable headlines in the papers.

[1] http://www.ico.org.uk/esdwebpages/search. Postcode is E1 6DY from their website in the press release [2] http://www.ico.org.uk/for_organisations/data_protection/regi...


It's not clear that a MAC address is personal information. The ICO's own guidance [1] gives the example of telephone number being personal information if the number is in the telephone directory, making a reverse lookup to identify the owner possible. Is such a directory available for MAC addresses possible? Given a hypothetical MAC address 0c:fd:c3:de:00:d5, could you identify a person with that alone?

[1] http://www.ico.org.uk/upload/documents/library/data_protecti...


The makers of the bins have a video showing a named person walking around, and the bin collecting information on that person's likes and dislikes.

The video makes a comparison between their bins and cookies, describing this as "cookies in real life".

It seems difficult to compare their tech to cookies (which have EU wide regulation) and to show information collected about an individual and to then claim exemption from UK data protection laws.

(https://news.ycombinator.com/item?id=6194160)


It is not possible unless the user voluntarily associates his personal information with that mac address.

It is possible to harvest this information covertly. Up until iOS 7, it's possible for any iphone app to get your mac address. So if you also provide your personal information, an app could covertly associate them.


It doesn't have to be voluntary. If I have a list of all the MAC addresses/timestamps and can cross reference that against a different known list of people times (ex: credit card transactions, rewards card, even face recognition) then you can associate them. With enough data it can be very exact.


If you had face recognition and rewards cards, you wouldn't even need a MAC address to track someone.


The rewards card would be in one location, you could then know that person's identity at all stores via cell phone connections or cameras.


It can be feasible if the enough credit card or reward card usage data is gathered for you, across all the stores you visit. Hard, but possible. Still for a lot of users the entropy will be too high.


https://news.ycombinator.com/item?id=2942967 87% of the U.S. Population are uniquely identified by {DOB, gender, zip} (latanyasweeney.org) (278 points, 712 days ago, 101 ocmments)


Yes but you'd have to uniquely identify by store visit patterns, and assuming you use a trackable method like credit card, loyalty card (universal one), AND have your wifi turned on.

You listed a lot of dimensions, whereas to make the correlation between mac address and customer info, you only have 1 dimension (visits/location) to do the correlation with.


Personally, I heavily use credit cards[0], loyalty cards[1], and I leave my wifi turned on all day because Google Maps gets grumpy when I turn it off.

In practice, I find that I've needed a lot fewer dimensions than I'd expect to find people; when I was in grade school one time I cross-referenced the attendance list (for a last name), the reverse phone lookup in the white pages, and a map of the school district boundaries to figure out where a classmate lived.

I think that repeated visits to a grocery store like a Safeway would be a really good proxy for home ZIP code. Every Safeway I've visited in the SF bay area has a wifi access point, and I wouldn't be surprised if it was logging the MAC addresses of phones that pass by. Maybe some hackers will try to optimize their route home and pick a grocery store that's half way between work and home, but I hypothesize that a large enough number of people choose to run to the nearest grocery store for that "one item they forgot to buy for dinner" or for dedicated weekly shopping trips that you could draw reasonable conclusions about aggregate behaviour.

[0] I like buying stuff online; it's kind of unavoidable there.

[1] I always get this weird sense of power when I buy peaches at the Safeway at full price during off-peak and then the next week they go on sale for "Safeway Club" cardholders at the store I usually shop at.


I think it would be easy to link either your credit card or your image (if they were doing that) to your MAC if you only made two trips to the same franchise with wi-fi on.

For example, imagine they have cameras that can image your license plate. You go there twice -- they have one MAC and two sets of possible plates. The odds that you and another person were both shopping at those times is pretty low. Now they have license plate, make/model of the car, can probably triangulate the wi-fi to know what you bought each time with reasonable fidelity...


How many samples? All you need to do is wait until they tell you who they are by associating that MAC addr with a hotspot.

Share "anonymous" data with vendors who provide wifi access, and suddenly Sephora knows where you live and where you work and can remind you that you're almost out of La Prairie Crème Cellulaire Platine Rare when you bin your cup of coffee outside the office.


Not in a public directory similar to a telephone book, no. At most you could learn the make/model of their nic.


There is further discussion over here:

https://news.ycombinator.com/item?id=6194160 (arstechnica.com)

In addition, here are some other sources for the same story:

https://news.ycombinator.com/item?id=6181893 (qz.com)

https://news.ycombinator.com/item?id=6183485 (qz.com)

https://news.ycombinator.com/item?id=6184423 (theatlanticcities.com)

https://news.ycombinator.com/item?id=6187750 (vice.com)


On one of the forums I am on, the debate has moved to whether a MAC address is an identifying piece of information. Especially given the high likelihood that a phone is not a shared device.

They're also using the MAC address to identify the device, and I suspect from that to estimate the demographic: http://new.pitchengine.com/pitches/60f7865a-f3ac-4167-920c-5...

This seems to be echoed by some legal people: http://www.huntonprivacyblog.com/2011/05/articles/article-29...

> Unique identifiers (such as MAC addresses) should only be stored for a maximum period of 24 hours, and should subsequently be deleted or anonymized.

And they have an opt-out page: http://www.presenceorb.com/optout.aspx

But how many people would opt-out of something they didn't know was tracking them?


I wonder how long it would take you to POST all the possible iPhone and Android MAC addresses to that opt out page.


And to do it in a random order to ensure they couldn't just ignore the opt-outs based on sequence.


You'd also need to do it from multiple ips to avoid hellbanned or effectively filtered later on (presumably they log from which IP the request came from).


Get on Tor, send a random number of requests between 1 and 3, wait a few seconds, regenerate the tor circuit, do it again.


…and make yourself into Weev II.


Yeah, there is no way you'd be able to do that in the US without getting charged with wire fraud at least.


Given that this is about London, being tracked in public is already a forgone conclusion.


I never really buy into the idea that just because there is some tracking (for any definition of `some`) that we should accept all other tracking.

Anyone with a credit/debit card has been tracked since the day they got it, but it doesn't mean that every subsequent intrusion should blithely accepted.


My comment posted as a reply to the wrong comment. Oops.

Anyhow, I agree. My reply was in response to another comment which seemed to imply that this program was the difference between being tracked or not, which is a silly sentiment in London.

I agree in principle that this kind of tracking isn't okay. I'm just not sure that the implications are worse than the status quo in this case.


As someone living and working in London, I pass more than a couple of these 'bins' every single day.

These bins are quite strategically placed (1) in the heart of the square mile - the prime financial district and tourist hub of London city (2) especially around bus stops and city squares in this area - which have some form or other of free city wide wifi networks - where one would be waiting for enough time (consuming lunch, waiting for bus, meeting a friend, shopping...) to be an ideal consumer for targeted advertisement.

They also have an extremely amusing design which makes them look slick - but extremely unlike waste bins - infact you have to look at them closely to find where you need to dispose off your waste. This was one thing that amused me extremely when I first saw them - the strange inconspicuous design - but things make much more sense in the light of this article.

As someone who's targeted more than once a day by these things, I see this as a breach of privacy and expect to be informed that data about me is being collected and stored and maybe used for commercial purposes in the future (irrespective of the ICO technicalities and loop holes).

As a human, its a fundamental breach of trust and I would personally not see these things with the same inconspicuousness they have been designed with to deceptively integrate and blend into our daily environment.


Update 18:15 09/08/2013-- "[We collect anonymised and aggregated MAC data -- we don't track individuals or individual MACs. The ORBs aggregate all footfall around a pod for three minutes and send back one annonymised aggregated report from each site so the idea that we are tracking individuals again is more style than substance," says Memari in an email. "There are applications in the future which Quartz focused on but during the trial period we are only looking at anonymised and aggregated MAC data".

He adds, "as some of the technology we will be testing will be on the boundaries of what is regulated and discussed it is our intention to discuss it publicly and especially collaborate with privacy groups like EFF to make sure we lead the charge on [adding necessary protections] as we are with the implementation of the technology"


That is not consistent with their stated intention of targeting individuals with ads. They made that quite clear in the video.


Low tech solution: fire.

When a couple have gone up, it will no longer be cost effective.

I really don't like the idea of tracking such things. It's bad enough in the internet but being stalked outside is not acceptable.


Yeah, you try setting fire to a bin in the City of London. See how far you get.


You'd probably be best off burning them by "recycling" some sort of timed firebomb. Ideally this would be done with something that has some plausible deniability (have somebody "recycle" some crumbled newspaper before you, then "recycle" a (modified?) cigarette butt).

Of course firebombing the cans is probably very more illegal than just dumping a can of lighter fluid into it and throwing in a match... I mean, even that is arson, nothing to sneeze at. You would have to balance the possibility of being caught with the punishment if you are caught.


I wonder how it would cope with a raspberry pi with wifi cycling through random cloned mac addresses.


I wonder how many write cycles its flash memory is good for.


If you don't like being tracked then don't practically scream your hardware's identity around. This is what you do when you use 802.11. Trying to legally regulate such things is like pronouncing your and peer's name in clear (even if you use cryptic language), in every sentence you say out loud, then telling others no not notice nor remember that.

Want the privacy the sane way? Go make vendors to introduce security features (like short-lived euphemeral MACs), so communicating party names won't be meaningful to others.


Unfortunately, nobody is competing on such features. There is simply no (even paid) alternative available.


There's always an option to enforce requirement of such features using the legal system.

If laws can and are (ab)used by governments and their TLAs to legally force equipment vendors and service providers to create various surveillance features and misfeatures (backdoors, security strength limitations), it's only reasonable that they must be used to create privacy-enhancing features for the public good, too.


How many people really know and/or understand that though?


My first thought was to agree, but my second thought was to wonder how much worse this makes things.

The mobile network already locates you well enough for the spooks to find out who you're meeting. I live in Melbourne; half our mobile network is owned by Singapore, and god knows how much was made in China. The spooks are scary, but the network has become essential.

No doubt computers accelerate threats to life and freedom, as they do to everything else. It got that way a long time ago, when IBM tabulating machines powered the holocaust. The problems are Singapore and China, which are being solved, and Australia, where parts of the solution are failing. Those solutions are human instead of technical.


Setting these things on fire probably leads to you becoming the subject of investigation by the local constabulary.

I'd suggest taking some bits from a discarded microwave oven, assembling said bits into a directed microwave transmitter and blasting the business end of the bin with a few hundred watts of microwave energy. For extra brownie points you could modulate the signal so it looks like an 802.11 transceiver on steroids.

Now you only need to 3D-print a box for it/connect it in some way to an Arduino or Raspberry Pi and you'll be lauded on hackaday.com!


What's the licensing situation for the 2.4GHz spectrum in the UK? In the US, they're part 15 devices that must accept interference from licensed users of that spectrum. Radio amateurs are licensed users of that spectrum.

While I doubt it's legal to get your ham license and pump 1500 watts into your least favorite Wifi network, I'd certainly enjoy reading about the resulting court cases. Federal jurisdiction, local jurisdiction... always entertaining.


Ah, but that assumes they know what you're doing. Microwaves have no qualms about passing through plastics, do they? Just don your best suit, carry an attaché case like an aspiring FleetStreeter and look interestedly at the ad under the snooping device. I don't think it takes 1500 W to bring it down - nor do I see how you'd achieve that power output from a discarded household magnetron - but a few hundred watts at close range will surely make the things' 'ears' ring.

If microwaves are not your thing you could try your hand at an EMP projector, even though it might be harder to make sure only the targeted device kicks the bucket.


Arson is a serious criminal offence!

You'd do better to steal the entire bin.


I would supposed wrapping it with a little tinfoil might get you down to littering.


One can only wonder when it will be illegal to not have a tracking device (smartphone) attached to you.


Long before before that it will become suspicious.


You can just imagine a future press release from those involved, citing an 'enhanced...experience' - which is general marketing speak for "we're going to try and squeeze more money from you with targeted advertising". What a shitty way to contribute to society.


There's a commenter on HN who thinks so;

https://news.ycombinator.com/item?id=6196981

I tend to disagree, I don't think tracking my habits to more effectively manipulate and target me is an enhanced experience.


This is very interesting.

So I never was much of a network analyst, forgive me - is there any way to guard against this while still leaving your wifi on, without something like cycling MACs? I wasn't aware that when you scan for Networks, that you're actually exchanging some packets with those networks - I thought you were just picking up on a broadcast one way. Shouldn't there be some sort of "stealth mode" where you're not leaking packets everywhere?

It actually seems like if this was the case, I'm surprised it hasn't been used in other ways. Say a burglar breaks into my house with his iPhone in his pocket. Could I later prove it was him by pulling up some log on my router that was picking up MAC addresses going by? And why isn't there some software (to my knowledge) that does the same thing for surveillance - logging all the MAC addresses and creating alerts if a new one comes into the area?


> is there any way to guard against this while still leaving your wifi on, without something like cycling MACs?

No -- the adaptor's MAC is an essential part of the transaction, while cycling MACs would be a dead giveaway and would increase attention paid to that system and its travels.

Turning off the adaptor is the only meaningful way to avoid tracking.

> Say a burglar breaks into my house with his iPhone in his pocket. Could I later prove it was him by pulling up some log on my router that was picking up MAC addresses going by?

Yes, but only in a society that would allow this kind of tracking of people, each of whom is presumed to be innocent. Usually a person is first identified as a suspect, after which a technical track can be made. But a person who is not already regarded as a suspect can't be (legally) subjected to this kind of surveillance.

> And why isn't there some software (to my knowledge) that does the same thing for surveillance - logging all the MAC addresses and creating alerts if a new one comes into the area?

Because this is privileged information having to do with privacy, and violating it would confront certain well-established civil rights that vary from country to country.


I get and agree with your last two answers, but if that's the case, why has this kind of thing started popping up on a commercial scale? They certainly would have more to answer for, legally, if privacy laws were violated.

And just because an app like that may violate privacy rights, I mean, you still see things like Firesheep, packet sniffing, network surveillance tools, all published with the caveat to just use for "testing".

It seems to me that the laws are somewhat murky, as evidenced by this article, and I would be surprised if there was any law in the US against me keeping track of MACs that came into the range of my router. With your argument I couldn't set up a surveillance camera outside my house either.


> I get and agree with your last two answers, but if that's the case, why has this kind of thing started popping up on a commercial scale?

It's one thing to monitor MACs flying around a network, it's quite another to defend the monitoring in a court of law or use the results in a legal action.

In the U.S., for a member of law enforcement to search a person, a house, or monitor someone's communications, he must have reasonable cause to suspect that a crime is being or has been committed by that person. Absent "reasonable cause", the law can't monitor our communications. And as I type this, I realize these ideas are probably out of date, inconsistent with current events and rulings.

> It seems to me that the laws are somewhat murky ...

Not really, they're just not enforced until someone complains that his rights have been violated. But it's also true that privacy is being eroded in a major way right now, and the law hasn't really kept up -- there are laws on the books that, once tested in court, will probably be cast out. If that's the sense in which you mean "murky," then you're right.

> I mean, you still see things like Firesheep, packet sniffing, network surveillance tools, all published with the caveat to just use for "testing".

Strictly speaking, there's no problem until and unless it's a third party that's being monitored -- that person can complain that his right to privacy has been violated, even if no use is made of the monitored communications.

In principle. :)


The burglar's phone's MAC address in your router's nicely timestamped log would be evidence, I would think, albeit less iron-clad than surveillance video of him taking your stuff. It would serve to bolster the prosecution's case, should the police manage to find the perp though other means. E.g., the thief might have been found fencing your Vermeer. He might claim to have acquired it innocently from someone. In that case, the jury would find your log interesting as they weigh the evidence.

An interesting question is whether the MAC address alone could be used to trace the perp. The first 24 bits of the 48-bit MAC address identify the company that manufactured the adapter. Then the question would be, did the company that put the adapter into the phone cross-reference its MAC with the phone's serial number and the serial number with the owner.

A smart thief would turn his phone off during a job. Routers logging MAC addresses are probably a much less serious problem than cell carriers keeping logs of which phones were where when.


MAC addresses aren't unique but just nearly unique.


No, they're unique. Each manufacturer is given a block of MAC addresses, and they assign them like serial numbers to each NIC they build. Each cell phone, WiFi access point, and normal NIC, has a unique MAC. If this were not the case, if two devices had the same MAC, the risk of a network collision would exist, and manufacturers, aware of this risk and the damage it would do to their reputation, act to prevent it in their own interest.


GreenPower for Android turns off your wifi when you're not using it. It's meant for battery life. Now it's also good for privacy.

https://play.google.com/store/apps/details?id=org.gpo.greenp...


I had a little start-up idea a while ago .. albeit only tangentially related to this one.

Make a deal with JC Decaux, or some similar out-of-home advertising company to place cameras (strategically) around the City of London.

Nominally to provide personally tailored advertising, the significant secondary purpose is to use face recognition to identify individuals-of-interest: specific traders, fund managers and so on.

This enables us to analyse facial expression, gait, maybe body temperature to determine mood, then look for correlations in the stocks and markets that these individuals trade.

I think that this will be legal, since all the information that you are using is (nominally, at least) legal, and gained in a public place.

After all, if it is OK for the authorities to place the whole population under close surveillance, they cannot possibly object if we turn around and do the same thing to their paymasters, can they?


I'm no fan of fighting these things with technology and workarounds as I believe these issues need to be addressed at the legal level and the technology battle is just an arms race that you can never win.

However, might be a good idea to write a mobile app that changes your MAC address periodically (not sure how hard it is)


People have been waiting for this technology infrastructure to get in place for years.

It's a shame the recent NSA fiasco will scare people away now and set this back another 5 years.

There are some phenomenal experiences possible.


I don't understand this viewpoint. It seems to me like advertisers are more likely to use extra data to be more manipulative, the same way they do it by targeting ads on the internet. What kind of improved experience are are imagining?


Do you find that marketing/advertising is about creating experiences?

I find it is about bullshitting people as much as you can, change my view please.


100+ years of radio and 60+ years of television shaped the lives of almost everyone alive on the planet. Brought to you free by advertising.

Closing in on a million free apps available at both Apple and Android marketplaces. Brought to you free by advertising.

Skype. How many poor families scattered across the world has Skype helped?

Those are significant, life changing experiences - not bullshit.


Google, Google Maps, Google Street View.

Those are experiences.

Free to the world, paid for by advertising.


Hilariously, all 3 "unique" MAC addresses in that marketing image are identical: 00-14-22-01-23-45

They changed the font colour of the word "Mac", but not the actual address. Plus, Mac should be MAC.

McFail.


Yeah I think their point still remains though. They referred to it as "MAC" in the text of the article at least. Probably just the designer.


I think I even took a picture of one of those when I was in London last Fall: https://twitter.com/marshray/status/321038712735690754

EDIT: That may not have been my own picture in that tweet. But still ISTR having snapped a similar one.


Stupid question; can I not opt out of this by turning wifi off while walking around these places?


Yes--if you turn WiFi off, your phone won't broadcast its MAC address, so there's nothing for them to track.

Nordstrom stores in the US were caught tracking shoppers via their phones' MAC addresses earlier this year. All the more reason to turn off WiFi if you're not actively using it.


All the more reason why the US needs a robust data protection act, despite the howls of outrage this will cause in Silicon Valley.


Reading through these comment, I get the feel that many people feel that this kind of observation is wrong in some way. I'm confused about this, since it seems like it's built on the solid social contract that we are free to observe anything that happens I'm a public space. I actually just wrote about this subject this morning.[0] The possibility that I might be observed in public has never bothered me, and I'm curious to hear what other people have to say.

[0] - http://xwl.me/md/erj28mbe62ap193


It's because when we say being observed in public, we assume it to be someone looking at us and then basically forgetting all about us. We don't think about security cameras watching us and having a single party aggregate all of that. And we don't know our cell phones are broadcasting a unique barcode to everything even if we do know the cell towers can triangulate and log our location. (By we I mean our family members, not us on HN.)

Adding technology to the observation makes it so much stronger that I think there should be a new discussion about it by our various governments.


How is passing legislation going to stop people from doing things like this?


This is nothing to the security problems that will arise with the upcoming Google Glass.


thirty üyyyQWJ




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: