NY Times - Apps Tracked the DC Rioters

I’ve been a slashdot reader for about 20 years. Usually their stories are a day or two late, saw this tonight:


Seems apt for the category. Original NYT link in the above article.

Who needs to be tracked by your apps when you are voluntarily posting incriminating evidence to your own social media feed?

1 Like

I thought the moving green dot NY Times graphic was kinda cool.

But I don’t think all those green dots were voluntarily posting anything. I do think most phones were just in their jacket pockets.


Just like with the Occupy movement, having mini-GPS devices on you (or around you) is not a good idea when protesting.

Quick YouTube link for context:

Even by association you can be implicated regardless of your actual involvement.

Edit: On a practical side I havent found a way to automate resetting the advertising id on Android, it’s an easy setting to forget to use on the regular (perhaps by design).

You don’t need any apps to be tracked all you need is a 1990’s brick phone ( not that it would work on 4g anymore, but you get my drift) They track the signal.

In the UK, they provide Wifi in stations on the London underground, - if you’re travelling with WIFI enabled, they’ll track your MAC address through stations. (assuming you connect.)

Even if you don’t connect the infrastructure is deployed to follow probe requests from your Wi-Fi through the transport network.

(Officially the use for this technology is to track station occupancy, (e.g. give advanced warning of significant crowds, (which become dangerous) in stations.)

If you plan to break the law, it is perhaps not best to take a literal radio beacon with you!


Use the kill switch, Luke. :wink:

I always HK WiFi before leaving the house. Why transmit probes and who knows what else if you aren’t intending to use WiFi? If nothing else, it should reduce power consumption and extend the time between charges.

That is true but it is not necessarily as precise as GPS, such as may be obtained by an app and then transmitted by an app (or recorded on the device by the app or by the underlying operating system for future use by the government).

Perhaps though in the case of Capitol Hill, it is littered with Stingrays. :rofl:

It does come down to as @danielr says: if you plan to break the law, don’t take your tracking device with you. However I would go further: even if you plan only lawful protest, don’t take your tracking device with you.

Do you assume user get tracked this way or are there real cases of people who have been tracked? Just asking out of curiosity. Btw, you don’t have to connect to be tracked via WiFi. Enabling it is the only thing that’s needed. See https://www.crc.id.au/tracking-people-via-wifi-even-when-not-connected/

Based on this: https://tfl.gov.uk/corporate/privacy-and-cookies/wi-fi-data-collection
(official government web site)
it is not an assumption on @danielr’s part but instead is fact.

The web site makes clear that individuals can be tracked. Presumably the MAC address is hashed or encrypted.

If you are asking … has UK law enforcement / security agency ever used it to track / locate / apprehend someone? That is not known but I guess: if not so far then it will happen.

From that web page:

However, if you would like to opt-out, you can do this by turning off Wi-Fi on your device, turning your device off or putting your device into airplane mode while at our stations.

Translation: There is no ‘opt out’ except to kill your WiFi.

A good thing we are all getting Librem 5 phones then, isn’t it? :slight_smile:


“data will be held for two years” according to another article,

which also says that, during the trial, MAC addresses were being hashed (with the obvious privacy weakness) but with the full roll-out MAC addresses are now “tokenised”, whatever that exactly means.

I wonder how MAC address randomization figures in all this. However if it were me, I would be using the HKS!

Hashing: computing hash value using selected algorithm from the original input. The same hash value will always be generated for the same input.
Tokenising: generating random unique value (token) and associating it with original value. New value will be generated each time for the same input.
(this is not formal/academic definition)

In a nutshell - the association (aka de-tokenisation table) is the piece that glues token and value together, hence if association table is destroyed the value is truly anonymous. You can use various context-based deanonymisation algorithms to guess the original value but there is no strong association.

And is it?

This is crucial. If data is held for two years (as quoted by me) then does “data” include the association table? How often is the association table destroyed, if ever? How often will the token reset?

Deanonymisation is a concern but in the extreme case if the unique token is retained for some time and the government is certain about your location within the underground network at one time then your location is compromised continuously until the token resets. There is no need for complex deanonymisation algorithms.

Of course, a random unique value (token) would be difficult to distinguish from an encrypted value (where the encryption key changing is equivalent to tossing away the association table). Is TfL’s source code auditable? I think not. :frowning:

From what I’ve read about the UK government, I wouldn’t trust that any of this is not available directly, on an ongoing basis, to them.

This is something to focus the mind between security an convenience.
constantly turning wifi on and off may be more hassle than some people want.
leaving the device at home is certainly more hassle than I want! (I mean I bought it to use it.)

yes, they actually mass tracking, (link is already posted now.)
And as I said in the first, you don’t need to connect, you only need to probe for networks, (something your device near constantly does…)
but that doesn’t answer if they track individuals… the answer to that question is also yes.
they have/do track individuals to see what route choices passengers make in their networks.

This is not just available to governments…
The data given up in the wifi probe includes every network your device ever connected to. (your device is constantly looking for it’s past connections e.g. constantly polling “home_wifi” are you there.
and probe monitors are surprisingly easy to make, (https://null-byte.wonderhowto.com/how-to/log-wi-fi-probe-requests-from-smartphones-laptops-with-probemon-0176303/)

Here is a practical example. (I’ve just made this up, it’s not a real person)
Say I’m in a coffeeshop in Oxford UK. and have a device that captures probes.
A person arrives and I see their phone is searching for “oxford tube”, “Starbucks”, “SEH FELLOWS & STAFF”, “McDonalds free”, “SKY9BFBB” and “2CGuest”
I can identify the woman visually as I only see the probes when she enters the shop.

Do you want to tell me where she has previously eaten, (Mcdonalds) drinks (Starbucks), gets her car washed (2c), where she lives and where she works… SEH, St Edmunds hall (part of the university.) we also know she’s gone to London by bus/coach at least once using the oxford tube coach.

Here is her preferred car wash. (look for the purple dot.)

Here is her home…

Note this “woman” never signed up or subscribed to being able to be monitored… all she did was connect to a few networks and then walk into a coffeeshop.
It’s services like Wigle, (that have gamified war driving) that gave up all her privacy in a fast easy and free way… - Wigle users have gone past my house, my wifi SSID is on there, and if my probes are captured, (say at an airport) potential thieves will potentially know that I am out of the country. AND where I live.) - I am not a wigle user. someone else decided to make that decision about my privacy (and potentially my security) for me! (you can search for yourself and see if your WIFI is there.)

Whether it is actually used, or who may be using it, is difficult to say. (I can’t imagine authorities leaving such a tool on the table. - especially when they don’t need to collect the geographical data, and only need to record probe data.
(whilst TfL declared that they were collecting data, I’m not sure that there is an expectation of privacy on data that you are broadcasting. e.g. wifi probes.)
(to “everyday people” like me, it is not useful to know where you life or work…)


I didn’t mean to imply what actually happens with the data, only what you can do with the data. Just in my practice dealing with gdpr we always move from hash to tokens because you cannot prove the data is anonymous with hashes, but you can with tokens (as long as you prove you truncate association table frequently enough or discard it on the fly).

Can you distinguish a token from an encryption of the MAC address with a random key? (The random key is ostensibly changed e.g. daily but in reality archived / backed up / sent to “GCHQ” / …)

That will be task for auditors. visually you cannot even distinguish hash from token (as long as you don’t disclose hashing algorithm). So I’m not about pretending being compliant with gdpr, but about being compliant with gdpr :slight_smile:

1 Like

Other than that the straight hash for a given MAC address will always be the same, whereas encryption with a key that changes every day, or genuine random new assignment every day (discard association table every day), changes every day.

However during the trial when they used a hash, they actually salted it (as reported anyway). So if they changed the salt every day then even hashing would give comparable results.

I wonder which MAC address is being hashed anyway. The MAC address of the sending device (which due to MAC randomization might not be useful for their purposes) or the MAC address (BSSID) that it is probing for? In the latter case there may be many such BSSIDs per sending device.

This is the fundamental problem with government - there is no trust and there is no verify.

If I went to the UK (fat chance of that right now) and I had my L5, I would definitely use the WiFi HKS.

It’d be interesting to get some technical detail on how they are tokenizing. fundamentally they must assign the same token, as the purpose of the system is not just tracking station occupation but also tracking occupation through the network.

For example, when they see my device enter the network at a station in the morning, they see my device pass through a number of stations, dwell in a station as I change lines (I’m also assuming that looking at which AP receives my probe the strongest they can tell my journey through the station, to the platform, and work out which end of the platform I stand on) then through a few more stations to my destination.
(so they got “in time” data…)
In the evening when they see my device enter at the final station, they can reasonably assume I’m going back to the station I started at, so they’ll know. we currently have 3000 people at Oxford Street, and this guy changed at Oxford street this morning,
Also, it’s actually beneficial to check past journeys also and say the owner of this device always changes at oxford street. (e.g. there is a high possibility they will add to station congestion.
-then they can see significant station crowding issues that are about to happen, and slow the trains, or half the trains, in the tunnels waiting for platform congestion to clear. (i.e not just about an individual, it’s about the movement of masses.)

(changing the method used to create anonymity daily would provide more privacy, but also lessen the functional use to the network. - e.g. can’t check journey history.)

But it is more than that.
It’s consistently using the kill switch where you are. (not just when travelling.)
It is not connecting to “public” networks, not connecting to work networks,
Regularly purging your remembered connections. etc.
it’s changing your home networks to not advertise SSID presence so that if you are out, your home network names are not exposed. - and then accepting that you can’t use certain devices that might
require the SSID to be visible (e.g. cheap wifi light bulbs.)

There isn’t a cheap trick to privacy or security, hardware kill switches are one part of what for most would be a significant lifestyle change to achieve true security.

For many, (myself included!) this kind of cost of privacy feels like a high price.

That observation was directed at mainstream phones - where there is “on”, “off” and “maybe off” i.e. you can never be sure whether anything is really off unless the battery is stone cold dead. So security and privacy can only be guaranteed by leaving the tracking device at home. I assume that most if not all of the “DC Rioters” have mainstream phones. (Leaves me wondering whether there are any “AC Rioters”.)

The Librem 5 allows me to turn WiFi off and be 100% confident that it is really off. I always turn the L5 WiFi off when I leave the house, which really isn’t a hassle. That isn’t because I am intending to break the law. :wink:

I bought the L5 to use it … and I bought the L5 with HKSs to use them. :wink:

Australia copies most of the bad ideas from the UK, so I expect our train transport network will soon be riddled with WiFi surveillance, if it isn’t already.

They come and go.

1 Like