"Surveilling the Masses with Wi-Fi-Based Positioning Systems"

Apple devices’ WPS can provide worldwide snapshot of 2 billion WiFi BSSIDs’ precise location: Apple Wi-Fi Positioning System open to global tracking abuse • The Register

The University of Maryland research paper (PDF; 16 pages) “Surveilling the Masses with Wi-Fi-Based Positioning Systems”: https://www.cs.umd.edu/~dml/papers/wifi-surveillance-sp24.pdf

Apple plans to fix it with randomization.

Portable travel router manufacturer GL-iNet has the same problem, but does not plan to fix it.

Don’t stand, don’t stand so, don’t stand so close to me.


Personal protective measure:

The researchers say that they reported their findings to Apple, Starlink, and GL.iNet, and note that one way to keep your BSSID out of WPS databases is to append the string _nomap to the AP’s Wi-Fi network name, or SSID – the SSID is set by the user while the BSSID is a hardware identifier.


_optout should also be appended to opt out of Microsoft’s systems. Something like myssidname_optout_nomap.



Exactly the same approach as Mozilla Location Services:

MLS - Opt-Out
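
The suffix convention described in the posts above, as an added example that is not part of the original thread: it checks an SSID for the two markers and builds a name ending in `_optout_nomap` that still fits the 32-octet SSID limit of 802.11. The function names are hypothetical, and it assumes `_nomap` must be the final characters and `_optout` may sit anywhere before it, as in the thread's `myssidname_optout_nomap`.

```python
MAX_SSID_OCTETS = 32   # 802.11 caps an SSID at 32 octets
NOMAP = "_nomap"       # assumed to be required as the final characters
OPTOUT = "_optout"     # assumed to be accepted anywhere before _nomap


def optout_status(ssid: str) -> dict:
    """Report which opt-out markers an SSID carries and whether it fits."""
    return {
        "nomap": ssid.endswith(NOMAP),
        "optout": OPTOUT in ssid,
        "fits": len(ssid.encode("utf-8")) <= MAX_SSID_OCTETS,
    }


def strip_markers(ssid: str) -> str:
    """Remove existing markers so they are never duplicated."""
    previous = None
    while previous != ssid:          # repeat: a removal can expose another marker
        previous = ssid
        for marker in (NOMAP, OPTOUT):
            ssid = ssid.replace(marker, "")
    return ssid


def truncate_utf8(text: str, limit: int) -> str:
    """Cut to at most `limit` octets without splitting a multi-byte character."""
    return text.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def with_optout(ssid: str) -> str:
    """Return the SSID ending in _optout_nomap, shortened to fit 32 octets."""
    suffix = OPTOUT + NOMAP
    base = truncate_utf8(strip_markers(ssid), MAX_SSID_OCTETS - len(suffix))
    if not base:
        raise ValueError("nothing left of the SSID besides the markers")
    return base + suffix


if __name__ == "__main__":
    # Constructed sample SSIDs, not taken from the thread.
    for name in ["HomeNet", "HomeNet_nomap", "A" * 32, "é" * 10]:
        new = with_optout(name)
        print(f"{name!r} -> {new!r} {optout_status(new)}")
```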

See also:


I wonder how long it will be before some country’s government passes a law that says it’s legal to kill anyone on the streets unless they changed their WiFi’s SSID to _dontkillme on the end, since requiring people to append suffix strings to WiFi SSIDs is a totally reasonable requirement for users to knowingly make decisions.


Yes, this is right. And it is very ugly and causes some surveilling impacts.

The Opt-Out-Addition options in the SSID are a shame. Why should I update my 40+ SSID settings in the devices, just to rename the SSID? Would love it if I could set some AP-Announcement change for future sessions, so that the SSID would change by reconnecting to the AP.

We do not have it because this could be used as a MiM attack on wireless networks. However, WPA3 already hands out a kind of session crypto key, and Android and Apple devices use Wi-Fi adapter MAC address randomization, which uses up my available IPv4 space on my WLAN and its 12-hour leases.

Keep your Wi-Fi routers up to date, every 3 or 6 months!


Indeed. Not very convenient. Even less so if you have multiple SSIDs, as I do.

I think this approach has been chosen because when the WiFi standards were first specified, it wasn’t envisaged that there would be a need to include a “Do Not Track” flag in the beacon frame or, alternatively, a “Please Track Me” flag - so there is no better, alternative functionality. Maybe a future WiFi standard will explicitly cover this.

A FAQ in my country is: I've just got a new router. How do I update the SSID in my PV equipment when I don't have the password / don't know how?

The answer is always … just set the new router back to what the SSID was on the old router.

Applying that problem to this topic then … many people would lose access to their PV equipment if they wanted to opt out of this surveillance.

Of course it is a bit lame that people don’t know how to administer their own PV equipment but the practical reality is that if you make it difficult to opt out then many people won’t do so.


I blame governments for not protecting us from this kind of abuse of our equipment.
Instead of defining ways to work around this abuse, there should be a law stating that these kinds of actions are forbidden, unless there is a signed agreement of the owner (of that device).


I don’t like the wifi access point tracking either. But when we broadcast something from our property to outside of our property, we insert ourselves into the public domain. What would happen if someone asked Google to not show their property from space in Google Earth? Would we be right to demand and expect that Google comply? I believe in a person’s right to privacy. But can we expect that others not observe and catalog what we do in public? At best, maybe stalking laws might apply. But that is a pretty weak argument also, since Google is an equal opportunity stalker. It’s not personal. They stalk all of us. They’re vultures that just want to make money on the collective population. Should we give the government the power to limit who can database which kinds of information? Should we prohibit the sale of certain kinds of public information? Who would get to decide which public information can be sold and which kinds of public information are illegal to sell?

I would like to see the federal government require Google, Apple, and Microsoft to limit their terms of service to only one page with 11-pt font and that anyone can simply opt out completely without losing any features on their phone. But that’s not going to happen. Government is probably Google’s biggest customer.


Nope, not the government, but the person or group of persons who are subject in the matter should be asked and say yes or no to such a request.
In Germany, Google needs to blur your house if you do not agree to be shown in Street View.
The same should apply to Google Earth for all people, no matter what place on earth one lives.


I agree, and there should be an opt-in requirement, not an impossible to enforce, opt-out option in some locations. If they had to get your permission to include your home, you could then ask yourself “what’s in it for me?”. Google’s business model would then fall apart as everyone wants to get paid what they think having their home included, is worth to them. That amount of money is probably collectively more than Google gets paid.


Signed by what, some proprietary signature software that the government will require everyone to run? (Patented by Adobe.)

You can always trust the Trust Plus Portal Veritable Signature System (Verified)


Your personal handwriting on paper, no technical solution.

Sadly you can not trust proprietary software.


Some businesses might still be happy to be included in StreetView.

The differences between the WiFi example and the StreetView example are modest though. In days of yore, it was OK to photograph anything that was publicly visible. But that was before the rampant privacy invasion of Surveillance Capitalism. What really is the difference between electromagnetic radiation at two different frequencies (visible light v. 2.4 GHz)?

In either case it is private property, not a public place - and I think there is a plausible case to require your consent before any kind of publication. (Note however that publication differs from surveillance. It would be better to stop this at the surveillance stage.)

Google has been ordered to limit its collection of WiFi information to basically SSID and BSSID, and to discard all the rest of the packet information that its surveillance picked up (for houses that are foolishly not encrypting their traffic).

The bottom line is that Google will get away with anything that it is allowed to get away with.

With the right powers that works. Look up Pine Gap. And I’m sure it’s not the only government facility that is censored in that way. :wink: But, sure, if you personally asked for your house not to be shown, I wouldn’t expect that you will get any joy.


We can not hide pictures of our streets or if someone collects live data from our wifi. But we can not allow it, or let algorithms use it.

We can have a time range delay like 12 months or 10 years on that information to use. And have a check up on data and algorithms to it. Right now we are far away from that issue and have collected real time information from ourselves in on Elon's low orbit Starlink every X minutes. So. It's bad but we have to stand it.

Apple got captured and its underlying issues were put in the news light. So that was not this bad at all. We need to discuss it to have appropriate laws.

As for open information: They should be open and to get from a source that does not know your IP address or device when you get it :wink:

So we can at least force them to access that information free and share it anonymously to all.
