Forgot your password?
typodupeerror
Privacy United Kingdom Technology

London Bans Recycling Bins That Track Phones 179

Posted by samzenpus
from the no-trash-talking dept.
judgecorp writes "In a swift response to a media storm, the City of London has closed down a trial of recycling bins which track the phones of pedestrians. Renew provides recycling bins funded by digital advertising, and has been told to stop a trial where bins tracked phones. Although the CEO of Renew claims there was no intention to breach privacy, his own marketing material says otherwise."
This discussion has been archived. No new comments can be posted.

London Bans Recycling Bins That Track Phones

Comments Filter:
  • by sinij (911942) on Monday August 12, 2013 @01:08PM (#44543253) Journal
    Removing bins will not fix underlying protocol implementation problem. This has to be treated as any other vulnerability and patched, so it is not possible.
    • by mcrbids (148650)

      Wow. Talk about ignorance aloud. And on Slashdot!

      The "issue" to be addressed is the need for a way to uniquely identify a device as distinct from other devices. This is accomplished by the use of a number called a MAC address. Because it uniquely identifies a device, it can be used to (gasp!) uniquely identify a device.

      That's what Renew (the company in question with the "smart bins") was doing... logging MAC addresses announced by wifi cards as they try to moderate a wifi connection.

      • by compro01 (777531)

        And what need is there to announce the MAC address when not connected to anything?

        • That's the point, the bins were offering up a fake WAP in order to get the devices MAC address when they tried to connect. If you have Wifi off, then this wouldn't happen. But most carriers default their phones to auto-connect to open WIFI to save themselves bandwidth.

          • by compro01 (777531)

            But most carriers default their phones to auto-connect to open WIFI to save themselves bandwidth.

            I'm thinking that must be a British thing. My GS3 (on Virgin/Bell) in Canada doesn't autoconnect to anything WiFi unless you've previously explicitly connected to a given network and AFAICT, there's no option to even make it do so.

            • by Ash Vince (602485) *

              But most carriers default their phones to auto-connect to open WIFI to save themselves bandwidth.

              I'm thinking that must be a British thing. My GS3 (on Virgin/Bell) in Canada doesn't autoconnect to anything WiFi unless you've previously explicitly connected to a given network and AFAICT, there's no option to even make it do so.

              It's not a british thing, its apparently how android and maybe iphones work. Even though you were not actually connecting to the wifi access point as it came into range your phone does a little hello to get a signal back and determine range and stuff that included its MAC address. They then logged the MAC and monitored whether the signal was getting stronger or weaker in order to figure out your rough direction of movement. Apparently all this was done even when you just walked past the bloody things even t

            • The UK Mobile networks either operate their own public wifi networks (O2 and T-Mobile) or have an agreement with another wifi operator such as BT to provide access for their customers. The phones are configured to connect to that wifi network when in range, so that when you go to a busy location such as a train station or shopping centre, it takes pressure off the network, and the customer benefits because the data they use doesn't count towards their bundled allowance.

      • by ericloewe (2129490) on Monday August 12, 2013 @01:37PM (#44543585)

        Here's the problem:

        If the user doesn't say "I want to connect to 'Trash can Wi-Fi'", why should the phone decide on its own to connect to 'Trash can Wi-Fi' without asking?

        If the phone doesn't (stupidly) try to connect to any open network it sees, it doesn't broadcast its MAC address whenever some dubious access point asks for it.

        • by Carewolf (581105)

          If you have set up the phone to connect to a hidden SSID, then it will broadcast it MAC (and the hidden SSID) all the time asking if it is there.

          It can also prompt for nearby access points instead of waiting for them to announce themselves, this also broadcasts their MAC.

          The first is easy to solve (don't use hidden networks ever). The second one can be a bit of a compatibility issue.

          • by sjames (1099)

            It should be able to listen passively unless you tell it you want to connect. Unfortunately, most aren't set up for that.

          • The first one almost never happens. The second one isn't much of a compatibility issue, from what I know, just a very minor inconvenience (waiting a few seconds at most until the access point broadcasts its existence).

        • by Z00L00K (682162)

          The phone don't connect, it just announces the MAC address in the request when it's looking for a valid access point. You only need devices that can listen, they don't have to talk back to the phone.

          It's a low level protocol issue. It's hard to identify a person knowing the MAC address, but if you find a phone or know the MAC address of a specific phone you can see where it has been.

          So far we know that someone has used this with the intent for commercial interest, but realize that this can as well be the to

          • by sjames (1099)

            It's not hard to connect name and MAC address with a bit of data mining. For example if the POS terminals see MAC X every time John Q makes a purchase, then MAC X is John Q.

        • by afidel (530433)

          Yep, it's one of the most irritating things about my Android phone, even after I explicitly turn off WiFi I still get popups about available wireless networks, why is the damn phone powering a radio I told it to turn off? I'm not sure if it's trying to connect to those detected networks without my ok but it wouldn't surprise me in the least if it was since it failed to listen to me in the first place.

          • I've never seen that behavior with the Evo 4G or HTC One. If wifi is off, the radio is off (as far as I can tell). I was looking at the comments wondering why people are walking around with wifi enabled, I don't see any point in doing that. It's actually kind of stupid, you're draining the battery and exposing yourself to whatever vulnerabilities would use wifi.

          • by icebike (68054)

            Yep, it's one of the most irritating things about my Android phone, even after I explicitly turn off WiFi I still get popups about available wireless networks, why is the damn phone powering a radio I told it to turn off? I'm not sure if it's trying to connect to those detected networks without my ok but it wouldn't surprise me in the least if it was since it failed to listen to me in the first place.

            Pictures or it didn't happen. Not on Android, and not on any cell phone. Off means off.

            Turning off wifi powers down the wifi, and down means off.
            You can still get prompts for bluetooth.

            • by afidel (530433)

              No pics necessary, it's in the source check out this [androidpolice.com] link. My phone does the same thing but unlike under 4.3 there's no obvious way to turn it off without turning off all WiFi notifications.

              • by icebike (68054)

                Apparently you didn't read you own link.

                The important thing to keep in mind is this if you hate this, you can turn it off. The option is just buried under an "advanced" menu. Turning off "Scanning always available" will make "off" for Wi-Fi really be "off."

                And further, its only on a leaked version of 4.3, not anyone's production version.

                • by Yer Mom (78107)

                  Just looked at my Nexus 7, running the production version of 4.3. That option is present, though it defaults to off.

          • by Xenx (2211586)
            While I wouldn't want to call you a liar, my android devices definitely don't behave like that. If the wireless is off, the wireless is off.
        • Auto-connecting to open wifi is an option that's set to on by default by most carriers.

          • by icebike (68054)

            Auto-connecting to open wifi is an option that's set to on by default by most carriers.

            Carriers have nothing to do with wifi. And further, you have to explicitly connect to each router the first time. No phone automatically connects to random open wifi routers unless you set it to. (There are apps that will attempt this for you).

      • by sinij (911942)
        There are multiple issues here:

        a. MAC addresses being broadcast without any regard to who is listening. Even when not negotiating/partaking in a connection.
        b. MAC address is static.

        Compare above situation to banking. You have a bank account number, it uniquely identifies you but it is not transmitted unless you initiate transaction (and even then only on need-to-know basis) plus it can be changed at any time. Now imagine that instead of MAC these bins were skimming banking information (without inte
        • by icebike (68054)

          Mac addresses were originally designed to be static, but in the real world almost every smartphone uses software mac addresses.
          Their nics are built to allow MAC changing. For Android there are any apps for that. [google.com]

      • This is accomplished by the use of a number called a MAC address.

        Easily defeated by spoofing. And don't give me that "but few know how to do it" nonsense. Its not difficult and people learn how to do things when they realize they need to do it. REAL ignorance is believing that using MAC addresses for anything involving ID or security is a good idea.

        • by sinij (911942)
          This is problematic on many levels. Just like with "desktop Linux", expecting technical competency for average user is unrealistic assumption. Masses will not spoof MACs, because they don't even know what it is or care to find out.

          MAC is not used for security, but rather identification. It is your device's static identity where it can be easily mapped to owner's identity. The underlying issue isn't that some marketing scumbags collecting MACs, it is that once these MACs collected it is trivial to aggregat
      • by sjames (1099)

        There's no reason for the devices to be broadcasting the mac when it is not in use. There''s also no reason it can't generate unique ids on demand and discard them when it is done talking. For example, it can take the time since last boot in milliseconds, hash it and XOR it with the actual MAC address setting the locally administered flag. Or, just don't send out probe requests unless the user has told it to look for new APs.

        The issue is that people don't like being stalked every waking moment. The one-off

    • by mspohr (589790) on Monday August 12, 2013 @01:37PM (#44543589)

      There is something I don't understand here.
      If I have my WiFi turned on and it is set to automatically connect to "known" access points but not set to connect to random unknown access points, why would it broadcast my MAC?
      I can understand that it will listen for a "known" access point and when it finds one, send the MAC to connect and that is fine.
      However, why would it broadcast my MAC if it has no intention of connecting?

      • by icebike (68054) on Monday August 12, 2013 @02:48PM (#44544475)

        With your question, you've touched the heart of the problem.

        Lazy software designers (those working for wifi chip designers) are sending mac addresses even while they are not associated with any network.
        Some say that these only occur when you have previously associated with a hidden SSID network, but that is not the only case, and most
        modern chip sets send a mac address all the time for no reason at all.

        Its not part of the standard to broadcast your mac unless you are a router. But since the advent of ad-hoc networks, there are a lot
        phones that broadcast it all the time looking to join an adhoc network. Furthermore, bluetooth also broadcasts its mac all the time
        and often bluetooth and wifi are built into the same chip.

        • by robot5x (1035276)
          so for example in my iphone setting wi-fi menu, there is a button 'ask to join networks'. Underneath it says

          'known networks will be joined automatically. If no known networks are available, you will have to manually select a network'.

          So where the network is unknown, it won't connect automatically. But you're saying it will still nevertheless broadcast my MAC to available APs??

          • by icebike (68054)

            Known networks are those that you have previously connected to. This terminology is true for both iPhones and Android.
            If a new network appears, even if it requires no password, it will not be connected to automatically.

            It appears that most wifi devices (not limited to android or IOS) still broadcast their Mac Address even when you
            do not attempt to connect. The standard says that this should be done for Access Points/Routers, but
            the problem is that almost every device out there does this for no apparent re

          • by LordNimon (85072)
            So where the network is unknown, it won't connect automatically. But you're saying it will still nevertheless broadcast my MAC to available APs??

            Yes. It does this so that it doesn't have to wait for the APs to send their beacons. The AP sees the probe request, and sends out a beacon right away, instead of every tenth of a second. Supposedly, this saves time.

            However, I wonder what the value of this feature is. If you have a dozen nearby phones, all sending probe requests every second, then the AP i
      • However, why would it broadcast my MAC if it has no intention of connecting?

        As I mentioned in yesterday's thread about this, to much applause and condemnation by people who apparently don't understand how packet-switched networks work at layer 2...

        Broadcasting is to find out what's available or in-range. This is done because broadcasting the SSID is not mandatory in the 802.11(a/b/g/n) spec. As a result, almost every device defaults to sending a probe packet containing a list of preferred networks. A receiving station can then reply to that with the equivalent of a "yes, I'm here"

        • by mspohr (589790)

          Thanks for this explanation.
          I would think that one could have a setting for your phone wifi which would not broadcast your MAC and would only listen for SSIDs. When a "known" SSID is found, the the MAC could be sent to establish the connection. This would avoid the problem of walking around with a personally identifiable beacon in your pocket.
          This would still leave the problem of connecting to stations where they do not broadcast an SSID but this "feature" doesn't seem to be of much value to anyone.

      • by zzsmirkzz (974536)
        You're missing that this is wireless technology and there is no way to directly connect to one AP while ignoring all others (at least in the connection phase). Every packet is broadcast to every antenna that can receive it, every packet is coded with the MAC address of the source (so the recipient knows who sent it and can reply) as well as the intended recipient (or all if it is a real broadcast). AP's that aren't listed as the recipient should drop/ignore packets they receive that aren't addressed to them
        • by mspohr (589790)

          I was proposing that my smartphone should have a setting which would keep it from broadcasting my MAC address all of the time but only broadcast it when it "hears" a known wifi access point. My phone only needs to broadcast my MAC address when it wants to connect. The rest of the time, it should just listen and stay quiet.
          There is no need to broadcast my MAC until I want to connect.
          This would eliminate the ability of London garbage cans (as well as Macy's, Target, Walmart, etc.) to track me.

    • by timeOday (582209)
      What do you mean it's "not possible?"

      I would think simply re-generating a random MAC address each time you enable WiFi would work well enough.

      • by icebike (68054)

        What do you mean it's "not possible?"

        I would think simply re-generating a random MAC address each time you enable WiFi would work well enough.

        There are times when you want to use your real mac (or at least the same mac you used last time you connected).

        Mac filtering is sometimes used to limit who can connect.
        DHCP servers use mac to give out the same IP upon re-requests, and can run out of IP addresses if a gazillion phones power up with ever-changing mac addresses.

        But if the software could use the same mac each time it connected to a specific router, then that SAME MAC could be what ever random mac was in use at the time it first connected with t

    • by Molochi (555357)

      True, there aren't a lot of reasons for your phone's wifi to be spamming its MAC all the time, unless it is also configured to connect to any open AP in range. That itself is a BadIdeaTM without an autostarting VPN client.

  • Given the level of tracking going on by the government in the UK, espescially London, if the spooks there are not already doing this themselves, they will be soon.

    • by ackthpt (218170)

      Given the level of tracking going on by the government in the UK, espescially London, if the spooks there are not already doing this themselves, they will be soon.

      It's a wonder your mobile isn't photographing where you are and what you are doing and adding that to the pool of publicly recorded video. Probably only a matter of time on that front.

      "no-trash-talking" uh more of a "bin ban, banning bin bother"

  • by some old guy (674482) on Monday August 12, 2013 @01:10PM (#44543277)

    I should think that this is really just GCHQ exercising it's exclusive sovereign right to track everyone, everywhere, all the time.

    The American way is more efficient: let business collect the data and then the government can demand to share it.

    • Exactly; it's not 'we're putting a stop to this because it's wrong,' but rather 'we're putting a stop to this because you're not being sneaky enough, and that jeopardizes our own domestic spying operation.'

  • Wow, London has decided that there is such a thing as too much surveillance? Maybe the pendulum has finally reached the end of the swing. Hey, a guy can hope.

    • No. (Score:2, Funny)

      by Anonymous Coward

      Here is what they want:

      The voice came from an oblong metal plaque like a dulled mirror which formed part of the surface of the right-hand wall. Winston turned a switch and the voice sank somewhat, though the words were still distinguishable. The instrument (the telescreen, it was called) could be dimmed, but there was no way of shutting it off completely.

      [snip]

      In the far distance a helicopter skimmed down between the roofs, hovered for an instant like a bluebottle, and darted away again with a curving flig

    • its the shock factor which did it, the Local Government had no idea this was happening and the suddenly read about it in national papers as being a completed and implemented system on their doorstep without them knowing anything about it.

      i bet if they had been told about it in advanced they would have been happy to let the system run.
    • by Feyshtey (1523799)
      Or maybe they found a very convenient non-government scapegoat they can point to and say, "Look what we're doing to protect you! Do you see now that what we do is really not that bad!?"
  • by AmiMoJo (196126) * <mojo@@@world3...net> on Monday August 12, 2013 @01:11PM (#44543287) Homepage

    Why no criminal investigation, or at least massive fine under Data Protection laws?

    • Re:No prosecution? (Score:4, Informative)

      by sinij (911942) on Monday August 12, 2013 @01:27PM (#44543475) Journal
      >>>Why no criminal investigation, or at least massive fine?


      Likely because phone is actively broadcasting information in the public space. If I go out shouting my Social Security number, others are not liable for overhearing it or even writing it down.
      • by gl4ss (559668)

        actually they are...

        and remember this is the UK where court orders have been for shutting people up about who dates who on the side - which you could know by just having been in the same bar with them.

      • by AmiMoJo (196126) *

        Doesn't matter. Under UK law you have to deal with people's data in a safe manner, with their consent and only keep it as long as you have a legitimate use for it.

        I can tell you are not British because we don't have social security numbers. In Europe data protection and privacy are protected far more it seems.

      • by jxander (2605655)

        Just being in the public space doesn't mean someone has the right to systematically record all of the info they see/hear

        At lunch today, I handed my credit card to a waiter to pay for a meal. By your logic, that waiter should be allowed to copy down all of the info from my card, because it's a public space. Multiply that by every customer at that restaurant, and then by the total number of restaurants in that chain.

        And you think this is OK, because the numbers embossed on my card aren't encrypted?

        • by tragedy (27079)

          At lunch today, I handed my credit card to a waiter to pay for a meal. By your logic, that waiter should be allowed to copy down all of the info from my card, because it's a public space. Multiply that by every customer at that restaurant, and then by the total number of restaurants in that chain.

          That's a very interesting analogy to me. It throws into sharp relief the problem here: having to resort to shaky legal principles when the real problem is a poor technological implementation. With cell phones and wireless Internet, the problem is that the protocols being used should not be uniquely identifying themselves in the clear with any random hotspot. Unique IDs for devices on the network are fine, but they should be randomly assigned and negotiated on the fly. If device identification is necessary f

    • Who's to say that isn't coming?

      The corporation has taken the issue to the Information Commissioner's Office.

      This isn't even an actual ban - the company has only been asked to stop, and has done so.

  • This is why... (Score:4, Interesting)

    by gstoddart (321705) on Monday August 12, 2013 @01:14PM (#44543337) Homepage

    This is why I keep wi-fi disabled on my mobile devices unless I need it.

    I've found I don't particularly want my device to be phoning home to people when I'm not looking, and I've also found leaving wi-fi on absolutely impacts my battery life.

    Stuff like this is only going to get worse as various advertisers decide they're entitled to more information than we're willing to give them.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      This is why I keep wi-fi disabled on my mobile devices unless I need it.

      That's odd. My phone doesn't send out probes. Like most phones it listens for beacons and connects to those I've told it to. It's possible on some phones to tell it to probe, but that's a bad idea for many reasons.

  • They could have actually followed you around, autoplaying ads.

    "Quick! To the stairs!"
  • by djupedal (584558) on Monday August 12, 2013 @01:35PM (#44543565)
    Bins tracking phones tracking bins tracking phones tracking bins....when will it all end?
  • by s.petry (762400) on Monday August 12, 2013 @01:54PM (#44543775)

    Subject says it all. How was this allowed to happen? Garbage bins don't need to other people, they need to track when they are full and need to be emptied. I'm sure that this stems from a Government funding program in a black budget that the people of London (and other areas of the UK) have no idea they are paying for.

    I do realize that the US probably has similar or worse programs that we are not yet aware of. I know they have been working on billboard advertising to track people and believe it has been implemented in NYC to some extent. We, all of the free people, need to put an end to this! Nothing good can come from this level of tracking people!

    • >Subject says it all. How was this allowed to happen? Garbage bins don't need to other people, they need to track when they are full and need to be emptied.

      They do if they're going to start showing targeted ads if the test-program works out.


      >I'm sure that this stems from a Government funding program in a black budget that the people of London (and other areas of the UK) have no idea they are paying for.

      Maybe you need to adjust your drug intake.
    • I'm sure that this stems from a Government funding program in a black budget that the people of London (and other areas of the UK) have no idea they are paying for.

      Care to back that up with anything or are you just talking out of your arse?

      As far as I can see, they are just an advertising company that have struck a deal to provide bins in exchange for advertising space. No reason to think any council money was used to fund this.

  • London, the city with more closed circuit cameras than anywhere else on Earth, wants to ban spying on pedestrians? Or is it only a concern when someone other than the government has control over the information?
  • by Ioldanach (88584) on Monday August 12, 2013 @02:17PM (#44544055)
    Currently wireless devices negotiating connections to nearby WiFi points need to exchange MAC addresses in the initial exchange of data, on an essentially open channel, because all data exchanges recognize each other with the MAC address, to determine routing.

    Perhaps the spec could be augmented by allowing a randomized MAC address that is not tied to the device. Define the first octet so manufacturers don't assign anything to it, and leave the remaining bits as completely random. Make the next part of the packet the public half of a key pair that the device expects responses to come back to. Allow the same random MAC address scheme to be used by either side of the connection. Only accept packets that can be properly decoded with the private key of the key pair, which eliminates the problem of random MAC address collisions. As a part of negotiating the secured connection, when exchanging the private key also exchange the real MAC address only after the secured connection is complete. Or, never use the real MAC address and retain the random MAC address for the duration of the connection.

  • Can we just ban tracking phones? Who care what does it...
    Wait... let me rephrase that... can we just ban "tracking"? My commercial or government entities?
    Free people should not be tracked by anyone.

  • Given the reaction to Google's "wardriving" StreetView cars, they had to have known this would be banned.

"Don't discount flying pigs before you have good air defense." -- jvh@clinet.FI

Working...