London Bans Recycling Bins That Track Phones
judgecorp writes "In a swift response to a media storm, the City of London has closed down a trial of recycling bins which track the phones of pedestrians. Renew provides recycling bins funded by digital advertising, and has been told to stop a trial where bins tracked phones. Although the CEO of Renew claims there was no intention to breach privacy, his own marketing material says otherwise."
Removing bins will not fix underlying problem (Score:5, Insightful)
Re: (Score:3)
Wow. Talk about ignorance aloud. And on Slashdot!
The "issue" to be addressed is the need for a way to uniquely identify a device as distinct from other devices. This is accomplished by the use of a number called a MAC address. Because it uniquely identifies a device, it can be used to (gasp!) uniquely identify a device.
That's what Renew (the company in question with the "smart bins") was doing... logging MAC addresses announced by wifi cards as they try to moderate a wifi connection.
Re: (Score:3)
And what need is there to announce the MAC address when not connected to anything?
Re: (Score:2)
That's the point, the bins were offering up a fake WAP in order to get the device's MAC address when they tried to connect. If you have Wifi off, then this wouldn't happen. But most carriers default their phones to auto-connect to open WIFI to save themselves bandwidth.
Re: (Score:2)
But most carriers default their phones to auto-connect to open WIFI to save themselves bandwidth.
I'm thinking that must be a British thing. My GS3 (on Virgin/Bell) in Canada doesn't autoconnect to anything WiFi unless you've previously explicitly connected to a given network and AFAICT, there's no option to even make it do so.
Re: (Score:2)
But most carriers default their phones to auto-connect to open WIFI to save themselves bandwidth.
I'm thinking that must be a British thing. My GS3 (on Virgin/Bell) in Canada doesn't autoconnect to anything WiFi unless you've previously explicitly connected to a given network and AFAICT, there's no option to even make it do so.
It's not a British thing, it's apparently how Android and maybe iPhones work. Even though you were not actually connecting to the wifi access point as it came into range your phone does a little hello to get a signal back and determine range and stuff that included its MAC address. They then logged the MAC and monitored whether the signal was getting stronger or weaker in order to figure out your rough direction of movement. Apparently all this was done even when you just walked past the bloody things even t
Re: Removing bins will not fix underlying problem (Score:2)
The UK Mobile networks either operate their own public wifi networks (O2 and T-Mobile) or have an agreement with another wifi operator such as BT to provide access for their customers. The phones are configured to connect to that wifi network when in range, so that when you go to a busy location such as a train station or shopping centre, it takes pressure off the network, and the customer benefits because the data they use doesn't count towards their bundled allowance.
Re:Removing bins will not fix underlying problem (Score:4, Insightful)
Here's the problem:
If the user doesn't say "I want to connect to 'Trash can Wi-Fi'", why should the phone decide on its own to connect to 'Trash can Wi-Fi' without asking?
If the phone doesn't (stupidly) try to connect to any open network it sees, it doesn't broadcast its MAC address whenever some dubious access point asks for it.
Re: (Score:3)
If you have set up the phone to connect to a hidden SSID, then it will broadcast its MAC (and the hidden SSID) all the time asking if it is there.
It can also prompt for nearby access points instead of waiting for them to announce themselves, this also broadcasts their MAC.
The first is easy to solve (don't use hidden networks ever). The second one can be a bit of a compatibility issue.
Re: (Score:2)
It should be able to listen passively unless you tell it you want to connect. Unfortunately, most aren't set up for that.
Re: (Score:2)
The first one almost never happens. The second one isn't much of a compatibility issue, from what I know, just a very minor inconvenience (waiting a few seconds at most until the access point broadcasts its existence).
Re: (Score:2)
The phone doesn't connect, it just announces the MAC address in the request when it's looking for a valid access point. You only need devices that can listen, they don't have to talk back to the phone.
It's a low level protocol issue. It's hard to identify a person knowing the MAC address, but if you find a phone or know the MAC address of a specific phone you can see where it has been.
So far we know that someone has used this with the intent for commercial interest, but realize that this can as well be the to
Re: (Score:2)
It's not hard to connect name and MAC address with a bit of data mining. For example if the POS terminals see MAC X every time John Q makes a purchase, then MAC X is John Q.
Re: (Score:2)
Yep, it's one of the most irritating things about my Android phone, even after I explicitly turn off WiFi I still get popups about available wireless networks, why is the damn phone powering a radio I told it to turn off? I'm not sure if it's trying to connect to those detected networks without my ok but it wouldn't surprise me in the least if it was since it failed to listen to me in the first place.
Re: (Score:2)
I've never seen that behavior with the Evo 4G or HTC One. If wifi is off, the radio is off (as far as I can tell). I was looking at the comments wondering why people are walking around with wifi enabled, I don't see any point in doing that. It's actually kind of stupid, you're draining the battery and exposing yourself to whatever vulnerabilities would use wifi.
Re: (Score:2)
Yep, it's one of the most irritating things about my Android phone, even after I explicitly turn off WiFi I still get popups about available wireless networks, why is the damn phone powering a radio I told it to turn off? I'm not sure if it's trying to connect to those detected networks without my ok but it wouldn't surprise me in the least if it was since it failed to listen to me in the first place.
Pictures or it didn't happen. Not on Android, and not on any cell phone. Off means off.
Turning off wifi powers down the wifi, and down means off.
You can still get prompts for bluetooth.
Re: (Score:2)
No pics necessary, it's in the source; check out this [androidpolice.com] link. My phone does the same thing but unlike under 4.3 there's no obvious way to turn it off without turning off all WiFi notifications.
Re: (Score:2)
Apparently you didn't read your own link.
The important thing to keep in mind is this: if you hate this, you can turn it off. The option is just buried under an "advanced" menu. Turning off "Scanning always available" will make "off" for Wi-Fi really be "off."
And further, it's only on a leaked version of 4.3, not anyone's production version.
Re: (Score:2)
Just looked at my Nexus 7, running the production version of 4.3. That option is present, though it defaults to off.
Re: (Score:2)
Auto-connecting to open wifi is an option that's set to on by default by most carriers.
Re: (Score:2)
Auto-connecting to open wifi is an option that's set to on by default by most carriers.
Carriers have nothing to do with wifi. And further, you have to explicitly connect to each router the first time. No phone automatically connects to random open wifi routers unless you set it to. (There are apps that will attempt this for you).
Re: (Score:2)
a. MAC addresses being broadcast without any regard to who is listening. Even when not negotiating/partaking in a connection.
b. MAC address is static.
Compare above situation to banking. You have a bank account number, it uniquely identifies you but it is not transmitted unless you initiate transaction (and even then only on need-to-know basis) plus it can be changed at any time. Now imagine that instead of MAC these bins were skimming banking information (without inte
Re: (Score:2)
Mac addresses were originally designed to be static, but in the real world almost every smartphone uses software mac addresses.
Their nics are built to allow MAC changing. For Android there are any apps for that. [google.com]
Re: (Score:2)
This is accomplished by the use of a number called a MAC address.
Easily defeated by spoofing. And don't give me that "but few know how to do it" nonsense. It's not difficult and people learn how to do things when they realize they need to do it. REAL ignorance is believing that using MAC addresses for anything involving ID or security is a good idea.
Re: (Score:2)
MAC is not used for security, but rather identification. It is your device's static identity where it can be easily mapped to owner's identity. The underlying issue isn't that some marketing scumbags are collecting MACs, it is that once these MACs are collected it is trivial to aggregat
Re: (Score:2)
There's no reason for the devices to be broadcasting the mac when it is not in use. There's also no reason it can't generate unique ids on demand and discard them when it is done talking. For example, it can take the time since last boot in milliseconds, hash it and XOR it with the actual MAC address setting the locally administered flag. Or, just don't send out probe requests unless the user has told it to look for new APs.
The issue is that people don't like being stalked every waking moment. The one-off
Re:Removing bins will not fix underlying problem (Score:5, Informative)
The issue here isn't that MAC addresses are unique, it's that users aren't bright enough or are too lazy to turn off wi-fi detection when they're not using it.
Re: (Score:2)
Those are valid concerns. Perhaps turn off the randomization when connecting to designated APs but use it for anonymous public wifi?
Or just use it for probe requests but not when actually connecting.
Re: (Score:2)
The issue here isn't that MAC addresses are unique, it's that users aren't bright enough or are too lazy to turn off wi-fi detection when they're not using it.
Exactly. As to the "large" address space - it's large if the random-number generator is actually random and has been seeded with a unique value. We've seen lots of bugs and exploits show up because those two conditions were not met.
Re: (Score:2)
I think you're being a bit harsh here.
One, this is a moderately complex concept, that your phone is emitting uniquely identifying info when you're not even connected to a network.
Two, we've conditioned people to keep WiFi on. Between capped bandwidth plans, video services restricted over Cell data, and even Apple asking you to keep it on (they use the GPS + SSID data to help their mapping efforts) h
Re: (Score:2)
it's that users aren't bright enough or are too lazy to turn off wi-fi detection when they're not using it.
Bit harsh! You cannot expect the usual non-computer person to be able to appreciate the privacy implications of a phone in its default wifi scanning mode any more than I can describe the correct way to lay the foundations for a tarmac road. It either should be secure-by-default, or a clearly explained tradeoff that the user can make, neither of which is true for modern smartphones.
Re:Removing bins will not fix underlying problem (Score:4, Informative)
because it's easier to change DNS entries in a DHCP Server than going around to 100+ individual devices to change the DNS entries when a DNS server dies. and since DHCP hands out more than just an IP, it makes sense to use reservations. that's why every DHCP server I've ever seen allows for reservations.
There are many other things that DHCP can hand out as well, DNS is simply an example. other issues are default gateway changes, subnet mask changes, voip server changes, Dynamic DNS updating. which are all fine on a handful of devices to manage that as static, but once you get into 100s, or 1000s, reservations make a lot more sense.
Re: (Score:2)
The chances of that happening are VERY small. And would only be detrimental if both connected to the same WAP at the same time. Even then it would just lock up and drop the connection most likely. I do change the mac address on my wireless devices every couple of weeks, but not for every connection attempt... but if there were software that did it for me I'd definitely take advantage of that.
Re: (Score:2)
That can already happen. MAC addresses are not guaranteed unique. It is extremely unlikely to happen but it can.
Re: (Score:2)
And there is no reason a MAC address should not randomize itself in between network connections.
No reason other than that the MAC address exists to uniquely identify the device connecting to the network. You seem to have missed the point of the MAC address. Some networks lock down access by MAC address as it is supposed to identify specific devices.
Re:Removing bins will not fix underlying problem (Score:4, Informative)
And there is no reason a MAC address should not randomize itself in between network connections.
No reason other than that the MAC address exists to uniquely identify the device connecting to the network. You seem to have missed the point of the MAC address. Some networks lock down access by MAC address as it is supposed to identify specific devices.
Your phone knows its real Mac, and the mac of the routers it has connected to before.
All it need do is use the same mac for any router it has seen before, or use its REAL mac when you request a connection to any router.
Routers you don't CHOOSE TO connect to, have no valid reason to know your mac.
Re: (Score:2)
Why?
All those multiple access points are going to share the same SSID. It should work.
Re: (Score:2)
And there is no reason a MAC address should not randomize itself in between network connections.
Probably would require a bit more smarts than that. Such as the randomization would be turned off when the device sees a beacon from a known router. e.g. The device would see the router's mac, and if it is one it had connected to previously it would use the same mac address it did upon first connection.
This solves problems with mac-address filtering that some people use as an ill-conceived attempt at wifi security [zdnet.com].
Also DHCP servers use mac addresses to hand out the same IP addresses, upon re-connection which
Re: (Score:2)
If not, then you shouldn't care about MACs, as long as they are static. Your isolated infrastructure network won't ever collide with Joe Shmoe smartphone, because there won't be any way to come into contact.
Re: (Score:2)
I understand why infrastructure might need static MACs. But phones? How about specifying a range of random MAC addresses that they can choose from to prevent collisions with critical infrastructure?
Re: (Score:2)
your security cameras would have the same mac in respect of the network they're connected to... dhcp would be just fine.
and when you would create a new wifi network, you'd use the hardcoded mac on the ap or create a new one.
accountability is pretty much the only reason for enforcing mac addresses and even for that it's very stupid. collisions would be a pretty exotic thing to happen.
Re:Removing bins will not fix underlying problem (Score:5, Interesting)
There is something I don't understand here.
If I have my WiFi turned on and it is set to automatically connect to "known" access points but not set to connect to random unknown access points, why would it broadcast my MAC?
I can understand that it will listen for a "known" access point and when it finds one, send the MAC to connect and that is fine.
However, why would it broadcast my MAC if it has no intention of connecting?
Re:Removing bins will not fix underlying problem (Score:5, Informative)
With your question, you've touched the heart of the problem.
Lazy software designers (those working for wifi chip designers) are sending mac addresses even while they are not associated with any network.
Some say that these only occur when you have previously associated with a hidden SSID network, but that is not the only case, and most modern chip sets send a mac address all the time for no reason at all.
It's not part of the standard to broadcast your mac unless you are a router. But since the advent of ad-hoc networks, there are a lot of phones that broadcast it all the time looking to join an adhoc network. Furthermore, bluetooth also broadcasts its mac all the time and often bluetooth and wifi are built into the same chip.
Re: (Score:2)
'known networks will be joined automatically. If no known networks are available, you will have to manually select a network'.
So where the network is unknown, it won't connect automatically. But you're saying it will still nevertheless broadcast my MAC to available APs??
Re: (Score:2)
Known networks are those that you have previously connected to. This terminology is true for both iPhones and Android.
If a new network appears, even if it requires no password, it will not be connected to automatically.
It appears that most wifi devices (not limited to Android or iOS) still broadcast their Mac Address even when you do not attempt to connect. The standard says that this should be done for Access Points/Routers, but the problem is that almost every device out there does this for no apparent re
Re: (Score:2)
Yes. It does this so that it doesn't have to wait for the APs to send their beacons. The AP sees the probe request, and sends out a beacon right away, instead of every tenth of a second. Supposedly, this saves time.
However, I wonder what the value of this feature is. If you have a dozen nearby phones, all sending probe requests every second, then the AP i
Re: (Score:2)
However, why would it broadcast my MAC if it has no intention of connecting?
As I mentioned in yesterday's thread about this, to much applause and condemnation by people who apparently don't understand how packet-switched networks work at layer 2...
Broadcasting is to find out what's available or in-range. This is done because broadcasting the SSID is not mandatory in the 802.11(a/b/g/n) spec. As a result, almost every device defaults to sending a probe packet containing a list of preferred networks. A receiving station can then reply to that with the equivalent of a "yes, I'm here"
Re: (Score:2)
Thanks for this explanation.
I would think that one could have a setting for your phone wifi which would not broadcast your MAC and would only listen for SSIDs. When a "known" SSID is found, the MAC could be sent to establish the connection. This would avoid the problem of walking around with a personally identifiable beacon in your pocket.
This would still leave the problem of connecting to stations where they do not broadcast an SSID but this "feature" doesn't seem to be of much value to anyone.
Re: (Score:2)
I was proposing that my smartphone should have a setting which would keep it from broadcasting my MAC address all of the time but only broadcast it when it "hears" a known wifi access point. My phone only needs to broadcast my MAC address when it wants to connect. The rest of the time, it should just listen and stay quiet.
There is no need to broadcast my MAC until I want to connect.
This would eliminate the ability of London garbage cans (as well as Macy's, Target, Walmart, etc.) to track me.
Re: (Score:2)
I would think simply re-generating a random MAC address each time you enable WiFi would work well enough.
Re: (Score:2)
What do you mean it's "not possible?"
I would think simply re-generating a random MAC address each time you enable WiFi would work well enough.
There are times when you want to use your real mac (or at least the same mac you used last time you connected).
Mac filtering is sometimes used to limit who can connect.
DHCP servers use mac to give out the same IP upon re-requests, and can run out of IP addresses if a gazillion phones power up with ever-changing mac addresses.
But if the software could use the same mac each time it connected to a specific router, then that SAME MAC could be whatever random mac was in use at the time it first connected with t
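The scheme several comments above converge on (a throwaway address for every scan, one stable address per network the user has actually joined) can be sketched as follows. This is an added example, not code from the thread or from any phone vendor: `MacPolicy`, the device secret and the SSIDs are hypothetical, the stable address is keyed on the SSID so roaming between access points of one network keeps working, and it draws from a CSPRNG and HMAC instead of the hash-of-uptime XOR suggested earlier.

```python
import hashlib
import hmac
import math
import secrets

# 48 address bits minus the multicast bit and the locally-administered bit.
RANDOM_BITS = 46


def as_local_unicast(raw6: bytes) -> bytes:
    """Force the flag bits of the first octet: locally administered=1, multicast=0."""
    if len(raw6) != 6:
        raise ValueError("a MAC address is exactly 6 octets")
    first = (raw6[0] | 0x02) & 0xFE
    return bytes([first]) + raw6[1:]


def format_mac(mac: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in mac)


def random_probe_mac() -> bytes:
    """Fresh address for one scan, taken from the OS CSPRNG.

    Deliberately not hash(uptime) XOR real MAC: uptime has little entropy,
    so a listener could enumerate it and recover the hardware address.
    """
    return as_local_unicast(secrets.token_bytes(6))


def per_network_mac(device_secret: bytes, ssid: str) -> bytes:
    """Stable address for one network that cannot be linked across networks.

    The same (secret, SSID) pair always yields the same address, so MAC
    filters and DHCP reservations keep working; a different SSID yields an
    unrelated address, and the hardware MAC is never transmitted.
    """
    tag = hmac.new(device_secret,
                   b"per-network-mac\x00" + ssid.encode("utf-8"),
                   hashlib.sha256).digest()
    return as_local_unicast(tag[:6])


class MacPolicy:
    """Hypothetical policy object: which address goes into which frame."""

    def __init__(self, device_secret: bytes, known_ssids=()):
        if len(device_secret) < 16:
            raise ValueError("device secret must be at least 128 bits")
        self._secret = device_secret
        self._known = set(known_ssids)

    def for_scan(self) -> bytes:
        # Probe requests reach anyone in radio range: never reuse an address.
        return random_probe_mac()

    def for_association(self, ssid: str, user_initiated: bool = False) -> bytes:
        # Only networks the user chose get a stable identity.
        if ssid in self._known or user_initiated:
            self._known.add(ssid)
            return per_network_mac(self._secret, ssid)
        raise PermissionError(f"refusing to auto-join unknown network {ssid!r}")


def collision_probability(devices: int) -> float:
    """Birthday bound: chance that any two of `devices` random addresses match."""
    pairs = devices * (devices - 1) / 2
    return -math.expm1(-pairs / 2 ** RANDOM_BITS)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    policy = MacPolicy(secrets.token_bytes(32), known_ssids={"home-ap"})
    print("scan 1      :", format_mac(policy.for_scan()))
    print("scan 2      :", format_mac(policy.for_scan()))
    print("home-ap     :", format_mac(policy.for_association("home-ap")))
    print("home-ap     :", format_mac(policy.for_association("home-ap")))
    print("P(collision), 1000 phones on one AP:", collision_probability(1000))
```
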
Re: (Score:2)
True, there aren't a lot of reasons for your phone's wifi to be spamming its MAC all the time, unless it is also configured to connect to any open AP in range. That itself is a BadIdeaTM without an autostarting VPN client.
Re:Removing bins will not fix underlying problem (Score:5, Insightful)
It is astonishing how few people seem to understand that.
Rather like war-driving in reverse. How times change.
Tracking in the UK... (Score:1)
Given the level of tracking going on by the government in the UK, especially London, if the spooks there are not already doing this themselves, they will be soon.
Re: (Score:2)
Given the level of tracking going on by the government in the UK, especially London, if the spooks there are not already doing this themselves, they will be soon.
It's a wonder your mobile isn't photographing where you are and what you are doing and adding that to the pool of publicly recorded video. Probably only a matter of time on that front.
"no-trash-talking" uh more of a "bin ban, banning bin bother"
Re: (Score:2)
Indeed. Rather than our elected "representatives"* tracking us, they should be stopping the corporations from tracking us. At least the British seem to have representation... somewhat, I guess. There's way too much stalking in the world by both government and industry, and I'm disgusted by it.
* I'm American. My "representatives" only represent the corporations. If they represented the citizenry pot would be legal, since over half the population thinks the laws against it are stupid. [csmonitor.com]
Re: (Score:2)
I'm not, and don't call me Surely. [autocorrect: Shirley]
[John]
Re: (Score:2)
There's a difference between being tracked by a random company and a government body. At least the latter operates under the scrutiny of elected representatives.
Only in the House of Commons. You don't have much say after that, they pick the PM and the House of Lords is like Forrest Gump's box of chocolates -- you never know what you will get (may contain nuts.)
The majority of Britons seem quite content to be under constant surveillance, at least when someone runs over their cat they'll know who owned the vehicle.
Exclusive Rights (Score:3)
I should think that this is really just GCHQ exercising its exclusive sovereign right to track everyone, everywhere, all the time.
The American way is more efficient: let business collect the data and then the government can demand to share it.
Re: (Score:2)
Exactly; it's not 'we're putting a stop to this because it's wrong,' but rather 'we're putting a stop to this because you're not being sneaky enough, and that jeopardizes our own domestic spying operation.'
So, enough surveillance now? (Score:2)
Wow, London has decided that there is such a thing as too much surveillance? Maybe the pendulum has finally reached the end of the swing. Hey, a guy can hope.
No. (Score:2, Funny)
Here is what they want:
Re: (Score:2)
I bet if they had been told about it in advance they would have been happy to let the system run.
That's right (Score:2)
No prosecution? (Score:3)
Why no criminal investigation, or at least massive fine under Data Protection laws?
Re:No prosecution? (Score:4, Informative)
Likely because the phone is actively broadcasting information in the public space. If I go out shouting my Social Security number, others are not liable for overhearing it or even writing it down.
Re: (Score:2)
actually they are...
and remember this is the UK where court orders have been for shutting people up about who dates who on the side - which you could know by just having been in the same bar with them.
Re: (Score:2)
Doesn't matter. Under UK law you have to deal with people's data in a safe manner, with their consent and only keep it as long as you have a legitimate use for it.
I can tell you are not British because we don't have social security numbers. In Europe data protection and privacy are protected far more it seems.
Re: (Score:2)
Just being in the public space doesn't mean someone has the right to systematically record all of the info they see/hear.
At lunch today, I handed my credit card to a waiter to pay for a meal. By your logic, that waiter should be allowed to copy down all of the info from my card, because it's a public space. Multiply that by every customer at that restaurant, and then by the total number of restaurants in that chain.
And you think this is OK, because the numbers embossed on my card aren't encrypted?
Re: (Score:2)
At lunch today, I handed my credit card to a waiter to pay for a meal. By your logic, that waiter should be allowed to copy down all of the info from my card, because it's a public space. Multiply that by every customer at that restaurant, and then by the total number of restaurants in that chain.
That's a very interesting analogy to me. It throws into sharp relief the problem here: having to resort to shaky legal principles when the real problem is a poor technological implementation. With cell phones and wireless Internet, the problem is that the protocols being used should not be uniquely identifying themselves in the clear with any random hotspot. Unique IDs for devices on the network are fine, but they should be randomly assigned and negotiated on the fly. If device identification is necessary f
Re: (Score:2)
I find myself thinking, "Thank goodness I'm a legal resident of an EU member state."
Followed by, "Oh, shit--I'm still a US citizen, and most of my family still live there."
Re: (Score:2)
The corporation has taken the issue to the Information Commissioner's Office.
This isn't even an actual ban - the company has only been asked to stop, and has done so.
This is why... (Score:4, Interesting)
This is why I keep wi-fi disabled on my mobile devices unless I need it.
I've found I don't particularly want my device to be phoning home to people when I'm not looking, and I've also found leaving wi-fi on absolutely impacts my battery life.
Stuff like this is only going to get worse as various advertisers decide they're entitled to more information than we're willing to give them.
Re: (Score:2, Interesting)
This is why I keep wi-fi disabled on my mobile devices unless I need it.
That's odd. My phone doesn't send out probes. Like most phones it listens for beacons and connects to those I've told it to. It's possible on some phones to tell it to probe, but that's a bad idea for many reasons.
Could have been worse (Score:2)
"Quick! To the stairs!"
uummm... (Score:3)
Re: (Score:2)
when will it all end?
When they bin the phone tracking bins.
Who thought this was a good idea to begin with? (Score:4, Insightful)
Subject says it all. How was this allowed to happen? Garbage bins don't need to track other people, they need to track when they are full and need to be emptied. I'm sure that this stems from a Government funding program in a black budget that the people of London (and other areas of the UK) have no idea they are paying for.
I do realize that the US probably has similar or worse programs that we are not yet aware of. I know they have been working on billboard advertising to track people and believe it has been implemented in NYC to some extent. We, all of the free people, need to put an end to this! Nothing good can come from this level of tracking people!
Re: (Score:2)
They do if they're going to start showing targeted ads if the test-program works out.
>I'm sure that this stems from a Government funding program in a black budget that the people of London (and other areas of the UK) have no idea they are paying for.
Maybe you need to adjust your drug intake.
Re: (Score:2)
Maybe you need to adjust your naïveté quotient.
Re: (Score:2)
I'm sure that this stems from a Government funding program in a black budget that the people of London (and other areas of the UK) have no idea they are paying for.
Care to back that up with anything or are you just talking out of your arse?
As far as I can see, they are just an advertising company that have struck a deal to provide bins in exchange for advertising space. No reason to think any council money was used to fund this.
Re: (Score:2)
I assume you meant "how do I come to such a conclusion?" because I never stated my opinion was factual.
Speculation based on events both historical and recent. It's interesting how much work DARPA and the NSA have done to assist certain companies attain certain goals, and how those goals have turned into tools used by politicians and the self proclaimed elites.
In addition, I pointed out a logical business direction for use of sensors on trash bins. "track when they are full". You could add a list of other
CC TV? (Score:3)
Maybe wireless specs need to eliminate open MAC (Score:3)
Perhaps the spec could be augmented by allowing a randomized MAC address that is not tied to the device. Define the first octet so manufacturers don't assign anything to it, and leave the remaining bits as completely random. Make the next part of the packet the public half of a key pair that the device expects responses to come back to. Allow the same random MAC address scheme to be used by either side of the connection. Only accept packets that can be properly decoded with the private key of the key pair, which eliminates the problem of random MAC address collisions. As a part of negotiating the secured connection, when exchanging the private key also exchange the real MAC address only after the secured connection is complete. Or, never use the real MAC address and retain the random MAC address for the duration of the connection.
wait... (Score:2)
Can we just ban tracking phones? Who cares what does it...
Wait... let me rephrase that... can we just ban "tracking"? By commercial or government entities?
Free people should not be tracked by anyone.
Given the reaction to Google's "wardriving" (Score:2)
Given the reaction to Google's "wardriving" StreetView cars, they had to have known this would be banned.
Re: (Score:2)
Tho I do hope the recycling part of that is still up even after they stop tracking phones.
All the better reason to go around with your mobile phone turned off until you need to use it or wish to check messages.
"I see you post on /. Please look at all these cheesy t-shirts on ThinkGeek.com!"
Re: (Score:2)
You are either INCREDIBLY naïve, or that was a troll of stellar brilliance.