by Dragorn

Location Spying, Not Just for Governments Anymore!

Every time you leave the house, you're tracked - and with more precision than you might guess.  What city you're in, what street you're on, what store you've gone in, how long you spend in it, and even what aisles you visit.  How long you spent looking at personal hygiene products.

How is such universal tracking done?  There are several tricks the government uses to keep track of people (in the United States, anyhow - likely similar methods are used worldwide):

1.)  License Plate Scanners

Increasingly common in large cities, license plate scanners are good enough to monitor every car entering or exiting an area, as well as tracking what streets you drive on once inside the city.

Major metropolises like New York City routinely scan all cars entering and exiting the island, as well as tracking movement to specific areas.  "Exclusive" communities in California have started scanning all vehicles in and out of public neighborhoods in a thinly veiled threat to keep out "undesirables" - remember, we're always watching you.

Optical character recognition systems are more than fast enough to do real-time recognition of cars passing through control points such as toll booths or low-mounted cameras on police or unmarked vehicles, which scan every car parked on a street they drive down.

Despite numerous protests, there is little case law dictating the use of automatic plate capture.  Several cases have arisen where authorities are accused of racial or religious profiling by logging plates around mosques, churches, and protests.

2.)  Voluntary Digital Tracking Devices

Like the "E-ZPass" system.  For readers unfamiliar, the E-ZPass is similar to an RFID tag system, which is mounted in a car and used to pay road tolls.  E-ZPass tags use an internal battery to boost transmission to the toll readers.  Similar technology is used in other regions, under names like FasTrak, TollPass or, in Europe, systems like eToll, autoPASS, or ENC.  Often, toll authorities offer a discount for using the automated system.

Originally, the E-ZPass was pitched as short-range - it worked in normal toll booths at low speeds.  Then it was expanded to high-speed toll lanes where it could be scanned at highway speeds.  The maximum range for reading an E-ZPass tag is unknown.

Of course, every time you pass through a tag reader, it photographs your license plate in case there is a problem issuing the toll electronically.

In the United States, it is currently illegal to use the electronic tag systems, or the toll booth systems, to enforce maximum average speeds.  In the U.K., average speed cameras have been automatically logging license plates and issuing fines for years.  As municipalities become more and more cash strapped, it seems only likely that this tracking will extend to the U.S.

More unsettling is that recently, "Puking Monkey" revealed at DEFCON how he modified an E-ZPass tag to light up an LED every time it was triggered by a reader, and discovered that in New York City, tag readers are placed throughout the metropolis, tracking cars well away from expected toll booths.  The DOT states that the data collected from mid-city readers is used for traffic flow analysis but, once data is created, there's little limit on what it can be applied to.

3.)  Cell Phones

There is no more perfect spy in your pocket than a device which constantly updates where it is located.

To route a phone call or an SMS message to a phone, the cell phone company must know what tower it has most recently connected to.  To fulfill E911 requirements, it must be able to locate a phone geographically.

Case law in the U.S. has already established that this tracking data is not considered private, despite several legal challenges, allowing the government unfettered access to location records without a warrant.

Unfortunately, it's not just the government getting in on the game.  Stores want to know where you are in the store, how long you spend somewhere, and match that to what you buy.

To get high-precision tracking within a store, cell tower precision location is insufficient, and a store would have to pay the cell carrier for the data, anyhow.

The solution: Tracking Bluetooth and Wi-Fi.

Bluetooth tracking came first, and originally was used for interactive ads embedded in kiosk stands or posters, which didn't see a lot of popularity.  For Bluetooth monitoring to work easily, the device must be in discoverable mode - for various technical reasons, sniffing Bluetooth devices which are not discoverable is difficult and expensive, putting it outside the price point companies are looking for when building store-wide tracking networks.

A discoverable Bluetooth device responds to inquiry packets; the most basic of scanning systems simply needs to constantly issue a "scan for new devices" request and log everything seen.  Since Bluetooth is short-range, locating a device within a store becomes as simple as installing as many sensors as are needed.

Fortunately, most (though not all, by any means) devices default to non-discoverable, in part precisely because of these privacy concerns.  Unfortunately, then we come to Wi-Fi.

When a Wi-Fi device is turned on, it expects to connect to a network.  To try to connect to a network, it sends "probe request" packets.  Each of these packets contains the name of the network the device is looking for, and the unique MAC address of the Wi-Fi radio in the device.  Anything in reception range (tens or hundreds of feet) can receive these packets.

Whenever a device's Wi-Fi is turned on, it is regularly sending these packets.  It may often send multiple packets - one for each network in the saved list of preferred networks.
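To make concrete what a probe request gives away, here is an added example (not code from the original article) that builds a few constructed 802.11 probe request frames and then parses them the way a passive listener would, pulling out the two fields the text names: the source MAC address and the requested network name.  The `exposure_report` function summarizes what an observer learns per device, and flags addresses with the locally-administered bit set, which is a rough heuristic (an assumption of this example, not a guarantee) that the device is using a randomized rather than a manufacturer-assigned MAC.  Frames are assumed to start at the 802.11 header, with no radiotap header and no trailing FCS.

```python
import struct

# Bytes of an 802.11 probe request, constructed for this example:
#   frame control (2) | duration (2) | addr1 DA (6) | addr2 SA (6)
#   | addr3 BSSID (6) | sequence control (2) | information elements...
PROBE_REQ_FC = bytes([0x40, 0x00])          # type 0 (mgmt), subtype 4 (probe req)
BROADCAST = bytes.fromhex("ff" * 6)


def mac_str(raw):
    """Render six address bytes as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac, ssid, seq=0):
    """Construct a probe request frame (sample input, not a real capture)."""
    addr2 = bytes.fromhex(src_mac.replace(":", ""))
    seq_ctrl = struct.pack("<H", seq << 4)   # fragment 0, sequence number in upper 12 bits
    ssid_bytes = ssid.encode()
    ies = bytes([0, len(ssid_bytes)]) + ssid_bytes          # IE 0: SSID (empty = wildcard)
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])            # IE 1: supported rates
    return PROBE_REQ_FC + b"\x00\x00" + BROADCAST + addr2 + BROADCAST + seq_ctrl + ies


def parse_probe_request(frame):
    """Return the fields a listener learns from one frame, or None if it is not a probe request."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 management header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype != 4:
        return None
    sa = frame[10:16]                        # addr2 is the transmitter (the phone's Wi-Fi radio)
    ssid = None
    ies, i = frame[24:], 0
    while i + 2 <= len(ies):                 # walk the tag/length/value elements
        tag, length = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + length]
        if len(body) < length:               # truncated element: stop rather than misparse
            break
        if tag == 0:
            ssid = body.decode("utf-8", "replace")
        i += 2 + length
    return {
        "src_mac": mac_str(sa),
        "ssid": ssid,
        # Bit 0x02 of the first octet marks a locally administered address;
        # treated here (heuristically) as a sign of MAC randomization.
        "locally_administered": bool(sa[0] & 0x02),
    }


def exposure_report(frames):
    """Aggregate per-MAC what a passive observer would collect from a burst of frames."""
    seen = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        entry = seen.setdefault(parsed["src_mac"],
                                {"ssids": set(), "randomized": parsed["locally_administered"]})
        if parsed["ssid"]:                   # empty SSID is a wildcard probe; it names no network
            entry["ssids"].add(parsed["ssid"])
    return seen


if __name__ == "__main__":
    # Constructed sample: one phone probing for two saved networks plus a wildcard,
    # and one device using a locally administered address sending only wildcards.
    sample = [
        build_probe_request("00:11:22:33:44:55", "HomeNet", 1),
        build_probe_request("00:11:22:33:44:55", "OfficeWiFi", 2),
        build_probe_request("00:11:22:33:44:55", "", 3),
        build_probe_request("02:aa:bb:cc:dd:ee", "", 1),
    ]
    for mac, info in exposure_report(sample).items():
        print(mac, "randomized" if info["randomized"] else "vendor MAC", sorted(info["ssids"]))
```

The report for the first device lists both saved network names against a fixed vendor MAC, which is exactly the pairing the text describes as sufficient for store-wide tracking; the second device exposes nothing beyond the fact that something was probing.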

Private companies now have all that is needed to track user movements throughout a store using nothing but the Wi-Fi radio in smart phones.  Additionally, these companies can share and correlate such data - since the packet is meant as a public, broadcast request for a network to join, it could be argued there is no expectation of privacy.

Of course, once data is collected, there's no telling what it could be used for - or who could use it.  Cell phone location data was originally tracked simply for technical reasons: The network needs to know what tower to send a message to.  Now, private companies are being compelled (or volunteering) to collect tracking data.  There is no reason to think this won't be the same story again.

Nothing limits this tracking to inside stores, either.  Several companies have begun to offer outdoor pole-mounted tracking systems, under the auspices of traffic data collection (sound familiar?).  Some of the collection systems are run by law enforcement agencies, some are run by private companies.

Think data collected by a private company isn't a means of tracking you?  Depending on the location resolution of the tracking system, it's possible to correlate the locations in the store, the products in those locations, and the purchase records of that time period, and map a MAC address of a Wi-Fi device to the credit card information used to pay.  Consider also the other companies which have similar data.

For instance, Apple or Google know the user ID of a device and the MAC address (used in backups, etc.).  While it may have been possible to assume that data collection agencies weren't collating these records in the past, it seems naive to think so given recent revelations.  If the same system can collate number plate recognition or toll tag recognition with Wi-Fi detection, it would be similarly possible to identify a user... maybe not with a single read event, but with multiple events over several locations.

Not all is lost.

Privacy in movement is rapidly eroding, but some methods can be avoided.  The simplest way to avoid Wi-Fi tracking?  Turn off Wi-Fi when not at home.  When turned off, the device is no longer looking for networks, and no longer sending probe requests.  Either make it part of your daily habit or use various helper tools.  On Android, event tools like Locale or Tasker, or dedicated tools like Smarter Wi-Fi Manager (disclaimer, written by yours truly [Michael Kershaw]), can control the radios based on cell tower location - using the automatic location data from the cell network to increase your privacy for a change.