If wishes were fishes
"...capabilities that could be developed and none of which are workable right now."
I bet they were working hard to develop those capabilities and working out how best to 'monetise' them.
Electronic BINS in the heart of London must stop tracking hundreds of thousands of passing smartphones, officials have demanded. A dozen or so high-tech rubbish cans - which display adverts and information on built-in flat-screens and are dotted around the capital's financial district's pavements - were set up to collect data …
>. . .
Plans to add facial recognition are however on hold
While GCHQ's plans for faecal recognition incorporated within the Surveillance of Hitherto Inacessible Terrain/ Toilet Advanced Counter Terrorism Information Camera (SHIT-TACTIC) system go ahead as planned.
I can imagine the declassified documents to be released in forty or fifty years time ...
ITEM: PHONE OWNER [redacted] DEPOSITS A FALAFEL WRAPPER IN BIN rl0021 ON A DAILY BASIS.
ITEM: CROSS REFERENCED WITH SUPERMARKET CLUBCARD, [redacted] DOES NOT BUY RAZORBLADES.
CONCLUSION: [redacted] IS BEARDED MIDDLE EASTERN TERRORIST.
ACTION: BIN rl0021 WILL PERFORM LOCALIZED EXPLOSION ON NEXT ATTENDANCE BY [redacted].
It would be sheer coincidence that when Apple bring out their latest phone (the one with fingerprint recognition) that they (whoever "they" are) would then have been able to tie your location, speed, content, and something that would identify you to high degree of accuracy together.
Actually, this site needs a tinfoil hat icon.
Only if you are a typical (read: Luddite techno-fool) iPhone user.
Really. I my (very small) BYOD office, I have to administer access for the iPhone users here. Who ALL, read that again every single one, leave their WiFi running 24/7.
And I completely and utterly blame Apple for this.
Most iPhone users do not bother to look at the (very small) WiFi status indicator and worse, do not wish to go into their Settings / WiFi menu to turn the functionality on and off. Most iPhone users do not want that level of interaction - they believe their devices "Just Work (tm)" and going into the Settings menu to change the way the device operates is against their paradigm of 'lowest user interaction'.
So Apple did not create a home screen control for WiFi / did not make the WiFi icon functionally interactive. So most users leave it alone and just put it out of their mind, another thing the phone 'takes care of by itself'. So technically undereducated users leaving a security hole running with no incentive to learn / do otherwise, from the user standpoint, or educate / change, from the manufacturer standpoint.
I will bet you that the greatest majority of MAC slurps from this experiment were iPhones. The users get what they deserve.
I'm struggling to see that they've broken any laws so the ICO can't do very much. The DPA doesn't apply as capturing MAC addresses doesn't let you identify individuals (though trying to match those MAC addresses with a person list would be illegal). RIPA might apply, but again - there's no information about individuals here.
"I'm struggling to see that they've broken any laws so the ICO can't do very much. The DPA doesn't apply as capturing MAC addresses doesn't let you identify individuals (though trying to match those MAC addresses with a person list would be illegal)."
Let's be crystal clear - The MAC address, associated with the device serial number that YOU bought, and as associated with the sales purchase transaction (and the likely plastic card YOU used to purchase said item) would most definitely identify YOU. Then there's the MSISDN and ICCID and....
"The DPA doesn't apply as capturing MAC addresses doesn't let you identify individuals"
Yes it does, as phones seldom change MACs(*) or owners..
(*) I'm hoping "there's an app for that" very soon. The fastest way to dissuade this kind of shite is not to run silent but to run very very noisily with thousands of randomzed MACs.
At least they'll have the mac address of the yoofs who through them through the windows of a McDonalds now.
On a less silly note, have they ever heard of the data protection act? Hear about google getting hauled over hot coals for slurping wi-fi data? Sooner or a business that does this is going to have to be given a massive fine, possibly shut down in order to make spying on the public like this stop.
I'm not sure that the DPA applies to MAC addresses as constituting data about an identifiable individual. Google got into trouble for slurping (they have always claimed 'accidentally') not just MAC addresses, but also part of the data content of the packets.
MAC addresses are (necessarily) public information - if you want to keep yours secret, don't turn Wi-Fi on (and don't connect to any public networks).
The guidance I have seen is that phone numbers should be handled as if it were personal data, because you don't know how many people are associated with the phone number.
And a phone number has to be known to the network in order to deliver calls.
So an MAC doesn't sound so different to a phone number.
You might be able to claim that some always-visible MAC is a fixed piece of hardware but that means that all the rest is associated with an individual. I can't see how you can get away with not being careful.
Fair point, Dave, and I'd always advocate being careful when handling personal data. Phone numbers are different from MAC addresses (they're more like IP addresses, but the analogy quickly breaks down) in that there exist (not public) directories that can link a phone number to an individual or a physical location. This is not possible for a MAC address (which, in any case, can easily be changed by the user).
Most devices will retain tables of recently 'seen' MAC addresses: arp -a will usually give you a list.
" there exist (not public) directories that can link a phone number to an individual or a physical location. This is not possible for a MAC address (which, in any case, can easily be changed by the user)."
I understand that there also exist such directories for MAC addresses, at least in the telcos, so they can recognize phones. And there are probably lots of apps -IOS, Android or whatever- that slurp MAC data and link them to other personal information, e.g. mail accounts and phone numbers.
The telco certainly has the serial number of your SIM, and the IMEI(s) it's been inserted in, but given the ease of a MAC address being modified (compared to those other two) I can't see the utility of hanging on to it. And when you put the SIM into another phone, the MAC address will change. And, as I noted earlier, the association with the device is by IMEI.
OTOH, public WI-FI providers apparently do - Virgin Media on the tube, f'rinstance. But you voluntarily trigger that association when you sign-in to an AP.
The MAC address is a handset resident identifier not a SIM artefact - You DO NOT need a SIM inserted to use your (smart)phone on a WiFi network.
If you disable WiFi access and you have Mobile Data enabled (i.e. 3G/HSPA(+) 'on'), other SIM-related identifiers will (eventually) allow your phone to adopted a (mobile network provider supplied) IP address... In mobile data mode, 3gPP and ietf methods of identifier and location extraction can be used (LIS function, et al, as per ietf HTTP-Enabled Location Delivery (geopriv)...)
Either way, mobile data or WiFi connected, your device and service identifiers are extractable using published and readily availble methods.
"Most devices will retain tables of recently 'seen' MAC addresses: arp -a will usually give you a list."
Yes, for 2 minutes by default - long enough to maintain a data connection (arp tables are a mapping of IP to MAC address.). $orkplace sniffs for rogue MACs on the wire and that required a thorough inspection of the DPA rules to make sure we weren't breaching any of 'em by snapshotting and cataloging ARP tables at the firewall
Being able to tie a MAC to an individual is a DPA breach even if you don't know WHO the individual is. On top of that, it's proven to be extremely easy to take stuff like "anonymised" hospital data and tie that to specific individuals, which has significant DPA ramifications for publication of such studies.
"So an MAC doesn't sound so different to a phone number."
The point being I think that it's trivial to engineer a reverse search to find an individual from a telephone number. Depending on how and why that's done, that can be legal or illegal.
With a MAC address - much harder. You'd need the co-operation of the mobile operators and they won't co-operate because they're complying with the DPA.
A mobile's telephone number is only used by the network you are taking service from and its transmission to that network is encrypted. A MAC address is transmitted in the clear to any device that asks to see it.
I can't see a way that the MAC address of a mobile phone could be used, in isolation, as a piece of useful data about an identifiable individual. Now, if the bins had cameras in them.....
"it was a 'limited' test and we've stopped and we will consult privacy organisations"
You should consult first scumbag.
I hope they are programmed to phone home when people 'forget' to put out their cigarettes before putting them in a bin full of flammable materials and burn your shit up, hope it costs you a fortune.
Naturally it could be,
"Hi Dave, bored with giving all your google phone data to an Ad Agency?"
Smug git here laughs as he carries his phone switched off and in an RF protective case because he realises that he can be disconnected and actually have a life without the phone/tablet being on an umbilical to his hand.
Downvoting in 3..2..1...0
I use the phone when I want to and in approporate places. I do NOT want to be tracked by my mobile. If I could do without it when in places like London then yes I would leave it at home but most of the time it is switched off.
I've been doing this since when I lived in the US they made it mandatory for all phones to have GPS and 'tracking' built in.
Yeah, the NSA/CGHQ probably think I have something to hide. I don't but that matters little these days. If they try hard enough, they can always find some law that we have all broken and use that to put us away.
>. . .
I've been doing this since when I lived in the US they made it mandatory for all phones to have GPS and 'tracking' built in.
. . .<
You what? Illegal for a cellphone to not have a GPS? How's that enforceable?
Don't worry, they won't put you away any more than other alien abduction victims and Area51 witnesses.
You're too entertaining.
I believe he's confused about the 911 Emergency Location Service, which is required on all phones here. But it only transmits your location if you call 911 and even then there's no requirement for the 911 center to have the equipment to receive the signal. The 911 center here sure doesn't have it.
Otherwise you can turn off the location services and GPS like with any other phone in any other place.
That'd be the thing to do. Get inexpensive rooted phones that run software to constantly change the MAC then just toss them in the bins. If you got a club together you could spread the costs across the group and do it cheaply. It would be fun just knowing that somewhere marketing analysts were being driven mad.
Chuck 'em ALL in jail.
It's about time we enforced an "ask then do" policy instead of an "oh crap we got found out" one, and we need some stiff sentencing to dissuade other outfits from trying similar things - especially when tracking (anonymously or not) is done without consent, option to request not to be tracked, and in some cases informed consent could not be given anyway due to the owner of the device not being an adult...
"there's no way the data that has been collected could be used to identify an individual."
Well the interesting thing is what is actually necessary to identify an individual. I posted on my blog a while back about how Android's prompt of "Will collect anonymous data while using GPS" could very easily be a big lie. For a start, the data will not be completely anonymous as there is no point in collecting random totally anonymous reports. It will be tied to something, like the phone ID, so multiple reports from this phone will be collected together. If the GPS system reports location when turned on or off, over time there may be enough reports in the same place to take a guess as to one of them being a home location. If, like me, you live in the back of nowhere, then it's a very very simple matter to look at the location and determine the address. If you live in a town, it may be harder depending on the type of property, however this can be tied in with other locational data such as "phone with this ID connects to WiFi router with this SSID", and so on.
There is no actual necessity to know your name up front in order to determine exactly who you are, and while it may fail in urban sprawls, it's good for many many individuals.
Now, read again what was said in the article: "Renew, which said the collected data was "anonymised" before it was analysed, hoped to use this technology to track footfall in shopping areas and perhaps even show tailored adverts to people as they walked by the bins."
Ask yourself at which stage the data was actually "anonymised" (and has it been proven to be so by independent audit?). I ask you this because tracking where people walk requires a continuity from point to point. Likewise, displaying adverts to people (adverts, from a bin?!?) requires not only maintaining a continuity but also retaining that information so that relevant advertising can be shown in the future. I am making a leap by suggesting advertising relevance, but this is surely what is meant as there is no point tracking a person to show non-relevant advertising, you get that all over the place already. So how anonymous is anonymous? If it can remain connected to your phone, possibly not so much. And, then, while the data itself may be fairly innocuous (a MAC address is basically a bunch of random-looking numbers), when coupled with other technologies it can start to be a little less anonymous. Cameras, for instance. However, even without that, if data is retained from session to session, guesses can be made about you based upon your travelling speed, where you stop and start, the time of day, and if you linger in any particular places. One or two sessions might be seemingly random. More might start to look like a pattern. Patterns can give insights into people's lives. There is a difference between a person who runs in to Mothercare at half one in the afternoon, and a person who regularly slouches into Ladbrookes at eleven in the morning.
Remember - being anonymous doesn't mean "they don't know your name"...
Exactly what I noticed.
I actually laughed at the inherent self-contradiction when I read: "...the collected data was "anonymised" before it was analysed, hoped to use this technology to... show tailored adverts to people as they walked by the bins." The "anonymised" part is the most sickeningly obvious attempt at damage control spin I have ever read; in the very same breath they reveal the lie and their true intentions.
By definition, if they're showing me "tailored" advertising, they must know who they are showing the adverts to, ergo I am not anonymous. Whether or not they know the name on my birth certificate is irrelevant; to tailor advertising means they must know my comings and goings, likes and dislikes, lifestyle choices, associations, occupation, hobbies, interests - in short, everything that makes me who I am. What price a name if you have all that? Anonymised my fucking arse.
> How does this contravene the DPA? You can't give informed consent because there's no way the data that has been collected could be used to identify an individual.
Well it ought to contravene Data Protection legislation because public targeted advertising could get very personal and damaging to reputation, fairly or unfairly. Consider this scenario - Extracts from log file in hypothetical trial:
07:05, Bin 001 (M junction at Town-on-Sea), Read 55.5A.B1.00.A5.55, speed 65, south.
07:05, Bin 001 (M junction at Town-on-Sea), Display "Lunch at Lenny's", 5 seconds.
13:00, Bin 007 (Lenny's), Read 55.5A.B1.00.A5.55, speed 4, west.
13:00, Bin 007 (Lenny's), Read 55.5A.B1.00.A5.55, speed 15, east.
22:51, Bin 013 (Parliament), Read 55.5A.B1.00.A5.55, speed 2, south.
22:51, Bin 013 (Parliament), Display "Before driving to Town-on-Sea, relax at The Kinkdom (2 doors down from Lenny's). Parties welcome. Bring your own Whip", 60 seconds.
22:51, Bin 013 (Parliament), Error 90023 - display jammed.
22:53, Bin 013 (Parliament), Read 55.5A.B1.00.A5.55, speed 15, south.
A reputation ruined in a day despite best efforts. Worse if your browsing history was ever tied in. Worse even if you try to ignore the ads but passers-by draw conclusions about you. What do you do if an undesirable ad is displayed for someone else but you're afraid passers-by are associating it with you? This could make cities and towns no-go areas. Could this commence the decline of cities?
This 'video advertising everywhere' is going to prove a boon to muggers!
It's already been shown that people quickly learn to 'tune out' advertisements blaring at them.
So in the near future, you won't even notice that guy coming at you with the lead pipe because he's announcing something like, "Tired of high food bills? MegaStore has low, low prices everyday!">THWAP<
It'll be the ultimate urban camoflage!
What happens when you are observed walking past a bin and it displays an advert :-
You're iPhone OS is a version out of date, get an upgrade now and get access to lots of new shit.
Only you've been keeping your phone in your pocket because there a couple of guys eyeing people up as they walk past the bins for some reason. Oh, and they're partially hidden in an alley.
Is that Apple IOS 'last 400 visitors' still available then?.
They got rid of your lifetime tracking but their crowd sourced router database was still free last time I knew.
Google vans also slurped the data too, Clever Appke never even had to get out of their US bed.
The best thing to do when this sort of thing happens in future (and in this situation) is for everyone concerned about this sort of thing to send Subject Access Requests to the allegedly infringing companies.
Not only is it your right to have the data but the margins that these companies will be running on per user mean that it'll only take a few requests to render the whole personal data-harvesting exercise unprofitable.
OK, a failure by the company to respond to such a request is enforced by the cuddly ICO, but it's a slam dunk violation. While they only got Capone for tax evasion, it finished him.
http://www.ico.org.uk/for_the_public/personal_information shows you how to do it.
AC, because, well....
WiFi off: check
GPS off: check
Snub location requests from websites: check
Password to unlock phone: check
Having those on is the same as leaving your house and car unlocked.
My phone will only show me via Maps as located at the nearest tower. Which is interesting when I am located near several towers as this also shows me the one the phone is actually using.
Now, as I was saying about not just the NSA spying on you...
Either you've got a really fancy damn phone or a really shitty house and car. Maybe your car is your house and it doesn't run?
I'm not sure what you're getting at, or who you're planning to assassinate, but the value you place on your phone seems exceptionally misguided and possibly indicative of a serious underlying condition.
I'm not sure what you are getting at, Don. I switch off everything (GPS, wifi, mobile data) on my phone unless I actually want any of those things - basically, most of the time it is just a mobile phone (or as close as I can make it). I also have a passably good lock on the home-screen. Does this make me someone with a "serious underlying condition" too? If so, which, and why is it a problem to you?
Previous stories (http://www.theregister.co.uk/2013/03/28/riotact_goes_berserk_over_bluetooth/) have made it clear that this kind of thing is already widespread. (See for example the map in http://www.atrf11.unisa.edu.au/Assets/Papers/ATRF11_0129_final.pdf). Presumabley widespread in London too, for the same reason, by the same kind of people.
Also, although the term "WiFi" is used everywhere, the only details I have seen use only the term "MAC", which suggests that, like the earlier stories, this is using standard bluetooth tracking equipment.
BTW, how irritating that el register no longer provides links to related stories? Irritated. Don't like you. Don't like your advertisers either. Irritated.
Can I just say how flattered I feel that these people are prepared to waste so much money, and so many resources, just to show me adverts that I'll ignore, or more usually, subconsciously filter out. I'm also rather flattered that they think I am so rich that just because I bought an expensive widget yesterday, I'll be buying another one tomorrow. I wonder what planet they come from ?
If your already spent your widget budget then those adverts aren't aimed at you. They're aimed at the next guy to come down the street with money to burn in his pocket. Advertising is a numbers game with a very, very small target for a given advert. If you get .5% increase with a campaign then it was worth the investment.
The downside of all that is that everybody is simultaneously trying to get the attention of that .5% so it seems overwhelming but the truth of the matter is you don't really filter it out. Your subconscious does remember it and it does affect you, and everyone else...
Biting the hand that feeds IT © 1998–2019