by sanityvampire 2829 days ago
Ubiquitous WiFi kiosks with inbuilt cameras, huh? Ostensibly, they're not allowed to track individual user locations, but the combination of functions present in the devices means it would be trivial to start connecting independent databases and building profiles on users. If you were a malicious actor, how would you go about it?

The PoCs on tracking individuals with MAC addresses are old news (and, in fairness, newer iOS devices use random MAC addresses for WiFi probe requests), let alone the user fingerprinting you could do on browsers when people actually use these things. So you've got a database of devices, and then on top of that you start doing facial recognition and gait analysis to collect another set of individual data points. Then you connect devices to people, and you have a pretty nice system for tracking individuals moving through the city, even those with location services and such disabled.

Paranoia? Maybe, but it wouldn't take much for, say, Amazon to start doing this. And Bezos wouldn't be bound by city regulations on citizen privacy.

2 comments

I wouldn't be surprised.

I interviewed with a NYC company that bought a bunch of old phonebooths and was looking into installing cameras on them and recording video to sell to whoever they could. They had this idea that they could do style recognition on clothing and sell that.

> The PoCs on tracking individuals with MAC addresses are old news (and, in fairness, newer iOS devices use random MAC addresses for WiFi probe requests)

MAC address tracking is obsolete. All phones (including iOS devices) broadcast a full list of SSIDs that they have previously connected to when attempting to connect to wireless networks. That alone is enough to uniquely identify most people.

I use, perhaps naively, Wi-Fi Privacy Police: https://f-droid.org/en/packages/be.uhasselt.privacypolice/

> Prevents your smartphone or tablet from leaking privacy sensitive information via Wi-Fi networks. It does this in two ways:
>
> It prevents your smartphone from sending out the names of Wi-Fi networks it wants to connect to over the air. This makes sure that other people in your surroundings can not see the networks you’ve connected to, and the places you’ve visited.
>
> If your smartphone encounters an unknown access point with a known name (for example, a malicious access point pretending to be your home network), it asks whether you trust this access point before connecting. This makes sure that other people are not able to steal your data.

I thought iOS doesn't do that anymore?

> I thought iOS doesn't do that anymore?

Last I checked, they did because it's part of the actual spec, though if anyone has definitive evidence to the contrary (either for iOS or flagship Android phones), I'd be curious to see it.

You know, I totally forgot this was a thing. I'm sure modern phones do it. Last time I was on an airplane, couple months ago, I was messing around with airmon-ng, and I was amazed at the amount of personally identifiable information that people's WiFi drivers were just spewing into the ether.