[armchairhacker]

> The solution here shouldn't be technical; it should be legal.

I disagree. Solutions should be technical whenever possible, because in practice, laws tend to be abused and/or not enforced. Laws also need resources and cooperation to be enforced, and some laws are hard to enforce without creating backdoors or compromising other rights.

"ISPs will be prohibited from spying on their customers" doesn't mean ISPs won't spy on their customers.

[transpute]

We need more funding for open-source WiFi Sensing counter-measures, e.g. EU research, https://ans.unibs.it/projects/csi-murder/

> this paper addressed passive attacks, where the attacker controls only a receiver, but exploits the normal Wi-Fi traffic. In this case, the only useful traffic for the attacker comes from transmitters that are perfectly fixed and whose position is well known and stable, so that the NN can be trained in advance, thus the obfuscator needs to be installed only in APs or similar ‘infrastructure’ devices. Active attacks, where the attacker controls both the transmitter and the receiver are another very interesting research area, where, however, privacy protection cannot be based on randomization at the transmitter.

https://github.com/ansresearch/csi-murder/

> The experimental results obtained in our laboratory show that the considered localization method (first proposed in an MSc thesis) works smoothly regardless of the environment, and that adding random information to the CSI mess up the localization, thus providing the community with a system that preserve location privacy and communication performance at the same time.

[heavyset_go]

There is no technical solution for this unless you want to invest billions/trillions in building new computing and networking platforms created with privacy in mind.

ISPs will always have the ability to at least deduce whether a connection was used, the MAC address, and it there is WiFi, unfortunately whether people are physically present.

If we look at the roadmap for WiFi/phones/etc, they will soon gain the ability to map out your home, including objects, using consumer radios.

[giantg2]

"There is no technical solution for this"

This isn't really true. The easiest technical solution to the problem of ISPs using your wifi data is to simply use your own WiFi router which does not send the data to them.

[newshackr]

They can still deduce this from the traffic patterns.

[giantg2]

They can map your home and motion with traffic patterns?

[heavyset_go]

The OP was also talking about deducing presence based on connections and traffic patterns, which using your own WiFi AP isn't going to mitigate.

[giantg2]

I don't think there's any reliable way around that. They can do that with real-time power meter monitoring even if you don't have an internet connection.

[sleepybrett]

Good luck to them for those of us who have set up a tailscale exit node in our network and use it whenever they are 'roaming'.

[heavyset_go]

They can see the WireGuard traffic coming in and correlate it with traffic out. WG traffic is easily identifiable.

[idiotsecant]

So use a vpn.

[mbreese]

With a VPN, your ISP may not know where packets are going, but they can still see packets moving. So, unless your VPN is injecting dummy data to mask all patterns (possible, but not common), your ISP is going to have a good idea if someone is home or not.

[giantg2]

So does your power company with real-time meter monitoring. Masking that is much harder and would be more expensive if it's even possible.

[idiotsecant]

Creating useless traffic on a random schedule is pretty trivial.

[slt2021]

I have a better solution: just use your neighbour's wifi :P

pay him with a pack of beer

[mbreese]

You can’t solve social problems with technical solutions. Technical solutions won’t work without some kind of legal backing to force it.

[lioeters]

Sometimes mathematics and physics provide superior solutions than man-made laws. Encryption for example. It's better to make something impossible, than to have laws that are routinely ignored by law enforcement.

[xoa]

>You can’t solve social problems with technical solutions.

Sure, this has a fair amount of truth to it. However, security is not a social problem, it's an economic one. No one, not even the most well funded and skilled organizations like the NSA, has access to infinite resources. Whether a given attack/data harvesting effort costs $1 million, $10 thousand, $100, $1, or $0.01 makes an enormous difference in impact. Can a given three letter agency afford to spend $1m on anyone? Sure. Can they afford it against everyone? No. Same with private orgs, if harvesting data costs $10000/person, it has to generate well over that much money in profit to make it worth it. Is that likely on average? Probably not. If it costs fractions of a cent, then they will be incentivized to scale it as hard as possible, since payoff from even one person will cover thousands of duds.

So sure, by all means we should pursue laws too, as that also shifts costs a bit. But there is zero reason not to simultaneously pursue technical means to make costs as high as possible. Both tracks matter a lot.

[mbreese]

I am really struggling to see the technical solution here. This isn’t a security question - security has already been lost. We’re talking about a device in a home that the owner doesn’t control, being able to monitor the presence of a person using either WiFi signals or device identifiers.

The obvious solution is to not use that device. But that’s not necessarily possible for a variety of reasons, not all of them controllable.

So, what is the technical solution to this? Anything that’s going to mask a persons RF signal is probably going to make WiFi difficult to use. Anything at the network level is already lost because we have a potentially hostile device in a critical point in the network path.

Am I missing a different solution?

[xoa]

>I am really struggling to see the technical solution here.

Are you? Comments are full of obvious solutions like using your own hardware, which you clearly understand.

>We’re talking about a device in a home that the owner doesn’t control

No, we definitely are not. As you yourself immediately acknowledge:

>The obvious solution is to not use that device. But that’s not necessarily possible for a variety of reasons, not all of them controllable.

...but then immediately try to do a fuzzy hand wave it away for reasons I don't really understand. Technical solutions don't have to be completely perfect, which is surely not a standard you're holding any social/legal solution to right? Since that would be ridiculous.

As I said, simultaneously pursuing multiple tracks in parallel is the correct approach, as hybrids can be more then the sum of their parts. A purely legal solution ("law against ISPs collecting this data"), if it's even possible to get passed at all, ends up depending heavily on the honor system with all sorts of perverse incentives, and is very challenging to verify. A purely technical solution ("use your own hardware", "route through another end point") could potentially be interfered with (though let's be clear: this isn't actually a thing basically ever). But we can easily imagine hybrid approaches, just as was done in the past with efforts like CableCARD. The law doesn't need to necessarily try to mandate and police hard to verify behavior like how non-property owner controlled hardware acts, but instead can mandate that ISPs must always allow direct dumb interfaces to their network via customer controlled hardware. That's something easy to verify, which enhances compliance, and easy to understand which enhances the politics.

But make no mistake: the technical aspect is an inseparable part of this approach. We need both.

[citizenpaul]

It makes it much more difficult to be profitable if its illegal. This deters the majority of opportunists leaving only the dedicated criminals. And just like thief's people might understand why they steal no one sheds a tear when they go to prison.

[dcow]

And how do you technically stop an ISP from using the radio in their hardware to detect small changes in phase angle of signals in your home?

[RajT88]

Own your own hardware is how.

Comcast cannot administer my router/AP or modem.

Some other ISP's like AT&T force you to use their gateway. I try and avoid these companies or severely limit the functions of the built in gateway.

[dcow]

And how do you force all consumers to buy their own privacy hardware?

Edit: sorry my question is not strictly how one person would mangle their hardware so it breaks presence detection, it’s how the tech industry would develop an at scale everyday consumer solution to this problem.

[dghlsakjg]

Require certain disclosures to be made in not so fine print.

Require that each privacy waiver is individually initialed, per clause, in wet ink.

This shit would end tomorrow if they had to start delivering modems with 1 inch high letters that said "THIS DEVICE WILL TRACK YOUR LOCATION WITHIN YOUR HOME AND SHARE THAT DATA WITH LAW ENFORCEMENT WITHOUT YOUR KNOWLEDGE", and the modem didn't work until you went down to the Comcast store to sign your rights away.

You don't have to force anything except taking this knowledge out of the fine print and prove that your customers are actually aware of the contractual clauses they are subject to.

The tech industry could come together and come up with a privacy standard guarantee that device manufacturers could use (Something as simple as, we will never share data with law enforcement unless legally compelled).

There's a lot of solutions, ranging from technical (firmware update) to social (pass some laws with teeth).

[jolmg]

> This shit would end tomorrow if they had to start delivering modems with 1 inch high letters that said "THIS DEVICE WILL TRACK YOUR LOCATION WITHIN YOUR HOME AND SHARE THAT DATA WITH LAW ENFORCEMENT WITHOUT YOUR KNOWLEDGE",

I have the urge to laugh at this, but maybe I'm just too cynical. Pretty sure we still live in an age where most people would let go of principles like privacy for a bit of convenience.

[heavyset_go]

Some ISPs allow you to bring your own modem, so there wouldn't be any hardware other than your own and whatever they install to bring it into your home.

[mensetmanusman]

You attach large sacks of potatoes to the ceiling fans and lighting fixtures that are connected to strings and random timers to move them. The potato bags perfectly simulate human motion.

Every house should look like a party of 50.

Invest in potatoes

[pixl97]

Disconnect and ground the antenna and supply your own equipment?

[dcow]

I thought we were talking about a solution that the tech industry could implement and deploy en masse to users, because it’s just, like TLS and browser standards. That’s usually what is being discussed when these give everyone privacy topics come up. The people that care enough to ground their antenna are already using their own hardware. And the ISP will deter hardware modification by charging you for damaged leased hardware. Or you’ll be in an arms race where the ISP’s firmware will flag the unit as defective because the radio doesn't work and cut off access till you fix it.

I guess you could put it in a cage. Maybe I should go door to door selling privacy cages. Do people pay for tinfoil hats these days?

[pixl97]

>Do people pay for tinfoil hats these days?

I don't know, how many people that didn't care much about privacy said things like "There is no way the US government would deport US citizens" 7 months ago.

[hyperdimension]

>Do people pay for tinfoil hats these days?

Only with cash.

[sleepybrett]

When we find them spying on customers they will take it all the way to the supreme court where the definition of spying will be put the wringer and flushed of all actual meaning. Then the law will be struck because it violates the corporation's 1st amendment protections concerning 'free speech'. See also Citizen's United.

[lovich]

Technical and legal solutions are for different classes of problems.

Encryption is a technical solution trying to solve the problem of people being able to steal your data/money without your knowledge.

The law/police are the solution to the 5 dollar wrench problem, where you are very aware of the attack but unable to physically stop it

[scarface_74]

And the law can’t stop someone from using a $5 wrench before the harm is done…

[lovich]

I don’t expect the law to prevent the crime. Much like my comment you replied to, I recognize different tools are for different situations.

The law is there to enforce the “rule of law”

It’s a little ambiguous because the phrase is in English and doesn’t match up 1:1 with the common vernacular, but I want the “rule of law” to enforce that the rules are real, not to prevent someone from testing their existence

[account42]

The legal part should be requiring a technical solution.

E.g. the you should be able to own your router and even if you choose to rent you should have full control over the software.

[taneq]

It might make it a bit harder to use the information obtained through spying, though. Both is good.