Monday, February 8, 2021

Comment on NY Times cell phone tracking piece

A friend posted this article about cell phone tracking (kind of the flip side to their earlier and much longer article on phone tracking) and I thought it needed more than a Facebook post to fill in some of the stuff missing from the article and expand on other bits. The aim is not to increase paranoia or dismiss it, but to point out things those not in IT might not know, especially given the increasing number of posts I see about tracking worries that are way off the mark (tracking chips in vaccines, for example) and that often would be less of an issue, even if they were real, than what is actually in increasing use. I don't have an answer. Some think tracking info should not be kept at all. On the other end are those that are not worried at all. In the end everyone has their own idea of acceptable risk, but that should be based on actual risk factors and, as the NY Times article points out, companies are making a business out of linking all available data sources.

Location tracking basics

Here is the rub. Every tool can be used as a weapon. Cell phone location ping data is just a tiny fraction of the stream:

  • Apps track your location as well as what you did. Many apps ask for WAY more perms than they need. Some because the developer was lazy, some to have data to monetize.
  • WiFi access points can track you as you pass them even when you do not connect to them. This includes hotspots in your car. For example 

  • Linked security camera and WAMI (wide-area motion imagery) systems can basically TiVo an area to allow forward and backward tracking of multiple objects over the entire coverage area, which is growing fast. You might be amazed how many posts I see of people having or wanting license plate readers to log cars passing their house. I might note people also want a Pan, Tilt and Zoom (PTZ) camera because they think it will somehow locate and track people in range. More here as to why they won't. So if WAMI for homes became available, there would probably be many that would sign up.
  • Bluetooth is getting strong enough these days to be used as well, and it is.
  • Then there is LoRa, which Amazon just adopted as part of Sidewalk, and so on.
  • Not to mention almost everything is or will shortly be connected to the internet. If it can ID you (as in you have any sort of auth on it), there is another data point.

That means it is virtually impossible to not be tracked now, and it will only get harder as data storage rates drop, computing power increases and systems get deployed and continue to interconnect. The thing is that the data is huge, so without a reason it generally just gets stored "in case". Developers will always err on the side of having too much data to debug with and for future features. Companies are always looking for new features to offer customers and ways to monetize having to store the data they have. And all too often security and QA are seen as overhead costs to be kept to a minimum. Add to that, governments will always want more and better tools to track down "criminals", and most people will be happy to comply as long as they assume it will never be used against them or they think they can exclude themselves.

Look at all the people commenting on rep posts without constituent badges because they seem to think that means Facebook will not know where they are, even though if you log in from a different browser you get a notification telling you your account was just accessed from machine X in city Y. Failed logins are logged too. Even a basic hosted website has that level of tracking by default, so you can imagine what a site like Facebook is doing. Even a non-static IP is linked to a location for the length of the exchange. Granted, there are ways to hide your location somewhat, but few are going to deal with that hassle even if they are aware of them. Plus many proxies and VPNs are not as anonymizing as they claim. Also, one of the things all the breaches have shown is that most people still use the same login and password everywhere and do not even know what 2FA is, making them both easier to track and hack.

There again, it is not that hard to track down someone's home address these days from a few data points, given a lot of government data is online and/or sold to search engines like (since 1997). There was outrage back when people first heard, and they moved the servers offshore, but even then that only saved you the trip to the clerk for the data. People just did not know. While we are on social media, you might want to look at this story about how the police tracked some protesters via social media.

So then it would seem the only option is to limit access to the data or what the data can be used for. But I would not hold much hope there either. Take WAMI for example. Back in 2016 a company did a WAMI test that was pretty successful at tracking criminals. People kind of freaked at the time, but Baltimore police are attempting a new test run to track how it affects crime when people know it is watching. People seem freaked about drones in general, and though the WAMI tests are with piloted aircraft, people still seem to see them as drones. You know if they get their test and it shows good results, others will want it too. Same goes for other related tech. As I mentioned above, people are saying they want features like tracking and recognition even while saying they do not want the government and companies to have them. The Chinese are going all in, so in the end it might be a question of whether we buy from them or develop it here. BTW, did you know almost all security cameras are made in China? There are people warning about that as well, of course. That is a whole other thread about unsecured networks of IoT devices, whether or not they came with backdoors.