I guess we really shouldn't be surprised at this point, but what many don't understand is just how easy it is to track devices, and by extension people, in this manner.
You don't even have to connect to an open WiFi AP, or any AP. As Glenn Wilkinson demonstrated some time ago [1], the probe requests your device sends out can, in many cases, identify you or at least the important locations you've been to. Basically, if WiFi is enabled on your device and it's not associated with an AP, it's constantly sending out requests asking for the [E]SSID of APs it's previously connected to.
> I guess we really shouldn't be surprised at this point
Yes, we shouldn't stop at being surprised. We should put our actions where our surprise/shock is and do something about it.
For example: leave your mobile phone permanently in flight mode and just use all the other features, like agenda, clock, etc. (or leave it always at home, if you don't have a landline anymore).
There are certain Android apps, like this one [1] that attempt to turn on/off your WiFi automatically based on location. I have not used this one, but it might make the process a bit less tedious. Obviously, the best option is just to manually turn on/off WiFi yourself.
A more interesting idea would be to create an app that sends out random probe requests with a randomized MAC address (while not sending out any real probe requests). I wonder if that would be effective at disrupting these sorts of surveillance techniques.
By which you mean... don't have a mobile phone? (I imagine you are someone who either spends most of the day in one place, or doesn't have anyone who they would want to be able to contact them on a whim.)
It's really hard for me to take this article seriously without the release of said PowerPoint documents. All we have to go on is that CSEC had access to device IDs and was capable of tracking their locations across airports. And while it's true that metadata can be used to create a graph and hence a wealth of information, ISPs generally are supposed to collect that info. The question is whether the contents of the messages were intercepted.
Even then, this article seems to provide a lot of reactions from professors and commissioners without really getting into the details. It's really not that difficult for anyone, let alone the government, to track MAC addresses on WiFi networks and then start geolocating them.
You could easily jam Wi-Fi signals or even collect MAC addresses. Collect enough of them from different places, and you can locate people's travelling habits.
No worries, your phone's use/support of ad networks means both companies and governments know as much about your habits already as you don't want them to know. ;-) No fancy iBeacons or trashcans necessary.
Yeah, I'm cool with it too. It'd be good to know if someone connected to a terrorist organization wanders into Pearson, and no one expects privacy at the airport, anyway. You go there knowing it's a secure zone and that your luggage will be gone through and your body scanned. Tracking your Internet usage seems like less of an invasion of privacy than that.
If you read the article it's clear they were tracking people for weeks after they left the airport:
"The document shows the federal intelligence agency was then able to track the travellers for a week or more as they — and their wireless devices — showed up in other Wi-Fi "hot spots" in cities across Canada and even at U.S. airports.
That included people visiting other airports, hotels, coffee shops and restaurants, libraries, ground transportation hubs, and any number of places among the literally thousands with public wireless internet access.
The document shows CSEC had so much data it could even track the travellers back in time through the days leading up to their arrival at the airport, these experts say."
This is a bit of a "well, duh!" thing. Pretty much every large WiFi deployment has this capability. It is common enough that Cisco has a mainline product family to do it (Cisco Unified Wireless Location-Based Services).
This is commonly used to track carts in hospitals, etc.
You technically don't even have to be "actively tracking" users. You just keep the diagnostic logs of client registrations & signal strength for a while and map it when you care. I'd be more worried about a non-government entity using the data to survey people for blackmail or other gain (e.g. politicians: who is commonly located near the state capital, campaign headquarters, and strip club?)
You don't even have to connect to an open WiFi AP, or any AP. As Glenn Wilkinson demonstrated some time ago [1], the probe requests your device sends out can, in many cases, identify you or at least the important locations you've been to. Basically, if WiFi is enabled on your device and it's not associated with an AP, it's constantly sending out requests asking for the [E]SSID of APs it's previously connected to.
I also recommend this video: http://www.youtube.com/watch?v=03iEaKPRb9A
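The probe-request leak discussed in this thread can be checked on frames from your own device. The following is an added example, not code from any commenter: it parses 802.11 probe requests and reports, per source MAC, whether the address is locally administered (the bit a randomized MAC sets) and which network names the device announces. The frames are constructed sample data, and the function names (`build_probe`, `parse_probe`, `audit`) are hypothetical.

```python
def build_probe(src: bytes, ssid: bytes, fc0: int = 0x40) -> bytes:
    """Build a minimal 802.11 management frame (constructed sample, not a capture)."""
    hdr = bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    rates = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])  # Supported Rates element
    return hdr + bytes([0, len(ssid)]) + ssid + rates

def parse_probe(frame: bytes):
    """Return (source MAC bytes, SSID or None) for a probe request, else None."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 4:      # management frame, subtype probe request
        return None
    pos, ssid = 24, None                # tagged elements follow the 24-byte header
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:         # truncated element: stop parsing
            break
        if tag == 0:                    # element ID 0 carries the SSID
            ssid = value.decode("utf-8", "replace") or None  # empty = wildcard
            break
        pos += 2 + length
    return frame[10:16], ssid           # Address 2 is the transmitter

def audit(frames):
    """Per source MAC: is it locally administered, and which SSIDs does it name?"""
    report = {}
    for frame in frames:
        parsed = parse_probe(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        mac = ":".join(f"{b:02x}" for b in src)
        entry = report.setdefault(mac, {"local_mac": bool(src[0] & 0x02), "ssids": set()})
        if ssid:
            entry["ssids"].add(ssid)
    return report

# Constructed frames: a fixed MAC naming two networks, a locally administered
# MAC sending only a wildcard probe, and one beacon (not a probe, so ignored).
FIXED = bytes.fromhex("001122334455")
RANDOM = bytes.fromhex("daa119000001")
SAMPLE_FRAMES = [
    build_probe(FIXED, b"HomeNet"),
    build_probe(FIXED, b"Airport_Free_WiFi"),
    build_probe(RANDOM, b""),
    build_probe(FIXED, b"SomeAP", fc0=0x80),
]

if __name__ == "__main__":
    for mac, info in audit(SAMPLE_FRAMES).items():
        print(mac, info)
```

A device that shows up with `local_mac` false and a non-empty SSID set is broadcasting both a stable identifier and its network history; a locally administered address with wildcard-only probes exposes neither.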