(article linked from m/Android)
This is ridiculous, SSIDs are not private information.
The same was said about social security numbers until SSNs started becoming a primary key to every-fucking-thing which can cross-reference records in countless databases not even associated to the social security office.
Of course SSIDs are sensitive when the context is that they point to where you’ve been & then associate that to where you are right now in realtime; which is then shared with the centralized DB of a surveillance capitalist. When they are coupled to MAC addresses. When snooping cars drive around and record physical locations which are then tied to SSIDs and MAC addresses.
And what if your SSID is “impeach Trump again”, which then pins you to a political leaning that can be exploited in Cambridge Analytica style attacks on democracy? Logs that your phone attempts to connect to that SSID then associate your phone to that.
None of that actually matters, because it’s the users themselves that have chosen to use WiFi and to broadcast the SSID. If I published my dick pics on the web and then went around naked then you could conceivably correlate the dick pic to my person and my current location. But you wouldn’t be breaching my privacy in doing so.
When you say “breach”, this implies legal noncompliance which depends on where you are. In Europe the data collection you describe would be a breach. In the US, it’d be a lawful attack on your privacy.
Is location sensitive?
Of course your timestamped realtime location history is sensitive information. If you think having your realtime whereabouts tracked doesn’t matter then you most likely have little interest in privacy in the first place¹. In which case I’d say fair enough, but then what are you doing in the cybersecurity magazine?
Boycotts are a thing, not just privacy
Some of us boycott surveillance capitalists (#GAFAM). There’s a lot of data that we might not give a shit if they collected in the absence of our boycott (though not location tracking; that’s sensitive anyway). Boycotting does not just mean not paying them. It means not recklessly disclosing profitable data to them. In principle I don’t give a shit if Microsoft records my favourite color. But if MS figures out how to profit from that info in some way, then I’m interested in withholding it from MS. And indeed that’s still a privacy matter nonetheless because #privacy is about control.
footnotes (TL;DR: why location history is sensitive info)
- Further elaboration: Everyone decides for themselves what info is sensitive to their operations which then serves as input to the threat model. It’s not for you to speak for everyone in saying “info X is not sensitive”. Some people who live quite simple lives may not regard time and location history as sensitive, but this flies in the face of those who deem it sensitive. You should first consider the obvious cases which trivially disprove your claim: Bin Ladin, Edward Snowden, anyone wanted by law enforcement. But to be clear, you need not be high profile or even be a refugee/undocumented immigrant for realtime location to matter. Someone might be an abortion client whose location was recorded in the parking lot of an abortion clinic in a state that has banned it. Someone’s location might be that of where their extramarital affair takes place. There are countless examples. Let me know if you need more.
(edit)
Know your audience
I fixated on your #falseAnalogy fallacy and overlooked this:
because it’s the users themselves that have chosen to use WiFi and to broadcast the SSID
Even if you do not broadcast your #SSID it’s still publicly available. It’s in that air traffic Google was caught overcollecting. If someone chooses to hide their SSID, you could say that’s an expression of intent & collection of that data is thus a breach. Even in the US, if someone uses a weak WEP they still at least get legal protections from intrusions. Generally, legal protections in the US kick in when expression of intent or authority is disclosed.
Most importantly, you’ve missed the thesis. The article is not for those who are happy to disclose their SSID & all the associated tracking of their phone then searching for that SSID wherever they are. The article is for those who specifically opt not to disclose. You are using the intent of audience A to falsely imply intentions of audience B. Audience A would have skipped this article just based on the title alone.
Please explain how the data collection I described would be a breach of privacy in Europe or anywhere else. What rule or statute would it not be compliant with?
First of all, the answer to that wouldn’t matter because the article is about privacy protection not law enforcement. But to answer the question, collecting personal info about people without their express consent in Europe violates the #GDPR.
The GDPR makes some exceptions for cases where info can be collected on people nonconsensually (e.g. public health systems, law enforcement, scientific research), but your scenario does not match any legal exception. At best, you would have to make your activity part of a scientific study. And you wouldn’t get away with simply claiming it’s for science. You would have to make a convincing case that the study is for significant public benefit.
No, SSIDs are obviously public (since you’re transmitting them to outside your own house) and would come under the GDPR provisions for collecting publicly available information. You may need to inform me that you’ve collected my data, but that’s all.
There is no GDPR provision for collecting publicly available information that is personal w.r.t. individuals. You can only collect public info if it cannot be tied to an individual. For example, if a car is illegally parked and you photograph it and post it online, you must blur the license plate. It doesn’t matter that the image was in the public.
But again, this whole subthread is a #redHerring because the article is for those who actually intend to keep their sensitive info out of public view, not the others for whom the topic is irrelevant.
My first idea was to use a USB-to-Ethernet adapter.
That was my first idea too but I ruled it out on the principle that I shouldn’t need to buy more hardware. I also assumed that couldn’t be easy to attach to an unrooted phone.
It works pretty much out of the box on Android. I use a cheap gigabit one.
Good to know. I think I have an old no-name one in storage I might dig out & try at some point. But that effort is worse than buying one. So for the moment I’m stuck with attempting reverse tethering.
I love the swiss-army-knife that #openVPN could have been, had they not tried to nanny users by forcing encryption.
Seems like one could just disable wifi and use a USB Ethernet adapter, or failing that if you want to connect directly to a PC, have the PC act as a USB Ethernet adapter.
Is there FOSS for that?
Wifi jammer. Open up your phone and remove the antennas. Jailbreak or similar.
Gnirehtet provides reverse tethering for Android.
Thanks for the tip. I overlooked it since it’s not in the F-Droid repos. Will have to give it a go.
(edit) #Gnirehtet is in my notes as requiring root. This article is apparently giving bogus info: