A kerfuffle has broken out in Seattle over whether the city’s police department is using its Wi-Fi network to spy on anyone with a smartphone. According to Seattle TV station KIRO, the SPD’s emergency services Wi-Fi network has the ability to identify any Wi-Fi device emitting a signal within range of one of its 160 wireless access points and record its location.
A controversy is brewing because of this revelation, but the reality is that any Wi-Fi network can do this. I’m an advocate for consumer privacy as much as the next guy, but in the world of wireless networking complete anonymity is simply a luxury we don’t have.
Wireless networks by definition don’t have the benefit of a dedicated wire through which to funnel traffic. Our devices are communicating among a miasma of signals, and in order for an access point to send the right data to the right person, every device has to have a unique identifier. In Wi-Fi networks that identity tag is known as a Media Access Control, or MAC, address, and that address is available to anyone who cares to look.
When your phone’s Wi-Fi radio is turned on, it’s constantly scanning the unlicensed airwaves for networks – it’s exchanging information with access points on who they are and whether it has permission to connect. It’s entirely possible for a network owner to record these MAC addresses, then correlate them with specific devices and thus specific people. Because the network owner knows the exact location of their access points, they can track that person as they move between network nodes.
Not only is it possible, but many companies and organizations are already doing so in order to mine their networks for data and offer location-based services. Through these fleeting network handshakes Boingo is able to tabulate the number of iPhones and iPads that fly in and out of O’Hare Airport each day. But in many cases we’re freely giving that data over our phone’s own cellular connections.
Anyone who owns an Android phone or uses Google or hundreds of other companies’ location-based services is aggregating Wi-Fi location data. That data can be used to send ads eerily specific to your whereabouts. But that data also helps your mapping app plot its precise location when a GPS signal isn’t readily available. For good or bad, Wi-Fi location data is already a critical component of the mobile internet.
Our phones are very social creatures. To them the world is one big singles bar. Every time we leave our homes our phones virtually scream “Here I am! Let’s hook up!” over every radio at their disposal. We can rein our phones in by turning off radios, but that seems to obviate much of the point of a smartphone. Also, the tendency in the industry is to use our radios to share more location data, not less. Increasingly Bluetooth is being used as a proximity-based location technology, which can pinpoint our location in specific rooms, not just specific buildings.
In a networked society there are tradeoffs. I would argue Wi-Fi has done much more to spur the mobile data revolution than any 3G or 4G technology. Through cheap and free public Wi-Fi we’re able to work remotely in coffee shops and friends’ apartments. We’re able to stream video and use bandwidth-intensive applications via Wi-Fi that we couldn’t afford to consume over cellular links.
But if we adopt a shared bandwidth model we also have to announce our presence to the networks doing the sharing. The question is whether the inherent capabilities of a communications network should be used to create ad hoc surveillance networks. This isn’t exactly advanced espionage we’re talking about here. The information the SPD could collect, if it chose to do so, is information we’re freely broadcasting. It’s the equivalent of a cop looking at license plate numbers in a parking lot.
But there’s a potential for more than just passive observation. With some coordinated effort, any Wi-Fi network can start storing those MAC addresses, effectively creating a database of every smartphone or tablet’s movements throughout the city. Sure, we’re already sharing much of this same data with a dozen companies, but there’s definitely a privacy issue when government gets involved. There’s a fine line between crowdsourcing and crowd surveillance, but it’s a line that shouldn’t be crossed.