Not exactly related but on the topic of finding target's location, A few years ago i used to run a little demo of capturing probe wifi ssid network on prefered network list of nearby devices and used https://wigle.net/ to identify places that people has visited... it was eye opening for some people in the audience for sure.
Relatedly, one of my favorite recent papers is "Surveilling the Masses with Wi-Fi-Based Positioning System" [1]. In the paper, they (ab)use the fact that smartphones report the location of WiFi access points to public databases in order to track human migration over several large scale events (from natural disasters to the invasion of Ukraine).
I know this topics comes up ever so often here, but this is really amazing demo. A reminder that on Android you can use tools like XPL-EX (previously XprivacyLua) to heavily block such calls and libraries, or something simpler even like something like [App Manager](https://muntashirakon.github.io/AppManager/).
The app has many features, one specifically can decompile and dissect other apps methods, and gives you the ability to disable them. It does lead to crashes, that's why XPL-EX is a cleaner option.
> We all kind of know this is true, but it’s always really eyeopening to see to what extent these companies know everything about us.
I agree, if you have a Spotify account I implore you ( and anyone reading ) to download their Spotify data [1] and just look through it, it’s really interesting.
I hear news about how big companies are collecting all our data and got kinda desensitized to just the news but to see it applied to you and your specific music experience is pretty eye (re-)opening.
Could you elaborate a little further ( maybe not data itself, but its type and so on )? I don't have Spotify, but I am obviously fairly interested in the subject as a whole ( and that business model spread widely ).
Thanks! Giving it a try. I've been using Google's take out to download my Fitbit data already because the app is so shit these days. I wonder what else has these data dumps available.
Ah there was a great talk at CCC (actually 2) about a guy tracking Germany’s politicians, they deducted crazy relations from publicly available data iirc. I cannot find the talk right now sadly. Was it in German?
Going after the politicians is the only fix for surveillance capitalism. The US's only strong privacy law for consumer activity is for video rentals and came about when the disclosure of rental records for judge Bork scared members of Congress into protecting their own privacy. This still applies to modern day streaming services.
Instead of making something illegal, that might be perfectly acceptable for someone else, why don’t take a personal decision to stop using those services altogether?
It’s very tempting to impose our own personal truths to everybody else’s via politics, but that’s a quite close approach to totalitarianism.
> Instead of making something illegal, that might be perfectly acceptable for someone else, why don’t take a personal decision to stop using those services altogether?
Because there is no competition in the marketplace based on privacy, and if I want to use the services my friends/family/employer use, then I'm forced to give up my privacy.
The free market has never and will never solve a problem like this. The only thing that ever has is regulation and this is a textbook case of what regulation is for.
> You can actually opt out of this. Vote for politicians that want to regulate this into illegality.
The parliament has more than one politician and the advertising companies pay better.
To opt out of it you need to put politicians in jail for conflict of interest and bribes and make campains against big tech (which could lead to your "suicide). Good luck with that.
Isn’t it what the EU is doing step by step to protect its citizens?
Politicians should be jailed, both on the legislative and executive side, including Presidents, if they ignore the law. France is showing this once again with hopeful Marine Le Pen and former president Sarkozy, together with dozens of their associates.
You don't even need to go off the grid to "opt out". Unless you granted location permissions to those apps, all the "locations" that the apps are sending are most certainly from geoip databases. That's technically a "location", but not what most people would think of when you say "everyone knows your location". Denying location permissions to random flashlight apps, disabling cross-app identifiers in ios/Android, and using a VPN will provide the same amount of anonymity.
It's either using a VPN, or having your real (ISP) IP address exposed. Self-hosting your VPN is actually worse, because you still are tunneling your traffic through a third party that could be monitoring it, and unlike with a public VPN you can't blend with other users.
I ported my number to a voip provider so I can take any calls I want from home DECT phones or laptops. No need for notifications to follow me around or to carry a pocket distraction machine.
I would not happily give up my smartphone but, speaking for myself I get very few personal calls, and latterly, don’t know the last time I had a work call on my phone.
On the question of “why do they collect all this data” - brightness, battery life, headphone usage, volume etc: It’s not just because the data is valuable in itself, it’s also to ‘fingerprint’ the device across IPFA boundaries and in the face of things like NAT and VPNs. There are so many disparate data points that are different across different devices that two apps reporting an identical or near-identical set in a short timeframe are likely on the same device.
Because you and almost everyone else agreed to the Terms of Service where you consented to let them stalk you until they can make an accurate enough simulation of you to sell increased chances to change your behavior to the highest bidder.
You can stop at any time. Cancel your cell phone subscription and turn off your phone. It is a perfectly valid choice.
True, but a Terms of Service document is the vehicle by which you are informed and consenting. If you're not willing to read the information you're choosing to remain uninformed.
When it takes multiple lifetimes to read the Terms of Service for everything a normal person uses to get through daily life, it’s not a case of willingness
I do think apps should force people to actually scroll through ToS at a normal reading speed or tldr the horrible things they will do to you front and center like we forced the tobacco industry to do.
Most of humanity enjoyed their lives without pocket internet until the last couple decades. Saying people cannot be happy without that is like saying they cannot be happy without smoking.
This Apple or Google phone culture is a false dichotomy.
I run a b2b tech company in silicon valley, and have endless technical hobbies and do not need Apple or Google products or a cell carrier to be happy.
It is always possible to choose tech that you own and control. It just takes a bit more research because the open ecosystems lack marketing budgets.
This is not how the GDPR works, just because you stuff it in the ToS doesn't make it legal. Consent has to be explicit and freely given, using the service cannot hinge on accepting tracking.
It’s also because good UI/UX is expensive, open source has never been able to do it, and people are lazy. If you are a person who likes messing with computers and figuring stuff out, you are weird. Most people loathe it. It was super easy for superior UX to capture users and herd them into surveillance ecosystems.
Good stuff. You might find more interesting data by implementing Frida [0] into your process to snoop on encrypted traffic normally not visible due to pinned certificates.
I haven't gone through setting it up (yet) but I imagine there should be differences between EU and US versions of the apps. Is that something you expect to and if so, are you recording that info in your survey?
Or am I just naive here?
The difference should be only at the consent level, eg you might see less or more “Accept All” buttons with different design or different ToS linked.
I don’t believe there’s a real difference on the code or even SDK level based on geo.
You need a cellphone, but you really don't much on it. Browser, email, a chat app or three, banking, navigation, public transport/parking. Most of these have good privacy-minded options or are usually not the biggest offenders. It's games, ecommerce, social media and such that do the most spying, and you can absolutely live without those apps.
Does turning off data (mobile+wifi) when not actually using any app help at all (on Android)? Will apps still be able to phone home in the background? Or will they just fill up a huge cache with data and bulk-transfer it the next time the phone is online?
Maybe at least disconnecting from the internet while not using it will make location tracking slightly more difficult?
Yes? I assume. If I’m international and am not using my US plan they’d better not be using my home plan in background and I’ve never seen any evidence they were.
If you love games that much, why not get a dedicated gaming device? One that you use purely for gaming and don't expose your non-gaming accounts or info on. There's no reason why the entertainment device and the personal communication device need to be the same one, right? Just like there is no reason why you should log in with your old hotmail account on your Xbox just because they are both MS.
Ideally it wouldn't even have an enabled web browser.
If you find yourself unable to do this, that's a sign that "love" is actually addiction which means the upside for actually decoupling is probably a lot bigger than you imagine if you disregard the idea.
Not exactly related but on the topic of finding target's location, A few years ago i used to run a little demo of capturing probe wifi ssid network on prefered network list of nearby devices and used https://wigle.net/ to identify places that people has visited... it was eye opening for some people in the audience for sure.
Relatedly, one of my favorite recent papers is "Surveilling the Masses with Wi-Fi-Based Positioning System" [1]. In the paper, they (ab)use the fact that smartphones report the location of WiFi access points to public databases in order to track human migration over several large scale events (from natural disasters to the invasion of Ukraine).
[1] https://arxiv.org/pdf/2405.14975
That sounds like a super fun demo to do live! I have seen people om social media post their funny ssids around their house…please do not.
Wow, the map gives a good insight of where "technological humans" are concentrated.
or where people are actually recording wifi networksk, wigle is kept up to date by volunteers
Complete dead zone in my area, even though the wifi SSIDs are saturated.
I have something similar:
https://appgoblin.info which let's you see trackers installed on mobile apps and an Android app that lets you see those on your phone.
I'm working on automating a flow similar to the OPs but with an emulator so it can run on a server, but it's pretty difficult.
If anyone has advice I'd love to hear it. My biggest problem is how finnicky getting the rooted emulator plus apps is.
My current flow for mitm and waydroid is here: https://github.com/ddxv/mobile-network-traffic
Hope anyone has some advice!
Edit: just want to mention that the OPs flow is definitely better for capturing real data and endpoints, but I didn't see how I could automate it?
I know this topics comes up ever so often here, but this is really amazing demo. A reminder that on Android you can use tools like XPL-EX (previously XprivacyLua) to heavily block such calls and libraries, or something simpler even like something like [App Manager](https://muntashirakon.github.io/AppManager/).
Could you share a bit on how to identify and block offenders with AppManager?
The app has many features, one specifically can decompile and dissect other apps methods, and gives you the ability to disable them. It does lead to crashes, that's why XPL-EX is a cleaner option.
You would need to be rooted for that sort of blocking to be an option, right?
I think you can run a DNS server, and configure Android with a custom DNS server. Not sure about this exact case though.
Yes, that's a given. I totally disagree with google's philosophy of locking down android features once you root, it's totally unwarranted.
We all kind of know this is true, but it’s always really eyeopening to see to what extent these companies know everything about us.
Even worse is, I think, that somehow they are allowed to sell all the data and that you can basically buy data about everybody easily online[1]
[1]: https://media.ccc.de/v/38c3-databroker-files-wie-uns-apps-un...
> We all kind of know this is true, but it’s always really eyeopening to see to what extent these companies know everything about us.
I agree, if you have a Spotify account I implore you ( and anyone reading ) to download their Spotify data [1] and just look through it, it’s really interesting. I hear news about how big companies are collecting all our data and got kinda desensitized to just the news but to see it applied to you and your specific music experience is pretty eye (re-)opening.
1. https://support.spotify.com/us/article/data-rights-and-priva...
Could you elaborate a little further ( maybe not data itself, but its type and so on )? I don't have Spotify, but I am obviously fairly interested in the subject as a whole ( and that business model spread widely ).
Thanks! Giving it a try. I've been using Google's take out to download my Fitbit data already because the app is so shit these days. I wonder what else has these data dumps available.
Ah there was a great talk at CCC (actually 2) about a guy tracking Germany’s politicians, they deducted crazy relations from publicly available data iirc. I cannot find the talk right now sadly. Was it in German?
Going after the politicians is the only fix for surveillance capitalism. The US's only strong privacy law for consumer activity is for video rentals and came about when the disclosure of rental records for judge Bork scared members of Congress into protecting their own privacy. This still applies to modern day streaming services.
You actually can opt out of this. Personally I have not had a cell phone subscription in ~5 years and only use cash IRL.
You can actually opt out of this. Vote for politicians that want to regulate this into illegality.
Instead of making something illegal, that might be perfectly acceptable for someone else, why don’t take a personal decision to stop using those services altogether?
It’s very tempting to impose our own personal truths to everybody else’s via politics, but that’s a quite close approach to totalitarianism.
Why would I stop using the services when I can use the law to keep using them without being tracked?
> It’s very tempting to impose our own personal truths to everybody else’s via politics, but that’s a quite close approach to totalitarianism.
"Regulation is totalitarianism" is a take that's too hot for me today.
> Instead of making something illegal, that might be perfectly acceptable for someone else, why don’t take a personal decision to stop using those services altogether?
Because there is no competition in the marketplace based on privacy, and if I want to use the services my friends/family/employer use, then I'm forced to give up my privacy.
The free market has never and will never solve a problem like this. The only thing that ever has is regulation and this is a textbook case of what regulation is for.
> You can actually opt out of this. Vote for politicians that want to regulate this into illegality.
The parliament has more than one politician and the advertising companies pay better. To opt out of it you need to put politicians in jail for conflict of interest and bribes and make campains against big tech (which could lead to your "suicide). Good luck with that.
Isn’t it what the EU is doing step by step to protect its citizens?
Politicians should be jailed, both on the legislative and executive side, including Presidents, if they ignore the law. France is showing this once again with hopeful Marine Le Pen and former president Sarkozy, together with dozens of their associates.
But then the government couldn't track you anymore with the help of those companies.
There are no such politicians, and even if they were your vote does not matter.
Laughs in GDPR
You don't even need to go off the grid to "opt out". Unless you granted location permissions to those apps, all the "locations" that the apps are sending are most certainly from geoip databases. That's technically a "location", but not what most people would think of when you say "everyone knows your location". Denying location permissions to random flashlight apps, disabling cross-app identifiers in ios/Android, and using a VPN will provide the same amount of anonymity.
I would never trust a public VPN personally.
It's either using a VPN, or having your real (ISP) IP address exposed. Self-hosting your VPN is actually worse, because you still are tunneling your traffic through a third party that could be monitoring it, and unlike with a public VPN you can't blend with other users.
What do you do for work / how do you handle work or personal calls?
I run a b2b infosec company.
I ported my number to a voip provider so I can take any calls I want from home DECT phones or laptops. No need for notifications to follow me around or to carry a pocket distraction machine.
I would not happily give up my smartphone but, speaking for myself I get very few personal calls, and latterly, don’t know the last time I had a work call on my phone.
author here to answer any questions or discuss an app
On the question of “why do they collect all this data” - brightness, battery life, headphone usage, volume etc: It’s not just because the data is valuable in itself, it’s also to ‘fingerprint’ the device across IPFA boundaries and in the face of things like NAT and VPNs. There are so many disparate data points that are different across different devices that two apps reporting an identical or near-identical set in a short timeframe are likely on the same device.
How the hell is any of this tracking legal?
Because you and almost everyone else agreed to the Terms of Service where you consented to let them stalk you until they can make an accurate enough simulation of you to sell increased chances to change your behavior to the highest bidder.
You can stop at any time. Cancel your cell phone subscription and turn off your phone. It is a perfectly valid choice.
Uninformed consent is not consent. And while you may enjoy your life without a mobile subscription, many would not.
>Uninformed consent is not consent.
True, but a Terms of Service document is the vehicle by which you are informed and consenting. If you're not willing to read the information you're choosing to remain uninformed.
When it takes multiple lifetimes to read the Terms of Service for everything a normal person uses to get through daily life, it’s not a case of willingness
I read every legal contract I agree to. It is crazy not to.
If it is too long and hard to read, there is a reason for that and you can just opt out.
I do think apps should force people to actually scroll through ToS at a normal reading speed or tldr the horrible things they will do to you front and center like we forced the tobacco industry to do.
Most of humanity enjoyed their lives without pocket internet until the last couple decades. Saying people cannot be happy without that is like saying they cannot be happy without smoking.
This Apple or Google phone culture is a false dichotomy.
I run a b2b tech company in silicon valley, and have endless technical hobbies and do not need Apple or Google products or a cell carrier to be happy.
It is always possible to choose tech that you own and control. It just takes a bit more research because the open ecosystems lack marketing budgets.
This is not how the GDPR works, just because you stuff it in the ToS doesn't make it legal. Consent has to be explicit and freely given, using the service cannot hinge on accepting tracking.
> Because you and almost everyone else agreed to the Terms of Service where you consented to let them stalk you
Because some laws (GDPR) are only valid for some people.
No one took Stallman seriously in the early '00s cuz he looks like a total nerd.
It’s also because good UI/UX is expensive, open source has never been able to do it, and people are lazy. If you are a person who likes messing with computers and figuring stuff out, you are weird. Most people loathe it. It was super easy for superior UX to capture users and herd them into surveillance ecosystems.
He still looks like a nerd. I think it’s terminal.
Imagine living in the alternate universe where open source or privacy had a Jenny McCarthy.
Because no one made it illegal?
Good stuff. You might find more interesting data by implementing Frida [0] into your process to snoop on encrypted traffic normally not visible due to pinned certificates.
[0] https://frida.re/docs/home/
And more specifically just use the maintained scripts from HTTP Toolkit.
https://github.com/httptoolkit/frida-interception-and-unpinn...
Excellent, thank you. There’s a lot to Frida.
HTTP Toolkit only mentions using jailbroken iOS devices, but you can also use unjailbroken devices running v13+ via injection [0]
[0] https://frida.re/docs/ios/
I haven't gone through setting it up (yet) but I imagine there should be differences between EU and US versions of the apps. Is that something you expect to and if so, are you recording that info in your survey? Or am I just naive here?
The difference should be only at the consent level, eg you might see less or more “Accept All” buttons with different design or different ToS linked. I don’t believe there’s a real difference on the code or even SDK level based on geo.
Doesn't California have partially stricter laws than the EU?
solid observations and good analysis! so, seems too obvious, are you truly in pioneer territory - nobody else is doing what you've done here?
I mean, there should be something! Maybe not with this exact list of apps, but the code should be similar to other "how-to-record-traffic" guides.
Many thanks for your eyes opening article!
Hopefully you have a third article on the making testing whether common privacy technics are effective ?
Are you aware of any sousveillance projects with the goal of identifying and monitoring the people responsible for this tracking?
Most of us need cellphones so are we just out of luck?
You need a cellphone, but you really don't much on it. Browser, email, a chat app or three, banking, navigation, public transport/parking. Most of these have good privacy-minded options or are usually not the biggest offenders. It's games, ecommerce, social media and such that do the most spying, and you can absolutely live without those apps.
Does turning off data (mobile+wifi) when not actually using any app help at all (on Android)? Will apps still be able to phone home in the background? Or will they just fill up a huge cache with data and bulk-transfer it the next time the phone is online?
Maybe at least disconnecting from the internet while not using it will make location tracking slightly more difficult?
Yes? I assume. If I’m international and am not using my US plan they’d better not be using my home plan in background and I’ve never seen any evidence they were.
Is that true though? I know the banks sell my info to third parties.
I love games. Is there no way to safely block their network calls?
If you love games that much, why not get a dedicated gaming device? One that you use purely for gaming and don't expose your non-gaming accounts or info on. There's no reason why the entertainment device and the personal communication device need to be the same one, right? Just like there is no reason why you should log in with your old hotmail account on your Xbox just because they are both MS.
Ideally it wouldn't even have an enabled web browser.
If you find yourself unable to do this, that's a sign that "love" is actually addiction which means the upside for actually decoupling is probably a lot bigger than you imagine if you disregard the idea.
>I love games. Is there no way to safely block their network calls?
Use a VPN?
Or another phone, anyway best gaming phone ain't the best phone/smart device for other parts of our lives
Has anyone else actually tried it themselves?
[dead]