EFF Guide to Street Level Surveillance (eff.org)
166 points by aestetix on Aug 6, 2015 | 26 comments



I would like to see them cover Bluetooth and 802.11-based tracking. Most people I've talked to are unaware that their wifi device periodically sends out probe requests containing its unique MAC address (some more frequently than others, in my testing), which can be used to correlate your location and build a profile.

It's not even difficult, I set up a Raspberry Pi to do it and graphed the arrival and departure times of individual workers in my office. There are businesses putting tracking across a constellation of retail partners, then selling the partners information about what other stores their customers visited.

And yes, I'm aware that iOS 8 is supposed to randomize your MAC address to guard against this (cynically I'd say it helps them push iBeacons) but as of September 2014, it wasn't really working as you'd expect: http://www.imore.com/closer-look-ios-8s-mac-randomization
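A check for the MAC randomization point raised in the comment above, as an added example that is not part of the original thread: it audits probe-request source addresses logged from your own device and reports how often the globally unique address was exposed. The sample log, its addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: (seconds, source MAC) of probe requests captured from
# your own test device. Every address here is made up for illustration.
SAMPLE_PROBES = [
    (0,   "00:11:22:33:44:55"),   # U/L bit clear: globally unique address
    (40,  "00:11:22:33:44:55"),
    (95,  "da:a1:19:0b:77:c2"),   # U/L bit set: locally administered
    (150, "da:a1:19:0b:77:c2"),
    (210, "62-3F-9C-00-1A-2B"),   # locally administered, hyphen notation
    (260, "0011.2233.4455"),      # global address again, dotted notation
]

def parse_mac(text):
    """Return the six address bytes, accepting ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(mac):
    """Classify a source address by the two low bits of its first octet."""
    if mac[0] & 0x01:
        return "group"    # I/G bit: multicast, not a valid station source
    if mac[0] & 0x02:
        return "local"    # U/L bit: locally administered (randomized MACs set it)
    return "global"       # vendor-assigned address that identifies the device

def audit(probes):
    """Summarize how often a device exposed a globally unique address."""
    kinds = Counter()
    seen = {"global": set(), "local": set(), "group": set()}
    for _ts, text in probes:
        mac = parse_mac(text)
        kind = classify(mac)
        kinds[kind] += 1
        seen[kind].add(mac)
    total = sum(kinds.values())
    return {
        "global_probes": kinds["global"],
        "local_probes": kinds["local"],
        "distinct_local": len(seen["local"]),
        "leak_ratio": kinds["global"] / total if total else 0.0,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_PROBES))
```

A nonzero `leak_ratio` means the device still sent probes from its stable address during the capture window.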


Don't forget EZ-Pass. There are readers on various major roads around here, not in a toll capacity. I think they're used by state DOT to assess traffic flow.

Eg: http://www.autoblog.com/2011/06/27/e-zpass-privacy-invasion/

and: http://www.forbes.com/sites/kashmirhill/2013/09/12/e-zpasses...


Don't forget the RFID tags in your car wheels (TPMS and probably tires): http://www.computerworld.com/article/2519983/data-privacy/ti...


Tire serial numbers are registered with the DOT, too, AFAIK.


The first article says that you don't have to use EZPass if you are concerned about privacy, and the eventual automation of speeding tickets. That won't be true forever. I've run into some tolls that are EZPass ONLY. Some of them read your license plate and send you a bill if you don't have EZPass. And here in Massachusetts, on the Mass Pike, if you don't use EZPass, you will be penalized when you get your bill for road usage. The justification is that scanning your plate and then finding your address costs the government more money.


> That won't be true forever. I've run into some tolls that are EZPass ONLY. Some of them read your license plate and send you a bill if you don't have EZPass.

This is true as of recently for the Golden Gate Bridge as well. :/


I recommend the Wi-Fi Privacy Police, a.k.a. Pry-Fi: https://github.com/BramBonne/privacypolice


Do you have any info on the Raspberry Pi graphing arrival/departure times?


We mostly followed http://mw2013.museumsandtheweb.com/paper/3817/ which relies on https://github.com/IMAmuseum/visitorflow. I don't remember a great deal about it as it was a prototype that never got turned into anything else.


Wow, great information, thanks very much.


Did your employees know you were tracking them in this manner? Seems pretty creepy to me...


If you have an electronic device on you, you are leaving a trail behind, like footsteps. Is it creepy or illegal to follow or collect those [footsteps]? I telecommute (*) and easily check if people are in or not by pinging their computers (you may check for visibility of samba shares) - they have no expectation of me knowing they are in or not, but by no means do I see this as less creepy than your instant messenger of choice showing you as online and me checking. It is increasingly becoming a bigger and bigger responsibility of ours to stop leaving these traces behind.

* I have never been told, but can easily imagine my VPN connection logs (server side) can be checked for when I logged in/out (not that they could even imagine I get in also via ssh/port forward through another box, when the VPN is down due to admin negligence) so I have no expectation of privacy there either.


OP didn't say they were his employees.


Colleagues then. Makes no difference. I wonder if his employer minded him tracking them?


First of all, OP can already track other people in the office by observing when they come and go. What's the moral difference between that and checking to see whether they also emit some electronic signal when present?

Second, it's common for workplaces to have cameras and doors with badge access that track this sort of thing already. So it's not like he would be doing anything creepy even if he were the employer.


Irrelevant. It's all about expectations. If people know that they're being tracked in this manner and they're happy with it, then fine. It becomes creepy when they're being tracked by a colleague without them knowing about it. In the same way that hiding a GPS monitoring device on your partner's car without them knowing would be creepy.

Hence my question: Do his colleagues know he is doing this?

[edit] I know I am being "tracked" by colleagues when they are physically present and can see me enter the room. I also know I am being tracked by my employer when I use my swipe card to enter the office building. What I assume is not happening is that any of my other colleagues have electronic devices collecting my arrival/departure times for whatever purpose, regardless of their presence.

What if he started hiding microphones in the office? Is that ok? After all, if you say something out loud in the office, people can already use their ears to track it...


OP here. There were five of us and we all knew it was happening because it was a prototype for a client we were pitching. But we collected data from several hundred unique MAC addresses from the surrounding office spaces, including their wireless NAS and Philips HUE lightbulbs.

We never knew the MAC addresses of anybody but ourselves, though with physical surveillance we could have correlated MAC addresses to comings and goings.

Basically I don't feel that this is particularly creepy unless you are applying it to identifying and tracking specific people. For bulk population metrics I have no problem whatsoever, and I have no problem being tracked in this way, but as a data analyst I know that the line between 'fine' and 'invasive' is a single SQL query.

It's kind of like how tracking phone calls metadata for billing is OK, while tracking it for surveillance is not, and the difference is the collector's intention.


I see what you mean. If OP was tracking the other people in his office secretly, when he wasn't around, then it would be a violation of their privacy.


> What's the moral difference between that and checking to see whether they also emit some electronic signal when present?

This is the key question actually, so I'm glad you asked it.

Manually observing someone and making a note costs resources. Which means you won't bother doing it unless you have reasonable cause to. If John in accounts has a reputation for being late and not getting his work done, you might decide to have someone make a note of what time he comes in and leaves.

If it's automated, that cost goes away, and you can just randomly trawl the data and look for anyone; it's become massively asymmetric. Suddenly John in accounts who was 10 minutes late every day but doing a good job gets a call from HR.

This is generally the problem with mass surveillance and putting the data into easily queried databases: the cost to query and surveil becomes much much less, which removes the need to have reasonable cause -- you can just go for fishing trips and see what you find.


It's not terribly common, but my workplace is a union shop, and electronic monitoring of employee movements is mostly forbidden by contract for most folks.


> What's the moral difference between that and checking to see whether they also emit some electronic signal when present?

If you are visually noted to be somewhere, then you usually subconsciously know that you were noted. He saw you, and you saw him seeing you.


There is an emerging set of strategies at the local level for mitigating street level surveillance.

It consists of watching your city council agenda for consent to purchase new surveillance technology via Department of Homeland Security grant.

Use this occasion to push for a privacy policy that governs the new equipment as a condition of purchase.

Restore the Fourth SF Bay Area, Oakland Privacy et al. are seeing a pattern emerge where the purchase is either delayed or the privacy policy is adopted.

It's often possible to sign up for email alerts of the agenda for city council meetings.


This is such a great opportunity. I hope they can expand the content to include information like 1) where should I look for it and 2) what do I do when I encounter it. This could help bring the general concerns out of that's-so-tinfoil territory and make the content more shareable with the general public.


To make your analogy more precise, the article is in that's-so-mind-control-rays territory. Your proposed addition would be, "wear a tinfoil hat!"


Not necessarily.

The "tinfoil hat" approach is a personal-scope solution.

Part of the "what do I do when I encounter it" course of action could involve a societal-scope solution. E.g., getting involved with privacy advocacy groups or pressuring relevant lawmakers to roll overreach back. (This is, admittedly, far more work and far less likely to succeed.)


By Street Level I hoped they meant "tails", direct (camera, video, shotgun mike), that kind of thing.



