The researchers behind an earlier version of Snoopy that tracked only Wi-Fi signals have already used it to track more than 42,000 unique devices during a single 14-hour experiment in 2012 at the King’s Cross train station in London. They have also unleashed Snoopy in a variety of other environments over the past two years, including at several security conferences. By taking careful notice of the Wi-Fi networks the devices have previously accessed (and continue to search for), the researchers were able to detect likely relationships among users. Four devices that hailed an SSID that the researchers geolocated to a London branch of one of the UK’s largest banks, for instance, were presumed to belong to coworkers of the financial institution.
via Meet Snoopy: The DIY drone that tracks your devices just about anywhere | Ars Technica.
This is why devices should default to wifi being off and only turned on when a user wants to use a public wifi. Devices with wifi on will try and get an IP address via DHCP from any open wifi or wifi with a well known SSID — which can be spoofed by anyone. This usually isn’t a problem. The most they get is the layer 2 MAC address of the device which is unique. This could be put into a database and used for tracking.
Sometimes devices will spill IP addresses through ARP requests on networks they think they are still on and this can be problematic.
Sometimes, that will mean exploiting people who are not of a particular class, say upcharging men for flowers if a computer recognizes that that he’s looking for flowers the day after his anniversary. But other times there could be troubling equity concerns. For example, Calo points to the work of NYU professor Oren Bar-Gill who has shown how companies can use complexity in credit-card contracts, mortgages, and cell-phone contracts to “hinder or distort competition and impose outsized burden on the least sophisticated consumers.” Calo says such price-discrimination tactics, applied en masse online, could “lead to regressive distribution effects,” also known as preying on the vulnerable.
via What Does It Really Matter If Companies Are Tracking Us Online? – Rebecca J. Rosen – The Atlantic.
From the paper, Digital Market Manipulation
A new theory of digital market manipulation reveals the limits of consumer protection law and exposes concrete economic and privacy harms that regulators will be hard-pressed to ignore. This Article thus both meaningfully advances the behavioral law and economics literature and harnesses that literature to explore and address an impending sea change in the way firms use data to persuade.