XPost: comp.mobile.android, alt.internet.wireless   
   From: boogabooga@crazyhat.net   
      
   In the last episode of , Chris   
    said:   
      
   >Andy Burns  Wrote in message:   
   >> Dave Higton wrote:   
   >>   
   >>> I'm not sure what exctly you want to know.   
   >>   
   >> If everyone around me has a cellphone that tells Google what my   
   >> ssid is,   
   >   
   >For a start the SSID is not synonymous with you. It is linked to   
   > the WiFi of an access point (AP), which may or may not be a home   
   > router.   
   >   
   >> and if they then "see" that ssid when I try to connect   
   >> at a hotspot,   
   >   
   >Er. How does a mobile hotspot relate to a home broadband router's   
   > SSID? Colour me confused.   
   >   
   >> they instantly know exactly who I am simply by   
   >> putting two and two together.   
   >   
   >No they don't.   
   >   
   >1) an SSID can't identify you   
   >2) a hotspot can't identify you   
   >   
   >(1) + (2) still means someone can't identify you.   
      
   They can't directly identify you, however, simply having a list of SSIDs   
   and BSSID that a device has identified and used in the past, along with   
   timeframes when those are added, would allow one to infer a lot of data   
   about the behaviour of those individuals. Google at least collects the   
   SSID here, and possibly the BSSID.   
      
   Already Google has a list of every BSSID, and it's associated SSID,   
   along with some indication of when it went online, as well as when it   
   moves.   
      
   Finally, each wireless device broadcasts it's own MAC address during   
   scanning as well as normal activity. While some security-conscious   
   devices do randomize their MAC address during active scanning, I'm not   
   aware of Android doing this, and even if they do, once you connect, a   
   consistent MAC address is typically used.   
      
   Knowing a combination of the SSIDs to which a user connects and details   
   about the timing will give you a lot of knowledge, potentially enough to   
   uniquely identify a person in a very short amount of time.   
      
   Of course this is relatively moot since it's attached to a Google   
   Account where you have already provided Google a way to identify you,   
   however, an omnipotent network observer could learn a lot more than you   
   might guess just by collecting SSID and BSSID data from devices, and MAC   
   address visits from base stations -- A large organization such as Google   
   might move into this world by creating their own line of powerful access   
   points with a "cloud" management component, along with a widely deployed   
   line of mobile devices that are dependent on Google's infrastructure and   
   offer features to upload data automatically for use convenience.   
      
   And for the record, do I care? No. I connect to public wifi, I   
   understand the risks (and can encrypt data over said wifi when needed),   
   I especially connect to the access points provided by my service   
   provider(s), and I synchronize my network history between my own mobile   
   devices as well as frequently use location services.   
      
   --   
   There truly is more than one way to skin a cat,   
   but the limited market for cat skins makes learning   
   more than three methods impractical.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)