XPost: alt.comp.os.windows-10, alt.comp.microsoft.windows, alt.c   
   mp.os.windows-11   
   From: marianjones@helpfulpeople.com   
      
   R.Wieser wrote:   
   >> How could anyone discover that AA:BB:CC:11:22:33 belongs to Arlen?   
   >   
   > Easy : Someone drives up to his house and than checks their phone which   
   > SSIDs it detects. :-)   
      
   Here's the key thing we need to do to gain an appreciation for privacy.   
      
   I suggest anyone else who thinks a BSSID is "just a number" begin to   
   separate the object being tracked from the person being inferred.   
      
   This is a very common but very incorrect assumption:   
    "If the thing being tracked isn't me, then I'm not being tracked."   
      
   That is factually wrong, and the academic research we have been citing   
   makes that abundantly clear.   
      
   We need to take the time to understand how modern tracking systems work.   
   Because there are layers of complexity involved that interplay together.   
      
   The privacy risk in Apple's WiFi Positioning System is not what most think   
   it is. The core issue is not whether the scanning device is tracked.   
      
   The core problem is that the WiFi access point itself becomes a traceable   
   object because Apple publishes its GPS coordinates in a global database.   
      
   I've proved it's trivial to obtain the entire WPS database for the mere   
   cost of modifying the public FOSS scripts and a few GB of disk space.   
      
   Apple's WPS stores billions of BSSIDs along with their latitude and   
   longitude. Anyone can query those coordinates. If a BSSID moves, its   
   movement can be tracked. If that BSSID is inside a car, an RV, a backpack,   
   a travel router, a MiFi hotspot, or even a home router that gets relocated,   
   then the person carrying it is tracked indirectly.   
      
   This is exactly what the University of Maryland paper "Surveilling the   
   Masses with Wi-Fi-Based Positioning Systems" demonstrated. The researchers   
   tracked cars, delivery vehicles, people, and sensitive facilities simply by   
   watching BSSIDs move in Apple's database. No user device needed to be   
   compromised. The BSSID itself is the tracking beacon.   
      
   It was trivial for me to reproduce their results.   
    a. I created sequential (or random) valid BSSIDs   
    b. I looked them up and found where they were located   
    c. That gave me the next nearest 400 BSSIDs also   
      
   From that list, I could expand outward (if I felt like it, and I do not).   
   Which is exactly what the researchers said could be done (read the paper).   
      
   Once I have a BSSID of interest, I could track its movements.   
   Which I proved was trivial (where I set movement at 100km distance).   
      
   Again, that's exactly what the researchers said could be done.   
   And I did it.,   
      
   Apple's system is so different from everyone else's system that it was   
   trivial for me, a nobody, to do it - using open source code out there.   
      
   This is the primary, documented, peer-reviewed risk. It does not depend on   
   speculation about Apple's internal behavior. It is observable, measurable,   
   and repeatable. Anyone with a script can look up the GPS coordinates of any   
   BSSID in the database and monitor its movement over time.   
      
   Separately, it is also true that Apple receives the location of the device   
   that reports nearby BSSIDs, because that is how the database is built. That   
   is a different issue, and Apple does not publish that data publicly. But it   
   shows that both the reporting device and the BSSID itself become part of   
   Apple's location infrastructure.   
      
   The important point is that the BSSID does not need to be "associated with   
   you" for this to reveal your movements. If the BSSID moves with you, then   
   tracking the BSSID is tracking you. That is the core finding of the   
   academic research, and it is the part that cannot be dismissed.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)