It's hard to stop businesses tracking your smartphone

It's a lot easier to stop advertisers tracking your browsing habits online than it is to stop people sniffing out your smartphone's location.

Remember the advertising scenes from Minority Report?

You might also remember the very creepy Wi-Fi tracker bins that appeared in the City of London in August. Operated by Renew London, they tracked the smartphones that walked past them in the street. The bins had screens on them that could show ads that were theoretically tailored to the people walking past at any moment. 530,000 unique smartphones were tracked before the City pulled the plug on the initial trial over privacy concerns.

The problem here is that your smartphone isn’t connecting to a network and handing over information without your permission - it’s just broadcasting that it’s turned on. If your Wi-Fi card is actively searching for available networks it has to tell those networks who it is, and that identity is a 12-character string of hexadecimal digits (letters and numbers, usually written as six pairs) known as a MAC address.

It’s rather like walking around with your house number and postcode written on a note stuck to your forehead. People won’t know anything about you specifically, but with enough watchers recognising that note going from place to place they can build up a pretty good picture of the kind of person you are: whether you prefer to shop at Tesco over Sainsbury’s; whether you’re more likely to buy chicken with wine or beef with beer; whether your interest in certain health products might mean you’re pregnant without even realising it yet.

There are as many as 40 firms offering tracking services like this to stores that want to see how their customers shop, the Washington Post reports. That means where they go in the store, how long they wait at the tills, which products they cluster around, how often they visit - and which other stores they also visit. Minority Report’s eye scanners are unrealistic in their lack of ambition: they’re far more complicated than they need to be, and they aren’t even part of an integrated system.

Online advertising has been shaken up in the wake of the largest browsers introducing ‘Do Not Track’ features. When turned on, they stop adverts from placing cookies on your machine so they can follow you around the web, adjusting what they show you dependent on where you’re looking.

You can’t really do that with a smartphone’s MAC address, but several companies like this do let people enter their MAC addresses into a database manually as a kind of opt-out. It’s time-consuming, and of course it’s not particularly well advertised. Hence the need for the Wireless Registry. Here’s Brian Fung at the Washington Post:

Together with the Future of Privacy Forum, [founders Stillman Bradish and Patrick Parodi] hope to build a kind of central Do Not Call list for MAC addresses. At least in theory, consumers will be able to visit a single Web site, register their MAC addresses for free, and the major tracking companies that have committed to the project will pledge not to follow those addresses around brick-and-mortar stores. It's a form of potential self-regulation that should look familiar if you've been following the debate over online tracking, where Web browsers have begun letting users tell commercial Web sites they don't wish to be followed.

As a solution it seems a good one, but the flip-side is that it would only take one leak for a very, very valuable list of unique smartphone identifiers to suddenly be available in the wild. It's likely that we'll see more solutions like this being suggested - both from the tech industry and from governments - as offline tracking becomes more of a privacy worry.
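To make the two points above concrete - that a bare MAC address lets separate sensors stitch one phone's movements together, and that a central opt-out list is only as safe as the way it stores those addresses - here is an added example in Python. It is not code from the article, from Renew London or from the Wireless Registry, and the design it shows is an assumption: an opt-out list that keeps a keyed hash (HMAC-SHA256) of each registered address instead of the address itself, so a copied list on its own does not read as a list of phones. The sensor names, timestamps and MAC addresses are constructed sample data.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample sightings: (sensor, MAC as seen on air, timestamp).
# Note the same phone appears in two notations, and one record is malformed.
SIGHTINGS = [
    ("bin-cheapside-01",  "A4:5E:60:11:22:33", "2013-08-12T08:01:00"),
    ("bin-cheapside-01",  "F0:D1:A9:44:55:66", "2013-08-12T08:01:30"),
    ("bin-bank-02",       "a4-5e-60-11-22-33", "2013-08-12T08:14:00"),
    ("store-tesco-07",    "A4:5E:60:11:22:33", "2013-08-12T18:30:00"),
    ("store-sainsburys-3","F0:D1:A9:44:55:66", "2013-08-12T18:45:00"),
    ("bin-bank-02",       "ZZ:ZZ:ZZ:ZZ:ZZ:ZZ", "2013-08-12T19:00:00"),
]


def normalize_mac(mac):
    """Return the address as 12 upper-case hex digits, or None if it is malformed.

    Sensors and users write MACs with ':' or '-' separators and mixed case;
    without normalising, the same phone would look like several devices.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


class OptOutRegistry:
    """Hypothetical opt-out list storing keyed hashes of MACs (assumed design)."""

    def __init__(self, key):
        self._key = key          # held by the registry, not by the trackers
        self._entries = set()

    def _tag(self, mac12):
        return hmac.new(self._key, mac12.encode(), hashlib.sha256).hexdigest()

    def register(self, mac):
        mac12 = normalize_mac(mac)
        if mac12 is None:
            raise ValueError("not a valid MAC address: %r" % mac)
        self._entries.add(self._tag(mac12))

    def is_registered(self, mac12):
        return self._tag(mac12) in self._entries

    def export(self):
        """What a leaked copy of the list would contain: tags, not addresses."""
        return sorted(self._entries)


def build_profiles(sightings, registry):
    """Group sightings by device, dropping opted-out and malformed records.

    Returns (profiles, stats): profiles maps a normalised MAC to a
    time-ordered list of (timestamp, sensor); stats counts what was dropped.
    """
    profiles = defaultdict(list)
    stats = {"kept": 0, "opted_out": 0, "malformed": 0}
    for sensor, mac, ts in sightings:
        mac12 = normalize_mac(mac)
        if mac12 is None:
            stats["malformed"] += 1
            continue
        if registry.is_registered(mac12):
            stats["opted_out"] += 1
            continue
        profiles[mac12].append((ts, sensor))
        stats["kept"] += 1
    return {m: sorted(v) for m, v in profiles.items()}, stats


if __name__ == "__main__":
    registry = OptOutRegistry(key=b"registry-secret-key")   # constructed key
    registry.register("F0:D1:A9:44:55:66")                  # one user opts out
    profiles, stats = build_profiles(SIGHTINGS, registry)
    for mac12, visits in profiles.items():
        print(mac12, "->", [sensor for _, sensor in visits])
    print(stats)
    print("leaked list would show:", registry.export())
```

The one phone that did not opt out is followed from a bin on Cheapside to a bin at Bank to a Tesco that evening, which is exactly the cross-location picture the article describes. The opted-out phone is seen twice but never profiled, and the exported list contains only hashes. The caveat a practitioner would add: a MAC is only 48 bits, so an unkeyed hash of one could be recovered by simply trying every address; keying the hash helps only as long as the key is held by the registry and the trackers have to ask it, rather than receiving the key along with the list.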

Each smartphone gives some stores valuable data. (Photo: Getty)

Ian Steadman is a staff science and technology writer at the New Statesman. He is on Twitter as @iansteadman.


Marcus Hutchins: What we know so far about the arrest of the hero hacker

The 23-year-old who stopped the WannaCry malware that attacked the NHS has been arrested in the US.

In May, Marcus Hutchins - who goes by the online name Malware Tech - became a national hero after "accidentally" discovering a way to stop the WannaCry virus that had paralysed parts of the NHS.

Now, the 23-year-old darling of cyber security is facing charges of cyber crime following a bizarre turn of events that has left many baffled. So what do we know about his indictment?

Arrest

Hutchins, from Ilfracombe in Devon, was reportedly arrested by the FBI in Las Vegas on Wednesday, before he could travel back from the cyber security conferences Black Hat and Def Con.

He is now due to appear in court in Las Vegas later today after being accused of involvement with a piece of malware used to access people's bank accounts.

"Marcus Hutchins... a citizen and resident of the United Kingdom, was arrested in the United States on 2 August, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing the Kronos banking Trojan," said the US Department of Justice.

"The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015."

His court appearance comes after he was arraigned in Las Vegas yesterday. He made no statement beyond a series of one-word answers to basic questions from the judge, the Guardian reports. A public defender said Hutchins had no criminal history and had previously cooperated with federal authorities. 

The malware

Kronos, a so-called Trojan, is a kind of malware that disguises itself as legitimate software while harvesting unsuspecting victims' online banking login details and other financial data.

It emerged in July 2014 on a Russian underground forum, where it was advertised for $7,000 (£5,330), a relatively high figure at the time, according to the BBC.

Shortly after it made the news, a video demonstrating the malware was posted to YouTube allegedly by Hutchins' co-defendant, who has not been named. Hutchins later tweeted: "Anyone got a kronos sample."

His mum, Janet Hutchins, told the Press Association it is "hugely unlikely" he was involved because he spent "enormous amounts of time" fighting attacks.

Research?

Meanwhile, Ryan Kalember, a security researcher from Proofpoint, told the Guardian that the actions of researchers investigating malware may sometimes look criminal.

“This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure," said Kalember. "Lots of researchers like to log in to crimeware tools and interfaces and play around.”

The indictment alleges that Hutchins created and sold Kronos on internet forums including the AlphaBay dark web market, which was shut down last month.

"Sometimes you have to at least pretend to be selling something interesting to get people to trust you,” added Kalember. “It’s not an uncommon thing for researchers to do and I don’t know if the FBI could tell the difference.”

It's a sentiment echoed by US cyber-attorney Tor Ekeland, who told Radio 4's Today Programme: "I can think of a number of examples of legitimate software that would potentially be a felony under this theory of prosecution."

Hutchins could face 40 years in jail if found guilty, Ekeland said, but he added that no victims had been named.

This article also appears on NS Tech, a new division of the New Statesman focusing on the intersection of technology and politics.

Oscar Williams is editor of the New Statesman's sister site NS Tech.