Your phone's Wi-Fi is leaking. It's telling Kyle McDonald, and people like him, where you've been. It might be telling him where you live and where you work, where you go to school, and what websites you're visiting. And although you've probably been blissfully unaware of all this, he's going to throw this data up on a big screen for all to see at this year's Moogfest.
"Sometimes, I just kind of check out what people around me are doing," said McDonald, a programmer and multimedia artist. "Sometimes that means knowing what websites they're on, but with non-HTTPS websites, you can also see what pages they're looking at."
Your phone's greatest Wi-Fi weakness is in the "probe request frame," which checks to see if a local Wi-Fi network is one your device already knows about, McDonald said. That often contains a list of past networks the phone has connected to, and because a lot of networks have informative names, it can reveal where you spend your time, he said.
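To check what your own device gives away, the probe request frames it sends can be parsed for the network name each one carries and for whether the sending address is randomized. The sketch below is an added example, not code from McDonald or the installation; it assumes raw 802.11 frames with no radiotap header or trailing checksum, and the addresses and network names in it are constructed.

```python
import struct
from collections import defaultdict

PROBE_REQ = 0x40   # frame-control byte 0: version 0, type 0 (management), subtype 4
HDR_LEN = 24       # fixed 802.11 management header; no radiotap, no FCS (assumption)

def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, else None. ssid "" = wildcard."""
    if len(frame) < HDR_LEN or frame[0] != PROBE_REQ:
        return None
    src = frame[10:16].hex(":")            # addr2 is the transmitting device
    body, pos = frame[HDR_LEN:], 0
    while pos + 2 <= len(body):            # walk the tag/length/value elements
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                    # truncated element: reject the frame
        if tag == 0:                       # element ID 0 is the SSID
            return src, value.decode("utf-8", "replace")
        pos += 2 + length
    return None

def is_randomized(mac: str) -> bool:
    """Locally administered bit (0x02 of the first octet) marks a non-factory address."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(frames):
    """Per source MAC: is the address randomized, and which network names were sent?"""
    seen = defaultdict(set)
    for parsed in filter(None, map(parse_probe_request, frames)):
        mac, ssid = parsed
        seen[mac].update([ssid] if ssid else [])   # wildcard probes name no network
    return {mac: {"randomized": is_randomized(mac), "directed_ssids": sorted(names)}
            for mac, names in seen.items()}

def make_probe(src_mac: str, ssid: str) -> bytes:
    """Build a constructed sample frame: header, SSID element, supported-rates element."""
    src, bcast = bytes.fromhex(src_mac.replace(":", "")), b"\xff" * 6
    header = struct.pack("<BBH6s6s6sH", PROBE_REQ, 0, 0, bcast, src, bcast, 0)
    name = ssid.encode()
    return header + bytes([0, len(name)]) + name + bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])

# Constructed sample data: addresses and network names are made up.
SAMPLE = [make_probe("00:11:22:33:44:55", "Acme-Corp-Guest"),
          make_probe("00:11:22:33:44:55", "Elm-Street-Home"),
          make_probe("00:11:22:33:44:55", ""),
          make_probe("02:00:00:aa:bb:cc", "")]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A device that shows up with a factory address and a list of named networks is the leaky case; one that sends only wildcard probes from a randomized address reveals neither its history nor a stable identifier.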
Beyond that, if you're on an unsecured network, your Web page requests go out in the open, although if you're lucky, the pages themselves will be encrypted.
"My research indicates that Instagram sends photos over the air unencrypted. Just this evening, I did a 'quick sniff' of myself scrolling through Instagram," McDonald said.
While Instagram uses secure HTTPS for API calls, security research has shown that photo URLs are unencrypted. The company is currently working on switching photo URLs to HTTPS, which would foil eavesdroppers in that particular case. But there's still a lot of data your phone will be leaking.
Who's Watching You?
You're probably not being surveilled by another patron at Starbucks, unless you're unlucky enough to be drinking coffee near McDonald. But "it's absolutely certain that everybody is being surveilled all the time" by some entity, he said. (That could be network managers, ISPs, wireless carriers, or the government, for instance.)
He also pointed out other ways Wi-Fi leakage can be used without your permission: there's a company called Nomi that uses your phone's Wi-Fi to track your location in a store, without telling customers they're being tracked. Nomi settled with the FTC last year about not offering a promised opt-out in stores using its system, although it still doesn't promise it will tell you if you're being sniffed.
"It's worth bothering about if you care about being yourself," McDonald said. "It's kind of hard to go back to not caring about this. When you know you're leaking data, you act differently and you present yourself differently."
At their Moogfest installation called "The Wi-Fi Whisperer," McDonald and Surya Mattu will be collecting data from everyone on the public Wi-Fi network, as well as anyone who passes by the installation. A speaker will whisper key tidbits, such as "an Instagram image is being downloaded right now," and four monitors will run Google searches based on the data, showing how easy it is to connect it to personal information. On an associated website, McDonald will ask poll questions based on data from participants who have agreed to share it: "do they seem dangerous? Are they a dog person? Do they own a car?"
McDonald's past projects have often involved crowdsourcing and social networking, and he's borrowing some ideas here from his last project, which crowdsourced annotations of 12 hours of video. Here, he's using the crowd to choose what the sniffed information "means."
So how do you protect yourself? Apple devices are somewhat better than Android 5 devices at probe request privacy, according to a paper from Xerox PARC. The jury seems to still be out on Android 6. Turn off your Wi-Fi unless you really need it, McDonald says. Don't connect to networks that don't require a password. And if you're still worried, develop your knowledge about how to increase data security.
Cellular networks are much harder to sniff, although of course some agencies can look at pretty much any network they want to, McDonald said.