Xfinity using WiFi signals in your house to detect motion
xfinity.com663 points by bearsyankees 4 days ago
663 points by bearsyankees 4 days ago
> Subject to applicable law, Comcast may disclose information generated by your WiFi Motion to third parties without further notice to you in connection with any law enforcement investigation or proceeding, any dispute to which Comcast is a party, or pursuant to a court order or subpoena.
Sounds like, at least in some limited circumstances (using the provided WiFi AP, having this feature turned on, etc), ISPs are going to be able to tell law enforcement/courts whether anyone was home at a certain time or not.
The solution here shouldn't be technical; it should be legal.
If we rely on the technical path, Comcast can achieve the same by how many active IPv6 addresses are in use. Even if you aren't using your phone, the device is going to be constantly pinging services like email, and your ISP can use that to piece together how many people are at home.
If we rely on legal protection, then not only Comcast, but all ISPs will be prohibited from spying on their customers. Ideally the legislation would be more broad and stop other forms of commercial/government surveillance, but I can't imagine a world where Congress could actually achieve something that widely helpful for regular citizens.
We suffer from a problem that engineers want nothing to do with politics. I 1000% agree we need a digital bill of rights. It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it. For my protection -_-
I want privacy codified in human law. I didn't vote for standards bodies to pave the road to hell by removing every goddamned persistent handle we can find from existence. I didn't vote for the EU to reinvent an internet worse than popup ads by attacking the symptoms not the cause. I would rather have the internet of the 2000s back in a heartbeat than keep putting up with shitty “technical solutions” to corporations having too much power at scale. I don’t care if people break the law: prosecute them when they do and make the punishments enough to deter future law breakers.
There is absolutely something civilized beyond a lawless advertising wild west where the technical solution is to all be masked Zorros.
Why is it that if someone said “we need a legal solution to gun violence” the people that say “no we need a technical solution all people should wear kevlar and carry 9mm pistols” are considered the lunatics but when we ask for a legal solution to rampant non-consensual tracking for the purpose of indoctrinating the consumer class with propaganda we all laugh and say bah the solution must be technical? I don’t get it.
> I want privacy codified in human law
Article 12
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks
- Paris, 1948, Universal Declaration of Human Rights
Protecting privacy is a real challenge today. Using tools like Loyally ai can help businesses respect and secure personal data better. It’s a simple step that made things clearer and safer for everyone involved.
Which says nothing about a business profiling customers that walk through the door and selling its profiles to aggregators. It says nothing about requiring consent before soliciting individuals or subjecting them to psychologically manipulative advertisements. Etc. We need more.
The problem is interpretation. The key phrase is "interference with privacy" which is ambiguous yet all encompassing. You say it says nothing toward solicitation or manipulation where I interpret both of those acts as "interference with my privacy." Not saying your version is wrong, by the way, just different from mine as a example of where the protection falls apart.
My gut feeling as that no matter how much additional and specific language we add to any bill of privacy rights, there will always be holes or work-arounds due to interpretation and semantics. This is how lawyers in most robust legal systems make their living, after all. The data that results from robbing us of consent, privacy and agency when engaged with websites, web/mobile apps and software is so insanely valuable that the people interested in collecting and selling it will be happy to keep one step ahead of whatever language we come up with that attempts to mitigate their actions.
We need a different solution, one that returns us to the levels of implied trust I remember from the late 1990's/early 2000's Internet, one that prevents corporate entities from being the dominant drivers behind its growth and development. However, I am not technical enough or imaginative enough to even guess at what that solution might be, so from my perspective, the battle is already lost and we are at their mercy unless we avoid having an online presence as much as possible...a bit like that old classic movie War Games, the only way to win is not to play.
> My gut feeling as that no matter how much additional and specific language we add to any bill of privacy rights, there will always be holes or work-arounds due to interpretation and semantics.
Nobody will ever write a perfect law and you’ll always see cases like dark patterns when people try to unsubscribe from things or try to maintain their privacy, until there is proper enforcement and businesses start getting punished for violating the intent of the law. That is also unlikely.
That's a declaration, which is not binding. The ECHR art. 8 has similar contents and is binding. However, it has a 'unless we really want to'-portion:
"except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."
Currently 'the West' happens to be doing its best to quash international law, so I'd expect even that thin veneer to crumble rather soon.
if there are no consequences to violating a law is it a law?
It's probably not a law. It might be a declaration or a proclamation or a resolution.
> It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it.
Do yourself a favor and enable the Cookie lists in uBlock Origin.
I'm personally grateful that a law requires my consent before tracking me. That means I should not be tracked without me saying OK without monetary risks.
> Do yourself a favor and enable the Cookie lists in uBlock Origin.
Could you elaborate on this please? I'm sifting through the options and not sure what I'm looking for (disclaimer: I have never once opened the uBlock Origin settings menu in all the years I've used it).
EasyList cookiefilter. Works in uBlock lite as well. It hides all permission notices and consent forms for things you are (presumably) blocking anyway.
I've found you need to remember that you've done this as occasionally I'll get a website that behaves strangely until I link the behavior to uBlock, temporarily disable it and fulfill the cookie notice, then I can enable it and proceed.
You can enable lists that block various things, you'll find this in the settings :-)
Setting a language preference cookie is not tracking and I will die on that hill. The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user. Collecting a crash report is not tracking a user. Even first party product analytics is not tracking a user.
Tracking a user across domains using a 3rd party aggregator to serve add and do attribution is the evil. And the EPD far overshoots the mark of specifically addressing that evil.
A language preference cookie is not tracking under the GDPR and doesn't need to be promoted for. Of course, if you take that language preference and feed it into your advertising to identify and target people, then it becomes tracking.
You're correct under the GDPR but incorrect under the older ePrivacy Directive. EU sites need to be compliant with both, and so the cookie banners persist.
Are you sure? That's new to me.
https://en.m.wikipedia.org/wiki/EPrivacy_Directive says
> The Directive provision applicable to cookies is Article 5(3). Recital 25 of the Preamble recognises the importance and usefulness of cookies for the functioning of modern Internet and directly relates Article 5(3) to them but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies; those that are deemed to be "strictly necessary for the delivery of a service requested by the user", such as for example, cookies that track the contents of a user's shopping cart on an online shopping service, are exempted.
Language preferences are (in all of the deployments I've seen) legally categorized as functional cookies and not strictly necessary cookies. Same with e.g. dark mode/light mode or other preference toggles
functional cookies would be strictly necessary cookies, wouldn't they?
The wording is annoying, but no. I’ve received legal advice on this topic. Functional cookies are not strictly necessary. It seems very backwards but it’s how the industry currently treats things.
Read: https://gdpr.eu/cookies/ …after you dismiss the cookie banner, of course. I add this not only as a quip but to highlight that even a gdpr explainer website which you’d expect isn’t doing the evil thing of tracking users, has interpreted the relevant laws such that it finds it necessary to promt the user in order to simply explain the gdpr and epd/epr…
> This is not an official EU Commission or Government resource. [...] Nothing found in this portal constitutes legal advice.
It's easier and safer to just claim that you must prompt for everything, and it serves the goal of obfuscating bad behaviour.
Cookies that are functionally necessary to do what the user is there for, not to track them, are OK, that's the spirit and intent of the law. Even if you think the wording means that, realistically, the EU isn't coming after anyone for a legitimate good-faith use of language cookies without a banner, and they'd clarify if that was how they intended to enforce it.
The way I read this proves you wrong:
> Cookie compliance [heading]
> To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
> Receive users’ consent before you use any cookies except strictly necessary cookies.
(emphasis not mine, but would have added it)
A language preference cookie is colloquially considered a preferences cookie, which is included in the except strictly necessary cookies.
I'm not sure what you mean but our ancestor comment describes this clearly.
A language preference cookie is not tracking.
You didn't read what I sent. https://news.ycombinator.com/item?id=44434919
The GDPR is different from the ePrivacy Directive. The EPD is responsible for cookie consent. And it has the language addressing preferences cookies.
I did, I quoted stuff from it, but you are not helping. You should quote the things relevant to the point your are making. Especially when you notice people are not picking up. You also keep saying that gdpr is not EPD, but your link is short on details about this and with this point, you lead me to seek information in sections that are irrelevant.
But I see what you are saying now. That page lists the different purposes, including preference cookies (which include language preferences) and strictly necessary cookies, and I know asking consent is not necessary only for strictly necessary cookies (this page says it, I quoted that part earlier).
If that page is right, you are right and I was wrong. Thanks for persisting.
Well, that would be a shame, and that probably would explain why cd.cz makes me pick English each time I visit. I was assuming they could just save this preference in a cookie, but they obviously wouldn't be able to since I didn't provide consent, since I hide the cookie banners and they don't ask for consent later when needed.
Now, that page is not authoritative and I see it criticized here: https://www.reddit.com/r/gdpr/comments/vniefz/strictly_neces...
I guess it it safe to ask consent in doubt, but I'm not yet convinced the language cookie cannot be considered strictly necessary. How can you correctly provide a requested service to a user if you don't use a language they understand, and how storing the language is not for fulfilling an explicit request from them?
>The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user.
If your are referring to GDPR this is wrong. GDPR does not require consent for strictly necessary cookies.
>Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
Though language preference does not seem like something that requires a cookie. Just respect the Accept-Language header. There is no need to reinvent the wheel here.
No I am referring to the EPD as I state in my comment, an acronym you should know since it’s defined in the explainer you link. As someone who has experience in this area, it’s not as simple as “just use the Accept-Language header it will be fine”.
In any event, that’s besides then point. There are non-tracking cookies that get swept up in the EPD’s consent requirements. This causes way more popups than needed to address the real problem of users being tracked and profiled across domains. The result is users being inundated with consent banners on freaking homepages.
If you changed the requirements to “consent is required for marketing cookies” then I’d wager it would vastly reduce the need for these banners. You could show the banner interstitially as soon as a customer entered your funnel and wanted to try to perform spooky attribution.
In my experience the banners are useless because they don’t actually tell me whether the site is tracking me or not (the behavior I presumably want to prevent). They just tell me whether the site uses cookies, which I’m okay with 99% of the time, so I just click yes.
> There are non-tracking cookies that get swept up in the EPD’s consent requirements
Still not sure where you and nightpool got this.
We got it from understanding the legal difference between strictly-necessary and functional cookies. I’ve received legal advice on this topic. The law is crap. It is bad and harmful and botches a nuanced topic. That’s my original point.
> The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user
Nope.
That's exactly why the evil cookie modals are not on the GDPR but only on the sites that want to track you and now need to ask you for your consent before doing so. That's usually exactly where good faith GDPR detractors are wrong, and that's what needs to be repeated again and again in those discussions.
You're correct that the GDPR specifically doesn't require this, but you're incorrect that "the law" doesn't—the 2004 EU ePrivacy Directive requires affirmative consent for all cookies, and it's being enforced much more strictly now in a post-GDPR world
I answered that at https://news.ycombinator.com/item?id=44426726#44434685
No you didn’t. You’re misunderstanding the classification of strictly necessary vs functional vs marketing/tracking cookies. Go talk to a lawyer. I’m sure they will clear things up for you.
>>We suffer from a problem that engineers want nothing to do with politics.
More on point, we suffer from a problem that far too many people of all walks of life want nothing to do with politics.
Plato made the most accurate point 2300 years ago: "The penalty for not being involved in politics is you will be ruled by your inferiors."
And, even though you may not be interested in politics, politics is ALWAYS interested in you.
It should be noted that Mein Kampf's first three chapters are pretty much a call for the common citizen to start becoming more interested - if not involved - in his local politics. I am of the opinion that this is the reason that the book was banned. The antisemitism in the book is far more restrained than I was expecting. But the call to hold politicians accountable to the people - that was a surprise.
The reason is our government and regulators are captured by business concerns which profit from our data. The government in turn views mass surveillance as a powerful tool for social control. Although there are many more people whose privacy is violated by these policies than benefit from them, the rich and powerful minority is more organized in its efforts and thus comes out ahead in the balance of power.
> the rich and powerful minority is more organized
They show up. I've worked on privacy legislation at the state and local level. Barely anybody calls or writes in support. That means barely anybody would turn up to a contested primary election over it, or donate to a challenger, or organise the foregoing en masse. Contrast that with bread-and-butter or activist issues, where it's immediately clear there is political capital at the very least on the board.
Or the people elected by other humans could... IDK do their job of representing the people rather than a handful of corporations.
The problem is what I said in other comnents here. This is the fabel of sodom and gomorrah in action. We have no people with any moral compass in charge.
> do their job of representing the people rather than a handful of corporations
There is no incentive to represent the civically disengaged. Particularly on niche issues like privacy.
> We have no people with any moral compass in charge
No system works if reliant on wishing up on a star that people were better. We have a lot of problems with our republic's design. None of them can address problems people don't care to involve themselves in respect of.
>no incentive to represent the civically disengaged
THATS LITERALLY THE JOB.
You are literally arguing that if I got a job at a bank and started stealing the deposits it would be ok because I had no incentive not to.
Actually now that I think about it you are also reinforcing my point. Sodom and Gomorrah. You yourself have such poor moral compass that when another person acts maliciously you give them a pass because of course that's what they would do. Because its also what you would do because you also have no moral compass.
The city could not be saved. Not because "god" destroyed it but because the people themselves destroyed it. No good people existed there.
> THATS LITERALLY THE JOB
No, it’s not and it never has been. (Civic engagement and persistent watchfulness on liberties is a universal drumbeat across democracies.)
The courts et al are tasked with protecting the minority from the tyranny of the majority, or in this case, the engaged. Making the judiciary coëqual was our founders’ attempt at taming this tendency. But nothing knowledgeable ever written has suggested our republic should run on autopilot.
> when another person acts maliciously you give them a pass
I’m not giving them a pass, I’m saying the system is acting as designed. If people don’t give a shit about privacy but give a LOT of shits about abortion and cost of living, the elected should focus on the latter. This isn’t moral corruption, it’s responding to expressed preference. (Also, Comcast using Wi-fi to aid law enforcement is far from a black-and-white moral issue. It’s a political and legal question with multiple equilibria when it comes to right answers.)
There is being righteous and there is being right. The bulk of advocates for digital privacy enjoy the former and almost take their failure at the latter as further evidence of their righteousness. (It’s a lot easier to wax lyrical about Sodom and Gomorrah than pick up the phone once a month and attend meetings.)
Yeah the job of being and elected official is to ignore the population and seize power/money/influence for yourself....
You really are proving my original point though.
>(It’s a lot easier to wax lyrical about Sodom and Gomorrah than pick up the phone once a month and attend meetings.)
Blame that victim!
> the job of being and elected official is to ignore the population and seize power/money/influence for yourself
Non sequitur.
An elected prioritising a hot-button issue bill over one they like but which has no support is listening to their population.
> Blame that victim!
If an accurate description of choices actively made is blame, sure.
The whole point of representative democracy was supposed to be that you elect someone to represent your interests, so you don't need to participate in the day to day mundanity of managing the bureaucracy.
The bar rises. The vote was supposed to be enough. If people call in, well, that's not enough, after all, if you really cared, you'd have written an email, or filled out the correct form in the FTC call for feedback thing, which you knew was happening because you monitor the day to day activities of the FTC, the FDA, and the sixty other agencies that might ask for your opinion on something, without which oh well they'll just do what the lobbyists tell them. Oh, you did fill the form? Well, too bad, our lobbyists tell us that you're a bot. Oh, you're not a bot? Well, if you truly cared, you'd have come to the office of such and such at so and so time. You did? Well, if you truly cared, you'd attend more city council meetings, board of education meetings, representative town halls, senate town halls. You'd have written the senator, the congressperson, the state senator, the state congressperson, the mayor, the governor, the president, the president's dog.
What's becoming clear is that the idea of representative democracy is a good one, but the various implementations throughout history have missed the mark - weirdly, inevitably, all giving way with barely a whimper to highly concentrated forms of power, since the Romans.
We should seek to develop, and teach, solutions that empower each individual to take action. This liberal (as in, liberal democracy) idea that things can only get done if you convince 1000, 10,000, 1,000,000 people to do the exact same specific action, is disempowering, disenfranchising, and leads to concentration of power in the hands of the few who can wield the capital equivalent of 1,000,000 people in the form of lobbying, disinformation campaigns, or whatever other wack shit billionaires and corporations get up to.
Direct action seems to be the way to empower people to actually get things done, and syndicalist trade unionism seems to be a good way to balance between individual engagement in the serious work of organizing society, while leveraging the good ideas of representative democracy to allow representatives to manage some of the more tedious aspects of day to day communication and organization between various groups.
I freely admit this is utopian thinking, but I sure wish our world would try more experimentation in governance and organization rather than all of us just repeatedly smacking ourselves in the faces with the baseball bat of capitalist liberal democracy and hoping maybe one time we'll come away without a bloody nose or worse.
> whole point of representative democracy was supposed to be that you elect someone to represent your interests, so you don't need to participate in the day to day mundanity of managing the bureaucracy
According to whom? Nothing in the Federalist Papers or our country’s founding envisions fire-and-forget politics.
> sure wish our world would try more experimentation in governance
The correct place for this experimentation is small governments. And to my knowledge, this experimentation does happen. It just doesn’t necessarily have the effects its framers imagined. RCV didn’t break the two-party system, for example. And public-sector unions have turned into pests.
> There is no incentive to represent the civically disengaged
You're repeatedly misrepresenting or misunderstanding the issue. The tl'dr is that Bezos' civic engagement weighs more than my civic engagement, more than a million of me even. This is one easy way to take the casual and overly general "you're civically disengaged" victim blaming off the table.
Your elected representatives already know your interests, they were a precondition of winning the election. They don't need tens/hundreds of thousands of citizens writing them a letter every time so they are reminded of those interests. This shouldn't turn into a part time job for all citizens.
You casually handwave away the abusers' role with a simple "ah people aren't better" while in the same sentence blaming the abused for not doing enough?
Large corporations have full time lobbyists. They only have to send one "letter". You don't expect every shareholder and employee to be "engaged" just because a company's interest is in fact their interest. Your opinions will be shaped by whether you're more a shareholder or employee, or a "civically disengaged" single parent with 3 jobs.
> We have a lot of problems with our republic's design
The big one being that money is a superpower so the more one has, the more one can take. Or hang behind the predator pack and feed on the leftovers. After all a billionaire's rising tide will lift a millionaire's boat too. Jumping through mental hoops to justify the current situation by victim blaming isn't a prerequisite of this, it's a choice.
From The Onion, but I'm starting to wonder if this is feasible:
https://theonion.com/american-people-hire-high-powered-lobby...
> Bezos' civic engagement weighs more than my civic engagement
Again, I worked on these issues. Bezos and friends never showed up. Nobody showed up. This wasn’t a battle between David and Goliath, it was an empty field to which some generals showed up, looked around and then left.
> money is a superpower so the more one has, the more one can take
To a limit. The last few years have been a barn full of monied candidates being trounced by insurgents.
And again, in any case, not germane to this issue. Most people who would call in on digital privacy don’t bother because they’re lazy or think it’s useless. When they do, e.g. when the EFF mobilises, it’s a quick battle. (The problem being such mobilisation has tended to be reactionary. In part due to the other overlap between digital privacy advocates who will civically engage and libertarians. So we don’t get positive pressure to pass protections, just occasional negative pressure against legal encroachment.)
> Again, I worked on these issues.
Working on something means you put in effort, not that it's focused properly or that you even understand the real issues. At best you'll solve your problems without caring or understanding if it solves anyone else's.
> Bezos and friends never showed up.
Case in point. Bezos and friends don't need to "show up" anywhere you'd know. Their interests are implicitly considered and they're transmitted on channels you and I don't have access to. I'm talking about the general issue of asymmetric representation. This is where money matters.
> The last few years have been a barn full of monied candidates being trounced by insurgents.
You are conflating winning a popular election with leading for the people. Such statements in 2025 US are ridiculously disconnected. Almost without exception in recent history the wealthy always increased their wealth faster than the poor, and at their expense. Just over a decade ago the poorest 50% had 0.4% of the US wealth. No wealth means no power, not even personal agency, let alone in national policy. Are you telling me that finally the "insurgents" are fixing this and with their help the bottom half will start gaining the wealth and power from the super rich? Because if you aren't saying this, you aren't saying anything. The powerful will keep pushing and getting what they need, and you'll keep blaming "the lazy" that things don't change.
> Most people who would call in on digital privacy don’t bother because they’re lazy or think it’s useless.
Most people are assaulted with many, many more attacks on their rights and wellbeing. Those are more immediate concerns. Over 50% of US population just barely eeks out more that $10k in wealth. When they're drowning in debt, living from (social security) paycheck to paycheck, worried what else they'll lose next, showing up to fight for digital privacy, or almost anything that's not life and death, is the least of their concerns.
You decided to label them "lazy". Ever wondered if your work "on these issues" is tainted by this opinion, and that's why ultimately all you can achieve is only for the people who can afford it? Because you can afford it, and the lazy don't deserve it. The correlation is there.
> Their interests are implicitly considered and they're transmitted on channels you and I don't have access to. I'm talking about the general issue of asymmetric representation
I’ve worked on other issues that got passed into legislation. In the privacy cases, I was speaking directly to the electeds.
Nobody showed up. They were dead ends unless they could be linked to an issue people care about, e.g. abortion in blue states and Chinese espionage in red ones.
> Most people are assaulted with many, many more attacks on their rights and wellbeing. Those are more immediate concerns
People with strong views on digital privacy tend to be wealthier and better-educated than the average American. Also, the single mother of three working two jobs will show up to town halls and electeds’ field offices when it comes to issues they care about. And it’s impactful.
People do show up and civically engage. Just not on digital privacy.
Any recommendations on possible regulatory responses to the collection, processing and sale of human motion/activity data collected via WiFi and other RF Sensing?
> Any recommendations on possible regulatory responses to the collection, processing and sale of human motion/activity data collected via WiFi and other RF Sensing?
Research your state's privacy laws and submit a cool and concise complaint to your regulators, e.g. attorney general, consumer protection bureaus, public utility commissions, et cetera. These offices are understaffed and overworked--there is a good chance they haven't noticed this.
If you want to throw cash at the problem, check if Xfinity is pulling this crap in Illinois. (Or another state with a a BIPA [1].) One could argue that one's radar cross section is biometric [1]. That opens up avenues for financing litigation.
Finally, always, call your electeds. U.S. Congressmen and Senators, yes, but also your state legislators. Put it on their radars. (Most offices will put a staffer on a novel issue if more than a couple people call in about it.) If you want to supercharge this effect, find a local party organisation (e.g. such and such town or county D/R committee or club), go to their meeting and try to get it on the agenda.
[1] https://en.wikipedia.org/wiki/Biometric_Information_Privacy_...
> They show up. I've worked on privacy legislation at the state and local level. Barely anybody calls or writes in support.
This is by design. A lot of people talk about RTO in regards to business real estate but there's also the aspect of keeping people so busy and exhausted that they don't show up when it matters.
> there's also the aspect of keeping people so busy and exhausted that they don't show up when it matters
This would make sense if people didn’t show up for anything. They do. Including very overworked folks.
The unfortunate truth is the people most interested in privacy overlap significantly with the politically nihilistic and lazy. They’ve never called their elected or shown up to a town hall and, moreover, never will, because of course it’s useless.
> It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it. For my protection -_-
"engineers want nothing to do with politics". Do you mean Comcast engineers see this as a purely technical challenge without caring about implications? In general we are seeing more engineers taking positions on a variety of political issues.
Yep, you're right on the money. The correct course of action is for those of use who recognize this to cease arguing on the Internet with those who don't and connect with one another offline. We're in dire need of something akin to a 21st century Continental Congress.
While I agree that we should have legal codes protecting our online and digital rights, I’m convinced that there are enough Bad People on the Internet that we do indeed still need strong technical protections as well.
I’ve been asked at work to build less than savory stuff, here are some general observations, none of which are admittedly an excuse:
* you get caught up in the moment, hell bent on solving the problem you don’t really think twice
* you don’t want to get that stink on you, you don’t want to be that guy that brings this type of stuff up
* you are mindful of the fact that you are being very well compensated to build it and you don’t want to lose your job
* you know it’s going to fall on deaf ears - maybe they will pay lip service, maybe they won’t but either way nothing will happen
* in the back of your mind you figure someone else is fighting the good fight
On and on, so many different things can go through your mind, who knows which it’ll be on any given day, on any given project
And sometimes, you don't even know what the feature will even be used for.
Today it's an automatic subtitle generator for people with hearing difficulties. Tomorrow it'll be an AI training data generator. In a year, the NSA will re-purpose it into a mass surveillance tool.
> And sometimes, you don't even know what the feature will even be used for.
I did some work in the early 2010s that we expected to be used for computational photography, gaming, and little else. Years later, after I had already left the company, its primary use case became image stabilization for quadcopter drones, something that had not crossed our minds at all when we were building that stuff.
Cue in all the drone footage from the Russian invasion of Ukraine. FUCK. FUCK FUCK.
Exactly
Kind of crazy that I’m being downvoted for just expressing some basic, reasonable feelings
This is all true, and I suppose I participated in a signed update mechanism that I knew the (corporate) end user probably wasn't going to be given the keys to. But, I think there's a difference between this and deliberately going to work on a system that's clearly just top-down designed for something low.
For example, I don't think there's anyone in the (large!) fixed-odds betting terminal industry that can honestly say their work is a good thing for the end users.
What law would you propose? I think the hard part is "Instagram and TikTok remain free-with-ads."
Good riddance to everything supported by ads.
I genuinely wonder if people would wind up spending less money if they had to pay for services than if they get exposed to ads that lead them to buy more things. But either way, once ads and "free with ads" are gone, there's much more room for other competitors.
Okay, you think that, but as we've seen even banning TikTok alone is incredibly controversial and ultimately seems to have failed. Banning Instagram and TikTok doesn't seem politically feasible. So what do you do?
> Good riddance to everything supported by ads.
Ads don't require pervasive and invasive tracking for every breath you take
Would ads still be worth enough if they were targeted based on things like what you watch/read/follow/subscribe to on that platform and your general location?
Or can instagram only be free if ads are targeted to detailed profiles of individuals built over decades as they are tracked across the whole internet?
> Would ads still be worth enough if they were targeted based on things like what you watch/read/follow/subscribe to on that platform and your general location?
Yes. Targeted ads need to be 100% to 700% more efficient than regular ads to be as profitable: https://news.ycombinator.com/item?id=43996623
The heavily profiled ads cost a lot more money for the advertiser to run compared to traditional ads, if those platforms turn to contextual ads they do not have their special expensive profiled ads product to sell anymore.
So it's not about the perceived effectiveness of advertisements that you feel as a user, it's about the rather more unique product that they sell to advertisers that really raises their revenue.
The problem is that the internet is international and laws are national or even by state.
There are 24 states that require ID to view porn sites. The laws are being completely ignored by popular websites that are not based in the US.
Yep. And plenty of US sites ignore international laws about slandering Mohammad, and so on.
I’m not sure the lack of a global hegemony is a “problem”.
And another reason you don’t want laws governing the internet is that politicians are dumb. As soon as I heard about the laws I knew this was going to happen.
https://reason.com/2025/01/24/age-verification-laws-meet-vpn...
> ”Google searches for online tools like VPNs have surged in Florida after Pornhub, one of the world's largest adult websites, blocked access to users in the state," CBS News reported earlier this month. "Since the end of November, Google searches for VPNs have surged in the Florida, according to Google Trends. From the week of Dec. 22 - 28 to Dec. 29 - Jan. 4, searches nearly doubled. Since then, the numbers have gone even higher."
> The problem is that the internet is international and laws are national or even by state
How is the this a problem for ISPs coöperating with law enforcement?
> We suffer from a problem that engineers want nothing to do with politics.
It's not even politics, it's simple ethics.
Why would you need a user identifier to block a consent banner? You don't technically. The website requires it because it is a shitty website.
It would be enough to have your browser store a cookie without personal information with { cookieconsent: "STFU" } or some variable in local storage. If the website respected that, we would be fine.
Personal identifiers are not needed and foul compromises aren't acceptable.
I think I’m kind of on your side in general, but I have more of the opposite feeling about legal versus technical solutions. If we had no idiotic EU cookie laws, no “consent” bs required, a technical solution would be easy: default segmentation of cookies by what site you are actually visiting, plus all non-first-party ones silently expired after 60 minutes or whatever. It seems like this would be very easy, except for the fact that the number one ad network is also the only browser vendor that matters.
But the attempted legal solutions suffer from being inside the sandbox, meaning all the “cookie management” software is a pile of hacks that barely work, and rely on browsers, as you’ve noticed, to allow their cookies in the service of…limiting cookies. And of course they also suffer from the politicians who wrote them having no clue how any of this works. I suspect if they did, they’d see how dumb it is to regulate that 10,000,000 websites each implement a ton of logic to self-limit their cookies they set (hard to police, buggy) instead of telling 2-3 companies they have to make their browsers have more conservative defaults with how they keep and send cookies back. (easy to prove it’s working with testing).
> If we had no idiotic EU cookie laws
The obnoxious cookie banners are not required by "idiotic EU cookie laws".
> a technical solution would be easy: default segmentation of cookies by what site you are actually visiting, plus all non-first-party ones silently expired after 60 minutes or whatever.
1. This was already implemented
2. Tracking isn't limited to cookies only
> except for the fact that the number one ad network is also the only browser vendor that matters.
Oh, so an "easy" solution isn't easy after all. Who would've thought.
> And of course they also suffer from the politicians who wrote them having no clue how any of this works.
But you do? Like how you only speak about cookies when tracking and user data isn't limited to cookies? Or how "stupid EU cookie law" doesn't even talk about cookies (if we're talking about GDPR)?
Usually the people who really have no clue are exactly the people who say that "there's an easy technical solution".
> The obnoxious cookie banners are not required by "idiotic EU cookie laws".
Of course, the alternative is to not use cookies, to not use any web analytics products, or to resolve to argue the semantics of what is necessary before a judge when sued by one of the many lawyers who now advertise (ironically) all over social media with come-ons like "Did you browse FUZZYSWEATERS .COM? Your data may have been improperly used!"
> 1. This was already implemented
Please let me know what browser does what I describe. Close as I can come is configuring a Chromium based browser to just only keep cookies for certain domains, but it's a pain in the butt so I stopped worrying about it a long time ago.
> Oh, so an "easy" solution isn't easy after all. Who would've thought.
But I went on to detail the much "easier" solution where the EU aims its big swinging...list of mandates... at the 2-3 browser vendors rather than involving 10,000,000 small businesses worldwide in the business of trying to guess if they're "GDPR compliant," or could be in breach because they added some snippet of code from a useful web analytics platform that could be said to "track" users.
Do you really think that it is easier and better to regulate millions of people/companies to make them all do a complex thing in good faith AND do it well, than to make those couple of companies sandbox cookie storage in a way that severely kneecaps cross-site tracking?
> 2. Tracking isn't limited to cookies only
Sure, but also I question to what extent anyone is being harmed by "tracking" in the most broad sense of that word. As far as I can tell, the public believes "tracking is a problem" primarily because they resent retargeting ads. That's all. People see a shirt or a chainsaw or an air fryer "following them around" after they browsed for one, and think "that's weird! THEY know!" Despite the fact that most of those things function very simply, do not give a shit who you are, just some ID that your browser saved and is sending back, and which is tied to a list of SKUs you showed interest in.
The more reasonable concern is more around data brokers and the data about a person being sold and aggregated, which mostly gets concerning when it could be used for stalking, targeting political dissidents, etc. The fact that I spent 34 seconds on A product page, then 32 seconds on B, then added B to my cart and then bounced, that is the nature of all of the data being tracked on 90% of websites, they don't traffic in my location data or even want to collect sensitive information. But every website is affected by the GDPR's vague definitions of "tracking." And ironically, I assume partly because all these in-sandbox "CMPs" barely even work, I haven't even observed a decrease in retargeting ads, the #1 thing that people actually observe and are bothered by.
> Of course, the alternative is to not use cookies, to not use any web analytics products, or to resolve to
Honestly, I could not parse this rant that is a chain of non-sequiturs
> Please let me know what browser does what I describe.
Segmenting cookies has been a thing in all browsers for half a decade at least. Everyone but Chrome block third-party cookies. Safari clears out a bunch of cookies periodically (and PWA developers hate it for that)
> But I went on to detail the much "easier" solution where the EU aims its big swinging...list of mandates... at the 2-3 browser vendors
Ah yes, because tracking is only limited to cookies and to browsers.
> Sure, but also I question to what extent anyone is being harmed by "tracking" in the most broad sense of that word. As far as I can tell, the public believes "tracking is a problem" primarily because they resent retargeting ads. That's all.
Well, people from countries with quite recent cases of pervasive and invasive surveillance have other problems with invasive and pervasive tracking.
> The more reasonable concern is more around data brokers and the data about a person being sold and aggregated, which mostly gets concerning when it could be used for stalking, targeting political dissidents, etc. The fact that I spent 34 seconds on A product page, then 32 seconds on B, then added B to my cart and then bounced, that is the nature of all of the data being tracked on 90% of websites, they don't traffic in my location data or even want to collect sensitive information.
You have to chose one stance, not multiple at the same time:
- is this not a problem because who cares about a single ID?
- is this a problem because data broker amass and trade vast amounts of sensitive personal data?
> But every website is affected by the GDPR's vague definitions of "tracking."
Ah yes. It's GDPR that causes these poor innocent web sites to use data brokers that keep my precise location data for 12 years: https://x.com/dmitriid/status/1817122117093056541
And GDPR isn't required at all, because all we need to do is make the 2-3 major browser to just not set cookies, because that's all we're concerned about. There are no other ways of tracking people, and that tracking data isn't used by anyone anywhere.
Except, you know, "data brokers and the data about a person being sold and aggregated", but who cares about that.
What law do you think mandates those annoying cookie popups?
It would be nice if you could argue, “well, just be a good site and don’t use marketing cookies”, but the ePrivacy Directive requires consent for performance and preference cookies too. Perhaps a liberal reading arguably allows classification of certain statistics and preferences functions to be strictly necessary, like “I wouldn’t provide this service without crash reporting because I’d go insane so it’s strictly necessary”, but most lawyers would be ill before advising as much.
There’s still the question of what law mandates that they are annoying pop-ups? They could be preferences in a menu, for example.
What happened is website operators started to feel entitled to doing whatever they want with cookies on users’ machines and eventually decided to act like petulant children when the rules changed.
If cookies are only used for preferences functions, then I should expect that it should only require to mention the cookies in the preferences menu (I hope)? If they have a document to explain each cookie by name, then it would also be helpful, that you can enable/disable them individiaully (or make them read-only) by the browser settings. However, for some things such as languages there are other ways to do without using cookies, such as Accept-Language header for languages, although cookies could be used to override the Accept-Language header in case both are present in the request.
Yes that's the point. You don't need those things. The idea that a news article or blog post or e-commerce page could "crash" is ridiculous, and the law shouldn't humor that excuse. There's been standard ways to declaratively define such pages since before scripting frameworks gained popularity. Use those standard ways. If you're really building an app and need to performance test, buy some hardware in your target range. Privacy aware users block things like Sentry.
You don’t need a shopping cart either. Just make the user write down the skus from your online catalog and send you a purchase order. Products exist on spectrum and the ones that win are typically easier and more convenient to use. If your business is developing the best product it can, it absolutely needs the ability to be convenient and useful.
Adding a language select option on a multinational site seems pretty table stakes in my experience. Plenty often the user does not wish to use the same language as their system/browser. Switching your system’s default language just for one site is a huge hassle.
Re crash reporting: I’m talking about tools like Sentry. I have never once worked on a product of any scale that didn’t need to collect diagnostic reports from the field in order to address code level errors that happen as users are using the product. In house or 3rd party it doesn't matter, and client state has always been involved. A product that doesn’t function is broken. It needs to be fixed.
There is no privacy concession in any of these cases. The EPD simply over-regulates cookies.
I mean maybe we should just reimplement all this crap using indexdb. That’s not a cookie, legally.
The EPD fights symptoms not causes and the internet is worse for it.
Language selection seems easy enough: when the user clicks your flag button, show a toggle switch for "Allow a cookie for language preference". When the user toggles it on, present the language options. If they toggle it off, delete the cookie (in a better world, the server could just send a standard language options header and let the browser show a dropdown for per-site language selection, but oh well).
For crash reporting: pop up a dialog asking if they'd like to submit a report (as software used to do). Don't just submit info from their computer without asking.
If literally any physical product breaks, I don't expect the manufacturer to receive telemetry so they can fix it. If I want them to fix it, I'll bring it back to them. I expect that if I don't go out of my way to tell them something, after I buy the thing, we go our separate ways, and they have no idea about anything I do. If their thing breaks, I also have the option of just not telling them and instead telling everyone else that they're crap. They don't need to spy on me for any reason.
I'm really not seeing the issue with asking consent to do things as they're actually needed. You don't need an "I CONSENT TO EVERYTHING" banner, and most of the stuff you want isn't necessary anyway.
Like I said, privacy conscious users block tools like Sentry. It's a perfect example of "no, you don't actually need to spy on me."
> You don’t need a shopping cart either.
Pretty sure this exact example is explicitly carved out as a-okay.
I think what we're dealing with here is not websites trying to do basic things. Rather, it's every website and their mom thinking they need elaborate analytics to sell plastic garbage.
Yes, that elaborate analytics you spread to 20 third parties IS a privacy concern. We should be looking at that.
> You don’t need a shopping cart either. Just make the user write down the skus from your online catalog and send you a purchase order.
I think this is a way to do it, I had thought also of such a thing before. You can send a "computer payment file" which includes the product ID numbers (and parameters if applicable), the total price that the customer expects to pay, a signature, and encrypted data for use with the bank or credit card company (or some specification of store credit, if you are using that instead).
The existing use of "shopping cart" cookie can still be available as an alternative as well though, in case you do not want to use (or cannot use) the "computer payment file"; then it can provide its UI but you can also use your own if you have your own implementation.
> Adding a language select option on a multinational site seems pretty table stakes in my experience. Plenty often the user does not wish to use the same language as their system/browser. Switching your system’s default language just for one site is a huge hassle.
This is true. However, it would also be helpful to be able to change the settings (including languages, and HTTP request headers) per URL prefix, which would also be another way. This does not mean that the setting cannot also be available as a cookie, which will override the Accept-Language header if both are present in the request.
There is also user authentication; cookies are not really the best way to do that either. I think X.509 client certificates are a better way. However, other methods can still be provided for compatibility for users who do want to use it.
And then, there is more other stuff too, they can also be done in other ways.
Note that all of the above stuff means that many things can work with JavaScripts and cookies disabled (or unavailable), but enabling them will provide a way of working that does not require these other things too.
> In house or 3rd party it doesn't matter
It does matter from the perspective of privacy, because in one case your vistors deal with one party (you) and in the other case another party (Sentry) is also involved.
The GDPR standard of "consent" (as I suspect you know, but as context for my opinion) is applied to the ePrivacy Directive and relates to any cookies that are not strictly necessary.
I do not like using the legal basis of "consent" for processing personal data, and I would much prefer not to need to use consent for placing cookies. As it is, in my personal capacity I can get away without placing cookies at all .
If we had access to other lawful bases for placing cookies, I'd like to think we could work out way towards phasing out any blanket consent. I'm sure "legitimate interests" would be abused and over-relied-on. But it already is, and if we're not arguing with people about whether the "consent" they rely on is legitimate then maybe we'll have more time to worry about whether companies are using other bases appropriately.
> Why is it that if someone said “we need a legal solution to gun violence” the people that say “no we need a technical solution all people should wear kevlar and carry 9mm pistols” are considered the lunatics but when we ask for a legal solution to rampant non-consensual tracking for the purpose of indoctrinating the consumer class with propaganda we all laugh and say bah the solution must be technical? I don’t get it
I don’t know that a reasonable person would compare privacy threats to the threat of death from gun violence.
They exist in totally different altitudes of concern.
> The solution here shouldn't be technical; it should be legal.
I disagree. Solutions should be technical whenever possible, because in practice, laws tend to be abused and/or not enforced. Laws also need resources and cooperation to be enforced, and some laws are hard to enforce without creating backdoors or compromising other rights.
"ISPs will be prohibited from spying on their customers" doesn't mean ISPs won't spy on their customers.
We need more funding for open-source WiFi Sensing counter-measures, e.g. EU research, https://ans.unibs.it/projects/csi-murder/
> this paper addressed passive attacks, where the attacker controls only a receiver, but exploits the normal Wi-Fi traffic. In this case, the only useful traffic for the attacker comes from transmitters that are perfectly fixed and whose position is well known and stable, so that the NN can be trained in advance, thus the obfuscator needs to be installed only in APs or similar ‘infrastructure’ devices. Active attacks, where the attacker controls both the transmitter and the receiver are another very interesting research area, where, however, privacy protection cannot be based on randomization at the transmitter.
https://github.com/ansresearch/csi-murder/
> The experimental results obtained in our laboratory show that the considered localization method (first proposed in an MSc thesis) works smoothly regardless of the environment, and that adding random information to the CSI mess up the localization, thus providing the community with a system that preserve location privacy and communication performance at the same time.
There is no technical solution for this unless you want to invest billions/trillions in building new computing and networking platforms created with privacy in mind.
ISPs will always have the ability to at least deduce whether a connection was used, the MAC address, and it there is WiFi, unfortunately whether people are physically present.
If we look at the roadmap for WiFi/phones/etc, they will soon gain the ability to map out your home, including objects, using consumer radios.
"There is no technical solution for this"
This isn't really true. The easiest technical solution to the problem of ISPs using your wifi data is to simply use your own WiFi router which does not send the data to them.
They can still deduce this from the traffic patterns.
They can map your home and motion with traffic patterns?
The OP was also talking about deducing presence based on connections and traffic patterns, which using your own WiFi AP isn't going to mitigate.
I don't think there's any reliable way around that. They can do that with real-time power meter monitoring even if you don't have an internet connection.
Good luck to them for those of us who have set up a tailscale exit node in our network and use it whenever they are 'roaming'.
They can see the WireGuard traffic coming in and correlate it with traffic out. WG traffic is easily identifiable.
I have tons coming in all the time some of it goes out some of it does not.
So use a vpn.
With a VPN, your ISP may not know where packets are going, but they can still see packets moving. So, unless your VPN is injecting dummy data to mask all patterns (possible, but not common), your ISP is going to have a good idea if someone is home or not.
So does your power company with real-time meter monitoring. Masking that is much harder and would be more expensive if it's even possible.
I have a better solution: just use your neighbour's wifi :P
pay him with a pack of beer
You can’t solve social problems with technical solutions. Technical solutions won’t work without some kind of legal backing to force it.
Sometimes mathematics and physics provide superior solutions than man-made laws. Encryption for example. It's better to make something impossible, than to have laws that are routinely ignored by law enforcement.
>You can’t solve social problems with technical solutions.
Sure, this has a fair amount of truth to it. However, security is not a social problem, it's an economic one. No one, not even the most well funded and skilled organizations like the NSA, has access to infinite resources. Whether a given attack/data harvesting effort costs $1 million, $10 thousand, $100, $1, or $0.01 makes an enormous difference in impact. Can a given three letter agency afford to spend $1m on anyone? Sure. Can they afford it against everyone? No. Same with private orgs, if harvesting data costs $10000/person, it has to generate well over that much money in profit to make it worth it. Is that likely on average? Probably not. If it costs fractions of a cent, then they will be incentivized to scale it as hard as possible, since payoff from even one person will cover thousands of duds.
So sure, by all means we should pursue laws too, as that also shifts costs a bit. But there is zero reason not to simultaneously pursue technical means to make costs as high as possible. Both tracks matter a lot.
I am really struggling to see the technical solution here. This isn’t a security question - security has already been lost. We’re talking about a device in a home that the owner doesn’t control, being able to monitor the presence of a person using either WiFi signals or device identifiers.
The obvious solution is to not use that device. But that’s not necessarily possible for a variety of reasons, not all of them controllable.
So, what is the technical solution to this? Anything that’s going to mask a persons RF signal is probably going to make WiFi difficult to use. Anything at the network level is already lost because we have a potentially hostile device in a critical point in the network path.
Am I missing a different solution?
>I am really struggling to see the technical solution here.
Are you? Comments are full of obvious solutions like using your own hardware, which you clearly understand.
>We’re talking about a device in a home that the owner doesn’t control
No, we definitely are not. As you yourself immediately acknowledge:
>The obvious solution is to not use that device. But that’s not necessarily possible for a variety of reasons, not all of them controllable.
...but then immediately try to do a fuzzy hand wave it away for reasons I don't really understand. Technical solutions don't have to be completely perfect, which is surely not a standard you're holding any social/legal solution to right? Since that would be ridiculous.
As I said, simultaneously pursuing multiple tracks in parallel is the correct approach, as hybrids can be more then the sum of their parts. A purely legal solution ("law against ISPs collecting this data"), if it's even possible to get passed at all, ends up depending heavily on the honor system with all sorts of perverse incentives, and is very challenging to verify. A purely technical solution ("use your own hardware", "route through another end point") could potentially be interfered with (though let's be clear: this isn't actually a thing basically ever). But we can easily imagine hybrid approaches, just as was done in the past with efforts like CableCARD. The law doesn't need to necessarily try to mandate and police hard to verify behavior like how non-property owner controlled hardware acts, but instead can mandate that ISPs must always allow direct dumb interfaces to their network via customer controlled hardware. That's something easy to verify, which enhances compliance, and easy to understand which enhances the politics.
But make no mistake: the technical aspect is an inseparable part of this approach. We need both.
It makes it much more difficult to be profitable if its illegal. This deters the majority of opportunists leaving only the dedicated criminals. And just like thief's people might understand why they steal no one sheds a tear when they go to prison.
When we find them spying on customers they will take it all the way to the supreme court where the definition of spying will be put the wringer and flushed of all actual meaning. Then the law will be struck because it violates the corporation's 1st amendment protections concerning 'free speech'. See also Citizen's United.
And how do you technically stop an ISP from using the radio in their hardware to detect small changes in phase angle of signals in your home?
Own your own hardware is how.
Comcast cannot administer my router/AP or modem.
Some other ISP's like AT&T force you to use their gateway. I try and avoid these companies or severely limit the functions of the built in gateway.
And how do you force all consumers to buy their own privacy hardware?
Edit: sorry my question is not strictly how one person would mangle their hardware so it breaks presence detection, it’s how the tech industry would develop an at scale everyday consumer solution to this problem.
Require certain disclosures to be made in not so fine print.
Require that each privacy waiver is individually initialed, per clause, in wet ink.
This shit would end tomorrow if they had to start delivering modems with 1 inch high letters that said "THIS DEVICE WILL TRACK YOUR LOCATION WITHIN YOUR HOME AND SHARE THAT DATA WITH LAW ENFORCEMENT WITHOUT YOUR KNOWLEDGE", and the modem didn't work until you went down to the Comcast store to sign your rights away.
You don't have to force anything except taking this knowledge out of the fine print and prove that your customers are actually aware of the contractual clauses they are subject to.
The tech industry could come together and come up with a privacy standard guarantee that device manufacturers could use (Something as simple as, we will never share data with law enforcement unless legally compelled).
There's a lot of solutions, ranging from technical (firmware update) to social (pass some laws with teeth).
> This shit would end tomorrow if they had to start delivering modems with 1 inch high letters that said "THIS DEVICE WILL TRACK YOUR LOCATION WITHIN YOUR HOME AND SHARE THAT DATA WITH LAW ENFORCEMENT WITHOUT YOUR KNOWLEDGE",
I have the urge to laugh at this, but maybe I'm just too cynical. Pretty sure we still live in an age where most people would let go of principles like privacy for a bit of convenience.
Some ISPs allow you to bring your own modem, so there wouldn't be any hardware other than your own and whatever they install to bring it into your home.
You attach large sacks of potatoes to the ceiling fans and lighting fixtures that are connected to strings and random timers to move them. The potato bags perfectly simulate human motion.
Every house should look like a party of 50.
Invest in potatoes
Disconnect and ground the antenna and supply your own equipment?
I thought we were talking about a solution that the tech industry could implement and deploy en masse to users, because it’s just, like TLS and browser standards. That’s usually what is being discussed when these give everyone privacy topics come up. The people that care enough to ground their antenna are already using their own hardware. And the ISP will deter hardware modification by charging you for damaged leased hardware. Or you’ll be in an arms race where the ISP’s firmware will flag the unit as defective because the radio doesn't work and cut off access till you fix it.
I guess you could put it in a cage. Maybe I should go door to door selling privacy cages. Do people pay for tinfoil hats these days?
>Do people pay for tinfoil hats these days?
I don't know, how many people that didn't care much about privacy said things like "There is no way the US government would deport US citizens" 7 months ago.
Technical and legal solutions are for different classes of problems.
Encryption is a technical solution trying to solve the problem of people being able to steal your data/money without your knowledge.
The law/police are the solution to the 5 dollar wrench problem, where you are very aware of the attack but unable to physically stop it
And the law can’t stop someone from using a $5 wrench before the harm is done…
I don’t expect the law to prevent the crime. Much like my comment you replied to, I recognize different tools are for different situations.
The law is there to enforce the “rule of law”
It’s a little ambiguous because the phrase is in English and doesn’t match up 1:1 with the common vernacular, but I want the “rule of law” to enforce that the rules are real, not to prevent someone from testing their existence
The legal part should be requiring a technical solution.
E.g. the you should be able to own your router and even if you choose to rent you should have full control over the software.
It might make it a bit harder to use the information obtained through spying, though. Both is good.
> The solution here shouldn't be technical; it should be legal.
The parent commenter was highlighting that law enforcement can compel them to provide the data.
The customer has to opt-in to WiFi motion sensing to have the data tracked. If you see something appear in an app, you should assume law enforcement can compel the company to provide that data. It's not really a surprise.
> If we rely on legal protection, then not only Comcast, but all ISPs will be prohibited from spying on their customers.
To be clear, the headline on HN is editorialized. The linked article is instructions for opting in to WiFi motion sensing and going through the setup and calibration. It's a feature they provide for customers to enable and use for themselves.
> The customer has to opt-in to WiFi motion sensing to have the data tracked.
- Is this true if Law Enforcement gets a subpoena?
- Is this true if Law Enforcement asks "nicely"?
- Can Xfinity activate it without the user knowing?
- Does it explicitly notify the user when the setting has been changed? (e.g. done by LE, hacker, or an abusive partner)
- Is this a promise and a promise that by default it will stay off?
- Is the code to perform this feature pre-installed and able to be trivially (or even non-trivially) activated by hackers?
“Please accept our new terms of service to continue using your internet connection”
Your honor, they clearly opted in to us spying on absolutely everything they do or think.
> The customer has to opt-in to WiFi motion sensing to have the data tracked.
Not for long, there’s money to be made by adding this to the cops’ customer lookup portal.
>opting in to
Yea, at least in the US you have almost zero consumer rights around this.
Once they find some marketing firm to sell the data to suddenly it will be come opt-out in a new update and most people will blindly hit agree without having a clue what it's about.
> I can't imagine a world where Congress could actually achieve something that widely helpful for regular citizens.
"Best we can do is letting all the AI companies hoover up your data too"
It doesn't require IPv6. The modem is just as aware of all the private IPv4 addresses on your network as well as all the public IPv6 ones.
Unless you put your own gateway (layer 3 switch, wifi ap, linux router) in front of it.
From my understanding it tracks signal strength between two points (gateway and printer for example).
Putting your phone in airplane mode doesn't make it think you have left the house.
> If you’d like to prevent your pet’s movement from causing motion notifications, you can exclude pet motion in your WiFi Motion settings by turning on the Exclude Small Pets feature. > Motion is detected based on the amount of signal disruption taking place between the Xfinity Gateway and your selected WiFi-connected devices, so motion from small pets (around 40 pounds or less) can be filtered out while keeping you notified of large movements more likely to be caused by humans.
That would require Comcast to have access to your router, or more precisely, the NAT.
Comcast sells a router gateway combination device that's probably required for this motion sensing anyway. If you have that they could already check device counts and in fact their Xfinity app lists connected devices in detail.
For most people their Comcast modem _is_ their router.
The point of the comment about ipv6 is that if you don't use a Comcast modem/router or they're prohibited by law from snooping on that, Comcast can still sorta understand the number of users from the outside by looking at your ipv6 addresses.
I understand they can do traffic analytics but with privacy extensions and the proliferation of IoT devices I don't think that level of analysis is going to be very fine. Probably just enough to bin houses into different size groups.
There are a multitude of pre-existing ways of achieving the same result. One would be simply looking at the ft^2 listed on the public tax documents for the given address.
So I was really assuming any useful analysis would require them to be the actual man in the middle by owning and controlling your router. In which case address family does not matter.
> The solution here shouldn't be technical; it should be legal.
I expect more than a few commenters here will disagree with you. Some rather vehemently.
To those that do so, I'd encourage you to read the novel Attack Surface by Cory Doctorow. While it's fiction, in the book, Doctorow makes a pretty compelling argument for the notion that when it comes to privacy, we can't win by "out tech'ing" the governments and corporations. We're simply too heavily out-resourced. If I'm interpreting his message correctly, he is saying basically what Josho is saying here: that we have to use the political/legal system to get the privacy protections that we care about enshrined into law and properly enforced.
Now, is that going to be easy? Hell no. But after reading the book I was largely sold on the idea, FWIW. That said, the two approaches aren't necessarily mutually exclusive. But I do believe that those of us who care about privacy should focus more on using our (knowledge|skills|resources) to try to foster change through politics, than on trying to beat "them" with better tech.
YMMV, of course. But if you haven't read the book, at least consider giving it a shot. Probably Doctorow makes the argument better than I can.
"The solution here shouldn't be technical; it should be legal."
Laws can be broken. Laws of physics cannot. Best to utilize both a legal and physical defense.
> The solution here shouldn't be technical; it should be legal
Technical solutions tend to last longer. Legal solutions have a habit of being ignored when they become inconvenient.
The legal default should be that collecting this sort of data should always be illegal without informed consent and never used beyond the remit of that consent. As inconvenient as it sometimes is, the world needs GDPR.
> The solution here shouldn't be technical; it should be legal.
It should be both, one serving as a backup to the other. Theft is illegal, yet we lock our doors.
In the EU, residential users have a right to use their own routers. IMHO, this should be the norm, and ISPs shouldn't be shipping routers to users.
Problem is, most folks aren't aware of how much spying the ISP routers do, and they want the most easy and convenient choice. Hence the status quo.
Same in the US!
Unfortunately, only the nerdiest nerds do things like buy their own routers...and that sort of thing is pretty much impossible to evangelize.
just buy your own simple modem and install your own wireless access point.
do not buy any device from comcast you dont fully control!
Until the day when to use the service you have to use their device. Or it's being used at work, a hotel, in stores, in your kids school, or anywhere you have no say on the devices used.
Also make sure your phone and other every day carry items never connect to the Internet via your ISP’s network or emit radio signals while nearby your home.
In the future when you say things like this, please say "First" or else you're starting an endless back-and-forth of one-ups and false dichotomies.
A legal precedent easily leads to a technical block.
> The solution here shouldn't be technical; it should be legal.
The technical solution seems strictly preferable
Legal "protections" only protect you up the moment a warrant is issued, if that
>> The solution here shouldn't be technical
The solution can be technical, but only if it is also sneaky. Blocking or disallowing certain information is one thing but making that information worthless is better. A simple AI agent could pretend to ping all sorts of services. It could even do some light websurfing. This fake traffic would nullify any value from the real traffic, destroying the market that feeds this surveillance industry.
I see a UI that allows homeowners to fake certain people being in the house when they are not, either replaying traffic or a selection of generic bots that mimic the traffic of various cohorts.
> Comcast can achieve the same by how many active IPv6 addresses are in use
Isn't this basically impossible with IPv6 Privacy Extension Addresses?
you cant tell most of those things because same ip doesnt coorespond to a unique service and plenty of programs and websites phone to servers where addresses have changed. there is no static database.
you also cant associate it to a person automatically. the burden of proof is high - how many jurors have tech at home they know nothing about and maybe got hacked?
> The solution here shouldn't be technical
Why not? Just run your own router instead of the one your ISP tries to give you.
What if I left my device at home?
It would work even better. From the linked support page:
"Motion is detected based on the amount of signal disruption taking place between the Xfinity Gateway and your selected WiFi-connected devices, so motion from small pets (around 40 pounds or less) can be filtered out while keeping you notified of large movements more likely to be caused by humans."
With enough signals, gait recognition for example is possible, and those same signals could be corroborated with presence or absence of concomitant device signals to determine if your device is moving with your person, and if not, to then flag this for enhanced monitoring if evasion is suspected.
The point is every single thing I own should be "on my side". My car should not store my location history. My wifi router should not track presence and movement. My printer should not add any watermarks or telltale dots. My stuff should actively make it difficult or impossible for hackers, advertisers, or law enforcement to recover any useful information.
This means, respectively: ensure personal info is stored securely so hackers can recover little. Don't transmit info to remote servers to limit what advertisers get. And just store as little as possible in the first place because this is the legal means to have little to subpoena or discover.
Useful info, when absolutely necessary, should be locked behind a password, as constitutional rights preclude law enforcement from making someone disclose it.
I agree, but that is only one reason. The other reason is to save power (and also RAM, disk space, network bandwidth, time, etc) by omitting unwanted functions. (Some things to actively make it difficult (e.g. encryption, passwords) would use up more power, but since they are not constantly active and are not as many functions, they might still use up less power in total.)
This is magical thinking, because it’s using the legal system to solve a technical and social problem. It’s probably possible to create standards that don’t leak PII and other forms of metadata that are unique. That is probably the only solution going forward to reduce possible interdiction by extralegal third parties. However, Comcast can only be enjoined from doing this legally, and will likely not do anything that isn’t implemented by standards bodies, such as WiFi standards. The fact that these capabilities are available to Comcast corporate is because OEMs that make set top cable receivers and combination cable modem WiFi routers provide these capabilities. I’m not sure if these features are standard or require a special order. Once Comcast has the data, it is available to law enforcement via the Third Party Doctrine, which isn’t going away anytime soon.
You seem to think that it would be impossible to instruct Comcast to implement on/off for the feature? That's the sort of thing that the legal system is for.
I don’t think that this would be likely to pass Congress. Even if it were, if Comcast failed to uphold its obligations due to receiving a National Security Letter (NSL) then they would be hamstrung, unable to comply and unable to protest publically.
It’s almost a legal impossibility and would be a bad move geopolitically to give up this full take capability and it is not happening. It’s wishful thinking to believe otherwise.
These companies are so big now, and more importantly their lobbyists are, that it is unlikely any regulations would ever come that would limit their abilities to make money off of your PII.
All these already existing dragnets make oldies like the Clipper Chip seem like a weekend hackathon project.
The irony is that all of these metadata leaks and correlation attacks etc were theoretical at the time these technologies were created and developed, unless you’re NSA level compute power, both human and silicon. Now, any script kid has enough info to try to build an array of SDRs to do the same thing, and no one will care when they do besides the feds who cry foul about their turf being stepped on by plebeians. The public will never care because their eyes will already have glazed over once you mention MAC addresses and SSIDs.
> any script kid has enough info to try to build an array of SDRs to do the same thing
It doesn't particularly matter what hobbyists get up to. It matters what's available at scale on the mass market, what's widely deployed, what data is legally permissible to collect on a large scale, and what data is legal to sell.
Law enforcement can't subpoena that which does not exist. The best defense to these sorts of things is often to place legal limits on collection, retention, and sale.
Your take is both alarmist and defeatist.
> Your take is both alarmist and defeatist.
Legal limits on national security agencies are not enforceable due to Five Eyes etc. Allied foreign spies do what American spies don’t. I’m just admitting the political reality of the situation. What you do with that information may be limited, but it’s not a failing on my part that this is the status quo.
> Legal limits on national security agencies
You're not talking about what they're talking about. They're talking about limiting corporate data collection. If companies don't build this into routers, then 99% of routers won't be collecting this data, and foreign spies won't have any data to steal.
They will classify the data as necessary for business purposes and collect it under a different name. They will be obligated to pass full take information if necessary, and it will be tapped at any point by employees who are given NSLs and asked/told to do things under penalty of law where applicable, and on threat of arrest or dismissal if not, or by federal agents themselves or their deputies or other approved third parties. Your modem may be intercepted in the mail and reflashed if necessary or over the wire, and that functionality is part of the operating standards of the modems. You could find a way to secure this on your own maybe, which is perhaps just another signal which flips a bit somewhere and may be logged. You can’t close Pandora’s box. It doesn’t matter if Comcast has the WiFi data to sell because they will have access to the information due to how the WiFi signals propagate. It’s diagnostic data. It’s the signals themselves. So all this is perhaps a misdirect, as any third party in range of the WiFi network can likely do the same thing passively, so it is a moot point. The data being gathered and sold should be legislated, but I don’t think that it will affect any of the actual concerns raised, because feds will still legally do whatever they are authorized to do, the justification and doctrine may not be public information. You probably won’t know, so you won’t object. Third parties who lack principles will gather the data regardless of legality. I don’t know how you could even legislate against passive monitoring unless you could demonstrate intent to harm or violate FCC regulations and applicable laws about harming people or computer systems like CFAA, which is a whole other issue.
> They will classify the data as necessary for business purposes and collect it under a different name.
Laws are powerful enough to stop that.
> wiretaps
I said 99%, not 100%.
> any third party in range of the WiFi network can likely do the same thing passively
But they won't do it in bulk without a lot of motivation (like profit).
When they are compelled to do it, they will not even know it is happening. Only the people doing it would know. That’s the reality of why it is done now. That there is a market for it should never have been allowed but the capability is necessary to troubleshoot the network. I guess it seems silly to say this is even a legal issue. They shouldn’t do a lot of things, but they are going to be legally compelled to do them, so the network structure’s form follows that function. If there is no market for that data, they will get the data by proxy by leasing access to the network or the customer or the metadata for security or other legal purposes via intermediaries or separate internal units. This is just how ISPs have to handle this kind of data request or other legal request. They have formal means to ask for what they need, and they will usually get enough data to find out anything they will need to find out that the CPE is emitting or doing.
I guess if you’re truly concerned you shouldn’t have WiFi at home or a mobile phone. Too bad 5G signals have similar capabilities, but at least the signals don’t propagate as well.
> When they are compelled to do it, they will not even know it is happening.
That ... might or might not be an issue, but it's not _this_ issue, ie the one we were originally talking about here.
A targeted order to wiretap (or otherwise spy on) a specific person or entity is entirely different from widespread data collection, retention, and sale for whatever corporate purpose. With widespread collection the data is then sitting there in a data lake waiting to be subpoenaed by law enforcement at their leisure for any arbitrary reason they happen to think up potentially years in the future.
> they are going to be legally compelled to do them, so the network structure’s form follows that function
You can't be compelled to hand over that which you do not have. Neither can you be compelled to modify your product in a particular manner absent market wide legislation; see FBI v Apple if you doubt that.
> A targeted order to wiretap (or otherwise spy on) a specific person or entity is entirely different from widespread data collection, retention, and sale for whatever corporate purpose. With widespread collection the data is then sitting there in a data lake waiting to be subpoenaed by law enforcement at their leisure for any arbitrary reason they happen to think up potentially years in the future.
I do see what you mean, but they are differences of degree, not kind. It could be considered a best practice to minimize PII etc, but even other groups don’t do any better. Signal still uses phone numbers.
> > they are going to be legally compelled to do them, so the network structure’s form follows that function
> You can't be compelled to hand over that which you do not have. Neither can you be compelled to modify your product in a particular manner absent market wide legislation; see FBI v Apple if you doubt that.
I agree. However, Apple is also confident enough in their legal team, reasoning, funding, and likely legal outcomes that they will flout NSLs in America, and yet they will cave to UK in that they disabled Apple’s Advanced Data Protection (in UK) which means that iCloud files aren’t really E2EE if the government can just say that you can’t do that anymore. Not your keys, not your files and the security and privacy of said effects thereof.
> This is magical thinking, because it’s using the legal system to solve a technical and social problem.
Is that not literally the entire purpose of the legal system?
> will likely not do anything that isn’t implemented by standards bodies, such as WiFi standards
I imagine beamforming techniques are only going to become more commonplace over time.
> Once Comcast has the data, it is available to law enforcement via the Third Party Doctrine
Unless they were legally obligated to purge it from their servers after a few weeks. Or if they employed E2EE so as not to have access to the data in the first place.
> > This is magical thinking, because it’s using the legal system to solve a technical and social problem.
> Is that not literally the entire purpose of the legal system?
The legal system is subverted by the national security apparatus by necessity and by design. The information gathered by ISPs is necessary to prevent interference with ground-based radars around airports, and is necessary for fraud detection and internal security of the network. It would be feasible to make it so that this information would be gathered and retained only for a short period of time to establish and maintain network integrity, such as handshakes and other bits and bytes exchanged and retained inherent to the protocols used. The legal doctrines that establish the legality of full take surveillance have been argued before FISA courts, so an act of Congress or a test case would likely be necessary to prompt any legal reexamination of the relevant issues. However, national security issues are not really able to be resolved legislatively, because executive orders will always enable that which cannot be done on the books, which presupposes that which is done is done by the book to begin with.
What is done in the shadows must stay obscured due to means and methods, and this ideology isn’t amenable to change, political or otherwise. There is not much else to say on that point as it is observational and experiential based on my lived experience and history of interactions with law enforcement, national security professionals, and private security as a service provider and former licensed security guard, as well as being a victim of police overreach and charge stacking. I’ve worked with law enforcement and been work for law enforcement. I’ve fought the law to a draw, and I’ve fought the law and lost due to bad calls by refs. I’m working on becoming a better citizen and community member so that I can be a helper. More than that, I can’t say. The future is hopeful and yet the challenges are real, and changing. Old guards are giving way to young Turks. It’s an interesting time to be alive.
> > will likely not do anything that isn’t implemented by standards bodies, such as WiFi standards
> I imagine beamforming techniques are only going to become more commonplace over time.
The beamforming and other technologies used with modern WiFi are what enable the motion detection “for free” because the WiFi signals act as radar signals, the contours of the perturbations of which are already baked into the WiFi protocol. It’s insecure by design against this side channel attack.
> > Once Comcast has the data, it is available to law enforcement via the Third Party Doctrine
> Unless they were legally obligated to purge it from their servers after a few weeks. Or if they employed E2EE so as not to have access to the data in the first place.
You would have to reimplement the standards to make everything that squawks rotate their identifiers regularly, ideally after every transmission. It’s possible I suppose. I don’t think the political will is there to mandate this, and there are not that many people who work on these kinds of problems. Look at who created TOR. You’d have to run that kind of system everywhere, and only use it for everything, and that system would have to be part of the protocol or otherwise unable to be disabled by end users. Otherwise, you’re at the status quo we have now, where the weak links are the first to break.
If this sounds like a stretch, the weak links are always people, not protocols or pipes. That’s why this is magical thinking. As principled as you and I are, bad guys don’t have principles. Those who fight bad guys have principles, and they also have more coffee and mathematicians and hashrate.
Congress will never rule against the national security apparatus because there is no political will to do so. I can count on one hand the folks in Congress who are on relevant committees to even consider legislation on these matters who is in any way critical at all, and they largely agree with you that something needs to be done. But they don’t have the votes to do anything because the issues aren’t relevant to voters. No one cares the way you or I do, or they would probably become lawyers or politicians, as well as soldiers and broadcasters.
If you think something constructive and positive needs to be done, I would likely agree that the impetus for change exists. I’m all ears.
when I'm at home, my device is just sitting on the desk. rarely is it in my actual hand being carried with me. also i'm old, so i don't have it in my hand while sitting on the couch or in bed either. that's why my laptop is for. something with a real keyboard and screen and not something that's going to give me scoliosis for hunching over to read all the damn time
> ... I can't imagine a world where Congress could actually achieve something that widely helpful for regular citizens.
The solution is to not use the internet if you care about your privacy.
We are now treating foreign students with suspicion when they don't have a satisfactory internet footprint. Only a matter of time until that gets turned against the citizenry. Submit to surveillance capitalism or go to jail you deviant.
Heh, soon your modem will report to the SS on how many undesirables you are sheltering in your home.
Us humans love building the Torment Nexus.
Comcast has remote control of all of their equipment so they will just turn it on for you if they get a court order or a big enough check from an adtech company.
Wifi imaging is a bit like a silhouette and generally accurate enough to work out gait and height which could give a good indication of which people are in what locations in a home. That is some very scary power in the hands of a corpo.
More scary in the hands of the government. Whether you didn’t trust the prior US government or this one - which pretty much covers the entire population - that’s the folks that shouldn’t have this technology at their disposal. I struggle to see a use a corporation will have for this even extending ad tech to the maximum potential. The most useful application is surveillance for political purposes - in the current government, how better to cross reference with the uber database of people they are building to enact political policy to know when people they want to disappear to a foreign prison? This provision doesn’t even seem to require a warrant.
they only have some level of control over DOCSIS modem. if you install the cheapest/simplest DOCSIS modem, and connect it to your own wireless access point that is NOT controlled by Comcast - they wont know anything.
They will only see traffic coming from 1 local IP - of your wireless AP
Hmm. Not much of this is true.
They provide a modem / router combination device at even their cheapest tier.
That device can leverage this technology, and the technology isn’t reliant on traffic.
They can gather plenty, and can provide it to third parties without our knowledge or consent.
Hmm. That misses the broader reality.
What you're missing, is that you are allowed to use your own modem. You can purchase an Arris Surfboard, and use that.
They still have control of that modem, but can gather no downstream data. That the devices are not distributed by Comcast personally is not relevant to you being able to do this.
I did that, and then a few years later they no longer supported that version. I gave up and used the provided modem.... guess I could put it in a faraday cage to prevent the WiFi from being enabled...
DOCSIS protocol hasn't changed, 3.0 modems are still being supported, just like a decade ago
Well, I had a DOCSIS 3.0 modem I used with Spectrum (https://www.amazon.com/dp/B016PE1X5K), and now it no longer works. You can see it isn’t on their compatible list anymore: https://www.spectrum.net/support/internet/compliant-modems-c...
Or just cut the power trace to the wifi chipset.
or ground the antenna, or put the thing in a cage. The cables (which must escape the cage) will make the cage less effective but I imagine it would be enough.
You can’t get top speed or unlimited data with your own modem.
Not sure about Comcast, but I have no issues with Cox. I'm getting 2.5Gbps with my own equipment (Ubiquiti UCI, which is $$$, but other cheaper modems also work).
The people who do this will be a vanishingly small minority. It's not as easy to set up one's own modem as it is their own router, IME. And even then, going with your own router is rare.
> It's not as easy to set up one's own modem as it is their own router, IME.
I mean, I suppose it's got the additional step of calling Comcast and giving them the MAC of your modem, but IIRC that's all I had to do after buying one on their approved list. Been at least 7-8 years since I had them, though.
You can plug-and-play with a consumer "router", but even then you need to know the difference between WAN and LAN sides. So the extra effort seems minimal.
Most people don't know how to set up either one. I know when the fiber techs came to my house to set me up they were greatly impressed at my (fairly basic; I don't do this for a living) networking knowledge.
You don't usually have to call any more, there's a captive portal provisioning process. It's not totally reliable and sometimes you might give up after a few tries and call instead.
What are you talking about? Modems are incredibly simple to set up. You buy it, log into your account on another network or call the ISP, enter your modem's mac address...and that's it. You have to type in the mac or read it off over the phone. There's nothing on device to set up, it's much easier than a router.
I'd definitely appreciate if you know any resources on this. I don't recall the details, since it's been seven years since I last tried, but I remember hitting friction I couldn't get past.
You also get better rates if you use their equipment.
Surely that is not true? I thought rental fees were common with using the vendor equipment (something like $10/month). It is a frequently listed as a cost cutting measure to buy your own modem rather than rent from The ISP. A modem is $100-200, so you should be net positive after a year on the investment.
No longer true last time I went in to renegotiate my service plan, I got a better monthly rate and higher bandwidth using their gear. I had previously used my own modem and router.
Huh. At least there is now a carrot to get you to mule for their public WiFi offering.
docsis modem costs $30, wireless AP costs another $50, add repeaters if you want.
I have been using my setup for 9 years and never paid a dime in rent of equipment.
the setup is plug-n-play / one youtube video away
I guess you don’t want the fastest speed or no data cap. We easily surpass the 1TB cap with 4K streaming and WFH video calls.
I use Cox and get their fastest speed (2.5Gbps) with the option for unlimited data if I wanted it, and I'm using my own equipment.
Similarly, never seen limitations on speed or allotment if using owned equipment. The ISP will give a big scary message about how support will be unable to help you if things go wrong, but that’s the extent of it.
Your described option is not the broader reality.
Most people use the hardware that is provided with the service by default. Last time I checked, there's not even an additional rental fee.
Maybe not everywhere, sure, only in America.
https://www.xfinity.com/support/articles/list-of-approved-ca...
I can't believe I'm defending Comcast on the internet but here I am, I guess between them and you I'm siding with the entity currently being less of an ass to me?
Idk what you’re even defending with that article, but that’s your cross to bear.
Mimicking my speech pattern then trying to say I’m being the ass is not going to hold up, however.
Elsewhere I posted that I used to work in this space and have first-hand knowledge that the majority of people do not use third party modems. That is a fact.
Just because people can go out and purchase a new modem and then additional wifi gear, doesn’t mean that they do or even should to shield themselves from the potential privacy violations happening here.
I said you were being the ass because you called me a "shillbot".
You edited your comment to delete that, so I'll also retract my calling you an ass.
I agree with basically everything else you said.
appreciate you and sorry for hitting you with some crossfire that was intended for Comcast and Comcast only
Sure, but you still can use your own hardware if you choose to. And that's all that the original comment you replied to was saying. If you choose to use your own hardware, then Comcast won't have control over it and cannot do this wifi motion detection.
Of course, most people won't do this, but that's besides the point.
> they only have some level of control over DOCSIS modem
they typically issue a modem / router combination unit, and they can control the router and its radios.
Yes, but you can replace that with your own unit they don't have control over.
…and most people don’t. it’s an additional expense, additional work, and frankly not worth the headache for like 80%+ of users.
I used to work in this space, and have first-hand knowledge about the prevalence of third party modems with a sample set of over 100k people. What’s your experience?
Nobody is arguing against that. I fully agree that most people don't. The point was only that you can.
Why an Arris Surfboard specifically? Just checked their website and the ratings are not good?
Edit: thanks for the downvote! The few I clicked on their website have weak ratings but they are rated much better on Amazon.
Historically the surfboard has been the go to option for Comcast. I can’t say what the current best option is, but if you purchased your own modem in the previous decade chances are you bought a surfboard. IIRC Comcast has a page of third party modems that are compatible.
Back when I used Comcast ten years ago, that was the one that I had that I used with them. I mentioned it because I'm 100% certain it can be used. There are a million others too.
>They provide a modem / router combination device at even their cheapest tier.
you can bring your own modem & AP
You can turn the customer AP off; however, the Comcast Customer Shared WiFi is always on. This is true even for Comcast Business accounts. You're expected to be a hotspot for their other customers.
Which is one of the main reasons I bought my own modem.
just dont buy any device form comcast!
buy your own DOCSIS modem from Amazon and your own wireless AP. Separate AP is needed, because Comcast has some form of control over DOCSIS modem (they can reboot and send config to your modem)
problem solved
You can turn off the shared hotspot: https://www.xfinity.com/support/articles/disable-xfinity-wif...
Is this true if the modem/router/AP is in bridge mode (so acting as just a modem)? They would have to essentially provision 2 IPs per customer in that case, I wonder if they just don't bother.
It’s tricky when privacy gets tangled with law enforcement requests. If you want better control over your data, tools like HiFiveStar can help you monitor what’s being shared. It made me feel a bit more on top of my online footprint.
And also how many people are currently in the house, right at this moment. Maybe even which rooms of the house those people are in.
WiFi can also be used to detect heartrate and breathing, which can leak additional ad-targeting information related to activity, arousal, or agitation.
I am curious if, with the number and quality of signals they can capture from this, how uniquely they can identify individuals and determine things like age, gender, weight, etc. Particularly when analyzed probabalistically with other household level data they likely have.
One could just keep a rotisserie chicken roasting in the oven to make it seem like someone’s home
You should assume that any information a company has about you will be turned over to law enforcement in that case. They don’t have a choice, they’re required to cooperate.
The purpose of that clause isn’t to allow them to cooperate with law enforcement. That’s a given. It’s to avoid problems with you when they do, so they have something to point to and say “we did warn you.” Law supersedes private contracts. They could write “we will never give your information to law enforcement” but all that means is that they’ll be forced to break the contract when that happens.
> Sounds like, at least in some limited circumstances (using the provided WiFi AP, having this feature turned on, etc), ISPs are going to be able to tell law enforcement/courts whether anyone was home at a certain time or not.
Kind of, but I'll bet most homes would frequently also appear "empty" any time the occupants are asleep. Not everyone gets up to go to the bathroom in the middle of the night.
Law enforcement could tell whether you're home at certain time or not for decades before WiFI Motion. However with WiFi motion, if you're in some kind of a big building, like a hotel or huge office building, they will be able to tell exactly the room number and spot you're occupying.
They could also do that with the surveillance feeds and actually confirm its you and not the night custodian.
Couldn’t you do this already? I have an electric meter on the side of my building with a public facing display of kwh usage. The water company has a similar hookup for measuring flow. Both could be used to determine occupancy in theory.
Just don't use your vendor's hardware. Get a cheap cable modem and hang whatever infra you want on the other side. Get a hardware VPN like the Velocloud. Using your ISP's equipment is like using their SMTP.
Would be curious how that works with larger family with pets. Depending on the week we're 5-7 people and 2-4 dogs. With a single AP the noise beyond "something happened" would be pretty rough I think.
“Comcast does not monitor the motion and/or notifications generated by the service.”
Sounds like the above claim amounts to nothing more than, “trust me bro.” Or, rather, that that nothing stops them from monitoring it, other than the cost, as they haven’t monetized it yet.
They don't MONITOR it, but they do log and store it all for years and years and will turn it over or sell it to anyone who asks.
Curious: What about adding a small battery powered WiFi device to your dogs collar? Would that look like a person moving around the house? What about a WiFi controlled mini drone that flew around you house?
[Note: this should be illegal]
This technology doesn't rely on you actually having a WiFi device on you. It can detect presence/motion by changes to the standing waves of the EM propagation throughout the room.
As the salty water meatbags move from room to room we change how the reflections and scattering patterns of 2.4 and 5GHz waves move. Studying these changes and some calibration, you can even determine small changes (like is the person on the left side of the room breathing, are they standing or prone, etc).
In their docs, they show using the WiFi connection from a printer to determine motion sensing and have the option to exclude pets.
im very skeptical of the accuracy claimed. The layout and complexity of objects in most homes to do this is way to awkward to work reliably.
For someone breathing or a heartbeat you need much higher GHz signal. Usually this is done at 30ghz to 60ghz. The power flux leaving the antenna has an inverse square drop off rate which makes this basically impractical unless your standing directly in front of it.
I have personally tested wifi imaging from a cheap old 2.4Ghz linksys router that was accurate enough to tell if my hand was open or closed, maybe 10 years ago.
I do agree some of these claims are pretty extreme. I wonder if it does work what the reliability of things like breathing and heartbeats. FWIW, some of these systems do incorporate 60GHz signals in their analysis, but as you mention dealing with 60GHz is incredibly challenging even in something like a residential building.
I'd really like to actually see it in person to really grasp the limitations.
Is 60GHz not part of the standard now? Only a matter of consumer hardware support.
I don't think 60GHz is required on WiFi 7 which includes a lot of sensing, but I'm open to be proven wrong.
It doesn't require a WiFi device to work.
> If you’d like to prevent your pet’s movement from causing motion notifications, you can exclude pet motion in your WiFi Motion settings by turning on the Exclude Small Pets feature. > Motion is detected based on the amount of signal disruption taking place between the Xfinity Gateway and your selected WiFi-connected devices, so motion from small pets (around 40 pounds or less) can be filtered out while keeping you notified of large movements more likely to be caused by humans.
It's basically passive radar using the wifi bands as the reflection AFAIK. It doesn't seem to be about the active state of devices, but the deflections in known points. It's creepy.
A much easier alternative is to not enable the feature on your router.
It's an opt-in feature. If you don't set it up, they aren't generating the home/away chart like shown in the article.
It's an opt-in feature, for now.
If they find some way to sell the data you'll quickly find it difficult to opt-out of.
I was thinking of attaching a wifi enabled device to a roomba if you wanted to appear to be home when you weren't. I would hope, though, that doing something like this wouldn't be illegal. It's your home, your stuff, etc. Besides, I don't want to get arrested for leaving a rotating fan on or something.
> using the provided WiFi AP
Which you can simply not do if you don't trust your ISP not to misuse it. Which is why I never run my ISP's router, I run my own instead.
They already can.
If they have access to your router and its logs, they can simply check whether your mobile device was in WiFi range at that time.
Sure, mobile devices can be turned off, but at that point, so can routers.
In 99.9% of circumstances, it's a "nothing burger" from a law enforcement perspective, except maybe for detecting actual crime occurring when no residents are home.
definitly an atrocious violation of privacy, but in reality discerning between an animal, something blowing in the wind, and a person moving would be very hard without a dedicated calibrated array for that to hold up in court. I'm aware they have "exclude animal" but theres no way its at all accurate.
Using your mobile data and internet traffic is far easier and already deeply integrated into off the shelf law enforcement products. Those progams are even more terrifying than this by an order of magnitude.
Can't they already do this with the data of which devices are connected when? Motion data doesn't identify you in the way that device data does
I've been telling people for ages to not trust ISP provided hardware. Notice the vague language here which means they reserve the right to share private information for anything that might be called an investigation, or for any dispute which includes them (didn't pay your bill?), or a subpoena.
Subject to applicable law, Comcast may disclose information generated by your WiFi Motion to third parties without further notice to you in connection with any law enforcement investigation or proceeding, any dispute to which Comcast is a party, or pursuant to a court order or subpoena.
This is scary, particularly considering how the current administration wants to weaponize everything they possibly can.
This is what precisely why I willingly pay more to Google for their fiber optic service than AT&T for an equivalent, albeit less expensive, plan: Google readily allows me to use my own equipment. I am voting with my dollars on this one.
Scary, but is it any scarier than the status quo before this feature was implemented? The fidelity of the data, perhaps, but it's more or less been the standard that our footprint where we intersect with a third-party is no longer ours to control.
> is it any scarier than the status quo before this feature was implemented
Yes. It's an invasion of privacy inside peoples' homes.
Xfinity won't give folks in certain locales (maybe everywhere in the US?) unlimited bandwidth unless they use their modem/router. This seems like a good reason that practice should be illegal.
If you want to remove the 1.2TB data cap, you can either pay $25/mo and get Xfinity's gateway router "included" OR pay $30/mo to use your own modem/router.
Put their WiFi router inside a faraday’s cage and wire a modem behind it. That should shave off the $25/mo.
I use my own and there's a data cap.
I did too last time I had my own internet service, but I wasn't paying the $30/month fee to have unlimited bandwidth. Are you? (And if so, why, if they're not giving you the unlimited bandwidth?)
I have to pay more when I do not use their device? Crazy...
Right, it makes you wonder what they're getting out of using the first-party device. Companies usually aren't in the business of burning money.
I use my own modem/router with them, but I have to pay an extra $30/mo for unlimited download. Complete garbage. I wish there was competition; Comcast is my only realistic option in San Francisco.
As far as I’m aware, Xfinity fiber customers have to use the provided “Xfinity Wi-Fi Gateway” and cannot enable bridge mode.
If anyone knows a way around this, please share! I want to connect my Xfinity ONT directly to my UniFi router.
They have changed this policy with their new plans released last week. You no longer have to use their equipment to get unlimited data
In that situation, I would put the vendor modem in a microwave or other impromptu faraday cage to prevent the leakage. Remove/isolate the antennas as best as possible.
Can also open it up and disconnect the wifi antennas, or cut the traces if they're on the PCB.
Those vendor modems are rentals and expected to be returned in working order. Would you likely get away with it? Sure, nobody is paying techs to diagnose why the WiFi is failing for unit #367326, but cutting traces is definitely crossing some lines.
I wonder what they do with them when they’re returned. Ship em off in pallets to e waste buyers in China I would guess.
I was thinking about this with respect to the new uncomplicated no-contract service with no caps they started offering:
https://www.slashdot.org/story/25/06/26/2124252/comcasts-new...
Apparently you can get 1/2gbit ethernet only modems without wifi. You don't save any money over using their equipment.
This practice, and fear of the exact sort of nonsense in this article, plus wanting to keep my wifi bandwidth free for the network I actually connect to, is why I'm still on AT&T DSL in my area, at 50 mbps. Comcast is available at up to gigabit, and they can keep it.
AT&T is pretty bad in its own way. They snoop DNS and to sell your info (including physical address) to advertisers - even if you switch your DNS providers. They used to had a paid opt out (~$20/mo IIRC) but I don’t see that option anymore.
This is quite easy to avoid by using DNS over TLS. It's like 15 minutes of effort in some OpenWRT documentation [1]. If you want any hope of having some semblance of control and privacy, you would already be using your own router, with their CPE being relegated to modem-only duties. It only makes sense that in this situation you choose a router that can run highly-configurable and privacy-preserving software.
I did it several months ago, including the optional adding an outbound firewall rule dropping forwarded UDP/TCP 53 traffic (I tried the redirect rule suggested there first, but it didn't work and the firewall ruleset failed to load, so a drop will have to do. I didn't bother investigating why, because everything on my LANs is configured to use the router as their only nameserver anyway).
I also added a rule dropping it from the router itself in case something breaks, for example if it suddenly decides to start honouring the DHCP-received nameserver addresses (my ISP) despite being configured not to.
EDIT: The article doesn't make this clear, but the bootstrap section is only necessary if you specify upstream nameservers by name (e.g. "https://dns.cloudflare.com/dns-query"). This is not required. For example, you can configure a manual upstream of "tls://1.1.1.1" like I did, and then it doesn't need to do any DNS lookups at all, so does not need to be configured with bootstrap servers, so will not break if you add the 2 firewall rules I mentioned.
[1] https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq...
I wasn't really meaning to defend AT&T as a good option, just a slightly less evil one. I'm surprised I have a choice at all out here in the sticks. A lot of places just have one provider.
I had AT&T DSL many years ago. They forced me to use their modem/router combo from 2Wire. It was truly awful. I eventually got so fed up with trying to connect things to the WiFi that I bought a separate router to plug into it, and connected to that network, which it did let me do. That solved most of my problems, other than the overall poor service.
Interesting. My family had one of the pointy 2Wire ones (the HomePortal 1000 looks like the one), and I don't remember it having issues with WiFi. Then again, all I had to connect at the time was an HP Pavilion running Windows Vista/7 (later Linux) and an iPod Touch. I think we eventually had a Wii and an Epson printer connected wirelessly as well.
Now I do remember some issues getting it to maintain a stable connection to the DSL network at some points, which even daisy-chaining another router wouldn't have fixed. No way to tell if that was the gateway or just the DSL network that was flaky.
So use their router, but connect your own to it. Then turn off the WiFi in their equipment
I'm doing the first bit, but I can't turn off the wifi -- only stop broadcasting my "personal" network. And actually, as I went in to make sure that was the case, I saw that broadcasting of my personal network had been forcibly turned back on. Lovely!
If you cannot disable it and you don't trust the wifi but need the service, wrap the isp provided box it in aluminum foil and ground that foil ( no need to try to solder on the foil, an alligator clip is more practical), the wifi will still be on but it will be completely blind. Just make sure it doesn't overheat.
I thought you weren’t supposed to ground faraday cages, is that not the case?
it a safety mesure, the ground coud potentially act as a really crappy antenna but if the foil is touching something conducting on the modem and there is a malfunction, you want that current to go somewhere and the ground is that place.
That is what should be illegal, for electronic devices (even if rented) to be unable to disable wireless communications, or for a contract to affect the operation of stuff other than wireless communications when the wireless is disabled. It should also be illegal to be unable to disable all power to electric devices (for devices with battery power, that would include that it must be possible to remove the battery, and the method to be documented).
If you don't broadcast your SSID, then how can device manufactures have hyper accurate location services available when GPS is not? You're not participating in the system! Hell, as much money as theGoogs gives to be the default search to various companies, would they not be willing to pay ISPs to keep that option on? I'm just throwing ideas out that I know nothing about, but I don't see why they would be opposed to the concept.
This is an old article, but still accurate. By default every Xfinity router also advertises Xfinity's public wifi offering: https://money.cnn.com/2014/06/16/technology/security/comcast.... Now if you turn that off then what? Not sure, but I trust Xfinity and their lawyers to find a way :)
Doesn’t turning off SSID broadcast result in devices that have the wifi network saved repeatedly broadcast a request for the AP to identify itself in an effort to establish a connection?
They do that already... sum of all privacy losses.
Any time you go out in public your devices are crying out looking for your home AP. If someone can figure out which are you, e.g. by seeing you multiple times in different places they can then go look up where you live based on your home's SSID broadcasts.
Correcting myself: It appears that many modern client devices (at least current Networkmanager in linux, iphones, and grapheneos) have a "hidden" flag on saved SSIDs and only probe for hidden ones, so the ancestor post is correct for a least these devices.
Older and less sophicated clients, -- that don't explicitly have a 'hidden flag' for saved SSIDs will probe continually for all SSIDs they know.
I'm not sure I follow. Why would a network known to the device not be connected to the network? If you never connected your device to their wifi and only connected to your wifi connected via ethernet, why would it even know to make a request? If you're not actively connecting to the WiFi in your house, why not just "forget network"? Seems like a strange hypothetical, but aren't they all?
> Why would a network known to the device not be connected to the network?
I think they're referring to when you leave your home. Your device(s) will be constantly broadcasting probe requests for the hidden network.
The away-from-home probe requests wouldn't be that useful for mapping, but your AP/router is equally useful for mapping with or without broadcasting the SSID. Hiding your SSID just means it sets the SSID to null in the beacon frames but it's still sending out beacon frames with its far-more-unique MAC address (BSSID). If you're on linux you can see this pretty easily by running `sudo iw dev wlan0 scan`. The "hidden" wifi networks will have their SSID as "SSID: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" but all the other information including MAC address is still there. Personally it seems there are two "hidden" wifi networks within range of my bedroom.
I admittedly know little about this, but isn't GPS accurate enough on most modern devices to render the SSID refinement moot?
I use a cellular connection for my internet, but my apartment building is wired with Xfinity, and probably 90% of people use it.
Naturally, there is no way for me to opt out of this.
Does your apartment lease require that you use Comcast's hardware? When I signed up for Xfinity years ago I wanted to use my own hardware (NetGear cable modem, Buffalo Airstation with DD-WRT). I forget now whether I had to walk through the activation over the phone with a tech - I vaguely recall having to provide some information about the modem, which was one of the models listed as supported on their use-your-own-hardware web page - but the whole thing was easy.
Other people have mentioned that not using Comcast's stuff means that certain features won't be available, but I don't care. I don't have huge bandwidth needs, for instance.
I believe the person you are replying to does not use comcast, but is saying they cant' opt out of this spying due to their neighbors using comcast.
Are you in California? I'd contend there's a CCPA issue there. "I live at X address, and demand that you not collect my movement information from any of your equipment at this address or others."
Time to make your apartment a faraday cage!
RF-blocking paint exists.
And contrary to popular belief, neither it nor a faraday cage blocks RF. They attenuate it, to varying degrees.
There is still the question of how much the attenuation is and if it can prevent the detection. There is also the issue if you want to receive other radio signals such as AM radio, FM radio, amateur radio, etc.
If you ask the Xfinity managers who came up with this idea whether thieves will be able to buy live information on whether your home is empty from hackers on the dark web, the managers will likely say... nothing. What they will do is look at you with a deer-in-the-headlights expression in their shocked faces.
Sigh.
The word "liability" might not always work, but occasionally it makes someone think a little harder about what their company is doing.
A company like Comcast knows more about the liabilities of what they're doing than any of their customers do, guaranteed.
Any service provided by a connected device can be framed as something "people can buy on the Dark Web".
XFinity lets you make HTTP requests to the web via your router. Uh-oh: XFinity decided to sell info on your web requests on the Dark Web.
I don't want my ISP doing this to me, but it sounds like something pretty cool to do myself. Does anybody know what the current state of "self-hosting" this kind of functionality is?
I am also super interested for the personal use case. What is the resolution? Can I track my cat through the house? See when they go to the feeder? Count my own bathroom visits?
> What is the resolution? Can I track my cat through the house? See when they go to the feeder? Count my own bathroom visits?
None of the above.
The setup process has you select 3 reference devices. You should pick the devices so that your normal motion areas are between the device and the router.
The router then watches the WiFi signals from those devices. If they fluctuate more than baseline, it's assumed that something is moving around in the area.
It's a threshold detection that can serve as a crude motion sensor for home/away purposes.
For home / away purposes it's easier to just detect if your phone is connected to the network. I built something like that before by shipping the log from my UniFi controller to a RPi and listen for events where my phone's MAC address connect or disconnnect.
This doesn't really tell you if someone without your wifi password is rummaging through your house while you're not there. Also wifi is not the right tool for this lol
> Also wifi is not the right tool for this lol
Why? It's already there and reliable.
Nuts. Less interesting than the claims of monitoring heart rate, but still potentially some applications “for free” if it just needs to analyze signal strength from devices I already have. Theoretically could put it directly onto my OpenWRT router and make it available from there.
Just get cameras and local storage/processing for them. No need for elaborate Wi-Fi presence detection hacks.
Presence detection without the possibility of images being captured seems a reasonable application to me. So much the better if I could do it with hardware I already have versus installing motion detectors or other sensors.
RF human detection sensors ((that can even tell you the heart rate of someone in the room (if its below 120 I think)), cost almost nothing. Or at least they did before tariffs .
They can also be programmed to detect people on the floor, so if you have elderly in your house you can know if someone fell, without cameras. They are made for hospitals but are cheap, but not 100% accurate for HR and falls, but reliable enough for security, and cheap.
RF would have to be placed in each room, no? And would require wiring or be battery powered.
Wifi is something most people already have available, and requires no new wiring or battery management. That's the selling point.
Check out ESP32-based projects like ESP32-CSI-Tool or the FreqSense library, which can implement WiFi sensing with minimal hardware and completely under your control.
>Check out ESP32-based projects like ESP32-CSI-Tool or the FreqSense library
Interesting, mind sharing links to these?
I just don't get these comments, it literally takes longer to type out a reply versus just highlighting the text and right click to search. Truly baffling.
Sorry, I should have clarified (I would normally agree with you here).
I found a GitHub repo for "ESP32-CSI-Tool" that seems related to Wi-Fi Sensing, but zero references to "FreqSense" in the Wi-Fi/RF context.
The only FreqSense I found is an obscure academic paper on speech recognition that doesn't involve any form of hardware.
In case anyone is skimming the headline and comments: It's not enabled by default. This is an optional feature that you have to find, turn on, and then select up to 3 WiFi devices to use as reference signals:
> Activating the feature
> WiFi Motion is off by default. To activate the feature, perform the following steps:
The actual title of the article is "Using WiFi Motion in the Xfinity app".
"...for you." --Bane
These days it is never safe to assume that opting-in does anything more than making some of the information that's being collected regardless available.
Although I actually agree with you that it probably isn't doing anything by default to the extent that it isn't doing anything yet because it's new they haven't worked out how to monetize it.
I think at least right now this is reasonable: It's off by default, and if you choose to turn it on, they don't use it for anything themselves, but Comcast is disclosing that it may be forced to give the data over with a legal request.
If I was advising Comcast, I'd tell them this is a dumb thing to introduce because just the perception of bad behavior is not worth any particular benefit, but whatever. I can't imagine someone deciding they want a Comcast plan because it offers this, and there's no way for them to monetize it without almost assured legal backlash.
The visibility of the feature for users may be "off by default" but that means nothing in terms of what Comcast is actually collecting, storing, and sending to third parties.
>It's not enabled by default.
Here's how this level of scum works in reality:
At first: https://news.ycombinator.com/item?id=3017694
Eventually: https://news.ycombinator.com/item?id=39709991
I remember reading this paper when it came out, didn't think it would be commercializable, and here we are.
I have a sneaky suspicion this is not something that Xfinity/Comcast just woke up one day and thought they should implement. This has all the hallmarks of the treasonous surveillance state injecting itself to instrumentalize corporations to claim they’re not violating the supreme law called the Constitution if they simply make others commit the treasonous crimes against the people.
Because we all know, of course, the Constitution only applies to the federal government, right? If mega-corporation USA Inc uses its shell company Comcast to violate the Supreme law of the land in a treasonous manner, then you are of course SOL asa mere citizen since they aren’t the federal government and the Constitution does not apply to them.
In case it want clear, that was sarcasm.
I miss the old days when this would come off like a crazy rant, rather than being the evening news.
In case people missed it:
https://theconversation.com/from-help-to-harm-how-the-govern...
https://www.eff.org/deeplinks/2023/07/even-government-thinks...
https://www.politico.com/news/magazine/2024/02/28/government...
I was just reading up on wifi 7 today. It sounds like the spec was designed with WIFI sensing in mind.
That’s speculation. In the article, you can see that it’s meant as a pseudo-alarm system. It’s plausible that someone at Comcast thought this is a value-add. (Netgear already offered this as a feature on their routers, it’s not a novel concept.)
Even within tech circles, lots of people aren’t worried about privacy and even have indoor cameras in their homes.
Yeah, it's bizarre.
Normally the pathway for this kind of thing would be:
1. theorized
2. proven in a research lab
3. not feasible in real-world use (fizzles and dies)
if you're lucky the path is like
1. theorized
2. proven in a research lab
3. actually somewhat feasible in real-world use!
4. startups / researchers split off to attempt to market it (fizzles and dies)
the fact that this ended up going from research paper to "Comcast can tell if I'm home based on my body's physical interaction with wifi waves" is absolutely wild
It's not too crazy, if you're familiar with comms systems.
The ability to do this is a necessity for a comm system working in a reflective environment: cancel out the reflections with an adaptive filter, residual is now a high-pass result of the motion. It's the same concept that makes your cell location data so profitable, and how 10G ethernet is possible over copper, with the hybrid front end cancelling reflections from kinks in the cable (and why physical wiggling the cable will cause packet CRC errors). It's, quite literally, "already there" for almost every modern MIMO system, just maybe not exposed for use.
> the fact that this ended up going from research paper to "Comcast can tell if I'm home based on my body's physical interaction with wifi waves" is absolutely wild
The 15-year path was roughly:
1. bespoke military use (see+shoot through wall)
2. bespoke law-enforcement use (occupancy, activity)
3. public research papers by MIT and others
4. open firmware for Intel modems
5. 1000+ research papers using open firmware
6. bespoke offensive/criminal/state malware
7. bespoke commercial niche implementations
8. IEEE standardization (802.11bf)
9. (very few) open-source countermeasures
10. ISP routers implementing draft IEEE standard
11. (upcoming) many new WiFi 7+ devices with Sensing features
> There is one area that the IEEE is not working on, at least not directly: privacy and security.. IEEE fellow and member of the Wi-Fi sensing task group.. the goal is to focus on “at least get the sensing measurements done.” He says that the committee did discuss privacy and security: “Some individuals have raised concerns, including myself.” But they decided that while those concerns do need to be addressed, they are not within the committee’s mandate.
Sounds like IEEE is in need of fresh leadership and soon. Complacency at this point is folly.
I was reading Hyatt's Privacy Policy and they mention biometrics (and even genetic information for some reason). Does this mean they can analyze all of my behavior in the hotel room?
I'm not about to find out. I really liked Hyatt, too.
The ER I was seen at a few weeks ago had me sign a consent to use my data to (presumably) train AI.
Was it possible to deny it?
Probably, but my care would have suffered. They are required by law to treat people in emergencies but they aren’t required by law to do anything but keep them from immediately dying.
I have a condition that requires complex and ongoing care, and sometimes need to be admitted briefly for same. Refusing to sign consent forms prevents that and gets you on to the “this guy isn’t going to pay us, get him out of here asap” list.
Yeah, I get how that could be. I wondered if that was something you'd feel comfortable doing in that specific ER, and I could imagine feeling like you had to choose between skipping the form and getting care.
This is a neat feature when it's your own device that you control, but not so great when they "disclose information generated by WiFi Motion to third parties without further notice to you."
I wanted to talk about how responsible WiFi router software authors can make things local-only (and I've done that in the past; no way to get this information even if I wanted it). But this is always temporary when "they" can push an update to your router at any time. One day the software is trustworthy, they next day it's not, via intentional removal of privacy features or by virtue of a dumb bug that you probably should have written a unit test for. Comcast is getting attention for saying they're doing this, but anyone who pushes firmware updates to your WiFi router can do this tomorrow if they feel like it. A strong argument in favor of "maybe I'll just run NixOS on an Orange Pi as my router", because at least you get the final say in what code runs.
Sensing is (sadly) part of Wi-Fi 7. If you have a recent Intel, AMD or Qualcomm device from the past few years, it's likely physically capable of detecting human presence and/or activity (e.g. breathing rate). It can also be done with $20 ESP32 devices + OSS firmware and _possibly_ with compromised radio basebands.
Was anyone asking for their network to be able to sense their breathing rate? What does this enable that actually improves people’s lives?
This is the kind of stuff that pushes me to pull a Ron Swanson and throw my technology in the dumpster.
The network already could. The standardisation is just making the feature available without hiding it.
The core of the sensing technology is about improving MU-MIMO + OFDM + all the other speed tricks. Human bodies interfere in predictable ways so you need the tech to steer around that. As a side effect, you get detection capabilities for free.
In such a setup, your laptop and router already know where you are. The question is whether or not to offer it to you so you can use that information for things like home automation. Had they not made this part of the protocol, the privacy risks were just as bad, you just wouldn't be aware of them.
Similar technology has been quietly in use for a while, with falling cost, e.g. "Inside a $1 radar motion sensor", https://news.ycombinator.com/item?id=40834349 (100 comments).
Commercialization gives consumers and regulators the opportunity to express their opinions on the sudden and unsolicited transparency of the walls, floors and ceilings of their homes and businesses.
I tried Wifi7 at my home, but most of the benefits are lost when physical walls are in the way. Therefore I think WiFi 7 is more for commercial applications.
TSA can check your heart rate / breathing rate elevating during your walk through security.
Casinos can see your heart spike before placing a bet. If the system is digital maybe that can be synced to always deal a loss hand.
The only use case I've heard of is elderly care, where no movement might mean a person has fallen and needs help. An edge, strictly opt-in scenario that would be addressed more effectively (movement+HR+body temp) by relatively cheap wearables.
Commercial use of WiFi sensing predates WiFi 7 (a notable example is Philips smart bulbs with presence detection). AFAIK WiFi 7 just includes an amendment by the 802.11bf working group to improve performance.
What's the commercial use of having this data though? Or even law enforcement use? We all have our phones on us most of the time anyways, knowing where in my house I'm at doesn't really... change anything...
There are 1000+ public research papers on machine learning + RF detection of human activity, including but not limited to breathing rate, keystrokes, body position, body motion, gestures, sleeping, biometric (identity) signals and more, https://scholar.google.com/scholar?q=device+free+wireless+se...
What's the economic value of remote collection of human behavioral signatures without consent, integrated with AI and robotics and "digital twins"? We're not there yet, but if the technology continues improving, what's the future value of "motion capture" of humans without body-worn sensors?
In theory, this will enable "Minority Report" user interfaces. 3D gestures could be combined with "AI" voice interfaces. Biometric authentication (e.g. heart rate) could replace passwords. Walk into a room and it adapts itself to your preferences. Etc.
There are lots of "cool" Jetsons sci-fi use cases, but ONLY IF the data and automation are entirely under control of the human subjects, e.g. self-hosted home server, local GPUs, local LLM, local voice recognition, etc.
[flagged]
If you had a particular idea from the LLM that you wanted to share people would be more receptive, but just dumping the whole output comes across as intellectually lazy
Please don't do this. Whether it's LLM-generated or not, we don't want big blocks of text from elsewhere pasted into comments here. Please at least try to craft original human thoughts.
To whom it may concern, for those who use the modem in bridge mode, it is possible to discreetly pop open the Xfinity modem and disconnect the wireless antennas.
Detecting motion through WiFi signals sounds tricky to set up. You might want to check out Loyally AI for tracking real-time activity in smart home systems. It helped me keep an eye on things without extra sensors.
This is actually a feature of the Plume wifi mesh devices. https://support.plume.com/s/article/Sense-Live-View?language... It's also available from any other ISP that uses them, or if you buy your own Plume device and a subscription. It's been there for years. https://arstechnica.com/gadgets/2020/03/from-wi-fi-to-spy-fi...
https://staceyoniot.com/the-next-big-wi-fi-standard-is-for-s...
> The IEEE plans to take the concepts for Wi-Fi sensing from the proprietary system built by Cognitive (which has been licensed to Qualcomm and also Plume) and create a standard interface for how the chips calculate interference that determines where in space an object is.
Other firmware sensing capability: https://www.cognitivesystems.com/caregiver/
- Activity Tracking: Detects movement patterns to identify changes in daily routines to spot health concerns
- Sleep Monitoring: Tracks sleep duration, wake times and nighttime interruptions to assess sleep quality
- Anomaly Detection: Establishes household baseline to proactively identify unusual patterns & changes in activityPut your cable modem in bridge mode and use your own WiFi.
I used to recommend using your own cable modem as well, but these days you have to use the Xfinity modem to avoid overages if you're in a market with data caps.
Comcast has a stellar network operations unit, but their business operations are creepy and exploitative.
Is their network good, though? They try to keep my data in their network as long as possible affecting latency to certain places, which is significantly worse than what fiber providers in my area do.
Okay I'm as concerned about privasy as everybody else is here but i also gotta admire that its pretty neat they can actually do that. Are they measuring the signal echo like what radar does? If they controlled both the receiver and transmitter i wouldn't be as surprised to find out they can tell when something crosses between them and form a 2-dimensional mesh (like that episode of Star Trek TNG where geordie detects cloaked romulan ships by having starfleet deploy a fleet of ships that send signals back and forth and look for timing variances) but if I'm understanding correctly this is different because they only control a single point in the network?
I wonder if they have enough information to make out shapes or if it's just a simple rangefinder?
It's far from great for imaging, but it can be done. https://www.zmescience.com/research/inventions/wifi-technolo...
Honestly even that is pretty incredible. At the very least that's enough date to count family members, possibly ID them if they have different-shaped bodies, and identify certain activities with obvious silhouettes (eg, sex).
I don't think it justifies the impending orwellian hellscape this technology will eventually unleash, but one positive thing about this that has me a bit excited is that this could easily clear up many ambiguities in criminal cases. for example, fairly often a death will get ruled as a suicide but victim's relatives and friends will insist that it must have been a murder; imagine being able to use this technology to definitively prove whether or not there was another party present when the victim died.
Or in rape cases where the defendant is protesting their innocence, knowing the body language of the victim and the defendant could be a vital clue because you might be able to observe the victim fighting back.
Again, I don't think the positives outweigh the negatives to the point that it could ever justify an invasion of privacy on this scale (you might as well just make everybody let the government set up a thermal camera in their house!) but it is interesting to think about the problems this could solve.
Similarly, "DensePose from WiFi" (2023), 40 comments, https://news.ycombinator.com/item?id=34423395
About fivish years ago I interviewed with a Wi-Fi device maker and the engineer I interviewed with was bragging that they could watch users walk around their home.
The term for this sort of thing is "WiFi sensing". Relevant HN thread from 2021 ("The next big Wi-Fi standard is for sensing, not communication (2021)"): https://news.ycombinator.com/item?id=29901587
As far as I can tell, devices were already on the market when that thread was made. 802.11bf was standardization to help along interoperability and future products.
One takeaway from this is that there's a strong privacy case for disabling the built-in wireless network from your ISP-provided modem/router and using your own, to reduce the number of ways that your ISP can surveil you.
My home ISP's cell router (because no other internet reaches our area anymore) has almost no configurable settings (just wifi name/password/hidden), and actively forbids you from disabling wifi even though I only use it through the wired connection.
(And what limited configurability it provides is only through the app, which requires you to agree to their "molest your privacy policy". I had been content with just not installing the app , but my threat model hadn't considered this new development ...)
That’s always a good idea, but they’ll still be able to tell when someone is home because the outbound internet traffic will increase.
And don’t forget to set your DNS to a non-ISP resolver.
SNI is not encrypted.
You need a box downstream of your ISP devices that encrypts all traffic out over a VPN. This is what I do.
> That’s always a good idea, but they’ll still be able to tell when someone is home because the outbound internet traffic will increase.
Sure, but not necessarily who is home, since they won't have the MAC address of your device(s) connecting.
Also, traffic volumes are a lot noisier of signals than you might think, given how much automated and background stuff we have these days.
So you need fake upstream downstream traffic, put your router in a lead box, use DNS over https, and then all that for nothing because the Amazon router was backdoored by the NSA too
Even better, don't use the Comcast router at all. It's a rip off anyway
Don't they hand out combination modem/routers? What's a cheaper alternative?
Buy your own DOCSIS modem, opt out of renting theirs. It'll pay for itself after a few billing cycles (the modem rental fee is $15 per month)
I did this recently and found out Comcast considers some security feature that runs only on their hardware to be part of the bundle they sold us.
So, bringing your own modem gets rid of the rental fee, but requires moving to a different plan without the security feature bundled. This is of course more expensive, almost entirely negating the savings of bringing your own network equipment (I think our net savings is $5/month, which means its going to be a couple years to pay back the modem cost).
If you're on a cheaper lower speed subscription, you can often find compatible modems at thrift stores for a couple dollars. People upgrade to faster tiers and unload their old perfectly serviceable equipment good for a couple hundred megabits - fine for most needs.
Wow, what a deal. Last I looked it was $5/mo. Spectrum doesn't give you any discount at all.
Still I thought a good DOCSIS 3.1 modem would be a few hundred.
I bought a DOCSIS modem+wifi AP on amazon a decade ago for $50. Its been working like a champ and I have control over it.
although for the best control it is recommended to buy modem separately and wifi AP separately, because Comcast can send C&C commands to your modem over the copper cable
If it lets you. I think Bell modem+router+AP devices always broadcast a TV network with no way of disabling it whether you have TV service or not.
This is piled on top of the existing strong case for all Comcast wifi equipment being hot garbage. If some confluence of poor regulations has led you to being stuck with Comcast, the least you can do for yourself is get your own DOCSIS modem and routers and access points that you control.
What is the escalation path for replacing or removing the corrupt public utility commissions that allow these fraudulent and unethical monopolists to continue operating?
We have endless cases of Comcast and others criminally abusing their granted monopoly and the PUCs simply allowing them to run roughshod over consumers.
How do we fix it?
This reminds of an MIT-licensed library that was Vibe-coded and released three weeks ago. The source is available here: https://github.com/ruvnet/wifi-densepose
Thought I could integrate that into home assistant...till I got to the 78% GPU utilization part. Bit heavy for 24/7
Score one more point for the tinfoil hat crowd:
1. Black tape over our webcams to keep them from watching us.
2. Cardboard over our windows to keep laser microphones from hearing us.
3. RFID blocking wallets to keep our money safe from them.
4. WiFi motion detectors watching our every move in our own home. <---You are here.--->
5. Aluminum underwear keeping our private parts from being scanned into AI at airports.
6. Tinfoil hats protecting our thoughts.
I worked in a nascent water tech space recently involving an IOT water flow sensing device installed on a main water line. I worked extensively on detection models capable of distinguishing water fixture use during simultaneous usage scenarios. When your full time job involves a niche domain such as this, a whole new world begins to reveal itself. You can distinguish people based on their patterns of fixture usage. You can determine how many people are living in a residence. You can determine hygiene habits of each person. There's a lot more to these smart home devices than what meets the eye. You thought the sensor was good for just detecting leaks and approximately breaking down water consumption? Think again.
This device alone is capable of doing a lot, but when combined with other sensing devices such as a WIFI motion detection system, you can create a system where the whole is greater than the sum of the parts. First, you may not even need to monitor water flow now because detecting a person in the bathroom, moving about, is sufficient to detect toilet usage followed by hand-wash, and shower usage. You will know duration of each. You may be able to distinguish people in a residence, which means you'll learn who did what throughout a household.
Right about now you may be wondering who would ever want to know this kind of stuff? Who cares if you just used the toilet and didn't wash your hands? Who cares if you frequently use the toilet, or wash your hands excessively, or frequently and excessively wash your hands throughout the day? What if you are a landlord with a tenant leasing agreement stipulating no one other than the listed members on the contract shall occupy the residence without permission of the landlord (with exceptions, of course).
Thanks for sharing this. Check out this other comment on this page to see what one company says they can do (health baselining etc)
One more reason not to use an ISP router, although in this case most of us are at minimum carrying around GPS homing beacons in our pocket so the carriers already know where we are.
And now we also know the reason why they give away unlimited data for free when you use their router, but not when you want to use your own router.
I can turn off the WiFi on my ISPs (Cox) router. I just have it port-forward everything into my own wifi-router where I manage it from there.
Is Xfinity licensing Wifi Motion™ from Cognitive Systems?[0]
"WiFi Motion, Cognitive’s Wi-Fi Sensing solution, is an innovative software platform that leverages AI and sophisticated algorithms to transform existing Wi-Fi signals into a motion sensing network."
Another company operating in this space is Origin Wireless. They demonstrated breathing detection with WiFi in 2017[1]. They've since partnered with ISPs to offer a WiFi Sensing "TruShield" home security service.[2]
[0]https://www.cognitivesystems.com/
[1]https://www.engadget.com/2017-10-09-origin-wireless-motion-d...
Linksys has offered similar functionality (“Linksys Aware”) since 2019.
https://www.theverge.com/2019/10/8/20905223/linksys-aware-me...
Next step it will just be a feature they offer and whether you know of it, use it, or want it, it'll always be on in the background due to you signing a terms of service that lets them. And then it'll not just be in a xfinity router but your tv, phone, etc. Just makes me want to live in a cabin in the woods.
Worth mentioning that unlike some ISPS Xfinity does let you use your own DOCSIS modems, which is the ideal way of using an ISP. ISP provided gateway's WIFI is not ideal for privacy, security and performance.
Comcast in general has a long history of snooping around and messing with users' traffic. Not that the alternatives are much better. Regular folks are screwed on this matter.
But perhaps for HNers setting up your own trusted WIFI AP and routing it (and all other traffic) through an internet gateway that routes your traffic over a secure channel (whatever that is for you, Tor, VPN services, VPN over your own cloud/vps,etc..) is ideal. It goes without saying, your DNS traffic should also not be visible to the ISPs.
Keep in mind that they sell all this data (including the motion data) not just to law enforcement but to arbitrary well-paying data brokers and other clients.
I'm sure people will want to make it seem like Comcast is doing something evil here, but they're not:
> Comcast does not monitor the motion and/or notifications generated by the service.
> This feature is currently only available for select Xfinity Internet customers as part of an early access preview.
> WiFi Motion is off by default.
Features like this at Comcast are typically one or two engineers on a random team coming up with a cool idea, testing it out, and if it works, they ask if they can roll it out en-masse. If it's just a software or server/backend thing and it doesn't have any negative impact, it gets accepted. Despite their terrible customer service and business practices, they do some cool stuff sometimes. They also release a fair bit of home-grown stuff as open source, which is expensive and time-consuming, but [they hope] it attracts engineers.
> does not monitor motion
This doesn't mean that they can't monitor motion (e.g. as compelled via NSL). This product sorely needs E2EE.
It's all well and good until the MBAs get a hold of it... Technology doesn't exist in a vacuum.
Could I sufficiently foil their mechanism here by not connecting any WiFi devices to their access point and then wrapping their access point with foil? Or would you need to take it all the way and put the device in a faraday cage? I’ve always wanted to build one but never had the motivation. Maybe this will be the impetus I need to finally make one! Like others have stated I use the ISP provided hardware to get around the data cap. But connect nothing to it other than my own router.
If it is what I think it is -> I worked on it at Technicolor.
The tech is very cool, the initial pitch was to fine tune wifi performance to get the best bandwidth\coverage ratio for a particular customer. But indeed, during testing we quickly discovered that we can map apartments and houses to some extent. You knew when someone was on the toilet for example.
Up next - Comcast will pause ads when it detects that you've walked into the kitchen - or raise the volume. Advertisers can pay extra for this feature.
Funny, Xfinity has been spamming me for months now trying to get me to get off my own hardware and onto theirs. Promising me vague "speed improvements" (and of course without ever bothering to provide a single piece of data about how/why speed would be improved, or by how much). No, no I don't think I will.
Soon ICE will have given Comcast enough money to provide a live feed of the neighborhoods they are targeting and where all the bodies are that match the height of their targets.
We need to be finding the xfinity wifi hotspots in our neighborhoods, knock on doors, and help people understand the risks they are creating for themselves and their neighbors and how to setup their own routers.
Can't help but imagine a reality where this is widespread and people resort to installing radio reflective curtains/decorations that freely move with slight ambient air currents in an effort to scramble the reflections and make it as hard as they can to measure.
Something like a belly dance belt around the router could also work.
Other options:
- Shielded rooms + wired networking
- Shielded rooms + Li-Fi (wireless with light instead of radio)
I really wish Xfinity focused on providing a reliable service instead of building out next gen surveillance machines
> WiFi Motion will function only in areas of your home where you have strong WiFi signals traveling between your gateway and your WiFi-connected devices, and Comcast does not guarantee or warrant performance.
It is clearly just monitoring RSSI and everybody's acting like this is some spooky radar based technology.
How long is it before a starlink has this capability. Maybe a stretch, but also inevitable. I think about the fact that there are probably many uses of starlink that don't involve a consumer login, they just provide ubiquitous surveillance wherever.
Might be useful for people to investigate hardware mods that disable WiFi on their newer gateways. I have an XB3, but motion detection requires an XB7/XB8: https://news.ycombinator.com/item?id=43527521
Can anyone recommend a worthwhile setup for me? I am interested in switching my setup on Cox. It seems the Arris S33 plus Unifi Dream Router is one of my best options for good speed and features like ad blocking and VLAN? Best to buy direct from the manufacture or is Amazon ok?
People really like the Arris S33 and the motorola... god I think it's the SB8200? something like that.
I treat the ISP-provided gateway as a part of the internet, I don't use its WiFi and don't attach other devices to it which are not my own router or a honeypot. The subnet the gateway resides in is like a moat surrounding a castle.
On one hand, cool. On the other hand, why? This doesn't seem terribly accurate or insightful. A security camera is cheaper and has a better sensor and logic for detecting motion.
Myself and my buddies worked on it. This might sound ripe with "conspiracy". I know how it's going to sound. Take it for what you will. Initially wanting to know things like, whose in what room, how many people, and what your actively doing, who you socialize with most etc. Been working on this since they bought Skydog/Powercloud. Purposely "helped" design the spec for wifi since Wifi 5 or earlier. How do we get more sensor devices into the home? Build an IoT line of business and make wifi "better". Imagine seeing the the entire USA on a map (comcast "national watchtower" tool), and then seeing what each router can "see", including those xfinity hotspots. One, giant, signal map of devices with tagged metadata such as a percentage associated to "who" owns the device, what the device is, and what apps you have installed, which you are using at this current moment, any health and biometric data in case grandma fell over and can't get up. There is always a hidden SSID transmitting. p0f is nicely preinstalled on the wifi router cpe. Now create the standard firmware RDK for worldwide use purchasing cable/tv networks in other countries. (Sky, IoT companies in Italy). Now give them more ability, like to unlock your home "MyQ" (comcast ventures "investment"), why stop there, get into businesses such as taco bell with LoRaWAN. Add xfinity mobile for that extra juice of seeing all the little SIMS (game) characters on the (very real) map so you can recommend to them how to better schedule their life. It's all there. Now take that same map, and make it global. Attend the next SCTE conference and see it all for yourself. They're proud of it. I thought, I was too.
In a future Visible Social Network movie, through-wall sensing creators could livestream their own activity telemetry as a global public demo.
Everyone would follow suit, or would they? See the movie and find out!
People here claiming "stick the ISP modem in a microwave oven, put on a tin foil hat and use your own device" -- do you truly, 100% trust that nobody but you has access to said "own" device?
Are there any kits to place my comcast modem in a faraday cage?
Looking forward for Wifi singnal scrambling. I mean if we take things like Spectre seriously (I don't to a large degree), this would certainly qualify as well.
I recall years ago reading a research paper on WiFi signals being used to track people through wall using MIMO…then American Express investing in the technology and now this…
The race is on to find the cheapest/easiest decoy that can simulate such motion (because if everything is moving, then nothing is moving). A tube man in every corner?
The race is already on for biometric fingerprinting via WiFi Sensing, e.g. via heart rate.
Okay, so buy my own router and then put the ISP one in a metal box. Gotcha!
>WiFi Motion is not a home security service and is not professionally monitored.
That's funny because it does sound like they suggest it be used as such.
Given that your ISP is monitoring your DNS, is wifi motion (usage is probably as valuable) really that bad?
I did this a decade ago. We can detect your breath rate. It's far more sensitive with modern units.
3 cat feeders(small dispensers) 3 different recurring times, 3 cats = never a dull moment for the FBI on watch...
Great, I always wanted to
- be able to spy on my neighbors
- add more surveillance systems into my house
- have my neighbors be able to spy on me through my walls
15 years of research and 5 years of HN discussion. It can always get worse, https://news.ycombinator.com/item?id=29901979
We could use terahertz spectrum to detect specific molecules and in turn use terahertz frequencies and radios as a way to track specific ingredients in food or pollutants in the air
Engineers both create the tools for utopia and the tools for autocracy.
It's the same tool much of the time, including here. Utopia is getting a warning there is an intruder in your residence before you walk in, or better deterring that from happening. Autocracy is the government tracking you in your house.
I agree, but the reason I'm less convinced this is in that gray zone is because, frankly, break-ins are relatively rare. In general, crime is highly localized. So while I'm sure it is useful to some people, I'm quite suspicious that it is not helpful for most people. Maybe gives them peace of mind, but that peace of mind can increase paranoia. We'll just have to see the rates of false positives to false negatives...
But I do see this as an extremely useful tool for autocrats, hackers, and abusive relationships. I'm willing to bet that this is used by these malicious actors far more than your average user gets a true positive detection. And we really should be clear, the danger is far more than autocrats.
>WiFi Motion is off by default
I have Xfinity as a backup isp. Bye bye!
Does wrapping their modem in foil work at defeating this thing in any meaningful way? I have my own router.
ISP routers should have an admin option to disable WiFi.
Grounded fine copper mesh can attenuate RF and maintain cooling.
I always turn off every feature on every router I don't own and use it in pass through mode.
Xfinity is the worst service I'd ever used.
I'm boring. I want a pipe, like a water pipe for data, and I'll do the rest. This makes them actively combative.
Ignoring the whole TV/landline stuff they keep pushing as that's too easy a target, they are actively hostile about just using internet.
It was way cheaper to use their modem. About $15/mo. Why? Because they want a huge hotspot network in every house. They swear it won't affect speed, but as I never got close to advertised speeds, I didn't believe that. They also act as their 'cell network' that they try to push, and basically call you an idiot for declining. In fairness their cell network is pretty cheap, but I'm just not interested.
I chose to pay more to use my own modem, and they absolutely hounded me, stopping just short of calling me stupid about once a month. Maybe it was commissioned sales people searching for people like me as a given, and getting mad when I rebuffed.
And let's not even talk about data caps. Which, by the way, using their modem exempted you. Why? I naively assume because they can't differentiate hotspot data from yours. Maybe I'm wrong.
The whole service is dystopian. I moved since luckily to a rural, middle of nowhere area that does their own fiber. It has zero of those issues, and costs about half as much for twice the speed. It makes you realize how scummy they really are.
Not with the ancient barely working WRT54G that comcast keeps nagging me to replace!
Note that according to the website: "WiFi Motion is off by default."
Reason #293674 to always use your own router and modem as often as possible
Reason 732 why I would never use the network gear provided by an ISP.
Just get your own router and don't use ISP provided router.
>tape a smartphone to your roomba
>stream audiobooks
>leave house, commit crime
Yeah, disable that wifi on an device not controlled by you
If they make the firmware there's no guarantee they aren't still doing it just without a broadcast SSID going along with it.
so is this just looking at the SNR for any given connected device and looking for sudden dramatic changes in it?
It’s creepy there is an Exclude Small Pets mode.
One more reason yet to have my own modem.
Can you block this with a pihole?
I had a conspiracy theorist tell me one time this is why they removed all the lead paint. It never quite made sense that kids were actually eating lead chips.
I know lead is bad for you, maybe a coincidence.
Even old lead paint didn't have a lot of lead in it. A thin layer of lead paint with <1% lead does nearly nothing for WiFi signals.
We use lead for shielding ionizing radiation like gamma rays, but even that uses a lot more lead than you'd find in paint.
Not all "radiation" is the same thing.
There is a pattern called 'Pica' where kids gnaw on stuff, windows, ledges etc https://en.wikipedia.org/wiki/Pica_(disorder)
Apart from what the sibling poster said about lead (II acetate) having a sweet taste, little kids will put literally anything in their mouths. You ain't lived till you had to get dog shit out of a baby's mouth.
>It never quite made sense that kids were actually eating lead chips
You know that lead tastes sweet, right?
is ther an adblock for https ? can we do subdomain https ad blocking ?
...and promising to give it to cops.
Turn that thing off.
holy shit we live in a matrix
Yet another reason to refuse to rent their modem or router.
[dead]