I can’t really care about obscure Bluetooth tracking when every business has CCTV doing facial recognition.
Here in Holland we must even have a mobile phone module in every car so it can call the emergencies in case of a crash.
That's one of the funniest things about wardriving with Wigle on your phone. I can often see the SSID of "Jennifer's Equinox", "Jacks Suburban" right after I get cut off by someone in said vehicle. The vast majority of car bluetooth/wifi I see tends to have varying amounts of identifying information. It's almost as bad as the fact that Apple still defaults to Jacks iPhone/iPad etc with no option to rename the device until you've finished setting it up.
Companies are not out to protect us with default settings and the majority of users need to wake up to this fact.
I am not without sin when it comes to driving a car.
It can be done, relatively easily.
In the EU this is forbidden unless they explicitly ask your permission. They can still gather aggregate stats but they cannot build a profile on you.
Even the airports here track everyone. They say it's for public safety but I'm sure they use it for market analysis for their expensive sandwich shops too.
They do but most phones rotate the MAC address these days. So while they can still track you through the store (sadly) they don't have the ability to track your recurring visits.
I wish phones had the option to constantly spam broadcasts with random MAC ids. That would make the practice useless.
I used it in train stations, and get hits when passing highways via train or bus. Esp. fun if you stand still due to traffic lights or traffic jam, since you can try to get a visual.
The only lesson to be learned here is that it allowed one to learn in 2019 Musk is overrated. But you can also learn that lesson from the book The PayPal Wars which predates this by 15 years.
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
Not allowed in EU.
I'm surprised, I know for a fact that some stores definitely have the ability to do that on their hardware.
You could also read the numberplate directly with OpenALPR. It can be finicky to set up a camera to do this reliably in all conditions (particularly at night and high speed) but once done you could detect any car passing, not just ones with wifi access points.
When the law requires us to have numberplates, I think this just has to be considered public information for anyone who is nearby or can leave a camera nearby. It's not ideal to leak it in additional forms that might be easier for people to grab (say, with an ESP32), but it's a matter of degree rather than of kind.
But yeah, I'm with you on some of these others, particularly the medical devices. That's not great.
I definitely don't approve of mass collection across many cameras, accessible to who-knows-who with minimal if any privacy controls (Flock). But it wouldn't surprise or bother me if my next-door neighbor had ALPR enabled, as long as it's not part of that cloud. YMMV.
Full disclosure: I develop an open source home/hobbyist-oriented NVR, although it doesn't have an ALPR feature or any other analytics today.
I like that a lot, brother, thank you!
Yes, I remember Cisco had a product like this all the way back in 2011. They could pinpoint a customer to an exact position inside a store using triangulation, they would know which shelf you spent time in front of etc. In the 15 years since then, I expect the technology is much scarier and intrusive.
Ever been in an Apple store? Look up. In the dark voids between the edge-to-edge backlit ceiling. There are secrets there. Watching you.
Edit: iOS
Definitely not the most obvious location. I would have expected to find this under the bluetooth settings.
Apple reconnects to known devices and networks at 5am:
https://support.apple.com/en-us/102412
Bluetooth and Wi-Fi Aren't Fully Disabled When Off in iOS 11 Control Center
https://news.ycombinator.com/item?id=15297387 (2017, 143 comments)
I have a "store mode" button that just kills wifi/bt that I hit before I go into any store.
There is also a Bluetooth shutoff app on F-Droid.
https://f-droid.org/en/packages/com.mystro256.autooffbluetoo...
I have also put an Airtag clone in my car (Loshall in iOS mode). That is probably leaking my arrival times. My water meter is also now bluetooth.
Many places do this. The department stores in the mall, Target, even grocery stores do it.
I mean yes, said medical devices are a whole lot less useful to me if they are not transmitting data. For some of this stuff you can't have your cake and eat it too.
What bothers me more is that my sex toys broadcast on Bluetooth even when I'm using them through WiFi. It even says the brand in the device name.
Not that I give a fuck what the neighbours think but it's just none of their business. And some toys are for discreet outdoor use too. Though that's not my thing.
In the past I renamed one of my phones to "Lovense Hush" to troll, though I've never seen anyone looking suspiciously. I guess most people aren't creeps like me who check stuff like that :)
Please don’t conflate these two. I have lots of BLE wearables and other sensors. They only send data to my own computer which I control, unlike IoT devices which by definition send to a third party on the Internet. To me it is far more important to protect against strangers on the Internet versus someone wardriving the neighborhood.
On a related note, did you know that the EU has a Radio Equipment Directive (RED 2014/53/EU) that came into effect in 2025? It all but guarantees that such Bluetooth communication will be encrypted.
That's perhaps technically correct, but a naive interpretation of the risk. I don't need to see the data your BLE devices are sending you, all I need is traffic analysis and metadata from the signals they are broadcasting - and they broadcast that to anyone within detection range which includes attackers with much higher gain antennas than you who can likely pick up those broadcasts at ten times the distance any of your devices will communicate at.
"Flying helicopters low and slow over the Tucson desert in Arizona, the FBI has been using "signal sniffers" to try to locate Nancy Guthrie's pacemaker.
As the search for the 84-year-old mother of US Today show anchor Savannah Guthrie entered its third week, investigators took to the sky with advanced bluetooth technology.
They were hoping to pick up signals emitted from the device implanted in Ms Guthrie's chest to help trace her whereabouts, US media outlets NewsNation and Fox News reported."
https://www.abc.net.au/news/2026-02-16/nancy-guthrie-pacemak...
Let's suppose we have a pacemaker, and it has data that is beneficial to read -- maybe even in real-time on their pocket computer, or opportunistically as the patient walks by their reader-device, or however that is done.
So we want this data, and we want it over RF. It probably seems obvious that it should only transmit when it is told to do so, right?
So how do we tell the pacemaker to transmit? On its face, that problem seems solved by integrating a receiver that sits and waits for a valid instruction.
Except: That receiver takes power to run. And since changing batteries inside of a person is problematic, we want them to last as long as they can while still performing the desired task.
Now we get to the not-obvious part: In terms of power, it's often less costly to intermittently transmit a string of data than to continuously operate a radio receiver. And maybe it's a bad idea to have an implanted pacemaker that has an open receiver for anything nearby to try to fuck with, anyway.
But a transmit-only radio? Good luck hacking that.
So... we do intermittent transmission, and this works for pacemakers. It also works for the cheap Zigbee thermometer I have (wherein I don't normally request the temperature; it just delivers it periodically, and it runs for years and years on a coin cell).
(Now: Should that pacemaker data be encrypted? Yes, of course. And so should the ID. In fact, the whole transmission should be indistinguishable from background noise by unrelated devices. In this way, authorized devices can then use pre-shared keys to receive and decode these messages and others receive nothing. That kind of cuts BLE and thus also the pocket computer out of the monitoring mix, but tradeoffs are tradeoffs.)
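The design sketched in the comment above (a transmit-only device whose ID and data are both encrypted under a pre-shared key, so only an authorized receiver can decode a frame), as an added example that is not part of the original thread. It models the payload only, not the radio layer; HMAC-SHA256 in counter mode stands in for a real AEAD cipher, and the frame layout, field sizes and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN, BODY_LEN = 12, 8, 10  # assumed sizes, not from any standard

def _subkeys(psk: bytes):
    # Separate encryption and authentication keys, both derived from the PSK.
    return (hmac.new(psk, b"enc", hashlib.sha256).digest(),
            hmac.new(psk, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256, counter mode); use a real AEAD in practice.
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:n]

def build_frame(psk, device_id, counter, reading, nonce=None):
    """Transmit side: device ID, counter and reading all sit inside the ciphertext."""
    nonce = nonce or os.urandom(NONCE_LEN)  # fresh per frame, so frames do not link
    enc_key, mac_key = _subkeys(psk)
    plain = struct.pack(">IIH", device_id, counter, reading)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + cipher + tag

def open_frame(psk, frame, last_counter=-1):
    """Receive side: returns (device_id, counter, reading), or None if rejected."""
    if len(frame) != NONCE_LEN + BODY_LEN + TAG_LEN:
        return None
    nonce, cipher, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    enc_key, mac_key = _subkeys(psk)
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or modified frame: nothing is decoded
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    device_id, counter, reading = struct.unpack(">IIH", plain)
    if counter <= last_counter:
        return None  # replayed or stale frame
    return device_id, counter, reading
```

Because the nonce is random and the ID is inside the ciphertext, two frames from the same device share no stable bytes; a receiver without the key cannot tell them apart from frames of any other device using the same layout.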