Are we all handing to Google the SSID of our home routers?

Yep. The SSID is a broadcast and assumed to be publicly available. If this bothers you, one solution is to hide among the multitudes and name your SSID as DEFAULT, LINKSYS, BELKIN, or a variety of other common names. The problem here is that what Google and similar snoopy companies really want is your wireless routers MAC address, so that it can distinguish between the multitude of nearly identical SSID's. While MAC addresses are assumed to be unique, there are plenty of counterfeits and contrived MAC addresses. However, the combination of MAC address and SSID is probably unique[1].

Turn off your wireless access point when you're not using it. Hiding the SSID does nothing useful as it can extracted from the management packets. However, if you're really really really paranoid, I recommend an expect web script, that logs into your wireless router, changes the SSID at regular intervals. Here's a starting list: This should thoroughly confuse Google. Unfortunately, it will also confuse users of your Wi-Fi router, but sacrifices must be made in the pursuit of anonymity[2].

[1] Except for one batch of cheap wi-fi access points I once bought that all had the same MAC address. This was long ago, and they have surely been recycled by now. [2] My home SSID is my home address. My office was the office address, but one of the other businesses in the building decided to use the same SSID, so I changed it to something obscure. Most of my customers have either the owner name, company name, or address as the SSID. If there's a problem I want them to be found.
Reply to
Jeff Liebermann
Loading thread data ...

And you can count them slurping the passwords from the data stream during your phone backups to Google servers, too (if enabled).

-sw

Reply to
Sqwertz

I'm reading your helpful links, but I'm soooo very confused.

I have Android 4.3 that otherwise helpful page assumes you log into something called a "Google Account", which, to my knowledge, I don't even do. I don't log into anything that I don't have to.

On purpose, the only "Google Account" action that I do is I have to *define* one, just so that I can download from Google Play. But that's it for me. I don't "sign in" to my knowledge, to any Google Account.

Does that mean that "I" don't send Google "my" SSIDs? (I'm so confused.)

Reply to
Alice J.

This *seemed* like a good idea, but when I tried to log in from my laptop into my Android Google Play account, it wouldn't let me.

I had the login and password correct, but Google insisted on gathering

*more* data about me, before it would let me in anywhere!

formatting link

What's ridiculous is that this says "verify it's you", whereas I could give it *any* phone number, and it would verify it.

So, it's not actually doing what they purport it to be doing. It's just gathering *more* data about me, which I don't feel like giving it.

Reply to
Alice J.

Since I have "sync" turned off, and all my "location info" turned off, does Google *still* get my SSID and passwords?

Reply to
Alice J.

The BSSID is the router MAC address, is that correct? If so, does changing the MAC address of the router (via the clone function, or via manual modification) work to "confuse" the Google servers?

I wouldn't mind periodically changing the MAC address that Google sees of my router if that will work.

Will that work?

Reply to
Alice J.

Just as a related note...

I periodically wipe out my Google account on my phone, making up a new one such as snipped-for-privacy@gmail.com, which Google gives me as long as it's unique.

I have noticed, thankfully, that NOTHING is lost when I wipe out the google account. (I don't buy anything with a phone so there is no way I could have paid for any apps, by design.)

Reply to
Alice J.

I like this idea, but it has the hazard that your SSID will be in all the rainbow tables.

If I pick a really good passphrase (assuming it's not in the rainbow tables already), would that work?

I use MAC Cloning anyway on my router. I realize the router has a bunch of different MAC addresses, so, may I ask if the MAC address that we typically clone for the cable company is the same MAC address that Google 'sees'?

If the one MAC address that we can change on the router happens to be the same MAC address that Google sees, would a viable solution be for all of us to stick together and use the following:

SSID = DEFAULT MAC = DE:AD:BE:EF:CA:FE Passphrase = It's imperative to make it as unique as you possibly can!

Seriously, I ask this (I'm not joking).

If we all used the same SSID and the same MAC on our home routers, and if we ensured that our passphrases were as powerful as we can make them (because we're in the rainbow tables otherwise), would that work to foil google?

Reply to
Alice J.

It should.

You seem to think you have an account that is /just/ a Google Play account, it isn't; it's a full blown Google account with the ability to do gmail, location history tracking, google+, uploading videos and commenting on youtube, editing spreadsheets and documents, syncing calendars and to-do lists, etc, etc ... you just happen to not be using those parts of it.

Reply to
Andy Burns

Yes, from your neighbour's android devices, and from google's streetcars, which both report visible SSIDs along with GPS location data.

No.

Reply to
Andy Burns

I think that means that you used a Google account you already had, or created a new one, when you set up your Android device - and that you have forgotten or never noticed the user-name and password that you must have used in order to create or access that account. You can use your device without knowing the user-name and password of the Google account; you only need those if you want to make changes to that account (such as add or remove an Android device from it).

Reply to
Whiskers

If you give that page some made-up mobile phone number, then Google will send the automatic 'verify you are you' message to that number. So you won't see it but someone else might; if they ignore it then Google will automatically deduce that you don't have access to that mobile phone number and thus that you aren't you. If that person for whatever reason tries to respond to the message by following the instructions, they'll come up against the user-name and password that you know but they don't and you still won't get into your account but neither will the innocent stranger you inflicted.

Google might be trying to contact you using the email address you associated with your Google account; probably a gmail address. You'll need the matching user-name and password to access it of course.

Reply to
Whiskers

When you connect to a hotspot, your device only has to identify itself; it passes on no information at all about any other WiFi access points it may have encountered or accessed in the past.

However when searching for something to connect with, your mobile phone (like any other WiFi device) will send out signals asking for access points it has previously connected with to respond; this is so that automatic connection can be established whenever you are within range of a known access point - but it also means that anyone listening in to the background WiFi traffic can get a list of [all?] the access points your device has accessed in the past, which does to some extent identify 'you'. Which is why it's a good idea to switch off your device's WiFi unless you're actually using it (that and extending battery life).

Reply to
Whiskers

You are close.

  1. I created a google account when I first set up the device.
  2. Then, over time, periodically I deleted them (once every few months).
  3. So I have a current Google account (just for Google Play).
  4. I know the password (because it's algorithmic, based on the account name).

As you said, I *never* seem to need the password ever again, so, I could just as well have forgotten it and it wouldn't matter. I just delete the account every few months anyway (for privacy purposes).

Since I never log into the account, and since my settings are to have sync and tracking and all that stuff turned off (as I showed before), does that mean that "I" don't send Google any SSIDs?

Reply to
Alice J.

I showed a screenshot. It wouldn't. It didn't like that I've never logged in, I guess, and that I suddenly logged in from the web, I guess (instead of from a phone).

There is no way around it. Google won't let me in without me giving them MORE information (which is a phone number).

That's kind'a funny. The account was created on a phone. But Google doesn't already know my phone number?

How can that be?

That may be the case, and probably is. But I don't even use it. The account is *only* there to allow me to download apps from Google Play. I delete it every few months anyway, so it wouldn't be worth using it for anything else.

Reply to
Alice J.

I understood that. Basically, Google won't let me in.

The *only* time the account was ever used was about a month ago when I created it (after having deleted the last account on January 1st).

Then, I have never logged in explicitly. I have all the sync stuff and login stuff on all Google apps turned off:

That includes stuff that automatically logs you in by default: Settings > Accounts > Google > Privacy > {Search, Location settings, Ads}

  1. Settings > Accounts > Google Account: snipped-for-privacy@gmail.com Accounts > Google > Privacy > Search > a. Google Account Signed out for Google Search, and no Google Now cards can be shown. b. Google location settings A. Access location: [unchecked] [Do not] Let Google apps use this device's location any time it is on. B. Google Location History = blank c. SafeSearch filter [unchecked]SafeSearch is not active d. Legal Web History = off Personal Results = off
  2. Settings > Accounts > Google > Privacy > Location settings > a. Location access for your phone is off. Google applications are unable to access your location because location access for the phone has been turned off. To turn it back on click below to go to Settings > Location Access b. Settings > More > Location services > Access to my location = [unchecked] c. Settings > More > Location services > Location sources > Use GPS statellites = [unchecked](and grayed out) Use wireless networks = [unchecked](and grayed out)
  3. Settings > Accounts > Google > Privacy > Ads > a. Ads: Reset advertising ID (click it to reset) b. Opt out of interest-based ads (check it to opt out) c. Ads by Google (clicking it will pop up a browser session)
    formatting link
    (x) [where (x) is a huge encrypted mess of characters]

Did I miss anything to log out of?

Reply to
Alice J.

I was afraid of that. My stoooooopid neighbors threw me under the bus!

What can we do in that case to get OUT of Google's system?

  1. Add _nomap to the end of the SSID
Reply to
Alice J.

You seem to understand where I was going.

So here's my two part technical question:

Part 1: I already know that if you hide your SSID at home, then your mobile device must scream out that SSID in order to connect, which the mobile device will do, to your detriment, at a local hotspot.

Part 2: What you just said though, is that it will scream out *all* your recent connections, and you didn't mention whether or not it will do that irrespective of whether those prior connections were broadcast hidden.

Can you (or someone) clarify, as this is an IMPORTANT POINT!

Reply to
Alice J.

Just because google.com honours the _nomap suffix, who's to say whether wigle.net, mozilla.org, locationapi.org, combain.com et al. do?

what about people who *like* to use WiFi geolocation, and don't mind contributing their own location as the "price" of using everyone else's?

Reply to
Andy Burns

So it is writ by Alice J. , so mote it be.

I'd like to know if appending "_nomap" to the SSID would do anything more than lengthen the SSID. Is this supposed to be honored by everyone? That never worked for X-No-Archive. Besides which, the SSID is no more of a security breach than the number on the mailbox at the end of your driveway.

No, MACs should be globally unique. Spoofing a computers MAC by the router it is connected to might not cause a collision, but if everyone reported the same MAC there would be nothing but collisions and hilarity would ensue.

As for the pass-phrase, yes it should be at least as strong as needed in every case where a pass-phrase/password is used.

Mike "an algorithm applied to the id isn't strong" Yetto

Reply to
Mike Yetto

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.