Some thoughts on the Seattle police's surveillance mesh network.
Antarctica Starts Here. 2013-12-20
Summary:
In the past day or two an interesting piece of news has been making the rounds. Earlier this year the police department of the city of Seattle, Washington set up its own wireless mesh network, which many people are saying is for the purpose of keeping people under surveillance. The hardware was purchased from Aruba Networks; it is unknown whether the company set up the gear or another outfit was contracted for installation and maintenance. Each of the nodes is apparently broadcasting frames containing ESSIDs that reflect its location (such as 4th Avenue and Union Street), which is probably why some people noticed in the first place. The nodes are undoubtedly handling more traffic, but without packet captures there's no way of knowing (hint hint, cough cough). The Seattle PD isn't saying much, so all we have to go on is a handful of facts, knowledge of how wireless networks work, and, I'm sorry to say, a lot of ill-informed rumors. Let's try to sort things out as best we can.
The first logical question to ask is, why use wi-fi? The best hypothesis I can come up with is that police may not be able to gain access to cellular records in what they consider a timely fashion. It is well known and understood that cellular providers track the IMEI of every cellphone that pings each tower on the cellular network, and at what time, and that information can be handed over to law enforcement (and other) agencies without warning. Cell companies maintain detailed inventories of their gear, maps of where every cellular tower is, and what cellular nodes are positioned where on them. Log a certain IMEI on a certain transceiver on a certain tower and you know roughly where that device is. Log the same IMEI on several transceivers on several towers and you can figure out where the device is in a lot more detail. Analyze the pattern that IMEI makes and you can plot the device's trajectory on a map. However, that often means hitting up several cellular providers at the same time and hoping that they all respond fast enough for police to find someone. That probably isn't the case. Wi-fi gear is much less expensive than cellular equipment (even if it was technically paid for by DHS and not the city of Seattle per se) and requires less bureaucratic overhead (such as FCC licensing) to deploy.
In case you're curious, here are a few ways you can find out the IMEI on your mobile device.
It seems plausible to state that this network could be used, in part at least, to track people based upon the locations of their mobile devices. Smartphones, tablets, and MP3 players which are wireless-enabled will, if they are not powered down and wireless is not disabled, periodically probe for the presence of wireless networks they've been a part of in the past by sending association frames in the hope that the access point is still out there and will respond. Those association frames contain, among other things, the MAC address of the wireless chipset in the device, the ESSID of the access point, the supported data rates of the chipset, and any additional capabilities of the device (which may be sufficiently unique to help fingerprint a device, and later the device's owner). While this leaks some potentially identifiable data (like the name of your network at home), it could just as easily broadcast the network name of any of the bazillion Starbucks franchises undoubtedly squatting on corners in Seattle like mushrooms after a summer rain ('attwifi', if you care). It is possible that apps installed on or semipermanently baked into the firmware of your device may broadcast additional identifying data, but without a packet capture there really isn't any way of knowing.
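To make the list of leaked fields concrete, here is an added example (not from the original post) that parses a constructed probing frame, which 802.11 calls a probe request (management subtype 4), and pulls out the MAC address, ESSID, supported rates, and a hash of the remaining capability elements. The sample MAC address, the second network name, and the use of a hash as the fingerprint are assumptions made for illustration.

```python
import hashlib
import struct

PROBE_REQUEST = (0, 4)  # 802.11 (type, subtype): management / probe request
SAMPLE_MAC = bytes.fromhex("020000000001")  # constructed, not a real device

def build_sample(mac: bytes, ssid: bytes) -> bytes:
    """Constructed sample frame: 24-byte header + tagged elements, no radiotap/FCS."""
    bcast = b"\xff" * 6
    header = struct.pack("<HH6s6s6sH", 0x0040, 0, bcast, mac, bcast, 0x0010)
    ies = bytes([0, len(ssid)]) + ssid              # tag 0: ESSID being probed for
    ies += bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])    # tag 1: supported rates
    ies += bytes([50, 4, 0x0C, 0x12, 0x18, 0x24])   # tag 50: extended supported rates
    return header + ies

def parse_probe_request(frame: bytes) -> dict:
    """Return the fields a passive listener can read from one probe request."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    fc = frame[0]
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != PROBE_REQUEST:
        raise ValueError("not a probe request")
    out = {"mac": frame[10:16].hex(":"), "ssid": None, "rates_mbps": []}
    caps = hashlib.sha256()  # illustrative fingerprint over non-ESSID elements
    pos = 24
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if tag == 0:
            out["ssid"] = value.decode("utf-8", "replace")
        else:
            if tag in (1, 50):  # rate bytes are in 500 kbit/s units, top bit = basic
                out["rates_mbps"] += [(b & 0x7F) / 2 for b in value]
            caps.update(bytes([tag, length]) + value)
        pos += 2 + length
    if pos != len(frame):
        raise ValueError("dangling byte after last information element")
    out["fingerprint"] = caps.hexdigest()[:16]
    return out

if __name__ == "__main__":
    for ssid in (b"attwifi", b"home-network"):  # second name is constructed
        print(parse_probe_request(build_sample(SAMPLE_MAC, ssid)))
```

The fingerprint comes out the same for both network names because it covers only the capability elements, which is how capabilities alone can help single out a device.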
As an aside, MAC addresses are not globally unique. You can bet your goldfish that at least ten other people on the planet have wireless devices that have the same MAC address. However, there are 2^48 possible MAC addresses, which is a big but finite number, and it is statistically unlikely that