Xfinity using WiFi signals in your house to detect motion

Posted by bearsyankees 11 hours ago

Xfinity using WiFi signals in your house to detect motion(www.xfinity.com)

494 points | 326 comments

jacobgkau 9 hours ago|

> Subject to applicable law, Comcast may disclose information generated by your WiFi Motion to third parties without further notice to you in connection with any law enforcement investigation or proceeding, any dispute to which Comcast is a party, or pursuant to a court order or subpoena.

Sounds like, at least in some limited circumstances (using the provided WiFi AP, having this feature turned on, etc), ISPs are going to be able to tell law enforcement/courts whether anyone was home at a certain time or not.

josho 9 hours ago||

The solution here shouldn't be technical; it should be legal.

If we rely on the technical path, Comcast can achieve the same by how many active IPv6 addresses are in use. Even if you aren't using your phone, the device is going to be constantly pinging services like email, and your ISP can use that to piece together how many people are at home.

If we rely on legal protection, then not only Comcast, but all ISPs will be prohibited from spying on their customers. Ideally the legislation would be more broad and stop other forms of commercial/government surveillance, but I can't imagine a world where Congress could actually achieve something that widely helpful for regular citizens.

dcow 3 hours ago|||

We suffer from a problem that engineers want nothing to do with politics. I 1000% agree we need a digital bill of rights. It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it. For my protection -_-

I want privacy codified in human law. I didn't vote for standards bodies to pave the road to hell by removing every goddamned persistent handle we can find from existence. I didn't vote for the EU to reinvent an internet worse than popup ads by attacking the symptoms not the cause. I would rather have the internet of the 2000s back in a heartbeat than keep putting up with shitty “technical solutions” to corporations having too much power at scale. I don’t care if people break the law: prosecute them when they do and make the punishments enough to deter future law breakers.

There is absolutely something civilized beyond a lawless advertising wild west where the technical solution is to all be masked Zorros.

Why is it that if someone said “we need a legal solution to gun violence” the people that say “no we need a technical solution all people should wear kevlar and carry 9mm pistols” are considered the lunatics but when we ask for a legal solution to rampant non-consensual tracking for the purpose of indoctrinating the consumer class with propaganda we all laugh and say bah the solution must be technical? I don’t get it.

jraph 1 hour ago|||

> It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it.

Do yourself a favor and enable the Cookie lists in uBlock Origin.

I'm personally grateful that a law requires my consent before tracking me. That means I should not be tracked without me saying OK without monetary risks.

dcow 38 minutes ago||

Setting a language preference cookie is not tracking and I will die on that hill. The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user. Collecting a crash report is not tracking a user. Even first party product analytics is not tracking a user.

Tracking a user across domains using a 3rd party aggregator to serve add and do attribution is the evil. And the EPD far overshoots the mark of specifically addressing that evil.

lloeki 1 hour ago||||

> I want privacy codified in human law

Article 12

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks

- Paris, 1948, Universal Declaration of Human Rights

dcow 45 minutes ago||

Which says nothing about a business profiling customers that walk through the door and selling its profiles to aggregators. It says nothing about requiring consent before soliciting individuals or subjecting them to psychologically manipulative advertisements. Etc. We need more.

xp84 19 minutes ago||||

I think I’m kind of on your side in general, but I have more of the opposite feeling about legal versus technical solutions. If we had no idiotic EU cookie laws, no “consent” bs required, a technical solution would be easy: default segmentation of cookies by what site you are actually visiting, plus all non-first-party ones silently expired after 60 minutes or whatever. It seems like this would be very easy, except for the fact that the number one ad network is also the only browser vendor that matters.

But the attempted legal solutions suffer from being inside the sandbox, meaning all the “cookie management” software is a pile of hacks that barely work, and rely on browsers, as you’ve noticed, to allow their cookies in the service of…limiting cookies. And of course they also suffer from the politicians who wrote them having no clue how any of this works. I suspect if they did, they’d see how dumb it is to regulate that 10,000,000 websites each implement a ton of logic to self-limit their cookies they set (hard to police, buggy) instead of telling 2-3 companies they have to make their browsers have more conservative defaults with how they keep and send cookies back. (easy to prove it’s working with testing).

dokyun 2 hours ago||||

https://www.i-dont-care-about-cookies.eu/

ddq 2 hours ago||||

Yep, you're right on the money. The correct course of action is for those of use who recognize this to cease arguing on the Internet with those who don't and connect with one another offline. We're in dire need of something akin to a 21st century Continental Congress.

grafmax 2 hours ago||||

The reason is our government and regulators are captured by business concerns which profit from our data. The government in turn views mass surveillance as a powerful tool for social control. Although there are many more people whose privacy is violated by these policies than benefit from them, the rich and powerful minority is more organized in its efforts and thus comes out ahead in the balance of power.

JumpCrisscross 1 hour ago||

> the rich and powerful minority is more organized

They show up. I've worked on privacy legislation at the state and local level. Barely anybody calls or writes in support. That means barely anybody would turn up to a contested primary election over it, or donate to a challenger, or organise the foregoing en masse. Contrast that with bread-and-butter or activist issues, where it's immediately clear there is political capital at the very least on the board.

citizenpaul 1 hour ago||

Or the people elected by other humans could... IDK do their job of representing the people rather than a handful of corporations.

The problem is what I said in other comnents here. This is the fabel of sodom and gomorrah in action. We have no people with any moral compass in charge.

brirec 2 hours ago||||

While I agree that we should have legal codes protecting our online and digital rights, I’m convinced that there are enough Bad People on the Internet that we do indeed still need strong technical protections as well.

reissbaker 3 hours ago||||

What law would you propose? I think the hard part is "Instagram and TikTok remain free-with-ads."

JoshTriplett 2 hours ago|||

Good riddance to everything supported by ads.

I genuinely wonder if people would wind up spending less money if they had to pay for services than if they get exposed to ads that lead them to buy more things. But either way, once ads and "free with ads" are gone, there's much more room for other competitors.

nerdsniper 2 hours ago|||

Would ads still be worth enough if they were targeted based on things like what you watch/read/follow/subscribe to on that platform and your general location?

Or can instagram only be free if ads are targeted to detailed profiles of individuals built over decades as they are tracked across the whole internet?

chronogram 2 hours ago||

The heavily profiled ads cost a lot more money for the advertiser to run compared to traditional ads, if those platforms turn to contextual ads they do not have their special expensive profiled ads product to sell anymore.

So it's not about the perceived effectiveness of advertisements that you feel as a user, it's about the rather more unique product that they sell to advertisers that really raises their revenue.

toss1 2 hours ago||||

>>We suffer from a problem that engineers want nothing to do with politics.

More on point, we suffer from a problem that far too many people of all walks of life want nothing to do with politics.

Plato made the most accurate point 2300 years ago: "The penalty for not being involved in politics is you will be ruled by your inferiors."

And, even though you may not be interested in politics, politics is ALWAYS interested in you.

dotancohen 1 hour ago||

It should be noted that Mein Kampf's first three chapters are pretty much a call for the common citizen to start becoming more interested - if not involved - in his local politics. I am of the opinion that this is the reason that the book was banned. The antisemitism in the book is far more restrained than I was expecting. But the call to hold politicians accountable to the people - that was a surprise.

scarface_74 2 hours ago||||

The problem is that the internet is international and laws are national or even by state.

There are 24 states that require ID to view porn sites. The laws are being completely ignored by popular websites that are not based in the US.

brookst 2 hours ago|||

Yep. And plenty of US sites ignore international laws about slandering Mohammad, and so on.

I’m not sure the lack of a global hegemony is a “problem”.

scarface_74 2 hours ago||

And another reason you don’t want laws governing the internet is that politicians are dumb. As soon as I heard about the laws I knew this was going to happen.

https://reason.com/2025/01/24/age-verification-laws-meet-vpn...

> ”Google searches for online tools like VPNs have surged in Florida after Pornhub, one of the world's largest adult websites, blocked access to users in the state," CBS News reported earlier this month. "Since the end of November, Google searches for VPNs have surged in the Florida, according to Google Trends. From the week of Dec. 22 - 28 to Dec. 29 - Jan. 4, searches nearly doubled. Since then, the numbers have gone even higher."

JumpCrisscross 1 hour ago|||

> The problem is that the internet is international and laws are national or even by state

How is the this a problem for ISPs coöperating with law enforcement?

idiotsecant 2 hours ago||||

What law do you think mandates those annoying cookie popups?

dcow 1 hour ago||

It would be nice if you could argue, “well, just be a good site and don’t use marketing cookies”, but the ePrivacy Directive requires consent for performance and preference cookies too. Perhaps a liberal reading arguably allows classification of certain statistics and preferences functions to be strictly necessary, like “I wouldn’t provide this service without crash reporting because I’d go insane so it’s strictly necessary”, but most lawyers would be ill before advising as much.

https://gdpr.eu/cookies/

zzo38computer 1 hour ago||

If cookies are only used for preferences functions, then I should expect that it should only require to mention the cookies in the preferences menu (I hope)? If they have a document to explain each cookie by name, then it would also be helpful, that you can enable/disable them individiaully (or make them read-only) by the browser settings. However, for some things such as languages there are other ways to do without using cookies, such as Accept-Language header for languages, although cookies could be used to override the Accept-Language header in case both are present in the request.

gxs 2 hours ago|||

I’ve been asked at work to build less than savory stuff, here are some general observations, none of which are admittedly an excuse:

* you get caught up in the moment, hell bent on solving the problem you don’t really think twice

* you don’t want to get that stink on you, you don’t want to be that guy that brings this type of stuff up

* you are mindful of the fact that you are being very well compensated to build it and you don’t want to lose your job

* you know it’s going to fall on deaf ears - maybe they will pay lip service, maybe they won’t but either way nothing will happen

* in the back of your mind you figure someone else is fighting the good fight

On and on, so many different things can go through your mind, who knows which it’ll be on any given day, on any given project

miki123211 2 hours ago||

And sometimes, you don't even know what the feature will even be used for.

Today it's an automatic subtitle generator for people with hearing difficulties. Tomorrow it'll be an AI training data generator. In a year, the NSA will re-purpose it into a mass surveillance tool.

gxs 53 minutes ago||

Exactly

Kind of crazy that I’m being downvoted for just expressing some basic, reasonable feelings

vasco 36 minutes ago||

Maybe you're finding they aren't so reasonable.

armchairhacker 7 hours ago||||

> The solution here shouldn't be technical; it should be legal.

I disagree. Solutions should be technical whenever possible, because in practice, laws tend to be abused and/or not enforced. Laws also need resources and cooperation to be enforced, and some laws are hard to enforce without creating backdoors or compromising other rights.

"ISPs will be prohibited from spying on their customers" doesn't mean ISPs won't spy on their customers.

transpute 6 hours ago|||

We need more funding for open-source WiFi Sensing counter-measures, e.g. EU research, https://ans.unibs.it/projects/csi-murder/

> this paper addressed passive attacks, where the attacker controls only a receiver, but exploits the normal Wi-Fi traffic. In this case, the only useful traffic for the attacker comes from transmitters that are perfectly fixed and whose position is well known and stable, so that the NN can be trained in advance, thus the obfuscator needs to be installed only in APs or similar ‘infrastructure’ devices. Active attacks, where the attacker controls both the transmitter and the receiver are another very interesting research area, where, however, privacy protection cannot be based on randomization at the transmitter.

https://github.com/ansresearch/csi-murder/

> The experimental results obtained in our laboratory show that the considered localization method (first proposed in an MSc thesis) works smoothly regardless of the environment, and that adding random information to the CSI mess up the localization, thus providing the community with a system that preserve location privacy and communication performance at the same time.

heavyset_go 4 hours ago||||

There is no technical solution for this unless you want to invest billions/trillions in building new computing and networking platforms created with privacy in mind.

ISPs will always have the ability to at least deduce whether a connection was used, the MAC address, and it there is WiFi, unfortunately whether people are physically present.

If we look at the roadmap for WiFi/phones/etc, they will soon gain the ability to map out your home, including objects, using consumer radios.

giantg2 4 hours ago||

"There is no technical solution for this"

This isn't really true. The easiest technical solution to the problem of ISPs using your wifi data is to simply use your own WiFi router which does not send the data to them.

newshackr 4 hours ago||

They can still deduce this from the traffic patterns.

giantg2 3 hours ago|||

They can map your home and motion with traffic patterns?

heavyset_go 2 hours ago||

The OP was also talking about deducing presence based on connections and traffic patterns, which using your own WiFi AP isn't going to mitigate.

idiotsecant 2 hours ago|||

So use a vpn.

mbreese 2 hours ago||

With a VPN, your ISP may not know where packets are going, but they can still see packets moving. So, unless your VPN is injecting dummy data to mask all patterns (possible, but not common), your ISP is going to have a good idea if someone is home or not.

mbreese 2 hours ago||||

You can’t solve social problems with technical solutions. Technical solutions won’t work without some kind of legal backing to force it.

lioeters 2 hours ago||

Sometimes mathematics and physics provide superior solutions than man-made laws. Encryption for example. It's better to make something impossible, than to have laws that are routinely ignored by law enforcement.

citizenpaul 51 minutes ago||||

It makes it much more difficult to be profitable if its illegal. This deters the majority of opportunists leaving only the dedicated criminals. And just like thief's people might understand why they steal no one sheds a tear when they go to prison.

dcow 4 hours ago||||

And how do you technically stop an ISP from using the radio in their hardware to detect small changes in phase angle of signals in your home?

RajT88 3 hours ago|||

Own your own hardware is how.

Comcast cannot administer my router/AP or modem.

Some other ISP's like AT&T force you to use their gateway. I try and avoid these companies or severely limit the functions of the built in gateway.

dcow 3 hours ago||

And how do you force all consumers to buy their own privacy hardware?

Edit: sorry my question is not strictly how one person would mangle their hardware so it breaks presence detection, it’s how the tech industry would develop an at scale everyday consumer solution to this problem.

dghlsakjg 2 hours ago||

Require certain disclosures to be made in not so fine print.

Require that each privacy waiver is individually initialed, per clause, in wet ink.

This shit would end tomorrow if they had to start delivering modems with 1 inch high letters that said "THIS DEVICE WILL TRACK YOUR LOCATION WITHIN YOUR HOME AND SHARE THAT DATA WITH LAW ENFORCEMENT WITHOUT YOUR KNOWLEDGE", and the modem didn't work until you went down to the Comcast store to sign your rights away.

You don't have to force anything except taking this knowledge out of the fine print and prove that your customers are actually aware of the contractual clauses they are subject to.

The tech industry could come together and come up with a privacy standard guarantee that device manufacturers could use (Something as simple as, we will never share data with law enforcement unless legally compelled).

There's a lot of solutions, ranging from technical (firmware update) to social (pass some laws with teeth).

mensetmanusman 2 hours ago||||

You attach large sacks of potatoes to the ceiling fans and lighting fixtures that are connected to strings and random timers to move them. The potato bags perfectly simulate human motion.

Every house should look like a party of 50.

Invest in potatoes

heavyset_go 2 hours ago||||

Some ISPs allow you to bring your own modem, so there wouldn't be any hardware other than your own and whatever they install to bring it into your home.

pixl97 3 hours ago|||

Disconnect and ground the antenna and supply your own equipment?

dcow 3 hours ago||

I thought we were talking about a solution that the tech industry could implement and deploy en masse to users, because it’s just, like TLS and browser standards. That’s usually what is being discussed when these give everyone privacy topics come up. The people that care enough to ground their antenna are already using their own hardware. And the ISP will deter hardware modification by charging you for damaged leased hardware. Or you’ll be in an arms race where the ISP’s firmware will flag the unit as defective because the radio doesn't work and cut off access till you fix it.

I guess you could put it in a cage. Maybe I should go door to door selling privacy cages. Do people pay for tinfoil hats these days?

lovich 4 hours ago||||

Technical and legal solutions are for different classes of problems.

Encryption is a technical solution trying to solve the problem of people being able to steal your data/money without your knowledge.

The law/police are the solution to the 5 dollar wrench problem, where you are very aware of the attack but unable to physically stop it

scarface_74 2 hours ago||

And the law can’t stop someone from using a $5 wrench before the harm is done…

lovich 7 minutes ago||

I don’t expect the law to prevent the crime. Much like my comment you replied to, I recognize different tools are for different situations.

The law is there to enforce the “rule of law”

It’s a little ambiguous because the phrase is in English and doesn’t match up 1:1 with the common vernacular, but I want the “rule of law” to enforce that the rules are real, not to prevent someone from testing their existence

taneq 4 hours ago|||

It might make it a bit harder to use the information obtained through spying, though. Both is good.

Aurornis 8 hours ago||||

> The solution here shouldn't be technical; it should be legal.

The parent commenter was highlighting that law enforcement can compel them to provide the data.

The customer has to opt-in to WiFi motion sensing to have the data tracked. If you see something appear in an app, you should assume law enforcement can compel the company to provide that data. It's not really a surprise.

> If we rely on legal protection, then not only Comcast, but all ISPs will be prohibited from spying on their customers.

To be clear, the headline on HN is editorialized. The linked article is instructions for opting in to WiFi motion sensing and going through the setup and calibration. It's a feature they provide for customers to enable and use for themselves.

godelski 4 hours ago|||

  > The customer has to opt-in to WiFi motion sensing to have the data tracked.

  - Is this true if Law Enforcement gets a subpoena? 
  - Is this true if Law Enforcement asks "nicely"?
  - Can Xfinity activate it without the user knowing?
    - Does it explicitly notify the user when the setting has been changed? (e.g. done by LE, hacker, or an abusive partner)
  - Is this a promise and a promise that by default it will stay off?
  - Is the code to perform this feature pre-installed and able to be trivially (or even non-trivially) activated by hackers?

Idk, there's a lot of questionable things here and Xfinity doesn't have the best track record that gives me a lot of confidence that we should trust them. This seems like an easily abused system that can do a lot of harm while provides very little utility to the vast majority of people.

jonhohle 4 hours ago||||

“Please accept our new terms of service to continue using your internet connection”

Your honor, they clearly opted in to us spying on absolutely everything they do or think.

tehwebguy 7 hours ago||||

> The customer has to opt-in to WiFi motion sensing to have the data tracked.

Not for long, there’s money to be made by adding this to the cops’ customer lookup portal.

bigbuppo 2 hours ago||

There's money to be made by selling this to advertisers.

pixl97 3 hours ago|||

>opting in to

Yea, at least in the US you have almost zero consumer rights around this.

Once they find some marketing firm to sell the data to suddenly it will be come opt-out in a new update and most people will blindly hit agree without having a clue what it's about.

mindcrime 1 hour ago||||

> The solution here shouldn't be technical; it should be legal.

I expect more than a few commenters here will disagree with you. Some rather vehemently.

To those that do so, I'd encourage you to read the novel Attack Surface by Cory Doctorow. While it's fiction, in the book, Doctorow makes a pretty compelling argument for the notion that when it comes to privacy, we can't win by "out tech'ing" the governments and corporations. We're simply too heavily out-resourced. If I'm interpreting his message correctly, he is saying basically what Josho is saying here: that we have to use the political/legal system to get the privacy protections that we care about enshrined into law and properly enforced.

Now, is that going to be easy? Hell no. But after reading the book I was largely sold on the idea, FWIW. That said, the two approaches aren't necessarily mutually exclusive. But I do believe that those of us who care about privacy should focus more on using our (knowledge|skills|resources) to try to foster change through politics, than on trying to beat "them" with better tech.

YMMV, of course. But if you haven't read the book, at least consider giving it a shot. Probably Doctorow makes the argument better than I can.

like_any_other 1 hour ago||||

> The solution here shouldn't be technical; it should be legal.

It should be both, one serving as a backup to the other. Theft is illegal, yet we lock our doors.

baggachipz 9 hours ago||||

> I can't imagine a world where Congress could actually achieve something that widely helpful for regular citizens.

"Best we can do is letting all the AI companies hoover up your data too"

preisschild 17 minutes ago||||

> Comcast can achieve the same by how many active IPv6 addresses are in use

Isn't this basically impossible with IPv6 Privacy Extension Addresses?

giantg2 4 hours ago||||

"The solution here shouldn't be technical; it should be legal."

Laws can be broken. Laws of physics cannot. Best to utilize both a legal and physical defense.

pdonis 1 hour ago||||

> The solution here shouldn't be technical

Why not? Just run your own router instead of the one your ISP tries to give you.

slt2021 6 hours ago||||

just buy your own simple modem and install your own wireless access point.

do not buy any device from comcast you dont fully control!

class3shock 4 hours ago|||

Until the day when to use the service you have to use their device. Or it's being used at work, a hotel, in stores, in your kids school, or anywhere you have no say on the devices used.

jitl 4 hours ago|||

Also make sure your phone and other every day carry items never connect to the Internet via your ISP’s network or emit radio signals while nearby your home.

jvanderbot 4 hours ago||||

In the future when you say things like this, please say "First" or else you're starting an endless back-and-forth of one-ups and false dichotomies.

A legal precedent easily leads to a technical block.

oliwarner 7 hours ago||||

> The solution here shouldn't be technical; it should be legal

Technical solutions tend to last longer. Legal solutions have a habit of being ignored when they become inconvenient.

The legal default should be that collecting this sort of data should always be illegal without informed consent and never used beyond the remit of that consent. As inconvenient as it sometimes is, the world needs GDPR.

dylan604 9 hours ago||||

What if I left my device at home?

matthew-wegner 7 hours ago|||

It would work even better. From the linked support page:

"Motion is detected based on the amount of signal disruption taking place between the Xfinity Gateway and your selected WiFi-connected devices, so motion from small pets (around 40 pounds or less) can be filtered out while keeping you notified of large movements more likely to be caused by humans."

aspenmayer 8 hours ago|||

With enough signals, gait recognition for example is possible, and those same signals could be corroborated with presence or absence of concomitant device signals to determine if your device is moving with your person, and if not, to then flag this for enhanced monitoring if evasion is suspected.

landl0rd 8 hours ago|||

The point is every single thing I own should be "on my side". My car should not store my location history. My wifi router should not track presence and movement. My printer should not add any watermarks or telltale dots. My stuff should actively make it difficult or impossible for hackers, advertisers, or law enforcement to recover any useful information.

This means, respectively: ensure personal info is stored securely so hackers can recover little. Don't transmit info to remote servers to limit what advertisers get. And just store as little as possible in the first place because this is the legal means to have little to subpoena or discover.

Useful info, when absolutely necessary, should be locked behind a password, as constitutional rights preclude law enforcement from making someone disclose it.

zzo38computer 4 hours ago|||

I agree, but that is only one reason. The other reason is to save power (and also RAM, disk space, network bandwidth, time, etc) by omitting unwanted functions. (Some things to actively make it difficult (e.g. encryption, passwords) would use up more power, but since they are not constantly active and are not as many functions, they might still use up less power in total.)

aspenmayer 8 hours ago|||

This is magical thinking, because it’s using the legal system to solve a technical and social problem. It’s probably possible to create standards that don’t leak PII and other forms of metadata that are unique. That is probably the only solution going forward to reduce possible interdiction by extralegal third parties. However, Comcast can only be enjoined from doing this legally, and will likely not do anything that isn’t implemented by standards bodies, such as WiFi standards. The fact that these capabilities are available to Comcast corporate is because OEMs that make set top cable receivers and combination cable modem WiFi routers provide these capabilities. I’m not sure if these features are standard or require a special order. Once Comcast has the data, it is available to law enforcement via the Third Party Doctrine, which isn’t going away anytime soon.

maxerickson 8 hours ago|||

You seem to think that it would be impossible to instruct Comcast to implement on/off for the feature? That's the sort of thing that the legal system is for.

aspenmayer 7 hours ago||

I don’t think that this would be likely to pass Congress. Even if it were, if Comcast failed to uphold its obligations due to receiving a National Security Letter (NSL) then they would be hamstrung, unable to comply and unable to protest publically.

It’s almost a legal impossibility and would be a bad move geopolitically to give up this full take capability and it is not happening. It’s wishful thinking to believe otherwise.

https://en.wikipedia.org/wiki/Room_641A

fc417fc802 4 hours ago||||

> This is magical thinking, because it’s using the legal system to solve a technical and social problem.

Is that not literally the entire purpose of the legal system?

> will likely not do anything that isn’t implemented by standards bodies, such as WiFi standards

I imagine beamforming techniques are only going to become more commonplace over time.

> Once Comcast has the data, it is available to law enforcement via the Third Party Doctrine

Unless they were legally obligated to purge it from their servers after a few weeks. Or if they employed E2EE so as not to have access to the data in the first place.

aspenmayer 2 hours ago||

> > This is magical thinking, because it’s using the legal system to solve a technical and social problem.

> Is that not literally the entire purpose of the legal system?

The legal system is subverted by the national security apparatus by necessity and by design. The information gathered by ISPs is necessary to prevent interference with ground-based radars around airports, and is necessary for fraud detection and internal security of the network. It would be feasible to make it so that this information would be gathered and retained only for a short period of time to establish and maintain network integrity, such as handshakes and other bits and bytes exchanged and retained inherent to the protocols used. The legal doctrines that establish the legality of full take surveillance have been argued before FISA courts, so an act of Congress or a test case would likely be necessary to prompt any legal reexamination of the relevant issues. However, national security issues are not really able to be resolved legislatively, because executive orders will always enable that which cannot be done on the books, which presupposes that which is done is done by the book to begin with.

What is done in the shadows must stay obscured due to means and methods, and this ideology isn’t amenable to change, political or otherwise. There is not much else to say on that point as it is observational and experiential based on my lived experience and history of interactions with law enforcement, national security professionals, and private security as a service provider and former licensed security guard, as well as being a victim of police overreach and charge stacking. I’ve worked with law enforcement and been work for law enforcement. I’ve fought the law to a draw, and I’ve fought the law and lost due to bad calls by refs. I’m working on becoming a better citizen and community member so that I can be a helper. More than that, I can’t say. The future is hopeful and yet the challenges are real, and changing. Old guards are giving way to young Turks. It’s an interesting time to be alive.

> > will likely not do anything that isn’t implemented by standards bodies, such as WiFi standards

> I imagine beamforming techniques are only going to become more commonplace over time.

The beamforming and other technologies used with modern WiFi are what enable the motion detection “for free” because the WiFi signals act as radar signals, the contours of the perturbations of which are already baked into the WiFi protocol. It’s insecure by design against this side channel attack.

> > Once Comcast has the data, it is available to law enforcement via the Third Party Doctrine

> Unless they were legally obligated to purge it from their servers after a few weeks. Or if they employed E2EE so as not to have access to the data in the first place.

You would have to reimplement the standards to make everything that squawks rotate their identifiers regularly, ideally after every transmission. It’s possible I suppose. I don’t think the political will is there to mandate this, and there are not that many people who work on these kinds of problems. Look at who created TOR. You’d have to run that kind of system everywhere, and only use it for everything, and that system would have to be part of the protocol or otherwise unable to be disabled by end users. Otherwise, you’re at the status quo we have now, where the weak links are the first to break.

If this sounds like a stretch, the weak links are always people, not protocols or pipes. That’s why this is magical thinking. As principled as you and I are, bad guys don’t have principles. Those who fight bad guys have principles, and they also have more coffee and mathematicians and hashrate.

Congress will never rule against the national security apparatus because there is no political will to do so. I can count on one hand the folks in Congress who are on relevant committees to even consider legislation on these matters who is in any way critical at all, and they largely agree with you that something needs to be done. But they don’t have the votes to do anything because the issues aren’t relevant to voters. No one cares the way you or I do, or they would probably become lawyers or politicians, as well as soldiers and broadcasters.

If you think something constructive and positive needs to be done, I would likely agree that the impetus for change exists. I’m all ears.

dylan604 8 hours ago|||

These companies are so big now, and more importantly their lobbyists are, that it is unlikely any regulations would ever come that would limit their abilities to make money off of your PII.

aspenmayer 8 hours ago||

All these already existing dragnets make oldies like the Clipper Chip seem like a weekend hackathon project.

The irony is that all of these metadata leaks and correlation attacks etc were theoretical at the time these technologies were created and developed, unless you’re NSA level compute power, both human and silicon. Now, any script kid has enough info to try to build an array of SDRs to do the same thing, and no one will care when they do besides the feds who cry foul about their turf being stepped on by plebeians. The public will never care because their eyes will already have glazed over once you mention MAC addresses and SSIDs.

fc417fc802 4 hours ago||

> any script kid has enough info to try to build an array of SDRs to do the same thing

It doesn't particularly matter what hobbyists get up to. It matters what's available at scale on the mass market, what's widely deployed, what data is legally permissible to collect on a large scale, and what data is legal to sell.

Law enforcement can't subpoena that which does not exist. The best defense to these sorts of things is often to place legal limits on collection, retention, and sale.

Your take is both alarmist and defeatist.

aspenmayer 4 hours ago||

> Your take is both alarmist and defeatist.

Legal limits on national security agencies are not enforceable due to Five Eyes etc. Allied foreign spies do what American spies don’t. I’m just admitting the political reality of the situation. What you do with that information may be limited, but it’s not a failing on my part that this is the status quo.

Dylan16807 34 minutes ago||

> Legal limits on national security agencies

You're not talking about what they're talking about. They're talking about limiting corporate data collection. If companies don't build this into routers, then 99% of routers won't be collecting this data, and foreign spies won't have any data to steal.

aspenmayer 5 minutes ago||

They will classify the data as necessary for business purposes and collect it under a different name. They will be obligated to pass full take information if necessary, and it will be tapped at any point by employees who are given NSLs and asked/told to do things under penalty of law where applicable, and on threat of arrest or dismissal if not, or by federal agents themselves or their deputies or other approved third parties. Your modem may be intercepted in the mail and reflashed if necessary or over the wire, and that functionality is part of the operating standards of the modems. You could find a way to secure this on your own maybe, which is perhaps just another signal which flips a bit somewhere and may be logged. You can’t close Pandora’s box. It doesn’t matter if Comcast has the WiFi data to sell because they will have access to the information due to how the WiFi signals propagate. It’s diagnostic data. It’s the signals themselves. So all this is perhaps a misdirect, as any third party in range of the WiFi network can likely do the same thing passively, so it is a moot point. The data being gathered and sold should be legislated, but I don’t think that it will affect any of the actual concerns raised, because feds will still legally do whatever they are authorized to do, the justification and doctrine may not be public information. You probably won’t know, so you won’t object. Third parties who lack principles will gather the data regardless of legality. I don’t know how you could even legislate against passive monitoring unless you could demonstrate intent to harm or violate FCC regulations and applicable laws about harming people or computer systems like CFAA, which is a whole other issue.

dylan604 8 hours ago|||

when I'm at home, my device is just sitting on the desk. rarely is it in my actual hand being carried with me. also i'm old, so i don't have it in my hand while sitting on the couch or in bed either. that's why my laptop is for. something with a real keyboard and screen and not something that's going to give me scoliosis for hunching over to read all the damn time

wyager 2 hours ago||||

> The solution here shouldn't be technical; it should be legal.

The technical solution seems strictly preferable

Legal "protections" only protect you up the moment a warrant is issued, if that

timewizard 9 hours ago||||

It doesn't require IPv6. The modem is just as aware of all the private IPv4 addresses on your network as well as all the public IPv6 ones.

Unless you put your own gateway (layer 3 switch, wifi ap, linux router) in front of it.

Yeri 7 hours ago|||

From my understanding it tracks signal strength between two points (gateway and printer for example).

Putting your phone in airplane mode doesn't make it think you have left the house.

> If you’d like to prevent your pet’s movement from causing motion notifications, you can exclude pet motion in your WiFi Motion settings by turning on the Exclude Small Pets feature. > Motion is detected based on the amount of signal disruption taking place between the Xfinity Gateway and your selected WiFi-connected devices, so motion from small pets (around 40 pounds or less) can be filtered out while keeping you notified of large movements more likely to be caused by humans.

frollogaston 8 hours ago|||

That would require Comcast to have access to your router, or more precisely, the NAT.

nemomarx 8 hours ago|||

Comcast sells a router gateway combination device that's probably required for this motion sensing anyway. If you have that they could already check device counts and in fact their Xfinity app lists connected devices in detail.

timewizard 8 hours ago|||

For most people their Comcast modem _is_ their router.

frollogaston 8 hours ago||

The point of the comment about ipv6 is that if you don't use a Comcast modem/router or they're prohibited by law from snooping on that, Comcast can still sorta understand the number of users from the outside by looking at your ipv6 addresses.

timewizard 7 hours ago||

I understand they can do traffic analytics but with privacy extensions and the proliferation of IoT devices I don't think that level of analysis is going to be very fine. Probably just enough to bin houses into different size groups.

There are a multitude of pre-existing ways of achieving the same result. One would be simply looking at the ft^2 listed on the public tax documents for the given address.

So I was really assuming any useful analysis would require them to be the actual man in the middle by owning and controlling your router. In which case address family does not matter.

devwastaken 3 hours ago||||

you cant tell most of those things because same ip doesnt coorespond to a unique service and plenty of programs and websites phone to servers where addresses have changed. there is no static database.

you also cant associate it to a person automatically. the burden of proof is high - how many jurors have tech at home they know nothing about and maybe got hacked?

sandworm101 5 hours ago||||

>> The solution here shouldn't be technical

The solution can be technical, but only if it is also sneaky. Blocking or disallowing certain information is one thing but making that information worthless is better. A simple AI agent could pretend to ping all sorts of services. It could even do some light websurfing. This fake traffic would nullify any value from the real traffic, destroying the market that feeds this surveillance industry.

I see a UI that allows homeowners to fake certain people being in the house when they are not, either replaying traffic or a selection of generic bots that mimic the traffic of various cohorts.

frollogaston 8 hours ago||||

Ipv6? I ain't enabling that anyway

hamhock666 7 hours ago|||

> ... I can't imagine a world where Congress could actually achieve something that widely helpful for regular citizens.

The solution is to not use the internet if you care about your privacy.

kevin_thibedeau 7 hours ago||

We are now treating foreign students with suspicion when they don't have a satisfactory internet footprint. Only a matter of time until that gets turned against the citizenry. Submit to surveillance capitalism or go to jail you deviant.

pixl97 3 hours ago||

Heh, soon your modem will report to the SS on how many undesirables you are sheltering in your home.

Us humans love building the Torment Nexus.

lrvick 6 hours ago|||

Comcast has remote control of all of their equipment so they will just turn it on for you if they get a court order or a big enough check from an adtech company.

Wifi imaging is a bit like a silhouette and generally accurate enough to work out gait and height which could give a good indication of which people are in what locations in a home. That is some very scary power in the hands of a corpo.

fnordpiglet 3 hours ago|||

More scary in the hands of the government. Whether you didn’t trust the prior US government or this one - which pretty much covers the entire population - that’s the folks that shouldn’t have this technology at their disposal. I struggle to see a use a corporation will have for this even extending ad tech to the maximum potential. The most useful application is surveillance for political purposes - in the current government, how better to cross reference with the uber database of people they are building to enact political policy to know when people they want to disappear to a foreign prison? This provision doesn’t even seem to require a warrant.

slt2021 6 hours ago|||

they only have some level of control over DOCSIS modem. if you install the cheapest/simplest DOCSIS modem, and connect it to your own wireless access point that is NOT controlled by Comcast - they wont know anything.

They will only see traffic coming from 1 local IP - of your wireless AP

boston_clone 6 hours ago||

Hmm. Not much of this is true.

They provide a modem / router combination device at even their cheapest tier.

That device can leverage this technology, and the technology isn’t reliant on traffic.

They can gather plenty, and can provide it to third parties without our knowledge or consent.

margalabargala 5 hours ago||

Hmm. That misses the broader reality.

What you're missing, is that you are allowed to use your own modem. You can purchase an Arris Surfboard, and use that.

They still have control of that modem, but can gather no downstream data. That the devices are not distributed by Comcast personally is not relevant to you being able to do this.

cortesoft 3 hours ago|||

I did that, and then a few years later they no longer supported that version. I gave up and used the provided modem.... guess I could put it in a faraday cage to prevent the WiFi from being enabled...

lrvick 1 hour ago||

Or just cut the power trace to the wifi chipset.

boston_clone 4 hours ago||||

Your described option is not the broader reality.

Most people use the hardware that is provided with the service by default. Last time I checked, there's not even an additional rental fee.

margalabargala 1 hour ago|||

Maybe not everywhere, sure, only in America.

https://www.xfinity.com/support/articles/list-of-approved-ca...

I can't believe I'm defending Comcast on the internet but here I am, I guess between them and you I'm siding with the entity currently being less of an ass to me?

Mogzol 3 hours ago|||

Sure, but you still can use your own hardware if you choose to. And that's all that the original comment you replied to was saying. If you choose to use your own hardware, then Comcast won't have control over it and cannot do this wifi motion detection.

Of course, most people won't do this, but that's besides the point.

boston_clone 1 hour ago||

> they only have some level of control over DOCSIS modem

they typically issue a modem / router combination unit, and they can control the router and its radios.

Mogzol 28 minutes ago||

Yes, but you can replace that with your own unit they don't have control over.

lynndotpy 5 hours ago||||

The people who do this will be a vanishingly small minority. It's not as easy to set up one's own modem as it is their own router, IME. And even then, going with your own router is rare.

margalabargala 1 hour ago|||

What are you talking about? Modems are incredibly simple to set up. You buy it, log into your account on another network or call the ISP, enter your modem's mac address...and that's it. You have to type in the mac or read it off over the phone. There's nothing on device to set up, it's much easier than a router.

devilbunny 4 hours ago||||

> It's not as easy to set up one's own modem as it is their own router, IME.

I mean, I suppose it's got the additional step of calling Comcast and giving them the MAC of your modem, but IIRC that's all I had to do after buying one on their approved list. Been at least 7-8 years since I had them, though.

You can plug-and-play with a consumer "router", but even then you need to know the difference between WAN and LAN sides. So the extra effort seems minimal.

Most people don't know how to set up either one. I know when the fiber techs came to my house to set me up they were greatly impressed at my (fairly basic; I don't do this for a living) networking knowledge.

jcrawfordor 4 hours ago||

You don't usually have to call any more, there's a captive portal provisioning process. It's not totally reliable and sometimes you might give up after a few tries and call instead.

SoftTalker 3 hours ago|||

You also get better rates if you use their equipment.

0cf8612b2e1e 1 hour ago||

Surely that is not true? I thought rental fees were common with using the vendor equipment (something like $10/month). It is a frequently listed as a cost cutting measure to buy your own modem rather than rent from The ISP. A modem is $100-200, so you should be net positive after a year on the investment.

bix6 4 hours ago|||

Why an Arris Surfboard specifically? Just checked their website and the ratings are not good?

Edit: thanks for the downvote! The few I clicked on their website have weak ratings but they are rated much better on Amazon.

margalabargala 1 hour ago|||

Back when I used Comcast ten years ago, that was the one that I had that I used with them. I mentioned it because I'm 100% certain it can be used. There are a million others too.

McAtNite 3 hours ago|||

Historically the surfboard has been the go to option for Comcast. I can’t say what the current best option is, but if you purchased your own modem in the previous decade chances are you bought a surfboard. IIRC Comcast has a page of third party modems that are compatible.

57473m3n7Fur7h3 9 hours ago|||

And also how many people are currently in the house, right at this moment. Maybe even which rooms of the house those people are in.

schiffern 9 hours ago||

WiFi can also be used to detect heartrate and breathing, which can leak additional ad-targeting information related to activity, arousal, or agitation.

https://www.mdpi.com/1424-8220/24/7/2111

shostack 5 hours ago||

I am curious if, with the number and quality of signals they can capture from this, how uniquely they can identify individuals and determine things like age, gender, weight, etc. Particularly when analyzed probabalistically with other household level data they likely have.

totetsu 4 hours ago|||

One could just keep a rotisserie chicken roasting in the oven to make it seem like someone’s home

usefulcat 2 hours ago|||

> Sounds like, at least in some limited circumstances (using the provided WiFi AP, having this feature turned on, etc), ISPs are going to be able to tell law enforcement/courts whether anyone was home at a certain time or not.

Kind of, but I'll bet most homes would frequently also appear "empty" any time the occupants are asleep. Not everyone gets up to go to the bathroom in the middle of the night.

pdonis 1 hour ago|||

> using the provided WiFi AP

Which you can simply not do if you don't trust your ISP not to misuse it. Which is why I never run my ISP's router, I run my own instead.

timewizard 9 hours ago|||

You can turn the customer AP off; however, the Comcast Customer Shared WiFi is always on. This is true even for Comcast Business accounts. You're expected to be a hotspot for their other customers.

Which is one of the main reasons I bought my own modem.

slt2021 6 hours ago|||

just dont buy any device form comcast!

buy your own DOCSIS modem from Amazon and your own wireless AP. Separate AP is needed, because Comcast has some form of control over DOCSIS modem (they can reboot and send config to your modem)

problem solved

jhowison 7 hours ago||||

You can turn off the shared hotspot: https://www.xfinity.com/support/articles/disable-xfinity-wif...

lrvick 6 hours ago||

And they can turn it right back on again.

SoftTalker 3 hours ago|||

You can unplug your modem when you're not using it.

jiveturkey 3 hours ago|||

for comcast business you can get the modem that doesn't have wifi at all.

al_borland 4 hours ago|||

“Comcast does not monitor the motion and/or notifications generated by the service.”

Sounds like the above claim amounts to nothing more than, “trust me bro.” Or, rather, that that nothing stops them from monitoring it, other than the cost, as they haven’t monetized it yet.

taneq 4 hours ago||

Or someone else monitors them?

snarf21 8 hours ago|||

Curious: What about adding a small battery powered WiFi device to your dogs collar? Would that look like a person moving around the house? What about a WiFi controlled mini drone that flew around you house?

[Note: this should be illegal]

Yeri 7 hours ago|||

It doesn't require a WiFi device to work.

brewtide 6 hours ago||||

It's basically passive radar using the wifi bands as the reflection AFAIK. It doesn't seem to be about the active state of devices, but the deflections in known points. It's creepy.

Aurornis 8 hours ago||||

A much easier alternative is to not enable the feature on your router.

It's an opt-in feature. If you don't set it up, they aren't generating the home/away chart like shown in the article.

pixl97 3 hours ago||

It's an opt-in feature, for now.

If they find some way to sell the data you'll quickly find it difficult to opt-out of.

antonvs 2 hours ago||

Luckily it is still possible to opt out of Comcast.

godshatter 7 hours ago||||

I was thinking of attaching a wifi enabled device to a roomba if you wanted to appear to be home when you weren't. I would hope, though, that doing something like this wouldn't be illegal. It's your home, your stuff, etc. Besides, I don't want to get arrested for leaving a rotating fan on or something.

vel0city 7 hours ago||||

This technology doesn't rely on you actually having a WiFi device on you. It can detect presence/motion by changes to the standing waves of the EM propagation throughout the room.

As the salty water meatbags move from room to room we change how the reflections and scattering patterns of 2.4 and 5GHz waves move. Studying these changes and some calibration, you can even determine small changes (like is the person on the left side of the room breathing, are they standing or prone, etc).

In their docs, they show using the WiFi connection from a printer to determine motion sensing and have the option to exclude pets.

puppycodes 7 hours ago||

im very skeptical of the accuracy claimed. The layout and complexity of objects in most homes to do this is way to awkward to work reliably.

For someone breathing or a heartbeat you need much higher GHz signal. Usually this is done at 30ghz to 60ghz. The power flux leaving the antenna has an inverse square drop off rate which makes this basically impractical unless your standing directly in front of it.

lrvick 6 hours ago|||

I have personally tested wifi imaging from a cheap old 2.4Ghz linksys router that was accurate enough to tell if my hand was open or closed, maybe 10 years ago.

paavoova 5 hours ago|||

Is 60GHz not part of the standard now? Only a matter of consumer hardware support.

vel0city 1 hour ago||

I don't think 60GHz is required on WiFi 7 which includes a lot of sensing, but I'm open to be proven wrong.

miki123211 2 hours ago|||

They already can.

If they have access to your router and its logs, they can simply check whether your mobile device was in WiFi range at that time.

Sure, mobile devices can be turned off, but at that point, so can routers.

In 99.9% of circumstances, it's a "nothing burger" from a law enforcement perspective, except maybe for detecting actual crime occurring when no residents are home.

adolph 4 hours ago|||

Just don't use your vendor's hardware. Get a cheap cable modem and hang whatever infra you want on the other side. Get a hardware VPN like the Velocloud. Using your ISP's equipment is like using their SMTP.

wat10000 5 hours ago|||

You should assume that any information a company has about you will be turned over to law enforcement in that case. They don’t have a choice, they’re required to cooperate.

The purpose of that clause isn’t to allow them to cooperate with law enforcement. That’s a given. It’s to avoid problems with you when they do, so they have something to point to and say “we did warn you.” Law supersedes private contracts. They could write “we will never give your information to law enforcement” but all that means is that they’ll be forced to break the contract when that happens.

seany 5 hours ago|||

Would be curious how that works with larger family with pets. Depending on the week we're 5-7 people and 2-4 dogs. With a single AP the noise beyond "something happened" would be pretty rough I think.

puppycodes 7 hours ago|||

definitly an atrocious violation of privacy, but in reality discerning between an animal, something blowing in the wind, and a person moving would be very hard without a dedicated calibrated array for that to hold up in court. I'm aware they have "exclude animal" but theres no way its at all accurate.

Using your mobile data and internet traffic is far easier and already deeply integrated into off the shelf law enforcement products. Those progams are even more terrifying than this by an order of magnitude.

casper14 7 hours ago||

Spot on, device tracking is much better than wifi sensing

conradev 3 hours ago||

Can't they already do this with the data of which devices are connected when? Motion data doesn't identify you in the way that device data does

johnklos 8 hours ago||

I've been telling people for ages to not trust ISP provided hardware. Notice the vague language here which means they reserve the right to share private information for anything that might be called an investigation, or for any dispute which includes them (didn't pay your bill?), or a subpoena.

    Subject to applicable law, Comcast may disclose information generated by your WiFi Motion to third parties without further notice to you in connection with any law enforcement investigation or proceeding, any dispute to which Comcast is a party, or pursuant to a court order or subpoena.

Plus, sharing isn't limited to a court or law enforcemnt agency - they reserve the right to share information with any third party.

This is scary, particularly considering how the current administration wants to weaponize everything they possibly can.

bdcravens 5 hours ago|

Scary, but is it any scarier than the status quo before this feature was implemented? The fidelity of the data, perhaps, but it's more or less been the standard that our footprint where we intersect with a third-party is no longer ours to control.

JumpCrisscross 1 hour ago|||

> is it any scarier than the status quo before this feature was implemented

Yes. It's an invasion of privacy inside peoples' homes.

mrtesthah 4 hours ago||||

The status quo after January 2025 looks nothing like it did before.

hiddencost 3 hours ago|||

And that's a reason to give up privacy?

femiagbabiaka 9 hours ago||

Xfinity won't give folks in certain locales (maybe everywhere in the US?) unlimited bandwidth unless they use their modem/router. This seems like a good reason that practice should be illegal.

AzzyHN 3 hours ago||

If you want to remove the 1.2TB data cap, you can either pay $25/mo and get Xfinity's gateway router "included" OR pay $30/mo to use your own modem/router.

afruitpie 9 hours ago|||

As far as I’m aware, Xfinity fiber customers have to use the provided “Xfinity Wi-Fi Gateway” and cannot enable bridge mode.

If anyone knows a way around this, please share! I want to connect my Xfinity ONT directly to my UniFi router.

mixdup 7 hours ago|||

They have changed this policy with their new plans released last week. You no longer have to use their equipment to get unlimited data

0cf8612b2e1e 8 hours ago|||

In that situation, I would put the vendor modem in a microwave or other impromptu faraday cage to prevent the leakage. Remove/isolate the antennas as best as possible.

Saris 7 hours ago||

Can also open it up and disconnect the wifi antennas, or cut the traces if they're on the PCB.

0cf8612b2e1e 7 hours ago||

Those vendor modems are rentals and expected to be returned in working order. Would you likely get away with it? Sure, nobody is paying techs to diagnose why the WiFi is failing for unit #367326, but cutting traces is definitely crossing some lines.

soupfordummies 4 hours ago|||

I wonder what they do with them when they’re returned. Ship em off in pallets to e waste buyers in China I would guess.

hatsunearu 2 hours ago||

I think they get refurbished and sent back to other customers.

Saris 7 hours ago|||

I mean if they're going to track me then it's fair game IMO.

m463 7 hours ago|||

I was thinking about this with respect to the new uncomplicated no-contract service with no caps they started offering:

https://www.slashdot.org/story/25/06/26/2124252/comcasts-new...

Apparently you can get 1/2gbit ethernet only modems without wifi. You don't save any money over using their equipment.

kelnos 3 hours ago|||

I use my own modem/router with them, but I have to pay an extra $30/mo for unlimited download. Complete garbage. I wish there was competition; Comcast is my only realistic option in San Francisco.

zeta0134 7 hours ago|||

This practice, and fear of the exact sort of nonsense in this article, plus wanting to keep my wifi bandwidth free for the network I actually connect to, is why I'm still on AT&T DSL in my area, at 50 mbps. Comcast is available at up to gigabit, and they can keep it.

al_borland 4 hours ago|||

I had AT&T DSL many years ago. They forced me to use their modem/router combo from 2Wire. It was truly awful. I eventually got so fed up with trying to connect things to the WiFi that I bought a separate router to plug into it, and connected to that network, which it did let me do. That solved most of my problems, other than the overall poor service.

harles 7 hours ago|||

AT&T is pretty bad in its own way. They snoop DNS and to sell your info (including physical address) to advertisers - even if you switch your DNS providers. They used to had a paid opt out (~$20/mo IIRC) but I don’t see that option anymore.

aaronmdjones 6 hours ago||

This is quite easy to avoid by using DNS over TLS. It's like 15 minutes of effort in some OpenWRT documentation [1]. If you want any hope of having some semblance of control and privacy, you would already be using your own router, with their CPE being relegated to modem-only duties. It only makes sense that in this situation you choose a router that can run highly-configurable and privacy-preserving software.

I did it several months ago, including the optional adding an outbound firewall rule dropping forwarded UDP/TCP 53 traffic (I tried the redirect rule suggested there first, but it didn't work and the firewall ruleset failed to load, so a drop will have to do. I didn't bother investigating why, because everything on my LANs is configured to use the router as their only nameserver anyway).

I also added a rule dropping it from the router itself in case something breaks, for example if it suddenly decides to start honouring the DHCP-received nameserver addresses (my ISP) despite being configured not to.

EDIT: The article doesn't make this clear, but the bootstrap section is only necessary if you specify upstream nameservers by name (e.g. "https://dns.cloudflare.com/dns-query"). This is not required. For example, you can configure a manual upstream of "tls://1.1.1.1" like I did, and then it doesn't need to do any DNS lookups at all, so does not need to be configured with bootstrap servers, so will not break if you add the 2 firewall rules I mentioned.

[1] https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq...

dylan604 9 hours ago|||

So use their router, but connect your own to it. Then turn off the WiFi in their equipment

femiagbabiaka 8 hours ago||

I'm doing the first bit, but I can't turn off the wifi -- only stop broadcasting my "personal" network. And actually, as I went in to make sure that was the case, I saw that broadcasting of my personal network had been forcibly turned back on. Lovely!

nick__m 8 hours ago|||

If you cannot disable it and you don't trust the wifi but need the service, wrap the isp provided box it in aluminum foil and ground that foil ( no need to try to solder on the foil, an alligator clip is more practical), the wifi will still be on but it will be completely blind. Just make sure it doesn't overheat.

femiagbabiaka 8 hours ago||

These are the comments I come to HN for.

zzo38computer 5 hours ago||||

That is what should be illegal, for electronic devices (even if rented) to be unable to disable wireless communications, or for a contract to affect the operation of stuff other than wireless communications when the wireless is disabled. It should also be illegal to be unable to disable all power to electric devices (for devices with battery power, that would include that it must be possible to remove the battery, and the method to be documented).

dylan604 8 hours ago||||

If you don't broadcast your SSID, then how can device manufactures have hyper accurate location services available when GPS is not? You're not participating in the system! Hell, as much money as theGoogs gives to be the default search to various companies, would they not be willing to pay ISPs to keep that option on? I'm just throwing ideas out that I know nothing about, but I don't see why they would be opposed to the concept.

bowmessage 1 hour ago|||

I admittedly know little about this, but isn't GPS accurate enough on most modern devices to render the SSID refinement moot?

femiagbabiaka 8 hours ago||||

This is an old article, but still accurate. By default every Xfinity router also advertises Xfinity's public wifi offering: https://money.cnn.com/2014/06/16/technology/security/comcast.... Now if you turn that off then what? Not sure, but I trust Xfinity and their lawyers to find a way :)

nandomrumber 8 hours ago|||

Doesn’t turning off SSID broadcast result in devices that have the wifi network saved repeatedly broadcast a request for the AP to identify itself in an effort to establish a connection?

dylan604 8 hours ago|||

I'm not sure I follow. Why would a network known to the device not be connected to the network? If you never connected your device to their wifi and only connected to your wifi connected via ethernet, why would it even know to make a request? If you're not actively connecting to the WiFi in your house, why not just "forget network"? Seems like a strange hypothetical, but aren't they all?

craftkiller 5 minutes ago||

> Why would a network known to the device not be connected to the network?

I think they're referring to when you leave your home. Your device(s) will be constantly broadcasting probe requests for the hidden network.

The away-from-home probe requests wouldn't be that useful for mapping, but your AP/router is equally useful for mapping with or without broadcasting the SSID. Hiding your SSID just means it sets the SSID to null in the beacon frames but it's still sending out beacon frames with its far-more-unique MAC address. If you're on linux you can see this pretty easily by running `sudo iw dev wlan0 scan`. The "hidden" wifi networks will have their SSID as "SSID: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" but all the other information including MAC address is still there. Personally it seems there are two "hidden" wifi networks within range of my bedroom.

nullc 8 hours ago|||

They do that already... sum of all privacy losses.

Any time you go out in public your devices are crying out looking for your home AP. If someone can figure out which are you, e.g. by seeing you multiple times in different places they can then go look up where you live based on your home's SSID broadcasts.

dawnerd 8 hours ago|||

Put the thing in a faraday box.

kacesensitive 5 hours ago|||

Exactly why I rent the modem but it sits unplugged in the closet lol

reaperducer 9 hours ago||

I use a cellular connection for my internet, but my apartment building is wired with Xfinity, and probably 90% of people use it.

Naturally, there is no way for me to opt out of this.

bikenaga 8 hours ago|||

Does your apartment lease require that you use Comcast's hardware? When I signed up for Xfinity years ago I wanted to use my own hardware (NetGear cable modem, Buffalo Airstation with DD-WRT). I forget now whether I had to walk through the activation over the phone with a tech - I vaguely recall having to provide some information about the modem, which was one of the models listed as supported on their use-your-own-hardware web page - but the whole thing was easy.

Other people have mentioned that not using Comcast's stuff means that certain features won't be available, but I don't care. I don't have huge bandwidth needs, for instance.

MobiusHorizons 2 hours ago||

I believe the person you are replying to does not use comcast, but is saying they cant' opt out of this spying due to their neighbors using comcast.

BarryMilo 9 hours ago|||

Time to make your apartment a faraday cage!

Tijdreiziger 9 hours ago||

RF-blocking paint exists.

kube-system 8 hours ago||

And contrary to popular belief, neither it nor a faraday cage blocks RF. They attenuate it, to varying degrees.

zzo38computer 4 hours ago||

There is still the question of how much the attenuation is and if it can prevent the detection. There is also the issue if you want to receive other radio signals such as AM radio, FM radio, amateur radio, etc.

cs702 6 hours ago||

If you ask the Xfinity managers who came up with this idea whether thieves will be able to buy live information on whether your home is empty from hackers on the dark web, the managers will likely say... nothing. What they will do is look at you with a deer-in-the-headlights expression in their shocked faces.

Sigh.

Terr_ 4 hours ago|

The word "liability" might not always work, but occasionally it makes someone think a little harder about what their company is doing.

pilingual 3 hours ago||

I was reading Hyatt's Privacy Policy and they mention biometrics (and even genetic information for some reason). Does this mean they can analyze all of my behavior in the hotel room?

I'm not about to find out. I really liked Hyatt, too.

sneak 1 hour ago|

The ER I was seen at a few weeks ago had me sign a consent to use my data to (presumably) train AI.

aschla 2 hours ago||

To whom it may concern, for those who use the modem in bridge mode, it is possible to discreetly pop open the Xfinity modem and disconnect the wireless antennas.

yborg 9 hours ago||

I remember reading this paper when it came out, didn't think it would be commercializable, and here we are.

https://dl.acm.org/doi/10.1145/2486001.2486039

andy_xor_andrew 9 hours ago||

Yeah, it's bizarre.

Normally the pathway for this kind of thing would be:

1. theorized

2. proven in a research lab

3. not feasible in real-world use (fizzles and dies)

if you're lucky the path is like

1. theorized

2. proven in a research lab

3. actually somewhat feasible in real-world use!

4. startups / researchers split off to attempt to market it (fizzles and dies)

the fact that this ended up going from research paper to "Comcast can tell if I'm home based on my body's physical interaction with wifi waves" is absolutely wild

nomel 8 hours ago|||

It's not too crazy, if you're familiar with comms systems.

The ability to do this is a necessity for a comm system working in a reflective environment: cancel out the reflections with an adaptive filter, residual is now a high-pass result of the motion. It's the same concept that makes your cell location data so profitable, and how 10G ethernet is possible over copper, with the hybrid front end cancelling reflections from kinks in the cable (and why physical wiggling the cable will cause packet CRC errors). It's, quite literally, "already there" for almost every modern MIMO system, just maybe not exposed for use.

transpute 8 hours ago|||

> the fact that this ended up going from research paper to "Comcast can tell if I'm home based on my body's physical interaction with wifi waves" is absolutely wild

The 15-year path was roughly:

  1. bespoke military use (see+shoot through wall)
  2. bespoke law-enforcement use (occupancy, activity)
  3. public research papers by MIT and others
  4. open firmware for Intel modems
  5. 1000+ research papers using open firmware
  6. bespoke offensive/criminal/state malware 
  7. bespoke commercial niche implementations
  8. IEEE standardization (802.11bf)
  9. (very few) open-source countermeasures
  10. ISP routers implementing draft IEEE standard
  11. (upcoming) many new WiFi 7+ devices with Sensing features

https://www.technologyreview.com/2024/02/27/1088154/wifi-sen...

> There is one area that the IEEE is not working on, at least not directly: privacy and security.. IEEE fellow and member of the Wi-Fi sensing task group.. the goal is to focus on “at least get the sensing measurements done.” He says that the committee did discuss privacy and security: “Some individuals have raised concerns, including myself.” But they decided that while those concerns do need to be addressed, they are not within the committee’s mandate.

ddq 1 hour ago||

Sounds like IEEE is in need of fresh leadership and soon. Complacency at this point is folly.

hopelite 9 hours ago||

I have a sneaky suspicion this is not something that Xfinity/Comcast just woke up one day and thought they should implement. This has all the hallmarks of the treasonous surveillance state injecting itself to instrumentalize corporations to claim they’re not violating the supreme law called the Constitution if they simply make others commit the treasonous crimes against the people.

Because we all know, of course, the Constitution only applies to the federal government, right? If mega-corporation USA Inc uses its shell company Comcast to violate the Supreme law of the land in a treasonous manner, then you are of course SOL asa mere citizen since they aren’t the federal government and the Constitution does not apply to them.

In case it want clear, that was sarcasm.

schiffern 9 hours ago|||

I miss the old days when this would come off like a crazy rant, rather than being the evening news.

In case people missed it:

https://theconversation.com/from-help-to-harm-how-the-govern...

https://www.eff.org/deeplinks/2023/07/even-government-thinks...

https://www.politico.com/news/magazine/2024/02/28/government...

sojsurf 9 hours ago||||

I was just reading up on wifi 7 today. It sounds like the spec was designed with WIFI sensing in mind.

Tijdreiziger 8 hours ago|||

That’s speculation. In the article, you can see that it’s meant as a pseudo-alarm system. It’s plausible that someone at Comcast thought this is a value-add. (Netgear already offered this as a feature on their routers, it’s not a novel concept.)

Even within tech circles, lots of people aren’t worried about privacy and even have indoor cameras in their homes.

EvanAnderson 9 hours ago||

I don't want my ISP doing this to me, but it sounds like something pretty cool to do myself. Does anybody know what the current state of "self-hosting" this kind of functionality is?

ethan_smith 1 hour ago||

Check out ESP32-based projects like ESP32-CSI-Tool or the FreqSense library, which can implement WiFi sensing with minimal hardware and completely under your control.

0cf8612b2e1e 8 hours ago|||

I am also super interested for the personal use case. What is the resolution? Can I track my cat through the house? See when they go to the feeder? Count my own bathroom visits?

Aurornis 8 hours ago||

> What is the resolution? Can I track my cat through the house? See when they go to the feeder? Count my own bathroom visits?

None of the above.

The setup process has you select 3 reference devices. You should pick the devices so that your normal motion areas are between the device and the router.

The router then watches the WiFi signals from those devices. If they fluctuate more than baseline, it's assumed that something is moving around in the area.

It's a threshold detection that can serve as a crude motion sensor for home/away purposes.

HeavenFox 7 hours ago|||

For home / away purposes it's easier to just detect if your phone is connected to the network. I built something like that before by shipping the log from my UniFi controller to a RPi and listen for events where my phone's MAC address connect or disconnnect.

TechDebtDevin 2 hours ago||

This doesn't really tell you if someone without your wifi password is rummaging through your house while you're not there. Also wifi is not the right tool for this lol

0cf8612b2e1e 8 hours ago|||

Nuts. Less interesting than the claims of monitoring heart rate, but still potentially some applications “for free” if it just needs to analyze signal strength from devices I already have. Theoretically could put it directly onto my OpenWRT router and make it available from there.

sneak 8 hours ago||

Just get cameras and local storage/processing for them. No need for elaborate Wi-Fi presence detection hacks.

EvanAnderson 4 hours ago|||

Presence detection without the possibility of images being captured seems a reasonable application to me. So much the better if I could do it with hardware I already have versus installing motion detectors or other sensors.

TechDebtDevin 2 hours ago||

RF human detection sensors ((that can even tell you the heart rate of someone in the room (if its below 120 I think)), cost almost nothing. Or at least they did before tariffs .

They can also be programmed to detect people on the floor, so if you have elderly in your house you can know if someone fell, without cameras. They are made for hospitals but are cheap, but not 100% accurate for HR and falls, but reliable enough for security, and cheap.

ab71e5 4 hours ago|||

This is hacker news, of course there is a need

Aurornis 9 hours ago||

In case anyone is skimming the headline and comments: It's not enabled by default. This is an optional feature that you have to find, turn on, and then select up to 3 WiFi devices to use as reference signals:

> Activating the feature

> WiFi Motion is off by default. To activate the feature, perform the following steps:

The actual title of the article is "Using WiFi Motion in the Xfinity app".

snickerbockers 6 hours ago||

"...for you." --Bane

These days it is never safe to assume that opting-in does anything more than making some of the information that's being collected regardless available.

Although I actually agree with you that it probably isn't doing anything by default to the extent that it isn't doing anything yet because it's new they haven't worked out how to monetize it.

ocdtrekkie 6 hours ago||

I think at least right now this is reasonable: It's off by default, and if you choose to turn it on, they don't use it for anything themselves, but Comcast is disclosing that it may be forced to give the data over with a legal request.

If I was advising Comcast, I'd tell them this is a dumb thing to introduce because just the perception of bad behavior is not worth any particular benefit, but whatever. I can't imagine someone deciding they want a Comcast plan because it offers this, and there's no way for them to monetize it without almost assured legal backlash.

transpute 9 hours ago|

Sensing is (sadly) part of Wi-Fi 7. If you have a recent Intel, AMD or Qualcomm device from the past few years, it's likely physically capable of detecting human presence and/or activity (e.g. breathing rate). It can also be done with $20 ESP32 devices + OSS firmware and _possibly_ with compromised radio basebands.

al_borland 4 hours ago||

Was anyone asking for their network to be able to sense their breathing rate? What does this enable that actually improves people’s lives?

This is the kind of stuff that pushes me to pull a Ron Swanson and throw my technology in the dumpster.

jeroenhd 56 minutes ago|||

The network already could. The standardisation is just making the feature available without hiding it.

The core of the sensing technology is about improving MU-MIMO + OFDM + all the other speed tricks. Human bodies interfere in predictable ways so you need the tech to steer around that. As a side effect, you get detection capabilities for free.

In such a setup, your laptop and router already know where you are. The question is whether or not to offer it to you so you can use that information for things like home automation. Had they not made this part of the protocol, the privacy risks were just as bad, you just wouldn't be aware of them.

transpute 3 hours ago|||

Similar technology has been quietly in use for a while, with falling cost, e.g. "Inside a $1 radar motion sensor", https://news.ycombinator.com/item?id=40834349 (100 comments).

Commercialization gives consumers and regulators the opportunity to express their opinions on the sudden and unsolicited transparency of the walls, floors and ceilings of their homes and businesses.

AzzyHN 3 hours ago|||

What's the commercial use of having this data though? Or even law enforcement use? We all have our phones on us most of the time anyways, knowing where in my house I'm at doesn't really... change anything...

transpute 3 hours ago||

There are 1000+ public research papers on machine learning + RF detection of human activity, including but not limited to breathing rate, keystrokes, body position, body motion, gestures, sleeping, biometric (identity) signals and more, https://scholar.google.com/scholar?q=device+free+wireless+se...

What's the economic value of remote collection of human behavioral signatures without consent, integrated with AI and robotics and "digital twins"? We're not there yet, but if the technology continues improving, what's the future value of "motion capture" of humans without body-worn sensors?

In theory, this will enable "Minority Report" user interfaces. 3D gestures could be combined with "AI" voice interfaces. Biometric authentication (e.g. heart rate) could replace passwords. Walk into a room and it adapts itself to your preferences. Etc.

There are lots of "cool" Jetsons sci-fi use cases, but ONLY IF the data and automation are entirely under control of the human subjects, e.g. self-hosted home server, local GPUs, local LLM, local voice recognition, etc.

jml7c5 6 hours ago|||

Commercial use of WiFi sensing predates WiFi 7 (a notable example is Philips smart bulbs with presence detection). AFAIK WiFi 7 just includes an amendment by the 802.11bf working group to improve performance.

heywoods 8 hours ago||

[flagged]

tomhow 7 minutes ago|||

Please don't do this. Whether it's LLM-generated or not, HN is not a place for pasting big blocks of text from elsewhere in comments. Original human thoughts only here please.

anitil 6 hours ago|||

If you had a particular idea from the LLM that you wanted to share people would be more receptive, but just dumping the whole output comes across as intellectually lazy

More comments...