I Gave Up My Privacy For Beer Delivery

Tracking is a bad thing, except when it is a good thing. How do you make an informed decision about what's good tracking for you without understanding the risks?

Photo by Drew Beamer / Unsplash

Recently my family and I took a cruise, or as I like to think of it, the sampler plate of vacations - you get to try a little bit of a number of places, just enough to decide if you'll order a full helping later. I've taken a few cruises in the past, but this one was unique in that we received medallions from the cruise company that looked suspiciously like Apple Air Tags.

Medallion image shared on a Princess Cruises website

These weren't optional, they were mandatory. They opened our cabins, they validated our identities as we boarded and disembarked, operated as "on-board credit cards," and they located us for crew (and passengers!) to find us onboard.

The experience was seductively smooth. Just approaching my cabin door unlocked it for me most of the time. I'd walk up to the bar and place my order and the staff would say my name to me, like I was getting in a ride share car, to validate who I was so they could add beers to my tab. When I was sitting somewhere by the pool, I could use the accompanying phone app to order food and drinks, which were delivered to me quickly, even if I moved before it was delivered. When I wanted to know where my party was so I could join them at a bar or at some seats they'd saved, I could consult the app which pinpointed their location and would even help me navigate the ship to find them.

Indeed, no mucking about with an NFC card. No sticking a card into a reader. No mucking about trying to find my family when we went separate ways onboard.

Authentication Tokens In All But Name

All this was lovely, but I've left out some details so far. It gets both interesting and disturbing the more I looked into it.

Pre-Cruise

Before the trip we were required to do all the things that you'd expect for international travel: we had to share our passport details with the cruise line, and share payment methodologies as well. But then there was the demand to share a "selfie" headshot. This headshot was linked to the medallion, though I didn't know that until later.

If we shared these things early enough, medallions were personalized (with our names, ship name, and cruise date printed on them) and shipped to us. If we didn't do it early enough, medallions were handed out at embarkation.

When my medallion arrived I started testing and playing with it. I soon realized it was a combination NFC and Bluetooth LE device.

They don't seem to be WiFi aware, which makes sense to me based on power considerations. There's no user-replaceable battery, so I know these things are thought of as disposable by the cruise line.

Infrastructure

So I know that any radio signal can be triangulated to identify the physical location of the sender, in all three dimensions. GPS works off of this principle, but essentially in reverse - using transmissions from multiple satellites to let a receiver determine its own location. This was clearly the primary purpose of the Bluetooth LE capability. Sure enough, almost immediately on boarding I saw the white "hockey puck" sensors all over the ship. I quickly realized they weren't for the WiFi, as I identified the Cisco APs quickly thereafter. Interestingly to me, our cabin (about 300 square feet) had two of these pucks in it - and one was in the bathroom! A guesstimate of about one sensor per 150-300 square feet is what I think we saw throughout the ship.

Roving servers and delivery people had NFC readers, as did the doorway to our room, and the staff monitoring as we got on and off ship at each stop.

In port there were some vendors along the dock area that would accept the medallions as payment devices - which did make me wonder if they were doing location tracking with those on land as well.

Use

I'll classify use cases for these tokens in two groups: useful to the passenger, and useful to the staff.

Useful to the Passenger

There were three main use cases that helped me as a passenger directly:

  • Room entry - the NFC quality meant I could tap my medallion against a door reader to enter my room, but the Bluetooth meant that the system could track me coming down the hall and unlock my room via proximity without having to stop and "tap" the NFC reader.
  • Party finding - instead of having to text/call/email/Signal/etc. my party, I could open up the accompanying phone application and simply ask where my party members were. It would get me to within about 100 square feet of my travel companions - and on the correct deck! This made finding each other by the pool, or by the bar, or wherever else extremely easy.
  • Remote ordering - in those situations where I wasn't somewhere with swarming waitstaff, ordering beverages and snacks with the assurance that they'd know exactly where I was when they delivered it was impressive.

Useful to the Staff

  • Room occupancy - our housekeeping staff knew immediately when we arrived in our room and when we left our room, every time. They were able to quickly and unobtrusively go about their business without waking us when we slept in late, and when they needed to make us aware of something they knew when to find us.
  • Attendance - they knew how long we spent at the piano bar. They know which shows we went to see in the theater, and which movies we watched on the pool deck. How many times we went to the buffet, and how much time we spent in our cabins. The power of that information to plan more interesting diversions on their cruises, and to reward popular performers and performances or replace others who weren't drawing a crowd.
  • Purchasing - every bar had tablets that would instantly show the pictures of those of us whose medallions were at the bar, allowing them to call us by name and to confidently charge our orders to our accounts. That said, a number of them still reverted to the "what's your room number" ordering method, meaning that the benefit of that proximity system wasn't good enough for them to be confident. The spa, every shop, and every restaurant was similarly able to charge us based on our medallions, whether via NFC "tap" or a combination of Bluetooth and photo verification. (Why do I consider this a benefit for them and not me? Because it is the vendor who benefits most from a smooth financial transaction; the buyer may simply choose not to buy if things don't proceed smoothly.)

Security? Privacy?

Yeah, I was not excited about the implications of this sort of tracking device. I mean, here's a device whose sole purpose is to track your coming and going from a distance (or else it would be NFC only). Here are my concerns:

Wireless Security - Bluetooth

Bluetooth LE isn't like "original Bluetooth" (now available in vanilla/chocolate swirl!) in that it uses some of the same infrastructure but has very different purposes, more suited to the "IoT" world than to high-speed data transfer. LE is what I'd call an "industrial first" solution, intended to have minimum infrastructure, high battery life, and very little actual data. In fact, the token itself may have had no more than a MAC address that just beaconed continuously, like a tag on a pallet in a factory or warehouse.

Bluetooth LE does have a robust encryption solution for transmitted data. However, if the data being transmitted is the exact same data, over and over and over again, that leads to the possibility of a brute force decryption after enough traffic has been sniffed.

Basically, these medallions are customized Air Tags or Tiles. The security and privacy implications are almost exactly the same, except those tags are expected to be associated with "things," and these medallions are associated with people - people encouraged to wear them 24x7 - even mandated to take them with us at port stops for access back onto the ship.

Just like those consumer level solutions, the medallion (I expect, assume, predict) has no "personal" information on it - just a unique identifier of the device itself. There is a database somewhere else that points to "Bill" from that data.

However, the MAC address of the token is unique, and by definition is not encrypted or obscured in any way. That means that anyone wishing to track Bill needs only determine what MAC address is associated with Bill's token. At the very least it becomes easy to identify where Bill is NOT - if his medallion's MAC address isn't beaconing he's not within a few hundred feet of your position. Like, say, if you're interested in attempting to enter his cabin.

Wireless Security - NFC

I wasn't terribly worried about the NFC security. It was either as simple as the NFC on a hotel room keycard, or as complicated as the NFC chip on a credit card. (Though again, I expect the former from a cost perspective.) NFC is far harder to interact with at distance than Bluetooth, and just like a hotel room keycard there's no "personal" data on it in most cases.

The Mobile App

Ah the app. This is where we passengers interacted with the database. And I saw one glaring privacy issue. There was the ability to look up ANY passenger on the ship by name. Yes, ~3700 of us could search the database for each other's names. The search function didn't return any results until you started typing, but still, it wouldn't take long to review the entire alphabet and retrieve every name.

Once someone found you they could request that you share location information with them, and the good news here was that you had to opt in to that sharing for each person, which I admit I was more shocked by than I should have been.

Facial Recognition

This one bothered me. I appreciate the need for facial recognition upon embarking and debarking the ship - after all, this was essentially border control. However I was disturbed by its use for things like bar purchases. This was something I had NOT opted into, and I did not find an easy way to opt out.

What About After the Cruise?

This is the largest security and privacy question I have about this whole process - what becomes of the data in the database, and what becomes of the medallion with its traceable beacon and such?

I mean, I know what to do with the device itself...

I've air-gapped the antenna from the circuit from the battery. That should do it!

But what of my data in that database? What of my photo? What of my payment data? Unfortunately that is out of my hands, and I essentially have to hope the company takes good care of that data - preferably deleting as much of it as is allowed by law (I'm sure that they have to keep some records for Immigration and Border Control purposes).

So What's the Message?

Honestly, this tracking was pretty benign as tracking goes. It is as anonymous as any Tile or AirTag, and the issue here was three-fold:

  1. Who can track me based on the MAC address of the beaconing medallion via Bluetooth LE?
  2. How safe is the database storing the "real" data that my medallion is the key for?
  3. Who had access to the database AND tracking infrastructure on land/off-ship?

But that's just this instance and this cruise. It turns out you can be tracked this way via nearly any wireless device you carry with you. And you are. Yes, you.

WiFi Scanning Tracking

Your cell phone undoubtedly has the ability to connect to WiFi networks. You probably even have a setting that will allow it to try to automatically connect to unencrypted WiFi networks (you really want to turn that off). When your phone is somewhere and not connected to a network it continuously searches to see if there's a network it knows nearby. In doing so it broadcasts a unique MAC address, similar to how the Bluetooth LE tracking tokens we've been discussing do.

In the 2010s, retailers started using this capability to track customers inside their stores. That MAC address was a unique identifier and could tell them if you had spent 20 minutes in the shoe department and then went over to bedding or "big and tall." Fortunately, both Apple and Google implemented MAC randomization capabilities that change the MAC address every few minutes until you are actually connected to a WiFi network, relatively thoroughly eliminating this issue - at least for iOS and Android devices; other mobile devices may not have this built-in protection. However, if you DO connect to a store's WiFi network, you need to know that your position can be tracked throughout your in-store experience.
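The two claims above - that the medallion's MAC address is a fixed, unobscured identifier (Wireless Security - Bluetooth) and that phones now randomize their WiFi MAC (this section) - can both be checked from the address bits alone. This is an added example written for this post, not the cruise line's or any vendor's code; the sightings are constructed, and `random_flag` stands in for the TxAdd bit that a real Bluetooth LE sniffer reports alongside the address.

```python
"""Is an over-the-air address a stable identifier or a rotating one?
Constructed example for this post; not the cruise line's or any vendor's code."""
from typing import List, Tuple

def parse_mac(text: str) -> bytes:
    """Accept 'AA:BB:CC:DD:EE:FF', 'AA-BB-...', or bare hex; return 6 raw bytes."""
    raw = bytes.fromhex(text.strip().replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit address: {text!r}")
    return raw

def classify_ble(addr: str, random_flag: bool) -> Tuple[bool, str]:
    """Bluetooth LE. random_flag mirrors the TxAdd bit of the advertising PDU
    header (False = public address, True = random address). For random
    addresses the two top bits of the first octet give the sub-type."""
    top = parse_mac(addr)[0] >> 6
    if not random_flag:
        return True, "public: IEEE-assigned, never changes"
    if top == 0b11:
        return True, "static random: fixed until power cycle"
    if top == 0b01:
        return False, "resolvable private: rotates; only an IRK holder can link it"
    if top == 0b00:
        return False, "non-resolvable private: rotates; not linkable"
    raise ValueError(f"{addr}: reserved random-address type (top bits 10)")

def classify_wifi(addr: str) -> Tuple[bool, str]:
    """802.11 station address. Bit 0 of the first octet is the group bit;
    bit 1 is the locally-administered bit that randomized MACs set."""
    first = parse_mac(addr)[0]
    if first & 0x01:
        raise ValueError(f"{addr}: group/multicast address, not a station")
    if first & 0x02:
        return False, "locally administered: randomized, typically per network"
    return True, "universally administered: burned-in OUI, never changes"

# Constructed sightings: (radio, address, random_flag). The tag row mimics a
# beacon that never rotates; the phone rows mimic a current iOS/Android handset.
SIGHTINGS = [
    ("ble",  "C0:11:22:33:44:55", True),   # tag: static random address
    ("ble",  "5A:8F:03:C4:21:9E", True),   # phone: resolvable private address
    ("wifi", "DA:A1:19:42:00:01", None),   # phone probing with a random MAC
    ("wifi", "3C:22:FB:42:00:01", None),   # laptop probing with its real MAC
]

def stable_identifiers(sightings) -> List[str]:
    """Addresses that behave like the medallion: fixed, so followable over time."""
    out = []
    for radio, addr, flag in sightings:
        stable, _ = classify_ble(addr, flag) if radio == "ble" else classify_wifi(addr)
        if stable:
            out.append(addr)
    return out
```

Run `stable_identifiers(SIGHTINGS)` on your own device's addresses (Settings shows them on most phones) to see which radios you carry are announcing a fixed identifier and which are rotating.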

PS: if you think this sort of WiFi scanning and tracking was limited to retail stores I have a bridge to sell you.

App Based Tracking

This kind of tracking is one of the most insidious. Depending on the permissions you allow your app to have, it may have full access to your location, as well as to things like your network interface. So if you have your "valued customer" app on your phone (perhaps not even officially "running") and you're in their store that has WiFi access points, yes, you could be getting physically tracked. Apps can track you through Bluetooth beacons as well, if the app has access to that information.

Because of that I strongly recommend being parsimonious with your decisions to install apps for everything. If you can successfully interact via a mobile webpage instead, that can carry significantly fewer privacy concerns than using a dedicated app for everything from your pharmacy to your box-office ticket solution to your favorite social media site, especially if you're using a privacy-focused browser.

Choosing a Place Between Paranoia and Blissful Ignorance

This is the difficult thing about these sorts of solutions. On the one hand it is absolutely wonderful that I can get my beer brought to me at any time onboard. On the other hand, that means that anybody with access to the tracking system knows where I am all the time, and who else is with me. Many of the conveniences we take for granted come with the risk of tracking and a lack of privacy and security associated with that. Even license plates when combined with OCR cameras and a database of vehicle information can be used as a tracking mechanism. Obviously there is value in at least some of these risks or we wouldn't take the risks.

The danger, to me, is in taking these risks without realizing what they are. Without understanding the risks, the benefits always seem worth the risk - the blissful ignorance side of the equation, where I contend many of us operate. Yet I won't tell you to destroy your phone and hide in a Faraday cage for the rest of your life either - paranoia is not helpful.

So let's look at some practical suggestions:

  1. Limit the apps you install on your mobile device, and limit the permissions you grant to the ones you do install. Use mobile web-pages with a privacy focused web-browser like the DuckDuckGo mobile app to minimize the tracking those webpages can do.
  2. Understand what trackers like this one, Tile, AirTag, and others do and can be used for. Choose how you use them based on that understanding, including perhaps removing the battery when you're not actually using them, and disposing of them when you're finished using them - you don't have to destroy them like I did, but getting them to your local electronics recycling right away is a good choice. (I wish the cruise had a "drop your medallions for recycling here" on the way off the ship)
  3. If you're in a situation where being tracked would be detrimental to you - such as at a protest or similar event - know how to disable ALL signals to and from your devices or leave them at home. Cellular, WiFi, Bluetooth and any other signals can be used to identify your location by organizations with enough resources and the willingness to use it. The EFF has excellent guidance for this scenario (and others).
  4. Choose your own place between paranoia and ignorance. Congratulations! By reading this far you can't say you're ignorant any longer. But the hard work is still to come, both choosing your level of risk/comfort and then using that to make informed decisions about how you manage your trackability.

💡
Whenever I make product recommendations or endorsements please remember that I have no financial ties to the products, solutions, or companies mentioned unless I've explicitly said otherwise. My recommendations are based on my personal experience and may not meet your needs specifically. Make your own choice based on your own needs, but you could do worse than starting with the recommendations I've made.
💡
Particular companies and brands were mentioned in this blog. I have no financial relationship with any of them, and merely mentioning them should not be construed as endorsing them or their products. Please, make your own decisions based on your own needs and research.