I find this paper's title "surveilling the masses ..." not fitting for the (nevertheless important) findings in this paper. While "mass surveillance" is an ambiguous term, it invokes images of "this method allows wiretapping/reading society's private conversations, and/or pinpointing everybody's precise location in real-time".
But actually, the findings are:
"this method can be leveraged as an additional statistical proxy for population movement and infrastructure outages/destruction;
By taking several assumptions (e.g. BSSID not spoofed; BSSID is seen by some smartphone; BSSID of to-be-surveilled target is known; BSSID is actually used by target and not sold/handed to someone else; target is close to BSSID; BSSID is on; etc.), an individual's historical and possibly current whereabouts may be revealed".
"The central goal of the attacker we consider is to gather location and movement data about a large number of devices, either globally or pertaining to a specific region of interest."
It remains to be seen to me what information is really being gathered here that wasn't already available. If you want to know where people are, geographic population demographics and residential density data is generally publicly available in most places. If you want to know where they're moving to, vehicular traffic, bus and train ridership, and airline ticket sales are also public knowledge.
This is simply providing another way to say "humans who connect to WiFi networks exist here, here, and here, and move to here, here, and here." Without knowing who actually owns and uses each device, it's hard to see how you can really call this mass surveillance, which typically implies the leakage of information that people expected to be private. The fact that my residential address has a WiFi access point in it does not seem to me to be private information. I can readily guess with at least 99% accuracy that every residential and business address in existence with visible furnishing, decoration, regular cleaning, trash outside, or any other sign of human occupancy, has a WiFi access point attached to it.
The threat they mention of intimate partner abuse and stalking whereby an attacker knows a specific person's MAC address and is able to track them if they move but retain the same device is a more obviously real concern, but easily mitigated by simply not retaining the same WiFi access point when you move to a new residential address.
My critique is not about the paper _content_, it is about the paper _title_, which currently (arXiv:2405.14975v1) verbatim is: "Surveilling the Masses with Wi-Fi-Based Positioning Systems".
Understand it as a minor pet peeve on my side that I would prefer a less sensational, better disambiguated title in order for the paper to express its content and significance. After all, it's arxiv.org, and possibly a preprint open for feedback.