• Project Overview: The author developed "Bluehood," a Python-based Bluetooth scanner, to demonstrate the extensive metadata leaked by devices merely by having Bluetooth enabled.
• Motivation: Triggered by a critical vulnerability (WhisperPair CVE-2025-36911) and a desire to visualize invisible digital footprints, the project highlights how "invisible" signals compromise privacy.
• What Bluetooth Reveals About Users: By monitoring signals passively, the author could determine:
  • Delivery Logistics: Exact arrival times of delivery vehicles and whether the same driver visits repeatedly.
  • Daily Routines: The specific daily patterns of neighbors based on their phone and wearable broadcasts.
  • Device Associations: Which devices belong to the same person (e.g., a specific phone moving in tandem with a specific smartwatch).
  • Occupancy & Location: Exact times people are home, at work, or elsewhere.
  • Security Vulnerabilities: Periods when a house is typically empty.
  • Social Patterns: Regular visitors (e.g., someone visiting every Thursday afternoon).
  • Employment Indicators: Patterns that suggest specific work types, such as shift work.
  • Family Schedules: Specific times children return home from school.
  • Consumer Habits: Which households share the same delivery drivers, implying similar shopping preferences.
  • Incident Evidence: Retrospective logs of who was present (passersby, dog walkers) during specific events like property damage.
• Uncontrollable Broadcasts:
  • Many devices broadcast continuously without user recourse, including medical implants (pacemakers, hearing aids), modern vehicles, and smart home tech.
  • Privacy tools like Briar or BitChat require Bluetooth for off-grid mesh networking, creating a paradox where privacy tools necessitate privacy leaks.
• Technical Functionality:
  • Bluehood uses passive scanning to identify vendors and device types without connecting.
  • It analyzes patterns (heatmaps, dwell times) and filters out randomized MAC addresses to focus on persistent tracking.

Hacker News Discussion

• Ubiquitous Tracking: Commenters confirmed that similar tracking is common in retail (using iBeacons to track shoppers to specific shelves) and via vehicle sensors (TPMS in tires broadcasting unique IDs).
• WiFi vs. Bluetooth: Users noted that WiFi signals from cars (often named "Audi", "Tesla", etc.) are just as leaky as Bluetooth, allowing for easy "wardriving" profiles.
• Medical Privacy: Significant concern was raised regarding medical devices (like CPAP machines) that broadcast 24/7, often to satisfy insurance requirements, with no way for the patient to disable the radio.
• Mitigation Strategies:
  • OS Features: GrapheneOS and recent Android versions offer settings to automatically turn off Bluetooth after a period of inactivity.
  • iOS Limitations: Apple users noted it is harder to keep Bluetooth permanently off without diving into settings or using Shortcuts, as the Control Center toggles are temporary.
• Legal Context: Several users pointed out that while such tracking is rampant in some regions, it is strictly regulated or forbidden in the EU without explicit consent.

• Companies aggressively push app downloads, especially in places like Taiwan, offering discounts but often installing without full consent, leading to spam and unwanted data collection.
• Avoid handing over your phone to staff and never download apps, as they provide minimal benefits compared to the risks involved.
• Primary risks include surveillance capitalism: apps enable extensive data tracking for targeted ads and "surveillance pricing," where prices vary based on inferred financial status (e.g., charging more after payday).
• This undermines fair pricing, giving corporations power over individual costs beyond market forces.
• Apps enforce binding arbitration clauses in Terms of Service, waiving rights to court, jury trials, or oversight; examples include Disney attempting to force arbitration in a wrongful death case linked to a Disney+ trial.
• Predictions highlight future abuses, like arbitration forced via unrelated services (e.g., Uber Eats leading to self-driving car disputes).
• Recommendation: Use websites or PWAs instead to preserve privacy and rights.

Hacker News Discussion

• Users debate apps vs. websites/PWAs: many praise PWAs (e.g., Mastodon, Photoprism) for performance when implemented well, criticizing poor web apps and noting apps often wrap webviews with extra tracking.
• Privacy concerns dominate: native apps access more device data (contacts, SMS, biometrics, etc.) even with permissions, unlike sandboxed PWAs; tools like NetGuard suggested for blocking app internet access.
• Loyalty discounts viewed as modern coupons by some, saving money despite data sharing, but others warn of surveillance pricing via purchase patterns and arbitration risks.
• Experiences shared: retailers reject Apple Pay to force accounts; global pushiness for apps noted; arbitrage limits price discrimination viability.
• Calls for better OS controls, open-source apps without tracking, and skepticism of app store security.

Nice succinct statement on the issue.