Privacy @lemmy.ml

1y ago

Usually connect to Walmart's WiFi but they changed their policy I guess, won't be doing that now...

228 comments

I created an account while in the store with an email of fuckyou@thisisstupid.com and a basic password and surprisingly didn't have to verify the email. Then turned on a VPN to my house.
I plan on just creating a new account every time I go in just to fill up their database with nonsense.
- GIGO (Garbage in, garbage out) is the correct way to deal with the surveillance system.
  
  This makes me feel a lot better about ChatGPT garbage corrupting Google search results.
  
  Fun fact: Android developer options has a Disabled Persistent Mac address randomization toggle. Or at least Pixel phones do
- Cool, is samwaltoncaneatabagofdicks@inhell.com still available?
  
  It is not. You need to add a number at the end.
  
  inhell.info is available and Postfix is a thing.
- You do realize that they are actually tracking the device itself by the hardware MAC address and other device fingerprints.
  The email is just a bonus to let them legally spam you. Anti-spam laws have an exemption. If there's a prior business relationship like shopping in their stores, they can put you on their spam list unless you opt out.
  Bogus email only helps for spam but doesn't do anything about tracking.
  EDIT: For Android when there's a Captive Portal like the screen shot. devices will use Persistent randomization which while not the hardware MAC will remain the same for the same network where they can track your visits.
  
  Pretty much all modern phones randomize the MAC address everytime they connect to a network unless the user explicitly says not to do that.
  
  GrapheneOS let's me do a per-connection randomized MAC.
  I'm sure they do collect a lot more about my device, but there's not much I can do about it short of wrapping my phone in tin foil.
- Don't forget to spoof your MAC address so they cant see who is making the fake accounts ;D
  
  That's done automatically on mobile devices
- This is the way. Fuck them.
- Not Walmart, not wifi but my default is gfy.com

I think the point of this post is all the stuff below the email field. Yikes.
- That data isn't nothing, either. Over ten years ago, Target was able to use shoppers habits to determine when women were pregnant, sometimes even before the women knew.
  https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html
  Imagine how much more robust this has gotten 10 years later.
  
  Exactly, a damn good reason to avoid the Wi-Fi in stores altogether. So many wifi access points are super weak in security and super sketchy.
  I try sticking to my home where I can manage it like a nervous hawk.
  
  This is a fantastic read.
  I remember febreeze coming out and being like, that would be cool but you can't trust ads and it sounds like total BS. I knew they added a scent, but I had not idea about the subtle social manipulation that they used to shift people's habits.
  Speaking of habits, this is the first time I have heard about all the science involved in studying and breaking them.
  Thank you for that link. Definitely going to save it.
  
  Now they can tell when women are pregnant before they even have sex.
  
  Would using a VPN remedy this?
- Bub, they always did this.
  They just tell you that they're doing it now.
  
  I was responding to all the people who said "just use a fake email," bub...
  
  Well now they can legally use that data since you now have to agree to the terms.

At least they're telling you. There's also a lot of hidden surveillance in stores - they've done it with Bluetooth and cameras for some time. Things like monitoring how long you look at products and evaluating your reactions to displays.
- That's why I always introduce a good bit of entropy to my shopping patterns:
  Enter and go straight to produce
  Spend 20 minutes examining eggplants
  Walk up and down 5 aisles pausing exactly the square of the aisle number in seconds.
  Grab a box of tampons
  Grab what I need as quickly as possible
  Return tampons
  Checkout and leave
  Somewhere a marketing team is spending hours trying to figure out how to improve the conversion rates for tampons and eggplants for customers in my demo.
  
  Don't forget to flick and knock on various fruits and vegetables. Randomize how many flicks/knocks per item, and throw in a few on produce items that normally don't get that kind of test e.g. grapes or potatoes.
  
  Don't forget to be visibly revolted by any ads you happen to glance at
- At least they're telling you.
  Now there telling you. They just didn't ask for consent before.
  
  That's what I mean.

In the EU they already had a complaint, because it violates GDPR, but in any case I would never use a public WiFi without a VPN, and even less in places with these conditions, there is also free WiFi in some Rstaurants (even in most McDonalds), public Libraries and others. Fuck surveillance advertising
- There's just no reason to unless you are really skimping on phone data. Random wifi hotspots are one of the most dangerous things for an average joe in terms of infosec.
- Agreed. My iPhone connects to my home VPN via Wireguard as soon as I leave my home WiFi. Has the added benefit of pihole ad filtering everywhere.
  
  Have you experienced any downsides to using pi hole? Does anything stop working?
  
  Wireguard and PiHole combo is such a blessing.
  
  So the first thing you give any sketchy WiFi is your home address?
- I have seen it on Europe... maybe there was some way to circumvent it hidden away, not sure. But you could type a random email and that's it, like they don't send anything to confirm the email or anything once you submit you have access to internet.
  
  Better to send a disposable mail, where yo can receive the log data before it expired.
  eg
  https://maildrop.cc
  https://altmails.com
  https://www.disposablemail.com
  https://www.lazyinbox.com/#/
  https://www.guerrillamail.com
  etc
- Went to a Walmart the other day and my phone automatically connected to a wifi that was apparently hosted by my cell carrier. Immediately turned on my VPN because wtf. I disconnected at first then realized I didn't have any service at all which was probably why it existed. Thankfully didn't need to log in but that's why I have Firefox relay.
- I was about to say.... Isn't using public wifi's extremely dangerous?
  
  Yes, because of this using an public WiFi without VPN is a no-go
- They seem to explain pretty well how your data will be used, why would this violate GDPR?
  
  No way to opt out?
  
  I might be wrong but i think it is because they don't give you the option to opt out and use the wifi.
- Right, and this Walmart in Europe would be where exactly?
  
  https://storelocator.asda.com/directory
  Asda is Walmart
  
  AFAIK it does not exist in Europe, but I meant that these conditions in the EU would not be tolerated. Maybe because of this there isn't a Walmart in the EU, there are a lot of Malls from other companies and none of these use this practices in their restaurants, mostly with free WiFi for their visitors. Offering free WiFi is already enough of a benefit for them, because it attracts customers, they do not need to intrude on their privacy with an obvious attempt to spam them and make money with their data.

Why would anyone interested in privacy connect to any public WiFi? That's crazy.
- When you need service, but data is blocked by all the steel in the ceiling/roof. I've used it, but with my VPN active. I wonder if they're now going to try to block VPN services?
  
  Just VPN to your home network. What are they going to do, block every IP but theirs?

More like "we were doing this before, but now we have to tell you we are doing it".

Why are all you mother fuckers shopping at Walmart. They are a welfare corporation offloading their costs to tax payers because despite making tons of money they pay shit and skirt employee benefits laws by keeping worker hours low and give new employees info on how to get financial aid such as food stamps.
- This is the most privileged thing you could say.
  "Hey, why isn't everyone eating sustainably sourced GMO-free, organic, locally-grown food all the time?"
  Spoiler alert: it costs more
  
  Yeah, this is the thing. Does literally anyone want to go to Walmart? No. Is it the place I can afford? Increasingly, still no. Not sure I can even afford to walk past whatever the good version of a Whole Foods is today, though.
  
  Haha exactly. People shop at Walmart because they work at target and don't make enough money to shop at Whole Foods.
- Cause WinCo doesn't always have what I need, but most importantly:
  I'm poor.
- A lot of people in rural areas find themselves in situations like being 10 minutes from a walmart and an hour from any other option. So then anything besides walmart costs gas and time, on top of the product cost difference to begin with.
  Nobody wants to drive extra after 8 hours of shitty minimum wage work and/or taking care of children.
  Not like other grocery stores are any good for workers, either.
- I needed a job, alright. I usually shop at hannaford although it's expensive. I wanna farm someday.
- Because all of the other retailers do the same shit only with higher prices. Here in Canada they don't pay their employees any less than the competition, yet their prices are 30-40% cheaper on average.
  That extra 40% doesn't result in better working conditions for the employees, it goes directly to the shareholders and bonuses for the C-suite.
  I respect the hell out of Walmart because they actually keep their price increases tied to inflation and aren't out there trying to sell a loaf of poverty white bread for $5 or a pack of 4 chicken breasts for $37.
  
  I got some insight from a friend who works at a major supplier for these retail stores in Canada. He said how they manage prices is that when they anticipate a rise in cost they'll jack the price all the way to a future projected target instead of following the current inflationary rate so that they won't need to constantly quote their customers different prices. They don't care because they know it will get passed downstream.

Fake email and vpn = Free private connection
- You dont even have to type a real email it doesn't verify anything. Just something@somewhere.xxx
  
  The amount of success I’ve had with optout@businessdomain.tld is unreal
  
  I usually do thepresident@whitehouse.gov
  Works most of the time.
  
  I sincerely hope no one has the email test@testtesttest.com because ohhhhh boy have they been getting some emails.
- Pedantic but
  vpn free
  Boy I hope not
  
  I’d like to hope they mean the VPN they pay for for other… uses. So it’s no extra money, cuz they already are using it at home to download Overwatch VR Porn.
  
  There was an equal sign in between those words. Idk if it's visible on your end but I see it on mine. That being said, the only free vpn I would use is protonvpn. Downside is it's slow and unstable due to using a free plan.
- I use https://temp-mail.org/en/ when signing up for one time stuff
  
  Yeah I use simplelogin but for stuff I don't care about like this I'd probably use that or spam keyboard for fake email

For the email, you can use an email alias service like Addy or SimpleLogin. They're both open-source and offer free tiers. I never give out my real email to anyone now except actual contacts.
After that, I think a VPN would probably still work to disguise what you're doing from Walmart, but I'm not a 100% certain on that so I won't link any.
But yeah, definitely use email alias wherever you can.
- Do you do that with utility companies and bills?
  
  I do.
  I use SimpleLogin and ProtonMail.
  Some sites have I’ll actually know you’re using SimpleLogin though and just say no, but they’re few and far between.
  You could also use your own domain if you have one or buy a cheap one.
  Then you can create as many as you like and just kill them as and when you need.
  SimpleLogin has plugins for all browsers and phones so it’s not too difficult to create new addresses.
  
  I do and it works great! I mostly did this to limit the blast radius of breaches, but aliases also provide an easy way to send those kinds of things to both me and my spouse.
  
  I do it with everything. The only people who have my real email address are my family. Everything else is a masked email. It's especially nice because if I start getting spam on one email I can immediately tell which site sold my info and I never use that site again.

Walmart, the biggest grocery retailer in the entire United States, uses face tracking in the majority of their stores in several sections, and we’re concerned about their Wi-Fi?
The Wi-Fi seems like such a minor problem compared to them collecting massive amounts of data off of something you aren’t consenting to explicitly.
Like you walk into their stores and they can know: How often you visit, what items you buy, what payment method you use most often, what items you looked at and what aisles you visit, who you bring with you, what your kids look like, what disabilities you may have, size of your household, and whatever else they want. There’s basically no respect for any privacy in their stores.
The US is a privacy nightmare in competition with China. Most of the US doesn’t have any option over their privacy. You just don’t get it here.
- It's even worse as an associate. They make us sign up for some social media I never use, download apps on our phones, and make us give them our handprints for a machine to take out our tills. And we're getting face scanned by cameras all day. Dystopian nightmare and it makes me feel ashamed to have accepted the job here.
  I use GOS and therefore believe that I have some level of protection on the WiFi level based off of that, and I have their apps on a separate profile but it's getting tougher on privacy here at Walmart.
  Edit: That's also why I have no pictures of me in my socials and deleted my Facebook, Instagram, and twitter, so they shouldn't have too many ways to market to me aside through my debit and credit cards possibly.
  
  Revoke the data privileges of the app on your phone. That will effectively neuter it, while you can show them it's there.

Your phone simply being in the store with Wi-Fi enabled makes you personally identifiable. A request for your email when they have your location, shopping habits, taste in electronics, estimated address, browsing habits, and your full appearance isn't shocking. That no one has pointed this out yet is a bit eye opening.
- Mac address randomization has been enabled by default since Android 10. I would assume iPhone does something similar.
  
  Oh, ok. Thanks for linking it! :)
  
  iOS requires each network to individually be randomized, there’s no singular setting, unfortunately.
  
  Per-network, though, not per-connection.
- That was an interesting read. Didn't know stores were doing that.

Not sure about this Walmart case but most you can write any email like random letters a@gmail.com or not even the Gmail part as long as it's a valid looking mail and then works like you don't even have to confirm the email or anything.
- my goto is go.fuckyourself@leavemealone.net
  
  I like steve@yahoo.com
  If he was lucky or early enough to get a single name email then I'm sure they can handle some spam emails or get an email full of numbers like the rest of us
- this is incorrect for the walmart case, next step is the password for the account, so you need to login or create a Walmart account for access
  
  Oh yeah I see I mis read the prompt, I thought it was going with a enter you mail as alternative to using an account.

Expecting privacy on someone else's network is absurd.

Never trust an open network. Even if the company providing isn't doing anything shady, the easy at which MITM (man in the middle) attacked, can be performed means that many insecure (and some secure) networks can be spoofed with a small amount of know-how.
Always make sure your connecting to a safe, secure wifi network, in a place where you expect that network to exist at.
If your phone connects in a place you wouldn't expect it to connect, double check what it's connecting to, and if necessary, disable your wifi.
- How would they do man in the middle attacks? Don't you need to trust their certificate first?
  
  That mechanism only happens after you connect to it, you have to connect to the wifi in order to download the certificate to connect. And it doesn't apply to all open WI-FI. A someone can still spoof the wifi. The fun part is when they set up their own false "I agree to the usage" pop up page that just steals your data - standardised systems like this are easily spoofed, especially when it comes to open and insecure wifi. They could even send you a bogus certificate that routes all the traffic through their gateway, allowing them to spy on the secure connections.

You do realize they were almost certainly doing this before, right?
- More of shock value of them announcing it and requiring an email now.
  
  Damn now I have to put in my real email! noooooo I don't know how to avoid this only real emails work?

it's not like they weren't doing this before

They can track you even if you dont accept. Turn Wifi off. If you connect, use VPN home.
- They can use your wifi signal as a beacon by triangulating the signal strength from at least 3 different points. Then they can figure out in which departments you spend the most time, how long you spend in store, heatmaps, which aisles you skip and generic info like what time you visit, which locations you also shop at.
  A quick google for "Retail Wifi tracking" brings up mirame.net , where you can see some of the features.
  I would suggest to set your phone to flight mode if you see a "free wifi" sign in your shopping mall.
  
  I fucking hate technology, man. I want to go to the 1800's and give the luddites C4.

Please, think about the improved products and services before making any rash decisions.

I always give some bs emails in those authentication forms. Mainly because as a client who tries to connect, I do not have internet access, so I cannot verify my email before they give me the access. And when they gave me access, there is no power in the world to make me do that 🤷
- I used to spoof my MAC to connect to Xfinity Wifi hot spots. I would give them emails like "eet4dickComcrap@gmail.com"
  
  I found a script for bypassing captive portals on Linux back in the day...
  The full functionality of how it works escapes me at the moment, but essentially it searches the network for a host that possibly already connected through the captive portal and spoofs their MAC address.
  This isn't the one I originally found, but its the same principal and a Kali tool, so it may be considered more secure than the original bash script I copied back in the day:
  https://en.kali.tools/?p=724
  
  Android automatically spoofs your MAC for every network and regularly changes it for each one too unless you explicitly disable that after connecting.
  Makes static DHCP leases a PITA.
- https://temp-mail.org/en/

I am so happy to live in Sweden. All open WiFi networks here are free to use and requires no email or account (VPN recommended as always, though). Even at grocery stores.
- That's generally true in the US as well. That's why people are so outraged by this.
  
  Lol, I'm jealous. Pretty much all public WiFi requires login in the UK.
  
  So Walmart has done it again, huh?
  
  It was very easy to get free WiFi in the US compared to most EU countries I've been in. But here in the EU at least I have cheap data so it's not all bad.
  
  This might be anecdotal tbh. I am in the US and I run into captive portals all the freaking time. It's so annoying.

Try luck with throwaway email + VPN. Although it's possible they'll still be able to identity you if you're the only one using that VPN on your local Walmart. At least they won't be able to see your traffic.

Sometimes these login portals accept any old bogus email or burner account. They were logging your IP anyway so realistically doesnt add any more compromised dafa
- I'm gonna assume that by IP you mean MAC address because your IP is something that gets negotiated with the AP when you connect, changes every time you connect and can't really be linked back to your device at a public AP. In that case, the right move is to enable MAC randomization and connect through a VPN if you need to hide who you're talking to or just rely on TLS if you don't care that they know who you're talking to and only need to hide what was said.
  
  You can also set randomized MAC addresses in your wifi settings
  
  Yup, meant MAC/other hardware info lol

relay.firefox.com
Brilliant service and add a VON om top it will make it no sweat.

I've never agreed to this, but I might be on Walmart Wi-Fi from a long time ago. Once recently shopping at Walmart in person I got an email to my account saying something really creepy like, "rate your in store purchases" and sent me pictures of each item I bought IN STORE with an invitation to rate each. Also included my real name. This isn't even the email I use for my online pickup orders.
- Don't all stores do this, particularly those with membership cards? Isn't one of the main reasons for these cards to track your purchases in exchange for discounts, besides fostering loyalty? All major stores in my area operate like this. If you use scan-and-pay with a smartphone or another device, joining their membership program is mandatory. They monitor what, when, and where you buy, and sometimes even why. I don't understand why this surprises some people.
  
  Walmart is not a membership store. I never scanned a membership card, or put in any code or anything. I walked in with my child, browsed around a little bit, ended up purchasing a water gun and some potted flowers, paid at the self-scan, and walked out. I did use a debit card, but that card shouldn't even be connected with the old account that I got an email for, as the card is years newer than the account.

Have you tried using any email? Literal example:
it@walmart.com
Somw setups don't validate much
- Have you tried reading all the stuff below the email field?
  
  I have. They don't need your email to do it. In fact, they've been doing it forever. Your phone is a bt and wifi beacon.
  My comment was to literally try helping op get at least some use out of their predatory behaviour.

Imo, this is part of the problem with lack of privacy in today's world.
People will accept this more than not, without a second thought. This leads to the taking of a little bit more until one day you are left wondering where your privacy went.
Again, this is just my humble opinion.
- And the poorer people find themselves having to trade their privacy for access to technology.

Not only were they already collecting that information, they likely are collecting information about your position in the store from wifi positioning.

Many people here suggesting a throwaway email and/or VPN. While this does migitate the impact somewhat, the only proper response is to not use their "service" and deactivate the WiFi fo your phone (else they might be tracking your MAC address).
- Android randomizes Mac by default.
- Walmart has an interesting app where if you're connected to their wifi then the app "transforms" to tell you what's in stock in the store you're connected to. I wish they'd just do something like Home Depot where the site just tells you if X location has an item or not, but alas.
  
  Wait, do they not do that anymore? I used to be able to search on their website for an item and it wold tell me if it's in stock at the store I selected and the aisle it's in if they have it.

Yeah, you can pretty much assume that any random Wi-Fi asking for that information is already doing that. My local mall has one that will accept any old email but it certainly looks like this one wants you to create an actual Walmart account.

From personal experience I've found that an OpenVPN connection routed over port 53 (same as DNS) bypasses their signin screen entirely.
Of course it's been months since I last tried since I rarely go into the store and don't have reception issues when I do. Could be they've patched it since. Still worth a shot.
- Now I have to imagine you standing in the store scanning ports just to get somewhat usable Wi-Fi :)
  
  This may or may not have actually happened.
  ...okay it totally did.

quick vpn over tor and firewall https://f-droid.org/en/packages/pan.alexander.tordnscrypt.stable/

In my experience you can type any vaguely email-like string there.
Agshfjfbsksns@jfjfdjjs.uej
Or something.
- I like fake@example.com

Well that's just plain invasive. I'll make sure to take myself off of their network next time I'm there.

Have you tried using Tor? Sometimes it works.
Why can't you use cell service?
- 2 GB data limit, need a different provider honestly...

It sounds to me like they are developing some tools to help map things inside the store. So they can give you directions to things you are looking for maybe. Also with this information they could do something similar to those Amazon stores where you just pick things up and walk out and it charges you automatically.
Not saying you all want to share the info with them. It is invasive. But as an engineer I can see so many cool features I could build with this information.

Junk email + VPN, but I've found that most free wifi services like this explicitly try to inhibit the functionality of mobile VPN clients.
- The irony being open wifi like this absolutely need a vpn running

People that make systems like these are not scared of those that stop using em. What they fear is getting information wrong or spam. Using these facts you can then adjust to the changes.

Temp-mail.org

This is messed up.

You can just make up some e-mail as, without internet, you couldn't verify it. Also one of the rare cases where VPN directly improve your privacy.

i'm pretty lucky to have unlimited data included with my phone plan. i would 100% have been hacked by now. public wifi is scary.
- That's great, unless the store you're in is a giant concrete bunker.
  Mobile data barely works in my neighbourhood supermarket; even text-based communication is frequently dicey, but you want to send someone a photo of something as a "should I buy this"? Fuhgeddaboudit.
  
  Then buy it, or come back later.
  Why open yourself up to all the nasty of public WiFi for that?
  Either you're buying something cheap, so just do it. Or it's something expensive, and in that case a simple quick message isn't really enough. Go out to the parking lot and talk about it, or come back later.

At nearly any gas station in NRW, Germany it's this way as well and I absolutely hate it.

just use a throwaway private email?

Ah, America, where public wifi is still a thing because they don't have mobile data.
- don't have mobile data? wym lmao
  
  I mean they either have limits so low they have to use public wifi or coverage so weak it's unusable. Which aren't a thing where I live.

228 comments