Re: [Mesh] Alternative look on localization in mesh (was: Fwd: [Commotion-discuss] Seattle Police mesh network for surveillance?)

Police, govt, and other evil adversaries are free to setup their own hardware, their own mesh, the idea is not to prevent this but to prevent the use of good mesh networks for evil. I want to give more thought to this subject sometime in the near future but for now this is what I have... The major concern here (as I see it) is the persistence of MAC addresses. The average user does not know how to change their MAC address and in the case of most mobile devices it is not possible to change the MAC address. We can ensure that IP addresses are cycled frequent enough because we'll have control over a majority of the DHCP servers on the mesh so I'll be focusing on MAC addresses. In any local network a MAC address can be associated with network traffic, the obvious solution here is to use encryption. The problem with MAC addresses in a mesh network is that they could also be associated with a location. On any layer 2 network it is possible for any connected host to determine the route to any other host using a MAC address as an identifier. Because mesh nodes have a fixed (and likely known) physical location it can be assumed that the last hop in the route corresponds to the physical location of the specific host. It is important to realize that only mesh nodes (access points) have *potential* knowledge of signal strength and other 802.11 broadcast type frames-- sure Oakland PD can setup a device to listen to all 802.11 traffic, but remember we're only focusing on how existing hardware can be abused. So, one host *cannot* triangulate the location of another host. *From the perspective of a host on the mesh, a host can only be connected to one mesh node or disconnected from the network.* In the context of physical location, the privacy of a host on the mesh is a function of the area covered by the mesh node it is connected to. To increase user privacy I would like to experiment with a MAC address spoofing service that could run on mesh nodes or volunteer hosts. The service would basically pretend to be just another host on the network identified by some MAC address. The service could intelligently spawn fake hosts depending on the number of other hosts connected to the shared mesh node. Mesh nodes with fewer connected hosts need more spoofed hosts to increase privacy, etc. But it is not that simple of course, because spoofed MAC addresses need to persist just as legitimate MAC addresses do, and move about in the physical world (connect to different mesh nodes) just as other legitimate users will. I've thought some of this through but it is a large undertaking that needs further planning. Another thing to keep in mind is that although MAC addresses could be used as a persistent identifier *they alone do not represent any identity.* It is not until an adversary obtains additional information that a MAC address could be used to identify an individual person. Not to say the surveillance of pseudo-anonymous individual and group movement is negligible, just pointing this out. In conclusion (for now) by keeping our software and build processes open we can convince reasonable users that it is not possible for us to track them with more than neighborhood level accuracy. If we go further and deploy something like the MAC spoofing service it could be possible to extend this guarantee further. I think it is also likely that this MAC spoofing service could be designed to prevent/degrade 802.11 style surveillance by hardware outside our control.