WiFi Whisperer at Moogfest 2016
In his art installation, Kyle McDonald shows how easy it is to digitally eavesdrop on festival-goers all weekend
Our first run-in with Kyle McDonald was his talk at INS-INT 2014 in Minneapolis. (The Eyeo team really loves him and he's spoken at quite of a few of their conferences). But really, we should be checking in on him at least twice a year to see what he's up to. The Brooklyn-based media artist and adjunct assistant professor at NYU's ITP always seems to be working on a million projects at once, from an interactive collab with The xx involving 50 robotic speakers, to faking bungee jumps in VR, an eyebrow-raising app to track-and-quantify social relationships, and confronting awkward talk in the website Who Pays Artists?. Regardless of how small or big or entertaining, each of McDonald's projects are always asking the questions the rest of us are too distracted to consider. His most recent, titled "WiFi Whisperer" (made in collaboration with Surya Mattu and sponsored by local ad agency McKinney) is up and running at Durham, NC's Carolina Theatre Alcove where it will be eavesdropping on Moogfest 2016 attendees all weekend and politely letting them know via data visualizations and the like. We hopped on the phone with McDonald earlier this week to learn the installation's secrets.
How did the idea for "WiFi Whisperer" come about?
I think about early 2014, I started to see that there was this data leaking from everyone's phones that was super-interesting. It was one of the most revealing things I had seen that was sort of publicly accessible—I didn't have to hack into anyone's device. I just had to listen for what was already in the air. That got me inspired and I started talking with friends. We knew we needed to make some kind of installation with this and how we could reveal all of this leaky data to people, and share it with them in a way that's kind of fun and playful but also a little scary. [laughs]
Can you walk us through how you're able to eavesdrop?
This is something that anyone can do with their laptop. If you open up your Terminal, if you're on OSX, and type in a few keys that I gave to you, you would get the same data that we're getting. But we're doing it with some small computers called Raspberry Pi. Each Raspberry Pi is listening to one wireless channel. We're just seeing what data is floating over the air, and the data which we're most interested in is something called "probe request frames"—which are kind of a dying breed of leaky data. It tells you where people have been connected to a network before, like "Nara@Home" or "Starbucks" or "Dropcam." If you look at these network names, you'll have an idea of what devices people own, where they've been, maybe where they go regularly like schools or airports. And that was the starting point for thinking about this.
We're also getting information about what people are actually doing in real time. So when they're on the network at Moogfest, we're collecting which websites that they're going to and using that as well.
Oh God, nothing is safe.
Yeah. [laughs] This is something you can do just by listening. Again, this isn't any kind of hardcore hacking where you're like breaking into someone's computer or convincing them to click on something that they shouldn't. This is just what's happening, normally. And really, the only things that protect us from this are buying hardware or software that doesn't do this; and using encryption. That's about it.
How are you translating all of this collected data on site?
When you go onto an unsecured network that doesn't ask you for a password, all of that traffic is available to people who are sitting nearby you. When you go on to Facebook, and it says HTTPS in your browser, you're OK. People can't see what you're doing but they'll still know you're on Facebook. Whereas if you're on a network that you had to put a password, they won't even know you're on Facebook. At festivals like Moogfest, they're still using open WiFi networks where you don't have to put a password in. And that means we can sit nearby and see if people are looking on Instagram, Facebook, what they're up to right now.
We've got two or three different things we're doing. The initial idea for this piece was having a text-to-speech robot voice hidden behind a wall that's just whispering all the time. "There are 10 people on the network." "Someone just opened up Skype." "It looks like someone's downloading an image from Instagram." Next to that voice, we've got a few screens that are sort of "internet stalking" people. Any of the data that we get about people, we're feeding it into Google and Twitter and trying to find out more information about them. This is happening behind the scenes but we're also doing it on the screens while people stand and watch. The other big component is a website that goes along the piece. When people sign onto the wireless network, they will get redirected to this website and it will tell them, "Hey, we tapped into your device! Here's all the stuff that we know about you." And we'll have a list of all the stuff that we've been able to find.
Do you hope that this installation will be educational, in the long run?
Yeah, ideally. A lot of this is already slated for becoming more secure. Things like probe request frames, and secure wireless networks are becoming more common. But I will still really like to see people become aware of why it's worth it to upgrade. [laughs] I was just reading an article yesterday where someone was complaining in the comment section. They're like "Why doesn't Microsoft understand that as a small business owner, we need to not upgrade sometimes because it's making us take a hit on our productivity?" And I think there's a lot of people who have that feeling, that upgrading is unnecessary or something that's being forced onto us by people who want to make us accept their new GUIs. But a lot of the time, it's a way to keep us more secure. And when you don't upgrade, you're inviting people like me to just look at your data more. [laughs]
That's creepy. I'm notorious in my office for refusing to auto-update my apps. Sometimes my editor will see my phone screen and ask me why I'm still on that iOS or older version of Instagram.
Instagram's an interesting example! I was just in Penn Station earlier today and I pulled out my laptop. It turns out Instagram, the app, is still using "HTTP" or unencrypted traffic to send all of the photos. So even if it's a private Instagram, it's still unencrypted. Sitting in Penn Station, I could just watch people... it's the same as looking over someone's shoulder, basically, except you're doing it from your computer in a corner of the room.
You can see the actual photos?
It's crazy, right? Instagram's been a little slow on this game; Facebook and Twitter have had encryption on that kind of data for much longer, but Instagram is a little behind. Ideally in the next version of Instagram—because this one they just released hasn't changed this—but in the next version, hopefully they'll have encrypted photo API end points. And then you won't be able to see it. But up until that happens, all of your traffic is in the clear.
Moogfest takes place this weekend through Sunday, 22 May 2016 in Durham, NC, and in between sets from the likes of Gary Numan, Oneohtrix Point Never, Laurie Anderson and Explosions in the Sky, there's lots of diverse, free programming open to the public.
Instagram image by Cool Hunting; all others courtesy of McKinney