Thanks for the insight. Might you be able to guess how the Bluetooth on/off/on and visible settings work for visibility for passive listening? If my phone is linked/paired with my Bluetooth headset but not visible to other devices, is it still noticeable by the passive listening devices?
From what I understand with WiFi and Google Location Services, if you have WiFi "on but not connected", your phone is regularly sending out messages to any router that will listen saying "Are you SSID x, y, z, a... etc.?" Android phones record this information, i.e., SSIDs pinged and your coarse location, and report this back to the mothership so as to improve the estimated position of all of these SSIDs/router MAC addresses. Theoretically, if I understand what you're saying, there could be hardware devices that require no input from the user: the routers themselves would be noting who (i.e. which phones/MAC addresses) ping them asking for which SSIDs and record those as they progress through a space. Put enough routers in a space and you can triangulate based on RSSI... is that the basic idea?
Wifi is easy - any wifi module that can be put into "monitor mode" will let you listen in for SSID probes. Apple have started randomising the MAC address the device uses for those probes in iOS8, which is a start, but there's often a close-to-unique fingerprint that you still get from the set of SSIDs that are probed for (how many people do you suppose probe for "Company $A Staff Wifi, Shopping Mall $B free wifi, Cafes $C $D and $E free wifi, and person $F home wifi"). There's also a trick (that I think I heard WifiPineapple uses) of listening for common SSIDs probed for (McDonald Free Wifi, Netgear, etc.), then responding as that base station, then getting the real MAC address during the negotiation phase.
Bluetooth is only a little more difficult - you only need a hundred or so dollars to start playing there though: http://ubertooth.sourceforge.net/ or https://github.com/mossmann/hackrf/wiki/HackRF-One will both let you see Bluetooth radio traffic - it's somewhat harder to dig into the encrypted traffic, but seeing and measuring the signal strength is easy.
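One way to spot the "respond to every probe" base-station trick described in the comment above, from the defender's side: a single BSSID that answers directed probes with many unrelated SSIDs is the tell. This is an added example, not code from the thread or from any tool named in it; the frame records, MAC addresses and SSIDs are all constructed for the example.

```python
from collections import defaultdict

# Constructed capture: probe requests clients sent and the probe responses
# APs returned. Fields: (kind, client_mac, bssid, ssid). Real records would
# come from a monitor-mode capture; every value here is made up.
SAMPLE_FRAMES = [
    ("req",  "aa:bb:cc:00:00:01", None,                "CoffeeShop-Free"),
    ("resp", "aa:bb:cc:00:00:01", "02:11:22:33:44:55", "CoffeeShop-Free"),
    ("req",  "aa:bb:cc:00:00:02", None,                "Netgear"),
    ("resp", "aa:bb:cc:00:00:02", "02:11:22:33:44:55", "Netgear"),
    ("req",  "aa:bb:cc:00:00:03", None,                "HomeWifi-F"),
    ("resp", "aa:bb:cc:00:00:03", "02:11:22:33:44:55", "HomeWifi-F"),
    ("req",  "aa:bb:cc:00:00:04", None,                "MallGuest"),
    ("resp", "aa:bb:cc:00:00:04", "c0:ff:ee:00:00:01", "MallGuest"),  # real mall AP
    ("resp", "aa:bb:cc:00:00:02", "c0:ff:ee:00:00:01", "MallGuest"),  # broadcast-probe reply
]


def responses_by_bssid(frames):
    """Map each responding BSSID to the set of SSIDs it has claimed to be."""
    claimed = defaultdict(set)
    for kind, _client, bssid, ssid in frames:
        if kind == "resp":
            claimed[bssid].add(ssid)
    return claimed


def find_karma_aps(frames, min_ssids=3):
    """Flag BSSIDs that echo back many different SSIDs in probe responses.

    A legitimate AP answers with the SSIDs it is configured for, and
    multi-SSID hardware normally uses a distinct BSSID per SSID. One BSSID
    claiming three or more unrelated SSIDs that clients asked for matches
    the rogue "I am whatever you are looking for" pattern.
    """
    flagged = {}
    for bssid, ssids in responses_by_bssid(frames).items():
        if len(ssids) >= min_ssids:
            flagged[bssid] = sorted(ssids)
    return flagged


if __name__ == "__main__":
    for bssid, ssids in find_karma_aps(SAMPLE_FRAMES).items():
        print(f"suspicious AP {bssid} answered as: {', '.join(ssids)}")
```

The threshold is a tuning knob: raise `min_ssids` on networks where one BSSID legitimately serves several names, and lower it where you expect each BSSID to map to exactly one SSID.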