So a few weeks ago I got the dreaded letter and text from ATT about forcing me over to a tethering plan because they had detected tethering on my account. Admittedly, I do have PDAnet and foxfi installed, but I rarely use it, not enough to warrant them sending the threatening letter. I have been doing a lot of streaming (netflix, iheartradio, etc.) all day long, while at work. I usually get the data usage warning about halfway through my month. A few things have happened recently that lead me to believe they cant actually detect the tethering, but suspect it. I got the S4 on the day of release. I had the apps installed on both my Xperia play and my S3 previously, but on the S4 I get a warning on the phone that ATT wants me to have a tethering plan. If I hit OK on the warning then wifi tethering is disabled, but wired or bluetooth work (sadly my laptop does not have built-in bluetooth, but my tablet works). My original S4 had a few issues with it telling me the SIM card was removed randomly, then one day it just died and wouldnt come back on. I had the phone replaced and reinstalled all of my apps. I have not used pdanet since getting the new phone, but i got the letter anyway. This leads me to believe a few things are what triggers the letter. It appears to me that the downloading of the app sent up a red flag, then they looked at my data usage which is extremely high (8-10gb a month). I called ATT and the rep verified they knew I had downloaded a tethering app, and that they looked at my account and could see a device with a "hardware number" not matching my phone was using data. I believe this to mean they are doing MAC address monitoring. It is the only address that could be transmitted that would identify network traffic belonging to a different device. My speculation is this: ATT has variables that trigger further investigation, once triggered they send a letter and look for more proof. In my case the combo of downloading pdanet and high data usage were the triggers, then they looked through my data history and saw another device requesting data. I dont remember what the setting I had on PDA net for hiding, but if I remember right it was pretty high (1 or 2). I have contacted them to find out more. If they dont do some kind of MAC spoofing or stripping then I suspect this is one thing that can be done to further secure from getting these warnings from ATT. I will put MAC spoofing software on my laptop and just use my phone's MAC. A look through hundreds of previous posts on various forums seems to support my theory of these triggers. I have read many posts where the user had recently downloaded or changed their tethering software and then got the warning. many of the users claim very little usage. Seems to me maybe its just as simple as "we saw you download this software, therefore you are tethering" I made the mistake of downloading the software through the play store. What i am not sure of is this: Can ATT track what you download from the play store? I would think that the deal with the play store is between me and google, but I also know that ATT has the authority to limit what apps I can see and download, similar to what China does for its residents. Can ATT track what is installed on our phones? I.E. if I download an APK from the internet onto my computer and transfer it to my phone and install it while in airplane mode (if possible), will ATT be able to see what I have?