Kim Cameron’s comments on Touch2Id - and especially the way PI is used - make me want to see more discussion about the definition of privacy and the approaches that can be taken in creating such a definition.

To me Touch2Id is a disaster - teaching kids to offer their fingerprints to strangers is not compatible  with my understanding of democracy or of what constitutes the basis of free society. The claim that data is “not collected” is absurd and represents outdated legal thinking.  Biometric data gets collected even though it shouldn’t and such collection is entirely unnecessary given the PET solutions to this problem that exist, e. g chip-on-card.

In my book, Touch2Id did not do the work to deserve a positive privacy appraisal.

Touch2Id, in using blinded signature, is a much better solution than, for example, a PKI-based solution would be.  But this does not change the fact that biometrics are getting collected where they shouldn’t.
To me Touch2Id therefore remains a strong invasion of Privacy - because it teaches kids to accept biometric interactions that are outside their control. Trusting a reader is not an option.

My concern is not so much in discussing the specific solution as reaching some agreement on the use of words and what is acceptable in terms of use of words and definitions.

We all understand that there are different approaches possible given different levels of pragmatism and focus. In reality we have our different approaches because of a number of variables:  the country we live in, our experiences and especially our core competencies and fields of expertise.

Many do good work from different angles - improving regulation, inventing technologies, debating, pointing out major threats etc. etc.

No criticism - only appraisal

Some try to avoid compromises - often at great cost as it is hard to overcome many legacy and interest barriers.  At the same time the stakes are rising rapidly:  reports of spyware are increasingly universal. Further, some try to avoid compromises out of fear or on the principle that governments are “dangerous”.

Some people think I am rather uncompromising and driven by idealist principles (or whatever words people use to do character assaination of those who speak inconvenient truths).  But those who know me are also surprised - and to some extent find it hard to believe - that this is due largely to considerations of economics and security rather than privacy and principle.

Consider the example of Touch2Id.  The fact that it is NON-INTEROPERABLE is even worse than the fact that biometrics are being collected, since because of this, you simply cannot create a PET solution using the technology interfaces!  It is not open, but closed to innovations and security upgrades. There is only external verification of biometrics or nothing - and as such no PET model can be applied.  My criticism of Touch2Id is fully in line with the work on security research roadmapping prior to the EU’s large FP7 research programme (see pg. 14 on private biometrics and biometric encryption – both chip-on-card).

Some might remember the discussion at the 2003 EU PET Workshop in Brussels where there were strong objections to the “inflation of terms”.  In particular, there was much agreement that the term Privacy Enhancing Technology should only be applied to non-compromising solutions.  Even within the category of “non-compromising” there are differences.  For example, do we require absolute anonymity or can PETs be created through specific built-in countermeasures such as anti-counterfeiting through self-incrimination in Digital Cash or some sort of tightly controlled Escrow (Conditional Identification) in cases such as that of non-payment in an otherwise pseudonymous contract (see here).

I tried to raise the same issue last year in Brussels.

The main point here is that we need a vocabulary that does not allow for inflation – a vocabulary that is not infected by someone’s interest in claiming “trust” or overselling an issue. 

And we first and foremost need to stop - or at least address - the tendency of the bad guys to steal the terms for marketing or propaganda purposes.  Around National Id and Identity Cards this theft has been a constant - for example, the term “User-centric Identity” has been turned upside down and today, in many contexts, means “servers focusing on profiling and managing your identity.”

The latest examples of this are the exclusive and centralist european eID model and the IdP-centric identity models recently proposed by US which are neither technological interoperable, adding to security or privacy-enhancing. These models represent the latest in democratic and free markets failure.

My point is not so much to define policy, but rather to respect the fact that different policies at different levels cannot happen unless we have a clear vocabulary that avoid inflation of terms.

Strong PETs must be applied to ensure principles such as net neutrality, demand-side controls and semantic interoperability.  If they aren’t, I am personally convinced that within 20 or 30 years we will no longer have anything resembling democracy - and economic crises will worsen due to Command & Control inefficiencies and anti-innovation initiatives

In my view, democracy as construct is failing due to the rapid deterioration of fundamental rights and requirements of citizen-centric structures.  I see no alternative than trying to get it back on track through strong empowerment of citizens - however non-informed one might think the “masses” are - which depends on propagating the notion that you CAN be in control or “Empowered” in the many possible meanings of the term.

When I began to think about Touch2Id it did of course occur to me that it would be possible for operators of the system to secretly retain a copy of the fingerprints and the information gleaned from the proof-of-age identity documents - in other words, to use the system in a deceptive way.  I saw this as being something that could be mitigated by introducing the requirement for auditing of the system by independent parties who act in the privacy interests of citizens.

It also occured to me that it would be better, other things being equal, to use an on-card fingerprint sensor.  But is this a practical requirement given that it would still be possible to use the system in a deceptive way?  Let me explain.

Each card could, unbeknownst to anyone, be imprinted with an identifier and the identity documents could be surreptitiously captured and recorded.  Further, a card with the capability of doing fingerprint recognition could easily contain a wireless transmitter.  How would anyone be certain a card wasn’t capable of surreptitiously transmitting the fingerprint it senses or the identifier imprinted on it through a passive wireless connection? 

Only through audit of every technical component and all the human processes associated with them.

So we need to ask, what are the respective roles of auditability and technology in providing privacy enhancing solutions?

Does it make sense to kill schemes like Touch2ID even though they are, as Stephan says, better than other alternatives?   Or is it better to put the proper auditing processes in place, show that the technology benefits its users, and continue to evolve the technology based on these successes?

None of this is to dismiss the importance of Stephan’s arguments - the discussion he calls for is absolutely required and I certainly welcome it. 

I’m sure he and I agree we need systematic threat analysis combined with analysis of the possible mitigations, and we need to evolve a process for evaluating these things which is rigorous and can withstand deep scrutiny. 

I am also struck by Stephan’s explanation of the relationship between interoperability and the ability to upgrade and uplevel privacy through PETs, as well as the interesting references he provides. 

I also descibed Blizzard’s move as being the “kookiest” flaunting yet of the Fourth Law of Identity (Contextual separation through unidirectional identifiers). 

Today the news is all about Blizzard’s first step back from the mistaken plan that appears to have completely misunderstood its own community.

CEO Mike Morhaime  seems to be on the right track with the first part of his message:

“I’d like to take some time to speak with all of you regarding our desire to make the Blizzard forums a better place for players to discuss our games. We’ve been constantly monitoring the feedback you’ve given us, as well as internally discussing your concerns about the use of real names on our forums. As a result of those discussions, we’ve decided at this time that real names will not be required for posting on official Blizzard forums.

“It’s important to note that we still remain committed to improving our forums. Our efforts are driven 100% by the desire to find ways to make our community areas more welcoming for players and encourage more constructive conversations about our games. We will still move forward with new forum features such as the ability to rate posts up or down, post highlighting based on rating, improved search functionality, and more. However, when we launch the new StarCraft II forums that include these new features, you will be posting by your StarCraft II Battle.net character name + character code, not your real name. The upgraded World of Warcraft forums with these new features will launch close to the release of Cataclysm, and also will not require your real name.”

Then he goes weird again.  He seems to have a fantasy of his own:  that he is running Facebook…

“I want to make sure it’s clear that our plans for the forums are completely separate from our plans for the optional in-game Real ID system now live with World of Warcraft and launching soon with StarCraft II. We believe that the powerful communications functionality enabled by Real ID, such as cross-game and cross-realm chat, make Battle.net a great place for players to stay connected to real-life friends and family while playing Blizzard games. And of course, you’ll still be able to keep your relationships at the anonymous, character level if you so choose when you communicate with other players in game. Over time, we will continue to evolve Real ID on Battle.net to add new and exciting functionality within our games for players who decide to use the feature.”

Don’t get me wrong.  As convoluted as this thinking is, it’s one big step forward (after two giant steps backward) to make linking of offline identity to gaming identity ”optional”. 

And who knows?  Maybe Mike Morhaime really does understand his users…  He may be right that lots of gamers are totally excited at the prospect of their parents, lovers and children joining Battle.net to stay connected with them while they are playing WoW!  Facebook doesn’t stand a chance!

A year ago I wrote a blog post about how to use the Windows Identity Foundation with OpenID. Essentially the idea was writing an STS that can speak both protocol WS-Federation and OpenID, so your apps can keep using WIF as the claims framework, no matter what your Identity Provider is. WS-Fed == enterprise, OpenID == consumer…

Fast forward to May this year, I’m happy to disclose the proof of concept we did with the Microsoft Federated Identity Interop group (represented by Mike Jones), Medtronic and PayPal. The official post from the Interoperability blog includes a video about it and Mike also did a great write up…

The business scenario brought by Medtronic is around an insulin pump trial. In order to register to this trial, users would login with PayPal, which represents a trusted authority for authentication and attributes like shipping address and age for them. Below are some screenshots of the actual proof of concept:

While there are different ways to solve a scenario like this, we chose to create an intermediary Security Token Service that understands the OpenID protocol (used by PayPal), WS-Federation protocol and SAML 1.1 tokens (used by Medtronic apps). This intermediary STS enables SSO between the web applications, avoiding re-authentication with the original identity provider (PayPal).

Also, we had to integrate with a PHP web application and we chose the simpleSAMLphp library. We had to adjust here and there to make it compatible with ADFS/WIF implementation of the standards. No big changes though.

We decided together with the Microsoft Federated Identity Interop team to make the implementation of this STS available under open source using the Microsoft Public License.

And not only that but also we went a step further and added a multi-protocol capability to this claims provider. This is, it’s extensible to support not only OpenID but also OAuth and even a proprietary authentication method like Windows Live.

DISCLAIMER: This code is provided as-is under the Ms-PL license. It has not been tested in production environments and it has not gone through threats and countermeasures analysis. Use it at your own risk.

Project Home page
http://github.com/southworks/protocol-bridge-claims-provider

Download
http://github.com/southworks/protocol-bridge-claims-provider/downloads

Docs
http://southworks.github.com/protocol-bridge-claims-provider

If you are interested and would like to contribute, ping us through the github page, twitter @woloski or email matias at southworks dot net

This endeavor could not have been possible without the professionalism of my colleagues: Juan Pablo Garcia who was the main developer behind this project, Tim Osborn for his support and focus on the customer, Johnny Halife who helped shaping out the demo in the early stages in HTML :), and Sebastian Iacomuzzi that helped us with the packaging. Finally, Madhu Lakshmikanthan who was key in the project management to align stakeholders and Mike who was crucial in making all this happen.

Happy federation!

On June 20, Kim Cameron [KC] posted a piece on this blog titled: Harvesting phone and laptop fingerprints for its database - Google says the user’s device sends a request to its location server with a list of all MAC addresses currently visible to it. Does that include yours?

It was the start of a series of communications that reads like a thriller. Unfortunately the victim is not imaginary, but it is me and you.

He started with an example of someone attending a conference while subscribed to a geo-location service. “I [KC] argued that the subscriber’s cell phone would pick up all the MAC addresses (which serve as digital fingerprints) of nearby phones and laptops and send them in to the centralized database service, which would look them up and potentially use the harvested addresses to further increase its knowledge of people’s behavior - for example, generating a list of those attending the conference.”

He then explained how Google says its location database works, showing that “certainly the MAC addresses of all nearby phones and laptops are sent in to the geo-location server - not simply the MAC addresses of wireless access points that are broadcasting SSIDs.”

His first post was followed by others, including reference to an excellent piece of Niraj Chokshi in The Atlantic and demonstrating that Google’s messages in its application descriptions are, to say the least, not in line with their PR messages to Chokshi.

On 2 July a discussion of Apple iTunes follows in KC’s post: Update to iTunes comes with privacy fibs with as main message: As the personal phone evolves it will become increasingly obvious that groups within some of our best tech companies have built businesses based on consciously crafted privacy fibs.

The new iTunes policy says: By using this software in connection with an iTunes Store account, you agree to the latest iTunes Store Terms of Service, which you may access and review from the home page of the iTunes Store. So iTunes says: Our privacy policy is that you need to read another privacy policy. This other policy states:

We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

• We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

I think KC rightly asks the question: What does downloading a song have to do with giving away your location???

Clearly Apple would call its unique device identifier - and its location - ”non-personal data”. However, personal data means in Europe any information relating to an identified or identifiable natural person. Even Google CEO Eric Schmidt would under this EU definition supposedly disagree with Apple, given his statement in a recent speech quoted by KC: Google is making the Android phone, we have the Kindle, of course, and we have the iPad. Each of these form factors with the tablet represent in many ways your future….: they’re personal. They’re personal in a really fundamental way. They know who you are. So imagine that the next version of a news reader will not only know who you are, but it’ll know what you’ve read…and it’ll be more interactive. And it’ll have more video. And it’ll be more real-time. Because of this principle of “now.”.

We could go on with the post of 3 July: The current abuse of personal device identifiers by Google and Apple is at least as significant as the problems I discussed long ago with Passport. He is referring to a story by Todd Bishop at TechFlash - here I refer readers to the original thriller rather than trying to summarize it for them.

What is absolutely clear from the above is how dependent we all are on mobile technology. It is also clear that to enjoy the personal and location services we request one needs to combine data on the person and his location. However, I am convinced that in the complex society we live in, we will eventually only accept services and infrastructure if we can trust them to work as we expect, including the handling of our personal data. But trust can only be given if the services and infrastructure is trustworthy. O’Hara and Hall describe trust on the Web very well, based on fundamental principles. They decompose trust in local trust (personal experience through high-bandwidth interactions) and global trust (outsourcing our trust decisions to trusted institutions, like accepted roles through training, witnessing, or certification). Reputation is usually a mix of this.

For trust to be built up the transparency and accountability of the data collectors and processors is essential. As local trust is particularly difficult in global transactions over the Web, we need stronger global trust through a-priori assurances on compliance with legal obligations on privacy protection, transparency, auditing, and effective law enforcement and redress. These are basic principles on which our free and developed societies are built, and which are necessary to guarantee creativity, social stability, economic activity and growth.

One can conclude from KCs posts that not much of these essential elements are represented in the current mobile world.

I agree that the legal solutions he proposes are small steps in the right direction and should be pursued. However, essential action at the level of the legislators is urgently needed. Data Protection authorities in Europe are well aware of that as is demonstrated in The Future of Privacy. Unfortunately these solutions are slow to implement, whilst commercial developments are very fast.

Technology solutions, like developing WiFi protocols that appropriately randomize MAC addresses and also protect other personal data, are also needed urgently to enable develop trustworthy solutions that are competitive and methods should be sought to standardize such results quickly.

However, the gigantic global centralization of data collection and the possibilities of massive correlation is scaring and may make DP Commissioners, even in group in Europe, look helpless. The data is already out there and usable.

What I wonder: is all this data available for law enforcers under warrant and accepted as legal proof in court? And if not, how can it be possible that private companies can collect it? Don’t we need some large legal test cases?

And let’s not forget one thing: any government action must be as global as possible given the broad international presence of the most important companies in this field, hence the proposed standards of the joint international DP authorities in their Madrid Declaration.

Smart questions and conclusions.

• between industries (medical, financial, technical)
• between organizations (Medtronic, PayPal, Southworks, Microsoft)
• between protocols (OpenID and SAML)
• between computing platforms (Windows and Linux)
• between software products (Windows Identity Foundation, DotNetOpenAuth, SimpleSAMLphp)
• between identity requirements (ranging from strong identity verification to anonymous comment)

This is a super-concrete demonstration of the progress being made on the “Identity Metasystem” so many of us in the industry have been working on.   My favorite word in Mike’s piece is “quickly”, to which I have taken the liberty of adding my own emphasis:

Medtronic, PayPal, Southworks, and Microsoft recently worked together to demonstrate the ability for people to use their PayPal identities for participating in a Medtronic medical device trial, rather than having to create yet another username and password. Furthermore, the demo showed the use of verified claims, where the name, address, birth date, and gender claims provided by PayPal are relied upon by Medtronic and its partners as being sufficiently authoritative to sign people up for the trial and ship them the equipment. I showed this to many of you at the most recent Internet Identity Workshop.

From a technology point of view, this was a multi-protocol federation using OpenID and WS-Federation – OpenID for the PayPal identities and WS-Federation between Medtronic and two relying parties (one for ordering the equipment and one for anonymously recording opinions about the trial). It was also multi-platform, with the Medtronic STS running on Windows and using the Windows Identity Foundation (WIF) and DotNetOpenAuth, the equipment ordering site running on Linux and using simpleSAMLphp, and the opinions site running on Windows and also using WIF. A diagram of the scenario flows is as follows:

We called the demo an “identity mash-up” because Medtronic constructed a identity for the user containing both claims that came from the original PayPal identity and claims it added (“mashed-up”) to form a new, composite identity. And yet, access to this new identity was always through the PayPal identity. You can read more about the demo on the Interoperability @ Microsoft blog, including viewing a video of the demo. Southworks also made the documentation and code for the multi-protocol STS available.

I’ll close by thanking the teams at PayPal, Medtronic, and Southworks for coming together to produce this demo. They were all enthusiastic about using consumer identities for Medtronic’s business scenario and pitched in together to quickly make it happen.

To get an idea of the dimensions of the backlash just type “WoW RealID” into a search engine.  You’ll hit paydirt:

The RealID feature is probably the kookiest example yet of breaking the Fourth Law of Identity - the law of Directed Identity.   This law articulates the requirement to scope digital identifiers to the context in which they are used.  In particular, it explains why universal identifiers should not be used where a person’s relationship is to a specific context.  The law arises from the need for “contextual separation” - the right of individuals to participate in multiple contexts without those contexts being linkable unless the individual wants them to be.

The company seems to have initially inflicted Real ID onto everyone, and then backed off by describing the lack of “opt-in” as a “security flaw”, according to this official post on wow.com:

To be clear, everyone who does not have a parentally controlled account has in fact opted into Real ID, due to a security flaw. Addons have access to the name on your account right now. So you need to be very careful about what addons you download — make sure they are reputable. In order to actually opt out, you need to set up parental controls on your account. This is not an easy task. Previous to the Battle.net merge, you could just go to a page and set them up. Done. Now, you must set up an account as one that is under parental control. Once your account is that of a child’s (a several-step process), your settings default to Real ID-disabled. Any Real ID friends you have will no longer be friends. In order to enable it, you need to check the Enable Real ID box.

 Clearly there are security problems that emerge from squishing identifiers together and breaking cross-context separation.  Mary Landsman has a great post on her Antivirus Software Blog called “WoW Real ID: A Really Bad Idea“:

Here are a couple of snippets about the new Battle.net Real ID program:

“…when you click on one of your Real ID friends, you will be able to see the names of his or her other Real ID friends, even if you are not Real ID friends with those players yourself.”

“…your mutual Real ID friends, as well as their Real ID friends, will be able to see your first and last name (the name registered to the Battle.net account).”

“…Real ID friends will see detailed Rich Presence information (what character the Real ID friend is playing, what they are doing within that game, etc.) and will be able to view and send Broadcast messages to other Real ID friends.”

And this is all cross-game, cross-realm, and cross-alts. Just what already heavily targeted players need, right? A merge of WoW/Battle.net/StarCraft with Facebook-style social networking? Facepalm might have been a better term to describe Real ID given its potential for scams. Especially since Blizzard rolled out the change without any provision to protect minors whatsoever:

Will parents be able to manage whether their children are able to use Real ID?
We plan to update our Parental Controls with tools that will allow parents to manage their children’s use of Real ID. We’ll have more details to share in the future.

Nice. So some time in the future, Blizzard might start looking at considering security seriously. In the meantime, the unmanaged Real ID program makes it even easier for scammers to socially engineer players AND it adds potential stalking to the list of concerns. With no provision to protect minors whatsoever.

Thanks, Blizz…Not!

And Kyth has a must-read post at stratfu called Deeply Disappointed with the ‘RealID’ System where he explains how RealID should have been done.  His ideas are a great implementation of the Fourth Law.

Using an alias would be fine, especially if the games are integrated in such a way that you could pull up a list of a single Battle.net account’s WoW/D3 characters and SC2 profiles. Here is how the system should work:

• You have a Battle.net account. The overall account has a RealID Handle. This Handle defaults to being your real name, but you can easily change it (talking single-click retard easy here) to anything you desire. Mine would be [WGA]Kazanir, just like my Steam handle is.
• Each of your games is attached to your Battle.net account and thereby to your RealID. Your RealID friends can see you when you are online in any of those games and message you cross-game, as well as seeing a list of your characters or individual game profiles. Your displayed RealID is the handle described above.
• Each game contains either a profile (SC2) or a list of characters. A list of any profiles or characters attached to your Battle.net account would be easily accessible from your account management screen. Any of these characters can be “opted out” of your RealID by unchecking them from the list. Thus, my list might look like this:
  
  X Kazanir.wga - SC2 ProfileX Kazanir - WoW - 80 Druid Mal’ganisX Gidgiddoni - WoW - 60 Warrior Mal’ganis_ Kazbank - WoW - 2 Hunter Mal’ganisX Kazabarb - D3 - 97 Barbarian US East_ Kazahidden - D3 - 45 Monk US West

  In this way I can play on characters (such as a bank alt or a secret D3 character with my e-girlfriend) without forcibly having their identity broadcast to my friends.When I am online on any of the characters I have unchecked, my RealID friends will be able to message me but those characters will not be visible even to RealID friends. The messages will merely appear to come from my RealID and the “which character is he on” information will not be available.

• Finally, the RealID messenger implementation in every game should be able to hide my presence from view just like any instant messenger application can right now. I shouldn’t be forced to be present with my RealID just because I am playing a game — there should be a universal “pretend to not be online” button available in every Battle.net enabled game.

These are the most basic functionality requirements that should be implemented by anyone with an IQ over 80 who designs a system like this.

Check out the comments in response to his post.  I would have to call his really sensible and informed proposal “wildly popular”.  It will be really interesting to see how this terrible blunder by such a creative company will end up.

 [Thanks to Joe Long for heads up]

I want to set the record straight about one thing: the headline.  It’s not that I object to the term “attempted privacy murder” - it pretty much sums things up. The issue is just that I speak as Kim Cameron - a person, not a corporation.  I’m not in marketing or public releations - I’m a technologist who has come to understand that we must  all work together to ensure people are able to trust their digital environment.  The ideas I present here are the same ones I apply liberally in my day job, but this is a personal blog.

Ms. Smith is as precise as she is concise:

A Microsoft identity guru bit Apple and smacked Google over mobile privacy policies. Once upon a time, before working for Microsoft, this same man took MS to task for breaking the Laws of Identity.

Kim Cameron, Microsoft’s Chief Identity Architect in the Identity and Security Division, said of Apple, “If privacy isn’t dead, Apple is now amongst those trying to bury it alive.”

What prompted this was when Cameron visited the Apple App store to download a new iPhone application. When he discovered Apple had updated its privacy policy, he read all 45 pages on his iPhone. Page 37 lets Apple users know:

Collection and Use of Non-Personal Information

We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

· We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

The MS identity guru put the smack down not only on Apple, but also on Google, writing in his blog, “Maintaining that a personal device fingerprint has ‘no direct association with any specific individual’ is unbelievably specious in 2010 - and even more ludicrous than it used to be now that Google and others have collected the information to build giant centralized databases linking phone MAC addresses to house addresses. And - big surprise - my iPhone, at least, came bundled with Google’s location service.”

MAC in this case refers to Media Access Control addresses associated with specific devices and one of the types that Google collected. Google admits to collecting MAC addresses of WiFi routers, but denies snagging MAC addresses of laptops or phones. Google is under mass investigation for its WiFi blunder.

Apple’s new policy is also under fire from two Congressmen who gave Apple until July 12th to respond. Reps. Edward J. Markey (D-Mass.) and Joe Barton (R-Texas) sent a letter to Apple CEO Steve Jobs asking for answers about Apple gathering location information on its customers.

As far as Cameron goes, Microsoft’s Chief Identity Architect seems to call out anyone who violates privacy. That includes Microsoft. According to Wikipedia’s article on Microsoft Passport:

“A prominent critic was Kim Cameron, the author of the Laws of Identity, who questioned Microsoft Passport in its violations of those laws. He has since become Microsoft’s Chief Identity Architect and helped address those violations in the design of the Windows Live ID identity meta-system. As a consequence, Windows Live ID is not positioned as the single sign-on service for all web commerce, but as one choice of many among identity systems.”

Cameron seems to believe location based identifiers and these changes of privacy policies may open the eyes of some people to the, “new world-wide databases linking device identifiers and home addresses.”

I’m talking about a British outfit called Touch2Id.  Their concept is really simple.  They offer young people a smart card that can be used to prove they are old enough to drink alcohol.  The technology is now well beyond the “proof of concept” phase - in fact its use in Wiltshire, England is being expanded based on its initial success.

• To register, people present their ID documents and, once verified, a template of their fingerprint is stored on a Touch2Id card that is immediately given to them. 
• When they go to a bar, they wave their card over a machine similar to a credit card reader, and press their finger on the machine.  If their finger matches the template on their card, the lights come on and they can walk on in.

   What’s great here is:

• Merchants don’t have to worry about making mistakes.  The age vetting process is stringent and fake IDs are weeded out by experts.
• Young people don’t have to worry about being discriminated against (or being embarassed) just because they “look young”
• No identifying information is released to the merchant.  No name, age or photo appears on (or is stored on) the card.
• The movements of the young person are not tracked.
• There is no central database assembled that contains the fingerprints of innocent people
• The fingerprint template remains the property of the person with the fingerprint - there is no privacy issue or security honeypot.
• Kids cannot lend their card to a friend - the friend’s finger would not match the fingerprint template.
• If the card is lost or stolen, it won’t work any more
• The templates on the card are digitally signed and can’t be tampered with

I met the man behind the Touch2Id, Giles Sergant, at the recent EEMA meeting in London.

Being a skeptic versed in the (mis) use of biometrics in identity - especially the fingerprinting of our kids - I was initially more than skeptical. 

But Giles has done his homework (even auditing the course given by privacy experts Gus Hosein and Simon Davies at the London School of Economics).  The better I understood the approach he has taken, the more impressed I was.

Eventually I even agreed to enroll so as to get a feeling for what the experience was like.  The verdict:  amazing.  Its a lovely piece of minimalistic engineering, with no unnecessary moving parts or ugly underbelly.    If I look strangely euphoric in the photo that was taken it is because I was thoroughly surprised by seeing something so good.

Since then, Giles has already added an alternate form factor - an NFC sticker people can put on their mobile phone so they don’t actually need to carry around an additional artifact.  It will be fascinating to watch how young people respond to this initiative, which Giles is trying to grow from the bottom up.  More info on the Facebook page.

Kim Cameron is an expert in digital identity and privacy, so when his iPhone recently prompted him to read and accept Apple’s revised terms and conditions before downloading a new app, he was perhaps more inclined than the rest of us to read the entire privacy policy — all 45 pages of tiny text on his mobile screen.

It’s important to note that apart from writing his own blog on identity issues — where he told this story — Cameron is Microsoft’s chief identity architect and one of its distinguished engineers. So he’s not a disinterested industry observer in the broader sense. But he does have extensive expertise.

And he is publicly acknowledging his use of an iPhone, after all, which should earn him at least a few points for neutrality…

At this point I’ll butt in and editorialize a little.  I’d like to amplify on Todd’s point for the benefit of readers who don’t know me very well:  I’m not critical of Street View WiFi because I am anti-Google.  I’m not against anyone who does good technology.  My critique stems from my work as a computer scientist specializing in identity, not as a person playing a role in a particular company.  In short, Google’s Street View WiFi is bad technology, and if the company persists in it, it will be one of the identity catastrophes of our time.

When I figured out the Laws of Identity and understood that Microsoft had broken them, I was just as hard on Microsoft as I am on Google today.  In fact, someone recently pointed out the following reference in Wikipedia’s article on Microsoft’s Passport:

“A prominent critic was Kim Cameron, the author of the Laws of Identity, who questioned Microsoft Passport in its violations of those laws. He has since become Microsoft’s Chief Identity Architect and helped address those violations in the design of the Windows Live ID identity meta-system. As a consequence, Windows Live ID is not positioned as the single sign-on service for all web commerce, but as one choice of many among identity systems.”

I hope this has earned me some right to comment on the current abuse of personal device identifiers by Google and Apple - which, if their FAQs and privacy policies represent what is actually going on, is at least as significant as the problems I discussed long ago with Passport.  

But back to Todd: 

At any rate, as Cameron explained on his IdentityBlog over the weekend, his epic mobile reading adventure uncovered something troubling on Page 37 of Apple’s revised privacy policy, under the heading of “Collection and Use of Non-Personal Information.” Here’s an excerpt from Apple’s policy, Cameron’s emphasis in bold.

We also collect non-personal information — data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

Here’s what Cameron had to say about that.

Maintaining that a personal device fingerprint has “no direct association with any specific individual” is unbelievably specious in 2010 — and even more ludicrous than it used to be now that Google and others have collected the information to build giant centralized databases linking phone MAC addresses to house addresses. And — big surprise — my iPhone, at least, came bundled with Google’s location service.

The irony here is a bit fantastic. I was, after all, using an “iPhone”. I assume Apple’s lawyers are aware there is an ‘I’ in the word “iPhone”. We’re not talking here about a piece of shared communal property that might be picked up by anyone in the village. An iPhone is carried around by its owner. If a link is established between the owner’s natural identity and the device (as Google’s databases have done), its “unique device identifier” becomes a digital fingerprint for the person using it.

MAC in this context refers to Media Access Control addresses associated with specific devices, one type of data that Google has acknowledged collecting. However, in a response to an Atlantic magazine piece that quoted an earlier Cameron blog post, Google says that it hasn’t gone as far Cameron is suggesting. The company says it has collected only the MAC addresses of WiFi routers, not of laptops or phones.

The distinction is important because it speaks to how far the companies could go in linking together a specific device with a specific person in a particular location.

Google’s FAQ, for the record, says its location-based services (such as Google Maps for Mobile) figure out the location of a device when that device “sends a request to the Google location server with a list of MAC addresses which are currently visible to the device” — not distinguishing between MAC addresses from phones or computers and those from wireless routers.

Here’s what Cameron said when I asked about that topic via email.

I have suggested that the author ask Google if it will therefore correct its FAQ, since the portion of the FAQ on “how the system works” continues to say it behaves in the way I described. If Google does correct its FAQ then it will be likely that data protection authorities ask Google to demonstrate that its shipped software behaving in the way described in the correction.

I would of course feel better about things if Google’s FAQ is changed to say something like, “The user’s device sends a request to the Google location server with the list of MAC addresses found in Beacon Frames announcing a Network Access Point SSID and excluding the addresses of end user devices.”

However, I would still worry that the commercially irresistible feature of tracking end user devices could be turned on at any second by Google or others. Is that to be prevented? If so, how?

So a statement from Google that its FAQ was incorrect would be good news - and I would welcome it - but not the end of the problem for the industry as a whole.

The privacy statement for Microsoft’s Location Finder service, for the record, is more specific in saying that the service uses MAC addresses from wireless access points, making no reference to those from individual devices.

In any event, the basic question about Apple is whether its new privacy policy is ultimately correct in saying that the company is only collecting “data in a form that does not permit direct association with any specific individual” — if that data includes such information as the phone’s unique device identifier and location.

Cameron isn’t the only one raising questions.

The Consumerist blog picked up on this issue last week, citing a separate portion of the revised privacy policy that says Apple and its partners and licensees “may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device.” The policy adds, “This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services.”

The Consumerist called the language “creepy” and said it didn’t find Apple’s assurances about the lack of personal identification particularly comforting. Cameron, in a follow-up post, agreed with that sentiment.

SF Weekly and the Hypebot music technology blog also noted the new location-tracking language, and the fact that users must agree to the new privacy policy if they want to use the service.

“Though Apple states that the data is anonymous and does not enable the personal identification of users, they are left with little choice but to agree if they want to continue buying from iTunes,” Hypebot wrote.

We’ve left messages with Apple and Google to comment on any of this, and we’ll update this post depending on the response.

And for the record, there is an option to email the Apple privacy policy from the phone to a computer for reading, and it’s also available here, so you don’t necessarily need to duplicate Cameron’s feat by reading it all on your phone.

As incredible as it sounds in 2010, no user control.  Not even  transparency.  Just one thing is for sure.  If privacy isn’t dead, Apple is now amongst those trying to bury it alive.

Then today, just when I thought Apple had gone as far as it could go in this particular direction, a new version of iTunes wanted to install itself on my laptop.  What do you know?  It had a new privacy policy too… 

The new iTunes policy was snappier than the iPhone policy - it came to the point - sort of - in the 5th paragraph rather than the 37th page!

5. iTunes Store and other Services.  This software enables access to Apple’s iTunes Store which offers downloads of music for sale and other services (collectively and individually, “Services”). Use of the Services requires Internet access and use of certain Services requires you to accept additional terms of service which will be presented to you before you can use such Services.

By using this software in connection with an iTunes Store account, you agree to the latest iTunes Store Terms of Service, which you may access and review from the home page of the iTunes Store.

I shuddered.  Mind bend!  A level of indirection in a privacy policy! 

Imagine:  “Our privacy policy is that you need to read another privacy policy.”  This makes it much more likely that people will figure out what they’re getting into, don’t you think?  Besides, it is a really novel application of the proposition that all problems of computer science can be solved through a level of indirection!  Bravo!

But then - the coup de grace.  The privacy policy to which Apple redirects you is… are you ready… the same one we came across a few days ago at the App Store!  So once again you need to get to the equivalent of page 37 of 45 to read:

Collection and Use of Non-Personal Information

We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

• We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

The mind bogggggles.  What does downloading a song have to do with giving away your location???

Some may remember my surprise that the Lords of The iPhone would call its unique device identifier - and its location - ”non-personal data”.  Non-personal implies there is no strong relationship to the person who is using it.  I wrote:

The irony here is a bit fantastic.  I was, after all, using an “iPhone”.   I assume Apple’s lawyers are aware there is an ”I” in the word “iPhone”.  We’re not talking here about a piece of shared communal property that might be picked up by anyone in the village.  An iPhone is carried around by its owner.  If a link is established between the owner’s natural identity and the device (as Google’s databases have done), its “unique device identifier” becomes a digital fingerprint for the person using it. 

Anybody who thinks about identity understands that a “personal device” is associated with (even an extension of) the person who uses it.  But most people - including technical people - don’t give these matters the slightest thought.  

A parade of tech companies have figured out how to use peoples’ ignorance about digital identity to get away with practices letting them track what we do from morning to night in the physical world.  But of course, they never track people, they only track their personal devices!  Those unruly devices really have a mind of their own - you definitely need central databases to keep tabs on where they’re going.

I was therefore really happy to read some of  Google CEO Eric Schmidt’s recent speech to the American Society of News Editors.  Talking about mobility he made a number of statements that begin to explain the ABCs of what mobile devices are about:

Google is making the Android phone, we have the Kindle, of course, and we have the iPad. Each of these form factors with the tablet represent in many ways your future….: they’re personal. They’re personal in a really fundamental way. They know who you are. So imagine that the next version of a news reader will not only know who you are, but it’ll know what you’ve read…and it’ll be more interactive. And it’ll have more video. And it’ll be more real-time. Because of this principle of “now.”

It is good to see Eric sharing the actual truth about personal devices with a group of key influencers.  This stands in stark contrast to the silly fibs about phones and laptops being non-personal that are being handed down in the iTunes Store, the iPhone App Store, and in the “Refresher FAQ” Fantasyland Google created in response to its Street View WiFi shenanigans. 

As the personal phone evolves it will become increasingly obvious  that groups within some of our best tech companies have built businesses based on consciously crafted privacy fibs.  I’m amazed at the short-sightedness involved:  folks, we’re talking about a “BP moment”.  History teaches us that ”There is no vice that doth so cover a man with shame as to be found false and perfidious.” [Francis Bacon]  And statements that your personal device doesn’t identify you and that location is not personal information are precisely “false and perfidious.”

But I have to say that such an exploration is really hard right now. 

Whether on purpose or by accident, the Google PR machine is still handing out contradictory messages.  In particular, the description in Google’s Refresher FAQ titled “How does this location database work?” is currently completely different from (read: the opposite of) what its public relations people are telling journalists like Nitaj.  I think reestablishing credibility around location services requires the messages to be made consistent so they can be verified by data protection authorities.

Here are some excerpts from the piece - annotated with some comments by me.  [Read the whole article here.] 

The Wi-Fi data Google collected in over 30 countries could be more revealing than initially thought…

Google’s CEO Eric Schmidt has said the information was hardly useful and that the company had done nothing with it. The search giant has also been ordered (or sought) to destroy the data. According to their own blog post, Google logged three things from wireless networks within range of their vans: snippets of unencrypted data; the names of available wireless networks; and a unique identifier associated with devices like wireless routers. Google blamed the collection on a rogue bit of code that was never removed after it had been inserted by an engineer during testing.

[The statement about rogue code is an example of the PR ambiguity Nitaj and other journalists must deal with.  Google blogs don't actually blame the collection of unique identifiers on rogue code, although they seem crafted to leave people with that impression.  Spokesmen only blame rogue code for the collection of unencrypted data content (e.g. email messages.) - Kim]

Each of the three types of data Google recorded has its uses, but it’s that last one, the unique identifier, that could be valuable to a company of Google’s scale. That ID is known as the media access control (MAC) address and it is included — unencrypted, by design — in any transfer, blogger Joe Mansfield explains.

Google says it only downloaded unencrypted data packets, which could contain information about the sites users visited. Those packets also include the MAC address of both the sending and receiving devices — the laptop and router, for example.

[Another contradiction: Google PR says it "only" collected unencrypted data packets, but Google's GStumbler report  says its cars did collect and record the MAC addresses from encrypted data frames as well. - Kim]

A company as large as Google could develop profiles of individuals based on their mobile device MAC addresses, argues Mansfield:

Get enough data points over a couple of months or years and the database will certainly contain many repeat detections of mobile MAC addresses at many different locations, with a decent chance of being able to identify a home or work address to go with it.

Now, to be fair, we don’t know whether Google actually scrubbed the packets it collected for MAC addresses and the company’s statements indicate they did not. [Yet the GStumbler report says ALL MAC addresses were recorded - Kim].  The search giant even said it “cannot identify an individual from the location data Google collects via its Street View cars.”  Add a step, however, and Google could deduce an individual from the location data, argues Avi Bar-Zeev, an employee of Microsoft, a Google competitor.

[Google] could (opposite of cannot) yield your identity if you’ve used Google’s services or otherwise revealed it to them in association with your IP address (which would be the public IP of your router in most cases, visible to web servers during routine queries like HTTP GET). If Google remembered that connection (and why not, if they remember your search history?), they now have your likely home address and identity at the same time. Whether they actually do this or not is unclear to me, since they say they can’t do A but surely they could do B if they wanted to.

Theoretically, Google could use the MAC address for a mobile device — an iPod, a laptop, etc. — to build profiles of an individual’s activity. (It’s unclear whether they did and Google has indicated that they have not.) But there’s also value in the MAC addresses of wireless routers.

Once a router has been associated with a real-world location, it becomes useful as a reference point. The Boston company Skyhook Wireless, for example, has long maintained a database of MAC addresses, collected in a (slightly) less-intrusive way. Skyhook is the primary wireless positioning system used by Apple’s iPhone and iPod Touch. (See a map of their U.S. coverage here.) When your iPod Touch wants to retrieve the current location, it shares the MAC addresses of nearby routers with Skyhook which pings its database to figure out where you are.

Google Latitude, which lets users share their current location, has at least 3 million active users and works in a similar way. When a user decides to share his location with any Google service on a non-GPS device, he sends all visible MAC addresses in the vicinity to the search giant, according to the company’s own description of how its location services works.

[Update: Google's own "refresher FAQ" states that a user of its geo-location services, such as Latitude, sends all MAC addresses "currently visible to the device" to Google, but a spokesman said the service only collects the MAC addresses of routers. That FAQ statment is the basis of the following argument.]

This is disturbing, argues blogger Kim Cameron (also a Microsoft employee), because it could mean the company is getting not only router addresses, but also the MAC addresses of devices such as laptops and iPods. If you are sitting next to a Google Latitude user who shares his location, Google could know the address and location of your device even though you didn’t opt in. That could then be compared with all other logged instances of your MAC address to develop a profile of where the device is and has been.

Google denies using the information it collected and, if the company is telling the truth, then only data from unencrypted networks was intercepted anyway, so you have less to worry about if your home wireless network is password-protected. (It’s still not totally clear whether only router MAC addresses were collected. Google said it collected the information for devices “like a WiFi router.”) Whether it did or did not collect or use this information isn’t clear, but Google, like many of its competitors, has a strong incentive to get this kind of location data.

[Again, and I really do feel for Niraj, the PR leaves the impression that if you have passwords and encryption turned on you have nothing to worry about, but Googles' GStumbler report says that passwords and encryption did not prevent the collection of the MAC addresses of phones and laptops from homes and businesses. - Kim]

I really tuned in to these contradictory messages when a reader first alerted me to Niraj’s article.   It looked like this:

My comments earned their strike-throughs when a Google spokesman assured the Atlantic ”the Service only collects the MAC addresses of routers.”  I pointed out that my statement was actually based on Google’s own FAQ, and it was their FAQ (”How does this location database work?”) - rather than my comments - that deserved to be corrected.  After verifying that this was true, Niraj agreed to remove the strikethrough.

How can anyone be expected to get this story right given the contradictions in what Google says it has done?

In light of this, I would like to see Google issue a revision to its “Refresher FAQ” that currently reads:

The “list of MAC addresses which are currently visible to the device” would include the addresses of nearby phones and laptops.  Since Google PR has assured Niraj that “the service only collects the MAC addresses of routers”, the right thing to do would be to correct the FAQ so it reads:

• “The user’s device sends a request to the Google location server with the list of MAC addresses found in Beacon Frames announcing a Network Access Point SSID and excluding the addresses of end user devices like WiFi enabled phones and laptops.”

This would at least reassure us that Google has not delivered software with the ability to track non-subscribers and this could be verified by data protection authorities.  We could then limit our concerns to what we need to do to ensure that no such software is ever deployed in the future.

“Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC).  This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities. ”

I say the current draft is historic because of the grasp of identity issues it achieves. 

At the core of the document is a recognition that we need a solution supporting privacy-enhancing technologies and built by harnessing a user-centric Identity Ecosystem offering citizens and private enterprise plenty of choice.  

Finally we have before us a proposal that can move society forward in  protecting individual privacy and simultaneously create a secure and trustworthy infrastructure with enough protections to be resistant to insider attacks.  

Further, the work appears to have support from multiple government agencies - the Department of Homeland Security was a key partner in its creation. 

Here are the guiding principles (beginning page 8):

• Identity solutions will be secure and resilient
• Identity solutions will be interoperable
• Identity solutions will be privacy enhancing and voluntary for the public
• Identity solutions will be cost-effective and easy to use

Let’s start with the final “s” on the word “solutions” - a major achievement.  The authors understand society needs a spectrum of approaches suitable for different use cases but fitting within a common interoperable framework - what I and others have called an identity metasystem. 

The report embraces the need for anonymous access as well as that for strong identification.  It stands firmly in favor of minimal disclosure.  The authors call out the requirement that solutions be privacy enhancing and voluntary for the public, rather than attempting to ram something bureaucratic down peoples’ throats.  And they are fully cognisant of the practicality and usability requirements for the initiative to be successful.  A few years ago I would not have believed this kind of progress would be possible.

Nor is the report just a theoretical treatment devoid of concrete proposals.  The section on “Commitment to Action” includes:

• Designate a federal agency to lead the public/private sector efforts to advance the vision
• Develop a shared, comprehensive public/private sector implementation plan
• Accelerate the expansion of government services, pilots and policies that align with the identity ecosystem
• Work to implement enhanced privacy protections
• Coordinate the development and refinement of risk management and interoperability standards
• Address liability concerns of service providers and individuals
• Perform outreach and awareness across all stakeholders
• Continue collaborating in international efforts
• Identify other means to drive adoption

Readers should dive into the report - it is in a draft stage and “Public ideas and recommendations to further refine this Strategy are encouraged.“  

A number of people and organizations in the identity world have participated in getting this right, working closely with policy thinkers and those leading this initiative in government.  I don’t hesitate to say that congratulations are due all round for getting this effort off to such a good start.

We can expect suggestions to be made strengthening various aspects of the report - mainly in terms of making it more internally consistent.  

For example, the report contains good vignettes about minimal disclosure and the use of claims to gain access to resources.  Yet it also retains the traditional notion that authentication is dependent on identification.  What is meant by identification?  Many will assume it means “unique identification” in the old-fashioned sense of associating someone with an identifier.  That doesn’t jive with the notion of minimal disclosure present throughout the report.  Why? For many purposes association with an identifier is over-identification or unhelpful, and a simple proof of some set of claims would suffice to control access.  

But these refinements can be made fairly easily.  The real challenge will be to actually live up to the guiding principles as we move from high level statements to a widely deployed system - making it truly secure, resilient and privacy enhancing.  These are guiding principles we can use to measure our success and help select between alternatives.

Schmegga

Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you must do in order to download anything via the iTunes store) you agree to let Apple collect store and share “precise location data, including the real-time geographic location of your Apple computer or device.”

Apple says that the data is “collected anonymously in a form that does not personally identify you,” but for some reason we don’t find this very comforting at all. [Good instinct ! - Kim]. There appears to be no way to opt-out of this data collection without giving up the ability to download apps.

Here’s the full text [Emphasis is mine - Kim]:

“Location-Based Services

“To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.

Some location-based services offered by Apple, such as the MobileMe “Find My iPhone” feature, require your personal information for the feature to work. “

I wonder how The Consumerist will feel when it figures out how this change ties in to the new world-wide databases linking device identifiers and home addresses?

The consumerist piece is dated June 21, 2010 9:50 PM, and seems to confirm that the change in policy has only been made public since Google’s WiFi shenanigans have been discovered by data protection authorities… The point about “no opt out” is very important too.

No such luck.  Apple had changed it’s privacy policy, and I was taken to the screen at right,  To proceed I had to “read and accept the new Terms and Conditions”.  I pressed OK and up came page 1 of a new 45 page “privacy” policy.

I would assume “normal people” would say “uncle” and “click approve” around page 3.  But in light of what is happening in the industry around location services I kept reading the tiny, unsearchable, unzoomable print.

And there - on page 37 - you come to ”the news”.  Apple’s new “privacy” policy reveals that if you use Apple products Apple can disclose your device fingerprints and location to whomever it chooses and for whatever purpose:

Collection and Use of Non-Personal Information

We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

• We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

No “direct association with any specific individual…”

Maintaining that a personal device fingerprint has “no direct association with any specific individual” is unbelievably specious in 2010 - and even more ludicrous than it used to be now that Google and others have collected the information to build giant centralized databases linking phone MAC addresses to house addresses.  And - big surprise - my iPhone, at least, came bundled with Google’s location service.

The irony here is a bit fantastic.  I was, after all, using an “iPhone”.  I assume Apple’s lawyers are aware there is an ”I” in the word “iPhone”.  We’re not talking here about a piece of shared communal property that might be picked up by anyone in the village.  An iPhone is carried around by its owner.  If a link is established between the owner’s natural identity and the device (as Google’s databases have done), its “unique device identifier” becomes a digital fingerprint for the person using it. 

Apple’s statements constitute more disappointing doubletalk that is suspiciously well-aligned with the statements in Google’s now-infamous WiFi FAQ.  Checking with the “Wayback machine” (which is of course not guaranteed to be accurate or up to date) the last change recorded in Apple’s privacy policy seems to have been made in April 2008.  It contained no reference to device identifiers or location services. 

Bees are being fitted with tiny radio ID tags to monitor their movements as part of research into whether pesticides could be giving the insects brain disorders, scientists have revealed

The study is examining concerns that pesticides could be damaging bees’ abilities to gather food, navigate and even perform their famous “waggle dance” through which they tell other bees where nectar can be found.

I can’t help wondering if wearing an antenna twice one’s size might also throw off one’s “waggle dance”? There is too the question of how this particular bee gets back into its hive to be tracked another day.  But I leave those questions to the researchers.

Nearly every digital copier built since 2002 contains a hard drive storing an image of every document copied, scanned, or emailed by the machine.  Because of this, the report shows, an office staple has turned into a digital time-bomb packed with highly-personal or sensitive data.  To quote the narrator, “If you’re in the identity theft business it seems this would be a pot of gold.”

In the video, the investigators purchase some used machines and then John Juntunen of Digital Copier Security shows them what is still stored on them when they are resold.  As he says, ”The type of information we see on these machines with the social security numbers, birth certificates, bank records, income tax forms… would be very valuable.”   He’s been trying to warn people about the potential risk, but “Nobody wants to step up and say, ‘we see the problem, and we need to solve it.’”

The results obtained by the investigators in their random sample are stunning, turning up:

• detailed domestic violence complaints;
• a list of wanted sex offenders;
• a list of targets in a major drug raid;
• design plans for a building near Ground Zero in Manhattan;
• 95 pages of pay stubs with names, addresses and social security numbers;
• $40,000 in copied checks; and
• 300 pages of individual medical records including everything from drug prescriptions, to blood test results, to a cancer diagnosis.

Why are these records sitting around on the hard disk in the first place?  Why aren’t they deleted once the copy has been completed or within some minimal time?  If they are kept for audit purposes, why aren’t they encrypted for the auditor? 

Is this “rainy-day data collection?” Gee, we have a hard disk, why don’t we keep the scans around - they might come in useful sometime. 

It becomes clear that addressing privacy and security threats was never a concern in designing these machines - which are actually computer systems.  This was an example of “privacy chernoble by design”.  Of course I’m speaking not only about individual privacy, but that of the organizations using the machines as well.   The report makes it obvious that digital copiers, or anything else that collects or remembers information, must be designed based on the Law of Minimal Disclosure.

This story also casts an interesting light on what the French are calling “le droit à l’oubli” - the right to have things forgotten.   Most discussions I’ve seen call for this principle to be applied on the Internet.  But as the digital world collides with the molecular one, we will see the need to build information lifetimes into all digital systems, including smart systems in our environment.  The current and very serious problems with copiers should be seen as profoundly instructive in this regard.

[Thanks to Francis Shanahan for heads up] 

A reader wrote to express disbelief that the MAC addresses of non-subscribers would be collected by a company like Google.  So I close this series on WiFi device identifiers with this quote from what Google calls its “refresher FAQ” (emphasis in the quote below is mine):  

How does this location database work?

Google location based services using WiFi access point data work as follows:

• The user’s device sends a request to the Google location server with a list of MAC addresses which are currently visible to the device;
• The location server compares the MAC addresses seen by the user’s device with its list of known MAC addresses, and identifies associated geocoded locations (i.e. latitude / longitude);
• The location server then uses the geocoded locations associated with visible MAC address to triangulate the approximate location of the user;
• and this approximate location is geocoded and sent back to the user’s device.

So certainly the MAC addresses of all nearby phones and laptops are sent in to the geo-location server - not simply the MAC addresses of wireless access points that are broadcasting SSIDs.  And this is significant from a technical point of view.

Why not edit out the MAC addresses you don’t need prior to transmission, reducing transmission size, cost and the amount of work that the central database server must do? Clearly, it was considered useful to collect all the phone fingerprints - including those of non-subscribers.  Of course Google’s  WiFi cars also collect the same fingerprints - while driving past peoples’ homes.  So it is clearly possible for their system to match the fingerprints of non-subscribers to their home locations, and thus to their natural identities. 

Is this matching of non-subscribers being done today?  I have no idea.  But Google has put in place all the machinery to do it and pays a premium to operate its geolocation service so as to gather this information.  Further, if allowed to mature, the market for the extra intelligence collected about our behaviors will be immense.

So there is nothing unlikely about the scenario I describe.   I have now examined all the issues I wanted to bring to light and I’ll move on to other matters for a while.

I was taken back to an unforgettable experience I had in 2005 while working on the Laws of Identity.  I had finished the Fourth Law and understood theoretically why technical systems should use “unidirectional identifiers” (meaning identifiers limited to a defined context) rather than “universal identifiers” (things like social security numbers) unless the goal was to be completely public.  But there is a difference between understanding something theoretically and right in the gut.

Rather than retell the story, here is what I wrote on my blog in Just a few scanning machines on Tuesday 6 September 2005:

Since I seem to be on the subject of Bluetooth again, I want to tell you about an experience I had recently that put a gnarly visceral edge on my opposition to technologies that serve as tracking beacons for us as private individuals.

I was having lunch in San Diego with Paul Trevithick, Stefan Brands and Mary Rundle. Everyone knows Paul for his work with Social Physics and the Berkman identity wiki; Stefan is a tremendously innovative privacy cryptographer; and Mary is pushing the envelope on cyber law with Berkman and Stanford.

Suddenly Mary recalled the closing plenary at the Computers, Freedom and Privacy “Panopticon Conference” in Seattle.

She referred off-handedly to “the presentation where they flashed a slide tracking your whereabouts throughout the conference using your Bluetooth phone.”

Essentially I was flabbergasted. I had missed the final plenary, and had no idea this had happened.

Of course, to some extent I’m a public figure when it comes to identity matters, and tracking my participation at a privacy conference is, I suspect, fair game. Or at any rate, it’s good theatre, and drives home the message of the Fourth Law, which makes the point that private individuals must not be subjected - without their knowledge or against their will - to technologies that create tracking beacons.

Later Mary introduced me to Paul Holman from The Shmoo Group. He was the person who had put this presentation together, and given our mutual friends I don’t doubt his motives. In fact, I look forward to meeting him in person.

He told me:

“I take it you missed our quick presentation, but essentially, we just put Bluetooth scanning machines in a few of the conference rooms and had them log the devices they saw. This was a pretty unsophisticated exercise, showing only devices in discoverable mode. To get them all would be a lot more work. You could do the same kind of thing just monitoring for cell phones or WiFi devices or whatever. We were trying to illustrate a crude version of what will be possible with RFIDs.”

The Bluetooth tracking was tied in to the conference session titles, and by clicking on a link you could see the information represented graphically - including my escape to a conference center window so I could take a phone call.

Anyway, I think I have had a foretaste of how people will feel when networks of billboards and posters start tracking their locations and behaviors. They won’t like it one bit. They’ll push back.

A foretaste indeed

One of my readers wrote to say I should turn my Bluetooth broadcast off, and I responded:

You’re right, and I have turned it off. Which bothers me. Because I like some of the convenience I used to enjoy.

So I write about this because I’d rather leave my Bluetooth phone enabled, interacting only with devices run by entities I’ve told it to cooperate with.

We have a lot of work to do to get things to this point. I see our work on identity as being directed to that end, at least in part.

We need to be able to easily express and select the relationships we want to participate in - and avoid - as cyberspace progressively penetrates the world of physical things.

The problems of Bluetooth all exist in current Wifi too. My portable computer broadcasts another tracking beacon. I’m not picking on Bluetooth versus other technologies. Incredibly, they all need to be fixed. They’re all misdesigned.

If anything has shocked me while working on the Laws of Identity, it has been the discovery of how naive we’ve been in the design of these systems to date - a product of our failure to understand the Fourth Law of Identity. The potential for abuse of these systems is collosal - enterprises like the UK’s Filter are just the most benign tip of an ugly iceberg.

For everyone’s sake I try to refrain from filling in what the underside of this iceberg might look like

Google’s Street View group, which has been assembling a massive central registry of WiFi MAC addresses, has definitely crawled out from under this iceberg, and the project is more sinister than any I imagined only a few years ago.

But so as not to leave everyone feeling completely depressed, all the dreams of Billboards that recognize you from your Bluetooth phone have now been abandoned by Bluetooth manufacturers, and the specification has been greatly improved in light of the criticism it received.  Let’s hope that geo-location providers, and Google in particular, see the same light, and assure us they will no longer collect or store the MAC address of any device unless that collection is approved by the subscriber.

But before doing that he makes an important and novel point about why regulation may be useful even if it can’t “prevent all abuses”:

I’d discounted the payload snooping issue as a distraction because I’d believed (and still do) that it was almost certainly an unfortunate error. I’d then made the point that a legal barrier to a technical problem was insufficient to prevent the bad guys doing bad things but I used that as an excuse to ignore the problem – small scale abuses of this sort of thing are not good but systematic large scale abuses “benefit” from network scaling effects. You might not be able to prevent small scale\illegal abuse through legal means but just because you can’t does not mean that you can’t control large scale abuses this way. The benefits and dangers inherent in this data become exponentially worse as the scale of the database that contains it increases. Large scale means companies and companies react to regulation by being much more careful about what they do. If a technology that is already out there has major privacy issues the regulatory approach is the only way to keep a lid on the problem while the technologists argue about how to fix the bits. Even if we assume that the law was OK about companies creating Geo-location databases using WiFi SSID\MAC mapping, effective regulation would have made the additional mistake made by Google (assuming it was a mistake) much less likely.

Next he explains how WiFi works as a layered protocol in which MAC addresses are exposed despite encryption and SSID suppression:

Now the obvious question is should scanning for identifiers that are broadcast openly by all WiFi radio signals be acceptable and legal?

802.11 WiFi signals are pretty complex things - Wikipedia has a brief overview here for those who want to see the alphabet soup of standards involved. Despite the range of encoding\modulation schemes and the number of frequency bands and channels almost all 802.11 devices revert to a couple of basic communication modes. This makes it easy for devices to connect to each other, and it’s what makes public WiFi hotspots practical. However it also makes configuring a device to monitor WiFi traffic trivially easy – the hardware does all the heavy lifting and the standards don’t really do anything to stop it happening. An important feature of WiFi is that, even though the payload encryption standards can now be pretty robust, the data link layer is not protected from snooping. This means that the content (my Google searches, the video clip I’m streaming down from Youtube etc) can be pretty well kept away from prying eyes but, at what the Ethernet folks call layer 2, the logical structures called frames that carry your encrypted data transmit some control data in the open.

So even with WPA2’s thorough key management and AES encryption your WiFi traffic still contains quite a bit of chatter that isn’t hidden away. The really critical thing for me is that the layer 2 addresses, the Media Access Control (MAC) addresses, of the sender and receiver (generally your PC\Phone’s WiFi adaptor and your Access Point) for each frame are always visible. And remember that MAC addresses are globally unique identifiers by design. Individual WiFi networks are defined by another identifier, the Service Set Identifier or SSID – when you set up your home WiFi AP and call the network “MyWLAN” you are choosing an SSID. SSID’s are very important, you can’t connect to a wireless LAN without knowing the relevant SSID, but they are not secure even though they can be sort of hidden they are never protected and can always be seen by someone just watching your wireless traffic. Interestingly SSID’s are not globally unique – there’s generally no real issue so long as my chosen SSID doesn’t match that of another network that’s relatively close by.

So SSID’s are possibly visible but MAC addresses are definitely visible, and MAC addresses are unique. While driving along a street or sitting in a coffee shop, hotel lobby or conference room your WiFi adaptor will see dozens if not hundreds of WiFi packets all of which will contain globally unique MAC addresses. It is possible to hack some WiFi hardware to change the MAC address but that practice is rare. Your PC has a couple (one for the wired Ethernet adaptor which isn’t important here, and usually one for WiFi these days), your Wii\PS3\XBox-360 has one, so does your Nintendo DS, iPhone, PSP … you get the picture. Another feature of MAC addresses is that it is very easy to differentiate between the MAC address of a Linksys Access Point, an iPhone and a Nintendo DS – Network protocol analyzers have been doing that trick for decades.

So the systematic scanners out there (Google, Navizon, Skyhook and the rest) can drive around or recruit volunteers and gather location data and build databases of unique identifiers, device types, timestamps, signal strengths and possibly other data. The simplest (and most) benign use of that would be to pull out the ID’s of devices that are known to be fixed to one place (Access Points say) and use that for enabling Geo-location.

Joe then looks at what it means to start collecting and analyzing the MAC addresses of mobile devices.

It’s not a big leap to also track the MAC addresses that are more mobile. Get enough data points over a couple of months or years and the database will certainly contain many repeat detections of mobile MAC addresses at many different locations, with a decent chance of being able to identify a home or work address to go with it. Kim Cameron describes the start of this cascade effect in his most recent post, mapping the attendees at a conference to home addresses even when they’ve never consented to any such tracking is not going to be hard if you’ve gone to the trouble of scanning every street in every city in the country. With a minor bit of further analysis the same techniques could be used to get a good idea of the travel or shopping habits of almost everyone sitting in an airport departure lounge or the home addresses of everyone participating in a Stop The War protest.

And remember that even though you can only effectively use WiFi to send and receive data over a range of a few 10’s to maybe a 100m you can detect and read WiFi signals easily from 100’s to 1000’s of metres away without any special equipment.

The plans to blanket London with “Free WiFi” start to sound quite disturbing when you think about those possibilities.

To answer my own title question – MAC addresses can tell far more about you than you think and keeping databases of where and when they’ve been seen can be extremely dangerous in terms of privacy.

Finally, he compares WiFi to Bluetooth:

Bluetooth is a slightly different animal. It’s also a short range radio standard for data communications but it was developed from the ground up to replace wires and the folks building the standard got a lot of stuff right. It doesn’t appear to be all that bad from a privacy leakage perspective – when implemented correctly nothing is sent in clear text (the entire frame is encoded, not just the payload) and the frequency hopping RF behaviour makes it much harder to casually snoop on specific conversations. Bluetooth devices have a Bluetooth Device ID that is very like a MAC address (48 bits), with a manufacturer ID that enables broad classification of devices if the ID can be discovered but most Bluetooth devices keep that hidden most of the time by defaulting to a “not visible” mode even when Bluetooth is enabled. When actively communicating (paired) all data is encrypted so the device ID’s are not visible to a third party. Almost all modern Bluetooth devices only allow themselves to remain openly visible in this way for a short period of time before they revert to a safer non broadcasting mode. The main weakness is that when devices are set to “visible” the unique identifiers and other data can be scanned remotely and used in just the same way as scanned WiFi MAC addresses. That’s not to say that Bluetooth doesn’t have its share of security problems but they made an attempt to get some of the fundamentals right. It does also show that there is a practical way to approach the wireless privacy challenge which is good to see.

All in all a very nice explanation of the issues involved here.   The only thing I would add is that the early versions of Bluetooth had few of the privacy-respecting behaviors present in the recent specifications.  The consortium has really worked to clean up its act and we should all congratulate it.  This came about because privacy concerns came to be perceived as an adoption blocker. 

“I think it’s likely they committed a criminal misdemeanor of the Pen Register and Trap and Traces Device Act,” said Ohm, a prosecutor from 2001 to 2005 in the Justice Department’s Computer Crime and Intellectual Property Section. “For every packet they intercepted, not only did they get the content, they also have your IP address and destination IP address that they intercepted. The e-mail message from you to somebody else, the ‘to’ and ‘from’ line is also intercepted.”

“This is a huge irony, that this might come down to the non-content they acquired,” (.pdf) said Ohm, a professor at the University of Colorado School of Law.

I understand how people unacquainted with the emerging role of identity in the Internet can see this as an irony - a kind of side-effect - whereas in reality Google’s plan to establish a vast centralized database of device identifiers has much longer-term consequences than the misappropriation of content.  Metadata is no less important than other data -  and ”addresses” being referred to are really device identifiers clearly associated with individual users, much like the telephone numbers to which the statute applies.  Given the similarity to issues that arose with pre-Internet communication, we should perhaps not be surprised that there may already be regulation in place that prevents “registering” of the identifiers.

The Wired article continues:

Google said it was a coding error that led it to sniff as much as 600 gigabytes of data across dozens of countries as it was snapping photos for its Street View project. The data likely included webpages users visited and pieces of e-mail, video and document files…

The pen register act described by Ohm, which he said is rarely prosecuted, is usually thought of in terms of preventing unauthorized monitoring of outbound and inbound telephone numbers.

Violations are a misdemeanor and cannot be prosecuted by private lawyers in civil court, Ohm said. He said the act requires that Google “knew, or should have known” of the activity in question.

Google denies any wrongdoing.

In fact, Google knew about the collection of MAC addresses, and has never said otherwise or stated that their collection of these addresses was done accidently.  In fact they have been careful to never state explicitly that their collection was limited to Wireless Access Points.  The Gstumbler report makes it clear they were parsing and recording both the source and destination MAC addresses in all the WiFi frames they intercepted. 

The Wired article explains:

As far as a criminal court goes, it is not considered wiretapping “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.”

It is not known how many non-password-protected Wi-Fi networks there are in the United States.

What makes this especially interesting is the fact that it is not possible to configure a WiFi network so that the MAC addresses are hidden.  Use of passwords protects the communication content carried by the network, but does not protect the MAC addresses.  Configuring the WIreless Access Point not to broadcast an SSID does not prevent eavesdropping on MAC addresses either.   Yet we can hardly say the metadata is readily accessible to the general public, since it cannot be detected except acquiring and using very specialized programs. 

Wired draws the conclusion that,  “The U.S. courts have not clearly addressed the issue involved in the Google flap.”