Ben Adida has a list of achievements as long as my arm – many of which are related to privacy and security. His latest post concerns what he calls, “privacy advocacy theater… a problem that my friends and colleagues are guilty of, and I’m sure I’m guilty of it at times, too. Privacy Advocacy Theater is the act of extreme criticism for an accidental data breach rather than a systemic privacy design flaw. Example: if you’re up in arms over the Google Street View privacy “fiasco” of the last few days, you’re guilty of Privacy Advocacy Theater.”
Ben then proceeds to take me to task for this piece:
I also have to be harsh with people I respect deeply, like Kim Cameron who says that Google broke two of his very nicely crafted Laws of Identity. Come on, Kim, this was accidental data collection by code that the Google Street View folks didn’t even realize was running. (I’m giving them the benefit of the doubt. If they are lying, that’s a different problem, but no one’s claiming they’re lying, as far as I know.) The Laws of Identity apply predominantly to the systems that individuals choose to use to manage their data. If anyone is breaking the Laws of Identity, it’s the WiFi access points that don’t actively nudge users towards encrypting their WiFi network.
But let's hold on a minute. My argument wasn't about the payload data that was collected accidentally. It was about the device identification data that was collected on purpose. As Google's Alan Eustace put it:
We said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data…
Device identifiers were collected on purpose
SSID and MAC addresses are the identifiers of your devices. They are transmitted as part of the WiFi traffic just like the payload data is. And they are not “publicly broadcast” any more than the payload data is.
Yet Google consciously decided to abscond with, tabulate and monetize the identities of our personal, business and home devices. The identifiers are persistent and last for the lifetime of the devices. Their collection, cataloging and use is, in my view, more dangerous than the payload data that was collected. Why? The payload data, though deeply personal, is transient and represents a single instant. The identifiers are persistent, and the Street View WiFi plan was to use them for years.
Let's be clear: Identity has as much to do with devices, software, services and organizations as with individuals. And equally important, identity is about the relationships between these things. In fact identity can only be adequately expressed through the relationships (some call it context).
When Google says, “MAC addresses are a simple hardware ID assigned by the manufacturer” and “We cannot identify an individual” using those “simple hardware IDs”, it sounds like the devices found in your home and briefcase and pocket have nothing to do with you as a flesh and blood person. Give me a break! It reminds me of an old skit by “Beyond the Fringe” where a police inspector points out that “Once you have identified the criminal's face, the criminal's body is likely to be close by…” Our identities and the identities of our devices are related, and understanding this relationship is essential to getting identity and privacy right.
One great thing about blogging is you find out when you haven't been clear enough. I hope I'm making progress in expressing the real issues here: the collection of device identifiers was purposeful, and this represents precisely the kind of “systemic privacy design flaw” to which Ben refers.
It bothers me that this disturbing systemic privacy design flaw – for which there has been no apology – is being obscured through the widely publicized apology for a completely separate and apparently accidental sin.
In contemporary networks, the hardware ID of the device is NOT intended to be a “universal identifier”. It is intended to be a “unidirectional identifier” (see The Fourth Law) employed purely to map between a physical machine and a transient, local logical address. Many people who read this blog understand why networking works this way. In Street View WiFi, Google was consciously misusing this unidirectional identifier as a universal identifier, and misappropriating it by insinuating itself, as eavesdropper, into our network conversations.
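To make the unidirectional-versus-universal distinction concrete, here is an added illustration (my own example, not code from Google or from any Laws of Identity implementation). It runs a constructed, fictional set of drive-by sightings through two treatments: keying on the raw hardware ID, which links one router across days and places, and keying on a context-scoped HMAC of that ID (a hypothetical collector-side design following the Fourth Law), under which the same router is unlinkable between contexts.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample sightings (fictional MACs, SSIDs and places), each one
# a "day, place" observation of an access point's persistent hardware ID.
OBSERVATIONS = [
    {"day": 1,  "place": "Main St", "mac": "00:11:22:33:44:55", "ssid": "HomeNet"},
    {"day": 30, "place": "Main St", "mac": "00:11:22:33:44:55", "ssid": "HomeNet"},
    {"day": 31, "place": "Elm Ave", "mac": "00:11:22:33:44:55", "ssid": "HomeNet"},
    {"day": 1,  "place": "Main St", "mac": "66:77:88:99:aa:bb", "ssid": "CoffeeShop"},
]

# Hypothetical per-context secrets held by the collector (constructed values).
CONTEXT_KEYS = {"Main St": b"main-st-context-key", "Elm Ave": b"elm-ave-context-key"}


def correlate_by_hardware_id(observations):
    """Group sightings by the raw MAC: this is the hardware ID used as a
    universal identifier, so one device is linked across days and places."""
    by_mac = defaultdict(list)
    for o in observations:
        by_mac[o["mac"]].append((o["day"], o["place"]))
    return dict(by_mac)


def directed_identifier(mac, context_key):
    """Derive a unidirectional identifier: a keyed hash of the MAC scoped to one
    context. Same MAC, different context key -> unlinkable values."""
    digest = hmac.new(context_key, mac.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def correlate_by_directed_id(observations, keys_by_context):
    """Group sightings by the context-scoped identifier instead of the raw MAC.
    Linking only survives inside a single context (here, a place)."""
    by_id = defaultdict(list)
    for o in observations:
        did = directed_identifier(o["mac"], keys_by_context[o["place"]])
        by_id[did].append((o["day"], o["place"]))
    return dict(by_id)


if __name__ == "__main__":
    print("universal:", correlate_by_hardware_id(OBSERVATIONS))
    print("directed: ", correlate_by_directed_id(OBSERVATIONS, CONTEXT_KEYS))
```

With the raw MAC the HomeNet router is one record spanning two addresses and a month; with the directed form the Elm Ave sighting cannot be tied to the Main St ones.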
Ben says, “The Laws of Identity apply predominantly to the systems that individuals choose to use to manage their data.” But I hope he rethinks this in the context of what identity really is, its use in devices and systems, and the fact that human, device and service identities are tied together in what one day should be a trustworthy system. I also hope to see Google apologize for its misuse of our device identities, and assure us they will not be used in any of their systems.
Finally, despite Ben's need to rethink this matter, I do love his blog, and strongly agree with his comments on Opera Mini, discussed in the same piece.