Joe Mansfield's comment that Bluetooth “doesn’t appear to be all that bad from a privacy leakage perspective” left me rummaging through memory lane – awakening memories that may help explain why I now believe that world-wide databases of MAC addresses constitute a central socio-technical problem of our time.
I was taken back to an unforgettable experience I had in 2005 while working on the Laws of Identity. I had finished the Fourth Law and understood theoretically why technical systems should use “unidirectional identifiers” (meaning identifiers limited to a defined context) rather than “universal identifiers” (things like social security numbers) unless the goal was to be completely public. But there is a difference between understanding something theoretically and right in the gut.
Rather than retell the story, here is what I wrote on my blog in Just a few scanning machines on Tuesday 6 September 2005:
Since I seem to be on the subject of Bluetooth again, I want to tell you about an experience I had recently that put a gnarly visceral edge on my opposition to technologies that serve as tracking beacons for us as private individuals.
I was having lunch in San Diego with Paul Trevithick, Stefan Brands and Mary Rundle. Everyone knows Paul for his work with Social Physics and the Berkman identity wiki; Stefan is a tremendously innovative privacy cryptographer; and Mary is pushing the envelope on cyber law with Berkman and Stanford.
She referred off-handedly to “the presentation where they flashed a slide tracking your whereabouts throughout the conference using your Bluetooth phone.”
Essentially I was flabbergasted. I had missed the final plenary, and had no idea this had happened.
|Kim Cameron Mobile
|Grand I (G1)||Wed 09:32||09:32||????|
|Grand Crescent (gc)||Wed 09:35||09:35||Adware and Privacy: Finding a Common Ground|
|Grand I (G1)||Wed 09:37||09:37||????|
|Grand Crescent (gc)||Wed 09:41||09:42||Adware and Privacy: Finding a Common Ground|
|Grand I (G1)||Wed 09:46||09:47||????|
|Grand III (g3)||Wed 10:18||10:30||Intelligent Video Surveillance|
|Baker (ol)||Wed 10:33||10:42||Reforming E-mail and Digital Telephonic Privacy|
|Grand III (g3)||Wed 10:47||10:48||Intelligent Video Surveillance|
|Grand Crescent (gc)||Wed 11:25||11:26||Adware and Privacy: Finding a Common Ground|
|Grand III (g3)||Wed 11:46||12:22||Intelligent Video Surveillance|
|5th Avenue (5a)||Wed 12:33||12:55||????|
|Grand III (g3)||Wed 13:08||14:34||Plenary: Government CPOs: Are they worth fighting for?|
Of course, to some extent I'm a public figure when it comes to identity matters, and tracking my participation at a privacy conference is, I suspect, fair game. Or at any rate, it's good theatre, and drives home the message of the Fourth Law, which makes the point that private individuals must not be subjected – without their knowledge or against their will – to technologies that create tracking beacons.
Later Mary introduced me to Paul Holman from The Shmoo Group. He was the person who had put this presentation together, and given our mutual friends I don't doubt his motives. In fact, I look forward to meeting him in person.
He told me:
“I take it you missed our quick presentation, but essentially, we just put Bluetooth scanning machines in a few of the conference rooms and had them log the devices they saw. This was a pretty unsophisticated exercise, showing only devices in discoverable mode. To get them all would be a lot more work. You could do the same kind of thing just monitoring for cell phones or WiFi devices or whatever. We were trying to illustrate a crude version of what will be possible with RFIDs.”
The Bluetooth tracking was tied in to the conference session titles, and by clicking on a link you could see the information represented graphically – including my escape to a conference center window so I could take a phone call.
Anyway, I think I have had a foretaste of how people will feel when networks of billboards and posters start tracking their locations and behaviors. They won't like it one bit. They'll push back.
A foretaste indeed
One of my readers wrote to say I should turn my Bluetooth broadcast off, and I responded:
You’re right, and I have turned it off. Which bothers me. Because I like some of the convenience I used to enjoy.
So I write about this because I’d rather leave my Bluetooth phone enabled, interacting only with devices run by entities I’ve told it to cooperate with.
We have a lot of work to do to get things to this point. I see our work on identity as being directed to that end, at least in part.
We need to be able to easily express and select the relationships we want to participate in – and avoid – as cyberspace progressively penetrates the world of physical things.
The problems of Bluetooth all exist in current Wifi too. My portable computer broadcasts another tracking beacon. I’m not picking on Bluetooth versus other technologies. Incredibly, they all need to be fixed. They’re all misdesigned.
If anything has shocked me while working on the Laws of Identity, it has been the discovery of how naive we’ve been in the design of these systems to date – a product of our failure to understand the Fourth Law of Identity. The potential for abuse of these systems is collosal – enterprises like the UK’s Filter are just the most benign tip of an ugly iceberg.
For everyone’s sake I try to refrain from filling in what the underside of this iceberg might look like
Google's Street View group, which has been assembling a massive central registry of WiFi MAC addresses, has definitely crawled out from under this iceberg, and the project is more sinister than any I imagined only a few years ago.
But so as not to leave everyone feeling completely depressed, all the dreams of Billboards that recognize you from your Bluetooth phone have now been abandoned by Bluetooth manufacturers, and the specification has been greatly improved in light of the criticism it received. Let's hope that geo-location providers, and Google in particular, see the same light, and assure us they will no longer collect or store the MAC address of any device unless that collection is approved by the subscriber.