{"id":1105,"date":"2010-06-02T01:07:13","date_gmt":"2010-06-02T09:07:13","guid":{"rendered":"\/?p=1105"},"modified":"2010-06-19T23:24:54","modified_gmt":"2010-06-20T07:24:54","slug":"i-just-did-it-because-skyhook-did-it","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1105","title":{"rendered":"&#8220;I just did it because Skyhook did it&#8221;"},"content":{"rendered":"<p>I received\u00a0a helpful and informed comment by\u00a0<a href=\"http:\/\/www.open-mike.org\/about\" class=\"broken_link\">Michael Hanson<\/a> at\u00a0Mozilla Labs on the Street View MAC Address issue:<\/p>\n<p style=\"PADDING-LEFT: 30px\">I just wanted to chip in and say that the practice of wardriving to create a SSID\/MAC geolocation database is hardly unique to Google.<\/p>\n<p style=\"PADDING-LEFT: 30px\">The practice was invented by <a href=\"http:\/\/en.wikipedia.org\/wiki\/Skyhook_Wireless\">Skyhook Wireless<\/a>], formerly Quarterscope. The iPhone, pre-GPS, integrated the technology to power the Maps application. There was <a href=\"http:\/\/davetroy.blogspot.com\/2008\/01\/apple-knows-where-you-are-sniffing.html\">some discussion<\/a> of how this technology would work back in 2008, but it didn&#39;t really break out beyond the community of tech developers. I&#39;m not sure what the connection between Google and Skyhook is today, but I do know that Android can use the Skyhook database.<\/p>\n<p style=\"PADDING-LEFT: 30px\">Your employer recently<a href=\"http:\/\/www.navizon.com\/Microsoft_selects_navizon_for_geolocation.asp\" class=\"broken_link\"> signed a deal <\/a>with Navizon, a company that employs crowdsourcing to construct a database of WiFi endpoints.<\/p>\n<p style=\"PADDING-LEFT: 30px\">Anyway &#8211; I don&#39;t mean to necessarily weigh in on the question of the legality or ethics of this approach, as I&#39;m not quite sure how I feel about it yet myself. The alternative to a decentralized anonymous geolocation system is one based on a) GPS, which requires the generosity of a space-going sovereign to maintain the satellites and has trouble in dense urban areas, or b) the cell towers, which are inefficient and are used to collect our phones&#8217; locations. There&#39;s a recent <a href=\" https:\/\/issg.cs.duke.edu\/~ionut\/2010_compacc.pdf\" class=\"broken_link\">paper by Constandache (et al)<\/a> at Duke that addresses the question of whether it can be done with just inertial reckoning&#8230; but it&#39;s a tricky problem.<\/p>\n<p style=\"PADDING-LEFT: 30px\">Thanks for the post.<\/p>\n<p>The scale of\u00a0the &#8220;wardriving&#8221;\u00a0[can you beieve the name?] boggles\u00a0my mind, and the fact that this has gone on for so long without attracting public attention is a little incredible.\u00a0\u00a0But in spite of the scale, I don&#39;t think\u00a0the <a href=\"http:\/\/googlepolicyeurope.blogspot.com\/2010\/04\/data-collected-by-google-cars.html\">argument\u00a0<\/a><span style=\"font-family: Arial;\"> <\/span>that it&#39;s OK to do something because other people have already done it\u00a0will hold much water with regulators or the thinking public\u00a0 In fact\u00a0\u00a0it all sounds a bit like a\u00a0teenager trying to\u00a0avoid\u00a0his detention\u00a0because\u00a0he\u00a0was\u00a0&#8220;just doing what Johnny did.&#8221;<\/p>\n<p>As\u00a0Michael say, one can argue that there are benefits to drive-by device identity theft.\u00a0\u00a0In fact, one can argue that there would be\u00a0benefits\u00a0to appropriating and reselling all kinds of private information and property.\u00a0 But in most cases we hold ourselves back, and find other,\u00a0socially acceptable ways of achieving the same benefits.\u00a0 We should do the same here.<\/p>\n<p><strong>Are these databases decentralized and anonymous?<\/strong><\/p>\n<p>As hard as I try, I don&#39;t\u00a0see how one can say\u00a0the databases are decentralized and anonymous.\u00a0 For starters, they are highly centralized, allowing monetized lookup of any<a href=\"http:\/\/en.wikipedia.org\/wiki\/MAC_address\"> MAC address <\/a>in the world.\u00a0 Secondly, they are not anonymous\u00a0&#8211; the databases contain the identity information of our personal devices as well as their exact locations in molecular space.\u00a0\u00a0 It is\u00a0strange to me that\u00a0personal information can just be &#8220;declared to be public&#8221; by those who will benefit from\u00a0that in their businesses.<\/p>\n<p><strong>Do these databases\u00a0protect our\u00a0privacy in some way?\u00a0 <\/strong><\/p>\n<p>No &#8211; they erode it more than before.\u00a0 Why?<\/p>\n<p>Location information has\u00a0long been available to\u00a0our telephone\u00a0operators, since they use cell-tower triangulation.\u00a0 This conforms to the Law of Justifiable Parties &#8211; they need to know where we are (though not to remember it) to provide us with our phone service.\u00a0<\/p>\n<p><em>But now yet another\u00a0party has insinuated itself into the mobile location\u00a0equation: the MAC database operator &#8211;\u00a0be it Google, Skyhook or Navizon.<\/em>\u00a0<\/p>\n<p>If\u00a0you carry a cell phone that uses one of these databases &#8211; and maybe\u00a0you already do &#8211;\u00a0your phone queries\u00a0the database for the locations of MAC addresses it detects.\u00a0 This means means that in additon to your phone company, a\u00a0database\u00a0company\u00a0is constantly being informed\u00a0about\u00a0your exact location.\u00a0\u00a0\u00a0From what Michael says it seems the\u00a0cell phone vendor might additionally get in the middle of this\u00a0location reporting\u00a0&#8211;\u00a0<em>all parties who\u00a0have no business being part of the location transaction unless you specifically opt to include them.<\/em><\/p>\n<p>Exactly\u00a0what MAC addresses does your phone collect and submit to the database for location analysis?\u00a0 Clearly, it might be <strong>all the MAC addresses detected in its vicinity<\/strong>, including those of other phones and devices&#8230;\u00a0\u00a0You would then be revealing not only your own location information, but that of\u00a0your friends, colleagues, and even of complete strangers who\u00a0happen to be passing by &#8211; even if they have their\u00a0<em>location features turned off<\/em>!\u00a0<\/p>\n<p>Having\u00a0broken into our home device-space to take our network\u00a0identifiers without our consent, these database operators are thus able to turn themselves into intelligence\u00a0services\u00a0that know not only the locations of people who have opted into their system, but of people who have opted out.\u00a0 I predict that this situation will not be allowed to stand.<\/p>\n<p>Are there any controls on this, on what\u00a0WiFi sniffing outfits\u00a0can do with their information,\u00a0and on\u00a0how they relate it to other information collected on us, on who they sell it to?<\/p>\n<p>I don&#39;t know anything about Navizon or the way it uses crowdsourcing, but I am\u00a0no happier with the idea that crowds are &#8211; probably without their knowledge &#8211; eavesdropping on my network\u00a0to the benefit of some technology outfit.\u00a0 Do people know how they are being used to scavenge private network identifiers &#8211; and potentially even the device identifiers of their friends and colleagues?<\/p>\n<p>Sadly, it seems\u00a0we might now have a competitive environment in which all the cell phone\u00a0makers will\u00a0want to employ these databases.\u00a0 The question for me is one of whether, as these issues come to the attention of the general public and its representatives, a technology breaking two Laws of Identity will actually survive without major reworking.\u00a0\u00a0My prediction is that it will not.\u00a0<\/p>\n<p>Reaping private identifiers is a mistake that, uncorrected, \u00a0will haunt us as we move into the age of the smart home and the smart grid.\u00a0 Sooner or later society will nix it as acceptable behavior.\u00a0 Technologists will save a lot of trouble\u00a0if we\u00a0make our mobile location systems conform\u00a0with reasonable expectations of privacy and security<em> starting now<\/em>.<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>MAC database operators will know not only the locations of people who opt into their system, but of people who opt out, since people who opt in report the device identities of those who don&#39;t.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[21,71,2,3,47,11,77],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1105"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1105"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1105\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}