{"id":1107,"date":"2010-06-03T00:34:43","date_gmt":"2010-06-03T08:34:43","guid":{"rendered":"\/?p=1107"},"modified":"2010-06-19T23:24:07","modified_gmt":"2010-06-20T07:24:07","slug":"ben-adida-discussion-of-device-identifiers-is-necessary","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1107","title":{"rendered":"Ben Adida releases me from the theatre"},"content":{"rendered":"<p>When I published\u00a0<a href=\"\/?p=1102\">Misuse of network identifiers was done on purpose<\/a>,\u00a0<a class=\"tweet-url screen-name broken_link\" href=\"http:\/\/twitter.com\/benadida\">Ben Adida<\/a>\u00a0 twittered that &#8220;Kim Cameron answers my latest post with some good points I need to think about&#8230;&#8221;.\u00a0\u00a0And he came through on that\u00a0promise, even\u00a0offering me\u00a0a &#8220;Get out of theatre free&#8221; card:<\/p>\n<p style=\"padding-left: 30px;\">&#8220;A few days ago, I wrote about Privacy Advocacy Theater and lamented how some folks, including EPIC and Kim Cameron, are attacking Google in a needlessly harsh way for what was an accidental collection of data.\u00a0 Kim Cameron responded, and he is right to point out that my argument, in the Google case, missed an important issue.<\/p>\n<p style=\"padding-left: 30px;\">&#8220;Kim points out that two issues got confused in the flurry of press activity: the accidental collection of payload data, i.e. the URLs and web content you browsed on unsecured wifi at the moment the Google Street View car was driving by, and the intentional collection of device identifiers, i.e. the network hardware identifiers and network names of public wifi access points.\u00a0 Kim thinks the network identifiers are inherently more problematic than the payload, because they last for quite a bit of time, while payload data, collected for a few randomly chosen milliseconds, are quite ephemeral and unlikely to be problematic.\u00a0 [Just for the record, I didn&#39;t actually say &#8220;unlikely to be problematic&#8221;\u00a0&#8211; Kim]<\/p>\n<p style=\"padding-left: 30px;\">&#8220;Kim\u2019s right on both points. Discussion of device identifiers, which I missed in my first post, is necessary, because the data collection, in this case, was intentional, and apparently was not disclosed, as documented in EPIC\u2019s letter to the FCC. If Google is collecting public wifi data, they should at least disclose it. In their blog post on this topic, Google does not clarify that issue.<\/p>\n<p style=\"padding-left: 30px;\">&#8220;So, Google, please tell us how long you\u2019ve been collecting network identifiers, and how long you failed to disclose it. It may have been an oversight, but, given how much other data you\u2019re collecting, it would really improve the public\u2019s trust in you to be very precise here.&#8221;<\/p>\n<p>Ben also says my initial post seems &#8220;to weave back and forth between both issues&#8221;.\u00a0 In fact I see payload and header being two parts of the same WiFi packet.\u00a0 Google &#8220;accidently&#8221; collected one part of the packet but collected the other part on purpose.\u00a0 I\u00a0think it is\u00a0really bizarre that\u00a0a lot of technical people\u00a0consider\u00a0one part of the packet (emails and instant messages) to be private,\u00a0and then\u00a0for some irrational reason assume\u00a0the other part of the same packet (the\u00a0<a href=\"http:\/\/en.wikipedia.org\/wiki\/MAC_address\">MAC address<\/a>) is public.\u00a0 This makes no sense and as an architect it drives me nuts.\u00a0 <em>Stealing one part of the\u00a0WiFi packet\u00a0is as bad as stealing another<\/em>.<\/p>\n<p>Ben also says,<\/p>\n<p style=\"padding-left: 30px;\">&#8220;I agree that device privacy can be a big deal, especially when many people are walking around with RFIDs in their passports, pants, and with bluetooth headsets. But, in this particular case, is it a problem? If Google really only did collect the SSIDs of open, public networks that effectively invite anyone to connect to them and thus discover network name and device identifier, is that a violation of privacy, or of the Laws of Identity? I\u2019m having trouble seeing the harm or the questionable act. Once again, these are public\/open WiFi networks.&#8221;<\/p>\n<p>Let me be clear:\u00a0 If Google or any other operator only collected the SSIDs of &#8220;open, public networks that invite anyone to connect to them&#8221; there would be zero problem from the point of view of the Laws of Identity.\u00a0 They would, in\u00a0the terminology of Law Four, be collecting &#8220;universal identifiers&#8221;.\u00a0<\/p>\n<p>But when you drive down a street, the vast majority of networks you encounter are NOT public, and are NOT inviting just anyone to connect to them.\u00a0 <em>The routers\u00a0emit packets\u00a0so the\u00a0designated users of the network can connect to them, not so others can connect to them, hack them, map them or use them for commercial purposes.\u00a0 <\/em>If one is to talk about intent, the intent is for private, unidirectional identifiers to be used within a constrained scope.<\/p>\n<p>In other words,\u00a0as much as I wish I didn&#39;t have to do so, I must\u00a0strongly dispute Ben&#39;s assertion that &#8220;Once again, these are public\/open WiFi networks&#8221; and insist that private\u00a0identifiers are being misappropriated.<\/p>\n<p>In matters of eavesdropping I\u00a0subscribe to\u00a0EPIC&#39;s argument\u00a0that proving harm is not essential &#8211; it is the eavesdropping itself which is problematic.\u00a0 However, in my next post I&#39;ll\u00a0talk about harm, and the problems of a vast world-wide system capable of inference based on use of device identifiers.<\/p>\n<p>\u00a0\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stealing one part of the WiFi packet is as bad as stealing another.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,17,3,11,77],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1107"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1107"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1107\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}