{"id":1117,"date":"2010-06-07T14:51:08","date_gmt":"2010-06-07T22:51:08","guid":{"rendered":"\/?p=1117"},"modified":"2010-06-12T01:47:23","modified_gmt":"2010-06-12T09:47:23","slug":"more-input-and-points-of-view","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1117","title":{"rendered":"More input and points of view"},"content":{"rendered":"

Dave Nikolejsin, CIO of British Columbia and a man who sees identity as the key to efficient government, writes:<\/p>\n

“I agree with your comments and focus on the MAC layer data collection going on with Google. One observation I would have re all the \u201cother\u201d similar type activity would be that no others have Google\u2019s resources and thus no others are doing systematic sweep of the western world on such a data gathering mission. As we all know the value of data increases in an N-squared manner and the \u201cN\u201d once Google is done will be a big number.”<\/p>\n

Dave\u00a0goes on to compare\u00a0wirelesstapping\u00a0with Facebook's privacy\u00a0problems and makes what I think is\u00a0a very insightful comment:<\/p>\n

At least (for all its warts) we actually willingly give our info to Facebook!<\/p>\n

Heavy duty SOA architect Gunnar Peterson<\/a> (an expert on Service-Oriented Security)\u00a0condenses our discussion to date and comes out strongly in\u00a0favor<\/a> of the arguments I've been making with regards to the wirelesstapping of MAC addresses:\u00a0<\/p>\n

Google's Macondo<\/span> Street View team cannot seem to get the right combination of top kill or cap to fit on its MAC spillage. Your MAC is not like a house number<\/a> (which everyone knows and are used for many purposes), MAC address is scoped to one use. There's no harm in collecting MACs, the hell you say, there's a number of evil emergent cocktails<\/a> that can come out of this. Its not so much the MAC itself, its the association of the MAC and the gelocation and time – combining something unique like MAC with geolocation.<\/p>\n

This looked like a rogue team (or as Google put it last week a “rogue software engineer<\/a>“) until this shocking announcement<\/a> that Google is patenting (emphasis added) – “The invention pertains to location approximation of devices, e.g., wireless access points and client devices<\/strong> in a wireless network.”<\/p>\n

It seems pretty obvious that any number of permutations of problems<\/a>\u00a0\u00a0will result by combining private client data and geolocation. Maybe Google books should scan a copy of J.C. Cannon's book “Privacy: What Developers and IT Professionals Should Know”<\/a>\u00a0and Stefan Brands Primer on User Identification<\/a>. \u00a0In both works you see the risks of promiscuously mixing identification cocktails and the unexpected leakages that result. In addition, what does benefit to the user who is being spied upon does all this spying create…?<\/p>\n

[More here<\/a>]<\/p>\n

It's true that\u00a0J.C. and Stefan both do a great job of helping explain the issues at play here, and I advise people who want to understand the issues better to check out their work.<\/p>\n

Hal Berenson got back to me after my response to him<\/a>, saying,<\/p>\n

One thing I would suggest is that you write language attempting to ban what you want to ban and let the rest of us poke holes in it\u00a0 – meaning, show all the legitimate scenarios you would make illegal or accidental criminals you would create… \ud83d\ude42<\/p>\n

I have total sympathy with this concern of course.\u00a0 We want the minimum intervention necessary.\u00a0 But\u00a0our society has come to realize there are\u00a0many instances where consumers and\u00a0citizens\u00a0need be protected in various ways.\u00a0\u00a0In introducing these protections, lawmakers had to deal with\u00a0exactly the same difficult concerns about balancing rights.\u00a0 The good news here:\u00a0 our legal system seems to handle this just fine.\u00a0 In fact, that's what it is\u00a0about.\u00a0\u00a0 So I will leave the crafting of the appropriate disincentives to professionals.<\/p>\n

Ted Howard, who has broad experience including in the Games industry, commented,<\/p>\n

Regarding the issues of Google's collection of MAC addresses and wireless SSIDs:<\/span><\/p>\n

“If I leave my blinds open so that I can get sun into my home, that means I\u00a0have no problem with anyone walking past my house pausing to watch me in my home. When I talk with a friend while walking in the park, that means I cannot\u00a0be bothered by a stranger walking alongside us listening to every word. In both cases, am I “publicly broadcasting” something or is the broadcast just a side effect of my activities? The analogy should be clear.<\/span><\/p>\n

\u00a0<\/p>\n

“Do a survey to see how many wireless router owners understand what MAC and SSID are. I suspect that very few (< 5%) people know. If they don't know what these are, then how can anyone claim that these people have been intentionally publicly broadcasting these with an understanding that the broadcast has become publicly-available knowledge? Government regulation exists to, among other reasons, protect the public when the public needs protection and would otherwise be unprotected. This seems to me like a good case for protecting the truly ignorant public.<\/span><\/p>\n

Journalist Mary Branscombe <\/a>comments:<\/p>\n

For me there are 3 big questions.<\/p>\n

    \n
  1. \n
    How much info did or could someone capture; and by the way Google is in the data capture and data mining\/machine learning business and that data *has* been used because if they didn't know it was there they didn't know they had to exclude it.<\/div>\n<\/li>\n
  2. \n
    How personally identifiable or anonymised that information is (i don't think my phone has a bunch of captured MAC addresses and if it does I don't think it has any pii about them but I may be wrong.<\/div>\n<\/li>\n
  3. \n
    How much people care. What is public or private about my SSID or about my MAC address? (I honestly don't know is how much you can find out about me from my MAC address but I'm assuming not much; if I'm wrong that's a data point! I know in 2007 Skyhook told me they were confident they had privacy cracked but they would and they're not the only people and they're the good guys…)<\/div>\n<\/li>\n<\/ol>\n

    Location services is a *huge* business and people are oversharing location information for trivial rewards (see Foursquare). 8000 apps use Skyhook location data. It's Facebook with co-ordinates. I don't think we can not do this – but I think we can regulate and do it more safely.<\/p>\n

    In answer to Mary's question two, systems like the Street View Wifi system exist to map peoples’ device MAC addresses to their residential address, as described in the Google patent.\u00a0 Her point about big business is a BIG POINT.\u00a0 But to me it just increases the urgency to give people the geo-location capabilities they want without creating a privacy chernoble that will explode down the line.<\/p>\n

    Jan and Susan Huffman write,<\/p>\n

    “Standing naked in my front yard is like broadcasting my MAC address. \u00a0If I don\u2019t want people to look at me naked in my front yard, I wear clothes. I don\u2019t ask that the law punish those who might take a look through the bushes.<\/p>\n

    My response:\u00a0 your MAC address is visible in your wireless packets no matter what you do.\u00a0 Turning on encryption doesn't help.\u00a0 So there are no clothes to put on.\u00a0 <\/em>The analogy with clothes and bushes therefore just doesn't stand up.\u00a0 Furthermore, in most neighborhoods, if you spend your time trawling the neighborhood and peeking through bushes you end up with people giving you a pretty hard time…\u00a0 Maybe that's what's happening here.<\/p>\n

    \u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

    Some comments from readers<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,47,11,77],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1117"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1117"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1117\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}