Schneier on Security
A blog covering security and security technology.
« U.S. Navy Fleet Broadcast Security |
| Instantaneous Data Grabbing »
November 4, 2005
A 24/7 Wireless Tracking Network
It's at MIT:
MIT's newly upgraded wireless network -- extended this month to cover the entire school -- doesn't merely get you online in study halls, stairwells or any other spot on the 9.4 million square foot campus. It also provides information on exactly how many people are logged on at any given location at any given time.
It even reveals a user's identity if the individual has opted to make that data public.
MIT researchers did this by developing electronic maps that track across campus, day and night, the devices people use to connect to the network, whether they're laptops, wireless PDAs or even Wi-Fi equipped cell phones.
WiFi is certainly a good technology for this sort of massive surveillance. It's an open and well-standardized technology that allows anyone to go into the surveillance business. Bluetooth is a similar technology: open and easy to use. Cell phone technologies, on the other hand, are closed and proprietary. RFID might be the preferred surveillance technology of the future, depending on how open and standardized it becomes.
Whatever the technology, privacy is a serious concern:
While every device connected to the campus network via Wi-Fi is visible on the constantly refreshed electronic maps, the identity of the users is confidential unless they volunteer to make it public.
Those students, faculty and staff who opt in are essentially agreeing to let others track them.
"This raises some serious privacy issues," Ratti said. "But where better than to work these concerns out but on a research campus?"
Rich Pell, a 21-year-old electrical engineering senior from Spartanburg, S.C., was less than enthusiastic about the new system's potential for people monitoring. He predicted not many fellow students would opt into that.
"I wouldn't want all my friends and professors tracking me all the time. I like my privacy," he said. "I can't think of anyone who would think that's a good idea. Everyone wants to be out of contact now and then."
Posted on November 4, 2005 at 12:44 PM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Like many other systems, it's only a concern if it's abused. Things like this do make life much easier for administrators - letting you plan capacity and track problems.
FYI, Cisco has a product - the 2700-series Wireless Location Appliance - that does more or less the same thing:
CMU reported on something similar at this years ISWC conference, though theirs was a study rather than an application that lets others see where you are:
Analysis of Movement and Mobility of Wireless Network Users
Of course, it's only tracking you if you have your laptop with you, and it's on. If you left your laptop in your dorm room while you went out to cause trouble, the system still thinks you're in your room.
This, coupled with the "opt in" nature of it, leads it to not bother me.
Wouldn't it be very easy to fool? You need to sniff a couple of active MAC addresses and then just do the change on yours and you have automagically become someone else.
Well, you know how they say college campuses can have some pretty crazy "wildlife"...
"Researchers at the University of Missouri have mounted wireless video cameras on white-tailed deer to get a better idea of how the animals see their world and what's behind their behavior."
Privacy issues indeed. I like the MIT's senior engineer's eagle-eyed of this, as quoted above:
"I can't think of anyone who would think that's a good idea. Everyone wants to be out of contact now and then."
Sure, if you're the hunted trying to get away from the hunter. The temptation for corporations to track consumers and understand human behavior is a major concern -- it's like asking a canning company if they would rather just shoot fish in a barrel.
Could MIT find it convenient to subsidize their wireless network (for study purposes only, of course) through grants and advertising from sponsors?
Frankly, the MIT evaluation should account for the fact that location-specific advertising is seen as a viable method for providers to make money on a centrally managed wifi service. That would be more insightful as an exercise since it brings the real guns to the table in terms of corporate interests versus the public's right to privacy:
Also, I remember consulting with some software companies that wanted to track cell-phone locations (even through an opt-in method) as a way to establish the popularity of an event or venue. Imagine seeing a real-time tracking report that says all the cool people are reporting to the system that they are over at Joe's Pizza...the huge incentives to abuse this kind of system are pretty easy to predict, but it's not clear that anyone is establishing sufficient controls to deter/detect actual abuse.
Beyond privacy, what about the safety concerns. This type of system would give a "bird's eye" view wrt concentrations of (technically savy) people and the specific locations, days, and times those concentrations occur. Not that one couldn't get similar info by plain old in-person surveillance, but this type of system makes it much easier (and could even be done remotely). Seems that "bad guys" (i.e. terrorists, thieves, whatever) that like to target large groups of people would have a great new way to gather intelligence on their potential victims. In the case of a terrorist, to remotely detonate a bomb either by predicted patterns of people concentration or observing the data in real time.
Only a concern if it's abused?
I think that the ability to blend into a crowd is a little too important to write it off with such a dismissive statement.
Would you say a program that held a loaded gun held to someone's head was only a concern if it was abused by having the safety off? Disregard for safety like that, just like any sort of mass tracking, is wrong on a very fundamental level.
"Like many other systems, it's only a concern if it's abused."
The problem with a statement like this is that it's true for everything. Hence, it's a meaningless criteria with which to judge different systems.
Back @ Stephen
Yes, it's only a concern if it's abused. The system doesn't track people. It tracks active, radiating devices that are participating on a campus network owned by MIT. Don't want to be tracked? Don't participate. Nobody's sticking a gun to anybody's head as your incredibly poor analogy suggests. Sticking a gun to somebody's head has far less to do with the position of the safety switch - assuming the gun has one - as it does with the motivation and intentions of the person holding the gun. Or perhaps you forgot: guns do not point themselves at peoples heads. People point guns at people's heads. A little thing like a safety switch isn't going to stop anyone (except in horrible movie plots involving the 'Oh yeah? How are you going to shoot me with the safety on?' gimmick).
Back on topic: People (system admins) design network monitoring systems. These are necessary to keep networks running smoothly and efficiently. As these tools improve, so does our ability to manage networks (especially ones as complex in their usage patterns as wireless ones). Could this tool be abused? Certainly. So can any tool. A hammer can be used to build a house, or to beat someone to death.
People are mass-tracked all of the time. Sometimes it's harmless (such as when Amazon tries to figure out what to sell you on their home page), sometimes it's annoying (like when credit bureaus sell your information to companies who flood your mailbox with offers), and sometimes it's used to abet criminal activity (like when said credit bureaus sell your data to a gang of identity thieves). But instances where people have crimes committed against them are relatively rare. Instances where it results in a loss of physical safety are more in the realm of 'movie plot threats'.
That doesn't mean that we shouldn't debate these issues, and that mass tracking is always good and / or harmless. In this case, I would strongly support an effort to anonymize the information so that it can't easily be abused (although there is some value in tracking specific users, as they all represent various classes of usage. Not all users are anywhere near equal, so you can't treat them all the same for planning and analysis purposes. Perhaps a system could be designed that places users into groups based on their usage, and tracks semi-anonymized group members). I also strongly favor disclosure of mass-tracking systems and, where possible, give people the option to opt-out. And finally, I favor liability for the owners of mass-tracking systems for cases where they are abused for criminal ends.
Having just left college, I think I would have enjoyed being able to let my friends know where I was.
If it monitored me without my opt-in, I would be pissed, and even if it was an "opt-in once and it's on forever" kinda thing it would be a pain, but I get the impression that you should be quite able to turn it on and off at will. I would like to see some way to get around the "it knows how many people are active in a location" thing... and it being at MIT, I'd guess someone will figure out how to get around that soon, if they haven't already.
This is an old hat. A much more powerful campus surveillance network has been established long ago at Hogwarts. It's called a magic map - it was reported, I think, in Harry Potter and the Goblet of Fire.
"I think I would have enjoyed being able to let my friends know where I was."
When you want to send the very best...if you think people want to monitor your movements, then I have to ask, why?
What if a coffee shop on campus finds that they can attract business by advertising that people are already on-site, so they setup a hive of cheap wi-fi signals to emulate real people? Or what if they just start paying people to login from cafe devices so it looks like real people are on site?
The article states:
"researchers also found that study labs that once bustled with students are now nearly empty as people, no longer tethered to a phone line or network cable, move to cafes and nearby lounges, where food and comfy chairs are more inviting"
And that's exactly where I'd focus my energy if I were a company that wanted to start guerrilla marketing directed at MIT campus life. I'd want to get my hands on that data, and/or change the data if I thought it could influence behavior. Thus, even if data is anonymous it can be abused.
The article goes on to say "Researchers say this data can be used to better understand how wireless technology is changing campus life, and what that means for planning spaces and administering services."
Please. How hard is it for these researchers to gather this data without the wireless?
Or let me put it another way: is real-time tracking of wifi user behavior required to gain an accurate picture of human behavior on campus? And what controls have been put in place to ensure that the data collected represents actual human behavior?
Finally, if/when a criminal case tries to use the data as evidence, I think MIT will have lot of questions to answer about data integrity.
A female student alone in the library stacks late in the evening would be wise to opt out.
Opting out, however, means being included, just being additionally flagged for privacy. Anyone able to finagle the security protection gets access to what's flagged. And successful finagling would raise no flags itself.
This would be invaluable to burglars, letting them know who's still in the chem lab that night, and even who's the last to leave and when. Leaving a light on will fool no one.
MIT is not exactly Redbrick U. I'm sure there are plenty of prominent people there who'd make good targets for troublemakers. This system would be a must-have.
I think 'safety' is the bolt-on, not built-in, type, always a bad idea.
My guess is the convenience to academia, and other interested but not necessarily identified parties, will keep this going. Any harm done will be sad news but won't change anything.
Shark attacks won't keep people from swimming in the ocean.
SlashDot is running a story that now the FBI wants access to that tracking network 7x24.
Correction: SlashDot story is about Carnegie-Mellon reporting that the FBI wants to tap their internet access. But, this raises the possibility that the MIT network is next.
It would be better if you choose whether or not to be on the system at all at any given moment, and if the data were never stored anywhere. In that scenerio, it's really a high tech version of the sign on your office door that says, "In the library" or "Meeting with advisor."
I can already predict large concentrations of technically savvy people, using an amazing technology called the "class schedule". Big lecture in 10-250? There'll be lots of people there.
At least one can use a laptop or PDA without having the WiFi enabled; unless you turn off your cell phone, you're already trackable, and over a much larger area than the MIT campus.
Bruce, when you're predicting whether a technology is The Next Big Thing in surveillance based on how open it is, then this applies of course only to adversaries with a very limited budget and manpower like J. Random Sniffer. It seems like you of all people is arguing for Security by Obscurity?! (Mass deployment is of course a factor, though.)
Government agencies love cell phones, I'm sure.
Imagine if this system were extended to a full-scale, 24/7, video-enabled surveillance system (in public places). Everyone would be able to see where everyone else was, all the time. Everyone would be able to get video of any public place on campus, at any time. Basically this is Brin's "Transparent Society" brought to life in a microcosm.
Is the coed walking alone endangered by this system, because everyone can see where she is? Or is she protected, because she and everyone else can see who else is there, and she can be watched constantly by the surveillance cameras?
Is the known-empty lab a tempting target for burglars? Or does the system's knowledge of their location and activities act to deter such thefts?
It would be an interesting experiment to see how these various scenarios play out in a restricted environment such as a college campus. Like it or not, we are on a path towards this kind of universal surveillance system. In a few years it will be so cheap and easy to do it, it will happen unless there is a very good reason not to.
Marauders map (from "Harry Potter")
"Marauders map (from "Harry Potter")"
ok so how do you change your options to be private and not let anyone track you?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.