Schneier on Security
A blog covering security and security technology.
July 5, 2006
Cell Phone Security
No, it's not what you think. This phone has a built-in Breathalyzer:
Here's how it works: Users blow into a small spot on the phone, and if they've had too much to drink the phone issues a warning and shows a weaving car hitting traffic cones.
You can also configure the phone not to let you dial certain phone numbers if you're drunk. Think ex-lovers.
Now that's a security feature I can get behind.
Posted on July 5, 2006 at 2:45 PM
• 27 Comments
Combined with US Government record seizing, GPS data, etc, now your phone can be used in conjunction with rate of motion and path to destination to tell if you were driving drunk while talking on the phone!
Or I am just paranoid....
A fair point Havvok.
Could your phone upload a boolean Yes/no whenever your breath indicates greater than a certain standard?
I mean...it's all good to NOT call my ex's phone when I'm "out of it"...but do I want my phone company to notify my car insurance company of how many "overages" I have per month?
Would I get a discount from the insurer if I only used that phone when sober and recorded no "overages"?
Of course then I'd end up talking to the ex...
But wait! Think about a fee-based system...every time your phone company saves you from talking to the ex while inebriated they charge you five bucks!
Again I find myself in the wrong business.
So, can rental car companies use this to track whether or not you drove drunk.. if you breathe into your phone, it sends the info to the phone company.. the car rental tracks the date/time that the car is in motion and compares with records of the phone company's breathalyzer result..
sure, they can't have you arrested, but they can charge you a fine.. after all, that's what the red light cameras do anyway.
I think this further demonstrates why stand-alone devices have value in a world where you can't trust that any external record won't become available to anyone interested (especially in governments).
Well, they can just put breathalyzers in the rental cars. End of story.
People with iffy exes shouldn't be using cell phones anyway. They should stick to rotary phones. By the time you're done dialing, you'll have thought better of it and hung up.
No, they can't charge a fine. This was determined a couple of years ago when a rental car company tried to charge additional fees when the uploads from the in-car GPS showed the car going faster than the posted speed limit. This was shot down (rather angrily) by a judge who said, in short, that the company was not in the business of law enforcement, and had no legislated right to attempt to be so.
You are correct...they can't charge you a "fine".
A "fee" however...well...rental companies can charge all the special "fees" they want...so long as you sign the dashed line and initial all the boxes before you take the keys.
Businesses and fees go together like tickets and fines go with Courts.
I would think that the phone company couldn't do anything with the "is the user drunk or not" anyway...
Breath freshener sprays can mislead standard breathalysers. I would imagine that a cell phone being used by "an untrained operative" under unknown circumstances would not have any weight in court. However it might be handy for users to get a warning that they are over the limit so they know to get a cab rather than drive.
@Z. Mythbusters had an episode where they showed using breath fresheners doesn't work to beat the test.
@The others. I don't get it. Why would this data be uploaded to the phone company? They have no interest whether or not someone is drunk. This information seems about as interesting to them as someone's high score on one of the cellphone games.
The phone company may not care if you're driving drunk, but they'd certainly be willing to sell the information to people who do care, in much the same way they're willing to sell your phone number to telemarketers (well, unless you're willing to pay them _not_ to sell it to telemarketers - ever wondered why an unlisted number costs more?)
Heh, hate to follow up on my own post, but, along the same vein, would the phone company be willing to let you pay them not to sell breathalyzer type information to your insurance company?
John, you've invented a wonderful new business. Simply pay me every time you don't want me to tell anyone you're drunk, or out of state or whatever.
I'd rather the companies work on fixing dropped calls and short battery life (both of which could be a problem in times of need/danger).
"You can also configure the phone not to let you dial certain phone numbers if you're drunk"
I keep wondering about this scenario. You have to have the foresight to enter the "block" numbers, as well as the foresight to breathe into the phone before you dial, just to prevent yourself from dialing.
It seems so easy to bypass these controls that it must be meant for Dr. Jekyll and Mr. Hyde-like symptoms. In that sense, perhaps just making the car keys so difficult to operate that you have to be sober to actually use them would be a better control.
How does this device identify who is breathing?
Not at all - I guess.
So the data is not reliable, to sell it to insurances.
If someone is in doubt whether to drive or not, he shouldn't ask his phone, but stay away from the car.
Are the measurements exact enough to prevent someone from penalty? Will the vendor pay if his product reported values too low?
Davi - the phone, once so configured, would presumably not let you dial the blocked-out numbers unless you did breathe into the sensor. So you'd only need the foresight to do the configuration. Other problems with the idea are left as an exercise...
With the digital age, it is an interesting facet of security....protecting ourselves from ourselves. I would say it is safe to assume that many people may be "tempted" to do things they may later regret either via cell phone or internet or whatever...and in their more lucid moments being able to set up some fences against that isn't such a bad idea....but it has to be such that you can't then easily bypass it. But can you get to it at all to change it? I wouldn't be surprised to see more of this in "security" applications in the future.
It's akin to blocking 900 numbers on your phone, I suppose...
what if your phone said you were ok, but then killed a bunch of people and blew slightly over the limit on the PD's *calibrated* meter?
Sounds like a business I would *not* want to be in if I were a phone manufacturer.
Now suppose YOU killed those people, instead of your phone. Bah. (preview is your friend)
dudes, you don't have to buy this cellphone! you're free to continue on with standard cellphones that don't rat out your state of intoxication.
here in rural oregon, we'd just sit at the bar drinking and blowing into our phones competitively.
"How does this device identify who is breathing?
Not at all - I guess.
So the data is not reliable, to sell it to insurances."
Since when do businesses care if the info is reliable or not? There is always someone that will buy and use the info, regardless of reliability. Unfortunately.
But I still have not figured out why the info should have to be passed to the telcos...
Sometimes, just because you CAN develop a technology, does not mean you SHOULD do so.
"you're free to continue on with standard cellphones that don't rat out your state of intoxication."
For now, yes. However, compare to the cries for "smart guns". Some politician, looking to "leave his mark", WILL call for banning "phones only a drunk driver could love", and the sheeple will baa in chorus.
Ah, you must be right. But in that case perhaps the phone should be programmed to auto-dial based on the breathalyzer results. Since this is probably a semiconductor oxide based system:
1) high alcohol = autodial a taxi and provide your location for pickup
2) high NO/CO2 ratio = autodial a doctor and schedule an appointment (to check for inflammatory-related diseases)
Incidentally detection devices are often very susceptible to environmental changes. Smoke, temperature and other airborne variations commonly found in a bar seem highly likely to throw the sensors off and thus require some sort of calibration to be useful. Maybe you could set the phone to "smoky bar" or "sweaty club" before you start drinking to avoid false positives/negatives later on.
"The phone company may not care if you're driving drunk, but they'd certainly be willing to sell the information to people who do care, in much the same way they're willing to sell your phone number to telemarketers"
They could probably do quite well by telling the telemarketers you're drunk - you may be more likely to bend to their sales pitch when in an inebriated state...
"The phone company may not care if you're driving drunk, but they'd certainly be willing to sell the information to people who do care"
This will be only the start of it. Given the ease and near 100% reliability with which the rental car companies can determine the ID of the driver at a given point in time (i.e. most vehicles are rented with a single named driver) it will be only a matter of time before they install gas analysers under the driver's seat to sniff your farts so they can sell the resulting data to health insurers, lawyers, employers etc. Ditto for hotels, airlines etc. Once the costs to collect the data drop below the TOTAL VALUE to them of the data (a figure likely to be much higher than the prima facie selling price), these organisations, and others, will be analysing your DNA if they think they can get away with it. It'll be buried in the small print that none of us read: "Customer understands that for the safety of all our customers, XYZ Inc. uses sensors to monitor a variety of data points in the bla bla bla"
All your farts are belong to us. It's when not if.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.