Schneier on Security
A blog covering security and security technology.
August 20, 2008
Nice Article on Personal Surveillance
Nice article on personal surveillance from the London Review of Books.
Posted on August 20, 2008 at 12:40 PM
• 22 Comments
Now what else could they apply the technology to,
1, Travel Cards
2, Credit cards
3, RFiDs in clothing
Then tie the profiling together and they will very soon know all about your habits.
Then just for fun link the location information to CCTV footage etc (either live or retrospectively) and they can pick up biometric info like your "face points" or "gait".
Sling it all in a big database and the chances are you will never be able to hide again...
As I have said before on this blog "welcome to the Goldfish bowl" of the new age society.
So those who resent these intrusions and distrust the intruders should communicate safely by avoiding digital altogether -- by handwritten messages on postcards? Good thing the terrorists and criminals will never think of this.
At least in the US, this data cannot be released to individuals or 3rd parties per se. There is some ability to use it in aggregate for analysis (people watching ESPN on their phone are also on the highway!) and the operator can do stuff, but the scary bits in this article are not, to my knowledge, available in the US.
Sadly to me, this has also stifled 99% of the usefulness of location based services.
There is a way to get location data, but it generally requires each-time permission from the handset. A message pops up and you agree or not. If you have turned off location services then these messages won't pop up. Sure, the operator or government can (generally) still use device telemetry, but none of these commercial enterprises can.
If you are cynical about it, fine. But it's the same protection level you have for all CPNI. That's what prevents the operator from selling info about your address, billed amount and which games you downloaded to a 3rd party also. Imperfect, but miles better than nothing. Get a prepaid if you need more anonymity.
Don't forget the automotive iPass (U.S.) and train/bus electronic passes, coupled with the analysis of sewage flow from your loo, and your purchasing rewards cards, plus the electronic bar tabs (plus the bar provided electronic coaster that tells what you drink, how often it is refilled, and your elbow activity). How will they monitor ho's.
Other tracking includes your electronic ID for getting in and out of work, the electronic gate card for your gated home community or apartment building or condo complex, and the RFID in your car tires and/or automotive snooping...ah...onboard electronic communications.
Remember when the internet was going to free us...well, that is all monitored (mostly under the covers) as well. Your radio (maybe), TV, music tracks, and video, are all hooked up, and in some places, your appliances, furnace, air conditioner, and who knows, maybe even your electronic bed.
We don't need no steenking snitches...we are the snitch.
Maybe it's better that "everyone" be able to get the information. Then at least everyone knows that everyone else knows where they are. In the alternate scenario, the police always know where you are, but people forget about it.
I wrote a long response on my blog. I'll spare you the details, but in short these developments are not new.
"Designing protections against abuse related to mobile device data should be like designing the next wheel -- new technology, same old concepts."
"in short these developments are not new"
No indeed they are not. I have been predicting this since I was designing phones back in the last century.
And although I made my concerns public nobody really treated them seriously, and to be honest I don't think they will be taken seriously in the next ten years either...
I also made predictions about credit cards and electronic wallets (anyone remember Mondex) and the early smart cards and RFiD chips (anyone else remember the Dallas Semiconductor RF serial numbers for use in tagging, and later for "pet passports").
I even worked out how many tags in items you wore would be required to identify you to 99.9%.
I was not the only one; an article appeared in Wireless World and others sent letters to various industry journals.
A lot later I posted briefly my concerns to this blog and coined the phrase "welcome to the gold fish bowl" (google for my name and goldfish bowl).
And even now some 20 years down the line one or two journos are finally picking up on it.
It is too little, way too late, and Gov's are not going to pass legislation to stop this sort of data gathering, aggregation and profiling when they can make use of it themselves for raising tax.
In Isaac Asimov's 1956 story "The Dead Past", in which a couple of researchers develop a machine for viewing the past that can also be used to view the present, the government agent who tried to stop them leaves them with the line, "Happy goldfish bowl to you, to me, to everyone, and may each of you fry in hell forever. Arrest rescinded."
I think there must be re-evolution for using new protocol on the net, we can create consortium and organize the need of security. The spirit of Linus Torvalds, El Che Guevara, Sun Java and Obama!
Ladies and gentlemen, you forgot a simple way of tracking even without using cell phones or person-attached device. A lot of ISP providers have a vast quantity of data about their visitors, yahoo mail and gmail as largest. All users are simply addicted to their mail, and all the ISP needs to do is analyze which ip address is accessing certain mail account - no need for active tracking, password recovery or anything. Furthermore, this information is then transferred into the mail headers of email, so another isp receiving e-mails from a certain address can easily sift through them and find originating ip addresses.
While this may not be as precise as a cell phone or RFID location, it is more than enough to give an approximate position of a terrorist or his/her affiliate.
You are assuming that "face points" or "gait" are enough to identify someone *out* of a population. The current results give little hope that this is true.
"At least in the US, this data cannot be released to individuals or 3rd parties per se"
What? In the US the company that collects the data owns it. They can sell to however they like. What's worse is that you can't even make corrections to this data if it's wrong, let alone get it deleted.
OK, they win the "highest https port number" contest.
So how about if a large group of people (picturing several million, like an epic or eff) who prefer human rights over industry did a low-intensity, long-term DDoS attack on the website where you retrieve this nefarious information? They could have a "privacy@home" screensaver that used their idle time to share-bombard lists of sites selected for antisocial behavior like this. Would all their customers go away and extinct the business if they couldn't get their info in a timely fashion?
The 142 "antisocial" elements calling only one number look to me like substations reporting data to the process control host. This technique is widely used if you have no cable, but the line of sight is ok. By using solar panels you have energy and the GSM is much cheaper than cabling.
Ah, but remember a key point in the Asimov story, they couldn't easily locate the person with the device. In "The Island", they used pervasive CCD cameras to find people. In "Minority Report", they used pervasive retinal scanners to find people. Unless the target passed by one of these devices, you still couldn't locate them. Heck, even the Matrix didn't know where you were unless you did something odd to attract attention.
The phone tracking easily allows anyone to track your current physical location, as long as you have your device. That's pretty much all it does. You could leave your phone at home, or do the old trick of throwing it in the back of a pickup truck moving in the opposite direction...
@ Bryan Feir,
'In Isaac Asimov's story 1956 "The Dead Past",'
You know now you mention the plot line I think I read it in a collection of his short stories when I was around ten. I guess the phrase must have stuck in my head.
Therefore with apologies to Isaac Asimov and his fictional agent the original is much better and I will paraphrase it on this occasion,
"Happy goldfish bowl to you, to me, to everyone, and may each of you fry in hell forever. Claim to phrase rescinded..."
P.S. The frying sentiment is most apt for the commercial "data thieves" and their minions who do their bidding.
@ Bruce, Anonymous,
"You are assuming that "face points" or "gait" are enough to identify someone *out* of a population. The current results give little hope that this is true."
That is possibly untrue.
The U.K. Passport and Identity Service has (according to BBC news) just started a trial at Manchester Airport of automatic passport control stations. The person puts their biometric passport into the machine and looks at a camera and it compares your facial points to the digital photo in your passport and decides if you are the valid holder or not.
If what you are saying is true then Manchester has just become a great place for illegal immigrants with stolen passports to enter the U.K...
@Clive: Authentication (matching the guy in front of the camera to the data in the passport) seems like a much easier business than Identification (matching the guy in front of a camera to any of millions of entries in the database).
I suspect "face points" and "gait" will always have way less than 99% accuracy when matching against a large database. Actually I'd be really impressed if they could identify people out of a large population with even 70% accuracy.
...It would probably be as useless and disruptive as the "terrorist" no-fly list.
"Maybe it's better that "everyone" be able to get the information"
No. Not everyone has the same level of power.
e.g. Imagine you know about a Policeman and he knows about you. You think this is an equal situation?
My wife and I dislike cell phones. We each have one, don't give out the number, and only use it to call each other, rarely.
So now luddites look like terrorists?!
brb.. heavy knock at the door....
If this wasn't a real issue, it would be laughable...
Security bust: Berkeley woman misses flight when bra triggers alarm
Tyche Hendricks, Chronicle Staff Writer
Monday, August 25, 2008
(08-25) 16:51 PDT OAKLAND -- When Berkeley resident Nancy Kates arrived at Oakland International Airport to board Jet Blue flight 472, she thought she was heading off on a routine journey to visit her mother in Boston. Instead she ended up in a standoff with Transportation Safety Administration officials over her bra.
In the post-9/11 world of heightened airport scrutiny, Kates, like most travelers, is familiar with the drill: Take off shoes and belts, open the laptop, carry shampoo in 3 oz. bottles.
For Kates, on Sunday, though, the security check got too invasive. A big-busted woman wearing a large underwire bra, she set off the metal detector. She was pulled aside and checked by a female TSA agent with a metal-sensitive wand.
"The woman touched my breast. I said, 'You can't do that,' " Kates said. "She said, 'We have to pat you down.' I said, 'You can't treat me as a criminal for wearing a bra.' "
Kates asked to see a supervisor and then the supervisor's supervisor. He told her that underwire bras were the leading item that set off the metal detectors, Kates said.
If that's the case, Kates said, the equipment must be overly sensitive. And if the TSA is engaging in extra brassiere scrutiny, then other women are suffering similar humiliation, Kates thought.
The Constitution bars unreasonable searches and seizures, Kates reminded the TSA supervisor, and scrutinizing a woman's brassiere is surely unreasonable, she said.
The supervisor told her she had the choice of submitting to a pat-down in a private room or not flying. Kates offered a third alternative, to take off her bra and try again, which the TSA accepted.
"They tried to humiliate me and I was not going to be humiliated over this," Kates said. "If I was carrying nail clippers and forgot about them, I wouldn't have gotten so upset. But here I was just wearing my underwear."
So back she went to the ladies room, then through the security line a second time. Walking through the airport bra-less can be embarrassing for a large-chested woman, not to mention uncomfortable. The metal detector didn't beep on the second time through, but then officials decided to go through Kates' carry-on luggage, she said.
The whole undertaking took 40 minutes, Kates said, and caused her to miss her flight. Jet Blue put her on another one, but she was four hours late getting to Boston.
"It's actually a little funny in a way, but a sad, sad commentary on the state of our country," Kates said. "This is bigger than just me. There are 150 million women in America, and this could happen to any of them."
TSA spokesman Nico Melendez said Monday that he wasn't familiar with the incident. But he said in all circumstances, "we have to resolve an alarm."
That's the case for bras, artificial hips or anything with metal that triggers an alarm, he said. "Unfortunately, we can't take a passenger's word for it."
Melendez said he didn't have any statistics on how many times passengers are screened because of bras. But he said, "we do everything we can to ensure that a passenger doesn't feel humiliated."
Kates said she plans to talk to her family lawyer as well as the American Civil Liberties Union and the National Organization for Women and decide how to pursue the incident.
Barry Steinhardt, the director of the ACLU's technology and liberty program, said Monday of federal security officials, "They can't find bombs in checked luggage, and they're essentially doing a pat-down of private parts. This is a security apparatus that is out of control."
Although she flies about once a month, Kates said the only other time her bra has set off alarms in an airport was while she was being "wanded" in Cedar Rapids, Iowa. When she explained to the security agent that the wand was picking up the metal in her bra, she said, that was the end of the matter and she was allowed to go on her way.
Chronicle staff writer Henry K. Lee contributed to this report. E-mail Tyche Hendricks at firstname.lastname@example.org.
From "None's" post,
"Kates said she plans to talk to her family lawyer as well as the American Civil Liberties Union and the National Organization for Women and decide how to pursue the incident."
Personally I would encourage all women to complain as much and loudly as possible, as quickly as possible.
As it is coming up to U.S. Presidential Election time the "blood suckers" will actually listen to people at this time to secure their pork-n-gravy for the next few years.
If a particular group who are seen to be becoming adversely politically active and growing in numbers then they will get the ears of "our representatives" and have a possibility of making real changes.
If women get active on this and the politicos actually act then a crack will have opened in the "theatrical edifice" that is the TSA and DHSec and other significant drains on the U.S. Economy that are very probably driving the world into significant recession.
Once one crack is open it is up to the rest of us to drive a wedge into it, to open up it, and other cracks to either bring the whole mess down or make it actually (cost?) effective.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.