Schneier on Security
August 14, 2009
EFF on Locational Privacy
Excellent paper: "On Locational Privacy, and How to Avoid Losing it Forever."
Some threats to locational privacy are overt: it's evident how cameras backed by face-recognition software could be misused to track people and record their movements. In this document, we're primarily concerned with threats to locational privacy that arise as a hidden side-effect of clearly useful location-based services.
We can't stop the cascade of new location-based digital services. Nor would we want to -- the benefits they offer are impressive. What urgently needs to change is that these systems need to be built with privacy as part of their original design. We can't afford to have pervasive surveillance technology built into our electronic civic infrastructure by accident. We have the opportunity now to ensure that these dangers are averted.
Our contention is that the easiest and best solution to the locational privacy problem is to build systems which don't collect the data in the first place. This sounds like an impossible requirement (how do we tell you when your friends are nearby without knowing where you and your friends are?) but in fact as we discuss below it is a reasonable objective that can be achieved with modern cryptographic techniques.
Modern cryptography actually allows civic data processing systems to be designed with a whole spectrum of privacy policies: ranging from complete anonymity to limited anonymity to support law enforcement. But we need to ensure that systems aren't being built right at the zero-privacy, everything-is-recorded end of that spectrum, simply because that's the path of easiest implementation.
I've already written about wholesale surveillance.
Posted on August 14, 2009 at 6:30 AM
They are going to be built with zero privacy as the default because it's the cheapest way to do it.
1) Adding in crypto requires programmers who know crypto. Crypto--useful crypto isn't an API, it's also rigorous coding. Those people don't come cheap.
2) Crypto is complicated. Complicated takes time and time is not cheap. See 1.
"Crypto--useful crypto isn't an API, it's also rigorous coding."
I disagree. Java (at least!) has very useful Crypto APIs that don't require extensive crypto knowledge. You need to be smart enough to know what to use where, but that's something a general programmer can be taught in a few days.
If it's cheaper to convince people to relinquish privacy in order to get location-aware gear, than to build privacy-preserving location-aware gear, that's most likely what's going to happen. The usefulness of location-aware gear is obvious to most people. The value of privacy (with respect to location) is not.
Even in applications where there is a need, under given circumstances, to reveal location information, identity and the relation between them, privacy can be protected. Protocols that allow for anonymity revocation only under given circumstances, by authorized entities (possibly even more than one), are available. Methods to generalise, obfuscate and mix location data are no hidden magic either.
I am skeptical about the benefits of people tracking. When I go shopping I don't need anybody meeting me because he saw me on his mobile Google Maps app. Information coming from all directions isn't going to improve my productivity. Passive information is much more useful because it can be used as a tool and does not act on its own when it's not asked to do so.
Multitasking makes us less efficient in doing single-threaded tasks, and the bombardment of information becomes more and more annoying and overwhelming.
The advances in surveillance and other means of data tracking have in some cases become a way of harvesting the population.
Clearly the main motivation behind the advancement of these technologies is driven by the mid-term benefits they bring, some being: improved marketing, more sales, better risk analysis and so forth ...
And while there are niche products that make good use of the new information they are still the exception.
We need to understand which data is worth collecting and which isn't, and that it is actually useful to forget data after some time. Until we learn how to do that there will be many more cases of information misuse and privacy right violations.
What is needed is partially ephemeral location data.
That is, location data useful to the individual and their friends does not need to be anything other than current (if they want route logging for exercise etc., then they need to do it explicitly, not implicitly).
Information of use to rescue services (finding lost persons etc) again needs to be current plus stretching back no more than 5 hours.
Only for certain individuals does the state need to keep location data in the identifiable form.
However, properly anonymised data on the general populace is of great benefit to planners and other civic amenity organisations.
Arguably historians might find location data useful a generation or so later, but then only in the general sense for the majority of the population.
Information useful to a police state is the only personal location data that needs to be kept for a lifetime by anybody other than the individual and their immediate friends and family.
The real question is not storage or non storage of identifiable location data, but how to keep what is of social use (general) and what is not (personal).
Turning personally identifying location information into general population location data for things like traffic planning etc. is actually a very, very difficult problem due to other database information such as credit card, travel card and other info that has to be tied to an individual or entity for financial reasons.
Until we can resolve this issue my vote is for not keeping any location data at all.
"Adding in crypto requires programmers who know crypto.... Those people don't come cheap."
Actually we are not all that expensive, but even if we were, programmer cost is a negligible part of product cost because it's a one-off. A few person-months of software development get amortized over hundreds of thousands of devices.
I gotta disagree. Those APIs are certainly useful for avoiding a whole load of common mistakes, but the bottom line is that if you don't understand exactly why your app is secure, it's not.
It's that knowledge and the rigorous examination it requires that take a lot of time and cash money.
I can do a location-aware search on my iPhone which is actually quite useful. How would I take advantage of this without telling Google where I am? Presumably all communication channels can be made secure, the iPhone can be made secure, and so forth, but Google's search engine still needs to know my approximate location to do a search.
Similarly, my ability to pop up Google Maps for the rough area I'm in is very useful. Again, Google has to be told where I am to provide the right maps.
Crypto can do an excellent job of keeping my information private in transit, but AT&T Mobile needs to know about where I am at all times, and Google when I need to use their apps.
We can't trust anyone not to sell, share, or lose data once we've let them collect it. Turn off your PDA/phone. Pay in cash. Use public transportation. Wear nondescript loose-fitting clothes. Use the PC at the library. Grow a beard. Eat at the mission. Sleep under the bridge on a sheet of cardboard. Oh, never mind...
That was my first thought. The big reason privacy won't be designed in is because it costs more to do so. Sloppy is cheap.
My second thought is more cynical: Privacy won't be designed in because the people doing the designing don't *want* it. How can they mine all that juicy data if they can't decrypt it? That the system remembers all your past movements is not a bug, it's a feature. One that's probably at the very top of the requirements list.
It's enough to make you cry. Mark Weiser's group at PARC (and others) were addressing these issues as part of ubiquitous computing research projects almost 20 years ago. And half a dozen generations of mobile hardware later we still aren't bothering to do it right (at least then they had an excuse, back when passing a few thousand bytes around and doing crypto on them cost real processor time).
(One ironic side note is that their worries about getting people to carry "active badges" that would potentially identify their locations at all times seem to have been misplaced. Everybody now pays hundreds of dollars for the privilege of carrying tracking devices.)
You don't have to tell Google where you are, just where someone is.
The current model for privacy is to collect everything and then only use what you are entitled to use. Imagine if you had to give a vendor all of your money and then they returned only what they did not need in order to provide the promised service - also they don't have to account for their decision. That is what is going on now.
I've never been anyplace that used EZ-Pass or similar (although I have seen the signs while travelling) but I have thought they should have a "pay-as-you-go" version similar to cellphones.
"best solution to the locational privacy problem is to build systems which don't collect the data in the first place"
The EFF is trying to solve the "privacy problem" but their solution doesn't seem balanced with the growing market for location data.
In practicing security it is a fantasy to sit at the boardroom table and say "my recommendation is to securely remove all the sensitive data and prohibit it...". The business lines would laugh security right out of the room.
Disobedience and gaming surveillance could be the cheapest response on an individual level. Just look at how the US state department is recommending evasive technology in China and Iran:
Arguing for an absolutist position is helpful, but only in the sense of defining boundaries. A more moderate position would be to say under what circumstances it is acceptable to acquire the data and how it should be handled. Thus, the "best" system is one that can serve more than a single objective and avoid an all-or-nothing dilemma.
From the paper:
"But the protocols are such that these interactions can’t be linked to him specifically and moreover repeated accesses can’t be correlated with one another. That is, the bike locker knows that someone authorized to enter has come by, but it can’t tell who it was, and it can’t tell when this individual last came by."
No public transit organization will want to buy a system like that. Without correlation, the same pass could be used to let several people in at once. Public transit systems will usually refuse to let the same card unlock the turnstiles twice within 5 or 10 minutes.
I've been playing with Google's Latitude. It uses your phone's knowledge of your location, sent to Google, to allow you to publish your location to other people. I believe that they only store your current location, but I haven't checked their privacy statement at all. And I'm sure that law enforcement could compel them to start recording a particular person's location if they wanted.
They have a way to publish your location publicly through a special URL with a UID in it (a simple API). But the thing is, you only get 1 UID, and you can't change it. So you can never revoke it for a single person, and if you make it public by using their default location badge it's public forever. All you can do is completely turn it off. My plan is to proxy it through a webservice on my server, so I never reveal the actual URL for my location. Of course, this is security through obscurity, and if the secret does get out (someone sniffs my outgoing connection) then there is no way for me to know that someone is monitoring my location through the actual URL. If I did find out, the only recourse would be to sign up with a new Google account, which would get me a new UID, and abandon my old one.
Those are my current observations on one location service's privacy in practice.
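One way to do the proxying the comment describes while also addressing the two gaps it raises (no per-person revocation, no way to tell who is polling), as an added example that is not the commenter's code or any part of Google's API: the proxy issues each viewer a separate random token and keeps the single badge URL private. The badge URL and viewer names are constructed placeholders.

```python
# Added example, not the commenter's code or any Google API: a proxy that hands
# each viewer a separate random token and never exposes the single badge URL,
# so one viewer can be revoked and heavy polling is attributable to a token.
import secrets
from dataclasses import dataclass, field

# Constructed placeholder for the real, unchangeable badge URL.
HIDDEN_BADGE_URL = "https://example.invalid/badge/PLACEHOLDER-UID"

@dataclass
class LocationProxy:
    upstream: str
    viewers: dict = field(default_factory=dict)  # token -> viewer name
    revoked: set = field(default_factory=set)
    hits: list = field(default_factory=list)     # (viewer, token, granted)

    def grant(self, viewer: str) -> str:
        """Issue a fresh unguessable token; the same viewer may hold several."""
        token = secrets.token_urlsafe(24)
        self.viewers[token] = viewer
        return token

    def revoke(self, viewer: str) -> int:
        """Cut off one viewer without disturbing anyone else; returns count."""
        tokens = [t for t, v in self.viewers.items() if v == viewer]
        self.revoked.update(tokens)
        return len(tokens)

    def fetch(self, token: str):
        """Resolve a token to the hidden upstream URL, or None if not allowed.
        Every attempt is logged, including ones with unknown tokens."""
        viewer = self.viewers.get(token)
        granted = viewer is not None and token not in self.revoked
        self.hits.append((viewer or "unknown", token, granted))
        return self.upstream if granted else None

    def polls(self, viewer: str) -> int:
        """Successful lookups attributed to a viewer: a spike here points at
        the token being shared or sniffed, the case the comment worries about."""
        return sum(1 for v, _, ok in self.hits if v == viewer and ok)

if __name__ == "__main__":
    proxy = LocationProxy(HIDDEN_BADGE_URL)
    alice = proxy.grant("alice")          # constructed viewer name
    print(proxy.fetch(alice))             # upstream URL, to be fetched server-side
    proxy.revoke("alice")
    print(proxy.fetch(alice))             # None: alice alone is cut off
```

In a real deployment `fetch` would perform the upstream request server-side and return the result, so the hidden URL never leaves the proxy.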
This problem is likely to seem like a complete non-issue to anyone who's never had the experience of consistently being found without any expectation or understanding of why anyone should be looking in the first place. Casual technology users are offered nothing if not opportunities to self-promote in order to provide the rest of the world a means of being found, and amidst all of the noise it can often appear as though your signal is likely to be drowned out and lost.
Once you've had the experience of discovering that some number of people actually really want to know you, the value in taking the time to broadcast your presence to the world looks more like a risk than a benefit. Anyone who really wants to know you is likely to be the last person you want to meet.
The Marine Corps recently took a half step in this direction by banning social networking on government computers. While it doesn't abridge marines' personal freedom to get around online on their own time, accessing this sort of crap while deployed is an obvious compromise of operational security. After all, who in their right mind would invite their enemies to know them quite that well?
Google would do well to enable ssl in their location aware apps.
@Casey: However, the benefit of the applications is that they take the location information from my iPhone and apply it. Since I'm never far from my phone, it's a reasonable assumption that I was where my phone was.
This is something like the argument for targeted ads, but more so. I get a direct benefit from allowing Google to know where I am executing certain apps from. The quoted paragraphs from the paper agree with me that the services are valuable. What I don't understand (and I didn't read the paper) is how crypto will prevent Google from knowing that a certain request with a certain location came in from a certain phone at a certain IP address.
It won't, but Google is at least a reasonably responsible actor in the scheme of things. If you someday become concerned about what Google does with your data, stop using their services.
Goog Brother is a reasonably responsible actor?! No wonder we have a privacy problem if anyone can seriously say that their policy of tracking everything all the time and keeping everything forever is 'reasonably responsible'.
It doesn't even take a warrant to get that info. Not even a subpoena (a letter). Not even a corrupt employee, or a cracker breakin. All it takes is an NSA wiretap. And of course NSA wouldn't be tapping a domestic location that reports the whereabouts and activities of everyone who ever used Google...
Responsible from the perspective that they actually mean well, that they take reasonable steps to safeguard your data once they have it, and reasonable steps to expunge data beyond a certain time horizon. If you're more worried about the NSA than you are the proverbial Russian hacker, then we have different concerns.
If you design the architecture so that the requests go directly from your phone (at a fixed IP) to Google, then crypto won't help you. If you get yourself an architecture with one or more intermediaries, crypto will help arrange things so that Google doesn't know your phone's IP, and the intermediaries don't know your location or the contents of your phone's conversation with Google. If you want to get even fancier, the message back to your phone can be multicast to a range of IP numbers, since only your phone will be able to read it. And so forth.
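The intermediary architecture sketched in the comment above, as an added example that is not the commenter's code or any real service's protocol. It assumes a symmetric key already shared with each hop (in practice from a key exchange) and uses a toy HMAC-based stream cipher so it runs with the standard library alone; the hop names, phone address and query are constructed.

```python
# Added example (not code from the page or any real service): a location query
# relayed through intermediaries with one encryption layer per hop.
# Assumed: keys pre-shared with every hop; toy HMAC-SHA256 counter-mode cipher
# (stdlib only, no integrity). Use a real AEAD such as AES-GCM in practice.
import hashlib, hmac, json, os

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + xor_keystream(key, nonce, plaintext)

def unseal(key: bytes, blob: bytes) -> bytes:
    return xor_keystream(key, blob[:12], blob[12:])

def build_onion(route: list, query: dict) -> bytes:
    """route = [(hop, key), ...] from first relay to the final server.
    Each layer names only the next hop; the innermost layer holds the query,
    so relays never see the location and the server never sees the phone."""
    blob, next_hop = json.dumps(query).encode(), None
    for name, key in reversed(route):
        blob = seal(key, json.dumps({"next": next_hop, "inner": blob.hex()}).encode())
        next_hop = name
    return blob

def run_route(route: list, phone_addr: str, query: dict) -> dict:
    """Forward the onion hop by hop and record what each party observes."""
    observed, blob, sender = {}, build_onion(route, query), phone_addr
    for name, key in route:
        layer = json.loads(unseal(key, blob))
        inner = bytes.fromhex(layer["inner"])
        if layer["next"] is None:      # final server: reads the query itself
            observed[name] = {"from": sender, "query": json.loads(inner)}
        else:                          # relay: sees an opaque blob and next hop
            observed[name] = {"from": sender, "next": layer["next"], "bytes": len(inner)}
        blob, sender = inner, name
    return observed

if __name__ == "__main__":
    names = ("relay1", "relay2", "search-server")
    route = [(n, os.urandom(32)) for n in names]
    # Constructed sample request: a nearby search carrying coordinates.
    view = run_route(route, "phone 203.0.113.7", {"q": "coffee", "lat": 37.78, "lon": -122.42})
    print(json.dumps(view, indent=1))
```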
We are rolling out a site that is at one end of the spectrum - the private one. No PII is collected (unless you consider email address PII - which I don't since anyone can get an anonymous email account) and every shred of data on our servers is encrypted (with external passkeys if you so desire). My goal was to provide an ultra secure service to people that want to share conversation and files with others in total privacy. This is not a social networking site. Check it out at http://www.threadthat.com.
@Goog Brother,
"It doesn't even take a warrant... ...All it takes is an NSA wiretap."
Actually it takes a good deal less than that: a simple Java app on the phone is all that is required, and that can be put on at any time by a network operator, or somebody who embeds the code into another app. All without a mobile phone user knowing.
"And of course NSA wouldn't be tapping a domestic location that reports the whereabouts and activities of everyone who ever used Google..."
You are looking at the wrong people. The mobile phone operator makes the location data available to all and sundry for next to nothing and it certainly ends up in marketing databases currently.
The easiest way for a government to get around the laws restraining the likes of the NSA / FBI / LEOs is simply to buy the data at a knock-down price on the commercial market.
And let's be honest, if I knew your phone number I could easily fake an SMS response to one of those web tracking services that only "pretend" to use a secure "sign back" (the sort certain paparazzi and private eyes have been caught using).
It's amazing the power that worried parents / spouses have, if only they could be bothered to enrol their child's / partner's mobile phone...
Although it certainly won't hurt to have crypto on the systems, the real issue (for me) is how much power is given once someone has your data. I don't know if there is a real solution to the level of risk that comes with allowing so much personal information to be in ANYone's hands.
Isn't that what they call it when I hand a clerk a 100 dollar bill and they make change?
Heck, even after this long thread, nobody thought to ask about who might really be funding this? :)
Reminds me of Minority Report, where people's retinas are scanned automatically as they walk around in their day-to-day lives. I hope we never get there; great movie though.
Systems involving locational privacy are going to be built with zero security because the proportion of people who care is incredibly minuscule, just like it is for every other system with privacy implications which aren't grotesquely obvious.
Does anyone remember the advent of electronic toll-collection systems? I distinctly recall a very clever description of how such systems could be designed to preserve anonymity by the judicious use of various cryptographic primitives. Electronic toll-collection systems, of course, do nothing of the sort.
I appreciate the EFF's ideas here, but they're paddling upstream.
I wrote PlaceMask for Android to deal with this problem at the application tier.