Schneier on Security
A blog covering security and security technology.
« Rand Paul Takes on the TSA |
| Far-Fetched Scams Separate the Gullible from Everyone Else »
June 21, 2012
Apple Patents Data-Poisoning
It's not a new idea, but Apple Computer has received a patent on "Techniques to pollute electronic profiling":
Abstract: Techniques to pollute electronic profiling are provided. A cloned identity is created for a principal. Areas of interest are assigned to the cloned identity, where a number of the areas of interest are divergent from true interests of the principal. One or more actions are automatically processed in response to the assigned areas of interest. The actions appear to network eavesdroppers to be associated with the principal and not with the cloned identity.
A device-implemented method, comprising: cloning, by a device, an identity for a principal to form a cloned identity; configuring, by the device, areas of interest to be associated with the cloned identity, the areas of interest are divergent from true areas of interest for a true identity for the principal; and automatically processing actions associated with the areas of interest for the cloned identity over a network to pollute information gathered by eavesdroppers performing dataveillance on the principal and refraining from processing the actions when the principal is detected as being logged onto the network and also refraining from processing the actions when the principal is unlikely to be logged onto the network.
EDITED TO ADD (7/12): Similar technology and concept has already been developed by Breadcrumbs Solutions, and will be out as a free beta software in a few months.
Posted on June 21, 2012 at 5:51 AM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It's not a new idea? This appication was under examination for over 6 years. And they disclosed not only prior art as it existed at the time, but the examination process would scrape and scratch for 6 years to find a reason the patent should not be granted. The application was also published and was available to the public years ago.
How on earth could the patent examiner let this one pass...
This is such a well known technique, there is a good historic record of this "signals analysis and deception" from World War II and was most certainly described in books commonly available in the 1970's (See Prof R.V.Jones's "secret war" and others from around that time".
For more uptodate efforts but prior to Apple enntering mobile phone arena, people were cloning mobile phones for secrecy and profit in the 90's and presumably still do today.
The USPO should be ashamed of themselves for issuing on this, there is nothing new or original in claim 1, it should have fallen before it even got to the USPO examiner.
I suppose Apple are now going to use it to attack other Mobile Phone manufacturers and Google etc through the courts, to get a comercial advantage their products do not deserve.
IMHO they should have included the term "device" somewhere - so that no one may get the idea of challenging the patent on grounds of lacking technicality.
Oh wait, they did... thrice.
Do you even know what a patent is?
Techniques to pollute electronic profiling
Coming soon to the App store, the obfuscram app:
Verb: To obfuscate your own personal information immediately prior to leaving a social web site.
I quit Facebook when I signed up for Google+, but since Facebook won't actually delete my account, I obfuscrammed it by deleting all my friends, then I "liked" a bunch of religious pages, disconnected my mobile link, removed all my pictures, personal information and notes and things, posted a bunch of nude pictures of Kasia, changed my profile name to Kasia, then posted my password everywhere I could think of.
They deleted my account for me.
Am I the only one wondering if Apple is doing this, in part, to prevent 3rd party apps from interfering with their data collection?
If Google was patenting this that would be definitely be my first guess, but Apple seems to rely less on information about consumers so maybe they are actually going to try and implement a service around it.
Sounds more like a method than a patentable technique or even a process design (which I assume can be protected under some mad interpretation of Intellectual Property).
The USPO just keeps drifting futher and further from its intended function and becoming more and more of a neighborhood mobster selling terratorial exclusivity to corporations too lazy to actually produce a better, and therefor more desirable, product.
@Jack - if you're going to defend the patent system and not just this patent, then you'll need to take on the one about a kid swing, the 'entertaining a cat with a laser pointer patent', compression patents that don't even work, and quite a few others. Good luck ...
"... a variety of privacy laws and rights enjoyed by American citizens, which remains the envy of much of the rest of the world."
Good to see an American dream is alive and well!
FTR: American citizens do not enjoy anything approaching the level of privacy provided by European Laws.
It reads like a beer-inspired brainstorm written-up later by a tame lawyer. Fun game if you can afford to play it.
"Thus, even the most cautious Internet users are still being profiled over the Internet via dataveillance techniques from automated Litter Brothers."
Which is nicely surreal.
I could imagine Apple doing this to undermine Google et al. In fact lots of reasons.
The next escalation in this war would be profiling tools that try to automatically identify profile pollution bots. Could the pollution be convincing enough to evade detection by people who must already have the analytical muscle to spot signature traits?
The absence of any kind of compromising behaviour in the profile could raise suspicions for a start.
Could the Internet traffic of the future consist mostly of proxy-profile bots posing as real people and gibbering at each other while we humans "go fishing" or something?
If you read the actual claim, it is quite restrictive. The long list of "and" clauses limits it to a very narrow field of application.
To me it looks like this claims something that:
Creates a bot that will act as you, but with different interests, which will then do searches and other actions related to those interests and will only do that if the user is not currently active but will not do that if the user would never be active at that time.
If you don't meet all of those at once, then I don't think you violate claim 1.
The later claims are all based on claim 1 with some additional twists.
Apple's biggest competitor in the mobile market is from a company that makes its money on targeted advertising.
Apple files a patent for a technique to make that advertising less valuable.
More of a business decision than a security one, I think.
Of course, at first read through I thought it was just a patent for using a fake "mother's maiden name."
Espionage virus sent blueprints to China - “ACAD/Medre.A” -
TSCM Audio Countermeasures: Demo - 'Babble Tape'
I thought Microsoft patented data poisoning 30 years ago ...
+1 . You should patent this technique.
Bunk. I was doing that for years until I heard about trackmenot. And that isn't really as nice as I'd like, but it's simple enough to work.
Ever since I found out about vmware.
Just took a single linux workstation with some ethereal logs of a windows xp box that were sent into google. The system would boot up with a fake clock set for a timezone 8 hours off and appropriate internationalization settings, run some queries it pulled from a feedburner account against google and yahoo, and randomly load one of the first three links in a headless browser.
Repeat for about five minutes, then shut down and revert snapshot. I had to have the most "average" query pattern in history.
Active, not active... whatever. The hardest part was writing a cronjob that believably overlapped with my real person and normal activities, but made it look like this bogon was home and awake at different hours.
Does this mean that every time I sign up for some dam website as Mickey Mouse (or my other nom-de-web - 'Miguel Raton') with suitably comical attributes I am infringing an Apple patent? By using a smartphone, laptop, or even pencil and paper is it not 'device'implemented'?
Actually I have a coworker who was building a business on this very thing. "misinformation services"
He's pretty bummed about the patent.
It does surprise me from the comments here, that a lot of people don't understand what Apple's patent is attempting to do. Either you did not read the patent closely, or you do not have much imagination.
Tyrell: "More human than human" is our motto.
I've happily let these various services slurp up my usage, and you know what? Not a one of them has ever shown me a targeted ad, a product recommendation, a friend/follow recommendation or anything else of the sort that was even remotely appropriate.
Apparently even *with* all of this history and data, the actual *analysis* of it is completely useless. At least for the one case I can personally vouch for (which is me).
I might be profiled, but it saves bandwidth to just have a very big HOSTS file. I hardly ever see ads, and it helps keep trojans away too.
Alas, when advertisers realise IPV6 gives them unlimited free ever-changing traceable addresses, new techniques will be necessary.
I made a program that does this. It was written well over 6 years ago. I didn't even try to patent it because I thought "this is so obvious that there is no way it should be eligible for patent protection. There must be tons of prior art."
Oh well. I wasn't going to sell it anyway. If it's going to be in demand maybe I should just open source it.
I floated an idea to Steve Gibson (grc.com) for "tainting" cookies back in 2002, particularly for the more scummy trackers, but it didn't seem to fly and although from time to time I manually "adjust" a few I've never pursued it seriously.
Like tOM, I maintain a large hosts file (600K+) and I too don't tend to get taken to the majority of scumbag sites or see many ads. Various browsers handle the missing data to varying degrees of competence but frankly I don't mind the messy view if it means I stay out of harm's way (as far as I can).
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.