IoT Inspector Tool from Princeton

Researchers at Princeton University have released IoT Inspector, a tool that analyzes the security and privacy of IoT devices by examining the data they send across the Internet. They’ve already used the tool to study a bunch of different IoT devices. From their blog post:

Finding #3: Many IoT Devices Contact a Large and Diverse Set of Third Parties

In many cases, consumers expect that their devices contact manufacturers’ servers, but communication with other third-party destinations may not be a behavior that consumers expect.

We have found that many IoT devices communicate with third-party services, of which consumers are typically unaware. We have found many instances of third-party communications in our analyses of IoT device network traffic. Some examples include:

  • Samsung Smart TV. During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook, even though we did not sign in or create accounts with any of them.
  • Amcrest WiFi Security Camera. The camera actively communicates with cellphonepush.quickddns.com using HTTPS. QuickDDNS is a Dynamic DNS service provider operated by Dahua. Dahua is also a security camera manufacturer, although Amcrest’s website makes no references to Dahua. Amcrest customer service informed us that Dahua was the original equipment manufacturer.
  • Halo Smoke Detector. The smart smoke detector communicates with broker.xively.com. Xively offers an MQTT service, which allows manufacturers to communicate with their devices.
  • Geeni Light Bulb. The Geeni smart bulb communicates with gw.tuyaus.com, which is operated by TuYa, a China-based company that also offers an MQTT service.

We also looked at a number of other devices, such as Samsung Smart Camera and TP-Link Smart Plug, and found communications with third parties ranging from NTP pools (time servers) to video storage services.

Their first two findings are that “Many IoT devices lack basic encryption and authentication” and that “User behavior can be inferred from encrypted IoT device traffic.” No surprises there.
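The third finding is, at bottom, a classification of where each device's traffic goes. As an added example, not code from the Princeton IoT Inspector project, here is a small Python script that does that classification on a constructed connection log (device, destination host, destination port): it marks each destination as first-party or third-party by comparing its registrable domain with an assumed per-manufacturer domain list, and flags connections on ports that do not carry TLS, which is the kind of check behind the first finding. The hostnames are the ones quoted above; the ports, the www.samsung.com line and the manufacturer domains for Halo and Geeni are assumptions of this example.

```python
"""Classify an IoT device's outbound connections as first-party or third-party.

Added example, not code from the Princeton IoT Inspector project. It assumes the
connections have already been pulled out of a capture (e.g. DNS answers plus TCP
SYNs); the log lines below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample log: device, destination hostname, destination port.
# The hostnames are the ones quoted in the findings; the ports and the
# www.samsung.com line are assumptions.
SAMPLE_LOG = """\
samsung-tv   www.samsung.com              443
samsung-tv   play.googleapis.com          443
samsung-tv   ad.doubleclick.net           443
samsung-tv   api.netflix.com              443
amcrest-cam  cellphonepush.quickddns.com  443
amcrest-cam  pool.ntp.org                 123
halo-smoke   broker.xively.com            8883
geeni-bulb   gw.tuyaus.com                1883
"""

# Domains accepted as "the manufacturer" for each device (assumed, not from the study).
MANUFACTURER_DOMAINS = {
    "samsung-tv": {"samsung.com"},
    "amcrest-cam": {"amcrest.com"},
    "halo-smoke": {"halosmartlabs.com"},
    "geeni-bulb": {"mygeeni.com"},
}

# Ports on which the sample assumes TLS is used (HTTPS, MQTT over TLS).
ENCRYPTED_PORTS = {443, 8883}


def registrable_domain(hostname):
    """Crude eTLD+1: the last two labels. Fine for the .com/.net/.org hosts in the
    sample; a real tool should use the Public Suffix List (think co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Return a list of (device, host, port) tuples from whitespace-separated lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, host, port = line.split()
        rows.append((device, host, int(port)))
    return rows


def classify(rows, manufacturer_domains=MANUFACTURER_DOMAINS):
    """Return {device: {"first_party": {domains}, "third_party": {domains},
    "plaintext": {"host:port", ...}}} for the given connection rows."""
    report = defaultdict(lambda: {"first_party": set(), "third_party": set(), "plaintext": set()})
    for device, host, port in rows:
        domain = registrable_domain(host)
        own = manufacturer_domains.get(device, set())
        bucket = "first_party" if domain in own else "third_party"
        report[device][bucket].add(domain)
        if port not in ENCRYPTED_PORTS:
            # Anything off a TLS port deserves a second look (finding #1).
            report[device]["plaintext"].add(f"{host}:{port}")
    return dict(report)


if __name__ == "__main__":
    for device, r in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{device}: third-party {sorted(r['third_party'])}, "
              f"first-party {sorted(r['first_party'])}")
        if r["plaintext"]:
            print(f"  non-TLS ports: {sorted(r['plaintext'])}")
```

The port check is only a heuristic: a device can speak TLS on 1883 or plaintext on 443, so a real analysis looks for a ClientHello in the first bytes of each flow rather than trusting the port number.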

Boingboing post.

Related: IoT Hall of Shame.

Posted on May 1, 2018 at 6:32 AM

Comments

Herman May 1, 2018 7:23 AM

Hmmm, count me unsurprised. When I evaluated Windows 10 three years ago and put tcpdump on the wire, it connected to 39 servers around the world, when it was just sitting there supposedly doing nothing at all.

David May 1, 2018 7:35 AM

IoT Crap again. All they need to do is pay a script-kiddie to point a Kali box at these things and find the holes to plug. But nope, the manufacturers don’t bother. Either that or nobody in Management has any clue about technology. (It’s likely the latter.)

stine May 1, 2018 7:47 AM

The reason the Samsung TV connects to all of those sites is that the apps are pre-installed, which is fine, but usually uninstallable, which isn’t.

Only For Research, Mom! May 1, 2018 8:29 AM

I was impressed by one item on the “IoT Hall of Shame” linked from the end of Bruce’s post:

… sex toys from German company Amor Gummiwaren GmbH and its cloud platform are affected by critical security flaws. … multiple vulnerabilities were discovered in “Vibratissimo” sex toys and in its cloud platform that compromised not only the privacy and data protection but also physical safety of owners. … A total lack of security measures had caused the enumeration of all explicit images of users compromising their identities due to the utilization of predictable numbers and absence of authorization verification. Hackers could even give pleasure to users without their consent using the internet or standing nearby the address within the range of Bluetooth.

Oh, swell. Soon we can expect an epidemic of the opposite of wardriving: teledildonics driving. Involuntarily inflicted whoopee.

TimH May 1, 2018 8:44 AM

I can work around TVs that want to phone home by disallowing the connection, and doing firmware upgrades by USB. But when the TV won’t work out of the box without the (surveillance) connection, then there’s a problem.

Tanterei May 1, 2018 8:47 AM

@OFRM

They can market that vulnerability as a feature (the old adage: It’s not a bug…). Methinks it could be appealing to a clientele with certain fetishes.

Impossibly Stupid May 1, 2018 9:15 AM

@stine

The reason the Samsung TV connects to all of those sites is that the apps are pre-installed, which is fine, but usually uninstallable, which isn’t.

None of it is fine. Even pre-installed things should not phone home unless the user is actually interested in using the service. As it is now, the massive data sharing creates a large and expanding attack surface of who owns what, and quite possibly metadata of their usage habits. Now you have to not only worry about how insecure an IoT manufacturer’s products/services are, you have to worry about how insecure all these third-party servers are. One successful hack on any of them and you’re on your way to being part of a botnet.

In a way, it’s like email. The more people who know you as me@example.com, the more likely it is that your address will leak and start receiving spam, and it’s too late to close the barn door. But giving each contact a disposable email like me+you@example.com means that not only will the spread of the main address be minimized, it allows you to attribute the leak to a particular party. It’s sad that basic lessons like this, learned over decades of work by security professionals, are being ignored by incompetent IoT developers.

müzso May 1, 2018 11:20 AM

Some think that GDPR is going to change things, including the practice that hardware vendors don’t care about their devices phoning home (even if this is not their own intent, but the apps they use/preinstall). I don’t think that GDPR will bring any change in this regard. Even if phoning home includes some personal information (e.g. a mobile phone sends the IMEI to a Chinese server … and I’m not even sure whether an IMEI counts as personal info … it can be tied to a person, but in theory only by the cellular network provider), the authorities will not bother to go after the responsible party. It’ll be difficult to actually determine whose fault the violation is: the hardware manufacturer or some 3rd party supplier (firmware, driver, app, etc.).

echo May 1, 2018 12:44 PM

@müzso

I believe EU case law has determined that a person’s IP address is their personal property. I understand this is why a lot of sites that published IP addresses with comments stopped doing this. Wikipedia went in the exact opposite direction. I expect the IMEI code is no different. As an IMEI is personally identifying information and has risks attached, my understanding under UK case law at least is that improperly divulging it is unlawful.

I disagree with the idea which is very popular lately of spreading the blame around so it is difficult to identify responsibility.

The GDPR is like any major piece of human rights legislation. An idea can be made concrete in a moment but it can take years, decades even, for organisations and society to change.

albert May 1, 2018 12:45 PM

@TimH,
“…But when the TV won’t work out of the box without the (surveillance) connection, then there’s a problem….”

A problem for the store you bought it from when they have to refund your money. Do you know of any case of this happening?

Imagine a world where it says right on the box, “This TV requires an internet connection.”

. .. . .. — ….

"phone home" May 1, 2018 3:21 PM

ok, guys… what exactly does “phone home” mean?

If I serve an image from another site, is my site “phoning home” to that other site??? So, then… 99.9999% of ALL WEB SITES “phone home” to dozens or more of other third party sites… is this what you mean? It’s just such a common practice to grab content from anywhere on the whole web and serve it, that’s WHY IT IS CALLED a “web” to begin with (besides the whole hyperlink thing)…

But, using the term “phone home” makes it sound much much more sinister than that… so surely everyone here means something more than just basic usage of the internet?

Granted, part of the problem is that even totally innocent image serving can be used for sinister purposes which are not in your control if you don’t control the image… So this is really the crux of the issue, it’s a basic design of the web, not that we’re aghast that everyone’s willfully doing sinister things…

"phone home" May 1, 2018 3:31 PM

Ok… this whole idea that “an IP address is personal property” (i.e. private data, not to be shared, by law)

Again, what does this mean? At its maximal extent, it means the WHOLE INTERNET MUST BE SHUT OFF (at least, in Europe)…. BY LAW… later this month… is this really what you mean? For anything to communicate with anything else, it must necessarily publish its ip address. If that is illegal, then the whole internet is illegal… yep… everything.

So… surely we don’t mean that, right? Or maybe you mean, only by knowing consent… First, how many users even know that they’re publishing an IP address when they click around on things… and second, are you really intending to outlaw ALL AUTOMATED PROCESSES (non explicitly user-initiated) that use the internet in any way, shape, or form????

What kind of breakage are you willing to go for, for your ultimate security… if you really want that, turn off all electronics, and don’t come back… ever… Is this what regulators really want? I doubt it…

"phone home" May 1, 2018 3:52 PM

@ albert

“This TV requires an internet connection.” … “Do you know of any case of this happening?”

Ever heard of Netflix or a Roku Player? Or even YouTube… These are the modern TV tuners. And people buy up living-room hardware devices for these like candy, knowing that they require an internet connection… Because they’re sick and tired of the cable company monopoly on what they can watch and the ridiculous amount they charge… (and no, they’re not going back to rabbit ears, the number of local stations is shrinking with the internet taking over)

echo May 1, 2018 3:59 PM

@”phone home”

The issue of an internet address (or IMEI or similar label) being private property and/or private information is dependent on context. It’s about respecting the rights a person has at that point in time and not using the information in a way which disregards those rights. Everyone in possession of this data whether they be a site owner or communications company have ‘data at rest’ and ‘transit’ responsibilities too. Both respect and responsibility can work together so there is no issue with the internet becoming unlawful or unworkable.

I have posted links about abuses in healthcare and law enforcement who throw up their hands in despair or bury their ignorant heads in the sand when faced with similar bureaucratic issues. Complain and the bully sticks come out or they stick their grubby mittens out for more resources (a.k.a money).

I have to laugh… One UK state sector manager (who in law had additional liabilities because they were professionally qualified and regulated) I spoke with a few weeks ago when challenged said they were “not a solutions person”. Their answer to a failure of standards and professional negligence was “fill in a complaint form”. The “complaint form” very neatly went to another department in another building who would pass it to another department in another building with umpteen levels of management and a six layer deep (I kid you not) complaint investigations process which became weaker and weaker as you uncovered the deeply buried policies dictating this. Oh, and they forgot to mention there is a mandatory management standards responsibility to report abuse and also a mandatory abuse investigations policy which must be actioned. Their failure for this lands on them. Whoops.

There really is little excuse of not making it work.

"phone home" May 1, 2018 5:32 PM

@echo

Oh, so with the GDPR, sharing an IP address is fine, as long as it’s done respectfully? Do you know how internet routers work? They just share the information, without regards to respectfulness or laws or privacy rights…

In fact, on the internet, with everything you do (or some hidden automated process does), your private IP address is shared with dozens of different companies that you have no personal relationship with… all without your knowledge. All without respect to any laws or privacy rights. This is the basic way of how packets are routed.

But this is all ok.. because… why? Because of no evil intent? Or maybe the fact that you hooked up to the internet in the first place is considered “consent” to all this? Though I can hardly argue that most people understand this, and gave informed consent to that much data sharing… Most people probably think things are far more direct and private than they really are on the internet.

Try running “traceroute” and see the dozen or two companies that just saw your IP address. This is what happens every single time you connect to anything.

I’m not claiming there’s an “excuse” for refusing to obey the law. I’m suggesting that if sharing IP addresses is illegal then the law may be so broadly worded, as to make the whole internet illegal in Europe. So there’s one clear way to obey the law: turn it off. All of it. For the whole continent. No excuse.

or… maybe sharing IP addresses isn’t that illegal after all?

If there’s some sort of middle ground where sharing IP addresses is fine in certain circumstances, but highly illegal in others.. what are the rules? what are the exceptions? how do I know? Motivation and intent and anything else that ultimately requires mind reading doesn’t really sound concrete enough of an answer to me…

Security Sam May 1, 2018 6:11 PM

When your geeni smart light bulb cheats on you
And your halo smart detector is a smoke screen
It’s time to decide if it’s just a case of Deja vous
Or it’s high time to blurt out something obscene.

Impossibly Stupid May 1, 2018 6:31 PM

@”phone home”

what exactly does “phone home” mean?

Your questions seem disingenuous, but let’s play your game. It means someone else directing your hardware/software to contact their server. It may be “legitimate”, or it may be a hacker who has made your device part of a botnet.

If I serve an image from another site, is my site “phoning home” to that other site???

No, since it is under your control to make that link. The users of your site have no control of that, though, so it may very well be the case that your web bug is doing unwelcome things.

So, then… 99.9999% of ALL WEB SITES “phone home” to dozens or more of other third party sites… is this what you mean?

Yes, that is the major problem. Companies large and small can scoop up that metadata, do analytics, and invasively monitor your behavior online. Just because 99.9999% of sites do it doesn’t mean it’s OK.

At its maximal extent, it means the WHOLE INTERNET MUST BE SHUT OFF (at least, in Europe)…. BY LAW… later this month… is this really what you mean?

No. I’m not going to speak for the specifics of the European law, but the fact is that an IP address is one piece of information that can be used to deanonymize an individual. How many identifying bits it represents depends on a lot of factors. Some countries/organizations may choose to err on the side of caution because many companies are doing everything they can to correlate all the identifying information they can find on people.

"phone home" May 1, 2018 10:00 PM

@Impossibly Stupid

My intent is not to be disingenuous… it’s just that, we’re going “omg, devices are phoning home” like this is some terrible thing, and I’m going, “wait a minute, the whole internet is fundamentally flawed and therefore at great criminal prosecution risk (every single site, program, or company that uses it), if the problem is as basic as loading any resource from a third party or ‘sharing’ any IP address…”

I realize that ISPs and others have been riding the gravy train for years selling our browsing habits to hundreds to thousands of companies to market to us, and the intent of this new law is to curtail that… but if it’s too broadly worded, then the law could end up worse than the disease, making all kinds of innocuous activities illegal too (such as routing IP packets, serving web pages that have any third party content, etc)… My intent is to either raise alarm over this, or stir up enough discussion that I’m proved wrong on this point. So far I’ve seen people claim I’m wrong, but I haven’t seen any evidence or really convincing arguments that I am. Just because this kind of reading of the law is ridiculous doesn’t guarantee it’s a reading that won’t be used by courts.

Jonathan Wilson May 1, 2018 11:46 PM

Why is there so much of a rush to put “smart technology” in everything from kettles to lawnmowers? I have a fridge that is just a fridge, a washing machine that is just a washing machine, a TV that is just a TV (32″ Samsung LCD in this case) and a bog standard key operated lock on my front door and that’s exactly the way I like it.

The only networked devices I own are my Netgear router, my desktop PC and my Nokia N900.

Dave May 2, 2018 1:20 AM

Dahua is also a security camera manufacturer, although Amcrest’s
website makes no references to Dahua.

Amcrest is a Dahua OEM, that’s no secret and never has been. Their cameras use dyndns, if you enable it, for easy setup for people who aren’t familiar with reconfiguring their routers and whatnot. They also contact Amazon cloud, which hosts video footage if you’ve signed up for that.

Winter May 2, 2018 3:28 AM

@Phone home
“At its maximal extent, it means the WHOLE INTERNET MUST BE SHUT OFF (at least, in Europe)…. BY LAW… later this month… is this really what you mean?”

I’ll assume you really do not know what this is all about.

Let us take this blog as an example. The server running this blog gets my IP address, the pages I read, and the comments I make. The IP address can be traced back to my person. It must be clear to anyone who can think that this means that the people running this server know what type of articles I read, and what I think about them. They can also deduce my political opinion from my reading and my comments. If this is not “private information” what is?

The GDPR says that the mere fact that they obtain these data does not mean they are free to do with it what they like. According to EU law, these data are still mine, wherever they reside. Therefore, the people behind this blog and its infrastructure are not allowed to store or use these data for anything else than serving me these pages unless I explicitly consent to the storage or use. Even then, I still have control over the use of my data and can retract my consent at any time.

All this means that web-sites and companies are not allowed to store or use IP addresses except for the immediate goals of serving up web pages and, possibly, securing the proper use of their services. It is absolutely forbidden to share IP addresses with third parties unless there is a legal reason to do so, e.g., consent, contract, or legitimate requests from law enforcement.

Now, what is difficult about this?

supersaurus May 2, 2018 5:25 AM

from the list of remote exploits, this was interesting: carwash attack. seriously? attacked by a carwash? what next, an internet-connected lawnmower?

Herman May 2, 2018 5:49 AM

This was supposed to be only a song, not reality:
Every breath you take
Every move you make
Every bond you break
Every step you take
I’ll be watching you

Iain May 2, 2018 8:03 AM

@Bruce

As far as I can tell, BoingBoing slightly misreported this, and you have picked-up the same mistake. Princeton have released findings discovered using their tool, but not actually released the tool itself.

Impossibly Stupid May 2, 2018 8:23 AM

@”phone home”

My intent is not to be disingenuous… it’s just that, we’re going “omg, devices are phoning home”

No, we are not doing that. People are just showing rational concern for how this issue has expanded into the IoT space. Only you are acting like a chicken little, which I maintain is at best disingenuous.

the intent of this new law is to curtail that… but if it’s too broadly worded, then the law could end up worse than the disease

Such is the nature of many laws. But this article is not about any laws, so raising that issue only serves to derail the discussion of IoT security. And you’re not raising any new alarms when you say laws can be abused; some would argue that they are often ambiguously worded specifically to do just that. Save it for a blog that discusses EU laws, ideally one with lawyers that actually know the law better than to get outraged by a misunderstood interpretation/opinion of said laws.

So far I’ve seen people claim I’m wrong, but I haven’t seen any evidence or really convincing arguments that I am.

Just because you remain unconvinced says nothing. It is not the responsibility of the world to make sense to our limited understanding of it.

Impossibly Stupid May 2, 2018 8:43 AM

@Winter

All this means that web-sites and companies are not allowed to store or use IP addresses except for the immediate goals of serving up web pages and, possibly, securing the proper use of their services. It is absolutely forbidden to share IP addresses with third parties unless there is a legal reason to do so, e.g., consent, contract, or legitimate requests from law enforcement.

Now, what is difficult about this?

Well, it’s difficult in that an IP address (especially as it gets propagated over the Internet) isn’t really a personal identifier. It gives some unique bits, but a lot depends on exactly how your ISP is set up. So, really, it doesn’t make sense to forbid their use in the context of anything other than how they, like any other form of imperfect identifier, can be used in conjunction with other data to deanonymize users. That’s why the sharing with third parties is such a bad thing. The actual danger is not that someone knows my IP address, it’s when they correlate it with a lot of other bits of information that do ultimately (and intimately) personally identify me.

PeaceHead May 2, 2018 9:12 AM

So apparently, it seems as if all these devices act like sloppy web pages on the typical web browser. What a bummer.

MAYDAY RECEIVED, what to do about it though, that’s the question…?

Luddites seem to have a burgeoning case, hehehehe.

echo May 2, 2018 10:10 AM

@Winter

The law is a specification like anything else. To some degree good implementation depends on skill and understanding. Both of these come from education and practice.

I sense people who are baffled and cannot cope with more than one element of a problem at a time have a problem with integrating this mode of reasoning. A problem within many general areas is people in one field often cannot communicate with or understand another field. This can happen too within a given field as specialities or exceptional cases split things further. Taken to its extreme this can lead to situations where opportunities are lost, health and safety issues like workplace bullying arise, and in some cases bankruptcy.

In UK law an opinion (no matter how expert and popular) is merely an opinion. Only a court judgement counts in law and there have been plenty of rulings on these issues including the specific issue of IP addresses being personal property and identifiers.

As with a lot of things many “experts” are rote learned in processes and have access to the manuals which are usually locked away. (Anyone who has worked within IT will know this.) This is one reason I suspect why the major newspapers in the UK continually fail to cite court judgments when writing up articles.

For anyone who wishes to educate themselves begin here:

https://ials.sas.ac.uk/digital/bailii

and here:

http://www.bailii.org/

echo May 2, 2018 10:11 AM

Apologies for the typos. Blame autocorrect syndrome or stress induced dyslexia.

"phone home" May 2, 2018 10:33 AM

@Winter

“All this means that web-sites and companies are not allowed to store or use IP addresses except for the immediate goals of serving up web pages”

So, when you connect to this blog, it’s completely ok to share IP addresses with literally DOZENS of companies that are not your ISP, and are not Bruce’s site, as long as it’s part of “serving the web page?” So then, you realize that TV that is “phoning home” to dozens of places is generally just serving a few web pages too, right? Its whole “smart” interface is a web site, and it runs a full screen web browser, so to speak (some of it local, some of it remote). Its embedding of ads is technically the same way as web pages embed ads. You cannot ban (or be horrified at) one without banning (or being horrified at) the other…

So I’ve seen arguments that it’s not the actual IP address sharing that’s the issue, but the combining it with other tracking… hmm, interesting idea… so then, it’s perfectly ok to share IP addresses by themselves, just not combining them with other things? What about combining them with what sites you visit? You know that internet routers do that too (since they have to know both ends to route)… oh, but that’s “part of serving a web page”… my head is spinning.

@Impossibly Stupid

The article was not about laws, true enough. But the discussion (before I joined it) had turned to that, relating IoT with the new law… if the moderator would like, I’m happy to move to the squid thread…

"phone home" May 2, 2018 10:46 AM

Perhaps part of my problem is that I’m an American. Over here in the States, too-broadly worded laws are commonly used to crush the little guy in all sorts of ridiculous ways. If any law can be interpreted in a moronic way, it will be by some court… and then the steamroller gets going…

Maybe Europeans and their courts are all much more rational, and I should just relax, everything will be fine?

x2bike4u May 2, 2018 2:31 PM

@Herman

Every breath you take
Every move you make
Every bond you break
Every step you take
I’ll be watching you

Sounds like my in-laws

Greg May 2, 2018 6:52 PM

The findings of the Samsung Smart TV are no surprise, it is chock full of apps/app access and I am sure the connections listed aren’t the only ones. Likely checking for updates, I’m not as paranoid about this stuff as I once was. IF there was anything I wanted to hide, I sure as hell would still be using a CRT. Yeah TV watching in my house runs the gamut – from PBS to HSN to FOX, there, now the data they collect has been made public by me; no worries. 😛

"phone home" May 2, 2018 8:36 PM

@Greg

“there, now the data they collect has been made public by me; no worries.”

Not exactly… You aren’t posting a continual real-time list of every program you flick through, along with dates and times, so that every one of us crazy criminals that use the internet can clearly see when is a good time to break into your house… But don’t worry, the longer time goes, the more likely some hacker has already hacked in and slurped up their whole database, and is sharing it with all of us criminals anyway! Problem solved for ya! 🙂

CallMeLateForSupper May 3, 2018 7:41 AM

IoT fails have drip-dripped onto the scene for some years now. Memory of the details of each one faded before the next hit the news. The only memory that stayed with me was the common thread: poorly implemented “smart” devices.

So, for me, the Hall of Shame (linked by Bruce) was an eye-opener, a reminder of the depth and scope of the problem. Scroll (and scroll and scroll and …) down the page and renew many “acquaintances” you had forgotten.

A Nonny Bunny May 5, 2018 2:50 PM

@”phone home”

So, when you connect to this blog, it’s completely ok to share IP addresses with literally DOZENS of companies that are not your ISP, and are not Bruce’s site, as long as it’s part of “serving the web page?”

No, because it’s not necessary to share an ip-address with any other company just to serve a webpage.

It’s really quite simple. You can use identifying information as necessary (or as agreed), not at your convenience.

Concretely, at our company we have to anonymize ip-addresses from access-logs (and any other places) within two weeks. (Our services have no other legitimate reasons to store ip-addresses other than serving webpages and usage analysis.) Removing the last 8 bits is considered sufficient anonymization as a trade-off that leaves the logs somewhat usable after those two weeks.
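The two-week retention and last-octet truncation A Nonny Bunny describes can be written down as a log-rewriting job. As an added example in Python (not the commenter's code), run on constructed Common Log Format lines that use documentation address ranges: lines younger than the window are kept as they are, older ones get the client address replaced by its /24 (IPv4) or, as an assumption the comment does not cover, /48 (IPv6) network address, and a line the parser does not understand raises rather than being passed through with its address intact.

```python
"""Rewrite web access logs so client addresses older than a retention window are truncated.

Added example of the policy the comment describes; not the commenter's code.
Log lines are constructed in Common Log Format and use documentation address
ranges (198.51.100.0/24, 2001:db8::/32). The 14-day window and the 24-bit IPv4
prefix follow the comment; the 48-bit IPv6 prefix is an assumption of this example.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample; "now" is fixed so the example output is reproducible.
EXAMPLE_NOW = datetime(2018, 5, 6, tzinfo=timezone.utc)
SAMPLE_LOG = """\
198.51.100.23 - - [20/Apr/2018:10:12:01 +0000] "GET /blog/ HTTP/1.1" 200 5123
2001:db8:85a3::8a2e:370:7334 - - [21/Apr/2018:08:00:45 +0000] "GET /blog/ HTTP/1.1" 200 5123
198.51.100.77 - - [04/May/2018:19:30:00 +0000] "POST /comment HTTP/1.1" 302 0
"""


def truncate_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Keep only a network prefix: /24 drops the last 8 bits of an IPv4 address,
    as in the comment; /48 for IPv6 is this example's assumption."""
    ip = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def anonymize_line(line, now, retention=timedelta(days=14)):
    """Return the line unchanged while it is inside the retention window, otherwise
    with the client address truncated. A line that does not parse raises, so a
    format change cannot silently leave full addresses in the rewritten log."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized log line: {line!r}")
    logged_at = datetime.strptime(m.group("ts"), TS_FMT)
    if now - logged_at < retention:
        return line
    return f"{truncate_ip(m.group('ip'))} {m.group('ident')} [{m.group('ts')}] {m.group('rest')}"


def anonymize_log(text, now, retention=timedelta(days=14)):
    """Apply anonymize_line to every line of a log and return the rewritten text."""
    return "\n".join(anonymize_line(line, now, retention) for line in text.splitlines())


if __name__ == "__main__":
    print(anonymize_log(SAMPLE_LOG, EXAMPLE_NOW))
```

The 24-bit truncation is the trade-off the comment describes, not anonymization in any strong sense: a /24 still names the ISP and usually the town, and the request line and user agent that stay in the log can re-identify a visitor on their own, which is why the length of the window matters as much as the number of bits dropped.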

"phone home" May 5, 2018 10:04 PM

@A nonny bunny

Please run a “traceroute” to different common web sites you visit. Count how many companies that see your IP address (i.e. have had your IP address “shared” to them, in order to complete that request), that are not your ISP, and are not the actual sites you visit. Yes, on the one hand, it’s part of providing the service, but on the other hand, it ABSOLUTELY IS SHARING your IP address with lots and lots of companies all over the place that you don’t know who they all are. They are not your ISP, and they are not the web site you’re connecting to. This is the way the internet works. It’s the way it’s always worked, and always will work (unless it’s ever totally redesigned from the ground up). If any court ruled that this were illegal (because all “sharing IP addresses” were outlawed), the whole internet would have to be shut down to comply (at least, within that court’s jurisdiction)!

Additionally, view the source of most web pages you visit (or look at the “network” tab in the development tools). you will find references to other third party libraries, scripts, images, and all kinds of various other things in there, often a dozen or more different ones. This is also “just part of serving the web page” It’s dozens of different companies that are not you, not your ISP, and not the entity you contacted by visiting the web site. If this is ever outlawed (because “sharing IP addresses” is illegal), most web sites currently in existence would become illegal.

Using the two examples above as evidence for this claim, here’s my main point: Everyone needs to be careful how they word stuff, or they could inadvertently be declaring common innocuous activities illegal too along with the “bad stuff” just because they don’t understand the inner workings of things…. If that were to happen within the wording of the law itself, someone somewhere is bound to use that to use the court itself as a tool to do evil things… perhaps possibly even more evil than that law does good. This has already happened with certain other laws…

If anyone doesn’t understand my explanation above, I can go into greater detail, or perhaps more simple detail…

echo May 6, 2018 1:08 AM

@”phone home”

Please read up on the UK Data Protection Act (and European Convention plus the UK Human Rights Act and possibly even the Goods and Services Directive).

Basically, if your IP address (“the data”) is used lawfully within the aims and purposes etcetera of the facilities being provided then the action is lawful. It is when this confidence is abused where it becomes unlawful.

Some years ago the position of UK law made caching by ISPs unlawful. The law has since been updated with a specific provision for caching. ISPs used to tout their service as being fast enough to download a movie or music track in so many minutes or seconds. While a court case and the law can be uncertain the view is this kind of advertising crosses the line into unlawful advocacy of copyright infringing behaviour for gain. Recent prosecutorial action has reflected this with very recent marketing attempts although marketing best practice has since improved and moved on. With caches and marketing bandwidth activity was strictly speaking unlawful at the time. Both practice and the law have caught up. At no stage did the internet stop working.

The UK has played fast and loose with census data. A private case brought to rule transfer of data to the US to be processed because it broke safe harbour guarantees failed. Judges have since ruled that the action by the government was indeed lawful. This kind of thing is part and parcel of the dialogue leading up to EU GDPR legislation and is of course ongoing in civil society. I am not aware at the time of writing and up to the point I pressed the “submit” button that the internet stopped working because of this.

If you wish to discuss this further there are plenty of lawyers willing to take money off you!

"phone home" May 6, 2018 9:27 AM

@echo
Here’s the kind of thing I’m talking about:

First, @”phone home” wrote:

So, when you connect to this blog, it’s completely ok to share IP addresses with literally DOZENS of companies that are not your ISP, and are not Bruce’s site, as long as it’s part of “serving the web page?”

Then @A Nonny Bunny wrote:

No, because it’s not necessary to share an ip-address with any other company just to serve a webpage.

Then when @”phone home” explained how basic internet routing worked (i.e. try “traceroute”), that it DOES require sharing an IP address with other companies just to serve a web page…

Then @echo comes back with more clarification (“within the aims and purposes etcetera of the facilities being provided”) to explain that the internet itself is lawful again.. whew!

If us techies are having this kind of trouble being specific, how do you expect any old half-technologically-inept lawmakers to have an easier time at it?

Indeed plenty of lawyers are willing to take money, that’s the main business that profits from all of this.

By the way, it’s great that in the UK things got ironed out without half shutting off the internet, I wish I could say the same for Russia. I hope Europe fares better than that.

Impossibly Stupid May 7, 2018 7:43 AM

@”phone home”

If us techies are having this kind of trouble being specific, how do you expect any old half-technologically-inept lawmakers to have an easier time at it?

The only person here that seems to be having trouble is you. To the rest of us, it is quite easy to define what “sharing” means in the context of abuse. Either you’re not actually a “techie”, or you’re trolling. It’s times like these I wish I could ignore people who are dedicated to derailing a conversation with off-topic nonsense like this.

"phone home" May 7, 2018 10:42 AM

“it’s not necessary to share an ip-address with any other company just to serve a webpage”… when it very much is absolutely necessary to share it with several companies for the internet to function at all… (just, you could say it’s within the scope of providing internet service, not for advertising/marketing/etc)… is not trouble understanding anything?

I appreciate the insults though.

echo May 7, 2018 4:15 PM

Whoops. Sorry. Major typo correction! I meant to say judges have since ruled UK government action was unlawful.

“The UK has played fast and loose with census data. A private case brought to rule transfer of data to the US to be processed because it broke safe harbour guarantees failed. Judges have since ruled that the action by the government was indeed lawful. This kind of thing is part and parcel of the dialogue leading up to EU GDPR legislation and is of course ongoing in civil society. I am not aware at the time of writing and up to the point I pressed the “submit” button that the internet stopped working because of this.”

Sancho_P May 7, 2018 4:32 PM

No need for a personal infight, @“phone home”’s (second) posting may be a bit radical, but he has a point.

Contemporary IP sharing laws are void, and we have to assume they are deliberately designed as such. The horses have left the barn, it’s too late, even if lawmakers were now willing to kill Internet and businesses.

Instead of the useless cookie warning (it doesn’t work without session cookies) sites / devices should present a list of third party domains (= IP sharing) to accept before any external content / site is accessed.

  • Or hold (and process) all that stuff on their own server! :-)))
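Sancho_P’s idea of a per-device list of third-party domains to accept, as an added example that is not from the original thread: it assumes a constructed connection-log format and a tiny hand-made stand-in for the Public Suffix List, groups destinations by registrable domain, drops the device’s declared first-party domains, and returns the list a user would be shown.

```python
import re
from collections import Counter

# Constructed sample log (not a real capture): timestamp, device, destination
# host, protocol. The last line is deliberately malformed to exercise parsing.
SAMPLE_LOG = """\
2018-05-07T16:32:01Z device=smart-bulb dst=gw.example-vendor.com proto=tls
2018-05-07T16:32:02Z device=smart-bulb dst=api.example-vendor.com proto=tls
2018-05-07T16:32:02Z device=smart-bulb dst=broker.example-mqtt.net proto=mqtt
2018-05-07T16:32:05Z device=smart-bulb dst=0.pool.ntp.org proto=udp
2018-05-07T16:32:09Z device=smart-bulb dst=broker.example-mqtt.net proto=mqtt
2018-05-07T16:32:11Z device=smart-bulb dst=cdn.example-ads.net proto=tls
2018-05-07T16:32:12Z device=smart-bulb dst=malformed line here
"""

LINE_RE = re.compile(r"^\S+ device=(?P<device>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)$")

# Assumption: a short list stands in for the real Public Suffix List, which a
# production tool would load instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def registrable_domain(host: str) -> str:
    """Collapse a hostname to the domain an operator actually registers."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def third_party_destinations(log_text: str, first_party) -> dict:
    """Return {"devices": {device: Counter(domain -> hits)}, "unparsed": n},
    keeping only destinations outside the declared first-party domains."""
    fp = {registrable_domain(d) for d in first_party}
    devices, unparsed = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1          # skip, but count, lines we cannot trust
            continue
        rd = registrable_domain(m["dst"])
        if rd in fp:
            continue               # manufacturer traffic the user expects
        devices.setdefault(m["device"], Counter())[rd] += 1
    return {"devices": devices, "unparsed": unparsed}

def consent_list(report: dict, device: str):
    """The list to show the user: most-contacted third parties first."""
    counts = report["devices"].get(device, Counter())
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    rep = third_party_destinations(SAMPLE_LOG, ["example-vendor.com"])
    for dom, hits in consent_list(rep, "smart-bulb"):
        print(f"smart-bulb -> {dom} ({hits} connections)")
```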

Impossibly Stupid May 8, 2018 8:11 AM

@Sancho_P

No need for a personal infight, @“phone home”’s (second) posting may be a bit radical, but he has a point.

Absolutely no point about IoT security is being made by anyone who has derailed this conversation. It’s all just more political incitement, and this blog does not benefit by being permissive of that kind of misuse. Unless he wants to turn it into another sewer like Facebook or YouTube, Bruce needs to better moderate the comments, or he should remove them entirely.
