Detecting Malicious Trackers

From Slashdot:

Apple and Google have launched a new industry standard called “Detecting Unwanted Location Trackers” to combat the misuse of Bluetooth trackers for stalking. Starting Monday, iPhone and Android users will receive alerts when an unknown Bluetooth device is detected moving with them. The move comes after numerous cases of trackers like Apple’s AirTags being used for malicious purposes.

Several Bluetooth tag companies have committed to making their future products compatible with the new standard. Apple and Google said they will continue collaborating with the Internet Engineering Task Force to further develop this technology and address the issue of unwanted tracking.

This seems like a good idea, but I worry about false alarms. If I am walking with a friend, will it alert if they have a Bluetooth tracking device in their pocket?

Posted on May 21, 2024 at 7:09 AM · 43 Comments

Comments

Uaf May 21, 2024 7:25 AM

Might get annoying on a bus or train. I wonder if there may be a spike in distracted driving related crashes in periods of congestion. Hopefully what is good for security does not become bad for road trauma.

Ed May 21, 2024 8:12 AM

Been playing around with an app called AirGuard. I have it installed on my GrapheneOS device. Supposed to only alert if device found in several locations. When it alerts you can manually scan for it and trigger it.

And yes false alarms are possible like in public transport.

Peter May 21, 2024 8:13 AM

Curious if there is a magic ID to exclude it from reporting LEO ones to create a false sense of security.

Geordie W Korper May 21, 2024 8:49 AM

Spurious notification avoidance is a large part of the linked spec. This specific section is probably the most relevant:

3.8. Near-owner bit

It is important to prevent unwanted tracking alerts from occurring when the owner of the accessory is in physical proximity of the accessory, i.e., it is in near-owner mode. In order to allow suppression of unwanted tracking alerts for an accessory advertising the location-enabled advertisement with the owner nearby, the accessory MUST set the near-owner bit to be 1 when the near-owner state is in near-owner mode, otherwise the bit is set to 0.

Hell by any other name May 21, 2024 9:07 AM

@ALL

It’s not going to work for a couple of reasons as can be seen with

“Several Bluetooth tag companies have committed to making their future products compatible with the new standard”

Flip that over and you will see,

  1. It will only work with some tags that comply with an unenforceable standard.
  2. It creates a ‘premium market’ for tags that do not comply with the standard.

If I was designing a non-compliant tag I would ‘play the standard’ against itself.

Think about “False Alarms”

To stop them happening there would have to be an ‘integration period’ to decide if the tag is ‘in your pocket’ or in the hand bag of the person sitting next to you.

Even then there would still be “False Alarms” so there would need to be a mechanism by which a user could have the adjacent tag ignored.

Both of these provide ‘windows of opportunity’ which can be exploited to attack the system.

One overly complicated way would be to make a tag that looks like many tags from many manufacturers in some kind of random rolling sequence.

Due to what these tags are designed to do and the fact they were designed as a system the wrong way from the get go, they are always going to have ‘windows of opportunity’ that can be exploited.

So the choices are limited. First they need to stop making selling and supporting these poorly designed tags. Secondly they need to design a tag system that does not have exploitable ‘windows of opportunity’.

As there is so much money involved with these tags, and many would say designing a non-exploitable system is near, if not actually, impossible, two things can be concluded:

  1. These tags will continue to be sold indefinitely.
  2. These tags will continue to be exploitable indefinitely.

The Genie is not going to go back in the bottle, it is in effect

‘The spectre at the feast of capitalism and an authoritarian wet dream.’

As was once written in a short story over a lifetime ago,

“You have created a new world among the three of you, I congratulate you. Happy goldfish bowl to you, to me, to everyone, may each of you fry in hell forever.”

https://classicsofsciencefiction.com/2023/12/21/the-dead-past-by-isaac-asimov-2/

It’s a story all technologists should not just read but be required to understand as part of professional ethics.

dr2chase May 21, 2024 9:52 AM

It seems like it would make these tags somewhat useless for theft-tracking purposes. Each of my bicycles has a Tile stashed on it, if the bike vanishes, I am curious where it went. Bike theft is depressingly common; just last night I watched a review of a “takes 3 grinder blades” bike lock.

I have no idea how to reconcile tracking and stalking prevention; what works for one is bad for the other, no matter what technology is used.

echo May 21, 2024 9:56 AM

Trackers are generally not user serviceable. They can be obsoleted. Any non-compliant tracker only has criminal purpose. It’s no different from a grenade being sold in Fisher-Price colours. It still has only one purpose. Treat accordingly.

When people begin getting slapped with attempted kidnap, harassing and stalking women, or sex offending charges they’ll soon stop using them. Make possession or seeking to possess or sell a non-compliant tracker without a permit (typically restricted to security services and law enforcement) a strict-liability offence just to be sure, and put them on an import-export watch list.

Problem solved…

madge May 21, 2024 11:02 AM

@Hell by any other name,

It will only work with some tags that comply with an unenforceable standard.

It creates a ‘premium market’ for tags that do not comply with the standard.

As I understand it, these tracking devices only work by enlisting the public without knowledge or consent. Apple phones scan for Apple tags, Samsung phones scan for Samsung tags, but who’s gonna be scanning for these third-party non-compliant tags? Without stooges, the system doesn’t seem workable. Unless maybe the third-party manufacturers can integrate with the existing networks, but I’m not sure the standards are sufficiently open for that; Tile tags can apparently only be located when near someone who’s voluntarily installed the Tile app, which puts them at a significant disadvantage.

Oddly, Wikipedia classifies AirTag as a type of “key finder”, which seems absurd. The search space for one’s lost keys is not the entire world. Generally, it’d be within one’s home, and maybe in areas where one’s walked recently, so this could just be done with Wi-fi or Bluetooth (and re-tracing one’s steps), with little risk of unwanted tracking.

Daniel Popescu May 21, 2024 11:31 AM

Although this seems to be a commendable initiative from these two tech giants, it won’t work simply because they are not standardisation bodies, national or international. Until something similar gets published by ISO and adopted by most national standardisation entities and then transformed into laws, and then those laws applied, it usually takes about 10 years. So no, this is just a not so clever business decision fueled by, you guessed it above, profit.

madge May 21, 2024 11:52 AM

@Daniel Popescu,

Until something similar gets published by ISO and adopted by most national standardisation entities and then transformed into laws, and then those laws applied, it usually takes about 10 years.

Or the privacy regulators could get off their asses and be proactive for once, and notice that these tracking networks probably violate existing laws including the GDPR. Few people meaningfully consented to collect and share data about their surrounding RF-space with Apple.

But, like Facebook’s obvious and egregious violations, probably nothing will be done till some organization pushes in court, and keeps pushing when the privacy commissions say that some minor revisions seem to have made it okay.

Morley May 21, 2024 12:23 PM

Why would tag makers have to implement anything? Seems like an on-phone feature. Stalkers will buy ones without it implemented.

lurker May 21, 2024 1:18 PM

@echo, @ALL

So is this another burden on the LEAs? To carry a BTLE sniffer and sort out legal from illegal tags?

Taobao and Alibaba will have heaps of devices that comply, do not comply, and pretend to comply if examined by import control officials.

vas pup May 21, 2024 2:09 PM

Israel’s CyberArk inks deal to buy US cybersecurity firm for $1.54 billion
https://www.timesofisrael.com/israels-cyberark-inks-deal-to-buy-us-cybersecurity-firm-for-1-54-billion/

“Israel’s CyberArk has inked an agreement to snap up US cybersecurity firm Venafi in a cash and share deal worth $1.54 billion.

CyberArk specializes in identity security and in protecting privileged accounts on corporate servers against external attackers and malicious insiders.

The cybersecurity market continues to face new challenges with the fast emergence and adoption of AI-powered tools and software by businesses and organizations as they move to cloud services and hybrid working environments, which in turn has expanded their threat landscape and attack surface.

All this has created an explosion of identities by people, whether they are employees, third-party users, or customers, using many devices to connect to a network. In parallel, the digital transformation and the ongoing migration to cloud services have led to an increase in the use of non-human applications or identities, such as machines, bots, and workloads.

The number of machines is rapidly outpacing the growth in their human counterparts, with more than 40 machine identities for every human identity, which if left unprotected, serve as a hunting ground for cybercriminals, CyberArk said.

With the acquisition of Venafi, CyberArk seeks to expand its security arsenal as more businesses need to keep their machine-to-machine connections and communications safe.

“This acquisition marks a pivotal milestone for CyberArk, enabling us to further our vision to secure every identity – human and machine – with the right level of privilege controls,” said CyberArk CEO Matt Cohen. “By combining forces with Venafi, we are expanding our abilities to secure machine identities in a cloud-first, GenAI, post-quantum world.”

ben senise May 21, 2024 2:10 PM

As I understand it, a tracker that is near its owner’s phone will not be considered to be tracking you.
It’s only when the tracker is near you and is not communicating with its owner that you will be notified.
This is described as “near owner mode” and “separated mode” in the paper Bruce linked.
If a tracker uses either Apple or Google “Find My” networks, then the features should work since they are server side, not on the phones or tags themselves. Tags like the Tile ones that don’t use either network and instead rely upon a network of people who have installed the Tile app are most likely not affected by this newly implemented security feature.
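The suppression rule in the spec section Geordie W Korper quoted above (3.8, the near-owner bit) and the near-owner/separated distinction ben senise describes can be sketched as phone-side alert logic. The Python below is an added example written for this page; it is not code from the draft, from Apple or Google, or from any commenter. The thresholds (30 minutes, 500 metres, three sightings), the tag identifiers, the coordinates, and the choice to forget a tag’s history whenever its near-owner bit is seen set are all constructed assumptions: the draft’s real thresholds and advertisement layout are not given on this page, and real tags rotate their identifiers rather than advertising a stable one.

```python
"""Added example: phone-side unwanted-tracker alerting with near-owner suppression.

Hypothetical simplification of the logic the quoted spec section implies;
the thresholds, identifiers and coordinates below are constructed.
"""
from dataclasses import dataclass, field
from math import hypot
from typing import Optional


@dataclass(frozen=True)
class Advertisement:
    """One decoded location-enabled advertisement as seen by the phone."""
    tag_id: str        # constructed stable id; real tags rotate identifiers
    near_owner: bool   # the near-owner bit from section 3.8 (True = owner nearby)
    t: float           # seconds since the phone started scanning
    x: float           # phone position in metres (constructed local coordinates)
    y: float


@dataclass
class TagTrack:
    """What the phone remembers about one separated-mode tag."""
    first_seen: float
    last_seen: float
    positions: list = field(default_factory=list)


class UnwantedTrackerDetector:
    def __init__(self, min_duration_s: float = 1800, min_distance_m: float = 500,
                 min_sightings: int = 3):
        # Assumed thresholds: the draft's actual values are not on this page.
        self.min_duration_s = min_duration_s
        self.min_distance_m = min_distance_m
        self.min_sightings = min_sightings
        self.tracks: dict[str, TagTrack] = {}
        self.alerted: set[str] = set()

    def observe(self, adv: Advertisement) -> Optional[str]:
        """Feed one advertisement; return the tag id if an alert should fire."""
        if adv.near_owner:
            # Section 3.8: owner nearby, so suppress. Assumption: also forget any
            # history, since the tag was evidently travelling with its owner.
            self.tracks.pop(adv.tag_id, None)
            return None
        track = self.tracks.get(adv.tag_id)
        if track is None:
            track = TagTrack(first_seen=adv.t, last_seen=adv.t)
            self.tracks[adv.tag_id] = track
        track.last_seen = adv.t
        track.positions.append((adv.x, adv.y))
        if adv.tag_id in self.alerted or not self._moving_with_user(track):
            return None
        self.alerted.add(adv.tag_id)
        return adv.tag_id

    def _moving_with_user(self, track: TagTrack) -> bool:
        """Separated tag seen long enough, often enough and far enough to matter."""
        duration = track.last_seen - track.first_seen
        if duration < self.min_duration_s or len(track.positions) < self.min_sightings:
            return False
        x0, y0 = track.positions[0]
        travelled = max(hypot(x - x0, y - y0) for x, y in track.positions)
        return travelled >= self.min_distance_m


def run_scenarios() -> list[str]:
    """Constructed scenarios; returns the tag ids that raised an alert."""
    det = UnwantedTrackerDetector()
    advs = []
    # A: walking with a friend whose tag is in their pocket, owner alongside -> bit set
    for i in range(5):
        advs.append(Advertisement("tag-friend", True, i * 600, i * 300.0, 0.0))
    # B: a separated tag that rides along for 40 minutes and 1.2 km
    for i in range(5):
        advs.append(Advertisement("tag-separated", False, i * 600, i * 300.0, 0.0))
    # C: a stranger's separated tag shared on a bus for four minutes only
    for i in range(3):
        advs.append(Advertisement("tag-bus", False, i * 120, i * 100.0, 0.0))
    # D: a separated tag sitting stationary next door for two hours
    for i in range(13):
        advs.append(Advertisement("tag-neighbour", False, i * 600, 20.0, 15.0))
    advs.sort(key=lambda a: a.t)
    alerts = []
    for adv in advs:
        hit = det.observe(adv)
        if hit is not None:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    print("alerts:", run_scenarios())  # alerts: ['tag-separated']
```

Scenario A is the walking-with-a-friend case from the post: the friend’s tag advertises with the near-owner bit set because its owner’s phone is alongside, so nothing fires. Only the separated tag that co-travels long enough and far enough (scenario B) raises an alert; a brief overlap on a bus (C) and a stationary tag next door (D) both stay below the thresholds. The bit itself is only the accessory’s own claim, which is the limitation the thread discusses for non-compliant tags, so the duration and distance checks, which the phone measures itself, are the part a detector cannot do without.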

Bcs May 21, 2024 2:33 PM

How will the system differentiate between someone illegitimately tracking someone or legitimately tracking something that a person has with them?

Tracking stolen property is the obvious case, but what about wanting to track packages in transit or checked baggage if the carrier isn’t happy with people having a better idea of where their own property is than the people it was entrusted to do?

echo May 21, 2024 4:28 PM

So is this another burden on the LEAs? To carry a BTLE sniffer and sort out legal from illegal tags?

Taobao and Alibaba will have heaps of devices that comply, do not comply, and pretend to comply if examined by import control officials.

I suggest people do some light research on strict liability offences involving kidnap, harassment and stalking, and sexual abuse and which land on international import-export watch lists. They are not the kind of offences which make friends. You will be divorced. You will lose your business. You will go to jail. Your time in jail will be… uncomfortable. You will be marked for life. You may even acquire an ankle tag and have your movements restricted. Holidays abroad and internet access get super special attention from authorities.

Diplomats and VIPs of non-compliant states don’t like being left in the corner twiddling their thumbs at embassy parties and international conferences.

In China this might attract the death penalty. I don’t think Chinese quality control or Alibaba will be a problem. Moreover, I think they would be exceedingly keen to comply.

How will the system differentiate between someone illegitimately tracking someone or legitimately tracking something that a person has with them?

Tracking stolen property is the obvious case, but what about wanting to track packages in transit or checked baggage if the carrier isn’t happy with people having a better idea of where their own property is than the people it was entrusted to do?

Assuming a device is compliant with regulations even a legitimate item can be restricted for travel and postal services. They may be whitelisted for this purpose.

As I understand it, a tracker that is near its owner’s phone will not be considered to be tracking you.
It’s only when the tracker is near you and is not communicating with its owner that you will be notified.
This is described as “near owner mode” and “separated mode” in the paper Bruce linked.
If a tracker uses either Apple or Google “Find My” networks, then the features should work since they are server side, not on the phones or tags themselves. Tags like the Tile ones that don’t use either network and instead rely upon a network of people who have installed the Tile app are most likely not affected by this newly implemented security feature.

If it’s not compliant and not accompanying you and not on a whitelisted activity i.e. accompanied public travel or point to point delivery or postal service to a known address or a vehicle owned by you and the driver is not aware of the presence of the device one could assume illegitimate purpose.

Not everyone will carry or want to carry or want to be forced to carry a monitoring device for a compliant device. Nobody should have to. How does it sound if you legally mandated everyone carry a smartphone (or monitoring device) at all times whether they like it or not? Exactly… I will leave it to the lawyers and judges to work out whether their use will be struck down in the courts.

echo May 21, 2024 6:22 PM

@Peter

I’m sorry your friend suffered a miscarriage of justice. These things can and do happen anywhere in the world and must be stamped on when they occur.

I’ll leave strict liability open for discussion. If a tracker is obtained for the purpose of or used to facilitate some crimes that would unquestionably be a strict liability offence so it’s not entirely off the table. At the very least someone might have a lot of explaining to do if they were caught with one especially one not compliant with regulation or used strictly for permitted purposes. This would be for the lawyers and civil liberties people to discuss during framing of any law.

Neither the UK or rest of Europe is perfect but the US could certainly learn a few things. To some degree this is on the voters. The more you know of better systems the more you go “hangaboutaminute” and “Why don’t we have this over here too?” I know universal healthcare has a lot of traction among a lot of Americans both from a social justice and national security point of view and this is just one thing. Why not other things too? I was chatting with an American lady last year and she groaned when voting for the kitchen sink right down to the local dog catcher. I understand why this aspect of American democracy exists but what is the benefit and how can it be detrimental? Gerrymandering? Another issue.

All of Europe (apart from Russia and Belarus) are signed up to the UN Universal Declaration of Human Rights via the European Council (a non-EU body) and the European Convention on Human Rights. The European Court of Human Rights has jurisdiction. Lack of human rights at a constitutional level is a gaping hole in US law not helped by weak federal law and undeveloped case law.

Since the scandals of 1970’s/1980’s policing the UK has the Police and Criminal Evidence Act (PACE). You just can’t get away with obtaining signed confessions from prisoners covered in bruises from falling down the stairs of a one story building with no basement. UK forensics are separate from police officers. Training and quality of service across the board is universally higher than US equivalents which can be so so to very flaky especially non-FBI or away from the big cities. In the 1980’s/1990’s UK police and forensics pretty much wrote the book.

Judges and the Crown Prosecution Service (CPS) are not political appointments. They don’t run for public office. The Civil Service Code applies to the CPS and Director of Public Prosecutions who does not run for election.

In the UK we’re stuck with a First Past the Post (FPTP) voting system but also have the Electoral Commission which sets constituency boundaries and regulates elections. It was independent but the Tories took it under control of the Secretary of State, which most would agree is suspicious. Postal voting exists and is nowhere near as contentious as in the US. No stupid voting machines to be hacked either. My voting place is less than a ten minute walk away and I was in and out in five minutes. Voter participation and ease of voting and reliability and fair non-gerrymandered boundaries is a form of security and helps make everything else more secure as it affects governance and infrastructure and your rights and society.

People don’t get overcharged in the UK and bail where available is not onerous. It’s usually free with no restrictions or no more than the sensible obvious. You’re not getting bounced into a “plea” deal or put your house and children’s futures on the line to avoid a rat infested hole unless you have been very very naughty. Like, where are you going to run to? We’re an island. You can’t budge in mainland Europe without someone demanding “Papers please!” and European Arrest Warrants are not fun. No hiding behind state boundaries!!

Unavailable for Pairing May 21, 2024 8:12 PM

It seems more practical to OUTLAW BLUETOOTH, in my opinion and advise opt-in participants to forcefully and voluntarily remove all bluetooth hardware (when possible) and purge away the drivers and isolated libraries.

We didn’t need bluetooth when it got here.
Has it ever been secure? Other people have written, “No, bluetooth has never been secure”.

Wow.
It’s not much, but at least it’s a start.

Marko May 21, 2024 10:24 PM

@echo

If a tracker is obtained for the purpose of or used to facilitate some crimes that would unquestionably be a strict liability offence

If the defendant’s purpose is an element of the crime, it’s not strict liability. Look up “mens rea” for further reading.

Make possession or seeking to possess or sell a non-compliant tracker without a permit (typically restricted to security services and law enforcement) a strict-liability offence just to be sure, and put them on an import-export watch list.

Problem solved…

This is a terrible idea. This would make it criminal for me to build a GPS tracker for my own car, or at least burden me with learning and implementing a regulatory regime in my own device.

Hedo May 21, 2024 11:56 PM

@echo

“Make possession or seeking to possess or sell a non-compliant tracker without a permit (typically restricted to security services and law enforcement) a strict-liability offence just to be sure, and put them on an import-export watch list.

Problem solved…"

CBP seized the shipment of 15K of FlipperZero Devices coming into the US. Then they released them… I think it’s because some smart guy @ CBP/HS/FBI/NSA….. told them that a lot of the high-school kids play around with nearly identical LEGAL devices with LimeSDR/rPi/bakeyourownPi BOARDS in them, to practice building many cool gadgets, drones…and a million other devices with legal and practical uses. To program these boards to do great many things, useful/noble as well as sinister – as they say “Sky’s the Limit.” So why ban something that’s already in use, all over the place, in legal applications? I mean, one could try it, but “you can’t stop the progress.”

Hell by any other name May 22, 2024 12:07 AM

@Unavailable for Pairing
@ALL

To answer your question,

“We didn’t need bluetooth when it got here. Has it ever been secure? Other people have written, “No, bluetooth has never been secure”.

The answer is effectively ‘NO’ it never has been from the get go.

Because it was never intended to be secure to start with and never in the way we would think of secure today.

The security we both want and need today requires ‘High Computational Load’ which means three things,

  1. Lots of CPU cycles.
  2. Lots of silicon real estate.
  3. Lots of electrical power.

Back in the mid to late 1980’s when the idea of what became Bluetooth was thought up in Ericsson Mobile, getting it working even without any kind of security with the technology of the time was thought by many to be effectively near impossible not just technically, but logistically, and legally as well.

Which is why it suffered in part from ‘standards body thinking’ which gave us all the early WiFi security issues.

You can argue that in the US the IEEE standards were ‘got-at’ by the likes of the NSA and subsequently there has been evidence to the effect that the NSA has got-at NIST and other Standards Committee working groups on as many occasions as they could. Likewise we know that in Europe the GSM Public Mobile Phone and various other Standards for ‘Private / Land Mobile Radio’ (PMR/LMR) were got-at by the French via the ETSI standards (and still very much are).

Put simply ‘The Unelected Powers that be’ of the SigInt and similar Intel Agencies that see themselves as ‘above elected politicians’ and the law, do not want you or I to have secrets from them and they have ‘fought tooth and claw’ to stop it. In Europe where Bluetooth originated it is by ‘backdooring crypto’ via ‘stream ciphers’ that as a rule are low hardware complexity and much lower power than Block Ciphers favoured in the US.

Further Stream Ciphers are very much easier to,

  1. Put Backdoors in.
  2. Put covert side channels in.

Than Block Ciphers.

See the saga of the ETSI GSM ‘A Algorithms’ for GSM Mobile Phone voice crypto A5/0 A5/1 A5/2 that were well known to be ‘deliberately weak’ in the Industry in the 1990’s.
https://lorenzobn.github.io/security-of-gsm-a5-encryption

And was deliberately leaked in the UK allegedly because someone in BT forgot to get a University to sign a ‘Non Disclosure Agreement’. The late Prof Ross J. Anderson of Cambridge and Edinburgh Universities put up some info on it in the early 1990’s and if memory serves mentioned it in his security engineering book.

See ref 3 in

https://arxiv.org/vc/arxiv/papers/1305/1305.6817v1.pdf

Winter May 22, 2024 12:56 AM

If I am walking with a friend, will it alert if they have a Bluetooth tracking device in their pocket?

Why would that be a problem. Does it even count as a false alarm?

Everybody should be informed about the presence of trackers. These trackers use the phones of everybody around. These people should know that their devices are used.

Hell by any other name May 22, 2024 6:15 AM

@Madge

“As I understand it, these tracking devices only work by enlisting the public without knowledge or consent.”

Correct, they have to if one of the primary design requirements is to be carried out.

The design is to track/locate tagged items that a person has lost in some way. There are three basic ways this can happen

  1. The person is forgetful.
  2. Another person has moved it.
  3. Another person has stolen it.

The last two only work without “knowledge or consent” of the other person.

@Winter

Which brings us to your

“Everybody should be informed about the presence of trackers. These trackers use the phones of everybody around. These people should know that their devices are used.”

Not if the third primary function is to work. If you notify the person who has stolen an item then they will look for the tag and remove it. Just as shoplifters do with bottles of alcoholic spirits and designer items thieves can quickly become expert at removing them.

@echo

“I suggest people do some light research on strict liability offences involving kidnap, harassment and stalking, and sexual abuse and which land on international import-export watch lists. They are not the kind of offences which make friends. You will be divorced. You will lose your business. You will go to jail. Your time in jail will be… uncomfortable. You will be marked for life. You may even acquire an ankle tag and have your movements restricted. Holidays abroad and internet access get super special attention from authorities.”

All very highly desirable consequences for some.

Consider the case of a malicious ‘Machiavellian’ / ‘narcissistic’ or in more up to date psychiatric thinking ‘spiteful’ pathology.

They have a couple of ways to attack a person.

Firstly they can steal a tag from their target and carry it around and claim they are being stalked.

Secondly they can acquire such unlawful tags and put them in the possession of their target of choice.

The target is the victim of the ‘spiteful’ party, in just the same way as some one being stalked.

Thus a strict liability is a very bad idea as it instantly weaponises such tags.

@ALL

Every time you see strict liability legislation you should ask the very important question

“Who gains by another losing due process and the right to be innocent until proved guilty?”

Only the truly despotic want such legislation as it gives them tools of oppression.

echo May 22, 2024 7:34 AM

@ALL

People need to understand the law and how it works and what offences attract “strict liability” and go from there. I actually got it slightly wrong myself. It’s not my area of interest and I goofed it.

“Strict liability” offences hold responsible parties accountable for their actions, even if they did not intend for harm to result or were not negligent in their actions. So strict liability could still apply and isn’t a wholly unreasonable consideration. You may agree or not agree “strict liability” should apply. It’s a thing and exists all over the place with nobody screaming about it. Disagreeing with the existence of “strict liability” is not an excuse to bulldoze through laissez-faire regulation which doesn’t properly consider public safety. I personally think “strict liability” should apply and screaming OMG authoritarian spiteful dictatorship is going overboard.

A tag may be innocent or not innocent. If a tag is used in the pursuit or attempt pursuit of a crime then it might attract a separate charge. If the crime relates to something very serious like CSA then of course it will be frowned upon whether possession of a tag is a “strict liability” offence or not. “Strict liability” does not mean your rights are suspended. You will still get a trial. It’s just that it is in the public interest for some offences to be “strict liability”. There is also whether a case may be dropped because it is not in the public interest, or jury nullification if people want to get really funny.

Having an unlicenced firearm will land you in severe trouble because of the nature of the instrument. I don’t see why the same should not be true of tags which don’t meet regulations.

Tags would be a kidnapper’s, stalky rapist’s and child abuser’s tool of choice. What about women fleeing from domestic violence? What about some poor innocent man avoiding a thug down the pub who perceived a slight? What about professions like nurses or lawyers working in public facing roles with staff car parks which offer easy access? What about the local bullion dealer? As far as I’m concerned possession or the use of or the seeking to obtain or offering for retail or manufacture of an unregulated tag should result in law enforcement action. Put it this way – what kind of person would want an unregulated tag? That’s a person up to no good for sure. Therefore I think “strict liability” isn’t unreasonable but this is just my unqualified opinion.

Lastly, I’ll ask again, why should someone be forced to carry a smartphone or equivalent monitoring device 24/7 to guard against even a regulated tag? That’s a loophole right there. What if the standard is updated and their phone is out of support and receives no updates? What if their phone is lost or broken? Why should an innocent third party carry all the liability and risk for an unwanted and badly regulated tag? That’s like saying anyone who doesn’t have their own personal food taster and gets food poisoning because of a factory taking short-cuts should just put up with it.

But, hey, if people are fine with stalky wife beating rapist abusers having free rein be my guest. If that’s the kind of behaviour you’re fine being complicit with you can own it.

Winter May 22, 2024 8:35 AM

@echo

You may agree or not agree “strict liability” should apply.

We have people here too that claim they are not subject to the law as they declare themselves “sovereign” or something like that. They deregister from the national population registry and have their own “passport”.

They seem to be very angry that the law and courts do not care whether they accept it or not.

madge May 22, 2024 12:40 PM

@Hell by any other name,

There are three basic ways this can happen
The person is forgetful.
Another person has moved it.
Another person has stolen it.

The last two only work without “knowledge or consent” of the other person.

I believe you’ve misunderstood the point. I’m not talking about, nor do I care about, the consent of a thief to be tracked. What I mean is that if you’re carrying an iPhone, it’s constantly scanning for tags—including the tags of other people—and sending the results to Apple. Even if you don’t own an AirTag, you’re unwittingly participating in its surveillance network.

It’s not the only way this could work. Apple could’ve set up its own network of devices to scan for AirTags—essentially, its own cellular network, which maybe it’ll eventually want to do anyway. Or it could’ve made a deal with the existing cellular network operators, to have their towers constantly scan the world… assuming one even wants to scan out of Bluetooth/Wi-Fi range, which is unnecessary for a true “key finder” (a thief would remove the tag, and an honest person wouldn’t move them far).

Instead, Apple decided to co-opt their users’ devices and batteries, because that saves the company money and effort.

Winter May 22, 2024 1:19 PM

@echo

but there’s some quote about people who wish to dismantle all laws may wish to ask themselves whether they could survive in the world they create.

Quote from A man for all seasons

Roper: So now you’d give the Devil benefit of law?

More: Yes. What would you do? Cut a great road through the law to get after the Devil?

Roper: I’d cut down every law in England to do that!

More: Oh? And, when the last law was down, and the Devil turned round on you – where would you hide, Roper, the laws all being flat? This country’s planted thick with laws from coast to coast – man’s laws, not God’s – and, if you cut them down – and you’re just the man to do it – d’you really think you could stand upright in the winds that would blow then? Yes, I’d give the Devil benefit of law, for my own safety’s sake.

Winter May 22, 2024 1:22 PM

@

Actually what ‘strict liability’ is, is also called ‘rights stripping’.

You seem to be unable to distinguish between the law as it is and your own wishes on how it should be.

Neither the police nor the courts are interested in your thoughts about what is just law and what is not.

lurker May 22, 2024 2:28 PM

@Madge
“Apple decided to co-opt their users’ devices and batteries, because that saves the company money and effort.”

Some might say that in an altruistic society people might be willing to do that in order to help their neighbours find lost or stolen items. Some might say that Apple are making everyone complicit when stalkers use this function.

I say don’t use or possess devices with always-on BLE. Reduce electronic smog.

echo May 22, 2024 7:57 PM

@winter

That’s the quote I was thinking of.

@All

https://www.libertyhumanrights.org.uk/issue/3-facts-that-expose-the-governments-bill-of-rights-as-a-rights-removal-bill/

The Government is trying to rip up our Human Rights Act, the law that protects us all from abuse of power.

Despite the Conservative Party manifesto saying it would “update” the HRA – which could have been bad enough in itself – it turns out the real plan is to get rid of it.

And the so-called ‘Bill of Rights’ ministers want to replace it with will strip people’s rights away and make it harder for everyone to hold the Government and other public bodies like the police to account.

It is a ‘Rights Removal Bill’ – more power for them, fewer rights for you. Here’s what it does:

Thankfully they were never able to make this work without the courts, House of Lords, or public throwing a wobbly. The Tories haven’t given up this ambition and have been sabre rattling over leaving the European Court of Human Rights for some time which would mean they would have to quit the European Council and put the UK on the same level as Russia and Belarus.

That’s rights stripping, not throwing a snot over whether you can wander around with an unlicensed tag.

Ardie May 22, 2024 8:18 PM

maybe apple should first explain how they justify turning every iphone into a location beacon, even when powered down

who’s ACTUALLY the stalker, given they operate a captive mesh network on that scale?

cimmarian gadzillas calling the kettle black. vultures; vampires really.

give me a hook switch dialer if I have to stomach this level of espionage with my quick oats. At least my babysitters are openly contemptful.

Speaking of global rights-stripping !!!

“used for malicious purposes” is right.

well, my backup battery is overheating…

HI @JKN! Drop us a line soon.

Hell by any other name May 23, 2024 2:50 AM

@Winter

You seem to be unable to distinguish between the legislators and the Police, Prosecutors, and Judiciary.

Look up “rights striping” it’s a technical term and it is very much designed to stop people accused being able to mount any kind of way to establish their innocence.

In the past it was usually done by taking defendants’ assets away from them in some way so they could not pay for representation. However, for various reasons this was found to no longer work the way it was hoped to, as those who thought ahead arranged to have assets invested abroad in such a way that it was beyond the reach of the judges and courts.

But legislators find their plans and legislation fail as the judiciary finds against them and declares the legislation unlawful for various reasons. One such recent case being

https://www.bbc.co.uk/news/uk-politics-69043611

The appeal by the Home Office Minister may now not actually happen as a “snap election” has been called.

But also in the current news another “rights striping” activity,

https://www.bbc.co.uk/news/articles/c9xxyl3gp39o

And there are a heck of a lot more. Much of it started with Tony Blair and Lord Faulkner who wanted to do two things,

Cut the cost of Court cases to the Government.
Get the conviction rate up for political propaganda reasons.
Because all the other initiatives had unsurprisingly failed.

It ain't what you do it's... May 23, 2024 3:13 AM

@echo
@winter

A response to @winter’s comment

https://www.schneier.com/blog/archives/2024/05/detecting-malicious-trackers.html/#comment-437203

Correcting them about their notion of ‘rights striping’ and containing a link to the current news subject of the UK courts saying ‘unlawful’ to legislation pushed out by the UK Home Office minister has been put up several times already and removed by moderation.

It will be curious to see after four attempts how long it stays up this time.

The previous posts also contained a link to current news on children being ‘rights striped’.

Hell by any other name May 23, 2024 5:09 AM

@madge

My comments are getting moderated so hopefully you will get to see this reply to your

“What I mean is that if you’re carrying an iPhone, it’s constantly scanning for tags—including the tags of other people—and sending the results to Apple. Even if you don’t own an AirTag, you’re unwittingly participating in its surveillance network.”

You have the technicalities slightly wrong. The tags are constantly broadcasting and all receivers designed for Bluetooth will pick them up.

It’s like the old Ethernet Hubs where you got every bit put on the wire regardless of if the data packet was addressed to your hardware address (MAC) or not.

The software (often as firmware) in your hardware down at a low level decided if an incoming packet got put forward to be put on the “network stack” in your device.

Look up Ethernet ‘promiscuous mode’ for more technical details.

It’s not just Apple mobile phones that receive the BLE packets the Apple tags put out but ALL Bluetooth receiving devices, including some medical electronics in people’s bodies. Look up ‘electronic smog’ (not to be confused with electrosmog) to see why this is a problem in the 2.5GHz and other ISM bands. It’s also something that will critically affect 5G and subsequent GSM mobile phone standard operations.

During C19 Lockdown both Apple and Google put a Bluetooth beaconing and response mode in their respective mobile phone OS updates. Which makes the phones act as both sides of the tag system so that ‘contact tracing’ could be done. All without ‘user consent’. As a side note it was a disaster for many reasons, not least that whilst Bluetooth BLE signals can go through brick walls and airtight windows etc., pathogens cannot. Also it was unreliable as not everyone carries a mobile phone for various quite valid reasons. They got away with it because many countries were mandating electronic Covid Passports on mobile phones.

What is different is that for the tag system to work your Apple Mobile has to additionally use the GSM mobile data network and “ET Phone Home” to Apple’s “mother ship” giving them your location and the tag information. This can cause a lot of mobile phones to take up 3G, 4G and 5G ‘air space’ creating way more significant ‘electronic smog’. Worse in some places the users have to pay for sending that data.

Which brings us onto,

“Apple could’ve set up its own network of devices to scan for AirTags—essentially, its own cellular network, which maybe it’ll eventually want to do anyway”

No they cannot. All the RF spectrum is ‘licensed from DC to Daylight and beyond’. Apple would not get a world wide frequency allocation from the UN ITU. Cellular phones did not get it back in the 1980’s and there were at least five competing ‘National Standards’ before the EU pushed GSM and it eventually, over two or so decades, became a standard accepted by most nations in the world. Many nations now see ‘air space’ as a very valuable source of revenue, hence you now get ‘Spectrum Auctions’ that have raised billions.

Apple, like everyone else, would have to ‘share the air space’ and there are rules they have to play by to do this. There are parts of the RF spectrum that were originally reserved for ‘Industrial Scientific and Medical’ (ISM) usage. Where ‘in the spectrum’ the ISM bands fell was discretionary to the National Government (France for years caused many RF Spectrum issues).

Such ISM and similar bands have to be shared and they can quickly become not just a ‘Free for all sprawl’ but a significant cause of interference for other communications users. Not that this does not stop large or wealthy Corps from pushing their luck.

The last time I looked Amazon’s “SideWalk Network” for Ring was using Bluetooth BLE for short range and a discretionary US 900MHz band using LoRa to do long range for its proposed pet tags.

Amazon have built the network by covertly installing it in other “home security” and IoT devices they sell and piggy back via WiFi onto the internet all at others expense.

So this ‘lack of ethics’ is very common with US tech pushing Corps, and it is already causing problems for others by harmful emissions.

But a fun fact: one of the larger Medical Implant Corps uses Bluetooth without security. So anyone who can buy an appropriate electronic gizmo and has knowledge of the protocols can change the settings on your implanted pacemaker / defib / pump.

Now consider an app for your mobile phone can already turn it into such a gizmo…
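Worked example, added here by the editor and not taken from any comment in this thread or from Apple’s or Google’s own software: a passive BLE advertisement observer in the promiscuous style the comment above describes, plus the “only alert when the same tag keeps turning up across several distinct places over a long enough span” heuristic that the thread’s false-alarm worries (fellow passengers on a bus) call for. The advertising-data parser follows the generic BLE AD-structure layout ([length][type][data]); the manufacturer company ID, the identifier bytes, the location cell labels and the timeline are all constructed for the example, and deriving a tracker key from the raw manufacturer blob is a placeholder heuristic, not how any real tag ecosystem identifies its tags.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Standard BLE advertising-data (AD) type for "Manufacturer Specific Data".
AD_TYPE_MANUFACTURER = 0xFF


def parse_ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs.

    Each AD structure is [length][ad_type][data...], where length counts the
    type byte plus the data bytes.  A receiver scanning promiscuously sees
    every payload on air, so the parser tolerates trailing zero padding and
    rejects a structure that claims more bytes than are present.
    """
    structures: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero-length structure = padding
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        structures.append((payload[i + 1], bytes(payload[i + 2:end])))
        i = end
    return structures


def tracker_key(payload: bytes) -> Optional[str]:
    """Stable key for an advertisement, or None if it carries no manufacturer
    data.  Hex of the manufacturer blob is a constructed placeholder heuristic."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER and len(data) >= 2:
            return data.hex()
    return None


@dataclass(frozen=True)
class Sighting:
    t: float        # seconds since start of observation (constructed)
    cell: str       # coarse location cell label (constructed)
    payload: bytes  # raw advertising payload as received


class UnwantedTrackerDetector:
    """Alert only when one tag has followed the observer across several
    distinct location cells over a long enough span.  Counting distinct cells
    rather than repeated sightings is what keeps a fellow passenger's tag on a
    single bus ride from raising an alert; the owner's own tags are suppressed."""

    def __init__(self, own_keys: Set[str], min_cells: int = 3,
                 min_span_s: float = 3600.0):
        self.own_keys = set(own_keys)
        self.min_cells = min_cells
        self.min_span_s = min_span_s
        self._seen: Dict[str, List[Tuple[float, str]]] = defaultdict(list)

    def observe(self, s: Sighting) -> Optional[str]:
        """Record a sighting; return the tag key if it now merits an alert."""
        key = tracker_key(s.payload)
        if key is None or key in self.own_keys:
            return None
        self._seen[key].append((s.t, s.cell))
        return key if self.should_alert(key) else None

    def should_alert(self, key: str) -> bool:
        hist = self._seen.get(key, [])
        if not hist:
            return False
        cells = {cell for _, cell in hist}
        span = max(t for t, _ in hist) - min(t for t, _ in hist)
        return len(cells) >= self.min_cells and span >= self.min_span_s


def adv(company_id: int, blob: bytes) -> bytes:
    """Build a constructed advertising payload: a Flags AD plus manufacturer AD."""
    flags = bytes([0x02, 0x01, 0x06])                        # len, type=Flags, value
    mfg = bytes([company_id & 0xFF, company_id >> 8]) + blob  # little-endian company id
    return flags + bytes([len(mfg) + 1, AD_TYPE_MANUFACTURER]) + mfg


def run_scenario() -> Dict[str, bool]:
    """Constructed day: a neighbour's tag shares one commute leg, the user's own
    tag is everywhere, and a third tag keeps turning up at home, work and gym."""
    passenger = adv(0x1234, b"\xaa\xbb\xcc")   # constructed company id + id bytes
    follower = adv(0x1234, b"\x01\x02\x03")
    mine = adv(0x1234, b"\xde\xad")
    det = UnwantedTrackerDetector(own_keys={tracker_key(mine)})
    sightings = [
        Sighting(0, "home", mine), Sighting(0, "home", follower),
        Sighting(600, "bus", passenger), Sighting(900, "bus", passenger),
        Sighting(1500, "office", follower), Sighting(1800, "office", passenger),
        Sighting(30000, "gym", follower), Sighting(30000, "gym", mine),
    ]
    alerted = {k for k in (det.observe(s) for s in sightings) if k}
    return {name: tracker_key(p) in alerted
            for name, p in (("follower", follower), ("passenger", passenger), ("mine", mine))}


if __name__ == "__main__":
    print(run_scenario())
```

The tag that shared only the bus-and-office leg never reaches three distinct cells, so it stays silent even though it was seen several times; the tag seen at home, office and gym trips the alert on the third cell once the span exceeds an hour. The thresholds are constructed defaults; a real implementation would tune them and would key on whatever rotating identifier the tag ecosystem actually exposes.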

Winter May 23, 2024 9:07 AM

@Hell by any other name

Look up “rights striping” it’s a technical term and it is very much designed to stop people accused being able to mount any kind of way to establish their innocence.

Look up “Strict Liability”, it’s a legal term.
https://www.law.cornell.edu/wex/strict_liability

“Strict liability” is independent of “rights stripping” and exists independent of whether we think it is right and just. That is, it is a fact of life and law.

Hell by any other name May 23, 2024 9:56 AM

@Winter

‘“Strict liability” is independent of “rights stripping” and exists independent of whether we think it is right and just.’

As the article you link to confirms it is very much about ‘rights striping’.

Maybe you should read it more carefully.

Winter May 23, 2024 10:14 AM

@Hell by any other name

Re: Strict Liability vs Rights Stripping

As the article you link to confirms it is very much about ‘rights striping’.

“Strict liability” enshrines in law that your rights have limits. You have a responsibility to check the age of your prospective partner or the contents of your luggage.

Looking the other way is not always a defense in court.

echo May 23, 2024 11:35 AM

Some people (especially some not all Americans) don’t understand that law which restricts some behaviour creates freedoms.

One example is food regulation. The number of Americans who gush about the quality of food and low prices relative to income in Europe when they visit? That’s regulation. Quality consumer goods and BS free advertising? Regulation and regulation. Strategic legal action that takes millionaire money? That’s a statutory Ombudsman free at the point of access created by regulation. Knowing a car on the road won’t crash into you or blow up because it has passed its annual inspection? Regulation. The looks on the faces of visiting Americans on Youtube gushing about how they had an accident and the trip to hospital and medicare care was free? All established and governed by regulation.

Pretty much every single European from birth is the equivalent of a dollar millionaire if you count the benefits acquired by regulation and public funded services. Gawd, it’s such a prison over here.

There’s so much snark in this post I wouldn’t blame moderator for deleting it.

madge May 23, 2024 12:40 PM

@Hell by any other name, I think we’re basically saying the same thing about how the tags work. Whether the “scanning” is active or passive doesn’t make much difference; even if passive, it means an iPhone will have their Bluetooth receiver active when the user doesn’t think they’re using Bluetooth. And will be sending the collected data to Apple, unlike non-Apple products that see those Bluetooth messages.

And if passive, there’s absolutely no RF-regulatory reason why Apple couldn’t have set up a passive receiver network. It’s just that it would require basically the same density as a 5G “small cell” network, and if Apple were gonna roll that out, making it a cellular network too would be the obvious next step. Yes, it would be difficult in regulatory terms, requiring per-country registrations and allocations and a hell of a lot of money. But Apple usually has a couple hundred billion dollars sitting around, and could probably buy a US carrier (Dish Wireless?) with 10 to 20 percent of that. I’m not saying that’s gonna happen, but I’d be shocked if they haven’t considered it and done that math.
