Your privacy is a bit like love. It is in the eyes of the beholder. What you protect may not be what I protect. We have spent a fair amount of time talking about privacy policies, privacy by design, etc. These are all systemic issues. What about other assaults on your privacy and information? Forewarned is forearmed, so today is a bit of a PSA.
Before I go too far, do any of you remember the scene in Dark Knight Rises where Batman is able to use the cell phones of all of Gotham’s citizens? By accessing their microphones he can image the entire city. This small scene describes this in a bit more detail:
What if something like this was possible? In real life, by real people, I mean. Not just superheroes. Well, someone actually has been able to do it. As reported in the BITS blog of the NY Times on August 2, 2013, a security researcher did it.
Off The Shelf – Out of This World
The security researcher, Brendan O’Connor, used the maker community’s darling, the Raspberry Pi. If you haven’t read about these things they are amazing. A fully functional computer for just $25 that is expandable anywhere your mind can take it. Mr. O’Connor certainly went pretty far.
He was wondering how easy it would be to monitor people. By adding a wi-fi adapter and putting the computer in an enclosure, he seeded them around an area and connected them back to a control system. The control system visualized the data from all the devices within wi-fi range. All their wireless traffic, and all the wireless devices. He then turned the system on himself as he began to do what we all do at a local coffee shop – just surf.
Very quickly he was able to find out the unique identifier of his connected devices. Since he also didn’t tunnel his activity through a secure connection, like most of us, all his traffic was able to be harvested. His operating system version, his browser version and type, his browsing history, what services did he use, what he shopped for, etc. All laid to bare and all data that could be sold by and to bad actors.
What was even more troubling to my read was that this continued even when the device wasn’t connected to a wi-fi network. Remember when I talked about the ability of stores to track you via mobile devices? This system is able to do the same, even when you weren’t connected. The devices would respond to wi-fi pings which can reveal location.
Some of the built-in features of our operating systems are also exposing information about us to systems such as this. A history of your wi-fi connections remains stored on your device, allowing someone to trace your movements. O’Connor calls this a “fundamental flaw.” The follow-on problem is, do we really care? If every time your device gets a wi-fi ping you got alerted, how long would it be before you turned it off. Even if you could disable that functionality, what would be the downside? Would you lose functionality on the device? If you did, how long before you turned that ‘feature’ back on?
Doing the Right Thing
I have to applaud Mr. O’Connor for his methods though. He only monitored his own traffic, being wary of the government’s uncaring attitude towards security research like this. He is highlighting another aspect of the war on your data. The more we use services, the more we expose ourselves, not only to legitimate operators, but also to bad actors. If you are using a free service, like wi-fi at the local coffee shop, you are accepting some risk already. What I have said about free services before?
By highlighting this flaw at a security conference, perhaps some of those very same researchers will be able to develop systems to help consumers. Much easier to say this, than do it, I think. O’Connor was exploiting ‘features’ deep within the hardware and the operating system.
O’Connor’s conclusion that we can’t really guard against such intrusions is the most troubling. The possibility of systems like this make it impossible to blend in. Add this data collection method to other types of big data, and all sorts of connections might be made. Protecting your privacy is a hard thing to do effectively, isn’t it?
So Why Am I Talking About This?
If you are not paying attention to news like this, you are going to be ill-equipped to deal with exploits like this, personally and professionally. Do your contracts have specific call-outs about activities like this? Indemnity provisions that protect your company when your suppliers/vendors do things that your consumers would find objectionable? What if your customers found out you bought data from a consumer tracking tool (let’s assume a legal one, for the moment)? What is your response? Do you even know where your data comes from? It is getting harder and harder these days, isn’t it?
Do the right thing, folks. That is your only defense. Put yourself in your customer’s shoes and objectively investigate data collection and use. If it doesn’t feel right, it probably isn’t.
And Now For Something Completely Different
This has been a pretty serious post to end the week on. So, I will switch gears and give you my favorite Dark Knight video. Not from the movies, but from Toronto Batman as he crashes a car review. Priceless, but language may be slightly NSFW: