Category: Uncategorized

On another note, I just found out my panel submission to FC2012 has been accepted. I’ll be moderating a panel with Peter Swire, Stuart Shapiro and Travis Breaux. The topic will be legal and regulatory impediments to the adoption of PETs (Privacy Enhancing Technologies). More information to follow.

I just found out that I won’t be giving my talk at the IAPP Global Privacy Summit. However, I will be talking soon, again, to the Verizon Architect’s Club. I’m still scheduled to speak at the previously mentioned SAIS conference here in Tampa Florida.

I’ll be speaking at the Software Architecture Symposiums International conference on May 18-19th, 2012. The conference will be about software architecture in the cloud and my speech in particular will be about architecting for privacy (what else?!).

Here is a Youtube video of Ann Cavoukian speaking at Web 2.0. Zero sum is not the solution, privacy will always lose. Positive sum is the way to go.

Consider signing up for this online class in Cryptography taught by Stanford University’s Dan Boneh.

H/T to Vince for sending me this one.

Clearly the writing is on the wall with mobile tracking.  Euclid aims to do for “brick and mortar” stores what Google does for online stores.  I won’t comment about they business model, it does seem interesting and possibly viable in metropolitan areas with high percentage of mobile phone users but whether that turns into a successful business is another question.

On the issue of privacy, they clearly seem to at least put privacy front and center.  They, at least know it’s going to be an issue.  Their privacy statement, while lengthy, is fairly clear and straight forward, not legalese, and puts three principles at its core: limited data collection, anonymous and aggregate and easy opt out.  I’m intrigued by this product, so I’m going to analyze the privacy statement here in a stream of conscious form, so please forgive me it seems rambling.

As mentioned, the overview cites their three privacy principles.
1) limited data collection -I’m wondering how much is a result of the limitations of technology as opposed to self imposed limitations.  They identity users by MAC address and say they don’t collect information such as who is using the phone or any content on the phone.  Again, that seems like a technical limitation.  I suppose they could use cameras to take pictures of people as they walked by to correlate the signal, and don’t think that’s not coming.

2) Only share aggregate and anonymous information.  Fair enough, but what if the merchant correlates the data somehow the aggregate data?  Also, does it aggregate across stores?  If Joe walks into Starbucks 1 and doesn’t buy a coffee but then crosses the street and buys a coffee there, can they tell me that 1% of customers bought from a different store than they initially walked in?

3) Opt-out. I’m not crazy about this one.  Yes you can opt out by giving them your Mac address on their website but what about at the store?  I understand their desire to go opt-out but wouldn’t it be more privacy friendly if it were opt in?  Let store give away coupons for “scanning” your phone and tracking you, or something of that nature. What if I don’t mind one store tracking me (Starbucks) but don’t want another doing it (Hustler).


What exactly do we collect and why?
A repeat of the statements that they only collect information from phones with Wifi that is enabled and then anonymize it and aggregate it.  


How do we collect information?


“Euclid’s sensors passively detect these MAC addresses and encrypt them, then transmit the data to our collection server”  Obviously I am not privy to their exact technology but I’m curious if they encrypt, transmit and decrypt or if they hash the MAC address.  Better yet, how about hashing it with a unique code for the store (thereby making each store or chain’s data independent)?  The could send a generic hash too, to compare against the opt out database, although here again it would be easier if it was opt in per store or chain then they could easily do a comparison of what to include, not what to exclude. 


If your data does not contain my name or any other personal information, how is it useful?


“Do more people usually tend to grab a coffee or an ice cream after going to the dentist?”  Ahh… is this the smoking gun in terms of showing that they correlate the data across merchants.  It’s like the ultimate http referrer but with your complete history (again aggregated).  I would think some merchants might be concern for their own competitive purposes with allowing them access to this information.  What if their customers are leaving their store and going to a competitor to make their purchase?  


“Euclid may augment the records in its database with information it guesses infers from user activity, such as whether a device owner is male or female, income bracket, etc”  Here is another statement that concerns me.  How exactly does one infer income bracket from a MAC address?  What other information are they correlating it against? Have you ever been discriminated against at a car dealer because you didn’t fit their profile for who purchases their cars?  Consider a system like this that informs a store owner than on Tuesdays, 90% of visitors are from a low income part of town and are likely to be window shoppers (or thieves) rather than purchasers.  What are the ramifications of this?


With whom do you share information?


“Euclid does not combine data from multiple retail locations into one report EXCEPT when all the locations in question are owned by the same company”  How do they tell the ice cream store that 50% of their visitors came directly from the dentist office next door?  Or was that just a really bad example that isn’t an accurate display of the types of information?


“We only use qualified, respected 3rd-party providers (such as Amazon Web Services) where for data exchange, aggregation, and storage, which is necessary to provide Euclid services”  The grammarian in me is coming out; is this a sentence?


How do you store data?


“Once collected, it is transferred securely (using SSL) and is anonymized (hashed) before it is stored on Amazon Web Services.”  AH! They do hash it.  Given the above statement that it can only be correlated by chain, I’m wondering if they concatenate the hash with a code specific to that chain?  


Is there any way to link data about your device’s physical location back to you?
“If someone already knows both your name and your MAC address, they could potentially legally require that we provide them with information in our database about your mobile device including the locations of the sensors where we recorded your signal.”  Hmm, one of the limitations of hashing.  If they were to take it to the next level, they could use M of N secret splitting or some other technique to only store the data in aggregate form thereby not storing the hashes in a way that could be subpoenaed. One of the benefits of not having such data (but still having the data to function) is that you avoid the inevitable cost of responding to subpoenas and court orders.  




All in all, I must say I’m impressed that they took privacy seriously.  I only have two primary concerns, 
(1) whether adequate notice is given In-Store about the ability to opt-out or even notice on the collection of information, and
(2) whether an easier way of showing their commitment is possible.  I can tell, by reading, and them talking about hashes they aren’t just paying lip service to “we value your privacy” but really are embedding it into their service.  The question is how can they demonstrate this to someone who is not going to take the time to read the privacy statement.  Going back to my vot
ing analogy that I use often, when I drop my ballot in the ballot box, I know they can’t tie my vote back to me.  

This article brings up an interesting point, as surveillance and privacy become more difficult for the average citizen, it also becomes increasing difficult for the spooks who need to remain anonymous in their detective work. Tor, the anonymous network, was originally a project of the U.S. Navy who saw the benefits of anonymity in cyberwarfare.

Two recent articles highlight what is probably old news to most security professionals: the weakest security link is the user. This is why it’s important to help users help themselves. They aren’t security (or privacy) experts. This is especially true when circumventing what user’s trust is a secure connection (i.e. a supposedly helpful man in the middle). I find it especially interesting to see that most users, who view going to a webpage as a very solitary and privaty experience, aren’t even aware of all the other users who can go to the same website as them. This is why they choose “password” as their password, because for them they are alone in going to the site, no one is around to see them type in “password.” They just are cognizant that other people might try to type in their username and “password.”

WPES is going on mid October. I just learned about it or I might have tried to go.

Upon further reflection after my interview with Google for their Product Manager, privacy position, I’d have to say that I still they don’t “get privacy.” I was trying to explain to the interviewer that privacy by design was the way to go for Google, creating necessary functionality while preserving user privacy. While the interviewer, upon my questioning, affirmed Google’s commitment to privacy, most of his substantive comments about my suggestions and raising of issues were dismissive or patronizing of the privacy concerns. I must admit my own great like of the benefits of Google products….but maybe I’m giving up to much.