I just wrapped up NYU/Princeton’s Mobile and Location Privacy: A Technology and Policy Dialog. Some very interesting discussion from some of the leaders in the privacy world including Kashmir Hill, Julian Sanchez, Helen Nissenbaum, Sid Stamm, Ashkan Soltani, and many more.
The event was broken into three round tables with a few speakers in between: Models of Self Regulating and Regulating Privacy; Phones, Drones & Social Networks: New Technologies and the Fourth Amendment after Jones; Privacy and the Many Layers of Mobile Platforms.
Some of the other things I learned at the conference include:
That NYU Privacy Research Group has a blog which I’ll be adding to my list of sites I’ll be reading.
The idea that a smartphone with an application to remind people to take medicine becomes a medical device.
That Grindr uses UUID to essentially provide anonymity to users (by not requiring any other uniquely identifying information). However, now that Apple is deprecating the UUID, Grindr may be forced to ask for additional information from users to authenticate them.
Julian Sanchez talked about how some companies, such as Google, are arguing they are not communications providers in some instances, such as with Google Maps, but rather recipients of information in the context of ECPA. An interesting concept I haven’t heard before and that I want to research further.
Ashkan Soltani, when asked how he was reading encrypted traffic over SSL to check what information phones were transmitting, replied that he created his own root CA and thus falsified the certificates apps were using for SSL, essentially causing a man-in-the-middle attack. He said some corporations do the same thing in order to do deep packet inspection on “encrypted” traffic on their networks. They can do this because they control the root certificates on the devices distributed to their employees, something they can’t control under BYOD (Bring Your Own Device). This is a good reason you should always validate your SSL certs against publicly known signatures.
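One way a client can do that validation is certificate pinning, shown here as an added example (not code from the conference or from Soltani's work). Normal chain validation passes whenever the interceptor's root CA sits in the device trust store, so the client also compares the presented certificate's SHA-256 fingerprint with a value it already knows. The function names and the byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set[str]) -> bool:
    """True only if the presented leaf certificate is one we pinned."""
    fp = fingerprint(der_cert)
    # Accept pins written as plain hex or as colon-separated upper-case hex.
    return any(hmac.compare_digest(fp, p.replace(":", "").lower()) for p in pins)


def connect_pinned(host: str, pins: set[str], port: int = 443,
                   timeout: float = 5.0) -> str:
    """Open a TLS connection, run normal chain validation, then enforce the pin.

    Chain validation alone succeeds when an inspection proxy's root CA is in
    the device trust store; the pin check is what notices the re-issued leaf.
    """
    ctx = ssl.create_default_context()  # system trust store + hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLError(
                    f"pin mismatch for {host}: got {fingerprint(der)}")
            return fingerprint(der)


# Constructed stand-ins for DER bytes (not real certificates). Hashing does not
# parse the certificate, so two distinct byte strings show the behaviour.
GENUINE_LEAF = b"constructed-der-bytes: leaf issued by the site's public CA"
PROXY_LEAF = b"constructed-der-bytes: leaf re-issued by an inspection root CA"
PINS = {fingerprint(GENUINE_LEAF)}

if __name__ == "__main__":
    print("genuine leaf accepted:", pin_matches(GENUINE_LEAF, PINS))
    print("re-issued leaf accepted:", pin_matches(PROXY_LEAF, PINS))
```

Pinning the whole leaf certificate means the pin set has to be updated whenever the site rotates its certificate.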
Finally, I made the comment that the Girls Around Me application is actually a good thing because it brings visibility to the information that people are exposing. More specifically, under Ryan Calo’s Privacy Harm regime, it transfers the risk of objective harm (being stalked) into a more subjective harm (that some creep might know my location).
The second point I made is why can’t my phone lie for me? We are concerned when an alarm clock application asks for location information but why can’t I just tell my phone to respond with a lie? Whenever a retailer asks my zip code, I tell them 90210. They usually give me a funny look but they accept it.