Posted on 19-Dec-2015
ROLE OF IDENTIFIERS IN LOCATION ARCHITECTURE
Kim Cameron, Distinguished Engineer, Microsoft
University of Luxembourg Workshop: Location-based Services and Privacy Assurance (LSPA)
Architecture and Privacy
• We need to think about architecture when we think about privacy in the digital age.
• Over the past years I’ve worked on digital identity for the Internet: minimal disclosure and user control of identity (e.g., U-Prove and Identity Selectors).
• Part of this work has been to understand the role of and issues raised by identifiers – unique “names” for people, devices and systems.
• Over the last few years location technology has evolved so that the use of identifiers has eclipsed identifier-free approaches like GPS.
• Location has now become part of the identity landscape.
• Because of the interplay of human and device identifiers, location technology has significant implications for personal, corporate and governmental privacy.
• The population, policy makers and most technologists do not understand the way location technologies work, the way information flows or the privacy threat model. Industry has not been forthright in explaining them.
HOW ARE IDENTIFIERS USED IN DETERMINING LOCATION?
Architecture
Wireless Access Point Beacons
[diagram: a wireless access point broadcasts a beacon carrying its network identifier, 00-16-CB-9D-71-51]
Streetview Car
[diagram: a Streetview car fitted with a WiFi sensor receives the beacon 00-16-CB-9D-71-51]
Legend: the icon is a wireless access point; 00-16-CB-9D-71-51 is its identifier
StreetView Cars Assemble Data
[diagram: driving along the street, the car collects the beacon identifiers 00-80-b8-9D-25-92, 00-09-FF-44-7E-F2, 00-11-b2-85-CC-4F, 00-80-b8-9D-25-42, 00-88-b2-91-25-87, 00-80-b1-99-35-43, 00-5C-F8-96-CC-77 and 00-16-CB-9D-71-51]
Resultant Location Database
MAC Address Street Address
00-80-b8-9D-25-42 56 Old English Lane
00-09-FF-44-7E-F2 50 Old English Lane
00-88-b2-91-25-87 46 Old English Lane
00-80-b1-99-35-43 44 Old English Lane
00-16-CB-9D-71-51 29 Old English Lane
00-11-b2-85-CC-4F 22 Old English Lane
00-5C-F8-96-CC-77 18 Old English Lane
[diagram: John’s phone sees the beacons 00-80-b8-9D-25-92, 00-09-FF-44-7E-F2, 00-11-b2-85-CC-4F, 00-80-b8-9D-25-42, 00-88-b2-91-25-87, 00-80-b1-99-35-43, 00-5C-F8-96-CC-77 and 00-16-CB-9D-71-51; the database resolves 00-16-CB-9D-71-51 to 29 Old English Lane and the service answers “John, you’re near 29 Old English Lane”]
Architecture: explicit privacy issues
• Implications for owners of network access points
– What personal information is released?
• MAC Address linked to stationary location
• SSID (may or may not contain personally identifying information)
– Mitigation: convert SSID into numeric information (Hash)
– Can people opt out?
• What are the privacy implications for users like John?
• Relationship between John and location service provider
– What does the service provider do with the location information?
– Does it share the information? With whom? For what purposes? Can users control this?
– How long does the service provider keep location information?
– Is this expressed in a “contract” that users understand and approve?
– How is location information combined with other information?
– How will location information be used to limit our experience?
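The mitigation listed above, converting an SSID into a hash, is worth checking against what the later take-aways say about identifiers derived from personal data. The following is an added example, not code from the deck or from any vendor: it tokenizes the same observed access point (the MAC 00-11-b2-85-CC-4F and SSID Med24 from the "Martin goes to the office" slide) as two unrelated collectors would, first with a plain SHA-256 hash and then with an HMAC under a secret that each party keeps to itself. The two parties, their keys and the observation records are constructed.

```python
# Added example (not from the deck): the "hash the SSID" mitigation from the
# slide, compared with a keyed per-party pseudonym. The identifiers come from
# the deck; the two collecting parties and their keys are constructed.
import hashlib
import hmac
import secrets

def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: the same input gives the same token for everyone."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def keyed_pseudonym(identifier: str, party_key: bytes) -> str:
    """HMAC-SHA-256 under a key only this party holds: stable within the party's
    own dataset, but a different token for every other party."""
    return hmac.new(party_key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

def tokenize(records, party_key=None):
    """Replace the raw identifier in each (identifier, observation) record."""
    f = plain_hash if party_key is None else (lambda x: keyed_pseudonym(x, party_key))
    return [(f(identifier), obs) for identifier, obs in records]

def linkable_tokens(dataset_a, dataset_b) -> set:
    """Tokens present in both datasets: the join key a third party could use."""
    return {t for t, _ in dataset_a} & {t for t, _ in dataset_b}

# Constructed observations of the access point from the "Martin goes to the
# office" slide (MAC 00-11-b2-85-CC-4F, SSID Med24) made by two unrelated
# collectors.
PARTY_A = [("00-11-b2-85-CC-4F|Med24", "seen at 340 King Street West, 09:10")]
PARTY_B = [("00-11-b2-85-CC-4F|Med24", "seen at 340 King Street West, 17:45")]

def compare_schemes():
    key_a = secrets.token_bytes(32)  # constructed per-party secrets
    key_b = secrets.token_bytes(32)
    plain_a, plain_b = tokenize(PARTY_A), tokenize(PARTY_B)
    keyed_a, keyed_b = tokenize(PARTY_A, key_a), tokenize(PARTY_B, key_b)
    return {
        "plain_hash_links_across_parties": len(linkable_tokens(plain_a, plain_b)),
        "keyed_links_across_parties": len(linkable_tokens(keyed_a, keyed_b)),
        # within one party the keyed token is still a stable key for the same
        # access point, so it remains an identifier derived from personal data
        "keyed_stable_within_party": keyed_a[0][0] == tokenize(PARTY_A, key_a)[0][0],
    }

if __name__ == "__main__":
    print(compare_schemes())
```

The plain hash gives both collectors the same token, so their datasets join on it exactly as they would on the raw SSID; the hash is a pseudonym, not anonymization. The keyed token breaks the cross-party join, but inside one party's dataset it is still a stable key, which is the point of the later take-away that identifiers created from personal data are personal data.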
WHAT KIND OF PRIVACY POLICY IS IN VOGUE TODAY?
Architecture
Have an iPhone? Use iTunes?
Collection and Use of Non-Personal Information
We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it: We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.
ARE DEVICE IDENTIFIERS NON-PERSONAL INFORMATION?
What are my phone identifiers saying?
[diagram: for sleep time, day time and evening the phone says “I’m at …” followed by the access point identifiers it sees: 00-16-CB-9D-71-51, 00-FB-22-94-A0-44 and 00-92-41-88-FA-A9 on one day; 00-16-CB-9D-71-51, 00-88-21-48-C7-1A and 00-16-66-CC-9D-54 on another; each identifier is looked up in the location database (MAC Address to Street Address) shown earlier]
What are my phone identifiers saying?
Sleep Time: “I’m at 9328 SE Shoreland Drive, Bellevue, WA!”
Day Time: “I’m at One Microsoft Way, Redmond, WA!”
Evening: “I’m at the Symphony!”
Sleep Time: “I’m at 9328 SE Shoreland Drive, Bellevue, WA!”
Day Time: “I’m at the shopping Center and the park”
Evening: “I’m at a restaurant!”
What are my phone identifiers saying?
“I spend 310 nights a year at 9328 SE Shoreland Drive. In other words I live there.”
“I spend most of my working days at One Microsoft Way. In other words, I work there.”
“I go to the Seattle Symphony, the Bellevue Square Shopping Center, a number of restaurants and Bellevue Park very regularly.”
Few linkages are easier to automate
If my phone lives there…
[diagram: the database row for 00-16-CB-9D-71-51 now joins Location, Name and MAC address]
Meets definition of Personal Data
MAC Address Street Address Name…
00-80-b8-9D-25-42 56 Old English Lane John Hill
00-09-FF-44-7E-F2 50 Old English Lane Laura Finney
00-88-b2-91-25-87 46 Old English Lane Jeffrey Robertson
00-80-b1-99-35-43 44 Old English Lane Francesco Ballini
00-16-CB-9D-71-51 29 Old English Lane Martin Ballam
00-11-b2-85-CC-4F 22 Old English Lane Frank Wittenberg
00-5C-F8-96-CC-77 18 Old English Lane James Maybank
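The chain the slides walk through, from sleep-time and day-time sightings to “I live there” and “I work there” and then to the name table, is the linkage the deck says is easy to automate. The following is an added example, not code from the deck: it runs that inference as a privacy-impact check over a device's sighting log and reports whether the “anonymous” access point identifier resolves to a natural person. The address and name rows are taken from the two tables above; the week-long trace, the thresholds and the workplace access point 02-00-00-00-00-01 (a locally administered MAC) are constructed.

```python
# Added example (not from the deck): automate the linkages the slides describe
# as a privacy-impact check over a device's sighting log. The address and name
# tables are the deck's; the trace, the thresholds and the workplace access
# point 02-00-00-00-00-01 are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

AP_TO_ADDRESS = {  # rows from the "Resultant Location Database" slide
    "00-16-CB-9D-71-51": "29 Old English Lane",
    "00-80-b8-9D-25-42": "56 Old English Lane",
}
ADDRESS_TO_NAME = {  # rows from the "Meets definition of Personal Data" slide
    "29 Old English Lane": "Martin Ballam",
    "56 Old English Lane": "John Hill",
}
WORK_AP = "02-00-00-00-00-01"  # constructed, not in the deck's database

def period(ts: datetime) -> str:
    """Bucket a timestamp the way the slides do: sleep time, day time, evening."""
    if ts.hour >= 22 or ts.hour < 6:
        return "sleep"
    if ts.weekday() < 5 and 9 <= ts.hour < 17:
        return "day"
    return "evening"

def night_of(ts: datetime):
    """Sightings before 06:00 belong to the previous calendar night."""
    return (ts - timedelta(hours=6)).date()

def infer_anchors(sightings, min_nights=3, min_days=3):
    """'I spend most nights here' -> home; 'most working days here' -> work.
    Returns the access point MAC for each role, or None below the threshold."""
    nights = defaultdict(set)
    days = defaultdict(set)
    for ts, ap_mac in sightings:
        bucket = period(ts)
        if bucket == "sleep":
            nights[ap_mac].add(night_of(ts))
        elif bucket == "day":
            days[ap_mac].add(ts.date())

    def strongest(table, minimum):
        if not table:
            return None
        mac, dates = max(table.items(), key=lambda item: len(item[1]))
        return mac if len(dates) >= minimum else None

    return {"home": strongest(nights, min_nights), "work": strongest(days, min_days)}

def link(ap_mac):
    """The join the deck performs: MAC address -> street address -> name."""
    address = AP_TO_ADDRESS.get(ap_mac)
    return {"mac": ap_mac, "address": address, "name": ADDRESS_TO_NAME.get(address)}

def assess(sightings):
    """Does this 'anonymous device identifier' resolve to a natural person?"""
    return {role: (link(mac) if mac else None)
            for role, mac in infer_anchors(sightings).items()}

def constructed_trace():
    """One constructed week (from Monday 7 June 2010) of (timestamp, AP MAC)."""
    start = datetime(2010, 6, 7)
    trace = []
    for offset in range(7):
        day = start + timedelta(days=offset)
        trace.append((day.replace(hour=23), "00-16-CB-9D-71-51"))                    # late evening
        trace.append((day.replace(hour=2) + timedelta(days=1), "00-16-CB-9D-71-51"))  # small hours
        if day.weekday() < 5:
            trace.append((day.replace(hour=10), WORK_AP))
            trace.append((day.replace(hour=15), WORK_AP))
        else:
            trace.append((day.replace(hour=14), "00-80-b8-9D-25-42"))                # weekend visit
    return trace

if __name__ == "__main__":
    print(assess(constructed_trace()))
```

The trace never contains a name, yet after one week the home access point resolves through the two tables to Martin Ballam; the workplace identifier stays unresolved only because the constructed database has no row for it. A data controller who runs this over a dataset described as “non-personal” learns whether the unique device identifier in it meets the definition of personal data.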
Conclusions
• Issue is not simply one of location tracking or “anonymous device identifiers”, but of linking location data to natural identity and location activity
• Conventional privacy policies are duplicitous
“INFORMER LOCATION ARCHITECTURE”
Is there a line between “reporting” and “informing”?
Architecture: implicit privacy issues
• Products can implement an architecture with different possible uses than those motivating the product
• Need to ask two questions:
– Can an architecture satisfy specific usage requirements?
– What other uses can that architecture make possible?
• Privacy threat analysis is the basis of “Privacy By Design”
Reporting a new access point
[diagram: a Reporter device sends the access point identifiers it sees, 00-80-b8-9D-25-42, 00-09-FF-44-7E-F2, 00-11-b2-85-CC-4F, 00-88-b2-91-25-87, 00-5C-F8-96-CC-77, 00-80-b1-99-35-43 and 00-16-CB-9D-71-51, and the previously unknown access point 00-16-CB-AA-4C-66 is added to the database]
Consumer devices have MAC addresses too
[diagram: a network packet from the wireless access point carries NETWORK 00-16-CB-9D-71-51; a network packet from a personal device carries DEVICE 00-92-41-77-A8-B2]
Conspicuously absent from industry submissions and publications
Reporting the IDs of Martin’s and Mary’s devices
[diagram: an Informer at 29 Old English Lane (access point 00-16-CB-9D-71-51) reports the personal device identifiers 00-80-b8-9D-25-42 and 00-5C-F8-96-CC-77]
Both devices now in database
00-80-b8-9D-25-42 – Martin Ballam or Mary Markham, 29 Old English Lane, Markham, ON L3T 2T9
00-5C-F8-96-CC-77 – Martin Ballam or Mary Markham, 29 Old English Lane, Markham, ON L3T 2T9
Martin goes to the office
[diagram: an Informer at 340 King Street West (access point 00-11-b2-85-CC-4F, SSID: Med24) sees 00-5C-F8-96-CC-77, now known as Martin Ballam]
Informer bootstraps WiFi access point location and reports Martin’s presence
Martin goes to a conference
[diagram: Informers at the Space Needle, Aug 17-19, see 00-5C-F8-96-CC-77, Martin Ballam]
Martin goes to a customer
[diagram: Informers at the customer’s premises, 11/09/10, see 00-80-b8-9D-25-42, Martin Ballam]
“Informer Architecture” is now in place…
“How does this location database work?”
Google location based services using WiFi access point data work as follows:
– The user’s device sends a request to the Google location server with a list of MAC addresses which are currently visible to the device;
– The location server compares the MAC addresses seen by the user’s device with its list of known MAC addresses, and identifies associated geocoded locations (i.e. latitude / longitude);
– The location server then uses the geocoded locations associated with visible MAC address to triangulate the approximate location of the user;
– and this approximate location is geocoded and sent back to the user’s device.
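The four steps quoted above describe the server side; the slides on reporters, informers and personal-device MAC addresses describe what the client side chooses to send. The following is an added example, not code from the deck and not Google's implementation: a small version of that exchange in which the client can be built either as a reporter, which sends only access point beacons, or as an informer, which also sends the identifiers of nearby personal devices, and the server matches known MAC addresses and returns a signal-weighted centroid of their geocoded positions. The deck only maps these MAC addresses to street addresses, so the latitude/longitude values, the scan and the signal strengths are constructed.

```python
# Added example (not from the deck, not a vendor's code): the four-step lookup
# quoted above, with the client written as a reporter or an informer. The
# database coordinates, the scan and the signal strengths are constructed.
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed: MAC address -> (latitude, longitude). Comments give the street
# addresses from the deck's location database; the coordinates are made up.
AP_DATABASE = {
    "00-80-b8-9D-25-42": (43.8203, -79.4001),  # 56 Old English Lane
    "00-09-FF-44-7E-F2": (43.8201, -79.4003),  # 50 Old English Lane
    "00-16-CB-9D-71-51": (43.8195, -79.4010),  # 29 Old English Lane
    "00-11-b2-85-CC-4F": (43.8192, -79.4014),  # 22 Old English Lane
}

@dataclass(frozen=True)
class Sighting:
    """One MAC address observed during a WiFi scan (constructed input)."""
    mac: str
    rssi_dbm: int      # received signal strength, e.g. -40 (strong) to -90 (weak)
    from_beacon: bool  # True: access point beacon; False: frame from another client device

def normalize_mac(mac: str) -> str:
    """Canonical form so mixed-case or colon-separated MACs match the database."""
    return mac.upper().replace(":", "-")

def build_request(scan: Iterable[Sighting], informer: bool = False) -> list:
    """Step 1, client side. A reporter sends only access point identifiers;
    an informer also sends the identifiers of nearby personal devices."""
    return [(normalize_mac(s.mac), s.rssi_dbm) for s in scan if informer or s.from_beacon]

def locate(request, database=AP_DATABASE) -> Optional[tuple]:
    """Steps 2-4, server side: match known MACs and return a signal-weighted
    centroid of their geocoded positions plus the MACs that matched.
    Returns None when nothing in the request is known to the database."""
    known = {normalize_mac(mac): pos for mac, pos in database.items()}
    total_w = lat = lon = 0.0
    matched = []
    for mac, rssi in request:
        if mac not in known:
            continue  # unknown identifiers are ignored, but they were still disclosed
        w = 10 ** (rssi / 10.0)  # dBm -> linear power: stronger signal, larger weight
        lat += w * known[mac][0]
        lon += w * known[mac][1]
        total_w += w
        matched.append(mac)
    if not matched:
        return None
    return (lat / total_w, lon / total_w, matched)

def constructed_scan() -> list:
    """What the phone on the 'Consumer devices have MAC addresses too' slide
    might see: three beacons (one not in the database) and one client frame."""
    return [
        Sighting("00-16-cb-9d-71-51", -40, True),   # 29 Old English Lane, strong
        Sighting("00-11-b2-85-CC-4F", -70, True),   # 22 Old English Lane, weak
        Sighting("AA-BB-CC-DD-EE-FF", -55, True),   # constructed, unknown access point
        Sighting("00-92-41-77-A8-B2", -45, False),  # personal device from the slide
    ]

if __name__ == "__main__":
    scan = constructed_scan()
    print("reporter sends:", build_request(scan))
    print("informer sends:", build_request(scan, informer=True))
    print("server answers:", locate(build_request(scan)))
```

Two things the quoted steps leave implicit show up in the run: the server learns the device's position whether or not it stores the request, because the list of visible MAC addresses is itself the location; and the only difference between a reporter and an informer is one filter on the client, which is why the slides say the distinction is conspicuously absent from industry descriptions.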
ARE THE ISSUES LIMITED TO WIFI? Implications of an informer location architecture
Enter Bluetooth…
Linking Bluetooth ID
[diagram: an Informer at 340 King Street West sees WiFi 00-80-b8-9D-25-42 together with Bluetooth C5-FF-A2-33-91-DD and 09-A8-11-7A-22-96]
Database Entry
Name: Martin Ballam
Physical: 29 Old English Lane, Markham, ON L3T 2T9
WiFi: 00-80-b8-9D-25-42
Bluetooth 1: C5-FF-A2-33-91-DD
Bluetooth 2: 09-A8-11-7A-22-96
Martin goes to a club
[diagram: an Informer at 150 Pearl Street (access point 0D-4A-B9-99-62-73, SSID: MinkHotSpot) sees 00-80-b8-9D-25-42, Martin Ballam, at 10:15 PM 06/07/10]
Martin goes for a walk
[diagram, with a Mail Online screenshot: multiple Informers on Queen Street, 11:00 AM to 11:30 AM, 06/08/10, see 00-80-b8-9D-25-42 (Martin Ballam) plus 00-80-B8-48-A2-BB (Yvette Marley)]
Informers inform about co-location
SHOULD WE BE ABLE TO MAKE “ATOM BOMBS” IN OUR BASEMENTS?
“The trouble with allowing policy makers, CEOs and journalists to define technical solutions is that their ability to do so is constrained by their limited understanding of the available technologies. At Google (who I emphatically do not represent in this post), we have this idea that engineers should design the systems they work on.”
DO NON-ENGINEERS BELONG IN THE CONVERSATION?
“Society isn't ready for questions that will be raised as result of user-generated content… The only way to manage this is true transparency and no anonymity. In a world of asynchronous threats, it is too dangerous for there not to be some way to identify you. We need a [verified] name service for people. Governments will demand it.”
Some take-aways regarding identifiers
• MAC addresses of end user devices are AT LEAST as important as MAC addresses of Network Access Points
• Duplicity of industry is very troubling
• MAC addresses and other identifiers of mobile personal devices are personal data
• Identifiers created from personal data are personal data
• Informers should not be able to reveal personal data without explicit consent
• It should not be permitted to share knowledge of personal device identifiers with third parties
• Systems must obtain explicit consent on a per-party basis before a person’s location is shared with a third party