Have a Wi-Fi Device in Your Pocket? You Can Be Tracked!

By: Vitali Berditchevski · September 28, 2009 · Filed Under Privacy, Technology · 4 Comments 

Introduction (Surprise!)

I got a new iPod Touch today and one of the first things I did was fire up Wi-Fi and launch Google Maps. I noticed a button that allowed the system to automatically zoom in to my “current location”. Because the iPod does not have a GPS chip, I was expecting it to use my IP to narrow me down to a city or even a province. Imagine my surprise when it narrowed me down with an accuracy of 30 meters (~100 feet)!

The first time I tried this, I was at the university. I was not too surprised by this because I know that the university has static IPs that may well be in some geo-locator database. I was more surprised (and concerned) when this worked at home. My IP is dynamic, so there is no way it could be stored in a central database. Out of curiosity, I looked up my current IP in a geo-locator database and it pointed me to Kingston, ON, which is 500 km off, but it makes sense because my ISP operates all over Canada.

Technical Explanation (With Limited Amounts of Geekiness)

So how did the iPod do it? A few minutes of googling took me to a company called Skyhook Wireless. Without getting too technical, this company sends out about 200 cars in all cities in North America to do what is known as “wardriving”. Essentially, they take a unique ID (MAC address for the technically inclined) from all wireless routers and log the physical location of those routers in a central database. The MAC address is freely available, even from protected networks. To be perfectly clear: you do not need to connect to a network (and thus do not need any passwords) in order to get a MAC address.

Once the location is in a central database, it is available for triangulation. Say I’m walking down the street with my iPod and press the “locate me” button. The Wi-Fi radio on my iPod sends Skyhook the MAC addresses of all the routers around me in an 80-200 meter radius. If three of those are in Skyhook’s database, I am triangulated, and Skyhook knows where I am (give or take a few meters). The data is sent back to me and I get a Google map of my surroundings.
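The lookup described above can be sketched in a few lines. This is an added example, not Skyhook's code or algorithm: the survey database, the scan readings and the signal-strength-weighted centroid are all assumptions made for illustration (the MAC addresses come from the range reserved for documentation).

```python
import math

# Constructed survey database: BSSID (router MAC) -> (latitude, longitude).
# All values are made up for illustration; they are not real survey data.
SURVEY_DB = {
    "00:00:5e:00:53:01": (43.65300, -79.38300),
    "00:00:5e:00:53:02": (43.65300, -79.38200),
    "00:00:5e:00:53:03": (43.65380, -79.38250),
    "00:00:5e:00:53:04": (43.65340, -79.38150),
}
MIN_KNOWN_APS = 3  # the post's threshold: three known routers in range

def normalize_bssid(raw):
    """Lower-case and colon-separate a MAC so 00-00-5E-... matches the database key."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def estimate_position(scan, db=SURVEY_DB, min_known=MIN_KNOWN_APS):
    """scan: list of (bssid, rssi_dbm) heard in a passive scan; no association needed.
    Returns (lat, lon, n_used), or None when too few surveyed APs are visible."""
    known = []
    for bssid, rssi_dbm in scan:
        loc = db.get(normalize_bssid(bssid))
        if loc is not None:
            # dBm -> linear milliwatts, so a stronger (closer) AP pulls the estimate harder
            known.append((loc, 10 ** (rssi_dbm / 10.0)))
    if len(known) < min_known:
        return None
    total = sum(w for _, w in known)
    lat = sum(loc[0] * w for loc, w in known) / total
    lon = sum(loc[1] * w for loc, w in known) / total
    return lat, lon, len(known)

def distance_m(a, b):
    """Great-circle (haversine) distance in metres between two (lat, lon) points."""
    r = 6371000.0
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dp, dl = p2 - p1, math.radians(b[1] - a[1])
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))

# Constructed scan: the device stands near AP ...:01; one unsurveyed AP is also visible.
SCAN_CITY = [
    ("00-00-5E-00-53-01", -45),
    ("00:00:5e:00:53:02", -70),
    ("00:00:5E:00:53:03", -72),
    ("00:00:5e:00:53:ff", -50),  # not in the database, ignored
]
# Constructed scan with only two surveyed APs, as in a sparse rural area.
SCAN_RURAL = [("00:00:5e:00:53:01", -60), ("00:00:5e:00:53:04", -80)]

if __name__ == "__main__":
    fix = estimate_position(SCAN_CITY)
    print("city fix:", fix, "metres from AP 01:",
          round(distance_m(fix[:2], SURVEY_DB["00:00:5e:00:53:01"]), 1))
    print("rural fix:", estimate_position(SCAN_RURAL))
```

Note that the only input is the list of router MACs and signal strengths the device can hear; nothing identifying the device's own IP address or network membership is needed for the fix.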

Implications (Why You Should Turn Off the Wi-Fi on Your Cell Phone/iPod)

The negative implications of this can be quite clear. What if, for example, you’re not the one who requested your location? What if it was done by a virus/trojan or spyware (brings a new meaning to the term, eh?)? But your location is probably of little use to petty hackers and virus-writers. It’s also not precise enough for someone to physically walk up to you, especially if you’re in a dense place such as any city center. 30 meters’ worth of error in downtown Toronto (or even downtown London) is enough for someone to never find you.

But what if your location is wanted by someone who knows you personally? Let’s say a spouse/significant other who thinks you’re cheating. Then your location with a 30 meter margin of error becomes more than enough for that person to know what you’re doing.

Legal Issues (This is a Law Blog, right?)

I can’t definitively say whether any of this is an invasion of privacy. Skyhook’s technology does not circumvent any security systems and uses only information that is publicly available. I am not sure whether posting a location of a MAC address constitutes invasion of privacy (an enterprising “enthusiast” found a way to query Skyhook’s database to get Lat/Lon coordinates associated with MAC addresses). There’s an argument to be made both ways and of course none of this has been tested by a court.

What’s more concerning is that router owners cannot opt out of this. Furthermore, once a router’s MAC address is in the database, it cannot come out. The company’s stance on the issue is the following:

“we cannot remove individual access points…every access point by definition broadcasts a radio beacon …The only way to stop an access point from broadcasting its presence is to unplug it….we don’t actually identify the location of access points, just the signals that they create”

That statement is technically true, but misses the point entirely. “The signals” (MAC address broadcasts) can be definitively associated with the physical router because every router has a unique MAC address (otherwise their system wouldn’t work). So, yes, they are tracking the location of access points. It is true though that once that access point (router, switch, etc.) is no longer broadcasting, it cannot be identified. This is the same thing that was said by computer security experts back in the 1980s:

“…the only truly safe computer system is one that is disconnected from the network, switched off and buried six feet under ground…and even then I’m not sure.”

Mitigating Factors (Why You Should Not Lose Sleep Over This)

I have already alluded to some of the mitigating circumstances. Some of them are social (i.e. your location within 30 meters is useless to 99.999999% of the population); others are more technical. For example, most devices that are not laptops shut off Wi-Fi connectivity when their screens turn off in order to conserve their batteries. This is certainly true for iPods and iPhones and is also true for every Windows Mobile device I ever owned. Also, an internet connection is not needed to establish your coordinates (unconnected Wi-Fi is enough), but an internet connection IS required in order to do anything with those coordinates (i.e. send them to someone).

Also note that there need to be at least three known broadcasting access points within at most 200 meters, which likely means that this positioning system will not work in rural areas.

Lastly, and perhaps most importantly, I did not find any evidence of this system being misused. So far, there has not been any malware written that would take advantage of Skyhook’s database to track people. That doesn’t mean it cannot happen, it just means that it is not something to worry about today.

For More Info…

For the more technically inclined, you can check out my source material:

http://thebmxr.googlepages.com/Don_t_Locate_me.pdf (Background and tricking the system, very technical)
http://en.wikipedia.org/wiki/Skyhook_Wireless (Wikipedia entry on skyhook. Describes the technology)
http://en.wikipedia.org/wiki/Wifi (Wikipedia entry on wifi. Look at “Reach” for wifi service ranges)

Cross-Posted at Lawyerling.ca

Facebook Agrees to Comply with Canada’s Privacy Laws

By: Vitali Berditchevski · August 27, 2009 · Filed Under Media Law, Privacy, Privacy Law, Technology · 2 Comments 

A triumphant Jennifer Stoddart, Canada’s Privacy Commissioner, came out this morning and said that Facebook agreed to make changes to its privacy policy within a year. The following changes are being touted:

  • Denying third-party application developers access to user information without the user’s express consent in each of the categories the application wants to access (currently, a user clicks just one button and the application can access all info regardless of whether or not it needs it);
  • Giving users the opportunity to provide meaningful consent to retain profile pages after their death (currently there is no such provision that I know of);
  • Adding information about the privacy of non-users;
  • Allowing users the option of deleting accounts and all information associated with the account from Facebook’s databases (currently, a user may “deactivate” their account, meaning that the info still stays on Facebook’s servers).

This is indeed a meaningful victory. However, it does raise some interesting questions. Facebook is not the only platform out there that indefinitely maintains the information of its users: there are others, such as Myspace, Twitter, countless small(er) sites such as meetmeinto, and the ever-expanding vacuum of information called Google.

Are the laws on privacy clear? How do they apply to non-Canadian companies? How can they be meaningfully enforced, especially outside borders? I see Facebook’s agreement to comply with laws as largely a goodwill measure. If the company wanted to dig in its heels and refuse to make any changes, what could the Privacy Commissioner have done? Let’s see if someone can answer this question.

Source

Cross-posted on Lawyerling.ca

Passwords are the new guns

By: Pulat Yunusov · August 24, 2009 · Filed Under Civil Rights, Criminal Law, Privacy · 1 Comment 

Your password is a gun. It can’t shoot but at least the government treats it like a gun. In the UK, they made it a crime to refuse to give up your password to the government. The US long considered encryption an armament. It means encryption has military uses like weapons, infra-red goggles, plutonium, and armoured cars. When the government forces you to give up your password, it can read your data. Then you can’t hide anything from the government. It can get what it wants by demanding your password. In the UK, you can go to prison for years if you say no. In this information age, there is a real public interest in giving the government electronic investigation powers. But the UK is doing it the wrong way. They breach your right not only to privacy but also to due process. If gun rights didn’t sound so silly today, I would call the encryption rights the new gun rights.

Courtesy of barjack @ Flickr

The UK government recently disclosed that two people had been convicted for refusing to give up their encryption keys. There is no word on the sentence, but the prison term for this offence can stretch to five years. The UK government has had a power to take passwords by force since October 2007. This is how it works. If the government believes it needs your password for national security, crime prevention, or for the economic well-being of the UK, it can give you a section 49 notice, named after the authorizing section of the Regulation of Investigatory Powers Act. Permission of the court is not necessary for this notice. You have only “reasonable” time to comply. After that, prosecutors can charge you with a criminal offence if you “knowingly” fail to give up the password.

Don’t say you have nothing to hide because you didn’t do anything wrong. There is a good reason to hide anything you want and still be a good citizen. Governments consist of people, even democratic governments. No matter how much you feel your government represents you, there are two ways in which a government can go rogue. First, you stop being in the majority. Second, a government official figures the majority won’t notice or will forgive him for abusing only you. That’s why many modern democratic countries enshrine human rights in their constitutional law: the US, Canada, and the EU, for example. Our Charter of Rights and Freedoms lets you ask the courts for protection from rogue government officials no matter what the majority thinks. The Canadian Constitution is a curb on both the government and the will of the majority. It presumes that both of them can do bad things. No one is a saint.

There are two ways to protect yourself from the government’s or the majority’s abuse. One is the constitutional law. The other one is physical. Many, many years ago gun ownership was such a physical barrier to government abuse. In the 18th century, it was reasonable to think that if men had guns, the government would not abuse them for fear of an armed response. Today it doesn’t make sense, of course, because no armed band of neighbourhood dads will be a match for the modern state’s professional military machine. But things we want to protect with physical barriers from governments gone astray are different today. It’s not land, or crops, or even our physical liberty or security (courts do a good job protecting those two from abuse, and if a day comes when they can’t, a higher being will be our only hope).

What we more and more often want to protect today is computer data. Our lives are online or on the hard drive. Emails, records of every website we go to, diaries, mad or creepy thoughts we share with the computer screen, political manifestos, ideas, inventions, art: it’s really anything that can change the world in a perfectly legal way but an official may want to censor, delete or use in some other way to harass you, charge you, or declare that you don’t look like your passport picture when you go abroad. Do we live in a dictatorship? Of course not. Does our government do things like that routinely? No, no, and no. Does it look like it wants to? Not really. But like the Charter presumes that the government has the capacity for evil, every citizen must have a right to presume the same thing and to build impenetrable walls around his private life. Gun lovers in a certain country south of the border got a wrong target in their sights. They cling to the wrong tools. Guns are outdated, good-for-nothing protection of human rights. Passwords are the new guns.

The UK law wants to take your passwords from you. And like many things in the computer age, passwords are tricky. You can’t rip them from the owner’s arms and break them into pieces. You can’t even know for sure who has them or who the owner of the data they protect is. That’s a huge problem with the UK law. To overcome this problem, the law must make presumptions. First, it must presume that whoever has the hardware owns the data on it. Unfair. Plug in your computer and lots of stuff will land on your hard drive in the first five minutes without your knowledge. Second, the law must assume that whoever has the encrypted data knows the password. Don’t ever forget passwords that the government wants. It may be a criminal offence in the UK. Finally and most scarily, the law must presume that every chunk of random data is encrypted. Without a password, there is no way to tell an encrypted Word document from a piece of an image file. Encryption works by making ordered data appear random. Sadly, much legitimate, unencrypted data on your hard drive looks exactly like that. Experts can even encrypt text by turning it into a jpeg of a cat.

Courtesy of marcman220 @ Flickr

There is a very thin line between enforcing the UK password law and letting cops wade through arbitrary computers under the cover of today’s hottest flavour of the public interest. There are just too many legal fictions in this criminal offence. For this reason, I think Canadian courts would not let it stand if our Parliament passed a similar law. It’s just not necessary to force people to give up passwords to defend the absolutely legitimate public interest of safety or national security. The government can do its job without breaching human rights this much. Forcing people to surrender passwords will not minimally impair their Charter rights. The offence in the UK law is also too vague because any file with random data is potentially encrypted and subject to investigation. Giving up passwords may also be self-incriminating. No one should be punished for refusing to testify against themselves.

Let’s not kid ourselves. More and more criminals will encrypt the data used to commit crimes. But the way computer networks work makes it easy for that data to end up on an ordinary citizen’s computer. The government shouldn’t have powers to force us to give up passwords to any random heap of data that it believes to be connected to criminal activity. Passwords to our email or computer accounts will not be safe from such investigations either. Spammers bombard our computers with billions of attachments every year. There is a good chance spammers’ networks or computers are implicated in crime. That’s a real connection to our pretty Macs or drab PCs humming in our living rooms or bedrooms. And little can stop the police from suspecting that you know the password. This scenario doesn’t have to be common to cause alarm. It should cause alarm because of its potential for abuse. Making it an offence to refuse to give passwords justifies police involvement that can go beyond reasonable limits. That’s too much for our civil liberties, even in the name of fighting crime.

The UK password law is harsh and unreasonable. It can make too many law-abiding citizens targets of police interest. It will make them potential criminals when they refuse to take down barriers between their private space and the government. Someone said we increasingly lived online. If we take our affairs to the electronic realms, let’s make sure we take our civil liberties there too, even if we have nothing to hide.

AdviceScene

Taxes are inevitable

By: Law is Cool · August 21, 2009 · Filed Under Privacy · Comment 

Swiss bank UBS to name names

Swiss banking giant UBS AG (UBS-N) agreed Wednesday to turn over to the IRS the details of 4,450 accounts suspected of holding undeclared assets by American customers, piercing Switzerland’s long-standing tradition of banking secrecy.


Luigi Benetton on Collaboration Systems

By: Omar Ha-Redeye · August 18, 2009 · Filed Under Legal Research, Privacy, Technology · Comment 

In his regular column for Lawyers Weekly Magazine, freelance technology writer Luigi Benetton has a piece in the Aug. 21, 2009 issue on drafting and editing documents in real-time.

He discusses real-time applications like NetMeeting, and asynchronous platforms like wikis and traditional DMS.  He suggests the latter are more appropriate for lawyers who don’t collaborate as smoothly together.

I point out that the efficiencies created by collaboration tools help boost lawyer productivity, which can raise billable hours and improve work/life balance.  The amount of time learning new technologies is minimal compared to the returns over time.

Fostering more collaboration can help avoid group-think, especially in highly hierarchical cultures like law firms.

Benetton also discusses why security fears may be unfounded, and the flexibility that these systems can provide to users.

Cross-Posted from Slaw

More on jury background checks

By: Law is Cool · July 23, 2009 · Filed Under Criminal Law, Privacy · 1 Comment 

Ontario reveals juries given secret background checks


Facebook and privacy

By: Law is Cool · July 17, 2009 · Filed Under Privacy, Privacy Law · Comment 

Ottawa takes on social media giant for violating Canada’s law


The privacy of police officers on the witness stand

By: Pulat Yunusov · July 5, 2009 · Filed Under Criminal Law, Privacy · Comment 

If a police officer is a witness in court, can the defence lawyer bring up his disciplinary record? Police forces across the country don’t like this idea at all, fearing that the cop’s integrity will end up on trial (Edmonton Sun article).

I was in a bail hearing on Friday. A proposed surety took the stand. He is apparently a respected member of his community, a hard-working man, and a father. What did the Crown do during the cross-exam? They pulled out his criminal record. The man had been long pardoned, and the other charge had been dropped. It still came up though, and the Crown had easy access to this information.

I guess no privacy issues came up because he is an ordinary citizen. But it was certainly awkward.

(post sponsored by advicescene.com)

What country has the strongest civil liberties?

By: Pulat Yunusov · June 28, 2009 · Filed Under Civil Rights, Privacy · 1 Comment 

There is a lively discussion on Slashdot about which countries are best for civil liberties and privacy. It all started when someone from the UK said s/he was unhappy with growing restrictions and wanted to emigrate.

It struck me how little Canada came up in the discussion. Why? We have the Charter; reasonable, independent, strong courts; decent privacy laws; evidence of the judiciary keeping the government on its toes. I guess the world just doesn’t know Canada that well.

Do you have other ideas why Canada is not mentioned? Any other countries you think are better?

FBHive Can Access Your Facebook Info

By: Omar Ha-Redeye · June 22, 2009 · Filed Under Privacy, Technology · Comment 

Despite all the warnings about using privacy settings we’ve been hearing about, here comes a stark revelation: your Facebook account can be hacked anyway.

FBHive, a new blog all about Facebook, premiered today with a revelation that they can access certain profile information, even if the user has made it private.

Robin Wauters of TechCrunch confirmed that they were indeed able to access his private information.

FBHive claims that it has taken over 15 days for Facebook to fix the security hole. And they promise to give their secrets on how they do it within the next few days.

Yet another reminder that no matter how secure we think online data is, there are always ways to get around it.  And for some “computer terrorists,” it will be as simple as a walk in the park.

Cross-posted from Slaw

Update

How they did it:


Facebook Basic Information Exploit from FBHive on Vimeo.

Police and the Internet

By: Pulat Yunusov · June 19, 2009 · Filed Under Criminal Law, Privacy, Technology · 1 Comment 

The government introduced two bills in the House on Thursday that raised some serious allegations in the media this week. The bills concern, among other things, police access to data collected by Canadian internet service providers. The story appeared on Slashdot.

Data centres instead of car plants

By: Pulat Yunusov · June 13, 2009 · Filed Under Privacy, Privacy Law, Technology · Comment 

Michael Geist proposed a digital strategy for Canada in the Toronto Star on Saturday. It’s a big topic that we should definitely write more about here on Law is Cool. But let me just say one thing for now: Canada could be a fantastic global data centre haven. Here are two reasons: cold climate and privacy laws. And there are no border wait times for digital goods!
