Re: MAC addresses and privacy...

From: Jens de Smit <jens.desmit@surfnet.nl>
Date: Fri, 08 Oct 2010 10:59:14 +0200
Message-ID: <4CAEDD62.4010503@surfnet.nl>
To: Thomas Roessler <tlr@w3.org>
CC: David Singer <singer@apple.com>, Richard Barnes <richard.barnes@gmail.com>, public-privacy@w3.org

Hi list,

Perhaps/probably relevant to the discussion is this recently published
Internet Draft:

http://tools.ietf.org/html/draft-brim-mobility-and-privacy-00

Although it focuses more on Layer 3 problems/solutions, it takes a look
at the entire stack and, perhaps more importantly, acknowledges and
describes the problem that was recently discussed on this list. Perhaps
interested parties could converge on this document and work on it or in
some other way cooperate.

Best regards,

Jens

On 05/10/2010 13:31, Thomas Roessler wrote:
> David Singer wrote:
> 
>> Indeed, it's the more general concern I was having an anxiety attack
>> about.  I always imagined it was *infrastructure* Mac addresses that
>> were harvested.  The thought that my *laptop's* Mac address is in the
>> database feels rather different.  And no, I never put my laptop into
>> 'infrastructure mode' at home.
> 
> That's what I thought as well.  
> 
> Trying with my laptop, the service was reliably finding the location of
> the MAC address of the network I'm in, but had nothing about the (wifi)
> MAC address of my laptop. And yes, I've used the Google geolocation
> service from that laptop, through both Chrome and Firefox.
> 
>> Bluetooth also uses Mac addresses.  Maybe someone is harvesting those
>> as well.  You could probably track a person's movements by following
>> sightings of their WiFi or Bluetooth.  Ugh.  I am effectively
>> broadcasting "It's me, I'm nearby" all the time, to anyone who cares
>> to listen.
>>
>> Can I have a tin-foil hat, please?
> 
> And yes, it certainly is possible to use a geolocation provider to
> harvest this sort of information about users' machines. It's also
> possible (to go down the tin-foil route a bit further) to harvest this
> sort of information about *nearby* machines, e.g., using malware.
> 
> Cheers,
> --
> Thomas Roessler, W3C <tlr@w3.org> (@roessler <https://twitter.com/roessler>)
> 
>> On Oct 4, 2010, at 11:47 , Richard Barnes wrote:
>>
>>> Worth noting that this attack doesn't even involve any advanced web
>>> APIs.  It's a generic XSS against the web-based interfaces that home
>>> gateways present.  The more general concern is of course the
>>> existence of MAC-to-location databases.
>>>
>>>
>>>> On Oct 4, 2010 2:09 PM, "David Singer" <singer@apple.com> wrote:
>>>>
>>>> I was actually quite disturbed when I entered the mac address of my
>>>> *laptop* on this page:
>>>>
>>>> http://www.samy.pl/mapxss/
>>>>
>>>> and it got my location to within one house (i.e. it attributed it to
>>>> the house next door).
>>>>
>>>> This means anyone sniffing my mac address when I am traveling will
>>>> have a pretty good idea of where I am from.  My iPhone's MAC address
>>>> did not trace....
>>>>
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>>>>
>>>>
>>>
>>
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>>
> 
Received on Friday, 8 October 2010 08:59:47 GMT
