W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2010

Re: MAC addresses and privacy...

From: Erin Kenneally <erin@elchemy.org>
Date: Mon, 11 Oct 2010 15:18:36 -0700
Message-ID: <4CB38D3C.4030508@elchemy.org>
To: Rigo Wenning <rigo@w3.org>
CC: Mark Lizar <info@smartspecies.com>, public-privacy@w3.org

On 10/11/10 1:17 PM, Rigo Wenning wrote:
> Hi Mark, 
> On Monday 11 October 2010 11:04:30 Mark Lizar wrote:
>> In this regard maybe some more research and analysis of this issues is  
>> warranted? What do you think about the idea of tracking the use of MAC  
>> addresses and submitting a subject access request (or two) to  
>> organisations that are storing MAC addresses?
> This only works for the EU where you have subject access requests. And those 
> are burdensome. We are techies here, right? What about a subject access API 
> for web services? I know a lot of privacy advocates would like to have such an 
> API. 
indeed, such a capability would go far in forcing accountability to the
self-reg regime that predominates the online playing field in the u.s. 
the ftc does not want to regulate and companies don't want to be
regulated, but there continues to be pushback that industry
self-regulation is inadequate because it is still largely opaque and is
being gamed by many of the entities who benefit from the information

implementation of a subject access api would put teeth behind the recent
>> The challenge (I propose) is to track institutional use of MAC address  
>> to attempt to find the frequency and occurence of a MAC address in  
>> databases.   What these MAC addresses are being used for, their state  
>> of storage and transmission. Etc.
> I think the challenge is less in finding out evil service behavior. We know 
> how to track that more or less. Incidents like the one David Singer describes 
> very often trigger people to look more closely to things. 
> What we don't know is the social expectations in our societies and into what 
> that translates technology wise. Hiding all the risks and tracking like there 
> is no tomorrow hasn't really helped the Web to gain trust. We have to do more 
> research on real user expectations and the traps inherent to this social 
> field. 
i'd suggest the challenge is a hybrid of the above, ie., knowing the
capabilities (the frequency, occurrence AND demographics of the entities
that storehouse MAC addys) and social expectations of their USES as it
relates to causing injury/damage/harm from a legal perspective.    so,
for example, people are more concerned about IPA as a secondary
identifier/digital fingerprint because it's often the principal
evidentiary underpinning in affidavits for search warrants or subpoenas
relied upon by private IP owners (e.g., RIAA, John Doe lawsuits) and
gov't investigators.  so, there's a normative expectation of privacy in
that network artifact that hasn't attached to mac addy's because of how
IPA is being used to impact people negatively.  i think it's just a
matter of time before we get there w/ mac addys. 

perhaps it's helpful to analogize to expectations associated with dna:
there was little concern about dna expectation of privacy when our best
methods to identify people were based on a/b/o blood group typing ...
that changed as pcr or rflp technology enabled that same blood spatter
evidence to distinguish individuals to the exclusion of others by
anchoring off of the dna in blood.

given that diatribe, that's not to say that our laws don't have some
evolving to do w/ respect to interpreting privacy harms, but people
don't take notice until they suffer tangible harm.


Erin E. Kenneally, M.F.S., J.D.
CEO, Founder
8677 Villa La Jolla Dr., #1133
La Jolla, CA  92037

Received on Tuesday, 12 October 2010 02:01:01 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:23:52 UTC