Re: MAC addresses and privacy... from Mark Lizar on 2010-10-11 (public-privacy@w3.org from October to December 2010)

From: Mark Lizar <info@smartspecies.com>
Date: Mon, 11 Oct 2010 10:04:30 +0100
To: public-privacy@w3.org
Message-Id: <C2B6151F-51A3-458C-BA51-9DC86DD32BFF@smartspecies.com>
Rigo,

I like the idea of  'Controllability' especially when discussing what  
seems like a serious privacy vulnerability.  I definitely think that  
the 'leakyness' of MAC addresses is a bad thing?   Although, recent  
headlines of Russian spies being caught in the US are due to MAC  
address sniffing.  http://www.bbcfocusmagazine.com/issue/ispy  Which  
illustrates that context and perspective seems to determine its  
benefit or detriment.

In this regard maybe some more research and analysis of this issues is  
warranted? What do you think about the idea of tracking the use of MAC  
addresses and submitting a subject access request (or two) to  
organisations that are storing MAC addresses?

The challenge (I propose) is to track institutional use of MAC address  
to attempt to find the frequency and occurence of a MAC address in  
databases.   What these MAC addresses are being used for, their state  
of storage and transmission. Etc.

With this research we could then look at stuff like 'Controllability'  
across both technology and policy implementations.

Does this sound like an interesting approach?

Mark Lizar



(strawman) Subject Access Request

Dear (enter org)

We respectful request (informal) subject access to information  
regarding the transmission of a MAC address and its technical  
environment for research and personal purposes. As such we require:
a description of how MAC addresses are harvested and used;
the purposes for which they are being processed; and
the disclosees, or potential disclosees, of this personal data.
Do you provide notice of this activity to the MAC address owner?  Do  
provide notice of this activity at all?

Ask if org Informed of basic legal notice that is required to a data  
subject (if appropriate)

Or/And  Formally:
We would like to submit this request under section (what ever law)  
(e.g. Data Protection Act. UK)

I understand that you collect and harvest this "xxxx" MAC address, is  
this true? If (Y) then

Please present a log of this MAC address, its frequency in your  
databases, and its use.

Please provide a list of all third parties this MAC address  has been  
shared with along with when this MAC address was shared with a 3rd  
party.

Best Regards,

Signed The Inquiring Research/Data Subject.

*** Rinse and Repeat **

E.g. change the MAC address and query third parties in the same way  
until the use of the MAC address is as mapped as possible.




On 9 Oct 2010, at 00:13, Rigo Wenning wrote:

> I think the trouble we are facing is that something is working  
> different than
> the way we expect it to work. I still lack sufficient knowledge  
> about the real
> bits, but I wanted to share my thoughts.
>
> I think we react (and that was also my reaction) because MAC- 
> addresses are
> something useful in my local network. It helps me to do all kinds of  
> things.
> But if some software is capable of blowing the boundaries of this  
> local
> network, the MAC address turns into a uniqueID facilitating  
> traceablility.
>
> Now while we have other expectations for MAC addresses, IPv6  
> addresses are
> supposed to identify a device. So no need for a MAC address to do  
> the tracing
> in a near future.
>
> But is this evil? Evil means that somebody has consciousness about a  
> behaviour
> being rejected by society and still continues to do it. But I think  
> somebody
> just tried to be useful so that they can provide your location  
> history (and
> benefit from that at the same time)
>
> So what we should discuss here is the profound expectations and  
> requirements
> we have for a democratic society concerning this unique identifiers.  
> And there
> things like "controlabilty" come to my mind.
>
> To conclude, I think it is not without value to collect such cases  
> and give
> some opinions that may even turn into some best practice in one way  
> or the
> other.
>
> One way to do that may be the PLING wiki, where we collect already  
> those
> enlightening cases. The challenge in this case is to describe the  
> case as
> neutral as possible and keep the emotions of deceived expectations  
> in a
> separate statement.
> http://www.w3.org/Policy/pling/wiki/InterestingCases
>
> Anyone willing to write this down?
>
> Best,
>
> Rigo
>
>
>
> On Tuesday, October 05, 2010 13:31:17 Thomas Roessler wrote:
>>> Bluetooth also uses Mac addresses.  Maybe someone is harvesting  
>>> those as
>>> well.  You could probably track a person's movements by following
>>> sightings of their WiFi or Bluetooth.  Ugh.  I am effectively
>>> broadcasting "It's me, I'm nearby" all the time, to anyone who  
>>> cares to
>>> listen.
>>>
>>>
>>>
>>> Can I have a tin-foil hat, please?
>>
>> And yes, it certainly is possible to use a geolocation provider to  
>> harvest
>> this sort of information about users' machines. It's also possible  
>> (to go
>> down the tin-foil route a bit further) to harvest this sort of  
>> information
>> about nearby machines, e.g,. using malware.
Received on Monday, 11 October 2010 19:14:09 UTC