Re: MAC addresses and privacy... from Mark Lizar on 2010-10-12 (public-privacy@w3.org from October to December 2010)

From: Mark Lizar <info@smartspecies.com>
Date: Tue, 12 Oct 2010 14:39:37 +0100
To: Rigo Wenning <rigo@w3.org>
Cc: public-privacy@w3.org
Message-Id: <A813C1C2-A50A-43AC-B0DC-0FC11C3BB5E1@smartspecies.com>

On 11 Oct 2010, at 21:17, Rigo Wenning wrote:

> Hi Mark,
>
> On Monday 11 October 2010 11:04:30 Mark Lizar wrote:
>> In this regard maybe some more research and analysis of this issues  
>> is
>> warranted? What do you think about the idea of tracking the use of  
>> MAC
>> addresses and submitting a subject access request (or two) to
>> organisations that are storing MAC addresses?
>
> This only works for the EU where you have subject access requests.  
> And those
> are burdensome. We are techies here, right? What about a subject  
> access API
> for web services? I know a lot of privacy advocates would like to  
> have such an
> API.

The idea of a SAR API I think is a rockin' idea but I think there is a  
fundamental lack of standard quality in digital notices to enable an  
API to be very effective. I think the two need to happen in conjunction.

My approach to research with MAC addresses was to highlight the SAR  
process, its obstacles, issues with global adoption to discuss (like  
we are) collaboration.

>>
>> The challenge (I propose) is to track institutional use of MAC  
>> address
>> to attempt to find the frequency and occurence of a MAC address in
>> databases.   What these MAC addresses are being used for, their state
>> of storage and transmission. Etc.
>
> I think the challenge is less in finding out evil service behavior.  
> We know
> how to track that more or less. Incidents like the one David Singer  
> describes
> very often trigger people to look more closely to things.
>
> What we don't know is the social expectations in our societies and  
> into what
> that translates technology wise. Hiding all the risks and tracking  
> like there
> is no tomorrow hasn't really helped the Web to gain trust. We have  
> to do more
> research on real user expectations and the traps inherent to this  
> social
> field. I target mainly  the economics of privacy and the behavioral  
> economics
> of privacy as researched by Alessandro Acquisti:

I am not totally with you on this approach, although I recognise its  
primary importance.  I was fortunate to come across Acquisti chapter  
on 'Economic Incentives and Technological Solutions' last year.  I  
found this greatly inspiring and have quoted this work.  What I found  
so inspiring is the expression of  economics in law and technology,  
this had me looking at the ad hoc quality and usability of digital  
notice for subject access to information.  As well an individuals  
digital process of notifying a service provider that they want to  
exercise control over information they are sharing.  (e.g. that they  
dont want their MAC address harvested.)

The bottom line being that it looks like digital notice is broken (non  
existence) and a SAR API would look (at this time) like a waste of  
effort.  I was thinking that a cross jurisdictional metric on notice  
would make a SAR API much more usable and attractive. This then comes  
full circle to the behavioural economics of privacy, in which I think  
the economics of notice are more relevant to behavioural privacy than  
the economics of privacy.

Kind Regards,

Mark

Received on Tuesday, 12 October 2010 13:53:30 UTC