Archive for the ‘Stupidity’ Category

Microsoft, Google and Skyhook enable tracking of mobile devices.

Wednesday, August 3rd, 2011

CNET’s Declan McCullagh reports on Microsoft restricting access to their Wi-Fi geolocation database shortly after this CNET article describing how to track devices using such databases. I have written about these databases before here, here, and here. Specifically, Microsoft is preventing users from querying for the location of a single Wi-Fi device by specifying just one MAC address. Prior to the change it was possible to track an individual phone or laptop by querying for the location of that device’s MAC address.

CNET describes a test where they were able to track a device as it moved around Columbus, Ohio. This would indicate that the underlying database is updated in near real time, and that it is collecting on mobile devices as well as on the fixed Wi-Fi base stations it is supposed to catalog for enhanced location services.

Tracking mobile devices can only harm the accuracy of enhanced GPS location services because they move around and could potentially give misleading information. It would be easy to eliminate such devices from the database because the type of device is discoverable from the MAC address they are collecting.
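As an added illustration of the filtering this paragraph describes (not code from the original post or from any geolocation provider), the sketch below drops survey records whose MAC address is malformed or not a vendor-assigned unicast address, whose OUI maps to a mobile device class, or which was sighted at widely separated locations. The OUI table, the 1 km threshold and the sample observations are constructed assumptions; an OUI names the manufacturer, so the class mapping is only an approximation.

```python
import math
import re

# Constructed OUI-to-class table (assumption): these prefixes are placeholders,
# not real IEEE assignments. An OUI names the vendor; the class is a curated guess.
OUI_CLASS = {"0011AA": "access_point", "0022BB": "handset", "0033CC": "laptop_nic"}
DROP_CLASSES = {"handset", "laptop_nic", "multicast", "locally_administered", "invalid"}
MAX_SPREAD_KM = 1.0  # assumed: a fixed base station is never seen farther apart

def normalize(mac):
    """Return 12 uppercase hex digits, or None if this is not a MAC address."""
    digits = re.sub(r"[:.\-]", "", mac).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def classify(mac):
    digits = normalize(mac)
    if digits is None:
        return "invalid"
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:
        return "multicast"
    if first_octet & 0x02:
        return "locally_administered"  # no vendor OUI to look up
    return OUI_CLASS.get(digits[:6], "unknown")

def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def fixed_stations(observations):
    sightings = {}  # normalized MAC -> list of (lat, lon) sightings
    for mac, lat, lon in observations:
        sightings.setdefault(normalize(mac), []).append((lat, lon))
    keep = []
    for mac, points in sightings.items():
        if mac is None or classify(mac) in DROP_CLASSES:
            continue  # malformed, not vendor-assigned, or a known mobile class
        if max(haversine_km(points[0], p) for p in points) > MAX_SPREAD_KM:
            continue  # it moved, so it is useless as a location reference
        keep.append(mac)
    return keep

# Constructed sample survey records: (MAC, latitude, longitude).
SAMPLE = [
    ("00:11:aa:00:00:01", 39.9612, -82.9988), ("00:11:AA:00:00:01", 39.9613, -82.9987),
    ("00-22-BB-12-34-56", 39.9612, -82.9988), ("02:00:00:00:00:01", 39.9612, -82.9988),
    ("00:44:DD:00:00:09", 39.9612, -82.9988), ("0044.DD00.0009", 40.1000, -83.1000),
    ("not-a-mac", 39.9612, -82.9988),
]
```

Running `fixed_stations(SAMPLE)` keeps only the stationary access point; the unknown-vendor device is rejected by the movement check rather than by its OUI.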

While there is no reason to track mobile devices for enhanced GPS, there are all kinds of less savory reasons to gather and track this kind of information. I note that Microsoft’s solution is to prevent access to this individualized tracking information about mobile devices rather than to stop collecting it…

House panel votes to mandate massive user tracking

Saturday, July 30th, 2011

House panel approves broadened ISP snooping bill | Privacy Inc. – CNET News

Declan McCullagh of CNET is reporting on a bill to require ISPs to maintain massive records on their users. According to the article this bill requires commercial Internet providers to retain “customers’ names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses”.

They are calling it the “Protecting Children From Internet Pornographers Act of 2011” in a flagrant attempt to make it politically difficult to vote against it even though the bill has nothing directly to do with Internet pornography or protecting children.

Were this bill to become law, it might cause real problems for the growth of public Wi-Fi where there is no user authentication. That would be a huge leap backwards for a very positive trend of late.

Of course, criminals will continue to be trivially able to circumvent such tracking efforts, making this primarily a mechanism for gathering information on innocent persons without any hint of suspicion or probable cause.

It is absolutely un-American to require every citizen to submit to continuous tracking and monitoring on the possibility that some tiny fraction of us will commit a crime. Law enforcement always lobbies hard for such provisions. Make sure your voice is heard that you value your privacy and your rights.

Contact your Representative and Senators if this is something you feel strongly about.

Schneier on Security: Full Body Scanners: What’s Next?

Friday, December 3rd, 2010

Schneier on Security: Full Body Scanners: What’s Next?

I have been avoiding talking about the TSA airport screening insanity, but wanted to post a link to this excellent essay.

Revenge of the Clipper Chip?

Wednesday, September 29th, 2010

This NYTimes article discusses a bill which the Obama administration is proposing to submit to Congress. The general background of the bill is that evolving technology has made it more difficult for law enforcement to conduct effective wiretaps and other intercepts because much of the targeted communication now takes place on the Internet and is often encrypted.

The actual text of the proposed bill does not appear to be available, but the article lists the following likely requirements.

  1. Communications services that encrypt messages must have a way to unscramble them.
  2. Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.
  3. Developers of software that enables peer-to-peer communication must redesign their service to allow interception.

The first of these is similar to the CALEA law which requires telecommunications carriers to design their services to enable automated real-time intercepts. While this generally sounds reasonable when “we” say it, the idea is more ominous when coming from some other governments.

The second of these feels uncomfortably familiar. See my past blog posts (and here) on the attempts of privacy-hostile countries to require similar concessions from RIM.

The third proposal is completely outrageous. In effect it says that I may not speak in a way which is unintelligible to the wiretappers. As a colleague quipped, “I am hiring Navajo code talkers.” This would require a back door be inserted into cryptography tools. Experience shows that any crypto system with such a back door will be breached and then left vulnerable to the enormous number of criminal hackers on the Internet today.

In 1993 the US Government proposed a system called the “Clipper Chip” which would provide all encryption for personal computers, but to which the US Government would have back door access. This was a terrible idea then; it was widely ridiculed and suffered a well-justified death by 1996. This third proposal would be much worse. It is asking huge numbers of non-crypto experts to build back doors into their systems. Frankly, the cryptography in most software is already badly broken in many cases. Something as subtle and complex as a secure and effective law enforcement back door would be far beyond their abilities and would render currently poor security completely untrustworthy.

All this is not to mention the potential abuse by oppressive regimes, who will pounce on the capability to further crush dissent within their countries. Finally, it will be largely ineffective against serious threats. Very strong and easy-to-use cryptography is already available worldwide, for free (GPG, Zfone, TrueCrypt, etc.). This is a classic case of damaging the innocent while leaving the guilty and dangerous unaffected.

It seems to me that there is a pendulum swing to these things. Technology cuts both ways. Sometimes it favors the interceptor and sometimes it favors the communicator. In most ways the Internet has been a fantastic boon to law enforcement. Cloud computing, email hosts, social networking, open WiFi, and huge hard drives that encourage people to save everything all provide law enforcement with enormous amounts of information they could never have collected in the past.

It may not be shocking to anyone that there is no federal push to make that more difficult to access while pushing to enhance their ability to intercept encrypted communications.

All this is argument about a bill we have not seen yet. Let us hope that the furor that has swirled around it will cause it to be retracted or modified significantly before it is actually delivered to Congress.

Declaration29 – EU plan to retain data on all Internet searches

Monday, June 28th, 2010

The European Parliament appears to be trying to create a regulation to require search engine companies to retain total information about their users’ searches for a period of years. If you are in the EU area, I strongly encourage you to reach out to fight this.

Declaration29: “A group of members of European Parliament is collecting signatures for a Written Declaration that reads: ‘The European Parliament [...] Asks the Council and the Commission to implement Directive 2006/24/EC and extend it to search engines in order to tackle online child pornography and sex offending rapidly and effectively’.

The Data Retention Directive 2006/24/EC requires that details on every telephone call, text message, e-mail and Internet connection be recorded for months, for the entire population, in the absence of any suspicion. As to what is wrong with data retention please refer to DRletter. The Written Declaration even wants to extend data retention to search engines, meaning that your search terms could be tracked for months back.

The proposed declaration has been signed by 371 MEPs (list of names here) – and thus reached the 368 members needed to pass it. Many MEPs signed because of the title of the document (‘setting up a European early warning system (EWS) for paedophiles and sex offenders’), not knowing that they are endorsing blanket data retention as well. More than 30 MEPs decided to withdraw their signature, one even on the day of adoption.”