Tuesday, May 31, 2016

Anonymized Data Really Isn't Anonymous: Vehicle Data Can Easily Be Used To Identify You

Companies increasingly hoover up larger and larger oceans of consumer data, promising that security and privacy aren't much of a worry because data is "anonymized." But as research has shown time and time again, anonymous data isn't all that anonymous -- since it takes only a modicum of effort to either analyze the data -- or cross reference it with other data -- to ferret out personal identities. It doesn't really matter whether we're talking about NSA surveillance troves or social networking data: anonymous data just isn't anonymous.



As yet another example of this, researchers from the University of Washington and the University of California at San Diego have found that the data collected by a car's onboard computer can be surprisingly personal. In fact, it's so personal that the researchers found they could identify a driver -- from a possible list of fifteen drivers -- just by looking at data collected from the brake pedal alone:

"The research team found that 15 minutes' worth of data from the brake pedal - and only the brake pedal - could lead them to choose the right driver, out of 15 options, 90% of the time. Again, with just the brake pedal data, upping that collected data to 90 minutes' worth, allowed them to pick the correct driver 100% of the time. For a 100% hit rate with 15 minutes' worth of data, they just had to collect records from more than one car part."

By itself, especially with the fifteen-person pool, this isn't really all that alarming. But as we shift toward self-driving automobiles or just highly connected vehicles, this data is going to increasingly find its way into the hands of insurance companies and others. Verizon, for example, is making a significant push toward selling a $15 per month subscription "Hum" service -- comprised of a device that plugs into the vehicle's OBD port and a Bluetooth-enabled device that is clipped to the vehicle visor. The service not only makes a dumb car smart by providing emergency and other services, it gives Verizon -- a company already awash in consumer cellular location and other behavior data -- a huge amount of additional data to ferret through and monetize.



Especially when cross-referenced with other datasets already in government or corporate collection piles, researchers warn that this opens up the door to allowing insurance companies to dictate rates based on everything from emerging medical problems to when you let your kid drive the car (warning: Wired's ad block blocker still doesn't work properly and may block all users):

"...the fingerprinting study, Enev argues, should serve as a more general warning to car owners about the sensitivity of the data that travels across their vehicles' internal networks. The same data that tells their insurance company when they've let their 16-year-old kid take their car to prom might just as easily be used to identify drunk driving or a medical condition that's altered someone's driving ability, tests Enev claims would actually be simpler than trying to distinguish a driver's identity."

Those examples are likely just the tip of the iceberg, as companies cooperate to use that data to their collective, coordinated advantage in ways we haven't even thought of yet -- while consumers are increasingly treated like criminals should they want to control or access much of this data. And given that the "internet of things" continues to have embedded security that's about as good as no security at all, it's inevitable that this collected data will increasingly find its way into the public domain.



Friday, May 27, 2016

Lawmakers From The Great Theocracy Of Utah Looking To Block Porn On Cell Phones


When we've talked in the past about government attempting to outright block pornography sites, those efforts have typically been aimed at sites hosting child pornography. Blocking child porn is a goal that's impossible to rebel against, though the methods for achieving it are another matter entirely. Too often, these attempts task ISPs and mobile operators with the job of keeping this material out of the public eye, which is equal parts burdensome, difficult to do, and rife with collateral damage. Other nations, on the other hand, have gone to some lengths to outright block pornography in general, such as in Pakistan for religious reasons, or in the UK for save-the-children reasons. If the attempts to block child porn resulted in some collateral damage, the attempts to outright censor porn from the internet resulted in a deluge of such collateral damage. For this reason, and because we have that pesky First Amendment in America, these kinds of efforts attempted by the states have run into the problem of being unconstitutional in the past.



But, as they say, if at first you don't succeed, just try it in an even more conservatively prudish state again. Which brings us to Utah, where state Senator Todd Weiler is leading the effort to purge his state of any access to porn on mobile devices.




Utah Senator Todd Weiler has proposed a bill to rid the state of porn by adding Internet filters and anti-porn software on all cell phones and requiring citizens to opt-in before viewing porn online. It's to save the children, he says. Weiler successfully pushed an anti-porn resolution through the state Senate earlier this year, declaring porn a "public health crisis." He now hopes to take his movement a step further by making it harder for Utah citizens to have access to digital porn.



"A cell phone is basically a vending machine for pornography," Weiler told TechCrunch, using the example of cigarettes sold in vending machines and easily accessed by children decades ago.




This is where we'd usually talk about how this sort of thing is almost certainly unconstitutional, not to mention how easily circumvented the attempt would be. And both of those remain true for this case. But I would like to instead focus on the lazy analogies Weiler chooses to make and let them serve as an example of how easily twisted people's opinions can become if you simply add "saving the children" to the goals of a particular piece of legislation.



Let's start with the quote above, although I promise you there is more from Senator Weiler that we'll discuss. He claims that a cell phone is basically a porno vending machine, like a cigarette vending machine. The only problem with his analogy is how wildly untrue it is. A cigarette vending machine has no other purpose than, you know, vending smokes. A cell phone, on the other hand, has a few other purposes. Like playing video games, for instance. Or serving as a music device. Or making god damned phone calls. A claim that a phone is simply a vending machine for porn shows either a tragic misunderstanding of basic technology or, more likely, is simply a veiled hate-bomb at the internet itself. Regardless, it is not upon government to decide how our property is used lawfully. And it isn't on government to parent children. We have people for that. They're called parents.



But Weiler wasn't done.




The senator says England was successful in blocking porn on the Internet. Prime Minister David Cameron pushed legislation through in 2013 requiring U.K. Internet service providers to give citizens the option to filter out porn.




The good Senator must have a strange definition for success, because the UK law is easily circumvented, has managed to censor all kinds of educational and informational non-pornography sites and material, and was created by a lovely chap who was later arrested on charges of child pornography himself. If one wishes to draw upon the success of something in order to push his own interests, that something probably shouldn't be a complete dumpster fire.



Local Utah ISPs are already calling the plan unrealistic and comparing it to censorious governments that I am certain Senator Weiler would recoil from. Not that this matters, I guess, since Senator Weiler fantastically admits that he has no idea how this will all work under his law.




Weiler says he doesn't know how it would work but just wants to put the idea out there and that his main concern is kids looking at porn.



"The average age of first exposure to hard-core pornography for boys is eleven years old," he said. "I'm not talking about seeing a naked woman. I'm talking about three men gang-raping a woman and pulling her hair and spitting on her face. I don't think that's the type of sex ed we want our kids to have."




Look, I usually like to back up my rebuttals to these types of things with facts and figures, but I just don't have them in this case. That isn't going to stop me from declaring that the claim that the average first exposure to pornography is an eleven-year-old boy seeing exactly three men gang-raping a woman is a line of bullshit so deep that the Utah Senate certainly must provision knee-high boots to its membership for such a thing to even be suggested. And this should tell you everything you need to know about Senator Weiler's plans: he doesn't know how successful it's been elsewhere, he doesn't know how it works, and he's willing to sell it to the public on the basis of a scary lie.



Oh, and it's unconstitutional, so screw your law altogether.





Friday, May 13, 2016

FBI Questions Veracity Of Emails It Released To FOIA Requester While Defending Refusal To Discuss Hacking Efforts


The FBI has entered its explanation for its declaration that it won't discuss the NIT (Network Investigative Technique) in open court or with the defense -- no matter what. Its decision to run a child porn website for two weeks while it deployed the NIT has backfired immensely, resulting in successful challenges of the warrant and the evidence obtained. For the most part, the NIT warrant used by the FBI has been declared invalid because it violates Rule 41's limitations on deployment: a warrant obtained in Virginia can't be used to search computers located in other jurisdictions.



The FBI says it will only discuss the NIT with the judge in an ex parte in camera proceeding, cutting the defense entirely out of the loop. It also argues against the defendant's portrayal of the agency as inherently untrustworthy, what with its long history of hiding information from the courts, starting with its Stingray NDAs.



While not directly related to the subject matter at hand, Jay Michaud's lawyer is buttressing his arguments against the agency's trustworthiness with a wealth of released documents showing the FBI routinely demanded law enforcement agencies hide Stingray-related information from defendants, judges -- even other prosecutors.



Michaud's defense also submitted emails obtained with a FOIA request that showed the agency even hid information on surveillance tech from other FBI agents and federal prosecutors. The choice to cut the latter out of the chain of evidence was based on a supposed trend of prosecutors examining FBI surveillance technology/methods before retiring to work as defense lawyers.



What's most hilarious about the FBI's arguments is the fact that it openly questions the legitimacy of documents it released to Brad Heath and USA Today.


"The actual emails (assuming they are genuine) show no improper concealment."

This is an awfully strange thing to say about documents originating from its own offices and released, presumably after a review, to a FOIA requester. If the FBI is forced to assume the emails it released are genuine, it argues that they don't actually say what they appear to say -- which is that information about FBI surveillance techniques must be hidden from damn near everybody but especially those who might be called to testify in court.

"Nothing in the email suggests that anyone should be deceived or misled. Rather, the email merely urges the common-sense practice of not disseminating sensitive information unless there is a reason to do so. This concept is called “need to know.” It is familiar to anyone who has worked in the military or law enforcement, and it is an entirely proper way to protect sensitive information."

The government says this shows the FBI does disseminate this info, but only on a "need to know" basis. But it says nothing as to why the "need to know" list doesn't include judges, defendants or prosecutors involved in these cases.



And its other arguments are just as terrible, but at least they don't include the FBI raising doubts as to the legitimacy of documents it generated itself. It claims -- as it has in the past -- that the restrictive NDAs it forces law enforcement to sign before using Stingray equipment aren't restrictive and don't heavily hint (if not state outright) that agencies are to let perps walk rather than introduce Stingray-related evidence in court.

"[A] careful reading of this material shows no evidence that the FBI has deceived or misled courts or prosecutors."

Technically true. But plenty of law enforcement agencies have. And when these omissions are challenged, they tend to excuse them by citing the FBI's NDA. So, the FBI ties up agencies with NDAs in hopes of limiting disclosures. Then it throws them under the bus when disclosures aren't made.

"[T]he FBI made no false or misleading statements to courts, prosecutors, or anybody else in the Andrews investigation. The pen/trap application and related statements in Andrews were made by local law enforcement and local prosecutors."

Yes, but only because they felt they needed to do so, or because they may have been explicitly told to do so after asking the FBI. The FBI cites only this case because Michaud's defense only cites this case. There are countless others where it's been made apparent evidence of Stingray use has been hidden from everyone but the agency deploying the device.



We don't know what the outcome will be yet, but it's apparent the FBI will not be discussing the details of its NIT in court -- even as it tries to make itself out as a paragon of transparency in this filing. It even says it would prefer to handle this in an adversarial fashion (in the "allow the defense to participate" sense of the word) but simply cannot because it would presumably allow any number of criminals to escape its NIT tentacles in the future.


