There's Privacy, Then There's Practicality
from the now-you-know-i-run-really-slowly dept
We first posted last week about the minor uproar that developed after some security researchers said that the Nike+iPod unit, which lets runners track their workouts, could be used to “track” people. However, as we pointed out, trying to track someone with the device was rather impractical — almost to the point of uselessness. But the story has continued to smolder, and yesterday well-known security blogger Bruce Schneier weighed in with a post slamming Nike and Apple for failing to consider the privacy implications of the product before putting it on the market and calling for a law “requiring companies to add security into these sorts of systems”, which fits nicely with the original researchers’ calls for a body to investigate the privacy implications of every new product. Schneier doesn’t accuse the companies of being evil, just lazy — but what seems more realistic is that they probably did consider the privacy implications of the wireless device, and realized that any information that could be gleaned from it was relatively useless, and that any method of tracking somebody with it would be discouragingly cumbersome. And, if so, they’re right: calling what one could do with this device “tracking” is a stretch. To actually track someone with it, a person would have to place one of the researchers’ $250 readers every 100 feet or so, or follow them within 60 feet, which sort of defeats the point. While all too often companies act with disregard for privacy, practicality has to enter in somewhere, before people start calling for new laws and restrictions. Crying the privacy equivalent of wolf on rather harmless products doesn’t help; if anything, it marginalizes legitimate concerns and complaints and makes them easier to ignore.
Comments on “There's Privacy, Then There's Practicality”
How bad laws start
All ideas for bad laws start with “there ought to be a law. . .”
This is then compounded by the fact that some lawmaker listens but doesn’t understand.
The only concern I have is basically the slippery slope arguement – if the tracking devices needed to be every 300ft, is that ok? Every 1000ft? Every mile? every 10miles? What is the exact threshold where you say it is ok?
Schneier is right on track with this one. He doesn’t make any broad claims and only points out that companies need to give due consideration to security issues. Techdirt is saying that the security issue is minimal so Schneier shouldn’t have brought it up. I disagree. We shouldn’t wait for disasters waiting to happen to happen before we respond–which is, in part, what Techdirt is suggesting he do. Schneier is bringing up an important issue **before** it has become a real threat.
It is important for Schneier and others to bring this up now to try and headoff the major threats to privacy before they are implemented. RFIDs and other systems which broadcast a unique ID will be serious privacy threats in the very near future. All those who “poo poo” the issue are ignoring the evidence that the temptation to collect as much data as possible on individuals is irresistible to companies and government via the web (Amazon, Google, DoubleClick, etc), and in person (club cards, Fast Pass scanners on freeways to monitor traffic flow, DHS’s ” Automated Targeting System” tracking and scoring **all** travelers for security risks). These companies and governmental organizations hold on to their data as long as possible, so the privacy threat is enormous.
When RFIDs in consumer goods, credit cards, government issued IDs and others are added to the mix along with transaction based scanning, companies and government organizations obtain the ability to track individuals with increasingly precise resolution and invasion of their personal lives–where they go, what they do and buy and, to a large extent, even what they think based on their patterns and preferences. This is happing now and isn’t speculation, the only question is how much worse we are going to let it get.
Criticizing Schneier for showing the lack of security considerations in everyday products isn’t the way to work towards reducing the privacy threat that is in progress.
Some people commenting apparently missed the point of this article. The problem here is that Schneier is crying wolf about a product that has little practical danger to one’s privacy. That devalues any of their future arguments regarding security, since it establishes him and others like him as over-reacting critics with little concern for the actual dangers.
Obviously proliferation of numerous tracking (capable) devices is a concern that should be addressed, but pointing finger every which way won’t help it.
As far as slippery slope goes, at 1 mile of tracking distance you can start worrying. Also, you are forgetting about PRACTICALITY. Even with a 1 mile tracking radius, you will need several tracking stations to actually be able to calculate where the person is. And if someone has the time/money to do that, you can bet your hidden-nazi-gold that they will track you down even if there were no RFIDs to speak of.
…only points out that companies need to give due consideration to security issues…
Then he needs to define what “due consideration” is. “Due consideration” to one company may not be the same to another. If due consideration is defined, the required resources may be too great for smaller companies (such as mine with about 20 people) to compete with larger companies (Apple with 1000+ people).
haven’t you seen the law and order episode? All you need to do is put a sensor on your door, your wife’s work, her car, grocery store, etc…
then you know that after she left the store… she was away from the car for 2 hours… before she came home.
it doesn’t tell you where she stopped, but you know she stopped somewhere.
chuck the batteries out if you’re affraid.
while yes the threshold is a sticky topic, one must also realize that you willingly buy this product(and use/not use it also).
anyways its much cheaper to track you’re movements via cell phone if someone really wanted to.
People who are concerned about being “tracked” should probably avoid purchasing devices that monitor their movement, regardless of any range requirements. They should also avoid cell phones or satellite radio. Encryption doesn’t change where the signal is being received.
Also, all aquatic mammals should be killed off, because you COULD stuff a nuke into a humpback whale and blow up the west coast.
“Also, all aquatic mammals should be killed off, because you COULD stuff a nuke into a humpback whale and blow up the west coast.”
ITS TRUE! IVE SEEN IT!
You’re apparently confused. AFAIK no whale ever tried to blow up the west coast, but I seem to recall the west coast attempting to blow up a whale once…
“That devalues any of their future arguments regarding security, since it establishes him and others like him as over-reacting critics with little concern for the actual dangers.”
If you were a real sceptic (as opposed to someone who goes by that name but has his mind already made up) you might consider the implications of your statement.
Here, I’ll help:
This devalues any of your future arguments regarding security, since it establishes you and others like you [such a lovely, weasely turn of phrase!] as over-reacting critics with little concern for the actual dangers.
Re: Dennis Savage
Hmmm, weaselly way of proving nothing.
Here, I’ll help you too, my generous friend:
You have “turned” the wording on me, yet you didn’t even try to back it up. I’ll chew this for you a little bit more. The metaphor of “crying wolf” has to do with people raising fears for no or very little reason and by the time a real danger comes, people are too tired of hearing it and ignore the finally true cry for wolf. In Nike case, it is most definitely crying wolf over a product that can hardly be practically or usefully used for spying on people.
A better approach instead would be starting with products/devices that are CERTAINLY a danger to privacy and bringing people’s awareness about technology so they could actually understand what the risks are instead of being scared of every toaster they buy from now on. RFIDs in your passport and credit cards are much more dangerous to your privacy than any Nike/Apple product. It quite easily allows institutional spying: any airport has numerous chances to scan for who is moving where and what cards they have with them. And that’s just one example.
One person that was worried about slippery slope should remember that it goes the other way. You can always start with technology that is OBVIOUSLY dangerous to your security/privacy and then expand from there until you arrive to products that are obviously not dangerous privacy.
Dear Dennis, I bet you thought that I am in favor of RFIDs and any other spy techniques, which is why you decided to pointlessly try to quote me against myself. Although I tried showing you what I think is a better approach in the battle to keep our privacy, you are free to misquote and misunderstand me as you wish. I still would like to see your point of view on the matter without lame trolling, that usually helps the debate better. Care to prove that you can do that?
It kinda makes sense to mention this...
simply because the threat to privacy is real even if it is somewhat unlikely. Is worth a massive uproar and the addition of a law that would ultimately be ineffective? No.
This isn’t big enough to be the next “hot button” issue but I think it is worth talking about.
You seem to assume that any tracking needs to be continuous to violate security in a practical way, but if you think about it you just need to “track” key points in the training route(s) to reveal a lot. And you may not be interested in just one target – you could track a lot of people !.
“People who are concerned about being “tracked” should probably avoid purchasing devices that monitor their movement, regardless of any range requirements”
As RFID become cheaper it may become impossible for you to do that except for the very cheapest of items. That is why Schneier’s article is important.
“anyways its much cheaper to track you’re movements via cell phone if someone really wanted to.”
Indeed, it is and the police do do this. However, merchants currently can’t track you this way because they can’t associate your cell phone’s ID, which is transmitted every 30 seconds, with your identifying information. There are both privacy laws and technical limitations which make associating you with your cell phone less than idea. RFID chips, however, can be polled at any time and can be associated with you at time of transaction and RFID chips are not covered by the privacy laws that apply to telecommunications companies.
Although the privacy implications of the Nike+iPod may not set fire to the imaginations of some, they are an important lesson in how our privacy is rapidly eroding due to negligence and apathy. The “no big deal” attitude of the OP and many commenters provides a further example of indignant apathy that could lead to the eventual destruction of the idea of privacy as a right.
Then we should all be more concerned about being tracked through the bluetooth headsets that many use. These devices were around long before the Nike+iPod, and they are also not covered by privacy laws which apply to telecommunications companies. If Schneier were truly concerned, he would use the predominant technology as an example instead of a minor gadget with little market penetration.
I agree with you in regards to the practicality. But let me add just one thing to that, we really don’t need any more of those silly laws governing every tiny part of our lives. The more laws, the more the government gets involved, the less freedom or privacy you will have.
“The more laws, the more the government gets involved, the less freedom or privacy you will have.”
That is just absolute balderdash. Total lack of regulation != privacy !!!!
Why every 100 ft?
Why would you have to put a reciver every 100 ft? Couldn’t you just get a transmitter and an ipod, taple them together, and toss them in the trunk of someones car?
Retreive it at a later date and see where they’ve been?