Tagged: privacy

Sharing Goes Both Ways – No Secrets Social

A long time ago, I wrote a post on Personal Declarations on Your Behalf – Why Visiting One Website Might Tell Another You Were There that describes how publishers who host third party javascript on their website allow those third parties to track your visits to those websites.

This means I can’t just visit the UK Parliament website unnoticed, for example. Google get told about every page I visit on the site.

(I’m still not clear about the extent to which my personal Google identity (the one I log into Google with), my advertising Google identity (the one that collects information about the ads I’ve been shown and the pages I’ve visited that run Google ads), and my analytics Google identity (the one that collects information about the pages I’ve visited that run Google Analytics and that may be browser specific?) are: a) reconciled? b) reconcilable? I’m also guessing if I’m logged in to Chrome, my complete browsing history in that browser is associated with my Google personal identity?)

The Parliament website is not unusual in this respect. Google Analytics are all over the place.
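Here is a small audit script that makes the "who gets told about my visit" point concrete. It is an added example, not code from the original post: it parses a page's HTML and lists every host that a `<script>`, `<img>` or `<iframe>` loads from whose registrable domain is not the page's own, since each of those hosts receives a request (and any cookie it has set) the moment the page loads. The sample page, its URL and the short public-suffix table are constructed for the example.

```python
"""List the third-party hosts a web page hands your visit to.

Added example, not from the original post. Every <script>, <img> or <iframe>
whose registrable domain differs from the page's own is an origin that learns
about the visit as a side effect of rendering the page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Simplified public-suffix handling (assumption): a few two-label suffixes so
# that www.example.co.uk and static.example.co.uk count as the same site.
# A real audit would consult the Public Suffix List instead of this table.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1, approximately)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _SourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for elements that fetch a remote resource."""

    WATCHED = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.WATCHED.get(tag)
        if attr_name is None:
            return
        src = dict(attrs).get(attr_name)
        if src:
            # urljoin resolves relative and scheme-relative ("//host/x") URLs.
            self.found.append((tag, urljoin(self.base_url, src)))


def third_party_hosts(html: str, page_url: str) -> dict:
    """Map each third-party host to the set of element types loading from it."""
    collector = _SourceCollector(page_url)
    collector.feed(html)
    own = registrable_domain(urlsplit(page_url).hostname or "")
    result = {}
    for tag, url in collector.found:
        host = urlsplit(url).hostname
        if not host or registrable_domain(host) == own:
            continue  # same site as the page: not a third party
        result.setdefault(host, set()).add(tag)
    return result


# Constructed sample page: a first-party script and image plus the kind of
# analytics, tag-manager, tracking-pixel and embed loads seen on many sites.
SAMPLE_PAGE_URL = "https://www.example-publisher.co.uk/news/"
SAMPLE_HTML = """
<html><head>
<script src="/static/site.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE-ID"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="https://static.example-publisher.co.uk/logo.png">
<img src="https://www.facebook.com/tr?id=EXAMPLE&amp;ev=PageView" width="1" height="1">
<iframe src="https://www.youtube.com/embed/EXAMPLE"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, tags in sorted(third_party_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL).items()):
        print(f"{host:32} via {', '.join(sorted(tags))}")
```

Run against a saved copy of any page (pass its real URL as `page_url` so relative paths resolve) and the output is the list of parties that are told about each visit; a Content-Security-Policy listing only the hosts you expect is the corresponding control on the publisher side.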

In a post today linked to by @charlesarthur and yesterday by O’Reilly Radar, Gizmodo describes How Facebook Figures Out Everyone You’ve Ever Met.

One way of doing this is similar to the above, in the sense of other people dobbing you in.

For example, if I appear in the contacts on your phone, and you allowed Facebook to “share” your phone contact details when you installed the Facebook app (which many people do), Facebook gains access firstly to my contact details and secondly to the fact that I stand in some sort of relationship to you.

Facebook also has the potential to log that relationship against my data, even if I have never declared that relationship to Facebook.

So it’s not “my data” at all, in the sense of me having informed Facebook about the fact. It’s data “about me” that Facebook has collected from wherever it can.

I can see what I’ve told Facebook on my various settings pages, but I can’t see the “shadow information” that Facebook has learned about me from other people. Other than through taunts from Facebook about what it thinks it knows about me, such as friend suggestions for people it thinks I probably know (“People You May Know”), for example…

…or facts it might have harvested from people’s interactions with me. When did you, along with others, last wish someone “Happy Birthday” using social media, for example?

Even if individuals are learning how to use social media platforms to keep secrets from each other (Secrets and Lies Amongst Facebook Friends – Surprise Party Planning OpSec), those secrets are not being held from Facebook. Indeed, they may be announcing those secrets to it. (Is there a “secret party” event type?! For example, create a secret party event and then as the first option list the person or persons who should not be party to the details so Facebook can help you maintain the secrecy…?)

Hmm… thinks… when you know everything, you can use that information to help subsets of people keep secrets from intersecting sets of people? This is just like a twist on user and group permissions on multi-user computer systems, but rather than using the system to grant or limit access to resources, you use it to control information flows around a social graph where the users set the access permissions on the information.

This is not totally unlike targeting ads (“dark ads”) to specific user groups, ads that are unseen by anyone outside those groups. Hmmm…


See also: Ad-Tech – A Great Way in To OSINT

Ad-Tech – A Great Way in To OSINT

Open Source Intelligence – OSINT – is intelligence that can be collected from public sources. That is to say, OSINT is the sort of intelligence that you should be able to collect using a browser and a public or academic library that also provides access to public subscription content. (For an intro to OSINT, see for example Sailing the Sea of OSINT in the Information Age; for example context, Threat Intelligence: Collecting, Analysing, Evaluating). OSINT can be used as much by corporates as by the security services. It’s also up for grabs by journalists, civil society activists and stalkers…

Looking at the syllabus for an OSINT beginners’ course, such as IMSL’s Basic Open Source (OSINT) Research & Analysis Tradecraft, turns up the sorts of thing you might also expect to see as part of one of Phil Bradley or Karen Blakeman’s ILI search workshops:

  • Appreciation of the OS environment
    • Opportunities, Challenges and Threats
  • Legal and Ethical Guidance
  • Search Tradecraft
    • Optimising Search
    • Advanced Search Techniques
  • Profile Management and Risk Reduction
    • Technical Anonymity/Low Attribution
    • Security Tradecraft
  • Social Media exploitation
    • Orientation around the most commonly used platforms Twitter, Facebook, LinkedIn etc.
    • Identifying influence
    • Event monitoring
    • Situational Awareness
    • Emerging social media platforms
  • Source Evaluation
    • Verifying User Generated Content on Social Media

And as security consultant Bruce Schneier beautifully observed in 2014, [s]urveillance is the business model of the Internet.

What may be surprising, or what may help explain in part their dominance, is that a large part of the surveillance capability the webcos have developed is something they’re happy to share with the rest of us. Things like social media exploitation, for example, allow you to easily identify social relationships, and pick up personal information along the way (“Happy Birthday, sis..”). You can also identify whereabouts (“Photo of me by the Eiffel Tower earlier today”), captioned or not – Facebook and Google will both happily tag your photos for you to make them, and the information, or intelligence, they contain more discoverable.

Part of the reason that the web companies have managed to grow so large is that they operate very successful two-sided markets. As the FT Lexicon defines it, these are markets that provide “a meeting place for two sets of agents who interact through an intermediary or platform”. In the case of the web cos, “social users” who gain social benefit from interacting with each other through the platform, and the advertisers who pay the platform to advertise to the social users (Some Notes on Churnalism and a Question About Two Sided Markets).

A naive sort of social media intelligence would focus, I think, on what can be learned simply through the publicly available activity on the social user side of the platform, albeit activity that may be enriched through automatic tagging by the platform itself.

But there is the other side of the platform to consider too. And the tools on that side of the platform, the tools developed for the business users, are out and out designed to provide the business users – the advertisers – with intelligence about the social users.

Which is all to say that if surveillance is your thing, then ADINT – Adtech Intelligence – could be a good OSINT way in, as a recent paper from the Paul G. Allen School of Computer Science & Engineering, University of Washington describes: ADINT: Using Targeted Advertising for Personal Surveillance (read the full paper; Wired also picked up the story: It Takes Just $1,000 to Track Someone’s Location With Mobile Ads). Here’s the paper abstract:

Targeted advertising is at the heart of the largest technology companies today, and is becoming increasingly precise. Simultaneously, users generate more and more personal data that is shared with advertisers as more and more of daily life becomes intertwined with networked technology. There are many studies about how users are tracked and what kinds of data are gathered. The sheer scale and precision of individual data that is collected can be concerning. However, in the broader public debate about these practices this concern is often tempered by the understanding that all this potentially sensitive data is only accessed by large corporations; these corporations are profit-motivated and could be held to account for misusing the personal data they have collected. In this work we examine the capability of a different actor — an individual with a modest budget — to access the data collected by the advertising ecosystem. Specifically, we find that an individual can use the targeted advertising system to conduct physical and digital surveillance on targets that use smartphone apps with ads.

The attack is predicated in part on knowing the Mobile Advertising ID (MAID) of the user you want to track, and several strategies are described for obtaining that.

I haven’t looked at adservers for a long time (or Google Analytics for that matter), so I thought I’d have a quick look at what the UIs support. So for example, Google AdWords seems to offer quite a simple range of tools, that presumably let me target based on various things, like demographics:

or location:

or time:

It also looks like I can target ads based on apps a user uses:

or websites they visit:

though it’s not clear to me if I need to be the owner of those apps or webpages?

If I know someone’s email address, it also looks like I can use that to vector an ad towards them? Which means Google cookies presumably associate with an email address?

This email vectoring is actually part of Google’s “Customer Match” offering, which “lets you show ads to your customers based on data about those customers that you share with Google”.

So how about Facebook? As you might expect, there’s a range of audience targeting categories that draw heavily on the information users provide to the system:

(You’ve probably heard the slogan “if you aren’t paying for the product, you are the product” and thought nothing of it. Are you starting to feel bought and sold, yet?)

Remember that fit of anger, or joy, when you changed your relationship, maybe also flagging a life event (= valuable to advertisers)?

Or maybe when you bought that thing (is there a Facebook Pay app yet, to make this easier for Facebook to track?):

And of course, there’s location:

If you fancy exploring some more, the ADINT paper has a handy table summarising what’s offered by various other adtech providers:

On the other hand, if you want to buy readymade audiences from a data aggregator, try the Oracle Data Marketplace. It looks as if they’ll happily resell you audiences derived from Experian data, for example:

So I’m wondering, what other sorts of intelligence operation could be mounted against a targeted individual using adtech more generally? And what sorts of target identification can be achieved through a creative application of adtech, and maybe some simple phishing to entice a particular user onto a web page you control and which you can use to grab some preliminary tracking information from targeted users you entice there?

Presumably, once you can get your hooks into a user, maybe by enticing them to a web page that you have set up to show your ad so that the adserver can spear the user, you can also use ad retargeting or remarketing (that follows users around the web, in the sense of continuing to show them ads from a particular campaign) to keep a tail on them?

[This post was inspired by an item on Mike Caulfield’s must read Traces weekly email newsletter. Subscribe to his blog – Hapgood – for a regular dose of digital infoskills updating. You might also enjoy his online book Web Literacy for Student Fact-Checkers.]

UK Ministry of Justice GPS Tagging Trial

A couple of days ago, NOMS (the National Offender Management Service) and the Ministry of Justice put out a toolkit for a pilot GPS tagging programme, or as they call it, an Electronic Monitoring Global Positioning System.

According to the toolkit documentation, tags can be used as a condition of bail:

The Bail Act 1976 is the legislation governing court-imposed bail. This allows the use of electronic monitoring but only to ensure compliance with another bail condition (e.g. curfew, geographical exclusion): s6ZAB. To note there is no power to impose Electronic Monitoring as a stand-alone bail condition but only to monitor another pre-existing bail condition. … Where the court does impose electronic monitoring of a pre-existing bail condition then a person must be made responsible for the monitoring. That person can only be someone named by the Secretary of State in secondary legislation. (s.3AC).

If you’re looking for key phrases throughout bits of legislation relating to court orders that can be used to justify tagging as a condition, “electronic monitoring requirement” looks to be a good one. I assume there is also a corresponding “electronic monitoring equipment” phrase defined somewhere, in which case it would be good to know how tightly that is defined or how broadly it can be interpreted…

More generally, the toolkit states that:

“Electronic monitoring” is a generic term, which encompasses different technologies, it is generally used to support punitive requirements, however in principle EM can also be seen as a preventative measure if, for example, an exclusion zone prevents the offender from approaching a specific person or location. It is important to note that EM with location monitoring should only be proposed where it provides a particular identifiable value in protecting the public or specific victims, or in deterring the offender from crime.

The system looks like it provides a range of geo-fencing services, going by some of the instructions given to offenders wearing the tag, who must:

  • stay at their approved address (usually their home) during your curfew;
  • not enter any exclusion zones included in the order, bail or licence conditions;
  • not leave any inclusion zones included in the order, bail or licence conditions.

This is backed up by case study examples:

[Annex A – Case Studies (PDF)]

I’m not sure if an exclusion zone can be dynamic? For example, two offenders, both wearing tags, not allowed to be within 50m of each other – can one be the centre of an exclusion zone defined for another? (Also, I’m not sure what the resolution of the devices is?)

According to the toolkit, an inclusion or exclusion zone:

… must be unambiguous. Ideally it should be marked on a map so that the monitoring centre can clearly see what the judge or magistrate intended. If the monitoring centre cannot interpret an exclusion or inclusion zone they may request clarification if the requirement is unclear. … [O]ther conditions that might be supported by a GPS tag, such as attendance at work or at a programme. Again, the purpose must be clear, and where applicable timings should be included. 

That said, the pilot seems to be a bit hacky…

GPS tags used for the pilot cannot easily monitor a curfew without a manual workaround so for the purposes of the pilot we have excluded GPS tagging alongside an electronically monitored curfew.

Oh good…

Also, how do they track location when the offender is indoors or otherwise out of line of sight of the GPS satellites? (Does it use cell tower triangulation as an assist?) How do the devices report back to the control centre (via the mobile phone network?)? According to the product documentation for the tag that appears to be being used in the pilot:

The 3M Electronic Monitoring units store rules in the device, allowing autonomous tracking and monitoring capability without dependence on wireless signal availability. Offenders are immediately alerted in the event of a rule violation. These alerts notify the offender that corrective action is required and serve to help modify the offender’s behavior.

So maybe there are two alerts – one local on the offender, and one when the device phones home. Presumably, an alert is raised if the tag doesn’t phone home within a specified period? But what if that’s because the offender doesn’t fully appreciate the USP of The Faraday Cage Cafe where they go for coffee and doughnuts?

The toolkit document further suggests that the pilot is not appropriate for:

  • Offenders of no fixed abode – electronic monitoring is reliant on a fixed supply to charge.
  • Offenders with serious identified mental health or learning disabilities – there may be particular difficulties with an offender’s ability to understand the device (i.e. need to charge, purpose behind GPS), which could make GPS unsuitable.
  • Subjects under 18 years of age
  • Anyone subject to an electronically monitored curfew should not be given a condition monitored through a GPS tag.

Wider concerns are also touched upon in the toolkit document. For example, when making a recommendation to enter an offender into the pilot:

Authors [of pre-sentence reports] must take account of the balance between a right to a private family life and public protection. Application of the requirement should be proportionate to the risks identified and clearly evidenced to ensure that there is no unintentional bias impacting the proposal and subsequently impacting the individual’s liberty.

The device itself is a rather clunky wearable, as shown in the GPS Tagging Handbook:

[Image: ankle tag]

(By the by, I wonder if that tattoo is personally identifying…?)

I’m guessing this product was developed for the US, by the plug on the charger?

[Image: tag charger]

Looking at the 3M product page, this seems to be their One Piece GPS Tracking System; they also have a Two Piece GPS Tracking System.

A guidance leaflet suggests the data may be used in various ways…

Relevant information gathered will be used to monitor your compliance with your licence conditions. If you fail to meet any of the conditions you may be recalled to prison custody. Where justified, the information gathered, including your location data, may be shared with Criminal Justice Agencies, including the Police for other purposes such as the prevention and detection of crime.

The fair processing notice covers this in legalese:

In the event you have been fitted with a GPS tag as part of the Ministry of Justice’s pilot scheme and in order to give effect to a Court order or condition on your prison licence, your whereabouts will be captured by the system 24 hours a day for the duration of the Order or licence condition. Your personal data, including your location data may be shared with other organisations for example (but not limited to) contractors, probation providers and the Police to give effect to the Order/licence, manage your compliance and enforce the requirements or conditions imposed.

Where it is justified, necessary and proportionate to do so, your data, may be shared with others including Criminal Justice agencies (e.g. the Police), for purposes such as (but not limited to) crime prevention, detection, investigation or to facilitate an arrest. Your data may also be shared with other government departments where necessary, such as in the case of legal proceedings.

When undertaking all of these tasks the Ministry of Justice will comply with the provisions of the Data Protection Act 1998. This will include:
– keeping the personal data up to date;
– storing and destroying them securely;
– protecting personal data from loss, misuse, unauthorised access and disclosure;
– ensuring that appropriate technical measures are in place to protect the personal data processed in line with Her Majesty’s Government standards;

All data captured during this pilot shall be retained securely by the Ministry of Justice for a period of at least six years from the end of the analysis of the pilot. Data that has been shared with stakeholders will be held by them in accordance with their data retention policies which must accord with the Data Protection Act 1998.

You have the right to request your personal data (including certain details about them) processed as part of the pilot by contacting the pilot monitoring team (details are at the end of this notice).

Please note that a payment of £10 will be required if you wish to obtain a copy of your data. Each request will be considered carefully in line with the Data Protection Act 1998. Some data may be covered by an exemption within the Act or other legislation which may prevent it being disclosed to you.

The toolkit documentation sets the scene for the (desired) chilling effect that the tag is presumably expected to exert on the offender wearing it. I wonder why consumer tracking devices (phones, fitbits, wearables, etc) aren’t also subject to the same chilling effect?

The pilots will seek to test how the use of a GPS tag might impact upon the behaviour of offenders and decision makers in the Criminal Justice System and how it might help to improve rehabilitative outcomes. They may also allow us to see what other benefits GPS tagging may bring and identify any potential barriers to wider implementation.

Location monitoring is live and alerts to the monitoring centre in the event of a potential breach are immediate. The monitoring centre will look into the circumstances and where a breach is confirmed the responsible officer will be notified of a breach.

High risk cases can be flagged on the monitoring system and prioritised for an emergency response. This may act as a deterrent against non-compliance for some offenders. An assessment should be made in relevant cases whether this form of monitoring is likely to deter in the particular case.

The monitoring centre will respond immediately to a breach. When a breach occurs it is flagged on the system. The monitoring centre staff will open up the record and investigate the breach. They are able to look at data 30 minutes before the breach and data post breach.

Here, then, are a couple of reasons why we need to keep tabs on things like the Investigatory Powers Bill on the one hand, and the data collected by service operators who have access to geolocation information on the other: firstly, to try to make sense of the extent to which information collected by those services can be accessed using a warrant; secondly, the extent to which the data could be used, by comparing it to how data specifically collected for the purpose of regulating behaviour (using things like tags) can be used.

The document that perhaps requires the closest reading is the Code of Practice – Electronic Monitoring Data, which opens with a description of where the pilot will run:

[Annex J – Code of Practice (PDF)]

To a certain extent, the pilot seems to be a fishing expedition:

4. The pilot will test a range of factors including:

  • how GPS tagging might impact on the behaviour of offenders released from prison on licence, suspects on bail and offenders sentenced by the Courts;
  • how Courts, probation staff, Parole Board members, and prison governors respond when given the option of imposing a location monitoring requirement as part of a Court Order or condition as part of a prison licence;
  • what other benefits GPS tagging might confer; and
  • how GPS might best be implemented in practice, and the challenges of operating GPS tagging.

Note the last two…

11. For the purposes of the pilot the data that will be gathered and processed will be that which is required to:

  • identify and tag suspects and offenders who fall within scope for the pilot and who have been made the subject of an electronic monitoring requirement by way of either a Court Order or prison licence;
  • monitor compliance with and enforce the requirements of such orders;
  • minimise the risk to staff involved in the tagging process e.g. any threatening or violent behaviour by the subject or others at the premises;
  • where justified and only in accordance with legislative provisions, the data captured may be shared with Criminal Justice Agencies and other Government Departments to assist with criminal enquiries or to seek advice/representation. The circumstances in which such data will be shared are set out in the body of this document;
  • assist in the evaluation of the pilot and to inform future policy formation and implementation.

The code seems a bit weaselly to me (my emphasis):

12. Personal and sensitive personal data will be collected and, where required and as permitted by legislation, shared for the purposes of meeting the requirements set out above. The electronic monitoring technical solution will capture the subject’s location 24 hours a day. In some cases (e.g. where location monitoring is only imposed to monitor an exclusion/inclusion zone) some of the location data captured at times of compliance will be extraneous to the purposes of monitoring the terms of the order. The technology available for the pilot does not allow for the monitoring of an exclusion zone in another way that would prevent this data being captured. This will be explained to the subject as part of a Fair Processing Notice (see paragraph 35). However, monitoring staff will only monitor the subject’s compliance with the requirements of the order and will not access the extraneous data unless there is a lawful reason to do so. So, if the order imposes an exclusion zone, the subject’s whereabouts will be monitored if they approach and breach that zone. It will not be actively monitored at other times (see paragraphs 35-47 for further details of how data will be shared).

So they haven’t taken the opportunity to design in a certain amount of privacy by not collecting the extraneous data in the first place. (The toolkit mentioned being able to look at data in the period before a breach, so if extraneous information was location data outside an exclusion zone, and the wearer breached by entering the exclusion zone, does the location data outside that area become “traneous”? To what extent are safeguards in place to prevent access to data unless “there is a lawful reason to do so”? NB This is covered in the Code of Practice – see below.)

I wonder to what extent the data from several subjects can be merged? For example, are there screens that show the co-location of two people wearing tags?

Regarding data sharing, the Code seems to try to lock it down, but then opens it up again? For example:

Private prisons will provide notifications of an electronic monitoring requirement of those individuals released from their custody on a prison licence. They will not need access to the monitoring data. However, should the subject be recalled and end up back in their custody, information regarding the reasons for the recall will be shared with them via another source (NOMS Public Protection Casework Section). Once electronic monitoring data has been passed to a private prison they will become Data Controllers of the information in their possession.

Why would they need the monitoring data and how extensive will that data be? Data will also be shared outside the police in other ways:

22. The Data Processors of electronic monitoring information will be:

  • The third party contractor appointed to provide the tags and monitoring system;
  • The third party contractor employed to evaluate the outcomes of the pilot; and
  • The Bail Accommodation and Support Services (BASS) contractor [eg as described in this Commons Library Research Briefing: The Bail Accommodation and Support Service], as it is required to encourage compliance of individuals held in their premises with the provisions of relevant orders and report any breaches or concerns to the appropriate body.

I’m not sure who the respective third party contractors are?

The data collected includes personal data and sensitive personal data, as defined by the Data Protection Act, and as such subject to it – though maybe with wriggle room:

31. Furthermore, section 29 of the DPA, provides an exemption from a sub set of the DPA requirements in processing of personal data, if it is for prevention or detection of crime purposes. This is not a blanket exemption and so whether this exemption applies or not, will be considered on a case by case basis. In any event, a Schedule 2 condition and for sensitive personal data, a Schedule 3 condition, will still need to be satisfied.

32. Moreover the processing of personal and sensitive personal information engages Article 8 of the European Convention of Human Rights (i.e. the right to respect for private and family life). However, Article 8 is not an absolute right and public authorities are permitted to interfere with it if it is in accordance with the law, necessary in a democratic society for a legitimate aim and proportionate to do so. Therefore, any proposals for data sharing must be both justifiable and proportionate with the appropriate safeguards in place to ensure that personal data is not arbitrarily disclosed.

I’m not sure if Chinese Walls also apply to separate concerns:

The Police will have routine access to the following data for the specified reasons;

In their capacity as the Monitoring Team

i) All data captured as part of the pilot, to discharge its function as the monitoring body for the pilot project.
ii) All data on a single electronic monitoring requirement order imposed as part of a community order or suspended sentence order, and HDC cases, to meet the obligations bestowed upon them as part of this pilot for such orders (see paragraphs 23-26 above).

In their capacity as the Police

iii) Data on Court ordered bail subjects, as they act as the Responsible Officers in such cases.
iv) Data necessary to assist with managing compliance of other subjects such as MAPPA cases and prolific offenders;
v) Any data necessary to assist in the apprehension of subjects who have breached their Court Order / prison licence and are required to be returned to Court or to prison custody.

On the matter of the extraneous data:

33. The system will capture some extraneous location data as mentioned in paragraph 12 above. Those that are tagged will be informed that the tag will capture their whereabouts 24 hours a day as part of the Fair Processing Notice that will be provided to them on induction. Relevant stakeholders will only be provided with location data that is relevant to monitoring compliance with the conditions of the order. Access to the extraneous data will be restricted as set out in paragraph 43 below.

41. Relevant location tracking data i.e. the location data gathered for the purposes of monitoring compliance with Court Order /licence conditions, will be provided to relevant stakeholders via secure email. Where location tracking is in place solely to monitor exclusion/inclusion zones, the data that will be provided to stakeholders by the monitoring team will usually be restricted to the duration of the non-compliance and 30 minutes either side of it. Allowing a window of 30 minutes either side of the non-compliance is considered to be relevant data which is necessary for stakeholders to contextualise any breach and for risk assessment purposes.
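The two mechanisms described in the toolkit extracts above, the exclusion zone an offender must not enter and the 30-minutes-either-side window from paragraph 41 that bounds what a stakeholder gets to see, can be written out as a small piece of code. This is an added example, not the MoJ’s or the contractor’s software: it runs a stream of GPS fixes against a circular exclusion zone, finds each run of fixes inside it, and then splits the track into the fixes that fall within a breach plus its 30-minute margins (“relevant”) and everything else (the “extraneous” data of paragraph 12). The circular centre-plus-radius zone model, the constructed 18-fix track and the coordinates are assumptions made for the example; it does not model the device’s own on-board alerting.

```python
"""Exclusion-zone breach detection with a 30-minute disclosure window.

Added example, not part of the post or the MoJ toolkit. A zone is modelled
as a centre point and radius (assumption); fixes are timestamped lat/lon
pairs; the disclosure window value follows paragraph 41 of the Code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0
DISCLOSURE_WINDOW = timedelta(minutes=30)  # "30 minutes either side" (para 41)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


@dataclass(frozen=True)
class Fix:
    at: datetime
    lat: float
    lon: float


@dataclass(frozen=True)
class ExclusionZone:
    lat: float
    lon: float
    radius_m: float

    def contains(self, fix: Fix) -> bool:
        return haversine_m(self.lat, self.lon, fix.lat, fix.lon) <= self.radius_m


def breach_intervals(track: list, zone: ExclusionZone) -> list:
    """Return (first_inside, last_inside) for each run of fixes inside the zone."""
    intervals, start, last = [], None, None
    for fix in track:
        inside = zone.contains(fix)
        if inside and start is None:
            start = fix.at                      # breach begins
        elif not inside and start is not None:
            intervals.append((start, last.at))  # breach ended at previous fix
            start = None
        last = fix
    if start is not None:                       # still inside at end of track
        intervals.append((start, last.at))
    return intervals


def disclosable_fixes(track: list, zone: ExclusionZone, window=DISCLOSURE_WINDOW):
    """Split the track into (relevant, extraneous) per the paragraph 41 rule."""
    intervals = breach_intervals(track, zone)
    relevant, extraneous = [], []
    for fix in track:
        if any(s - window <= fix.at <= e + window for s, e in intervals):
            relevant.append(fix)
        else:
            extraneous.append(fix)  # captured, but outside any breach window
    return relevant, extraneous


# Constructed sample: a fix every 10 minutes for 3 hours, walking east in
# ~138 m steps; the zone (200 m radius) is centred on the ninth fix, so the
# fixes at 70, 80 and 90 minutes are inside it and nothing else is.
SAMPLE_START = datetime(2017, 1, 1, 9, 0)
SAMPLE_TRACK = [
    Fix(SAMPLE_START + timedelta(minutes=10 * i), 51.5, -0.12 + 0.002 * i)
    for i in range(18)
]
SAMPLE_ZONE = ExclusionZone(lat=51.5, lon=-0.12 + 0.016, radius_m=200.0)

if __name__ == "__main__":
    for start, end in breach_intervals(SAMPLE_TRACK, SAMPLE_ZONE):
        print(f"breach {start:%H:%M} to {end:%H:%M}")
    relevant, extraneous = disclosable_fixes(SAMPLE_TRACK, SAMPLE_ZONE)
    print(f"{len(relevant)} fixes disclosable, {len(extraneous)} extraneous")
```

The split is done after the fact over a full 24-hour capture, which is exactly the point the post makes: the device still records every fix, and the privacy protection lies only in which ones the monitoring team chooses to pass on. The colocation question raised earlier (two tagged people within 50m of each other) is the same distance test run between two tracks rather than between a track and a fixed centre.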

And as far as wider sharing goes:

43. During the course of the pilot, should public authorities require access to data for other reasons or other data, including access to extraneous location data, they will need to submit an External Agency Request (EAR) to the monitoring team. The request must explain why access to the information is required and failure to provide sufficient and appropriate justification will lead to it being rejected. By way of example, should access to data for the purposes of detection or prevention of a particular crime, the requestor will need to set out the reasons why they believe that the specific suspect(s) are likely to be, or were likely to have been, involved in the criminal behaviour that is under investigation. The monitoring team will handle the more straightforward requests using guidance issued by the MoJ. Any further requests, including those that seek access to the extraneous location data will be escalated to the Ministry of Justice to consider. However, if a request is urgent, arrives out of working hours, and the data is needed to manage a significant risk to the public, then, provided the request is justified as set out above, the monitoring team will release the necessary information and the MoJ will conduct a retrospective check.

Presumably, as part of the pilot is to see what other benefits GPS tagging might confer, external requests may well be looked on favourably as part of that?
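Paragraph 41 above is, in effect, a data minimisation rule: detect the breach of an exclusion zone, then release only the fixes from the breach itself plus 30 minutes either side. As an added illustration (my own code, not anything from the Code of Practice or the monitoring contractor), here is that rule worked through in Python over a constructed GPS track; the zone, timestamps and coordinates are made up, and the exclusion zone is simplified to a circle.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Fix:
    """One GPS fix from a tag (constructed sample data, not a real feed format)."""
    t: datetime
    lat: float
    lon: float


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6_371_000.0 * asin(sqrt(a))


def breach_intervals(track, zone_lat, zone_lon, radius_m):
    """(start, end) of each run of consecutive fixes inside a circular exclusion zone."""
    intervals, start, prev = [], None, None
    for f in track:
        inside = haversine_m(f.lat, f.lon, zone_lat, zone_lon) <= radius_m
        if inside and start is None:
            start = f.t                          # breach begins
        elif not inside and start is not None:
            intervals.append((start, prev.t))    # breach ended at the last inside fix
            start = None
        prev = f
    if start is not None:                        # still inside at the end of the track
        intervals.append((start, prev.t))
    return intervals


def shareable_fixes(track, intervals, context=timedelta(minutes=30)):
    """Keep only fixes during a breach or within the context window either side of it.
    Everything else is 'extraneous location data' and is not released."""
    windows = [(s - context, e + context) for s, e in intervals]
    return [f for f in track if any(s <= f.t <= e for s, e in windows)]


# Constructed sample: a 200 m exclusion zone and a 3-hour track with one fix every
# 5 minutes. The subject is ~2 km from the zone except for fixes 12..15 (60-75 min).
ZONE = (51.5000, -0.1200, 200.0)
_T0 = datetime(2016, 1, 4, 9, 0)
SAMPLE_TRACK = [
    Fix(_T0 + timedelta(minutes=5 * i),
        51.5000 if 12 <= i <= 15 else 51.5200,
        -0.1200)
    for i in range(37)
]


def share_report(track=SAMPLE_TRACK, zone=ZONE):
    """Return (breach intervals, fixes to share, number of fixes withheld)."""
    intervals = breach_intervals(track, *zone)
    shared = shareable_fixes(track, intervals)
    return intervals, shared, len(track) - len(shared)


if __name__ == "__main__":
    intervals, shared, withheld = share_report()
    for s, e in intervals:
        print(f"breach {s:%H:%M}-{e:%H:%M}")
    print(f"{len(shared)} fixes shared, {withheld} withheld")
```

On the sample track the single 15-minute breach yields a 75-minute release window (16 of 37 fixes); the other 21 fixes are exactly the "extraneous" data that paragraph 43 says needs a separate, justified request.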

As far as the operation of the tags goes:

48. Data transferred from GPS tags to the monitoring centre will be via mobile networks and will be encrypted. All data shared with stakeholders will be via secure email.

so the question arises: what about users who are out of signal range? (Are the devices set up for roaming, and capable of phoning home using all mobile operator networks? Or are the tags limited to using a single network?)

It should also be noted that by connecting to the mobile phone network the mobile operators will be able to track the devices in the same way they track mobile phones. If the operator can identify the tag as a tag, offenders’ identities could well be disclosed to the network if they carry a mobile phone around with them all the time that is persistently co-located with the tag device.

As hinted at above, I think this pilot is interesting for several reasons:

  • it is explicitly about using GPS monitoring information to track – and potentially influence the behaviour of the tracked user because they are aware they’re being tracked (panopticon style);
  • there are practical technical issues associated with the technology (GPS, mobile phone network connectivity and tracking);
  • there are issues around data collection and sharing;

More generally, in terms of system design, I see no reason why third party tracking data (collected from other devices, such as mobile phones or beacons) couldn’t be used as a source of location data, which means the pilot gives us an insight into what the police might be able to use this sort of data for as part of a 24 hour surveillance regime.

Of course, if you’ve done nothing wrong, there’s no chilling effect to be afraid of…

Participatory Surveillance – Who’s Been Tracking You Today?

With the internet of things still trying to find its way, I wonder why more folk aren’t talking about participatory surveillance?

For years, websites have been gifting information to third parties that you have visited them (Personal Declarations on Your Behalf – Why Visiting One Website Might Tell Another You Were There), but as more people are instrumenting themselves, the opportunities for mesh network based surveillance are ever more apparent.

Take something like thetrackr, for example. The device itself is a small Bluetooth-powered device the size of a coin that you attach to your key fob or keep in your wallet:

The TrackR is a Bluetooth device that connects to an app running on your phone. The phone app can monitor the distance between the phone and device by analyzing the power level of the received signal. This link can be used to ring the TrackR device or have the TrackR device ring the phone.

The other essential part is an app you run permanently on your phone that listens out for the trackr device. Not just yours, but anyone’s. And when it detects one it posts its location to a central server:

[thetrackr] Crowd GPS is an alternative to traditional GPS and revolutionizes the possibilities of what can be tracked. Unlike traditional GPS, Crowd GPS uses the power of the existing cell phones all around us to help locate lost items. The technology works by having the TrackR device broadcast a unique ID over Bluetooth Low Energy when lost. Other users’ phones can detect this wireless signal in the background (without the user being aware). When the signal is detected, the phone records the current GPS location, sends a message to the TrackR server, and the TrackR server will then update the item’s last known location in its database. It’s a way that TrackR is enabling you to automatically keep track of the location of all your items effortlessly.

And if you don’t trust the trackr folk, other alternatives are available. Such as tile:

The Tile app allows you to anonymously enlist the help of our entire community in your search. It works both ways — if you’re running the app in the background and come within range of someone’s lost item, we’ll let the owner know where it is.

This sort of participatory surveillance can be used to track stolen items too, such as cars. The TRACKER mesh network (which I’ve posted about before: Geographical Rights Management, Mesh based Surveillance, Trickle-Down and Over-Reach) uses tracking devices and receivers fitted to vehicles to locate other similarly fitted vehicles as they pass by them:

TRACKER Locate or TRACKER Plant fitted vehicles listen out for the reply codes being sent out by stolen SVR fitted vehicles. When the TRACKER Locate or TRACKER Plant unit passes a stolen vehicle, it picks up its reply code and sends the position to the TRACKER Control Room.

That’s not the only way fitted vehicles can be used to track each other. A more general way is to fit your car with a dashboard camera, then use ANPR (automatic number plate recognition) to identify and track other vehicles on the road. And yes, there is an app for logging anti-social or dangerous driving acts the camera sees, as described in a recent IEEE Spectrum article on The AI dashcam app that wants to rate every driver in the world. It’s called the Nexar app, and as their website proudly describes:

Nexar enables you to use your mobile telephone to record the actions of other drivers, including the license plates, types and models of the cars being recorded, as well as signs and other surrounding road objects. When you open our App and begin driving, video footage will be recorded. …

If you experience a notable traffic incident recorded through your use of the App (such as someone cutting you off or causing an accident), you can alert Nexar that we should review the video capturing the event. We may also utilize auto-detection, including through the use of “machine vision” and “sensor fusion” to identify traffic law violations (such as a car in the middle of an intersection despite a red stop light). Such auto-detected events will appear in your history. Finally, time-lapse images will automatically be uploaded.

Upon learning of a traffic incident (from you directly or through auto-detection of events), we will analyze the video to identify any well-established traffic law violations, such as vehicle accidents. Our analysis will also take into account road conditions, topography and other local factors. If such a violation occurred, it will be used to assign a rating to the license plate number of the responsible driver. You and others using our App who have subsequent contact with that vehicle will be alerted of the rating (but not the nature of the underlying incidents that contributed to the other driver’s rating).

And of course, this is a social thing we can all participate in:

Nexar connects you to a network of dashcams, through which you will start getting real-time warnings to dangers on the road

It’s not creepy though, because they don’t try to relate number plates to actual people:

Please note that although Nexar will receive, through video from App users, license plate numbers of the observed vehicles, we will not know the recorded drivers’ names or attempt to link license plate numbers to individuals by accessing state motor vehicle records or other means. Nor will we utilize facial recognition software or other technology to identify drivers whose conduct has been recorded.

So that’s all right then…

But be warned:

Auto-detection also includes monitoring of your own driving behavior.

so you’ll be holding yourself to account too…

Folk used to be able to go to large public places and spaces to be anonymous. Now it seems that the more populated the place, the more likely you are to be located, timestamped and identified.

A Loss of Sovereignty?

Over the course of the weekend, rummaging through old boxes of books as part of a loft clearout, I came across more than a few OU textbooks and course books. Way back when, OU course materials were largely distributed in the form of print items and hard media – audio and video cassettes, CD- and DVD-ROMs and so on. Copies of the course materials could be found in college and university libraries that acted as OU study centres, via the second hand market, or in some cases purchased from the OU via OU Worldwide.

Via an OU press release out today, I notice that “[c]ourse books from The Open University (OU) have been donated to an educational sponsorship charity in Kenya, giving old course books a new use for the local communities.” Good stuff…

..but it highlights an issue about the accessibility of our materials as they increasingly move to digital form. More and more courses deliver more and more content to students via the VLE. Students retain access to online course materials and course environments for a period of time after a module finishes, but open access is not available.

True, many courses now release some content onto OpenLearn, the OU’s free open learning platform. And the OU also offers courses on the FutureLearn platform (an Open University owned company that made some share allotments earlier this year).

But access to the electronic form is not tangible – the materials are not persistent, the course materials not tradeable. They can’t really be owned.

I’m reminded of a noticing I had earlier this week about our Now TV box that lets us watch BBC iPlayer, 4oD, YouTube and so on via the telly. The UI is based around a “My subscriptions” model which shows the channels (or apps) you subscribe to. Only, there are some channels in there that I didn’t subscribe to, and that – unlike the channels I did subscribe to – I can’t delete from my subscriptions. Sky – I’m looking at you. (Now TV is a Sky/BSkyB product.)

In a similar vein, Apple and U2 recently teamed together to dump a version of U2’s latest album into folks’ iTunes accounts, “giving away music before it can flop, in an effort to stay huge” as Iggy Pop put it in his John Peel Lecture [on BBC iPlayer], and demonstrating once again that our “personal” areas on these commercial services are no such thing. We do not have sovereignty over them. Apple is no Sir Gawain. We do not own the things that are in our collections on these services and nor do we own the collection: I doubt you hold a database right in any collection you curate on youtube or in iTunes, even if you do expend considerable time, effort and skill in putting that collection together; and I fully imagine that the value of those collections as databases are exploited by the recommendation engine mining tools the platform services operate.

And just as platform operators can add things to our collections, so too can they take them away. Take Amazon, for example, who complement their model of selling books with one of renting you limited access to ebooks via their Kindle platform. As history shows – Amazon wipes customer’s Kindle and deletes account with no explanation or The original Big Brother is watching you on Amazon Kindle – Amazon is often well within its rights, and it is well within its capacity, to remove books from your device whenever it likes.

In the same way that corporate IT can remotely manage “your” work devices using enterprise mobile device management (Blackberry: MDM and beyond, Google Apps: mobile management overview, Apple: iOS and the new IT, for example), so too can platform operators of devices – and services – reach into your devices – or service clients – and poke around inside them. Unless we’ve reclaimed it as our own, we’re all users of enterprise technology masked as consumer offerings and have ceded control over our services and devices to the providers of them.

The loss of sovereignty also extends to the way in which devices and services are packaged so that we can’t look inside them, need special tools to access them, can’t take ownership of them in order to appropriate them for other purposes. We are users in a pejorative sense; and we are used by service and platform providers as part of their business models.

Participatory Surveillance

This is an evocative phrase, I think – “participatory surveillance” – though the definition of it is lacking from the source in which I came across it (Online Social Networking as Participatory Surveillance, Anders Albrechtslund, First Monday, Volume 13, Number 3 – 3 March 2008).

A more recent and perhaps related article – Cohen, Julie E., The Surveillance-Innovation Complex: The Irony of the Participatory Turn (June 19, 2014). In Darin Barney, Gabriella Coleman, Christine Ross, Jonathan Sterne & Tamar Tembeck, eds., The Participatory Condition (University of Minnesota Press, 2015, Forthcoming) – notes how “[c]ontemporary networked surveillance practices implicate multiple forms of participation, many of which are highly organized and strategic”, and include the “crowd-sourcing of commercial surveillance”. It’s a paper I need to read and digest properly…

One example from the last week or two of a technology that supports participatory surveillance comes from Buzzfeed’s misleading story relating how Hundreds Of Devices [Are] Hidden Inside New York City Phone Booths that “can push you ads — and help track your every move”; (the story resulted in the beacons being removed). My understanding of beacons is that they are a Bluetooth push technology that emit a unique location code, or a marketing message, within a limited range. A listening device can detect the beacon message and do something with it. The user thus needs to participate in any surveillance activity that makes use of the beacon by listening out for a beacon, capturing any message it hears, and then doing something with that message (such as phoning home with the beacon message).

The technology described in the Buzzfeed story is developed by Gimbal, who offer an API, so it should be possible to get a feel from that what is actually possible. From a quick skim of the documentation, I don’t get the impression that the beacon device itself listens out for and tracks/logs devices that come into range of it? (See also Postscapes – Bluetooth Beacon Handbook.)

Of course, participating in beacon mediated transactions could be done unwittingly or surreptitiously. Again, my understanding is that Android devices require you to install an app and grant permissions to it that let it listen out for, and act on, beacon messages, whereas iOS devices have iBeacon listening built in the iOS Location Services*, and you then grant apps permission to use messages that have been detected? This suggests that Apple can hear any beacon you pass within range of?

* Apparently, [i]f [Apple] Location Services is on, your device will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple to augment Apple’s crowd-sourced database of Wi-Fi hotspot and cell tower locations. In addition, if you’re traveling (for example, in a car) and Location Services is on, a GPS-enabled iOS device will also periodically send GPS locations and travel speed information in an anonymous and encrypted form to Apple to be used for building up Apple’s crowd-sourced road traffic database. The crowd-sourced location data gathered by Apple doesn’t personally identify you. Apple don’t pay you for that information of course, though they might argue you get a return in kind in the form of better location awareness for your device.

There is also the possibility with any of those apps that you install one for a specific purpose, grant it permissions to use beacons, then the company that developed gets taken over by someone you wouldn’t consciously give the same privileges to… (Whenever you hear about Facebook or Google or Experian or whoever buying a company, it’s always worth considering what data, and what granted permissions, they have just bought ownership of…)

See also: “participatory sensing” – Four Billion Little Brothers? Privacy, mobile phones, and ubiquitous data collection, Katie Shilton, University of California, Los Angeles, ACM Queue, 7(7), August 2009 – which “tries to avoid surveillance or coercive sensing by emphasizing individuals’ participation in the sensing process”.

More Digital Traces…

Via @wilm, I notice that it’s time again for someone (this time at the Wall Street Journal) to have written about the scariness that is your Google personal web history (the sort of thing you probably have to opt out of if you sign up for a new Google account, if other recent opt-in by defaults are to go by…)

It may not sound like much, but if you do have a Google account, and your web history collection is not disabled, you may find your emotional response to seeing months or years of your web/search history archived in one place surprising… Your Google web history.

Not mentioned in the WSJ article was some of the games that the Chrome browser gets up to. @tim_hunt tipped me off to a nice (if technically detailed, in places) review by Ilya Grigorik of some of the design features of the Chrome browser, and some of the tools built in to it: High Performance Networking in Chrome. I’ve got various pre-fetching tools switched off in my version of Chrome (tools that allow Chrome to pre-emptively look up web addresses and even download pages pre-emptively*) so those tools didn’t work for me… but looking at chrome://predictors/ was interesting to see what keystrokes I type are good predictors of web pages I visit…

[Image: chrome predictors]

* By the by, I started to wonder whether webstats get messed up to any significant effect by Chrome pre-emptively prefetching pages that folk never actually look at…?

In further relation to the tracking of traffic we generate from our browsing habits, as we access more and more web/internet services through satellite TV boxes, smart TVs, and catchup TV boxes such as Roku or NowTV, have you ever wondered about how that activity is tracked? LG Smart TVs logging USB filenames and viewing info to LG servers describes not only how LG TVs appear to log the things you do view, but also the personal media you might view, and in principle can phone that information home (because the home for your data is a database run by whatever service you happen to be using – your data is midata is their data).

there is an option in the system settings called “Collection of watching info:” which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no “balloon help” to describe what it does.

At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.

you can clearly see that a unique device ID is transmitted, along with the Channel name … and a unique device ID.

This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.

It was at this point, I made an even more disturbing find within the packet data dumps. I noticed filenames were being posted to LG’s servers and that these filenames were ones stored on my external USB hard drive.

Hmmm… maybe it’s time I switched out my BT homehub for a proper hardware firewalled router with a good set of logging tools…?

PS FWIW, I can’t really get my head round how evil on the one hand, or damp squib on the other, the whole midata thing is turning out to be in the short term, and what sorts of involvement – and data – the partners have with the project. I did notice that a midata innovation lab report has just become available, though to you and me it’ll cost 1500 squidlly diddlies so I haven’t read it: The midata Innovation Opportunity. Note to self: has anyone got any good stories to say about TSB supporting innovation in micro-businesses…?

PPS And finally, something else from the Ilya Grigorik article:

The HTTP Archive project tracks how the web is built, and it can help us answer this question. Instead of crawling the web for the content, it periodically crawls the most popular sites to record and aggregate analytics on the number of used resources, content types, headers, and other metadata for each individual destination. The stats, as of January 2013, may surprise you. An average page, amongst the top 300,000 destinations on the web is:

– 1280 KB in size
– composed of 88 resources
– connects to 15+ distinct hosts

Let that sink in. Over 1 MB in size on average, composed of 88 resources such as images, JavaScript, and CSS, and delivered from 15 different own and third-party hosts. Further, each of these numbers has been steadily increasing over the past few years, and there are no signs of stopping. We are increasingly building larger and more ambitious web applications.

Is it any wonder that pages take so long to load on a mobile phone off the 3G network, and that you can soon eat up your monthly bandwidth allowance!
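Each of those 15 or so hosts is, as the earlier post on personal declarations notes, a party that learns you visited the page. As an added example (my own code, not from Grigorik’s article or the HTTP Archive), here is a small Python script that lists which hosts a page fetches resources from and separates the publisher’s own hosts from third parties; the HTML and hostnames are constructed, and the first-party test is a simple domain-suffix rule that is not Public Suffix List aware (so co.uk style domains would need more care).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements whose attribute values make the browser fetch something from another host.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "source": "src", "link": "href"}
# Only these <link rel=...> values actually trigger a fetch; canonical/alternate do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every element that causes a network fetch."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = URL_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link" and not (set((attrs.get("rel") or "").split()) & FETCHING_LINK_RELS):
            return
        value = attrs.get(attr_name)
        if value:
            self.resources.append((tag, urljoin(self.base_url, value)))


def site_domain(page_url):
    """Publisher domain for the first-party test: the page host minus a leading 'www.'."""
    host = urlparse(page_url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def hosts_by_party(page_url, html):
    """Return two dicts, {host: [(tag, url), ...]}, for first- and third-party hosts."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    site = site_domain(page_url)
    first, third = {}, {}
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if host is None:
            continue
        bucket = first if (host == site or host.endswith("." + site)) else third
        bucket.setdefault(host, []).append((tag, url))
    return first, third


# Constructed sample page for a fictional publisher; the third-party hosts are made up
# apart from www.google-analytics.com, which illustrates the analytics case above.
SAMPLE_PAGE_URL = "https://www.example.org/news/article"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example.org/news/article">
<script src="//www.google-analytics.com/ga.js"></script>
<script src="https://static.example.org/app.js"></script>
</head><body>
<img src="https://images.example-cdn.test/hero.jpg">
<img src="https://pixel.adnetwork.test/track.gif?page=news">
<iframe src="https://video.embed-host.test/player"></iframe>
</body></html>
"""

if __name__ == "__main__":
    first, third = hosts_by_party(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print(f"{len(first) + len(third)} distinct hosts, {len(third)} third party")
    for host in sorted(third):
        print("  third party:", host, [tag for tag, _ in third[host]])
```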