Shostack + Friends Blog Archive

 

Telephones and privacy

Three stories, related by the telephone, and their impact on privacy:

  • CNN reports that your cell phone is being tracked in malls:

    Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by monitoring the signals from their cell phones.


    Still, the company is preemptively notifying customers by hanging small signs around the shopping centers. Consumers can opt out by turning off their phones.


    The tracking system, called FootPath Technology, works through a series of antennas positioned throughout the shopping center that capture the unique identification number assigned to each phone (similar to a computer’s IP address), and tracks its movement throughout the stores.

    The company in question is Path Intelligence, and they claim that since they’re only capturing IMSI numbers, it’s anonymous. However, the IMSI is the name by which the phone company calls you. It’s a label which identifies a unique phone (or the SIM card inside of it) which is pretty darned closely tied to a person. The IMSI identifies a person more accurately and effectively than an IP address. The EU regulates IP addresses as personally identifiable information. Just because the IMSI is not easily human-readable does not make it anonymous, and does not make it not-a-name.

    It’s really not clear to me how Path Intelligence’s technology is legal anywhere that has privacy or wiretap laws.

  • Kashmir Hill at Forbes reports on “How Israeli Spies Were Betrayed By Their Cell Phones”:

    Using the latest commercial software, Nasrallah’s spy-hunters unit began methodically searching for traitors in Hezbollah’s midst. To find them, U.S. officials said, Hezbollah examined cellphone data looking for anomalies. The analysis identified cellphones that, for instance, were used rarely or always from specific locations and only for a short period of time. Then it came down to old-fashioned, shoe-leather detective work: Who in that area had information that might be worth selling to the enemy?

    This reminds me of the bin Laden story: he was found in part because he had no phone or internet service. What used to be good tradecraft now stands out. Of course, maybe some innocent folks were just opting out of Path Intelligence. Hmmm. I wonder who makes that “latest commercial software” Nasrallah’s team is using?

  • “Who’s on the Line? Increasingly, Caller ID Is Duped”, Matt Richtel, The New York Times

    Caller ID has been celebrated as a defense against unwelcome phone pitches. But it is backfiring.

    Telemarketers increasingly are disguising their real identities and phone numbers to provoke people to pick up the phone. “Humane Soc.” may not be the Humane Society. And think the I.R.S. is on the line? Think again.

    Caller ID, in other words, is becoming fake ID.

    “You don’t know who is on the other end of the line, no matter what your caller ID might say,” said Sandy Chalmers, a division manager at the Department of Agriculture, Trade and Consumer Protection in Wisconsin.

    Starting this summer, she said, the state has been warning consumers: “Do not trust your caller ID. And if you pick up the phone and someone asks for your personal information, hang up.”

    I’m shocked that a badly designed invasion of privacy doesn’t offer the security people think it does.

    When I say badly designed, I’m referring to inline signaling late in the signal, not to mention that the Bells already had ANI. But they didn’t want to risk the privacy concerns with caller-ID impacting on ANI, so they designed an alternative.

One comment on "Telephones and privacy"

  • Aaron says:

    Regarding the first point, Path Intelligence’s technology actually only passively ‘intercepts’ the TMSI (rather than the IMSI), which makes it slightly less privacy-intrusive as it’s not a persistent identifier.
