Governments around the world are legislating to collect metadata, usually with the excuse that modern crime-fighting and national security efforts require access to records of citizens’ communications.
In many nations that’s sparked what I call “horizontal” scope-creep, in which, as just one example, the Australian Health Practitioner Regulation Agency (AHPRA) wants access to metadata in order to identify and discipline doctors who are having affairs with their patients.
There’s another dimension to scope-creep that has received far less attention to date: the “vertical scope” creep of collecting machine-generated traffic that leaves a growing fingerprint to identify the user.
I’m talking about the Internet of Things, and I’m not first person to notice that its traffic will be of interest to law enforcement. Harvard’s Berkman Center (in conversation with security experts including the intelligence community) recently observed that the growing traffic footprint left by televisions, refrigerators, thermostats, home-automation systems, mobile phones, garage door openers and cars all leave a trail. And that trail is so broad that investigators may not need to worry so much about the increasing prevalence of encryption.
In January, Princeton researchers put their flag in the ground, saying that the ill-secured and chattynature of Internet of Things devices provides a detailed fingerprint of their owners’ behaviours.
In most cases, users have limited or no control over device behaviour. In all-too-many cases, the device won’t function if it can’t talk to its home server.
The snitch on the wall
It’s almost certain that users are at best vaguely aware that the communications fingerprint exists at all. Someone who grabs their phone to dim the lights and adjust the air-con without leaving the lounge probably doesn’t realise that their app might not talk directly to the controller down the hall.
It’s more likely that the app talks to the thing-maker’s cloud services – partly because the vendors are wedded to a business model that demands they harvest even the most trivial user interactions for possible value.
That means the app on the phone will first initiate a DNS query to find the IoT vendor’s cloud service, and communicate directly with it (“Change temperature to 23°C”).
Those communications will traverse either the user’s phone data connection or their broadband router – and in either case, will create the kind of metadata the legislation and its accompanying regulations demand be retained for two years.
The vendor will then connect to the home broadband router and send the control command to the target device – once again, creating metadata that will be stored somewhere.
Every one of the proliferating catalogue of devices working to this model will add to the metadata store.
Now, consider just how informative this data can be:
- Merely knowing which hosts your devices talk to identifies what you own.
- Knowing when your security system contacts its vendor is a good indicator of when your house is empty, especially if you have a separate app-controlled door lock, which calls home when it’s activated or deactivated.
- A smart TV’s fingerprint is probably different to that of a fridge, since the TV might be contacting its home server whenever it hears your voice (in case you want to change channels), and if you’ve installed a third-party electronic programme guide, it’ll contact that server – not to mention any other apps you’ve decided it needs.
This handful of devices presents a pretty detailed picture of the life behind the IP address, and that’s the problem.
Put away the paranoia
Raising these issues isn’t about tinfoil-hattery or paranoia. However, “vertical” scope creep exists in the context of the “horizontal”.
The number and nature of bodies seeking access to retained data goes far beyond how world governments have presented the need for data retention.
The AHPRA example mentioned above illustrates the trend well, because the organisation has identified metadata as a resource to help it probe something that is neither a criminal nor national security matter.
Worse, the retained metadata violates the privacy of a party to the communication – the patient – who might not even be behaving unethically (for example, both doctor and patient may be single, and the patient’s conscience can be clear).
The AHPRA reckons gaining metadata access to phone records will tell it whether doctor and patient are constantly exchanging text messages, making it easier to confront the doctor with evidence. If AHPRA or any other organisation, in any nation, also gains access to IoT metadata it will become possible to build a very detailed breadcrumb trail indeed. Down to an opened door moments after a TV is turned off, in a proximate location to a moving smartphone that grazes a geo-located Wi-Fi hotspot.
Which could add up to a house-call. Or a social call. Or a booty call.
It’s whatever data the legislation-plus-regulations mandate must be retained – which in the case of what emanates from the doctor’s broadband router, includes the kinds of conversations outlined above.
Read more: http://www.theregister.co.uk/2016/02/28/metadata_scope_creep/