It's often said that there is a trade-off between privacy and convenience - while that's often overstated, there are some ways in which it is inarguably true.

1/ [Image: A product shot of Apple's Airtag; superimposed on it in meme-]
For example, it would be convenient to give all your devices radio chips that constantly broadcast a unique number, so that whenever one of our mobile devices encountered such a radio beacon, it could log the event and the location.

2/
Then, if we wanted to find something we'd lost, we'd have this great database of where-everything-is.

Likewise, if we wanted to do viral exposure notification, we could set our phones to broadcast a unique ID everywhere we went and log all the unique IDs they encountered.

3/
When someone got a diagnosis, we could figure out who we might have been exposed to.

There's just one problem: privacy. Both of these applications would produce a record of every location you visited and who you went there with. It's a privacy nightmare.

4/
Now, at this point, you may be noticing something curious: both of these services actually exist, and yet privacy advocates haven't been shouting down the heavens about the privacy implications of these things.

There's a good reason for that!

5/
Beacons like Apple's Airtag and contact tracing apps that follow the privacy-preserving protocols established for covid exposure notifications do some INCREDIBLY clever stuff with cryptography.

6/
Rather than sending out unique IDs, they send out encrypted, rotating identifiers that are designed to be opaque to anyone except the person who owns these devices. So no one but you can know that an ID is the tag on your keyring.
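To make the rotating-identifier idea (and the exposure-matching step from 3/) concrete, here is an added illustrative example that is not code from this thread, from Apple, or from the exposure-notification specifications: a simplified HKDF-based scheme in which each device derives a fresh opaque identifier every ten minutes from a per-day key, and a diagnosed user publishes only that day's key so other phones can check their own logs. The label strings, interval numbering and sample keys are assumptions chosen for illustration.

```python
import hmac
import hashlib

INTERVALS_PER_DAY = 144   # one identifier per 10-minute slot, 144 slots per day (assumed)
ID_LEN = 16               # 16-byte identifiers, small enough for a BLE advertisement


def hkdf_expand(key: bytes, info: bytes, length: int = ID_LEN) -> bytes:
    """One block of HKDF-Expand (RFC 5869) over HMAC-SHA256; enough for <=32-byte outputs."""
    return hmac.new(key, info + b"\x01", hashlib.sha256).digest()[:length]


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Opaque identifier broadcast during one 10-minute interval.
    Without daily_key, two of these cannot be linked to the same device."""
    rpik = hkdf_expand(daily_key, b"EXAMPLE-RPIK")  # per-day identifier key (label assumed)
    return hkdf_expand(rpik, b"EXAMPLE-RPI" + interval.to_bytes(4, "little"))


def ids_for_day(daily_key: bytes, day_start: int) -> set:
    """All 144 identifiers a device broadcast on the day starting at interval day_start."""
    return {rolling_id(daily_key, day_start + i) for i in range(INTERVALS_PER_DAY)}


def find_exposures(observed, diagnosed):
    """observed: [(interval, id_bytes)] my phone logged from nearby devices.
    diagnosed: [(daily_key, day_start)] keys a diagnosed user chose to publish.
    Returns the intervals during which I was near a diagnosed device."""
    hits = []
    for daily_key, day_start in diagnosed:
        day_ids = ids_for_day(daily_key, day_start)
        hits += [t for t, rid in observed if rid in day_ids]
    return sorted(hits)


def demo():
    # Constructed sample: Alice's and Bob's daily keys, same day boundary
    day_start = 2_700_000
    alice_key = hashlib.sha256(b"constructed-alice").digest()[:16]
    bob_key = hashlib.sha256(b"constructed-bob").digest()[:16]
    # What my phone heard: Alice in slots 10 and 11, Bob in slot 50
    observed = [(day_start + 10, rolling_id(alice_key, day_start + 10)),
                (day_start + 11, rolling_id(alice_key, day_start + 11)),
                (day_start + 50, rolling_id(bob_key, day_start + 50))]
    # Alice is diagnosed and publishes only her daily key; Bob's key stays private
    return find_exposures(observed, [(alice_key, day_start)])


if __name__ == "__main__":
    print(demo())
```

Only the two intervals near Alice are reported; Bob's identifier stays an unlinkable blob because his key was never published.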

7/
The cryptographic protocols have been subjected to rigorous analysis and debate and there's a strong sense among cryptographers that they work as advertised. But there's more than one way to track a radio beacon.

8/
In "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices," presented at the 2022 IEEE Symposium on Security and Privacy, a group of researchers reveal a profound weakness in this system.

computer.org/csdl/proceedin…

9/
The team, from UCSD, describe a means by which these radio beacons can be uniquely identified and tracked - not by decrypting the numbers they transmit, but by cataloguing the differences in their signals caused by minute manufacturing differences in the radios themselves.

10/
You don't need a sophisticated device to do this tracking - a cheap, off-the-shelf software defined radio package has the sensitivity to pick up on these differences. The kinds of gear that only the NSA used to get is now for sale at $150 a pop.

11/
These are problems inherent to Bluetooth radios and their antennas themselves. Even if we figure out how to fix this in future devices, it's unlikely that we can fix it for the billions (tens of billions?) of devices already in the field.

12/
And while all manufacturers' devices share this risk, Apple's devices were observed most prolifically in the field, thanks to market dominance and the frequent handoffs between phones and watches. Apple's devices also send more powerful signals, making them easier to detect.

13/
This is a huge deal, and while it affects billions of devices, it's better that we know about it now, before it affects trillions.

The published paper is paywalled, but the authors have posted an open access preprint:

cseweb.ucsd.edu/~nibhaska/pape…

eof/
If you'd like an unrolled version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

pluralistic.net/2021/10/21/sid…
