Privacy Roundup: Mandatory Data Retention, Smart Meter Hacks, and Law Enforcement Usage of "Silent SMS"
CDT Releases White Paper on Data Retention
The Center for Democracy and Technology has released a memo (PDF) on the economic costs, technical complications, and privacy implications of a data retention mandate. Data retention mandates would force Internet companies such as ISPs to keep records on their historical assignment of IP addresses and make that and other customer data available to law enforcement. CDT’s memo points out the technical issues surrounding IP address assignment, noting that there are a multitude of situations in which IP addresses are shared (such as in coffee shops, work places, and airports) and that they can’t reliably identify an end user. We couldn’t agree more. They also rightly note that "a data retention mandate would require the collection and management of vastly larger quantities of data than seemed necessary even a few years ago, at costs that could be prohibitive, especially for smaller and rural service providers, while yielding data less reliable in identifying end-user devices."
This memo couldn’t come at a better time. Congress is currently considering misguided data retention legislation that could compromise user privacy and burden ISPs. Learn more about the privacy issues surrounding data retention mandates by visiting EFF’s issue page. You should also use the EFF action center to send a letter to Congress telling them not to force Internet companies to spy on users.
Smart Meter Hacking for Privacy
On day four of the 28th Annual Chaos Communication Congress, Smart Hacking for Privacy explored the privacy-intrusive potential of smart meter technology. EFF has articulated the privacy concerns around smart meters – including how this technology can be used to monitor what appliances a consumer uses in the home and exactly when she uses them. According to Network World, Smart Hacking for Privacy went a step further and showed that under certain circumstances, researchers could use smart meters to "determine devices like how many PCs or LCD TVs [were] in a home, what TV program was being watched, and if a DVD movie being played had copyright-protected material." This builds off of research (PDF) by a team at the University of Washington on the electromagnetic interference (EMI) signatures produced by televisions. Smart Hacking for Privacy also demonstrated how smart meters could be hacked so that the readings were incorrect. The entire presentation is available on YouTube.
German Police Using Hundreds of Thousands of “Silent” SMS Messages for Tracking Suspects
The 28th Annual Chaos Communications Congress also featured a presentation from researcher Karsten Nohl on Defending Mobile Phones (click for full YouTube presentation). As both Tomsguide and FSecure pointed out, one of the most interesting facts discussed in the presentation was that German law enforcement was relying on "silent SMS" technology for tracking suspects. SMS is the protocol by which standard text messages are delivered to your cell phone; a “silent” SMS message would deliver a "message" to the phone without the user being aware. In other words, the user wouldn’t see a text message; she wouldn’t see any notice at all on her phone. That "silent" SMS interaction, in turn, leads to the creation of a log with the cell phone company that reveals what cell phone towers the phone was closest to when the SMS was received. German law enforcement apparently likes this technique so much they pinged cell phones with silent SMS over 440,000 times in 2010.
This isn’t the first time we’ve known law enforcement to invisibly ping a mobile phone to hone in on the phone’s location without the user being aware. In United States v. Forest, the police used a similar technique using "silent" telephone calls to generate cell site logs with the provider where there otherwise wouldn’t be any, providing more frequent location fixes to help with tracking.
As this story demonstrates, the cell tower network can provide detailed data about a user’s daily movements based not just on your phone calls but on other communications activities as well. Last year, for example, Malte Spitz demonstrated the precision and breadth of data collected through cell phone tracking when he forced his cell phone carrier to hand over the records they had on him. Those records revealed that the carrier had collected over 35,831 data points about his location - not only his location during phone calls but also when he sent or received SMS messages or used the Internet – in a mere 6 months.