Writing

Feed Software, technology, sysadmin war stories, and more.

Saturday, December 1, 2012

Your devices, your behavior, and your permanent record

A couple of days ago, I learned about a new service which seems to be rolling out to some stores. It uses emissions from your phones to figure out who's in the store. I assume it's listening for smart phones sending out 802.11 probes in search of known wireless networks and is then making a note of the MAC address. It might also be looking for discoverable Bluetooth devices. Perhaps they have some way to grovel around inside actual cell signals to get a "station ID" from a nearby transmitter.

At any rate, it's a good bet that a lot of people are going to be carrying around at least one such device which can be detected. Stores are probably going to use this to keep track of shopper visits and try to correlate transactions to observed transmissions. After all, if you hear MAC address X, and then person Y checks out, and then X vanishes a few minutes later, you have some data for the future.

The next time you see X, then look to see if person Y checks out a short time later again. After a couple of visits, I'm sure they could get a pretty decent level of confidence for mapping people to their devices. To make things even more effective, they could have localized listening posts in every checkout lane. Now they'd also be able to correlate the checkout number where person Y's card was seen and signal strength type data for that immediate location.

I think it's a given that we're going to see a lot more of this in the future. There may be complaints and perhaps even attempts at legislation. A few communities may even succeed at banning this technology in law, while others might shun those merchants and get rid of the devices that way.

Still, no matter what happens in terms of community backlash or laws, I'm going to predict that something else will happen. People will start running their own little listeners on their devices while they're out and about. Yes, that's right. Individuals will start using their smart phones and other portable devices to build dossiers on the people around them.

Let's say you're in line at a store and the person in front of you is the type who haggles with the cashier over 25 cents and ties up the entire line. This irritates you, so you whip out your phone and write a short rant about it. People do this already, right? So, why not capture all of the other nearby device IDs when posting such a rant about another person?

A week later, that same person does the same cashier-annoying stuff at a different store with totally different people around. Someone in that line posts a "groan" message to their social service of choice and it also captures the nearby device IDs. Somewhere, something notices that both of these posts have one device ID in common.

This goes on for a while, and slowly, that device ID gets associated with reports of someone who makes life miserable for other people who are waiting on a limited resource. This leads to the next step: alerting.

Some time later, yet another person gets relatively close to our friend the annoyance and picks up this device ID which is associated with this badness. This new person gets an alert on their device which says "you are very close to a person who ties up grocery store lines, reported 10 times in the past 15 weeks". They look ahead, and sure enough, someone seems to be gearing up for a coupon battle. Armed with this information, they change lines and avoid the problem. While in their better line, they acknowledge the alert and thank whoever entered it for a useful tip.

That's a contrived example, but there are so many more situations where this might work. Perhaps you're walking down the street and someone says something incredibly evil, like a racist or sexist remark. You enter a rant and capture any nearby IDs in the process. This same evil person does it again somewhere else and gets captures again by someone else. After a while, it might be possible to pre-emptively alert when that ID is spotted in the vicinity: "warning, evil person nearby!"

Part of my prediction is that this will happen on the sly no matter what people say publicly about it. Most people will probably say they would never do such things since that's creepy and spooky, but in private they would probably run it just for their own uses. Some people would do it to have another source of information about the world around them. Others would probably turn it into a giant distributed "hot or not" system.

I can see entire communities springing up for "people who like X". Any time they see a person with that trait, they throw out a tag. Eventually, the correlation gets going and then others will start receiving alerts when that person comes nearby. "Look lively! There's a hottie coming!"

Yes, people will be creeped out by this, and rightly so. It's still going to happen. Once this horse is out of the barn, it's not going back in.

The only thing which might prevent the coming explosion of such systems would be a marked change in how our devices behave. Anything which travels with us would need to be designed such that it never speaks until spoken to by a properly authenticated device with authorization. Entire packets would need to be encrypted instead of just the payloads so that things like MAC addresses are not visible in the clear. Cellular standards would likewise need to be adjusted to maintain privacy.

Even then, I imagine someone will eventually come up with a usable method of fingerprinting devices for this kind of system based on their RF characteristics. Cell phone companies were apparently using this sort of thing to combat cloning back in the old days. If your phone's ID popped up on another transmitter, they'd know something was up.

At that point, someone might start building RF transmitters which purposely vary a bunch of their characteristics in order to "fuzz" such techniques. Then the "listeners" would find a way around that and the arms race would just keep on going.

If it comes to this, I imagine a lot of people won't care. They'll just shrug and accept it as a part of living in this modern world.

As a stretch, it's possible such a thing will be a net win for humanity. After all, if your reputation starts entering a space before you do, maybe you'll think twice before doing something evil.

This will be noted on your permanent record.