Archive for the ‘Privacy’ Category

Apps for the Paranoid Needed?

Mon, 04 Jan 2010

I can’t let Karsten Nohl‘s presentation at 26C3 go without comment. To be clear, he was only talking about weaknesses that were already known (so headlines like “Secret mobile phone codes cracked” are at best misleading) but his purpose was to demonstrate that those theoretically known attacks are now practical. His point is a very valid one, and holds for most (all?) cryptographic algorithms: researchers will discover more efficient attack techniques, and technology will evolve to make such attacks practical, so you’d better design your cryptographic protocols so you can switch to different algorithms if and when the future need arises.* Happily this is the case for the GSM protocols, and all (!) that is needed is for the phone manufacturers and network operators to deploy the A5/3 algorithm and we can all go about our business.

That said, there is an interesting point made, almost in passing, in the presentation. (more…)

Femtocells and Security

Thu, 25 Jun 2009

The Femtocells World Summit is in London this week; I haven’t attended, but I have seen articles about it that have me wondering whether there are interesting security issues emerging.

First, what’s a femtocell? Essentially, it’s a short-range, miniaturised version of a mobile phone mast. However, instead of being directly plumbed in to the phone network, calls made through a femtocell are routed over broadband Internet connections so they can be used in areas where the normal phone network coverage is poor or non-existent.


Behavioural Targeting

Thu, 21 May 2009

[Sorry, I’m getting a bit behind on things I want to blog about, part 2 of the Symbian Signed story will be up soon!]

On Tuesday I attended a seminar in Westminster on the topic of “Behavioural Targeting, Social Networking and the Challenges of Online Privacy“. “Behavioural targeting” refers to monitoring users’ behaviour online and using the collected data to present them with targeted content (often in the form of advertising).

There was an interesting mix of participants, from government and the civil service (the Home Office had the largest representation of any one organisation) to privacy advocates (Open Rights Group), industry (notably Phorm) and journalists. I wasn’t the only one who thought this might be relevant to mobile – several mobile network operators were present. There is clear potential for monitoring significantly more personal information via a mobile device carried with you, compared to a work or home PC.


What Does Privacy Mean in the Information Age?

Tue, 24 Mar 2009

I have long respected Bob Blakley‘s opinions on security and privacy issues (I don’t actually remember when we first met, but it would have been roughly in the mid-1990s I think).  He often defines privacy as “the ability to lie about yourself and get away with it” (see here for example, but he was saying it years before that too).  Note that his point isn’t that people should necessarily have a right to lie about themselves, but that thinking about whether they can or not is a useful way of measuring the otherwise abstract concept of privacy.

I often ponder whether we (that is, developers of mobile device software) are doing enough to help users look after their privacy.  It’s often stated that end users aren’t interested in privacy, or don’t value it appropriately.  Professor Ed Felten has written an interesting counterpoint to that view, and I think it is important that we provide users with easy-to-understand choices, so they can make rational and informed decisions about sharing their personal information.  I like to use Flickr as an example; their privacy controls are simple, understandable and widely used.  You might use Facebook as a counter-example; they have many different privacy controls and it’s not obvious (even for security professionals!) how to configure them sensibly.

An interesting case study for mobile is Google Latitude (now available in the Google Maps native client for S60 3rd Edition).  Many of my Symbian and Nokia colleagues have signed up recently, and I’ve been wondering how Bob’s definition of privacy might apply to it.   My inclination, as a security professional, is not to sign up; once you do, the fact that you may then choose not to share your location at a particular time, or with a particular person, is itself information about you.  I wonder how much privacy you might lose by implicitly sharing that information.  Think of it as a statement: “Craig is doing something that he doesn’t want you to know about” 🙂

So, this leads me to a question – can I use Google Latitude to lie about my location? It seems there is a manual “set my location” option, which is promising, but then I wonder how easy it will be for Latitude friends to tell the difference between that and GPS or cell ID-derived location. I also wonder if there’s an API I can use to update my Latitude location programmatically (I doubt anyone would ever bother with that, but it would surely be privacy-friendly to have the option).  Maybe I will sign up and have a play with it (or maybe I won’t, so you won’t be surprised if you get no response to a Latitude friend request ;-)).

What other privacy issues might there be on mobile devices (either in the OS or in applications) which we should worry about?