shift change 2024-1

Welcome to shift change, reports from the off-going watch to the oncoming on anything (certainly not everything) interesting in privacy, security, or intelligence. Because it is the first day of the week, and month, and year, I'll start with some end of 2024 stories that may have been lost in the holiday shuffle:

1. Tools that track location are targets for stalkers, domestic abusers, and any threat actor who wants location information—they are also great for calling “bullshit” when your airline lies to you about why you flew to California but your bags flew to Romania. Researchers at Johns Hopkins University and the University of California, San Diego worked out a scheme to improve your ability to recognize tags around you that are not yours. 

Apple and other tracking tag manufacturers know this is an issue, and it’s not hard to track down reports of abusive tracking; they threat model likely abusive uses (right?…right?!?). Apple started addressing the risk of abusive tracking by rotating tag identifiers, a generated code that tells your iPhone (or whatever device you are accessing Find My from) what tag identifiers are around you, and whether they recognize them. If your iPhone recognizes the tags around you, no warning, and you can see what is known to you in the app. If your iPhone doesn’t—you get a notification that an unknown tag is nearby. This works because if a tag is near you long term, you are going to get a lot of notifications (every 15 minutes) letting you know that an unidentified tag is nearby. But it also means non-abusive uses, like spending a day at Six Flags with friends who have a tag on their car keys in their pocket, and maybe another in their kids’ day bag just because anything kid related is easily lost, will generate warnings, every 15 minutes, until you do something—either choose to recognize the tag, or mute the warnings, or move away from the tracking tag. Too many notifications for non-abusive uses will desensitize users to what the warning is trying to warn them about—just ask any threat actor who has spammed an MFA system until a target just gives up and smashes the accept login button.

So, Apple then swung the other way: fewer notifications by way of a broader time window, and rotated tag identifiers once every 24 hours if a tag is away from a trusted device (like your iPhone). Notifications go down, but if a tag is around you long enough, you still get the awareness to take action. But if a threat actor was tracking you via a tracking tag, would one notification over the course of a day, and all the places and activities that location tag could reveal about you, be enough?

What’s the possible solution? Yeah, it’s math.

2. (spoilers for an off-air HBO show, you’ve been warned!) There is an episode of Silicon Valley, Mike Judge’s takedown of the tech industry in, you guessed it, Silicon Valley, where new Pied Piper CEO Dinesh comes face to face with the financial consequences of making sure users on Pied Piper were over 13. COPPA, baby!

Well, now the Federal Trade Commission wants to beef up COPPA with more biometric privacy protections. Biometric protections exist in other areas; thanks, Illinois! And they can be financially devastating, or devastatingly effective, depending on which side of the lawsuit “v” you are on, when each instance of non-compliance can come with a fine (just like Dinesh faced with COPPA.)

Now, this is not coming as an act of Congress (well, not a new act of Congress) or via Executive Order, but by the FTC’s rulemaking authority under COPPA to make rules for how COPPA applies. That can sound weird if you don’t understand that most legislation empowering government agencies also comes with language that allows them to make their own rules under certain processes (notice of proposed rulemaking, a period where interested parties can comment on the impact of proposed rules, and then a decision).

3. It’s easier to fake being a cop than it should be. Good grief, what the fuck is wrong with you, Verizon? A Proton Mail account was pretty much all it took to convince Verizon that a guy was a cop. The people of the United States desperately need a federal personal privacy law that limits the scope and length of collected data; otherwise companies just become private NSAs, with way less interest in protecting people.

4. It makes sense that threat actors will imitate cops; pharmacies also just hand that shit over. HIPAA allows records to be turned over to law enforcement, and the Department of Health and Human Services, which oversees HIPAA compliance (kind of, kind of…not), can impact the review standard of a records request, but lol, they don’t, so companies just make it up, usually with no review.

With 2023 behind us, I’m sure 2024 will not have all the same problems in privacy and security, but we’ll see.