Cell Phone Tracking, Data Creep, and Google (was "Cell Phone Bugging")

[David Farber <dave () farber net>]

Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: December 5, 2006 12:46:02 PM EST
To: dave () farber net
Cc: lauren () vortex com
Subject: Cell Phone Tracking, Data Creep, and Google (was "Cell Phone  
Bugging")


Dave,

The cell phone tracking situation (about which concerned observers
including myself have been raising the alarm for many years) is
an example of what I call "data creep" -- information collected
for one (often benign) purpose that ends up being used for other
(frequently not benign) purposes.

It would be difficult to justify the routine collection and storage
of the voice content of all telephone calls (though, this may have
become to a large extent technologically feasible, and in today's
political/intelligence environment is something you can be sure some
spooks and others might advocate -- so this is an issue of concern).

On the other hand, cell phone tracking data (as Phil Karn points
out) has always been routinely collected as part of the normal
operation of cellular systems.  The key question revolves around
what is done with that data after it has fulfilled its network
operation and any related billing functions.

The tendency in most organizations is to hold onto whatever data
they collect on the assumption that it might be useful down the line
(for R&D, legal protection, or other reasons).  After the data has
been gathered (and storing data is cheap these days) it becomes
available for potential internal and/or external abuses unless
specific steps (time-based deletion, anonymization, cryptographic
reduction, and so on) are employed that limit the abuse potential.

The organizations collecting the data don't usually have evil
purposes for that data in mind.  But by holding on to that data horde
when it's not legally required to do so (or when laws are passed
requiring data retention beyond reasonable short-term periods) the
abuse potential goes sky high from outsiders demanding access to
that data for their own ends.

We've seen this happen again and again with everything from cell
phone tracking data to supermarket loyalty cards to automatic toll
payment systems.  DOJ vs. Google is another example, demonstrating
how the mass of user data that Google (and other firms) have
collected (in Google's case for benign internal purposes) was and
will continue to be lusted over by all manner of government agencies
and other entities, all willing to use that data in ways that Google,
et al. did not intend and without their approval.  DOJ vs. Google was
only an initial round in this battle.

There are only two reasonable approaches to limiting these problems.
One is to pass and enforce laws that explicitly prohibit various
forms of data abuse.  Unfortunately, current trends are in exactly
the opposite direction, with government pushing for broad data
*retention* laws.

The other approach is for firms to take steps to minimize the
availability of data that can be easily abused in the first place
(e.g. http://www.vortex.com/google-privacy-initiative ) to the extent
legally permitted.

There should always be a balance between the needs of firms to
collect data, the desire of law enforcement and others to have
access to data for legitimate and reasonable purposes, and the
fundamental privacy rights of individuals.

We are failing to strike that balance today, with individual privacy
rights the big losers.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
   - International Open Internet Coalition - http://www.ioic.net
Founder, CIFIP
   - California Initiative For Internet Privacy - http://www.cifip.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

  - - -

> From: DV Henkel-Wallace <dvhw () talima com>
> Date: December 5, 2006 6:56:02 AM EST
...
> Somehow this tracking information has been immune to such controls
> and has been used in civil and criminal cases for years without any
> discussion.  Are phone taps ever legitimately used in purely civil
> cases (e.g. divorce cases) or misdemeanors (e.g. speeding)?
...


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/