Re: [perpass] privacy implications of UUIDs for IoT devices

Ross Schulman <ross@rbs.io> Fri, 14 October 2016 15:28 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/perpass/7f7XhFSLJHNiDfR9pJMWDe22654>

In fairness, the vast majority of people have no such need "at home". I
would wager that 99.9% of people who use networked devices on a daily
basis have no idea what a MAC address is, would be at least somewhat
concerned that that sort of consistent data was leaking from them
constantly, and have no need to take an inventory of devices on a
network, nor any idea how they would do that even if they wanted to.

That "feature" is one that only a small portion of people (consisting of
many people on this list, granted) find important and IMO is outweighed
by the privacy and security implications.

-Ross Schulman

On Fri, Oct 14, 2016, at 11:18 AM, Christian Huitema wrote:
> The MAC address issue is situational. When a device is moving, you want
> it not tracked, and you want the MAC random. At home, you don't care
> about the device privacy, and you want an easy way to do an inventory of
> what is on the network.
> 
> -- Christian Huitema 
> 
> > On Oct 14, 2016, at 8:07 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> > 
> > 
> > 
> >> On 14/10/16 15:55, Paul Kyzivat wrote:
> >> 
> >> When looking at devices seen on WiFi the vendor ID is often displayed
> >> and used to figure out which device is which, to correlate problem
> >> symptoms with likely causes, and many other reasons.
> > 
> > How often? Compared to how often those are uselessly sent?
> > (With the privacy downsides applying in all cases.)
> > 
> > I'm not saying that the "I need to debug stuff" arguments
> > for access to information are baseless, but I do think we
> > (techies) to better consider the privacy implications of
> > things like that.
> > 
> > S.
> > 
> > _______________________________________________
> > perpass mailing list
> > perpass@ietf.org
> > https://www.ietf.org/mailman/listinfo/perpass