Re: [perpass] privacy implications of UUIDs for IoT devices

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 14 October 2016 15:07 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1D52129760 for <perpass@ietfa.amsl.com>; Fri, 14 Oct 2016 08:07:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.297
X-Spam-Level:
X-Spam-Status: No, score=-7.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iNIbX7cPPCOt for <perpass@ietfa.amsl.com>; Fri, 14 Oct 2016 08:07:06 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 277DD12982B for <perpass@ietf.org>; Fri, 14 Oct 2016 08:07:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 7B989BE2C; Fri, 14 Oct 2016 16:07:04 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KUdh3hhxPPj1; Fri, 14 Oct 2016 16:07:04 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id EA38FBDF9; Fri, 14 Oct 2016 16:07:03 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476457624; bh=gmPVX8pOzhgiN3V5DBul1vH2Ke+k/wdnoicrLaYAE0E=; h=Subject:To:References:From:Date:In-Reply-To:From; b=YTcagyNKktdW9Z51njcQAXLrJUWIlFzPcZ1uoG1MvWFTCsPeiO1MurSSsarl2QUqY Xo90aUttV1tTp+6eNhF9h9+59AOhOjPLuHHbUxVd4/1qVMs2J6m3Blm6g729IbFvxI CVfMrJKfoyxYX2KTfteTIw7LDFefYRtdBICFwtJM=
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, perpass@ietf.org
References: <5c32e81f-7e43-2bde-b8f4-46f08fecdefb@cs.tcd.ie> <db516334-43ab-e967-cfd5-87d920b65015@filament.com> <CAKr6gn2EjAwqvTXgNyO0Jc3yt9qFRfixXMURHg3wQLe4FcwWWQ@mail.gmail.com> <CY1PR03MB2265659F67817DF02F3FCF29A3C70@CY1PR03MB2265.namprd03.prod.outlook.com> <61bb307c-6186-db01-1664-6ecabc9c21a3@si6networks.com> <c0b89950-268e-a350-cbee-33c35cf92c2d@alum.mit.edu>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <539e53e5-12fe-2226-f490-b7fd5b61a4d9@cs.tcd.ie>
Date: Fri, 14 Oct 2016 16:07:03 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <c0b89950-268e-a350-cbee-33c35cf92c2d@alum.mit.edu>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms080009050402090808090600"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perpass/EjwcIK2v7XClxKnRNowb-fr4p9I>
Subject: Re: [perpass] privacy implications of UUIDs for IoT devices
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 15:07:08 -0000


On 14/10/16 15:55, Paul Kyzivat wrote:
> 
> When looking at devices seen on WiFi the vendor ID is often displayed
> and used to figure out which device is which, to correlate problem
> symptoms with likely causes, and many other reasons.

How often? Compared to how often those are uselessly sent?
(With the privacy downsides applying in all cases.)

I'm not saying that the "I need to debug stuff" arguments
for access to information are baseless, but I do think we
(techies) to better consider the privacy implications of
things like that.

S.