Data protection Internet surveillance Privacy Security

Correcting the panoptic vision

Data retention – those laws requiring providers to retain communications metadata – has come under attack again from the CJEU. After a chain of legislation fell foul of data protection laws over the decades, the latest and greatest, the Investigatory Powers Act, is now on very thin ice.

The punchline in Case C‑623/17 was twofold. First, the court determined that “national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security” falls under data protection legislation. And second, it found that the legislation precludes “national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.”

Mind you, given the government’s actions of late, including enacting legislation which is technically illegal, one wonders what difference it will make. Throwing Brexit into the mix may not actually help Them out here because, unless changes are made, this will greatly affect the UK’s ability to transfer personal data as a third country to the EU. Perhaps Schrems, the destroyer of Safe Harbor and Privacy Shield, will turn his attention on the UK!

Internet surveillance Privacy

US now wants your Facebook details when you visit

Lots of chatter today that the US now requires “nearly all applicants for U.S. visas to submit their social media usernames, previous email addresses and phone numbers”. (1) Essentially it requires visitors to give their social media information, phone numbers and e-mail addresses for the past 5 years.

The BBC carried a bit about this back in 2017 (2) which also stated that critics considered that checking up on these “could lead to extended, fruitless lines of inquiry or the collection of personal information not relevant to security checks”. Well, yeah, and I would need several continuation sheets to fill all my information in over that period.

A quick trawl through the visa waiver website suggests (a) that it is out of date because it does not indicate the requirement is now absolute and (b) clearly they will use this information to check up on you i.e. if your Facebook page marks you out as undesirable you’re out of luck. I did not delve further.

So your social media profile may now exclude you from entry. Of course, no undesirable type is capable of creating a fake Facebook profile are they…

So, is a blog social media? I’d argue not, yet I know this blog is spidered by Google (other spiders are available) regularly!

1 –

2 –

Internet surveillance Privacy

The ongoing fight against encryption

Once again there are calls to regulate the Internet and ongoing discussions on forcing providers to install back doors in encryption products, especially those offering end-to-end encryption. Once more mention is made of these evil dark spaces in the Internet. But I wonder if they have stopped to think in real-world terms? I mean, we can have these same ‘dark spaces’ formed simply by people meeting behind closed doors. Perhaps the next step is to be able to monitor speech regardless of the communications path? These dark spaces (rooms with curtains and closed doors, for example) are no different really to those created by the Internet, except of course people meet face to face. Now, if the argument is that where people physically meet they can be surveilled, it fails to address the fact that the same targeted surveillance can be applied to the Internet. If you are surveilling someone anyway then why are you not already tapping their communications and why have you not installed a key logger to bypass any attempts at encryption?

As to defeating encryption it is surely too late. It is also surely pointless. Governments may well force providers to install back doors and once known anyone that still wants to remain private will move elsewhere, perhaps to use Tor nodes in jurisdictions that refuse to comply with these backdoor requirements, or perhaps to use their own software to provide end-to-end encryption. Or even to use the good old one-time pad.

I wonder what the logical progression is here. I can imagine the thought that if they can coerce providers to install backdoors into all encryption products, then what cannot subsequently be decrypted must be some nefarious hacker or terrorist and can therefore be blocked. But even so, you cannot get past the fact that pre-arranged wordings can be transmitted in clear text and you will only find the meaning by other methods of surveillance, like acquiring codebooks. And we’re back to the fact that if you can do that then surely you can install a key logger anyway!

Data protection Internet surveillance Privacy

Weaknesses in MAC address randomisation

Typical networked devices, including the ubiquitous smartphone, have a now well-known address – the IP address used to route information across the Internet. But there is another, less well-known address which can be far more revealing of the actual device. This is the MAC (Media Access Control) address. Where the IP address is needed to enable end-to-end communication across the Internet, the MAC address deals with physically addressing devices on the local network. Unlike the IP address, which is stamped on every packet of data, the MAC address does not bother with such things. It is a low-level address, in Layer 2 of the OSI model, or in the physical layer in IP terms. It deals with moving data – whatever that may be – between connected things. Examples include your smart TV and home router, or your smartphone and a wifi hub. Your smartphone passes data to the wifi hub using the wifi hub’s MAC address and vice versa. The wifi hub in turn passes the data onwards to, say, your home router using the home router’s MAC address and vice versa. And so on.

MAC addresses are 48-bit addresses broken into two parts. The first 3 bytes (24 bits) are known as the Organisationally Unique Identifier (OUI) and companies purchase and register these with the controlling body, the Institute of Electrical and Electronics Engineers (IEEE). The second half is a unique serial number assigned to a Network Interface Card (NIC) (or most probably these days a chip, not an actual card).

MAC addresses were designed to be globally unique, but the first byte contains a one-bit flag to indicate if the address truly is global, or local. Local addresses are by definition not globally unique. A second type of identifier, the Company ID, is formed from the same first 3 bytes but with the flag set to local.

Now, the first part of the problem is that these first three bytes identify the manufacturer or company, so you can see how a MAC address can be used in a useful way by a surveilling agency. Even with such generic data, when faced with a room full of Android owners the one iPhone owner will stick out.

But there is a far more major issue. Although these MAC addresses are meaningless in wider Internet terms they are nonetheless supposed to be globally unique. And there is the issue. Were a global adversary able to inspect everything in the Internet looking for MAC addresses then a device, a smartphone say, could be traced across the planet.

To get round this issue operating systems can randomise the MAC address. This was intended as a privacy enhancing technique but unfortunately researchers have discovered multiple flaws in the various randomisation techniques used by system makers which enabled them to defeat the randomisation of MAC addresses in 96% of Android phones. They took their work further to examine an attack method which can identify the global MAC address of a device even when it is in a randomised state.
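The address layout and the global/local flag described above can be checked directly on addresses seen on your own network. The following is an added example, not part of the original post: the function names and the sample addresses are constructed for illustration, and it splits each address into OUI and serial, reads the flag bits of the first byte, and reports which devices are still showing a globally unique address.

```python
import re
from collections import Counter

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")

def parse_mac(text):
    """Return the six octets of a MAC written as aa:bb:cc:dd:ee:ff or aa-bb-..."""
    text = text.strip()
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text))

def describe(text):
    octets = parse_mac(text)
    first = octets[0]
    return {
        "mac": octets.hex(":"),
        "oui": octets[:3].hex(":"),     # first 3 bytes: registered prefix
        "serial": octets[3:].hex(":"),  # last 3 bytes: per-interface serial
        "local": bool(first & 0x02),    # flag set: locally administered, not global
        "group": bool(first & 0x01),    # flag set: multicast/broadcast, not a device
    }

def audit(observed):
    """Separate addresses exposing a global identifier from local ones.

    A set local flag only says the address is not a globally unique one;
    it does not prove the device randomises well, or at all.
    """
    exposed, local = [], []
    for mac in observed:
        info = describe(mac)
        if info["group"]:
            continue
        (local if info["local"] else exposed).append(info)
    prefixes = Counter(info["oui"] for info in exposed)
    return exposed, local, prefixes

# Constructed sample: source addresses as they might appear in a capture.
SAMPLE = ["00:11:22:33:44:55", "3a:5f:01:9c:2e:77", "01:00:5e:00:00:fb",
          "00-11-22-AA-BB-CC", "f4:0e:01:12:34:56"]

if __name__ == "__main__":
    exposed, local, prefixes = audit(SAMPLE)
    for info in exposed:
        print("global address visible:", info["mac"], "prefix", info["oui"])
    print(len(local), "locally administered;", dict(prefixes))
```

Devices listed as exposing a global address are the ones whose manufacturer prefix and serial can be followed from network to network.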


See also and