Privacy issues in emerging tracking systems Mathieu Cunche INSA-Lyon/CITI Lab., INRIA-Privatics

September 10, 2013

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

1 / 21

Figure: Picture taken at Marne La Vall´ee - France.

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

2 / 21

Tracking systems

Features of a tracking system Count individuals Record movements Identify personal characteristics (age, sex, ...)

Existing technologies Video ”protection” (a.k.a. CCTV) Costly infrastructure, computationally intensive processing, not 100% reliable

Dedicated tracking device (GPS tracker, stalking apps, ...) Require cooperating individuals, accuracy depend on geoloc technology

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

3 / 21

Wi-Fi tracking I

Track individuals via their smartphone Smartphones equipped with Wi-Fi can be detected [ME12, BBQL13] Even if not connected to a network or idle

Totally passive and seamless Do not require cooperation nor app Impossible to detect

Estimated coverage: between 30% and 70% of population1 1

Euclid Technology

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

4 / 21

Chatty WiFi devices

Periodical WiFi probing Probe Request Frame: Is there any WiFi AP around ? Probing period < 1 minute

A perfect unique identifier: MAC address Present in each frame emitted by a device Uniquely allocated to a device Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

5 / 21

Wi-Fi tracking systems I

2

Sensor nodes collect signals emitted by Wi-Fi enabled devices Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

6 / 21

Wi-Fi tracking systems II

Collected information sent to a central server 2

Navizon

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

7 / 21

Real world applications I Wi-Fi tracking system already deployed

... and collecting huge amounts of data Euclid claims to have collected data of over 50 millions individuals in only few months ...

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

8 / 21

Real world applications II Road monitoring

Wi-Fi sensor deployed along the road Measure traffic density Detect traffic jam Estimate point-to-point travel time

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

9 / 21

Real world applications III Retail store monitoring

3

Track visitors of a retail store or shopping center Physical analytic: Web-analytics for the physical world Table: Analogy between Physical and Web analytics Website

Shopping center

Nb visitors Nb Page View First Visit Page View Duration Click Path

Nb customers Nb Shop visit First visit Shop visit duration Visit path

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

10 / 21

Real world applications IV Physical Targeted Advertisement The example of London’s Wi-Fi recycle bins

Detect and identify passerby using Wi-Fi (4M devices over a week) Display ads targeted to passerby profile Profile also physically acquired Wi-Fi tracking system deployed in a pub Build consumer profile (frequency and length of visits and even sex !) 3

Libelium

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

11 / 21

Privacy concerns

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

12 / 21

Privacy Concerns : MAC address I ” The MAC address does not disclose the device owner’s real-world identity nor does it contain any personal information.” - Euclid Technology ”The anonymous nature of this technique is due to the use of MAC addresses as identifiers. MAC addresses are not associated with any specific user account or mobile phone number not even to any specific vehicle.” - Libelium

MAC address : not a personal information ? A unique identifier Commonly harvested Mobile apps & profiling companies (see Mobilitics pres.)

Easy to get the MAC@ of an individual [Cun13]

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

13 / 21

Privacy Concerns : MAC address II

OK. MAC@ IS a private information. Let’s take some measures. Anonymize the MAC using a Hash function Store H(MAC @) instead of MAC@ Hash function hard/impossible to reverse

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

14 / 21

Privacy Concerns : MAC address III

Deanonimizing Hashed MAC@4 248 possible values: small enough for bruteforce Full space can be searched in 25 hours of computation

Smart deanonimization

Only 0.1% of MAC@ ranges are allocated Smartphones Wi-Fi interfaces represent an even smaller subset Most Hashed MAC@ can be reversed in seconds [Lev13]

Hash based anonymization of MAC@ is a joke ! 4

Master Internship - Levent Demir

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

15 / 21

Escaping the tracking

5

How to avoid being Wi-Fi tracked Use the Opt-Out mechanism provided by tracking companies Privacy-preserving protocols [LAD+ 09] Used disposable MAC adresses [Gru03] Geolocation-assisted service discovery [CKB13] Turn off Wi-Fi interface 5

The “phonekerchief”, a Faraday cage for smartphones.

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

16 / 21

Future of Wi-Fi tracking

What will be the next steps ?

Link physical identity (MAC@) with online profile and real identity

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

17 / 21

Research challenges

Practical solutions to prevent tracking Geofence-like mobile application Protocol and operating system update

Include PETs in Wi-Fi tracking Efficient anonymization Differential privacy

Study potential privacy breaches Infer even more information Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

18 / 21

Other applications

Surveillance & Spying Hacker have build Wi-Fi tracking systems [DG12, O’C13] Other have probably joined the party Intelligence professional and governemental organizations

A large scale tracking system Free/SFR/Orange = 20 millions boxes Wi-Fi enabled and connected to the Internet Covering populated areas

Smartphones as Wi-Fi sensors ... Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

19 / 21

Bibliography I Bram Bonne, Arno Barzan, Peter Quax, and Wim Lamotte. Wifipi: Involuntary tracking of visitors at mass events. In World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2013 IEEE 14th International Symposium and Workshops on a, pages 1–6, 2013. Mathieu Cunche, Mohamed-Ali Kaafar, and Roksana Boreli. Linking wireless devices using information contained in Wi-Fi probe requests. Pervasive and Mobile Computing, (0):–, 2013. Mathieu Cunche. I know your mac address: Targeted tracking of individual using wi-fi. In GreHack, 2013. Cuthbert Daniel and Wilkinson Glenn. Snoopy: Distributed tracking and profiling framework. In 44Con 2012, 2012. Marco Gruteser. Enhancing location privacy in wireless lan through disposable interface identifiers: a quantitative analysis. pages 46–55. ACM Press, 2003. Janne Lindqvist, Tuomas Aura, George Danezis, Teemu Koponen, Annu Myllyniemi, Jussi M¨ aki, and Michael Roe. Privacy-preserving 802.11 access-point discovery. In Proceedings of the second ACM conference on Wireless network security, WiSec ’09, pages 123–130, New York, NY, USA, 2009. ACM. Demir Levent. Wi-fi tracking : what about privacy ? Internship report, Grenoble University, 2013.

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

20 / 21

Bibliography II

A. B. M. Musa and Jakob Eriksson. Tracking unmodified smartphones using wi-fi monitors. In Proceedings of the 10th ACM Conference on Embedded Network Sensor Systems, SenSys ’12, pages 281–294, New York, NY, USA, 2012. ACM. Brendan O’Connor. CreepyDOL: Cheap, Distributed Stalking. In BlackHat, 2013.

Mathieu Cunche (INRIA-Privatics)

Privacy & tracking systems

September 10, 2013

21 / 21