Identity Leaks

I'm back home for a short weekend after a very fruitful tour across  California and British Columbia. Among Vancouver meetings was UPF - the UnPlug Fest, a very successful serial event which gathers all sorts of companies implementing Bluetooth products, cross-testing them for interoperability before they hit the market. UPFs are the reason why Bluetooth products can claim real interoperability. It is also a place where many interesting discussions happen.

Automotive head units are significant part of Bluetooth interoperability tests today, as are mobile phones. After all each vendor wants to make sure any phone connects to any car without any problems. Which usually is the case now.

There is one aspect of the traditional electronic gear makers (e.g., autos and cameras - more on the latter next week) that bothers me. They are so behind the curve catching up with the latest digital developments, security and privacy included. Privacy (or lack of it) is one area where this lagging state is clearly exposed.

Every car I rent today has a history of previous owners, as it memorizes the details of previously paired phones. And when attempting to pair, they want you to allow access to messages and address book and call history. They download all that stuff, which remains in the non volatile memory after the car is returned. Cars also typically advertise themselves (a Bluetooth term) using static MAC addresses, so it is very easy to track them with very simple Bluetooth scanners. Bluetooth specifications have many modes that significantly improve privacy, such as non-resolvable or resolvable random addresses, but the auto guys don't bother using them.

That is not to say the leading computer companies are not to blame. Some time ago I had an argument with product people at Apple who very strongly argued why they would never allow iPhones advertise with any static data, so the user could not be traced. Nice mindset. Until you realize all they tell you is false when you turn on the Airdrop feature, which (too) many people do. Ever wondered in an airport lounge who are the people around you? Just scan for airdrop advertisements... (see the attached screenshot).

I think it is time for vendors to realize that privacy is important and it is easy to prevent identity leaks, as long as you think about them for a moment. It is not a technology problem. It is a product design problem, relatively easy to fix. But product people must get serious about it.