
Introducing the ‘right to eavesdrop on your things’ - henrycg
http://www.politico.com/agenda/story/2015/06/internet-of-things-privacy-concerns-000107
======
userbinator
_Encryption is a great way to protect against eavesdropping from bad guys. But
when it stops the devices’ actual owners from listening in to make sure the
device isn’t tattling on them, the effect is anti-consumer._

That reminds me of a comment from when smart TVs were discovered to be sending
filenames and other info, since it was sent in plaintext: "If they had used
HTTPS, this might not have been discovered."

The most important thing to realise is that security can work for you, and it
can also work against you. It's not only a "right to eavesdrop", but users
will need to maintain _control_ over their devices if they want the former.
This is somewhat related to the War on General Purpose Computing, and what I
think is the biggest dilemma is that users need to have a certain level of
knowledge in order to understand what their devices are doing and control
them; but many don't want to; they only see the advantages and don't care
about how something works, whether it "phones home" or what kind of data it's
sending, as long as it makes something in their lives easier.

News stories about how smart TVs phone home have circulated, and yet AFAIK
people are still buying them in great quantities. They just don't care. They
are outraged and shocked when the news appears, but shortly afterwards they
carry on as if nothing happened. That, I think, is the scariest part.

~~~
Sir_Substance
>what I think is the biggest dilemma is that users need to have a certain
level of knowledge in order to understand what their devices are doing and
control them; but many don't want to; they only see the advantages and don't
care about how something works

This is why regulation is important. Most people don't care what their phone
tattles about them to their provider. Similarly, most people don't read the
ingredient list on their food.

But the ingredient list /has/ to be there, by regulation, and because it is,
small numbers of people can post analysis that guides the entire population.

We need similar regulation over computerized devices, and that's everything
from desktop computers through phones to self-driving cars and smart fire
alarms.

~~~
bcg1
Precisely. Especially as these devices start making important legal and
philosophical choices... such as the self driving car that needs to choose
between swerving and hitting an elderly person on the sidewalk vs. running
over a child that has darted out into the road. We HAVE to be able to know
what kind of programming these things have if we are to maintain any semblance
of humanity and morality.

------
kijin
1. The title gives the wrong impression. It might be better to phrase it as
"right to eavesdrop on _(my|your) own_ things".

2. I'm not sure that communication transparency is what led to the success of
PCs, smartphones, and the Web. Perhaps the Web, but definitely not
smartphones. People had to fight tooth and nail for the right to root or
jailbreak their own phones!

3. How do you add the ability to eavesdrop on a device without compromising
TLS or adding a remote back door that anyone could exploit? The only way that
I can think of, and the only way that this has traditionally been done with
PCs, is to give local root to the owner.

If the owner has root, then he can make the device trust his own certificate
and proceed to MITM it with his own router. But an owner with root can also
modify the device's "firmware" to make it behave in ways that the manufacturer
never intended, and manufacturers will do everything in their power to prevent
this. Nobody wants to admit that they're actually selling general-purpose
computers.

If the manufacturers are not going to cooperate (and I don't think they will),
then perhaps what needs to happen is that we should start rooting/jailbreaking
every smart device we can get our hands on, and thereby force them to be
transparent. It can't be that difficult, after all. Where are all the clever
folks who helped root and jailbreak our phones? Let's send them some TVs to
play with, warranties be damned. Perfect security doesn't exist, and we can
use that fact to our advantage.

~~~
keithwinstein
(Author here.) Our thinking is that the protocol would enable a _read-only_
monitor, which would be able to see the plaintext but not modify it without
detection. As the article says, this is what it would take to build a good
IDS/IPS for your things -- something that can audit the communications and
make sure what's going in and out matches what you should expect.

We're _not_ proposing that the IDS/IPS should necessarily be able to MITM the
connections. Then you're just putting all your trust into the IDS/IPS and
making it the single point of vulnerability (just like the device is now). But
if you have a construction that lets you build a read-only IDS/IPS, then you
could in theory buy 100 of them from different manufacturers and have them all
audit each other.

One straw-man way to do this would be to run a stream of "integrity-only TLS"
inside normal TLS. The outer TLS would allow the owner to install their own CA
root certificate on the Thing. The inner TLS would be pinned to the public key
of the cloud provider. The IDS/IPS would MITM the outer connection and would
be able to read the inner stream, but the MAC on the inner stream would
prevent tampering by the IDS/IPS.

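As an added illustration of the layered "integrity-only TLS inside normal TLS" construction sketched in the comment above (this is example code written for this page, not code from the article or from the commenter), here is a toy model of the three parties. The outer layer stands in for the encrypting TLS session that the owner's IDS can terminate because the owner installed their own CA root on the Thing; the inner layer stands in for a MAC-only stream keyed with a secret the IDS never holds (the stream pinned to the cloud provider's key). The keystream cipher, the keys, the message, and the `filename=` policy check are all constructed for the example and are not a real TLS implementation.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32    # HMAC-SHA256 output length
NONCE_LEN = 12
SEQ_LEN = 8


# --- Outer layer: toy stand-in for an ordinary encrypt-and-authenticate TLS record.
# A keystream is derived from HMAC-SHA256 in counter mode and XORed into the data,
# then an HMAC tag covers nonce||ciphertext. Whoever holds the outer key can read
# and rewrite this layer, which is exactly the position the owner's IDS is in.
def _keystream(key, nonce, length):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def outer_seal(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def outer_open(key, record):
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("outer record failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- Inner layer: integrity-only stream. No encryption, just a sequence number and
# an HMAC under a key shared only by the Thing and the cloud. A monitor that reads
# the plaintext cannot alter, replay, or reorder it without the cloud noticing.
def inner_seal(key, seq, plaintext):
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + plaintext, hashlib.sha256).digest()
    return header + plaintext + tag


def inner_open(key, expected_seq, record):
    header, body, tag = record[:SEQ_LEN], record[SEQ_LEN:-TAG_LEN], record[-TAG_LEN:]
    if struct.unpack(">Q", header)[0] != expected_seq:
        raise ValueError("inner sequence mismatch (replay or reorder)")
    if not hmac.compare_digest(tag, hmac.new(key, header + body, hashlib.sha256).digest()):
        raise ValueError("inner record failed integrity check")
    return body


def ids_inspect(plaintext):
    """Constructed policy check the owner's read-only monitor runs on the plaintext."""
    alerts = []
    if b"filename=" in plaintext:
        alerts.append("device is reporting local filenames")
    return alerts


def run_exchange(message, ids_tampers=False):
    """Thing -> IDS -> cloud. Returns what the IDS saw and whether the cloud accepted."""
    k_inner = os.urandom(32)       # pinned Thing <-> cloud secret; the IDS never has it
    k_thing_ids = os.urandom(32)   # outer session Thing <-> IDS (owner's CA terminates here)
    k_ids_cloud = os.urandom(32)   # outer session IDS <-> cloud

    # Thing: integrity-only inner record, wrapped in the encrypting outer record.
    wire_to_ids = outer_seal(k_thing_ids, inner_seal(k_inner, 0, message))

    # IDS: terminates the outer layer, reads and audits the inner plaintext,
    # then re-wraps the inner record unchanged for the cloud.
    inner_record = outer_open(k_thing_ids, wire_to_ids)
    seen = inner_record[SEQ_LEN:-TAG_LEN]
    alerts = ids_inspect(seen)
    if ids_tampers:  # a misbehaving monitor flips one plaintext byte
        inner_record = inner_record[:SEQ_LEN] + bytes([seen[0] ^ 1]) + seen[1:] + inner_record[-TAG_LEN:]
    wire_to_cloud = outer_seal(k_ids_cloud, inner_record)

    # Cloud: opens its outer session, then verifies the pinned inner MAC.
    try:
        delivered = inner_open(k_inner, 0, outer_open(k_ids_cloud, wire_to_cloud))
        accepted = True
    except ValueError:
        delivered, accepted = None, False
    return {"ids_saw": seen, "alerts": alerts, "cloud_accepted": accepted, "delivered": delivered}


if __name__ == "__main__":
    msg = b"event=play&filename=home_video_01.mp4"   # constructed sample telemetry
    print(run_exchange(msg))
    print(run_exchange(msg, ids_tampers=True))
```

The point the model makes concrete is the trust split: the monitor's outer key lets it see every byte the Thing sends, but because the inner tag is keyed with a secret the monitor does not hold, any edit it makes is rejected at the cloud. Several independent monitors can be chained the same way, each terminating its own outer session, and none of them gains the ability to forge the inner stream.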
~~~
kijin
That's an interesting proposal, but I'm concerned that it sounds a bit like
intentionally crippling TLS. Historically, TLS has had all sorts of subtle
bugs that could bite you in the ass unless you did things just right. It will
take a lot of time and effort to demonstrate that the layered protocol you
propose is no less secure than vanilla TLS.

I'm also not sure whether it's a good idea to make it so easy for typical
users to add their own CA certificates to smart devices. Such a facility could
be easily subverted by criminals and governments to eavesdrop on a large
number of users. (Remember when people would XSS themselves on Facebook by
pasting crap into their browser console?)

It's just as impossible to open a backdoor for the owner and nobody else as it
is to open a backdoor for the FBI and nobody else. So I think there's some
value in making it difficult to eavesdrop on your own devices. Perhaps it
really should require taking off the cover and attaching a serial console.

------
walterbell
Could this be implemented as a user-owned SSL mitm proxy and deep-packet
inspection engine which is accessed by a VPN from all your interactive
devices? Low-power home IoT devices would already be inside the VPN.

~~~
bcg1
I think that's what the author was getting at with the iPhone example... users
installed their own root certificates to run a mitm on their device.

The point they were making about embedded devices is that you can't update the
certificate being used.

------
AgentME
Seems like arguing for open source software on devices would cut closer and
more directly for the point they're trying to make.

~~~
marcosdumay
The problem is tivoisation. Open source is related, but not the same thing.

------
eterm
The UK already has these rights and more:

[https://www.gov.uk/data-protection/find-out-what-data-an-org...](https://www.gov.uk/data-protection/find-out-what-data-an-organisation-has-about-you)

[https://www.gov.uk/data-protection/the-data-protection-act](https://www.gov.uk/data-protection/the-data-protection-act)

~~~
nl
That's not the same thing at all. A company can easily keep non-personally
identifiable information about you and never have to release that information.

This is about device to device communication, not information storage.

------
x5n1
There should be a law against this sort of behavior from devices.

