Well even a completely trustable cell radio is tracked with tower triangulation. The only way I see to fix this is to completely rearchitect the mobile network by getting rid of subscriber IDs, using anonymous payments for tower access, and then a mix network for transit privacy. That is to say, location data is a wash for the foreseeable future.
Surreptitious microphones and other sensors are indeed still a problem, but they seem easy to audit/remove in the short term, and if this model catches on and they become a real threat, the physical audits just have to go deeper.
What you do gain is a processor that can be trusted by the user (in the same way we all trust Intel CPUs), with the Mifi only seeing encrypted communications. Also we've moved the demarc point solidly between two separate physical devices - upgrade your pocket computer without involving your cell provider, and replace your communications ability without affecting your user environment.
Well first you're assuming that those that created the system consider known identity to be a misfeature, even beyond that necessary for payments.
Trustable/trusted doesn't mean trustworthy in the sense of an individual citizen's expectation of privacy, it means that you have given the entity your private information, in trade for service and convenience.
The irony of old spy tradecraft is that we all possess hardware that could conceal in plain sight anything that previously had to be hidden completely, the existence of electronics or recording/transmitting ability (including film) would immediately indicate the role of the person as someone engaged in some kind of espionage. Now we can all carry sophisticated sensors and communication devices in most places, and all but cameras in many others.
What physical audit would tell you if the MEMS sensor in your device has been repurposed for audio pickup? (Assuming that the capability isn't already in the firmware, or that simple observation of the signal output (including power fluctuations) could reveal the same information to the microprocessor.)
The only case I'm aware of where the courts have blocked this kind of surveillance involved an OnStar vehicle system using an analog cellphone which could only serve its intended purpose or the government's, but not both simultaneously. This is not an issue with digital and IP-based systems, which can easily serve two masters.
Ah, your use of "trust" again, Intel CPUs have features that actively work against you, such as with vPRO. I would agree that a non-cellular PDA and Mifi are superior to an integrated device from a privacy and personal autonomy perspective.
> you're assuming that those that created the system consider known identity to be a misfeature
No, I'm just speaking from the perspective of system design, for what it would take to actually hide your location data - to put boundaries on the problem we're talking about.
> trusted ... means that you have given the entity your private information
Yes, which is why I used "trustable", which I'll admit isn't necessarily the best word either as I'm currently trusting my phone with call/text data, even knowing how broken it is. On the other hand, I personally don't have my phone set up to access my general files, because I simply don't feel that the thing in my pocket is actually my agent.
> physical audit would tell you if the MEMS sensor in your device has been repurposed for audio pickup
Well the point is that a Mifi (with untrusted baseband) shouldn't have these sensors.
> Intel CPUs have features that actively work against you, such as with vPRO.
And probably other ones that don't show up in marketing materials. Which is why I made an explicit parallel to trusting Intel CPUs to generally run the code we tell them, even if this isn't necessarily true. We have to define a boundary so that we can solve the problem we're talking about with a platonic ideal of a trustable CPU, while separately solving the problem of not having trustable CPUs.