Loosing your moko
david at electric-spoon.com
Wed Apr 9 17:15:56 CEST 2008
On Wed, April 9, 2008 2:39 pm, Sebastian Billaudelle wrote:
> Yes, I think a "normal" hijacker has no skills to flash the image -
> it is unusual with normal phones. I think nearly all of them don't
> know about a function like the one we are discussing here. But I
> think there is another problem: I don't know if it is legal to track
> the position of a person without his/her permission - even if he/she
> has stolen my phone... Will the cops be allowed to use this information?
> There are lots of crazy laws... Is a lawyer here on this list?
I am not a lawyer; this is my amateur analysis:
As I see it, there are three issues to contend with:
1. Is it legal or ethical for openmoko to keep a database of where
users are and have been without their explicit consent?
2. In what circumstances should law enforcement be granted access to
the database of where users are?
3. In what circumstances should the owner of a phone be able to tell
where it is?
The first issue is about big scary companies keeping Big Brother-like
databases on all their users. We all tend to think of openmoko as a
friendly community effort with no ill intent, but pretend for a moment
that the phone comes from someone big and scary like Microsoft or
Verizon. Would you be happy about them tracking you by default? Over the
years some tech publications like www.theregister.co.uk have published
scandals and trade conspiracies to reduce consumer choice, invade
privacy and create vendor lock-in. I dare say they would have bad
things to say about this plan unless strong safeguards are built in, and
we find a way to make this off by default (but still trap anyone who
re-flashes the phone).
My solution to the privacy problem is this: In the box with a new phone
is a card explaining how to create an account with the location DB. The
user would normally set up an account with that DB. If they are paranoid
about privacy, they can throw away the card without doing anything. In
normal operation, the phone contacts the location DB from time to time
with its serial number and current position; however, if the phone's
owner has not registered, the DB informs the phone that it is not
registered. The phone will store that setting in non-volatile memory,
and will never contact the location DB again. That way, for users who
are concerned about their privacy, or who just don't read the
instructions, only one location will ever be released. If the user
later changes their mind, the DB registration site will have
instructions on how to manually flip the "send locations" parameter
back to true, via a deeply hidden menu or config file. If someone
re-flashes the phone, then the parameter will be automatically reset.
If it is stolen, the rightful owner would have to quickly register with
the DB before the phone is re-flashed.
The second issue is about law enforcement access to the database. If a
bad guy such as a drug dealer is using an openmoko equipped phone, then
the police might legitimately want access to the database to find out
where they have been. Likewise, if there has been a serious crime such as
a murder, then the police would want to know who was at the crime scene
during the crime. I think that most community members would agree that
a request for information in these circumstances should be granted. On
the other hand, many people are concerned about warrantless wiretaps in
the United States at the moment, and worry that the police might make
big dragnet-like requests to invade privacy. For example, issuing
speeding tickets automatically if the DB showed that you were moving
faster than the posted limit. In some circumstances the owner of the
phone might want access to the database to prove their innocence, for
example to establish an alibi, or to prove that they were not
I would suggest that a good compromise would be for the DB admin to
give out to the police information about the movements of any specific
user, or all users who were in a specified area for a specified period
of time, if the request is made by the registered owner or a suitably
senior police officer or judge. There is a problem that some law
enforcement agencies might try to bypass any privacy rules we set up,
and try to get a court order for the entire database. To prevent this
we should set up the database in a country with strong privacy laws, and
a strong tradition of police who obey the rule of law. We need to make
sure that the DB admins are based in that country, and that no one else
has root access to the DB, especially anyone based in a country with
weak privacy laws or oppressive law enforcement. I think Germany might
be a good choice for that.
The third issue is about the owner of the phone tracking the person who
is currently in possession of it. In this discussion people are talking
about having their phone stolen, looking up its location, and then
forwarding that location to the police. Or perhaps losing their phone,
and using the database to find out where they left it. However, we also
need to consider the privacy implications of employers tracking their
staff, spouses tracking each other if they suspect infidelity, and
parents tracking their children or elderly relatives. An openmoko
owner could easily turn on tracking, and then give the phone to someone
they wish to track without telling them that they will be tracked. This
would be illegal in a lot of places. Obviously there is nothing to stop
someone writing their own program to do that, but I think openmoko
should be careful to ensure that the out-of-the-box tracking software
is legal and has appropriate safeguards.
Unfortunately, I don't think that there is one global solution to this,
as individual privacy laws vary a lot from country to country. Perhaps
the best solution is to gather the data (if the user registers), but
only to allow the owner access to it if the phone is in a country where
such tracking is allowed. Even if tracking is not allowed, we would
still allow police access in case of theft. To avoid tracking people
without their knowledge, there should be a pop-up at random intervals
(every few days) reminding users that they are being tracked. That way
it would be hard for someone to covertly track another person. The
pop-up could be disabled if a "stolen" flag is set in the central DB
(via a request from the police).
That is my view.
Error compiling committee.c To many arguments to function.
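The opt-in check-in handshake, the non-volatile "send locations" flag, the owner/police access rule and the stolen-flag reminder suppression proposed in the post above, modelled together as an added example. This is not code from the post or from the Openmoko project; the serials, the requester roles, the bounding-box area query and the choice to drop an unregistered phone's single check-in on the server side are all assumptions made for the illustration, and the random-interval pop-up is reduced to a per-check-in "show reminder" result.

```python
from dataclasses import dataclass, field

# All serials, roles and coordinates below are constructed sample values.


@dataclass
class LocationDB:
    registered: set = field(default_factory=set)   # serials with an owner account
    stolen: set = field(default_factory=set)       # serials flagged stolen by police request
    history: dict = field(default_factory=dict)    # serial -> [(t, lat, lon), ...]

    def register(self, serial):
        self.registered.add(serial)

    def flag_stolen(self, serial):
        # Per the post, this flag is set only via a request from the police.
        self.stolen.add(serial)

    def report(self, serial, t, lat, lon):
        """Handle one phone check-in; returns (registered, stolen).
        Assumption: positions from unregistered phones are discarded here,
        so the single check-in such a phone ever makes leaves nothing behind."""
        if serial not in self.registered:
            return False, False
        self.history.setdefault(serial, []).append((t, lat, lon))
        return True, serial in self.stolen

    def _authorize(self, requester, serial):
        role, who = requester
        if role in ("senior_officer", "judge"):
            return
        if role == "owner" and who == serial:
            return
        raise PermissionError(f"{role} {who!r} may not read data for {serial}")

    def movements(self, requester, serial):
        """Movement history of one phone: the registered owner, a senior
        officer or a judge may ask; anyone else is refused."""
        self._authorize(requester, serial)
        return list(self.history.get(serial, []))

    def users_in_area(self, requester, bbox, t0, t1):
        """Serials seen inside bbox=(lat0, lon0, lat1, lon1) during [t0, t1].
        Area queries are limited to senior officers and judges."""
        if requester[0] not in ("senior_officer", "judge"):
            raise PermissionError("area queries require a senior officer or judge")
        lat0, lon0, lat1, lon1 = bbox
        hits = set()
        for serial, points in self.history.items():
            for t, lat, lon in points:
                if t0 <= t <= t1 and lat0 <= lat <= lat1 and lon0 <= lon <= lon1:
                    hits.add(serial)
                    break
        return hits


@dataclass
class Phone:
    serial: str
    db: LocationDB
    nvram: dict = field(default_factory=lambda: {"send_locations": True})
    sent: int = 0   # how many positions have actually left the phone

    def check_in(self, t, lat, lon):
        """Periodic check-in. Returns True if the 'you are being tracked'
        reminder should be shown, False if it is suppressed by the stolen
        flag, and None if the phone did not report at all."""
        if not self.nvram["send_locations"]:
            return None
        self.sent += 1
        registered, stolen = self.db.report(self.serial, t, lat, lon)
        if not registered:
            # Persisted setting: survives reboots, cleared only by a reflash
            # or by the hidden menu / config file.
            self.nvram["send_locations"] = False
            return None
        return not stolen

    def reflash(self):
        self.nvram = {"send_locations": True}

    def hidden_menu_enable(self):
        self.nvram["send_locations"] = True


def demo():
    """One registered and one unregistered phone checking in three times."""
    db = LocationDB()
    db.register("MOKO-001")
    registered = Phone("MOKO-001", db)
    unregistered = Phone("MOKO-002", db)
    for t in range(3):
        registered.check_in(t, 52.50 + t * 0.01, 13.40)
        unregistered.check_in(t, 48.10, 11.60)
    return db, registered, unregistered


if __name__ == "__main__":
    db, reg, unreg = demo()
    print("registered phone sent", reg.sent, "positions; unregistered sent", unreg.sent)
```

Running `demo()` shows the property the post relies on: the unregistered phone transmits exactly one position and then goes silent until it is re-flashed, while the registered phone keeps reporting. The access checks are deliberately the narrowest reading of the post's rule (owner for their own serial, senior officer or judge for anything); a real deployment would also log every query so the DB admins can be audited.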