Breaking compartmentalization through sync, shared identities, etc

Discussion in 'privacy general' started by TheWindBringeth, Apr 2, 2014.

Thread Status:
Not open for further replies.
  1. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    The other day I found myself thinking about the risks posed by sync features. It is convenient to have configuration settings, etc automatically synchronized across devices so that you have the same experience on each of them. However, sync features...

    1) May transfer unique identifiers... cookies, advertising IDs, and/or other GUIDs... across devices. Which would make you vulnerable to cross-device tracking and profiling. If your use of those devices would reveal the same information (example: syncing across two non-mobile devices you use in the same way over the same Internet connection), this might not be a problem. However, if your use of those devices would reveal different information (example: syncing across one desktop and one mobile where there is different types of location tracking, other sensor readings, usage patterns), this might be a big problem. Which could grow larger as we add different devices to the sync mix (example: adding a work related device, or Smart TV, or automobile system, whatever).

    2) Many use sync servers run by others and the syncing mechanism involves each device logging into the same account. Having two devices tied to the same foreign account is bad, but to make matters worse, some of these common accounts are also private messaging accounts and/or marketplace accounts that end up being tied to solid personal information. At least some of these sync mechanisms probably aren't using proper, 100% client-side encryption/decryption mechanisms that reliably protect the synced information from the sync server operator. There is a potential for these aspects to make the consequences of syncing much worse.

    Then today I came across some reports about Microsoft's "Universal Apps" and "shared app identities". A surface glimpse, alone, being enough to make me think again of the cross-device tracking and profiling problem.

    We know, through company statements and media reports, that this is a high priority for the advertising industry, the big tech companies that data mine their users activities, etc. They want to be able to collect and correlate info from every device we use and every aspect of our lives. So we need to watch our backs.

    Although I'm "preaching to the choir" here, I wanted to post something about this. Perhaps it will encourage a visitor to think about the subject and take some steps to increase, rather than decrease, their device/usage compartmentalization and shift towards *private* (sync|cloud|other) servers.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Well then, it's also necessary to compartmentalize syncing :)

    To use syncing at all, I think that it's necessary to compartmentalize on different hardware.
     
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    That has an odd ring to it, but I think we could put it that way.

    What do you mean by this?
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    When I wrote "compartmentalize on different hardware" I was mostly thinking about smartphones. I can't imagine keeping mirimir and my true identity compartmentalized on one smartphone. I don't even do that one one computer, and those computers are on different vLANs ;)

    But it's important even for people who don't use multiple identities. You want your work phone, tablet and office computer on one sync channel, and your private stuff on another. If compartmentalization comes down to different browser profiles, that's weak.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    OK, we're on the same page there.

    I'm fine with NOT syncing work devices with personal devices and would generally encourage that. Assuming it doesn't adversely affect others, I'm also OK with an individual evaluating things and deciding to sync all their work devices together, and separately, sync all their personal devices together. It's the "user hasn't evaluated things properly, including from the POV of others" scenarios that concern me. Even in the work context to some extent, for some companies use and expose their employees to outside services.

    I agree. Which isn't to say that such limited forms can't be of some benefit in certain contexts.
     
Loading...
Thread Status:
Not open for further replies.