Pages

Pages

Monday, June 16, 2014

Welcome to the "Age of Obfuscation" - with Apple as a major catalyst

Something I've expected to happen for a long time is starting to come true. Driven largely by growing global interest in privacy and security, we should expect an ever-greater number of technologies to try to hide or disguise ("obfuscate" - "render obscure, unclear, or unintelligible") both what they are, and what they're doing.

This goes beyond encryption of data, although that is an important part. Obfuscation does not just scramble the content of something, but either tries to hide its existence entirely, inserts random noise to make analytics unreliable, or pretends to be something else.

Obfuscation can be a deliberate action, or a side-effect of something else, such as a security technology, which then has collateral effects elsewhere. A lot of companies and services depend on monitoring and observing data - and are very "fragile" to their main data-source being switched-off or hidden.

Two things that Apple has done recently stand out:


  • iOS8 uses false WiFi IDs when looking for WiFi hotspots ("spoofing MAC addresses"). This means that your device's unique identity is not exposed when your phone/tablet does a scan for available hotspots. It reverts to the real MAC address only when you actually attempt to log onto one of them. This means that various businesses that use "broadcast" MACs will suffer from the obfuscation, for example tracking people walking through retail stores, or other less-salubrious forms of monitoring.
  • Also in iOS8 is something called App Extensions. This essentially allows one app to embed another mini-app. For example, a communications app might include a 3rd-party photo-editing capability, and the option to upload a snapshot from a video-call to another 3rd-party social network. This partly overcomes a longstanding Apple limitation on allowing apps to talk to each other - normally they run in closed silos. Android has something roughly similar too. This then also has some interesting obfuscation effects on the network - it makes defining data traffic "belonging to an app" even harder than it is already. Operator's DPI systems might be able to spot the 3rd-party app-in-app doing something with data, but it will become very hard to correctly allocate it, from the user's perspective. If you sell "$5/month Facebook access", then you have to expect Facebook to use all manner of mashups and integrations either on server or the device. 
 (The latter example is something I discuss in the context of "app-based charging" practical limitations, in my new report on mobile broadband business models).

Other examples of obfuscation are also appearing.

Google seems to be succeeding in getting its SPDY web-acceleration framework adopted as the basis of the forthcoming HTTP2, and in any case it is being used not just in Chrome but also IE and Safari as well. Although its main purpose is to improve web-page loading times, it will have some interesting side-effects. Often, web pages create multiple connections to multiple servers, slowing down as each one's URL gets decoded by DNS servers, as well as scrutinised by other boxes in the network. SPDY combines (multiplexes) the various HTTP requests into ore efficient form. In doing so, it also effectively encrypts them and thus hides them from - you guessed it - DPIs, proxies, caches and the like.

In other words, web traffic accelerated with SPDY will "go dark" to ISPs and telcos in the network path, making it much harder to do fine-grained policy management, or perhaps differential charging. As a result, US-based telecoms industry group ATIS has belatedly woken up and started the "Open Web Alliance" and is vainly hoping for telcos to be allowed to implement "SPDY proxies" to re-intermediate themselves. Given everything that's going on with Net Neutrality at the moment, I'd rate their chances of success as very low.

In general, all forms of encryption are on the rise - partly driven by revelations about national security agencies, but also because processor speeds are getting fast enough to routinely encrypt everything anyway. It's hard to argue against it.

But beyond that, I think we're about to see a pushback against data being collected for marketing and advertising purposes. Consumers - and their "advocates" who create devices or other products - are looking at ways to help improve privacy. It seems that often, legislation doesn't work well - or certainly not fast. So I suspect we'll see moves to hide or disguise meta-data, or "pollute" it to near-uselessness.

Maybe we'll have software that automatically clicks random locations on the web, makes unexpected searches, spoofs locations, or does false "likes". Maybe we'll see more app-in-app usage, or "steganography", hiding data encrypted inside other data. We will get more mixing of data flows - as seen in WebRTC, where voice and video streams can be bundled together. And we will see various methods of anonymisation - again, Apple is a major player leading the way with its use of DuckDuckGo as a search engine.

Looking ahead, I also expect to see a lot of data being sent/received through multiple independent paths - perhaps half of your content (or signalling) via WiFi and the rest through cellular - maybe even to different servers or services. Imagine storing half of a document's words on DropBox, and half on Google Drive, blending them only when necessary, on the device.

Various outcomes are likely:


  • Marketing and advertising, dependent on tracking various data sources, are going to become less reliable, as they will be working with dirty/hidden/partial/fake/unreliable data. Google and Facebook are also exposed here.
  • Governments are going to find interception and interpretation of communications much harder again. 
  • Telcos are going to lose a lot of visibility of user data traffic. A growing amount is already encrypted, but further layers of obfuscation are going to increase the problems faced by DPI boxes. False-positives and false-negatives will likely increase, and the practicalities of application/traffic detection or policy-enforcement will get much worse. App-based charging will introduce plenty of arbitrage opportunities. On the other hand it is also possible that some telcos could offer "obfuscation as a service" to improve privacy to customers - perhaps modifying web cookies, for example, or creating "noise" for search etc.
  • Developers will be able to create apps that are more private and secure - and perhaps cheaper for end-users in terms of data charges. There will be lots of interesting middleware providers or opportunities for "obfuscation enablers"
Welcome to the Age of Obfuscation, where everything online is not necessarily what it seems. And where data might well be Big, but it may also be polluted.

No comments:

Post a Comment