jim.shamlin.com

4: Electronic Bread Crumbs

The chapter opens with a recent news item: the governor of New Jersey suffered serious injuries in a high-speed collision. According to some accounts, the vehicle was hit by a reckless driver, and the trooper driving the governor's vehicle "should be commended for his valiant attempt to avoid this catastrophe."

However, when the black box was pulled from the governor's vehicle, the analysis showed otherwise: the governor's driver was driving over ninety miles per hour, the vehicle's flashing lights were not in use, and the governor himself was not wearing a seat belt. This largely exonerated the other driver, and was a PR embarrassment to the governor's office. (EN: the author does not say as much, but other sources suggest it damaged the governor's reputation and credibility, sufficient to suggest it played a part in his loss of the following election.)

The same device exists in many models of vehicles, and most computerized systems have some form of logging capabilities that provide forensic evidence that can be used to discover information about the user's behavior. Perhaps, as in the incident above, it uncovers an embarrassing truth, but there's also the potential for the collected data to lead to a false conclusion.

Overview

The purpose of using a "black box" in cars, similar to the one used in aircraft, is to gather forensic evidence that can be used to reconstruct the events leading to a crash. Drivers and their insurance companies seek to avoid blame by withholding or simply lying about certain facts, and eyewitness accounts are entirely unreliable.

The first black boxes were used by manufacturers to gather data in crash tests, and later were installed in production vehicles to gather information that could be used to defend the company from lawsuits about defective equipment, the PR effects of which are costly even when the company is ultimately exonerated. Being able to prove what actually happened, as quickly as possible, was a method of squelching allegations and mitigating the damage.

Details are provided about how these units were improved over time, and how their use has spread. It's currently up to the manufacturer to choose to install them, but the NHTSA is currently "evaluating the benefits" of making them mandatory in all vehicles.

The counterargument is that doing so is an invasion of privacy that, while presently intended for use in specific situations, might well be abused by authorities. (EN: Given that the government's ability to monitor cell phone conversations was broadened to the point that they can listen in at any time without permission or any due course of law, the suggestion of what abuses "might" occur is no longer panic-mongering, but a justified concern.)

There are positive uses of black boxes, the most obvious of which is to uncover facts that prove what actually occurred and make the judicial process more accurate - convicting those who are actually guilty and exonerating those who are actually innocent. It's also a boon to insurance companies, who could more accurately charge premiums according to a specific driver's pattern of behavior, or charge based on the number of miles driven, which may ultimately improve the behavior of drivers. The same data could also be used to adjust health and life insurance premiums.

Reliability Issues

Whatever the use of black box data, an underlying assumption seems to be that the data is reliable - that it can be trusted. In accident scenarios, we presently assume that the equipment doesn't lie - unlike drivers and witnesses, it has no incentive to conceal the truth, no tendency to confabulate, and no haziness in its memory. But its accuracy is not always inviolable.

In the case of the NJ governor, it was conceded that the motion of tires spinning on an icy road could produce a speed reading of over ninety mph - and traditional forensics at the scene suggested a speed that was closer to seventy miles per hour, the legal limit. The black box also indicated the governor wasn't wearing a seat belt, but physical evidence of his injuries indicated he had been buckled in. However, the majority of the press didn't retract its accusations, and the damage had been done.

The problem is that the black box can only report on internal data, what its sensors tell it, and not on what actually might have happened. Tires spinning on an icy road give the sensors a false indication of speed; a defective sensor does not recognize that a seat belt is engaged and suggests that it was not.

This was not the only instance where a false impression was given by sensor data, and people have been convicted of traffic violations, up to and including vehicular homicide, solely on the basis of this evidence and the assumption of accuracy. A few such cases have been later overturned, but the accused is presumed guilty until the faulty data is proven to be incorrect.

Active Monitoring

The original notion of the black box was a passive data-collection unit, whose data could only be retrieved when it is physically accessed, but this is not necessarily so.

One example is the telemetric system inside Mercedes vehicles, which collects information from the onboard computers and periodically sends it to a central database, enabling the manufacturer to send the owner a reminder when service is due, or when there's a condition, such as low oil, that would indicate a possible need for maintenance or repair.

The OnStar system, installed in many low-end vehicles, apparently does the same. The author shares an anecdote of an automotive magazine which reviewed a vehicle with the system, and took it around an obstacle course. During the test, the OnStar button lit up, and a representative was contacting them to ask whether everything was all right. The vehicle's sensors had detected the erratic motion of the vehicle and reported the event immediately to the service.

While the system has limited ability to send commands to the vehicle, the few commands it can send are fairly significant: the ability to unlock the doors, or "kill" the engine even when the vehicle is in motion. The author suggests that the security on the network is adequate: defeating it would require a significant investment of resources, and there would be little financial gain in doing so.

Hidden Data in Photographs

With the low cost of digital cameras and the addition of cameras to cell phones and other portable devices, there has been an explosion of digital photography on the Web, and few people are aware of the data that is hidden within their files.

There was a well-known incident in which a reporter - ironically, for a television show that dispensed advice about technology - posted head-and-shoulders images on her Website that contained data that included a thumbnail image of the original photo, before cropping, in which more than her shoulders were exposed.

In addition to thumbnail images, the image file often contains additional data, most of which is fairly harmless (model of camera, settings, date, etc.) but some of which may be revealing. An employee could be fired for calling in sick if he took a picture, or one was taken of him, at a concert on the same day.

Some models of cellular phone will record the name of the device owner and the GPS location at which the photo was taken. Some photo sites read this data to show, on a map, the location at which the photo was taken. A person could be caught cheating (EN: it's implied someone actually was) if he took a photo of his girlfriend inside his house, and the GPS coordinates could be cross-referenced with the address. The same technique could be used to identify people who posted "anonymous" photos to Web sites.

Naturally, the features that store additional data can be disabled on most popular phones - but it's unlikely many people know how to access these settings, or would bother to do so on each gadget they own.
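As an added illustration (not from the book or from these notes), the following Python script parses a JPEG's marker segments, reports whether the Exif block carries a GPS sub-IFD or a chained thumbnail IFD of the kind that exposed the reporter's uncropped original, and strips the APP1 segment so the photo can be posted without either. The sample file is constructed inline and is not a real camera image.

```python
import struct

def _ifd(entries, next_ifd=0):          # little-endian TIFF IFD: count, 12-byte entries, next-IFD offset
    body = b"".join(struct.pack("<HHI", t, ty, c) + v for t, ty, c, v in entries)
    return struct.pack("<H", len(entries)) + body + struct.pack("<I", next_ifd)

def build_sample_jpeg():
    """Constructed stand-in for a phone photo, not a real camera file: SOI, an APP1/Exif block
    whose IFD0 points at a GPS sub-IFD and chains to IFD1 (the thumbnail), a stub SOS, then EOI."""
    # TIFF header is 8 bytes and each one-entry IFD is 18 bytes: IFD0 @8, GPS IFD @26, IFD1 @44
    ifd0 = _ifd([(0x8825, 4, 1, struct.pack("<I", 26))], next_ifd=44)   # 0x8825 = GPSInfo pointer
    gps = _ifd([(0x0001, 2, 2, b"N\0\0\0")])                            # GPSLatitudeRef "N"
    ifd1 = _ifd([(0x0103, 3, 1, struct.pack("<HH", 6, 0))])             # Compression 6 = JPEG thumb
    app1 = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + ifd1
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\x00\x00\x00\x00\xff\xd9")

def jpeg_segments(data):                # yield (marker, start, end) for each segment up to SOS
    pos = 2                                                              # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xD9:
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]           # counts its own 2 bytes
        yield data[pos + 1], pos, pos + 2 + length
        if data[pos + 1] == 0xDA:                                        # entropy-coded data follows SOS
            return
        pos += 2 + length

def exif_report(data):                  # what the Exif block would reveal about the photo
    report = {"has_gps": False, "has_thumbnail": False}
    for marker, start, end in jpeg_segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != b"Exif\0\0":
            continue                                                     # XMP also uses APP1
        tiff = data[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"                            # byte order from TIFF header
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        n = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(n):
            if struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0] == 0x8825:
                report["has_gps"] = True                                 # GPS sub-IFD is present
        next_ifd = struct.unpack(e + "I", tiff[ifd0 + 2 + 12 * n:][:4])[0]
        report["has_thumbnail"] = next_ifd != 0                          # IFD1 holds the thumbnail
    return report

def strip_app1(data):                   # drop every APP1 segment; the compressed pixels are untouched
    out, pos = bytearray(data[:2]), 2
    for marker, start, end in jpeg_segments(data):
        if marker != 0xE1:
            out += data[start:end]
        pos = end
    return bytes(out + data[pos:])
```

Run `exif_report(build_sample_jpeg())` to see both flags set, then `exif_report(strip_app1(build_sample_jpeg()))` to confirm the cleaned file reports neither; the same functions work on a real JPEG read from disk.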

Data Stored on Equipment

The author implies that many people dispose of old computer equipment as casually as they would dispose of an old sofa, without considering the data that may still be stored on it. And while even moderately informed people know to remove or wipe their hard drives, there's evidence that few do.

In one study, a group purchased used hard drives from eBay, and found that 36% had documents containing sensitive data, such as financial information; 21% had e-mails; 13% had pictures; 11% had "corporate documents"; and 11% had files such as Web browsing histories. (EN: No indication of whether this data was "naked" on the drive or recovered forensically from it.)

It's also noted that deleting a file doesn't really delete it. Some users move a file to the "trash" but do not empty it. Even when it is emptied, the file is still on the hard drive, viewable by going to a command prompt to view the contents of the drive, and is not really erased until the computer needs to over-write it. Files from the Enron scandal were uncovered in this manner.

It takes somewhat more sophisticated software to recover files that have been partially overwritten - invisible as "files" to the operating system but still resident as raw data on the drive. It takes a purposeful effort, using special software, to "scrub" the unused space on a hard drive to remove all traces of data that was meant to be deleted.
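As an added illustration (not from the book or from these notes), a small Python model of a volume whose delete only drops the index entry shows the three stages described above: a raw search still finds the "deleted" file, a later write clobbers only the blocks it reuses, and a free-space wipe removes the rest. It also shows one thing the text does not mention: residue in the slack of an allocated block survives a free-space wipe. The volume, file names and contents are constructed for the example.

```python
BLOCK = 16      # toy block size; real filesystems use 4 KiB clusters, same principle

class ToyVolume:
    """Constructed model of a disk: fixed-size blocks plus an allocation table.
    As on real filesystems, delete() frees the table entry and never touches the bytes."""
    def __init__(self, nblocks=8):
        self.media = bytearray(BLOCK * nblocks)
        self.table = {}                              # file name -> list of block numbers
        self.free = list(range(nblocks))

    def write(self, name, data):
        blocks = [self.free.pop(0) for _ in range(-(-len(data) // BLOCK))]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk   # rest of the block is slack
        self.table[name] = blocks

    def delete(self, name):                          # "emptying the trash": index gone, data stays
        self.free = self.table.pop(name) + self.free  # freed blocks are handed out first

    def carve(self, needle):                         # raw search of the medium, ignoring the table
        return [i for i in range(len(self.media)) if self.media.startswith(needle, i)]

    def scrub_free_space(self):                      # the purposeful wipe of unallocated blocks
        for b in self.free:
            self.media[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

def demo():
    """Walk the page's scenario; returns carve results at each stage for inspection."""
    vol = ToyVolume()
    vol.write("statement.txt", b"card=4111-1111-1111-1111;exp=12/29")   # constructed sample
    vol.delete("statement.txt")
    after_delete = vol.carve(b"card=4111")           # intact: nothing has overwritten it
    vol.write("note.txt", b"grocery list")           # reuses block 0, clobbers only 12 bytes
    after_reuse = (vol.carve(b"card=4111"), vol.carve(b"exp=12/29"))   # tail still recoverable
    vol.scrub_free_space()
    after_scrub = vol.carve(b"exp=12/29")            # gone: free blocks were overwritten
    slack = vol.carve(b"11-1")                       # survives inside note.txt's allocated block
    return after_delete, after_reuse, after_scrub, slack
```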

The same is true of media cards and the internal hard drives of devices such as MP3 players and digital cameras, and software that will scrub these devices isn't available in many instances.

There are also hard drives in many models of photocopier that scan documents digitally before printing copies - a concern when scanning confidential or sensitive documents in an office or in a copy shop - though some manufacturers are now encrypting the data so that it can't be extracted.

Toll-Tag Data

Aside from the "bread crumbs" left behind on equipment, there are also systems we opt into that collect data which may be accessible to other parties.

One example is electronic tollbooths, which use an active RFID tag that broadcasts data over short distances. It's a fairly simple matter to read the information broadcast by these tags, a unique ID number, and create a device that sends that information, enabling the hacker to use toll roads and bridges and have it billed to other people's accounts. This was later thwarted by adding a device to take a photograph of the license plate, which could be used to identify the hacker when a driver disputed charges.

(EN: The author doesn't mention this, but there were suggestions, though never acknowledged, that key fobs once offered by gas stations for tap-and-pay were also highly vulnerable, and were quickly discontinued.)

Because data on toll tags is not considered particularly sensitive, it is seldom very secure and is easier for an attorney to obtain. Toll-tag evidence has been used in divorce proceedings and to thwart employees who claimed they were unfairly terminated.

It's also implied that toll-tag data may not be very accurate, and that it's entirely possible for these systems to provide false evidence. One example provided suggests an attempt to cover up real evidence, where a woman accused of murdering her husband and dumping the body called to dispute the toll charges and have them removed - the calls were presented as an attempt to destroy evidence, which was "integral to the conviction."

The author makes the same allegation about RFID tags in employee badges, which are generally scanned to enter secure areas. He sets up a scenario in which lights in a building are activated by RFID tags instead of motion detectors, and suggests that an evil boss could use this data to track the movements of employees and harass them about their bathroom habits. (EN: This is a bit more fear-mongering on a scenario that's technically possible, but highly suppositional.)

Driver's Licenses

In the United States, a person's driver's license is "the closest thing we have to a national identity card" and is used extensively by the private sector as proof of identity. With the addition of a magnetic strip, the driver's license can be scanned as a method of validation - data on the strip corresponds to data printed on the card, making it slightly more difficult to forge, but also making the data more convenient to obtain.

The information available from a driver's license varies from state to state, but generally includes the license number, name, address, height and weight, eye and hair colors, and digital versions of an image, fingerprint, and legal signature. Granted, the same information is available on the card itself, but (the author assumes that) people who visually inspect the card don't record this, and even those who photocopy it don't digitize it - but when the card is swiped, the information is stored in a database, where there's no telling what will be done with it or with whom it will be shared.

Increasingly, businesses are using card-scanning systems to validate licenses and to compile both aggregated data (number of customers from a given ZIP code) and individual data (shopping habits of a particular person). Some versions of the scanners include software that runs superficial background checks to retrieve even more data.

Only three states (NE, NH, TX) have prohibited the use of licenses for non-government purposes, but even in those locations, there are exceptions. It's also noted that, until 1994 (when concerns about stalking made the federal government step in to discourage sharing information so freely), DMV data was considered to be a public record, available on request to anyone, and many states made revenue by selling their DMV data to marketing companies.

However, there are loopholes in that law and even requirements for licenses to be scanned by businesses. For example, a CA law meant to discourage drug production requires that any retailer selling drugs that can be used to make methamphetamine record a photo ID of the buyer, which can be done on paper or electronically.

The Movement Against Privacy

Current political issues, specifically the "war" on terrorism, drugs, and illegal immigration, have led to widespread advocacy for stronger methods of control that are detrimental to privacy. There is currently a legal trend toward collecting, and requiring private enterprise to assist in the collection of, "as much personally identifiable information as possible," making it more widely available, and storing it for indefinite amounts of time.

Privacy of communications has already been effectively abolished, removing protections that previously prevented government agencies from collecting and compiling private communication - mail, phone calls, and even digital communications can be monitored and stored without due process of law, or any legal requirement - and this is being extended to other sources of information. The amount of data about private individuals is estimated to be on the order of yottabytes (octillion kilobytes).

The author mentions the Dutch national registry, begun in the 1930s to collect information about every resident for the purpose of making government planning more efficient. As a result, the Nazi party was highly efficient in exterminating "undesirables" such as Jews and gypsies: the kill rate in the Netherlands was estimated at 75%, as compared to 25% in other European nations.

As such, even those who are indifferent to or in favor of government data collection under the current pretenses should consider what the impact may be in the future, when the tide turns against them.