Open pdehaye opened 4 years ago
For the purpose of full documentation ahead of revising the legal analysis, see also examples here of such tracking attacks for Bluetooth.
Note: There is now an attack PoC shared by @oseiskar at the bottom of #43, leveraging existing BLE meshes. This should now force at the very least a citation in the White Paper of the existence of such a PoC - at least from a data protection standpoint (I don't know if this runs counter to the security community culture - but wouldn't think so). Additionally, while from a security perspective the existence of a PoC changes little, it does have an impact on the data protection evaluation of the paper, particularly in light of Recital 26 GDPR.
In #43 I give many examples of deployments of vast meshes of passive Bluetooth antennas, providing easier means of re-identification than relayed in the security analysis.
The deployment of those systems should encourage a more careful assessment around the Breyer test. On page 8 of the Overview of Data Protection and Security, you state:
In light of the BLE deployments of #43, the threat you mention (using covert cameras) is reductive of the full threat landscape, which in its fuller extent actually nullifies the first test of Breyer: these databases already do exist, with a legal basis that is actually considered legitimate by many. In addition, these databases reduce the "efforts in terms of time, cost and man-power" so much that it no longer is true that the "risk of identification appears in reality to be insignificant" (in fact, as described above, there are commercial services performing this task). As for the prohibition by law in the Breyer test, it is a very very very thin line to rely on in the current circumstances, and certainly warrants a lot more detailed discussion in scenarios where the threat comes from state actors fetching additional data from private actors to facilitate reidentification.
It seems ill-advised to rely on a gap in jurisprudence for such a high-stakes protocol and not be more forceful in asserting that this data would indeed consist of personal data in some deployment scenarios.