Dating, Identity and IoT

As I lie in bed some nights, I'm awake with a gazillion ideas revolving around in my brain. One of the things that jumped out at me the other night was how online dating is similar to the Internet of Things (IoT). Bear with me a bit while I explain what I mean. Online dating has changed a lot since it first surfaced in the late 1990s and has now become almost the de facto go-to for those looking for a relationship. Well, apart from bars, which are still doing very well as meeting-up places. The problem a lot of people have with online dating is one of identity. How do you know that the person whose picture you are looking at is the person for you? To reduce this information asymmetry most dating sites require you to fill out, in some level of detail, identifying information about yourself that others can use to assess whether they wish to begin a relationship with you.

In the early days of the Internet, we used simple mechanisms to identify people. Passwords worked fine to represent who someone was and, most importantly, whether they were allowed access to data. As time has gone on, the limitations of passwords have become apparent, especially with many different places on the Internet holding differing amounts of information about us. Dating sites have this issue too: they need to regulate who can alter the data that describes an individual, but they also need some way to verify that the information about that individual is correct, so that potential relationships can start from a level of trust. As more and more people use dating sites, that verification gets much harder. If we think about how we as human beings establish trust in another individual, it's built on a series of relationships: we 'get to know' someone through our own observations over time, and we also talk to others who know that individual to get third-party information about them. Of course I'm oversimplifying a bit here, but my point is that we use many different pieces of information to build a matrix of trust, and we judge how much we trust a person based on how we assess and verify that information about them.

So now we have this mass of new devices coming along in the Internet of Things. As they will be so integrated into our everyday lives, each performing some individual function for us, how do we verify them even at the very simple level of 'that one belongs to me, the other one doesn't', and then trust each one to perform its function? I think the only realistic way of doing this, without having to remember a huge number of different passwords, is to build a matrix of trust based on relationships, but have our devices perform it in an automated way. Let me describe a simple example. How does your intelligent door lock know that you are the owner of this house and that it should unlock the door to let you in? First, it sees you drove up in a car that it is able to communicate with, and the car confirms that you are its owner, based on the car having previously verified you. Next, it communicates with your phone and checks the fingerprint you used to unlock the phone. Finally, it uses a small camera to run facial recognition against images previously captured of you, providing a third data point. Each of these exchanges of data is itself protected cryptographically, so that the lock can also validate the relationship each device has with it: a device the lock has no relationship with, or one that merely replays an earlier exchange, should not count as a data point.
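The door-lock scenario above, worked through as an added example (this is not code from the original post). It assumes things the text does not state: each device shares a per-device key with the lock (an HMAC here, where a real deployment would use per-device signing keys and certificates), the lock challenges every device with a fresh random nonce so that a recorded exchange cannot be replayed later, and the lock's policy is to unlock only when at least MIN_FACTORS independent kinds of device vouch for the same person. Device names, keys and the 'alice'/'bob' subjects are constructed for the example.

```python
"""Door-lock trust matrix: several devices each vouch for the person at the door.

Added example, not the post's own code. Assumptions: pairwise HMAC keys
between lock and device (stand-in for real signing keys), a fresh nonce per
approach, and a 'two independent factors' unlock policy.
"""
import hashlib
import hmac
import os

MIN_FACTORS = 2  # assumed policy: two independent relationships must agree

# Constructed registry: device id -> (factor type, key shared with the lock).
# Keys are hard-coded only so the example runs offline.
TRUSTED_DEVICES = {
    "car-7f3a": ("car", bytes.fromhex("11" * 32)),
    "phone-02c1": ("phone", bytes.fromhex("22" * 32)),
    "camera-door": ("camera", bytes.fromhex("33" * 32)),
}


def _tag(key, nonce, device_id, subject):
    # Bind the device's claim ("I verified <subject>") to this specific challenge.
    msg = nonce + b"|" + device_id.encode() + b"|" + subject.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def device_vouch(device_id, nonce, subject, registry=TRUSTED_DEVICES):
    """Device side: answer the lock's challenge. (Looking the key up in the
    lock's registry is a simulation shortcut; really it lives on the device.)"""
    key = registry[device_id][1]
    return {"device": device_id, "subject": subject, "tag": _tag(key, nonce, device_id, subject)}


def evaluate(nonce, responses, registry=TRUSTED_DEVICES):
    """Lock side. Returns (decision, factor types that validly vouched).
    Unknown devices and bad or stale tags are ignored; devices that name
    different subjects make the lock refuse outright."""
    subject = None
    factors = set()
    for r in responses:
        entry = registry.get(r["device"])
        if entry is None:
            continue  # no relationship with this device: not a data point
        factor, key = entry
        expected = _tag(key, nonce, r["device"], r["subject"])
        if not hmac.compare_digest(expected, r["tag"]):
            continue  # forged, or an answer to an older challenge (replay)
        if subject is None:
            subject = r["subject"]
        elif r["subject"] != subject:
            return "deny", factors  # the devices disagree about who is at the door
        factors.add(factor)  # a set: the same factor type counts once
    decision = "unlock" if len(factors) >= MIN_FACTORS else "deny"
    return decision, factors


def challenge_round(responders, replayed=()):
    """One approach to the door. responders: list of (device_id, subject).
    Devices listed in `replayed` answer with a tag made for an old nonce,
    i.e. a recorded exchange played back, and must not count."""
    nonce = os.urandom(16)
    old_nonce = os.urandom(16)
    responses = [device_vouch(d, old_nonce if d in replayed else nonce, s) for d, s in responders]
    return evaluate(nonce, responses)


if __name__ == "__main__":
    print(challenge_round([("car-7f3a", "alice"), ("phone-02c1", "alice")]))
    print(challenge_round([("car-7f3a", "alice"), ("phone-02c1", "alice")], replayed={"car-7f3a"}))
```

The design point is that the lock never trusts a bare claim: a data point only counts if it comes from a device the lock already has a relationship with, is bound to the current challenge, and agrees with the other devices about who is standing there.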

So we see that, in a similar way to online dating, the IoT needs to establish relationships in order to verify trust. As more data points are added, it becomes possible for our devices to establish higher levels of trust based on the quality of the information and the relationships involved. Identity, then, and the relationships that form once an identity can be trusted, become a key enabler of the IoT. We are starting to see this with devices such as smartphones beginning to use fingerprint readers, but this is about more than the simple test of 'is this the correct fingerprint'. What is being built here is a way for our machines to identify us individually using the same methods that we as humans use to establish trust. In a way I find it comforting that this is so, as it shows that one of the most human behaviors we have, that of relating to each other, applies equally in how we build our machines.

Guest Portal Use Cases

Guest portals are a common occurrence in the WLAN industry. They have been used for many different types of access scenarios, with some criticizing their use as getting in the way of people who want fast and free access to the internet. In this blog I want to contribute to this discussion with the proposition that, because captive portals are used in so many different ways, there is some merit to their use from both a business and a security point of view.

Starting with a high-level look at WLAN access, there are several main business use cases that drive the design of user access. The most obvious first use case is the standard business user in a corporate network. This is the same user we have been designing access for through most of the life of wireless technologies. Usually, due to security concerns, most corporations providing WLAN access use strong encryption and authentication methods to control access. There are, however, other types of users in a business environment. Some examples are outside vendors, visitors, subcontractors, temporary workers and, most recently, corporate employees bringing their personal mobile devices to work. The challenge for corporations providing access in these scenarios is that the number of users outside the traditional controlled-access model is exploding, and that puts pressure on the WLAN infrastructure, which must be upgraded to keep up with demand. Until now, most corporations have used captive portals to control access so that only users sanctioned by the business get onto the WLAN.

Another group that has made heavy use of captive portals is large public venues such as stadiums, conference venues, airports, etc. This is distinct from smaller public venues such as coffee shops, restaurants, hotels or even airplanes. The challenge for large public providers is that in many cases the captive portal annoys users, and many will resort to alternatives such as MiFis to get around onerous signup forms and costly access plans. Security is less of a concern here than in the corporate use cases, but there are still concerns about users using the venue's access to download illegal content or to perform active attacks on other users on the same open network. Captive portals are often the mechanism here for notifying users that their access is being monitored and that specific acceptable-use terms must be met. The other side of this for large venues is that it costs a lot to maintain the public infrastructure for this access. With this in mind many large airports, for example, began by charging users for access. This has led to it being common in large airports for users to fall back to their mobile data rather than pay the associated fees. It has become apparent in recent years that many large venues have backed away from these fees and begun to see providing Wi-Fi much more as a general infrastructure cost than as something end users should be charged for. The last challenge to using captive portals for large venues is one of scalability. Having 60,000 users streaming the last replay of a goal they just watched is challenging for the infrastructure to handle and requires a great deal of planning to achieve. I suspect many large venues will look to sponsorship as a way of meeting these costs so that free access becomes part of the experience of attending the game. This is where alternatives such as Hotspot 2.0 could make access easier for users, and more secure than a captive portal on an open SSID, since the device authenticates with 802.1X and each user's traffic is encrypted, as well as more scalable from an infrastructure perspective.

The smaller public venues, especially hotels, have long seen WLAN access as an additional revenue stream to support their overall business model. By charging users for access and using captive portals to collect the fees, these businesses have been able to offset drops in revenue from the decline in hotel video rental and room phone charges, and the cost of maintaining a high-speed network to access the internet. Some businesses, particularly cafes and lower-end business hotels, have begun to provide free access as an incentive for guests to stay, but this is most often still accompanied by a terms-of-use captive portal and the need to obtain an access code. It will be a challenge for the smaller public providers to encourage users to actually use their WLAN, or stay longer in their cafe, given the increase in mobile devices and alternative access methods, while finding a way of offsetting the cost to the business of providing that access at a level acceptable to most users. Many users detest captive portals for preventing them from easily getting onto the internet and for making them sign up multiple times for each of the devices they carry. Viewing internet access as a utility provided as a cost of doing business has some value; however, it can also be problematic, as open access can invite users to do harmful things that incur additional costs beyond simply providing access. A recent report outlined many of these issues for hotels and pointed out that in higher-end hotels (which more commonly charge for access) Wi-Fi is often thought of as something that carries costs beyond the base room price, as guests expect constant, reliable connections beyond what the lower-end business hotel's 'free' service offers. Captive portals here are used to control access to the premium levels of service, with some hotels moving to a tiered model where you get a slower connection free with the room and can pay for higher speed as needed. I believe this model is ripe for disruption, where access is made easy for users and tiered connection speeds can still be paid for, providing the revenue used to maintain the service. I haven't seen a compelling business offering this service yet, however.

The final group to look at is people providing location-based access services. Although RTLS has been used for a number of years in hospitals and other situations requiring tracking of assets, there was not a huge use case for captive portals with traditional RTLS. In the last few years there has been an emergence of uses around tracking shoppers and other casual users that combines RTLS with a user registering, either with a 'social login' or with a retailer's loyalty program, to track shopping habits so that physical stores and locations can get a better idea of what interests the people in those locations. The value of this is specifically in optimizing the layout of stores so users can easily find what most interests them, and in personalizing in-store advertising displays to the interests of those users. This can be done without the user logging in by using the device's MAC address, which identifies a device rather than a named person, though it is a persistent identifier rather than a truly anonymous one. However, this is just a modernization of traditional store-based tracking that looks at items bought to optimize store layout. There is a privacy aspect to this as well, where an app installed by the user, or a captive portal signup, means a more positive acknowledgement of consent to be tracked and makes the value to the end user more visible. This is similar to loyalty programs that track user purchases in return for offering additional discounts of interest. As usual there is a balance here between the user's needs, in this case privacy and transparency into what their data is used for, and the value to the business of getting good insight into the likes and dislikes of a customer in their store. Captive portals in this situation can be used to be more open with shoppers about what is being collected and how it is being used.

In this short tour of different use cases for captive portals I have attempted to show that the use, or not, of captive portals is not simply a matter of a single value to both end users and the businesses deploying them. There is friction on both sides from their differing needs, and it's not an easy call to say that captive portals have no use at all and just get in the way of users. At best it is a balancing act between the value to those deploying the portals and those who have to use them. At times, the value of making access as frictionless as possible for end users outweighs the business value. In other cases it may provide much better value to both to have a captive portal.

Wi-Fi Calling with iOS8 and T-Mobile

I was sitting at home watching an Apple-oriented video podcast that was discussing how Wi-Fi calling was now available in iOS 8 and that T-Mobile was one of the first carriers rolling it out. I realized that this might help me specifically with some of the dropped-call issues I had been experiencing. I then grew curious: T-Mobile was offering a 'customized' router to subscribers that professed to offer home users better connectivity than their current gear. How did that work, I wondered? With that I set about finding out by switching on Wi-Fi calling on my phone and doing some packet captures with the handy Remote Sniffer provided in my home Aerohive AP-370.

First of all I investigated how Wi-Fi calling actually works. Digging around on the Internet turned up that T-Mobile was using a form of GAN/UMA (Generic Access Network, earlier called Unlicensed Mobile Access). Essentially this carries the packets that would normally be sent over the GSM radio network across the Internet instead, inside an encrypted tunnel to the carrier. With a bit more digging, however, I discovered on Reddit that T-Mobile used to use UMA but is now deploying IMS (IP Multimedia Subsystem), which likewise tunnels the phone's voice traffic over IPsec to a gateway at the carrier. The essential point for WLAN engineers such as myself is that we now have encrypted voice traffic going over our networks to the Internet, routed to whichever provider is letting its subscribers use this service. As an aside, this isn't a new thing, as T-Mobile has been offering it since 2007.

(Image: Wi-Fi Calling Capture)

So let's break down what's going on here. T-Mobile, being focused on the home use case, is providing a high-end router to customers which essentially provides QoS-enabled connectivity, so voice packets from their phones using Wi-Fi calling are prioritized properly for home users. That's a win for them in that they will get great voice calls from their phones on their new router. What happens when those same users bring their phone into work and connect to the enterprise WLAN because their office 'just never had good cell reception'? Now we have a lot more devices sending what looks like ESP-encrypted traffic with voice priority (WMM user priority 6, the voice access category) set on the packets. Because the payload is encrypted, the WLAN cannot look inside to confirm that it really is voice; it has to decide whether to honor the marking the client put on it.

(Image: Wi-Fi Calling QoS Capture)
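What the captures above boil down to at the IP layer, as an added example that is not code from the original post: the packets are IPsec ESP, either straight over IP (protocol 50) or, far more commonly behind a home or office NAT, encapsulated in UDP on port 4500, and they carry a voice DSCP marking. The parser below walks a handful of constructed IPv4 packets (not real captured frames; the addresses and SPI values are made up) and sorts them into the buckets a WLAN engineer cares about: voice-marked ESP (the Wi-Fi calling signature), the IKEv2 tunnel setup and NAT-T keepalives that surround it, and voice-marked packets that are not IPsec at all, which a BYOD client could equally well be mis-marking. DSCP 46 (EF) is used as the voice marking because that is what RFC 8325 maps to WMM user priority 6.

```python
"""Classify IPv4 packets for Wi-Fi calling (IPsec-tunnelled voice) traffic.

Added example; not the post's own code. Sample packets are constructed
inline so the module runs offline.
"""
import socket
import struct

DSCP_EF = 46        # Expedited Forwarding; maps to WMM UP 6 (voice) per RFC 8325
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500    # IKEv2 and ESP-in-UDP share this port when NAT-T is in use


def build_ipv4(dscp, proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) for the samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload),
                      0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt):
    """Describe one IPv4 packet: endpoints, DSCP and what kind of traffic it is."""
    ihl = (pkt[0] & 0x0F) * 4
    dscp = pkt[1] >> 2
    proto = pkt[9]
    body = pkt[ihl:]
    kind = "other"
    if proto == IPPROTO_ESP:
        kind = "esp"
    elif proto == IPPROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if NATT_PORT in (sport, dport):
            if data == b"\xff":
                kind = "natt-keepalive"   # RFC 3948 one-byte keepalive
            elif data[:4] == b"\x00\x00\x00\x00":
                kind = "ikev2"            # non-ESP marker precedes an IKE message
            else:
                kind = "esp-udp"          # first four bytes are the ESP SPI
        elif IKE_PORT in (sport, dport):
            kind = "ikev2"
    elif proto == IPPROTO_TCP:
        kind = "tcp"
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "dscp": dscp, "kind": kind}


def summarize(packets):
    """Bucket counts: voice-marked ESP is the Wi-Fi calling signature;
    voice-marked non-IPsec traffic is a marking the WLAN should not trust blindly."""
    out = {"wifi_calling": 0, "esp_unmarked": 0, "voice_marked_other": 0,
           "ikev2": 0, "keepalive": 0, "other": 0}
    for pkt in packets:
        info = classify(pkt)
        if info["kind"] in ("esp", "esp-udp"):
            out["wifi_calling" if info["dscp"] == DSCP_EF else "esp_unmarked"] += 1
        elif info["kind"] == "ikev2":
            out["ikev2"] += 1
        elif info["kind"] == "natt-keepalive":
            out["keepalive"] += 1
        elif info["dscp"] == DSCP_EF:
            out["voice_marked_other"] += 1
        else:
            out["other"] += 1
    return out


# Constructed sample traffic: a phone on the LAN, a carrier gateway, a web server.
PHONE, GATEWAY, WEB = "192.168.1.20", "203.0.113.5", "198.51.100.7"
ESP_BODY = struct.pack("!II", 0xC001D00D, 1) + b"\x00" * 40   # SPI, sequence, ciphertext
SAMPLE_PACKETS = [
    build_ipv4(DSCP_EF, IPPROTO_ESP, PHONE, GATEWAY, ESP_BODY),                                   # ESP over IP
    build_ipv4(DSCP_EF, IPPROTO_UDP, PHONE, GATEWAY, build_udp(NATT_PORT, NATT_PORT, ESP_BODY)), # ESP in UDP 4500
    build_ipv4(0, IPPROTO_UDP, PHONE, GATEWAY, build_udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + b"\x11" * 28)),  # IKEv2
    build_ipv4(0, IPPROTO_UDP, PHONE, GATEWAY, build_udp(NATT_PORT, NATT_PORT, b"\xff")),        # keepalive
    build_ipv4(0, IPPROTO_TCP, PHONE, WEB, struct.pack("!HH", 50000, 443) + b"\x00" * 16),       # plain HTTPS
    build_ipv4(DSCP_EF, IPPROTO_TCP, PHONE, WEB, struct.pack("!HH", 50001, 443) + b"\x00" * 16), # HTTPS marked EF
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(classify(p))
    print(summarize(SAMPLE_PACKETS))
```

In Wireshark the same split is `esp || udp.port == 4500` for the tunnel and `ip.dsfield.dscp == 46` for the marking; in an over-the-air capture the user priority sits in the 802.11 QoS Control field, which is where the '6' in the capture above comes from.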

I would say that as a WLAN designer you should be taking into account that a lot of BYOD devices, specifically phones, will mean an increase in voice traffic on both your WLAN and the rest of your LAN. Read up on how it works at my pal Andrew's blog, Revolution WiFi. I especially recommend his series of posts on Voice-Enterprise and Roaming.