Thank you for running BLEMon from RTCL!
BLEMon is an app developed by the Real-time Computing Lab (RTCL) in the University of Michigan, Ann Arbor. It is a part of a larger project aiming at characterizing the privacy threats posed by devices in the context of the Internet of Things (IoT). Some of these devices, that you use, might enable others to track you, profile you, and learn more information about you. For example, if others know you are wearing a glucose monitor or pump, then it might indicate a certain health condition.
In our project, we aim to quantify how much information do these IoT devices leak about an individual. In particular, we need your help to collect information that these devices publicly broadcast. We focus on the devices that are communicate through the BLE (Bluetooth low energy) protocol as it is the most prevalent. As part of this protocol, devices advertise their presence publicly to let others know about them. BLEMon just collects these public advertisements (broadcasts) so that we learn how much information is contained in these advertisements. Below, we describe the exact data that we collect and the safeguards we implement to protect your privacy.
What we collect
We collect the following information:
BLE Device Advertisements:
We collect the public advertisements that the BLE powered devices are publicly broadcasting in your vicinity. It is worth noting that anyone in your vicinity (within 50m) with a smartphone (or any Bluetooth enabled device) can also collect the same information. Also, this information is meant, as part of the protocol, to be broadcasted so that others can learn what devices are close to them. In particular, we record the following information:
- The time BLEMon collected the advertisement (timestamp)
- The device name (device_name)
- The device type, such as: smartwatch, camera, or toy (device_type)
- Received Signal Strength Indicator which indicates how far the device is from the user (rssi)
- The hashed device address; we apply hashing to prevent recording the real device address (bt_addr)
- The advertisement content, usually less than 256 bytes (advertisement)
- Bonding information, whether your smartphone is bonded with the observed device (device_bonded)
This app will record an anonymized version of your location while it is running. Specifically, it will obtain a location update from Android every 3 minutes. However, we are more interested in relative places rather than absolute location samples. As a result, we assign every place you visit a unique numeric ID (place_id), and we keep the mapping between absolute locations and these IDs private in your device (we are not interested in this mapping, and we don’t collect it). This way, we know that you were at some place at different times of the day (and potentially you visited the same place at different times), but we will have no way of telling what that place is.
Every record we log has the following format: (The data we collect is nothing else than a long list of the records shown below)
This is how would a record look like for a Fitbit (Surge) broadcasting its presence at 24 Sep 2015 1:32:11 AM EST while the user was at the place of ID 4. Tbe Fitbit is not bonded to the user and has an original address of E0:46:BA:00:00:00 which is F742E8C67776555A15F00375D5B8E2720FBC4CCE821A8D43CB8C61F73A9FCB67 after hashing it.
What we do with the information we gather
We require this information to perform our research study as described above. We won’t be able to locate your home location, work location, points of interest, or places you frequently visit in general, but we might be able to profile you through the device you might be bonded with. However, since we don’t collect any information of personal nature, we have no method, as far as we can tell, to associate such profiles with your identity. For example, we can tell that the one of the users is wearing a fitbit, but we can’t tell who is this person. Again, we can’t associate any information we collect with you.
As you might have noticed, our app doesn’t request Internet permissions from Android, which means that the app can never communicate with the outside world. The information we are interested in is output in the Android system log, and in a private database on your device. The only way we can get access to the location is through the experiment administrators who have to extract this information from your device and supply it to us. Thus, the process we collect information through is entirely transparent.
Once we receive the information, we keep it at our servers, and we don’t share it with any third-party entity. BLEMon never engages with any communication with any external entity and doesn’t leak any type of information. As part of our development we could have used third-part libraries to perform some functionalities, but they don’t collect or communicate any information to third-party servers.
To be able to perform our study and analysis, we have to store the data at our servers for possibly an indefinite amount of time. We might also use the same data for future research projects. However, we will not share your data with any third-party entity without your clear consent. Currently, we don’t have any plans to share the data with any third party.
We are committed to ensuring that your information is secure. We store your data on our servers that are locked in a room equipped with card access control (only RTCL members have access). Moreover, the server is protected so that only authorized users have access. In particular, only the researches engaged with this project have access to the your information.
Controlling your personal information
If there is a situation when/where you feel uncomfortable with BLEMon recording nearby BLE powered devices, you have the option to stop BLEMon. BLEMon has a “stop” button that will cease all data collection unless you run it again or reboot your phone. Please note that BLEMon runs automatically whenever you boot your device. Although we access your location, but eventually we don’t know what places you visit which won’t pose any significant privacy threat.
Still, you can turn off the location switch from the app to prevent it from accessing your location in the first place.