Security Sense: Security Requires Pragmatism

In security, we can't simply decry everything that doesn't meet the strongest possible criteria; we have to balance this against the upsides of the approach.

Troy Hunt

January 16, 2017


I bought some Tiles the other day. Not the kind you’ll find in your bathroom, rather the Bluetooth-enabled kind you attach to your keys and put in your luggage so that you can find them again should they go missing. I was particularly interested in the one in my luggage because I was heading off to Europe, which meant multiple occasions of my bag entering and exiting various aircraft then hopefully turning up on the carousel at the other end of the trip. If the bag got lost somewhere along the way, in theory, the Tile could be located by someone else. This is where things get a bit interesting.

Personal luggage trackers are great, but they’re only effective whilst there are beacons that can identify a bag and let you know where it is. Now your phone can be a great beacon, but you’re obviously limited by range. Tile’s solution is to crowd-source the beacons and use anyone’s phone to find your lost luggage, assuming they’re running the Tile app that is. They describe it as follows:

Every app updates the location of each Tile device it detects. With more than 8 million Tiles sold and over a million items located every day, our network is the largest, fastest and most powerful lost and found community in the world.

And this is where we get to put two different hats on: From an engineering perspective, it’s a genius move because you’re delegating luggage discovery to every single person running the app. So long as there’s a healthy network of devices, you’ve now got a good chance of someone – anyone – seeing your bag. But from a security perspective, you’ve got exactly the same problem in that anyone can see your bag and report its location (although the app is doing this in the background – other people never see your personal info). Plus, the Tile app is regularly reporting your own location back to their service as you wander around with your keys or wallet or any other Tile-enabled thing in sight.

I received exactly the sorts of responses I expected when sharing my experiences on the Tile via Twitter whilst travelling across the world. “But you’re the security guy, how can you take such risks with your privacy?!” I totally get where this is coming from and I’m enormously careful with how I manage the privacy of my information. However, I’m also really fond of my luggage, which brings me to the whole point about pragmatism.

We make daily trade-offs with our security. How strong the password to log on to our PC is, for example (you can’t really use a password manager in that instance). Whether we check the “remember me” box when logging on to social media. If we use biometric login for our mobile device or not. Each one of these exposes both a security risk and a usability upside, neither of which can be assessed in isolation. Here’s the point of all this as it relates to pragmatism: I don’t really care one way or the other about most security decisions people make so long as they’re balanced. A technology like Tile might not make sense if either the privacy risk is too great or the upside of finding lost luggage is too low. But I really like my luggage and I’m not too concerned if someone knows where I am on a trip I’ve been pretty public about. That’s pragmatism in play!
