December 20, 2003
RFID Tags Located in WSIS Conference Badges

Without participants' knowledge. See this write-up by these participants: Ass. Prof. Dr. Alberto Escudero-Pascual, Researcher in Computer Security and Privacy, Royal Institute of Technology, Stockholm, Sweden; Stephane Koch, President Internet Society Geneva, Executive Master of Economic Crime Investigations, Geneva, Switzerland; and George Danezis, Researcher in Privacy Enhancing Technologies and Computer Security, Cambridge University, UK.

Apparently, these participants took apart their World Summit on Information Society conference badges and discovered RFID tags. Others who attended the conference included Larry Lessig, who pointed to this in his blog. Smartmobs also commented on this. An excerpt from the researchers' findings:

    The official Summit badges, which are plastic and the size of a credit card, hide an "RF smart card" [1 - see the last picture in this series, and look at item #1] - a hidden chip that can communicate its information via radio frequency. It carries both a unique identifier associated with the participant, and a radio frequency tag (RFID) that can be "read" when close to a sensor. These sensors can be located anywhere, from vending machines to the entrance of a specific meeting room allowing the remote identification and tracking of participants, or groups of participants, attending the event.
    The data relating to the card holder (personal details, access authorization, account information, photograph etc.) is not stored on the smart card itself, but instead managed by a centralized relational database. This solution enables the centralized system to monitor closely every movement of the participants at the entrance of the conference center, or using data mining techniques, the human interaction of the participants and their relationship. The system can potentially be extended to track participants' movements within the summit and detect their presence at particular session.

There are other threat models: if the WSIS conference organizers were trying to protect their attendees, they might think about securing the system, so that tracking could not be used to find a particular participant, or a random participant, to harm them or violate their privacy. WSIS would also consider that simply being able to detect presence is a threat in itself, as well as knowing particulars such as who, where and what for more directed harm based on that information.

Also, the lack of knowledge about the future use and aggregation of the database of pictures and participants' activities and personal information is disconcerting, along with the fact that they tracked people without telling them, and had no privacy or data retention policy, as the researchers have noted.

It's not that using RFID tags is implicitly bad, but we have to think about the way we use this technology to collect information, and build in ways to be considerate of others, protecting privacy, as well as not building sensor systems that can potentially endanger them. This was an international conference with prominent attendants. If the conference organizers are concerned enough for the conference overall and the participants' well-being in general to install physical security with metal detectors for all entrants, they must also think about ways they may put people in danger at the conference simply by collecting this kind of information, while leaving RFID tracking computers in plain view.

Security threats to WSIS participants include scenarios where someone has a reader that cannot make sense of the tag information but can still tell that someone is in a particular spot, and harms them based on that information without knowing who they are. This might occur on the conference premises, or in a store with active readers, or a hotel, or walking down the street.

I think people might be concerned about simply being seen as "live" while in different environments, for their own safety. Right now, with our analog environmental frameworks still implicitly informing our thoughts in this area, we don't contemplate this. We don't think of our persons as trackable except in very particular situations (the airport with security cameras or on certain roads - but these cameras relate back to hopefully secure video systems). But we do need to start thinking about this. I don't want to be the target of a mugger who simply can tell when someone is coming, because of a cheap reader and a tag I unwittingly carry that might betray proximity. Readers are not standardized, but readers can sometimes detect tags they can't "read." And eventually, as readers become more sophisticated, using more powerful detection, the 18" they more typically read now in handheld systems might turn 10' or 50' (yes, I know the manufacturers say the reading range is longer than 18", but that's on a lab bench, and talking with users finds 18" is the practical reality).

RFID Generally

RFID is certainly not as dire or apocalyptic as Katherine Albrecht says. Most notably due to the battery issue, because unlike hard drives and processors, batteries are not subject to Moore's Law, and do not double in capacity every 18 months while shrinking in size. Batteries limit what the tags can do, even if they are rechargeable via solar, wind, expanding liquid packets, movement, or some other mechanism, each of which is also limiting.

Electronic Product Codes (EPCs) are an RFID standard similar to Uniform Product Codes, but instead of being scanned like UPCs, EPC tags reflect their programmed data back to readers. EPCs are not yet entirely standardized, though a couple of months ago Walmart mandated that its suppliers use them. EPC tags are not battery powered, so the tag reader must send energy to the tag to wake it up, at which point the tag reflects back information. Walmart's fantasy of having an EPC system in place on shelves within 18 months is just that, a fantasy. I don't believe they will get a system set up, at that point in the supply chain, out on the sales floor, with a tag on every item in the store, because the readers currently can read no more than 20 tags in a minute at around 18" range. Imagine a clerk running around, reading thousands upon thousands of tags, with a reader at 20 per minute. Or imagine shelf readers everywhere. Either way, there will simply be too much noise from other tags to get good readings. And the EPC tags at $.50 are currently too expensive to put on every box of Fruit Loops or can opener. Even $.20, which the EPC makers are shooting for, will be too expensive for most small items at Walmart. But in maybe 8-10 years, it could happen if the price, power and reader issues are worked out. (According to the conference this fall at the Auto-ID center at MIT (now AutoIDLab), Texas Instruments and Alien have so far only made about 5,000 EPC tags.) What is more likely is that luxury goods, which are expensive, will have tags soon because the cost will be worth it for them to experiment for a couple of years with this stuff.

The question is, will other stores or other places be able to read the Walmart tags and make sense of the information there, to do something with it? EPC tags have a set format, and without encryption, this does pose privacy threats, preference threats, personal safety threats (if you are detectable, not as you particularly, but simply as a human in a certain space, where you don't know someone is peering at you, you could be in harm's way, with your Prada briefcase...).
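To make the "set format, without encryption" point concrete, here is an added example (not from the original post) that decodes the 96-bit EPC General Identifier layout: an 8-bit header, a 28-bit manager number, a 24-bit object class and a 36-bit serial. The sample code values and place names are constructed for illustration.

```python
# Added example: what the plaintext fields of a GID-96 EPC reveal to any reader.
GID96_HEADER = 0x35  # 8-bit header value that marks a GID-96 code


def encode_gid96(manager: int, object_class: int, serial: int) -> str:
    """Pack the three fields into 24 hex digits (used here to build samples)."""
    value = (GID96_HEADER << 88) | (manager << 60) | (object_class << 36) | serial
    return f"{value:024X}"


def decode_gid96(epc_hex: str) -> dict:
    """Split a 96-bit EPC into its fixed-width, unencrypted fields."""
    epc_hex = epc_hex.strip().replace(" ", "")
    if len(epc_hex) != 24:
        raise ValueError("GID-96 is exactly 96 bits (24 hex digits)")
    value = int(epc_hex, 16)
    header = value >> 88
    if header != GID96_HEADER:
        raise ValueError(f"not a GID-96 code (header 0x{header:02X})")
    return {
        "manager": (value >> 60) & 0xFFFFFFF,       # 28 bits: issuing company
        "object_class": (value >> 36) & 0xFFFFFF,   # 24 bits: product type
        "serial": value & 0xFFFFFFFFF,              # 36 bits: this one item
    }


def linkable_items(reads):
    """Return EPCs seen at more than one place.

    No back-end database is needed: the unique serial is itself a
    persistent identifier for whoever carries the item.
    """
    seen = {}
    for place, epc_hex in reads:
        seen.setdefault(epc_hex.upper(), set()).add(place)
    return {epc: sorted(p) for epc, p in seen.items() if len(p) > 1}


# Constructed sample reads: (place, EPC as read over the air).
SAMPLE_READS = [
    ("store-exit", "35012D6870010E1000000063"),
    ("hotel-lobby", "35012D6870010E1000000063"),
    ("store-exit", encode_gid96(1234567, 4321, 100)),
]

if __name__ == "__main__":
    print(decode_gid96(SAMPLE_READS[0][1]))
    print(linkable_items(SAMPLE_READS))
```

The manager number and object class identify the maker and product type to any party that knows the public numbering, which is why encryption or disabling the tag at checkout matters for consumer-facing items.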

In reality, Walmart will implement the EPC tag system in the next 18 months on the part of the supply chain that consumers don't touch, the part where each case of products from a supplier can have a tag, and be tracked to prevent theft, damage, and simply save the company money. That part poses no threats to customers; however, employees could find themselves tracked in ways they have not been in the past, as could third parties such as trucking companies and personnel. While most of this is appropriate, again there could be personal safety threats to people.

On the other hand, things are not so casual that, as Larry Downes has said, we should withhold judgment against these kinds of systems. There is a place somewhere in the middle of Albrecht's and Downes' positions that is more reasonable and realistic, but also requires some action. Obviously, the WSIS situation shows that the tags pose certain threats right now, depending on particular RFID tag and reader usage and capabilities, and the construction of the database and security systems, as well as the life of the data and the future uses and privacy policies. We do need to pay attention, understand the technology realistically, and make reasonable decisions for giving notice to anyone getting a tag in any form, whether in a badge or in a product, and take steps to limit the life of the data and the life of the tag, where appropriate.
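The researchers' point that a central log of badge reads exposes "human interaction", and the point above about limiting the life of the data, can be seen together in a short added example (not from the original post or the WSIS system). The badge IDs, reader names and timestamps are constructed, and the 60-second window is an assumption.

```python
# Added example: what a central badge-read log reveals, and how a
# retention limit shrinks it. All data below is constructed.
from collections import Counter
from itertools import combinations

# (badge_id, reader, unix_time) rows as a central database might store them.
LOG = [
    ("B-1001", "room-A-door", 1000),
    ("B-1002", "room-A-door", 1020),
    ("B-1003", "main-entrance", 1030),
    ("B-1001", "cafe-vending", 5000),
    ("B-1002", "cafe-vending", 5040),
    ("B-1003", "room-A-door", 9000),
]


def co_presence(events, window_s=60):
    """Count how often two badges hit the same reader within window_s seconds.

    Only opaque badge IDs are needed; no personal data has to be on the card.
    """
    by_reader = {}
    for badge, reader, ts in events:
        by_reader.setdefault(reader, []).append((ts, badge))
    pairs = Counter()
    for hits in by_reader.values():
        hits.sort()  # chronological, so t2 >= t1 below
        for (t1, b1), (t2, b2) in combinations(hits, 2):
            if b1 != b2 and t2 - t1 <= window_s:
                pairs[tuple(sorted((b1, b2)))] += 1
    return pairs


def apply_retention(events, now, max_age_s):
    """Drop every event older than max_age_s (a data-retention limit)."""
    return [e for e in events if now - e[2] <= max_age_s]


if __name__ == "__main__":
    print("full log:", dict(co_presence(LOG)))
    recent = apply_retention(LOG, now=9100, max_age_s=3600)
    print("after 1h retention:", dict(co_presence(recent)))
```

With the full log, two badges are linked twice; once events older than an hour are purged, the same query returns nothing, which is the practical effect of a retention policy on this kind of analysis.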

Posted by Mary Hodder at December 20, 2003 12:21 PM
Comments

Damn... next time I'm at a conference, I'll have to trade badges or microwave mine... or surround it with mylar (does that work? My physics intuition tells me that a thin piece of mylar might not be enough to stop long radio waves).

Has anyone thought about making RFIDs that expire? That is, how about in the same manner that those dye-loaded tags that keep us from shoplifting expensive stuff, RFIDs could expire once they left the premises of the retail store. When people check out, part of the process could be zapping the RFID...

Posted by: joe on December 20, 2003 11:28 PM

> RFID is certainly not as dire or apocalyptic as Katherine Albrecht says. Most notably due to the battery issue...

But NB, the very cheap tags that are intended to be pervasive* in retail commerce will necessarily be =passive= tags, without batteries (and, therefore, without any sort of expiration date).

* One can be skeptical as to =how= pervasive RFID is likely to become; we've got a paper on our assessment that retailers are unlikely to see a lot of benefits to RFID "on the shelves:" http://www.stapleton-gray.com/papers/

Posted by: Ross Stapleton-Gray on January 1, 2004 07:05 PM