RFID Privacy Issues and the ORCA System
Steve Shafer (stevensh@microsoft.com), Microsoft Research, May 2007

Steve Shafer, Microsoft Research
- Working in ubiquitous computing for a long time
- Working with RFID at Microsoft
  - Microsoft RFID whitepaper on RFID Privacy
- Was a member of the CDT RFID Privacy Working Group
- Vice Chair of the Privacy Advisory Council of the NFC Forum
- Presented at UW in November 2006

Today
- RFID privacy vocabulary & guidelines
- Privacy Survey: How ORCA measures up
  - Note there are both RFID and non-RFID privacy issues in ORCA
  - I am only qualified to address RFID issues

Vocabulary – Personal Data
- Personal Data consists of Personal ID and Activity Records
  - Personal ID is data that describes or gives access to a unique individual Subject
  - An Activity Record associates a Pseudonym with data about activities, transactions, locations, things, or other people
    - A Pseudonym is any unique data associated with a unique individual Subject
      - A unique datum, or a unique combination of non-unique data
      - A unique value, or a value drawn from a unique set of values

Vocabulary – Privacy Violations
- Privacy Violations include Privacy Breaches and Tracking
  - A Privacy Breach is a disclosure of Personal ID to an unauthorized party
  - Tracking is a disclosure of Activity Records to an unauthorized party

Vocabulary – Authorization
- In a Mandatory system, authorization is stipulated by the system operator
- In a Voluntary system, the User provides authorization through Informed Consent
  - The User is the individual who presents a tag to the system
  - Informed Consent includes Notice and Consent (as described in the guidelines)

Vocabulary – Recap
- Personal Data
- Personal ID
  - Privacy Breach
- Pseudonym & Activity Record
  - Tracking
- Subject & User
- Authorized v. Unauthorized
- Mandatory
- Voluntary
- Informed Consent

Guidelines – I – Principles
- The broadest relevant definition of Personal ID should be applied.
  - What about index data? Non-actionable data?
- Personal ID should be Directional.
- Pseudonyms should be Directional …
  - … but frequently they’re not.

Guidelines – II – Informed Consent
- Informed Consent should be obtained before a User enrolls in the system.
  - Notice should include the Personal Data collected, its purposes, retention & other policies, and the actions available to the User.
    - What about limitations on the “purposes”?
  - Consent requires a knowing, affirmative indication.
- Informed Consent should be obtained before any transaction or activity.
  - Notice may be simply a logo.
  - Consent may be simply the presentation of the tag.

Guidelines – III – Security
- Personal Data should be made Directional both in storage and in communication.
  - Design security – Minimize Personal Data.
  - Physical security – Keep the tag quiet electronically.
  - Information security – Make the software smart.

Guidelines – IV – Data Handling
- Personal Data should be handled responsibly.
  - Only use it for agreed-upon purposes.
  - Have a policy for data expiration.
  - Ensure the integrity and quality of the data.
  - Provide Users with access to data about them.
  - Provide Users with a complaint mechanism.
  - Take responsibility when data is sent to third parties (details on the next slide).
  - Review policies and practices regularly.

Guidelines – IVa – Onward Transfer
- 7f. Sending Personal Data to a third party:
  - Tell the recipient what the data is authorized for.
  - Take steps to ensure the recipient uses the data only for authorized purposes.
  - Take steps to ensure the recipient abides by reasonable principles for data handling.
  - If the User appeals your handling of the data, propagate that appeal to the recipient.

Apply These Guidelines to ORCA
- Some noteworthy points:
  - Transit users can elect to pay cash, or use ORCA cards without creating an account
    - Accounts are for replenishment or for institutions
  - Institutional use may be Mandatory
  - Personal ID is not on the card … but many Pseudonyms are there
    - Should the U-Pass number itself be considered Personal ID?
  - In fact, Personal Data is on the card, in the form of an Activity Record (the “ride history” of your last 10 trips [for each agency])

Apply These Guidelines to ORCA
- Some more noteworthy points:
  - In theory, ISO 14443 tags operate at up to 10 cm. In practice, with purpose-built antennas, they can be skimmed at 20–50 cm, eavesdropped on at 10 m, and detected at 20 m.
  - In ORCA, the Contract Administrator can authorize additional uses for the data!
  - Cohabiting applications may access ORCA data if authorized by the Contract Administrator!
    - ORCA data is to be encrypted by a key. But where will the key live?
    - One key per tag? Per agency? Per user?

Apply These Guidelines to ORCA
- Some more noteworthy points:
  - ORCA requires card serial numbers. It also requires that they be linkable to Personal ID.
  - (non-RFID) ORCA mandates Personal ID in the central database
    - Is this really required for the stated purposes, i.e. replenishment & linkage?
  - (non-RFID) ORCA mandates a history of at least the last 20 fare payments & transfers in the database
    - Is this really required for the stated purposes?

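The questions on the preceding slide (where the key lives; one key per tag, agency or user) have a standard engineering answer, key diversification: the issuer’s backend keeps one master key and derives a per-card key from the card serial number, so a reader can be provisioned with just the diversified keys it needs, and a compromised card or reader exposes no other card. The following is an added example written for this page, not ORCA’s design or code; the derivation label, the sample “ride history” record and the HMAC-based stand-in for a real AEAD are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 12, 16


def diversify(master_key, card_serial):
    """Per-card key = HMAC-SHA256(master, label || serial). Only the issuer's backend
    (ideally an HSM) holds `master_key`; the label is an assumption of this example."""
    return hmac.new(master_key, b"card-key|" + card_serial, hashlib.sha256).digest()


def provision_reader(master_key, serials):
    """What an agency reader is handed: only the diversified keys for the cards it
    must read. Losing this set exposes neither the master key nor any other card."""
    return {serial: diversify(master_key, serial) for serial in serials}


def _subkey(card_key, label):
    # Separate encryption and MAC keys derived from the card key.
    return hmac.new(card_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode; a stand-in for a real cipher so the example
    # runs on the standard library alone.
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def seal(card_key, record):
    """Encrypt-then-MAC of a JSON record under one card's key: nonce || ct || tag."""
    enc_key, mac_key = _subkey(card_key, b"enc"), _subkey(card_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = json.dumps(record, separators=(",", ":")).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


def unseal(card_key, blob):
    """Return the record, or None when the MAC fails (wrong card key, or tampering)."""
    enc_key, mac_key = _subkey(card_key, b"enc"), _subkey(card_key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


# Constructed sample record, shaped like the on-card ride history the slides mention.
RIDE_HISTORY = {"agency": "KCM", "trips": [{"route": "71", "stop": "U District", "t": "07:52"}]}

if __name__ == "__main__":
    master = secrets.token_bytes(32)                      # lives at the backend only
    keys = provision_reader(master, [b"0123456789", b"0123456790"])
    blob = seal(keys[b"0123456789"], RIDE_HISTORY)        # what a reader writes to card A
    print("card A reads back:", unseal(keys[b"0123456789"], blob))
    print("card B's key on A's data:", unseal(keys[b"0123456790"], blob))
```

A skimmer who dumps one card gets a blob it cannot open, and a reader that is provisioned only with its own agency’s card keys cannot open another agency’s records either; the remaining question from the slide, which party holds the master key and audits derivations, is a governance decision the code cannot make.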
Stuff I Presented in November 2006 to the UW Law School (Steve Shafer, Microsoft Corp.)

Worthwhile Web Links
- http://www.cephas-library.com/nwo/nwo_the_year_of_rfid_legislation.html
- http://www.retail-leaders.org/new/resources/RFID_Bill_Summaries_2005_08-31-05.pdf
- http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0651-0700/sb_682_bill_20050815_amended_asm.html
- http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0651-0700/sb_682_bill_20060807_amended_asm.html
- http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0751-0800/sb_768_bill_20050902_amended_asm.html
- http://www.cr80news.com/news/2006/10/02/governor-schwarzenegger-vetoes-controversial-antirfid-legislation/
- http://www.retail-leaders.org/new/rlGovAffairs.aspx?section=GOVEIS&id=5&cid=16
- http://www.cdt.org/privacy/20060501rfid-best-practices.php

Issues to Consider
- What is Privacy?
- What is RFID?
  - What are the key initiatives of public interest?
- What are the privacy risks from RFID?
- What is happening with RFID privacy policy today?
- What are key issues for policymakers?

What is Privacy?
- One definition: “Giving consumers control over the collection and use of personal data”

The Privacy Community
(Diagram: three groups, the question each asks, and the tools each brings.)
- Advocates & Sociologists ask “What makes people feel uneasy?” – Surveys, Behavior Studies
- CPOs & Regulators ask “What are the rules for handling data?” – Fair Information Practices, Legislation & Regulation
- Engineers ask “How do I give control over information?” – Security Mechanisms, Control UX

Key RFID Technology Variations
(Chart: Read/Write Range on one axis, from 4 inches through 10 feet to 300 feet; Tag Capability on the other, from “256 bytes, ID only” up to “32 Kbytes, UI, sensors, location, security”. Dozens of variations exist; three families stand out.)

  Family                      Range        Capability
  NFC / 14443 / SmartCards    ~4 inches    high (data, security)
  EPCglobal                   ~10 feet     ID only
  Active Tags                 ~300 feet    high (sensors, location)

Key Privacy-Sensitive Forms of RFID
- EPCglobal: ID number, 20-foot range
  - For supply chain (pallets and cases)
  - What if individual goods are labeled?
  - RealID (state driver’s licenses) is similar to this
- NFC: Lots of data, security, 2-inch range
  - Payment cards, cell phones
  - Personal data can be involved
  - The e-Passport uses NFC; so do the credit card companies
- Active RFID: Idiosyncratic, 300-foot range
  - Person-tracking by employers
  - License plate tracking in the UK

What is Personal Data?
- Personal Identification
  - Details about an individual person
  - Primarily in ID documents / badges / cards
  - The privacy violation is a “Breach”
- Activity Records
  - Accumulated based on a pseudonym
  - Primarily in consumer goods
  - The privacy violation is “Tracking”

PII = Personally Identifiable Information
- The primary category of data protected by “privacy” in US practice
- Many different definitions; here’s one:
  - “any piece of information which can potentially be used to uniquely identify, contact, or locate a single person”
  - Wikipedia says it includes name (if not common), government ID number, phone number, street address, email address, vehicle plate number, face / biometric, IP address (sometimes)
  - A fairly loose and squishy definition
  - Different sources have different definitions
- The EU’s “Personal Identification” includes more

RFID Privacy Breaches
- Leak of information through radio
- Collecting information that is not authorized
- Retaining information that is not authorized
- Using information in ways that are not authorized
- Sending information to third parties who are not authorized
- These apply to all IT systems, not just RFID

RFID Radio Security
- Security is to protect data from access by unauthorized parties
- Types of attack (diagram: a Tag talking to its Authorized Reader, with four attackers around the link):
  - Eavesdropper: listens in on a legitimate tag–reader exchange
  - Skimmer: reads the tag with an unauthorized reader of its own
  - Spoofer: impersonates a tag (or a reader) to the other side
  - Tamperer: alters the data stored on the tag
- Not all systems have adequate security designed in

Tracking
- Activity Records based on a pseudonym
- Non-PII data about an individual
  - New technologies (e.g. RFID, cell phones) produce data about things in the world
  - You may leave a “trail of breadcrumbs”
  - Based on a pseudonym, not Personal ID
  - But the object is yours!
- Actually, “trail” → “mountains”
- These data mountains are not considered PII

“Helen Wears a Hat”
- Helen buys a hat at store A.
- The hat contains an RFID tag with a unique ID number.
  - (Even if encrypted, it is unique.)
- (The store might record purchase information about Helen, but we will assume they keep it private.)
- Helen keeps the RFID tag in the hat because she has a “smart closet”.
(Diagram: Hat #1 is read at Store A and goes home with Helen.)

“Helen Wears a Hat” – Chapter 2
- Helen visits store B wearing her hat. Store B detects it at the door.
- Helen visits stores C, D, and E, and has lunch with her friend Suzie, who has a new sweater.
(Diagram: Hat #1 is read at Stores B, C, D and E and at the Cafe; Sweater #9 is read at the Cafe alongside Hat #1.)

“Helen Wears a Hat” – Chapter 3
- These stores all sell their data to marketer X, who assembles it and looks for patterns. This information is available to businesses, and is discoverable in legal proceedings.
- Helen’s name and personal data do not appear in the records.
- The usual “privacy policies” and regulations do not apply to this data!

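Marketer X’s data assembly, as an added example (not from the slides, and not any real retailer’s or marketer’s code): a handful of constructed door-reader sightings are keyed first by the unique tag ID the hat carries, which reproduces Helen’s trail and her lunch with Suzie without a name appearing anywhere, and then by bare SKUs to show the point the deck makes later about erasing serial numbers, that a combination of individually non-unique SKUs works as a pseudonym again. The “SKU.serial” tag-ID format and all readers, times and SKUs are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: each sighting is one shopper passing a door reader,
# with the set of tag IDs read from the items carried. Tag IDs are written
# "<SKU>.<serial>"; made-up values, not real EPC encodings.
SIGHTINGS = [
    ("store_A", "09:02", {"HAT-4471.000001"}),
    ("store_B", "09:40", {"HAT-4471.000001", "SHOES-9002.000017"}),
    ("store_C", "10:15", {"HAT-4471.000001", "SHOES-9002.000017"}),
    ("cafe",    "12:30", {"HAT-4471.000001", "SHOES-9002.000017"}),
    ("cafe",    "12:30", {"SWEATER-7310.000009"}),                    # Suzie, same table
    ("store_E", "14:00", {"HAT-4471.000001", "SHOES-9002.000017"}),
    ("store_B", "16:10", {"HAT-4471.000052", "JACKET-1180.000300"}),  # someone else, same hat SKU
]


def sku_of(tag_id):
    """The non-unique part of a tag ID: what survives 'erase the serial number'."""
    return tag_id.split(".", 1)[0]


def records_by_tag(sightings):
    """Marketer X's view: activity records keyed by the unique tag ID (a pseudonym).
    No name appears anywhere, yet every sighting of Hat #1 lands in one record."""
    records = defaultdict(list)
    for reader, when, tags in sightings:
        for tag in tags:
            records[tag].append((reader, when))
    return dict(records)


def trail(records, pseudonym):
    """Readers at which a pseudonym was seen, in order: the 'trail of breadcrumbs'."""
    return [reader for reader, _ in records.get(pseudonym, [])]


def co_presence(records, a, b):
    """Reader/time pairs at which two pseudonyms were seen together; this is how
    the lunch with Suzie links Hat #1 to Sweater #9 in the assembled data."""
    return sorted(set(records.get(a, [])) & set(records.get(b, [])))


def link_by_sku_set(sightings, skus):
    """Linkage after serial numbers are erased: sightings whose carried SKUs
    include all of `skus`. One SKU alone also matches other shoppers; a
    combination of SKUs is close to unique and serves as a pseudonym again."""
    wanted = set(skus)
    return [reader for reader, _, tags in sightings
            if wanted <= {sku_of(t) for t in tags}]


if __name__ == "__main__":
    records = records_by_tag(SIGHTINGS)
    print("Hat #1 trail:", trail(records, "HAT-4471.000001"))
    print("Hat #1 with Sweater #9:", co_presence(records, "HAT-4471.000001", "SWEATER-7310.000009"))
    print("hat SKU alone:", link_by_sku_set(SIGHTINGS, {"HAT-4471"}))
    print("hat + shoes SKUs:", link_by_sku_set(SIGHTINGS, {"HAT-4471", "SHOES-9002"}))
```

The last two calls are the check a practitioner wants before trusting “erase the serial number”: the hat SKU by itself mixes two shoppers together, but the pair of SKUs Helen happens to carry isolates her sightings exactly as the serial number did.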
Privacy Breach + Tracking
- Privacy Breach and Tracking interact:
  - A breach makes it possible to track
  - Tracking + physical presence can lead to a breach
  - More tracking makes it easier to mine the data to create a breach
  - Tracking makes the consequences of a breach more serious

Protecting Personal Data
- Who does what with your personal data?
- Sanctioned (addressed by privacy policy):
  - User’s Understanding
  - Authorized Use
  - “Authorization Creep”
  - “Third-Party Freedom”
- Miscreants (addressed by privacy & security):
  - “Opportunistic”
  - “Professional”
  - “Conspiratorial” (= “Organized”)
  - That Which Must Not Be Named

Best Practice Guidelines
- Most experts agree that the primary basis for RFID privacy policy should be Fair Information Practices
  - Many variants, e.g. “Safe Harbor”
  - Notice, Choice, Consent, Security, …
- This addresses authorized users
- Not always honored by government
  - Identity documents, license plates, etc.
  - Unclear meaning, e.g. what is “consent”?
  - Unclear decision-making process

Privacy Policy for PII: Safe Harbor
- Notice
- Choice & Consent
- Onward Transfer
- Access
- Security
- Data Integrity & Quality
- Enforcement & Remedy
- Good reference: Privacy Best Practices for Deployment of RFID Technology, Center for Democracy and Technology, 2006. http://www.cdt.org/privacy/20060501rfid-best-practices.php

Security Mechanisms
- Information Security
  - Encryption, Authorization, Dynamic IDs, …
- Physical Security
  - On/off switches, Foil covers, Short range, Multiple modalities, …
- Design Security
  - Opt-in v. opt-out, Default settings, No PII on tags, …

Resistance to Tracking
- Proposed “privacy” measures:
  - Clipping (IBM): shorten the antenna after purchase
  - Killing (EPC): deactivate the tag on command
  - Erase the Serial Number: leave the SKU intact
  - Blocker (RSA): a device that pretends to be every tag
  - Dynamic ID, a new trend in the RFID literature: the tag presents an apparently random ID
    - Cryptographic techniques for generating a sequence of ID numbers that cannot be inverted
- All of the above have major shortcomings!

Where is the Action Today?
- Guidelines: Industry organizations, standards bodies, privacy advocates
  - Center for Democracy and Technology
- State legislatures in the US
  - CA, IL, WA, NH, AL, …
- EU, Japan, …

Common Pitfalls in Proposed RFID Privacy Regulations & Laws
- Overbroad definition of “RFID” includes cell phones, laptops, etc.
  - Example: “RFID means electronic devices that broadcast an identification number by radio”
- Regulating technology without limiting data or its use
  - RFID in 2006; what will it be in 2016?
- Ban on technology (reduces innovation)
  - “No RFID until 2010”

Policy Recommendations
- “Trustworthy Computing is Good Business”
- Get good technical guidance!
- Encourage technology development
- Regulate data and its use, not technology
- Foster responsible use
- Codify best practices based on FIP
- Don’t lock in current technologies
- Sensitive applications need careful planning

Issues in RFID Privacy
- What is Privacy?
- What is RFID?
  - What are the key initiatives of public interest?
- What are the privacy risks from RFID?
- What is happening with RFID privacy policy today?
- What are key issues for policymakers?

Additional Material

Solove’s Taxonomy of Privacy
(Diagram labels: “Data Holders”, “Risk from PAI”; * = on previous slide)
- I. Information Collection: Surveillance *, Interrogation
- II. Information Processing: Aggregation *, Identification *, Insecurity, Secondary Use *, Exclusion
- III. Information Dissemination: Breach of Confidentiality, Disclosure, Exposure, Increased Accessibility, Blackmail, Appropriation, Distortion
- IV. Invasions: Intrusion *, Decisional Interference *
- Reprinted with permission from: Solove, Daniel J., “A Taxonomy of Privacy”. University of Pennsylvania Law Review, Vol. 154, Fall 2005. http://ssrn.com/abstract=667622

TRUSTe’s definition (excerpt)
- “any information … (i) that identifies or can be used to identify, contact, or locate … or (ii) from which identification or contact information of an individual person can be derived.”
- Includes: name, government ID numbers, phone + FAX numbers, street address, email address, financial profiles, medical profile, credit card info.
- Note that financial / medical info is “especially sensitive information”
- Source: Jeffrey Klimas v. Comcast Corp, US …

TRUSTe “Associated” Info
- “to the extent unique information … [not PII] is associated with PII … [it] will be considered [PII]”
- Includes personal profile, biometric, pseudonym, IP address
- An IP address “becomes PII” only if “associated with” PII
- Excludes data collected “anonymously” (“without identification of the individual user”)
  - So it seems to exclude Helen’s hat’s data records unless associated with PII
  - This data is “pseudonymous”, not really “anonymous”

Pseudonyms
- A pseudonym is any constant, unique datum
- Can be an almost-unique datum
- Can be a set of common data
- Can be an encrypted datum
- Can be a pseudo-random member of a unique set

Privacy and Security
(Diagram: Non-Personal Data and Personal Data on one axis, Unauthorized User vs. Authorized User and Use on the other.)
- Security = enforcement of a boundary against unauthorized users (a mechanism)
- Privacy = defining and enforcing the boundary & policy for personal data, i.e. who is an authorized user and what is an authorized use (a policy)
- The region where both apply is labelled “Security and Privacy”

Directionality in Identity Systems
- Omnidirectional = accessible to everyone
- Directional = only accessible to authorized parties
  - Also called Unidirectional
  - Enforced by security measures
    - Authorization of both endpoints
    - Encryption of data in storage and in communication

Security Goals for RFID Privacy
- Personal ID should always be Directional
- Pseudonyms should always be Directional
- Personal ID: this is a no-brainer
- Pseudonyms: usually very difficult to implement!

Problems With Tracking Resistance
- Proposed “privacy” measures:
  - Clipping (IBM): shorten the antenna after purchase
    - Doesn’t change the information flow
  - Killing (EPC): deactivate the tag on command
    - Prevents after-market use of tags
  - Erase the Serial Number: leave the SKU intact
    - Combinations of SKUs can create a unique identifier
  - Blocker (RSA): a device that pretends to be every tag
    - Denial of Service is a security violation
  - Dynamic ID, a new trend in the RFID literature: the tag presents an apparently random ID
    - Every reader has to know the secret for every tag

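The Dynamic ID scheme from the two tracking-resistance slides, with the cost they flag, as an added example (not from the slides or any RFID standard): the tag emits HMAC-SHA256(key, counter) truncated to 8 bytes, so consecutive responses are unlinkable to an eavesdropper who lacks the key and a captured response cannot be replayed once a newer one has been accepted; the authorized reader must hold every tag’s key and, for each response, try every key across a window of counter values, which is exactly “every reader has to know the secret for every tag”. ID_LEN, WINDOW and the tag-side counter are design assumptions of the example.

```python
import hashlib
import hmac
import secrets

ID_LEN = 8     # bytes of MAC the tag actually transmits (assumption: short responses)
WINDOW = 16    # reads a tag may make out of the reader's sight before it is "lost"


def dynamic_id(key, counter):
    """One-way ID function: HMAC-SHA256(key, counter), truncated. Without `key` an
    eavesdropper can neither invert an ID nor tell whether two IDs share a tag."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:ID_LEN]


class Tag:
    """A tag holding one secret; each inventory round it emits the next ID."""

    def __init__(self, key):
        self._key = key
        self._counter = 0

    def respond(self):
        self._counter += 1
        return dynamic_id(self._key, self._counter)


class Reader:
    """Authorized reader/backend. It must hold every enrolled tag's secret and, for
    each received ID, try every tag over a window of counters: the cost the slides
    point out ('every reader has to know the secret for every tag')."""

    def __init__(self):
        self._tags = {}            # label -> [key, last accepted counter]
        self.mac_evaluations = 0   # work done by the most recent identify() call

    def enroll(self, label, key):
        self._tags[label] = [key, 0]

    def identify(self, emitted_id):
        """Return the tag label, or None for unknown tags and for replayed IDs
        (an old counter value is never accepted once a newer one has been)."""
        self.mac_evaluations = 0
        for label, state in self._tags.items():
            key, last = state
            for counter in range(last + 1, last + 1 + WINDOW):
                self.mac_evaluations += 1
                if hmac.compare_digest(dynamic_id(key, counter), emitted_id):
                    state[1] = counter      # advance; older IDs are now rejected
                    return label
        return None


def enroll_fleet(n):
    """Issue n tags with fresh random secrets and a reader that knows all of them."""
    reader, tags = Reader(), {}
    for i in range(n):
        key = secrets.token_bytes(16)
        label = f"tag{i}"
        tags[label] = Tag(key)
        reader.enroll(label, key)
    return reader, tags


if __name__ == "__main__":
    reader, tags = enroll_fleet(100)
    first, second = tags["tag42"].respond(), tags["tag42"].respond()
    print("over the air:", first.hex(), second.hex())          # unlinkable without the key
    print("backend says:", reader.identify(second), "after", reader.mac_evaluations, "MACs")
    print("replay of the earlier ID:", reader.identify(first))
```

The mac_evaluations counter makes the scaling visible: identification costs up to (number of tags × WINDOW) MAC computations per read, and every reader that must succeed at it carries the full key set, so a single compromised reader exposes the whole fleet’s secrets. Synchronization is the other practical hazard: a tag read more than WINDOW times by readers outside this backend falls out of the window and is never recognized again.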
