RFID, Surveillance and Privacy: The Sorting Door Project
- Stapleton-Gray & Associates, Inc. is engineering the Sorting Door Project as an experimental test bed for the study of RFID, surveillance and privacy. RFID is a technology well-suited to surveillance.
- What you wear or carry, if RFID tagged, can be observed. Many, many more things will be tagged; many, many more readers will be out there.
- The Sorting Door architecture is intended to invite and accept participation from all parties interested in understanding:
  - The technological envelope for monitoring RFID-tagged objects;
  - How inferences might be made, based on such observations;
  - What technology and policy options might prevent abuse of RFID-based surveillance, where necessary.
RFID: Well-Suited to Surveillance
- RFID is being rapidly and widely deployed, driven primarily by commercial demands (800# gorillas Wal*Mart and DOD).
- Both tags and readers are proliferating. And while they may be deployed initially for isolated applications, tags are “promiscuous talkers” and can be detected by many other readers... readers are “promiscuous listeners,” and can detect many other tags.
- RFID is a technology well-suited to surveillance:
  - Can be interrogated at a (limited) distance;
  - Does not require line-of-sight, but can read through (some) things;
  - Undetectable by (most) people.
RFID Forecasts
- RFID is already in widespread application, especially for:
  - Access, e.g., building access badges and car key security;
  - Toll payments, e.g., E-ZPass, FasTrak, and Mobile Speedpass.
- But the larger wave coming is in commercial supply chain, and, eventually, item-level tagging of consumer goods.
- The cost and effectiveness of tags are gating factors: item-level tagging won’t make sense if tags are an appreciable percentage of the value of an item; a 50¢ tag makes sense on a pallet of cases of boxes of toothpaste, but not on a tube. The 5¢ tag (in quantity) is something like the 4-minute mile... something to shoot for.
- Tag manufacturer Alien Technology announced this month that it had shipped a total of 50 million EPC Class I RFID tags over the past year (but compare with 2.5 billion boxes of cereal purchased in the U.S. annually... a ways to go!).
Market Forces
Two 800# gorillas have provided enormous demand for RFID deployment: both Wal*Mart and the U.S. Department of Defense have mandated that suppliers employ RFID tags on shipments, starting at the aggregate level (cases and pallets). (Note: for some items, case- and item-level tagging might be equivalent, e.g., microwave ovens.) Many major retailers have followed Wal*Mart’s lead. The U.S. Food and Drug Administration has suggested that RFID tagging may be mandated to allow for counterfeit drug detection, i.e., to be able to track a pharmaceutical’s supply chain history, and flag those which lack an appropriate “pedigree.” Many libraries (including the Berkeley California Public Library) have adopted RFID to better manage collections.
RFID, Surveillance and Privacy: the Threat Model
The laws of physics limit the useful range of a passive RFID tag, and, by nature, passive tags can be continually polled by readers but do not allow continuous tracking. But these limitations do not eliminate all threats; they merely help to define the boundaries of the threat model. RFID’s limited useful range suggests that threats will come in constrained spaces. Many early RFID deployments focus on doorways, e.g., RFID-tagged library books are read as patrons pass through detector gates. Doorways are ideal environments for RFID-facilitated surveillance generally: subjects can be isolated, placed in close proximity to easily-hidden readers, and there are opportunities to employ complementary sensor technology (e.g., optical or pressure sensors to isolate specific individuals from among several).
The Threat Model (cont.)
RFID will allow for the collection of many, many more data points. These data will be little glimpses into activity – a kind of “point surveillance” – but a lot of little glimpses may reveal a bigger picture. “Identity binding” can make some of these data points much more valuable, when a unique identifier (i.e., a specific RFID tag) can be mapped to a particular individual. It will be possible to make inferences from the nature of objects seen, i.e., when an RFID-tagged consumer good is detected, one can attribute to its wearer/bearer various characteristics... “Odds are pretty good that the person who just passed us with a size 4 Donna Karan dress isn’t a six-foot-tall man.”
Privacy and Pointillism... (cont.)
[Figure: Georges Seurat’s A Sunday on La Grande Jatte—1884, at varying levels of abstraction.]
Even the lower right image is actually an abstraction of an abstraction: while the original work is still composed of distinct points, the image you’re seeing here was produced at far fewer dots per inch by the printer... The message is that data points may become far, far more common, due to RFID. While each, by itself, is next to meaningless, in vast accumulations you’ll start to discern meaningful pictures. Or, as Lenin said, “Quantity is quality.”
Identity Binding
Tags can be used to uniquely identify objects (this is why the keen interest in RFID in commercial supply chain) with a vast name space – the Electronic Product Code (EPC) 96-bit value could uniquely identify every object you’d care to, with a lot of space left over. When tags are seen, they’ll often uniquely identify objects: “That same thing passed by this reader just now, Monday morning, and Tuesday evening.” When the wearer/bearer of a tagged object presents additional information, e.g., a driver’s license or passport, that now-revealed identity can be bound to any tags present. The next time we see a given tag, “that’s Alice’s thing... maybe we’re seeing Alice again.”
Note #1... This works for historical data: “We know now that that was probably Alice at all these points over the past year.”
Note #2... This is an educated guess, and depends on the nature of objects. People tend to borrow umbrellas and books, but not underwear...
Inferences from the Nature of Objects
- EPCs will be forward/backward compatible, as much as is possible, with legacy product codes like the UPC. (And why not? Why abandon 30 years of industry standardization in product codes?)
- Mapping product codes to product information is well understood, e.g., for converting point-of-sale data to market research insights (“People who buy Widgets® also buy Gizmos®; both are consumer electronics goods”).
- Many objects will permit strong inferences to be made, regarding the individual wearing/bearing them:
  - size 4 Donna Karan dress
  - man’s size 13 shoe
  - first edition copy of “Earth in the Balance”
- NB: this will depend heavily on item-level tagging of objects in commerce... proponents see that coming soon; others of us are a bit skeptical.
The Sorting Door
“A terrified-looking boy Harry had noticed earlier stumbled forwards and put the Hat on his head; it was only prevented from falling right down to his shoulders by his very prominent ears. The Hat considered for a moment, then the rip near the brim opened again and shouted: ‘Gryffindor!’ Harry clapped loudly with the rest of Gryffindor house as Euan Abercrombie staggered to their table and sat down, looking as though he would like very much to sink through the floor and never be looked at again.”
J. K. Rowling, Harry Potter and the Order of the Phoenix
Like “Harry Potter’s” Sorting Hat, the Sorting Door will similarly interrogate individuals for – to them – intangible qualities, and make inferences as to their nature and implications.
The Sorting Door (cont.)
- Doors are attractive points for RFID-based surveillance:
  - RFID read ranges, for most commonly-encountered tags, are short, but not less than a meter or so;
  - Lots of readers already installed in doors, e.g., anti-theft gates in libraries;
  - Doors are appropriate places to take actions: bar a potential threat, or welcome a potential friend, ally, or cherished customer.
- Other data collection may also be possible at doors, e.g., presentation of a driver’s license for admission, or biometric data.
The Sorting Door Architecture
[Architecture diagram: Sorting Door #1 ... Sorting Door #N, Identification Engine, Internet, ONS, Commercial Data..., Databases; elements numbered 1 through 8.]
The Sorting Door Architecture (cont.)
- An instrumented “Sorting Door”
- Communication of observed RFIDs to the Identification Engine and databases
- Presentation of information on RFIDs observed, and inferences made, for educational or other purposes
- Other Door implementations
- Identification Engine
- Databases of RFID tag observations
- Databases of supporting data
- EPCglobal’s Object Naming Service (ONS) and associated electronic product code (EPC)-keyed data
Multiple Doors share common resources on the back end, though any Door’s information might be segregated as desired for security/privacy purposes.
Research Questions
Research questions arise in the context of each element of the Sorting Door architecture:
- How best to design various forms of instrumented Sorting Doors, acknowledging various environments, supporting technologies and collection interests?
- How should Doors interact with those who encounter them?
- How might the collection of multiple Doors be aggregated and integrated?
- What forms of databases and applications are needed to derive inferences from RFID tags seen by the various Sorting Doors, whether singly, or in collaboration?
- How to acquire and integrate contextual data, e.g., on the nature of consumer products detected?
Sorting Doors
While the simplest implementation of a Sorting Door might be, as with library gates, a single-frequency reader monitoring an egress, Doors might vary widely in design, capability and purpose. Any given space, e.g., a lecture room, corridor, or vehicle interior, could be instrumented as a Sorting Door—“Door” is intended to be a very stretchy metaphor. (Note also the similarity to research work on “smart spaces”—our interest here is in “non-cooperative RFID,” where surveillance, and not collaborative communication, is the focus.)
Interaction With Test Subjects
Some of the uses of the Sorting Door system will be to educate and inform audiences, e.g., students of the societal impacts of RFID as a technology of surveillance, or the public in general. Some Doors might be deployed with an accompanying information kiosk, capable of displaying data collected by the associated Door, and explaining the implications of such collection.
“Did you know that you’re carrying some RFID-tagged items? Care to know what we can guess about you, based on what we see?”
Integration of Multiple Doors
A single Sorting Door might produce interesting data; integrating several, or numerous, Doors even more so. Privacy concerns should rise as a function of the degree of pervasiveness of both RFID tags and readers in society, as more and more data points are collected by more and more parties, allowing for the construction of rich mosaics of human activity. Some of the Sorting Door research will consider synthetic models, e.g., assuming degrees of pervasiveness of tags in populations, and readers across geographies, to attempt to assess potential futures.
Databases and Inference Engines
Data collected by Doors can be pooled in databases and, with other information, used to develop inferences and assertions. This would include the construction of tentative assertions of identity, and the extraction of patterns in large volumes of “point surveillance” data. Doors do not have to share all of the information they collect, given security/privacy concerns. Doors should be able to provide deidentified data as well: “When you see tag #123456, it can be mapped to a unique individual, with some probability. We know who, since s/he presented a credit card, but that’s not something we’re going to tell just anybody! Let’s just call him/her Person #6789.” Keeping track of data, including deidentified data and data with other sharing constraints, will be a challenge.
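As an added example (not the project's own code) tying together Note #1 on the Identity Binding slide and the deidentified sharing described here: a toy Sorting Door back end in which a credential presented once relabels every earlier sighting of the same tag, while the view shared with other parties carries only a stable pseudonym and the object's nature. Tag IDs, door names, times and the product catalogue standing in for ONS lookups are all constructed.

```python
"""Toy Sorting Door back end: point sightings, identity binding with retroactive attribution,
and the pseudonymised view a Door can share. Added example; all data values are constructed."""
from dataclasses import dataclass

# Constructed stand-in for an ONS/product-data lookup keyed by tag ID.
CATALOGUE = {
    "urn:epc:tag:0001": "size 4 Donna Karan dress",
    "urn:epc:tag:0002": "man's size 13 shoe",
}

@dataclass
class Sighting:
    door: str
    time: str
    tag: str

class SortingDoorDB:
    def __init__(self) -> None:
        self.sightings: list[Sighting] = []
        self.identities: dict[str, str] = {}   # tag -> real name; never leaves this Door
        self.pseudonyms: dict[str, str] = {}   # tag -> stable pseudonym ("Person #6789", ...)

    def observe(self, door: str, time: str, tag: str) -> None:
        self.sightings.append(Sighting(door, time, tag))
        if tag not in self.pseudonyms:  # same tag -> same pseudonym, so shared data stays linkable
            self.pseudonyms[tag] = f"Person #{6789 + len(self.pseudonyms)}"

    def bind_identity(self, tag: str, name: str) -> None:
        """A tag seen alongside a presented credential (licence, credit card) gets a name."""
        self.identities[tag] = name

    def history(self, tag: str) -> list[tuple[str, str, str, str]]:
        """Internal view of one tag: a binding made today relabels every earlier sighting."""
        who = self.identities.get(tag, self.pseudonyms.get(tag, "unknown"))
        what = CATALOGUE.get(tag, "unknown object")
        return [(s.door, s.time, who, what) for s in self.sightings if s.tag == tag]

    def deidentified_view(self) -> list[tuple[str, str, str, str]]:
        """What this Door shares: object and pseudonym, never the name behind it."""
        return [(s.door, s.time, self.pseudonyms[s.tag], CATALOGUE.get(s.tag, "unknown object"))
                for s in self.sightings]

def demo() -> SortingDoorDB:
    db = SortingDoorDB()
    db.observe("Door #1", "Mon 08:02", "urn:epc:tag:0001")  # constructed sightings
    db.observe("Door #1", "Tue 18:40", "urn:epc:tag:0001")
    db.observe("Door #2", "Wed 12:15", "urn:epc:tag:0002")
    db.observe("Door #2", "Wed 12:16", "urn:epc:tag:0001")
    db.bind_identity("urn:epc:tag:0001", "Alice")  # credit card presented at Door #2 on Wed
    return db
```

After `demo()`, `history("urn:epc:tag:0001")` names Alice on the Monday and Tuesday sightings that were recorded before any credential was seen, while `deidentified_view()` still links all three of her sightings under one pseudonym without exposing the name.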
Contextual Data
The largest push in RFID deployment is on the consumer goods front. If item-level tagging of consumer goods becomes significant, the compilation of information about consumer goods—the nature of objects seen—will contribute to the ability to make accurate inferences about the individuals who bear or wear them. EPCglobal, the consortium shepherding the Electronic Product Code (EPC) standard, has defined an Object Name Service (ONS) to allow for anyone encountering an EPC-coded RFID tag to ask, “Who can tell me about this object?,” and get a pointer to its manufacturer. Knowing what an object is allows for stronger inferences: “We’re seeing a man’s jacket, a briefcase, and a PDA. Let’s guess an adult, and probably one with a job...”
Where Are We Heading?
We’re only in the infancy of ubiquitous sensing, but RFID seems likely to be broadly pervasive (the voracious demands of consumer goods supply chain applications alone should guarantee that), and it’s a good time to start thinking on the implications for surveillance and privacy. The goals of the Sorting Door Project are to reveal RFID’s potential as a tool for surveillance, to allow for better decision-making, both by those deploying RFID, and by policymakers and the public, to define what limits we might wish to apply through policy, law, and practice.
Would You Like to Participate?
- We believe that, as highly sensitive as research on technologies applicable to human surveillance is, it is critical for government and the private sector to be constrained by the law, technological limits and policy choices, and not by ignorance of technology. Private interests will pursue R&D of RFID as a tool for monitoring, regardless, for applications running the gamut from security awareness to customer relations management—better that we all have a better idea of what they could be up to.
- Please contact us if you might be interested in participating, in various research areas:
  - Data mining and analysis;
  - Research and development of Sorting Doors (or adaptation of current work, e.g., in “smart spaces”) to tie in to the Sorting Door architecture;
  - Inference engine development;
  - Policy analysis and development.
Other Publications/Work in Progress
- Leveraging Product Codes for Internet Commerce, white paper for CommerceNet Labs, November 2004, addressing implications of the Object Name Service (ONS) for electronic commerce applications. http://www.stapleton-gray.com/papers/CN-TR-04-06.pdf
- Would Macy’s Scan Gimbels? Competitive Intelligence and RFID, research white paper, November 2003, examining competitive intelligence issues around RFID deployment, to appear in “RFID Applications, Security and Privacy,” Addison Wesley, July 2005. http://www.stapleton-gray.com/papers/ci-20031027.PDF
- “Cargo Awareness Network/Contents Understanding Network” (CANCUN), work in progress, examining the application of RFID and inferences from the nature of objects to situational awareness and security in commerce and transportation.
Stapleton-Gray & Associates, Inc.
Stapleton-Gray & Associates, Inc. provides information technology and policy consulting services, systems analysis and design, and project management. Our areas of emphasis include security, privacy, surveillance technologies and systems, and unique identifiers, including radio-frequency identification (RFID).
P.O. Box 7615, Berkeley CA 94707-0615
http://www.stapleton-gray.com
http://www.RFIDredteam.com
Ross Stapleton-Gray, Ph.D.
Dr. Stapleton-Gray has served as an intelligence analyst with the CIA; in technology research and policy positions in academia, an industry trade association, and with two IT security start-ups; and as a research analyst for Skaion Corp.