Comments for Surpriv: RFID Surveillance and Privacy

Comment on Tagging Prison Inmates by Ross Stapleton-Gray

Ross Stapleton-Gray — Thu, 01 Jan 1970 00:00:00 +0000

While one could use RFID to tag inmates for rather crude monitoring (e.g., still in the facility, tag still functioning…), presumably there are also possibilities to sieve through continually-collected data for “indications and warning” intelligence, e.g., noting certain conditions’ correlation to certain incidents, establishing baseline behavioral models to understand when observed behavior is outside the norm, etc. Presumably this might provide for greater prisoner safety, the primary interest here is in better surveillance, expanding the “panopticon.”

Comment on H.B. 251, Utah House bill re RFID by Watching Them, Watching Us

Watching Them, Watching Us — Thu, 01 Jan 1970 00:00:00 +0000

It looks as if this Bill has run out of time in this Utah State Legislature session, and is therefore defeated.

http://www.le.state.ut.us/~2004/status/hbillsta/HB0251.htm

http://www.rfidbuzz.com/news/2004/utah_no_right_to_know.html

Comment on “The ROI of Privacy Invasion” by Watching Them, Watching Us

Watching Them, Watching Us — Thu, 01 Jan 1970 00:00:00 +0000

Katherine Albrecht has published an open response to the AIM newsletter article’s claims about her position on calling for legislation.

http://www.spychips.com/aimletter.html

The AIM “RFID FAQs, not Fiction” produced by the so called “AIM RFID Privacy Work Group”

http://www.aimglobal.org/technologies/rfid/rfid_faqs.asp

is also full of errors or misrepresentations:

e.g. they mistakenly claim radio frequency hopping as a security measure, when, in fact, just as with GSM mobile phones, the feature is more to deal with interference and reflected signals. An attacker does not have to build their own frequency hopping radio, they just need to buy or steal an EPC compliant reader.

They claim correctly that passive RFID tags do not emit much Radio Frequency energy and so are not a health risk, but they neglect to think about the effect on say shop staff exposed to dozens or hundreds of Readers on Smart Shelves or at every checkout till day in, day out.

“Currently, a court subpoena is required to use private information such as cell phone records and credit card purchases. This information is strictly for use in criminal activities investigations” – no such court order is required in the UK, and in many other countries. The UK tax authorities have already asked for and have been given supermarket loyalty card data.

They neglect the “third party cookie” type RFID tag profiling possabilities, by claiming that other retailers will not be able to read any RFID tags that you are carrying or which are in your clothing.

They claim that RFID tags cannot be duplicated – it is probably not cost effective to do so, but their responses to readers can be faked or simulated as shown by the RSA Labs “blocker tag”:

http://www.spy.org.uk/spyblog/archives/000206.html

Comment on Hiding in All That Noise by Watching Them, Watching us

Watching Them, Watching us — Thu, 01 Jan 1970 00:00:00 +0000

Surely the US or any other military would have to be insane to implement the current EPC Class 1 RFID tag specifications like Wal-mart etc are planning to do ?

http://www.epcglobalinc.com/standards_technology/specifications.html

The likelyhood of consumers checking the movements of pallets or containers full of goods remotely by radio is small, but the likelyhood of spies tracking military supplies is not.

The “kill” capability which has been promised, but not yet implemented in any of the item level trials in supermarkets etc. would, under the current standards not be suitable for military use – a *24bit* “kill” code in 13.56MHz HF tags is very weak, but the *8 bit* “kill” code in the potentially longer range UHF (around the 900MHz cell phone frequency) tags is *trivially* weak i.e. only 255 possible variants.

There are hints about the as yet unpublished Class 1 version 2 specifications which will combine the HF and UHF standards, but there seems to be no proper strong cryptographic authentication handshake planned for this standard either.

Until RFID tags which are much more secure and complicated (and therefore more expensive) than the current “to stupid to kill” smart labels or the the proposed Class 1 tags, are actually cheap enough to deploy en masse, then all the individual consumer item privacy worries will remain, as well as the distinct possability of espionage and sabotage of the military logistics chain, if it relies on this technology.

The pizza delivery type “intelligence leaks therough civilian activity” problem will still remain, even if the military deploys more complicated, more expensive RFID tags.

The *first* RFID tags that the military should deploy is to upgrade the original “Identify Friend or Foe” transponder technology, out of which RFID developed, which has failed to prevent “Friendly Fire” casualties in the recent wars in Iraq and Afghanistan.

Comment on “Discount Cards Help in Mad Cow Recall” by Ross Stapleton-Gray

Ross Stapleton-Gray — Thu, 01 Jan 1970 00:00:00 +0000

I’ve often wondered why retailers haven’t turned purchase records and their analysis into an end-consumer service, frankly. They’ve long collected sufficiently-detailed (i.e., to the item level, via UPC) data to build a useful profile of my purchases, for my use… and their on-line counterparts (such as Amazon.com) do it as a matter of course (and use such data… “Other people who bought Foo liked Bar as well”).

I wonder if fear of evoking privacy concerns hasn’t been the largest argument against, and as those concerns come up any way, with the appearance of RFID, there’ll be less reluctance to test the waters.

I actually prefer to use my BofA business check card in my business work, because it records a detailed transaction log into my bank statements, with more information on the purchases than I get from my credit card statements.

Comment on “Discount Cards Help in Mad Cow Recall” by Watching Them, Watching Us

Watching Them, Watching Us — Thu, 01 Jan 1970 00:00:00 +0000

Will supermarket Loyalty Cards or the RFID EPC “internet of things” be used as evidence in future civil damages claims by victims who only develop long incubation diseases like new variant Creuzfeld Jackob Disease or perhaps cancer or heart disease, several years into the future ?

Or will the database records proving that you bought individual food products from a particular supermarket magically disappear once the litigation lawyers scent money ?

c.f.

http://www.rfidprivacy.org/blog/archives/000079.html

Comment on “Discount Cards Help in Mad Cow Recall” by mary hodder

mary hodder — Thu, 01 Jan 1970 00:00:00 +0000

The way the store handled the notice seems reasonable, if that’s all they did. But the issue with store cards is that they may be selling the information, which can then be aggregated with other info they don’t collect but other’s do. If they information just stayed with QFC, and never went anywhere, I wouldn’t have a problem with their collecting it and using it to improve their processes within their own supply chain.

Comment on Individuals’ Elective Applications of RFID? by Anonymous

Anonymous — Thu, 01 Jan 1970 00:00:00 +0000

Perhaps this will tie in with geo-caching or games of assassin. “Find the RFID at such and such place.” Or people exchanging each others’ RFID numbers to identify each other for when meeting in person for the first time.