We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... let’s see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

RFID and privacy: Debate heating up in Washington

Privacy advocates and some lawmakers are pushing a debate over potential privacy abuses from the growing use of radio frequency identification chips as huge retailers such as Wal-Mart Stores Inc. move toward large-scale use of the technology.

They see the potential for retailers and other companies to be able to track consumers long after a consumer purchases an item – for example, a tennis shoe manufacturer scanning a sporting event for the number of people wearing its product.

Those advantages are why large retailers such as Wal-Mart and Target Corp., as well as government agencies such as the U.S. Department of Defense (DOD), are embracing RFID technology as a way to improve their supply-chain efficiency. Wal-Mart, leading the way on RFID adoption, plans to phase in use of RFID, with major suppliers of its north Texas stores required to use RFID chips on pallets and cases by January 2005. The DOD plans to require suppliers to use RFID tags by early 2005.

But early experiments with RFID haven’t gone smoothly, at least in the public relations arena. In early 2003, Wal-Mart and The Procter & Gamble Co. tested the use of RFID chips on individual packages of lipstick in an Oklahoma store, and the supposedly secret test raised the hackles of privacy advocates everywhere. The RFID chips allowed Wal-Mart to track the customers as they took the lipstick off shelves.

Wal-Mart’s test of RFID chips on individual products also prompted Senator Patrick Leahy, a Vermont Democrat, to suggest that federal legislation may be necessary at some point. He criticized what he called Wal-Mart’s “clandestine” testing of RFID.

In November, a group of privacy advocates, including the American Civil Liberties Union and the Electronic Frontier Foundation (EFF), issued a position statement on the use of RFID in consumer products. The statement called for retailers to give notice to consumers when RFID chips are being used, to say what the purpose is, and to have security measures in place verified by third parties.

The statement (pdf) calls on merchants to voluntarily comply with RFID privacy measures, and asks retailers to comply with a moratorium on item-level use of RFID chips until a technology assessment involving consumers and other stakeholders can be completed. The statement asked retailers not to force consumers to buy products with RFID tags and advocated that consumers should be able to remove or disable the tags, but the statement did not advocate federal legislation.

Ari Schwartz, associate director of the Center for Democracy and Technology (CDT), one of the groups signing on to the November privacy statement, said:

There has to be a way to kill these chips. The question is really what it’s used for and how it’s done, rather than the technology itself. Most of the benefit out there comes on the back end, in the stock room, and most of the privacy concerns come when it leaves the stock room.

Most retail uses of RFID so far are limited to stock rooms, and with retailers and vendors open to privacy discussion, Schwartz doesn’t yet see the need for federal legislation.

The Inevitability of RFID Tags

From this weekend, the adoption of RFID tags in the retailing industry has become a matter of time. At a recent conference, organised by the RFID non-profit standards organisation, EPCglobal, both Wal-Mart and Tesco warned their suppliers that they expected takeup of this technology. Because these retailers are forcing the adoption of RFID technology through their purchasing power, RFID will soon become ubiquitous in retail, over the next two years.

Colin Cobain, UK IT director for Tesco, advised suppliers to get involved and take a considered view of the new technology. “Some manufacturers are going down the route of slap-and-ship – I urge you not to do that… If you start off slapping-and-shipping, you’ll get a bad name in your organisation.” He added that the question about RFID was not “whether or not it will make a huge difference in the world: the question is, will you be ready?”

Simon Langford, manager of RFID strategy for Wal-Mart and Asda, said “start engaging in RFID today… don’t sit back and wait for it to happen.” Wal-Mart, remember, were so enthusiastic about the technology that they issued a mandate telling their top suppliers to get the tags in their supply chain by 1 January, 2005, or else.

Wal-Mart began their testing of RFID tags in the supply chain on Friday in the Dallas/Fort Worth area. Their links with EPCglobal are also clear:

EPCglobal is a joint venture of EAN International and the Uniform Code Council. It is the organisation chosen by industry to develop standards for RFID technology in the global supply chain based on user needs and business requirements.

As a charter member of EPCglobal, Wal-Mart fully adheres to its core principles related to privacy issues, including consumer notice, consumer education and consumer choice. Wal-Mart’s Linda Dillman and HP’s Dick Lampman serve on the board of directors of EPCglobal.

To follow the work of EPCglobal, the website setting standards for electronic product codes can be found here, including details of their membership and policies.

The cameras are getting smaller

… and will soon be invisible. Anyone who bases their arguments about the dangers of camera surveillance on the primitiveness of current technology is, unlike the latest cameras, being very short sighted. Take a look, for example, at this:

It sounds like the speeder’s nightmare. A speed camera accurate up to 150mph which can be concealed in road studs as small as a cat’s eye indicator, and which can also – as you’re passing – cast a glance at your tyres to see if they’re a bit bald.

And at you, to see who you are and where you are, and what you’re up to. If not yet, then very soon.

Wake up: this camera exists, and it’s being trialled.

I’m awake already.

But the anti-camera lobby can rest easy for a while. The Department for Transport says that there is no way that these cameras, designed and made by a British company called Astucia, will ever be used for “enforcement” to level fines and penalty points. However, they will start being tested around the country later this year, as part of the wider efforts to encourage motorists to respect speed limits.

So, they will not (yet) do “enforcement”, not “for a while”. But they can already do “encourage”. Sounds like enforcement will be with us very soon.

False records

From the BBC last Friday:

Nearly 200 people have been wrongly accused by the Criminal Records Bureau of having criminal records.

The names of 193 people were mistakenly linked with convictions held on the police national computer (PNC), BBC Radio Five Live has learned.

In some cases the names of those being vetted by the bureau were similar or identical to those of actual criminals.
In others, the criminals had given someone else’s personal details to the authorities to avoid a police record.

The Criminal Records Bureau, which came into operation in March 2002, does background checks on those who work with children or vulnerable people.

They made this number of mistakes (that they already know of) in the criminal record list, which is only a minority of the population. How many would they make if the list contained, or was supposed to contain, everybody?

What is scary about this kind of thing is when the information-that-isn’t starts to really get around, into several different databases at once. At that point it becomes extremely hard to eradicate. Something like a false reading on sexual perversion (which is what these background checks for working with children and vulnerable people are all about) is liable to spring to life again after previously having been eradicated, supposedly. After all, you can’t be too careful, can you?

RFID Pressed Into Service For Roadway Safety

The U.S. Department of Transportation’s Federal Highway Administration is working with four companies to develop new radio-frequency identification technology for roadways. Officials see RFID as a way to warn drivers of, for instance, impending intersection collisions and vehicle rollovers.

Specifically, the government and vendors are investigating technology called dedicated short-range communications, which is related to RFID. The vendors are Mark IV Industries, Raytheon, Sirit, and TransCore.

A prototype system co-developed by the quartet is expected to be ready for testing in about 18 months. The Federal Communications Commission has assigned a block of high-bandwidth radio spectrum for dedicated-communications products–5.850 to 5.925 GHz.

Getting under my skin

The news just goes from bad to worse on the RFID front. Trevor Mendham quoted Tesco CEO Sir Terry Leahy as saying that RFID tracks products, not people, but American tech company Applied Digital Solutions, through its subsidiary Verichip Corporation, has already broken through that barrier.

They have developed an RFID product that is implanted in the victim.

The VeriChip miniaturized Radio Frequency Identification (RFID) Device is the core of all VeriChip applications. About the size of a grain of rice, each VeriChip contains a unique verification number, which can be used to access a subscriber-supplied database providing personal related information. And unlike conventional forms of identification, VeriChip cannot be lost, stolen, misplaced or counterfeited.

Once implanted just under the skin, via a quick, painless outpatient procedure (much like getting a shot), the VeriChip can be scanned when necessary with a proprietary VeriChip scanner. A small amount of Radio Frequency Energy passes from the scanner energizing the dormant VeriChip, which then emits a radio frequency signal transmitting the individual’s unique verification (VeriChipID) number. The VeriChip Subscriber Number then provides instant access to the Global VeriChip Subscriber (GVS) Registry – through secure, password protected web access to subscriber-supplied information. This data is maintained by state-of-the-art GVS Registry Operations Centers located in Riverside, California and Owings, Maryland.

It’s a password-protected website: anyone with knowledge of the internet knows that password-protected websites are not that secure; anyone that says that they can guarantee the security of such a webserver is whistling in the wind.

It’s rather like that dreadful George Lucas film, The Phantom Menace, where the slaves are fitted with a tracking device. Verichip Corp. doesn’t have slaves in their sights as a target market; they have a wider target market in mind.

VeriChip products are being actively developed for a variety of security, defense, homeland security and secure-access applications, such as authorized access control to government and private sector facilities, research laboratories, and sensitive transportation resources, including the area of airport security.

In these markets, VeriChip is able to function as standalone personal verification technology or it is able to operate in conjunction with other security devices such as ID badges and advanced biometrics.

In the financial arena, VeriChip has enormous potential as a personal verification technology that could help curb identity theft and prevent fraudulent access to banking and credit card accounts.

In other words, they are after a world where everyone is fitted with these devices. Does Big Blunkett own shares in this company? At the moment, they are working with gun manufacturers. Who will be next?

Affairs of the Heart and Phone

Plenty of people around the world by now know of the allegations of philandering made against the English footballer David Beckham, based on claims made to the media, and also on transcripts of SMS phone messages that are said to have been sent between Beckham and one Rebecca Loos.

The ins and outs of the affair are none of our concern, but what did concern me was this explanatory article in The Advertiser:

He apparently even has offered to produce his mobile phone records to prove his innocence. It may surprise some mobile phone users that some carriers retain details of text messages.

In Australia, Telstra keeps SMS messages for up to 28 days and Optus keeps theirs for three days.

I have three questions here. First, why are telephone companies keeping records of these things at all? Second, why is there such a large difference between Telstra, the dominant company that is still half owned by the government, and Optus (which is now owned by Singtel, the phone arm of the Singaporean government)? And thirdly, why are these messages apparently so insecure?

RFID update

At a recent software conference, Sun Microsystems unveiled new software initiatives in areas related to RFID, 3-D interfaces, game technology and Linux. According to the CTO of Sun, the advances are further proof that “innovation [is] Sun’s DNA.” The article reviews Sun’s upcoming product offerings, noting that the company is actively looking to capitalize on hot new technology trends (e.g. a new RFID test center is on tap for May).

Also, Oracle plans to launch new RFID software offerings in an attempt to give retailers such as Wal-Mart the ability to “handle the deluge of data that RFID systems are expected to produce.” According to Oracle executives, “The IT systems most companies use today are not equipped for a world in which billions of objects report their whereabouts in real-time.” In addition to building in RFID data-processing capabilities in its databases and application servers, Oracle will release new device drivers in its software as well as “device driver frameworks.” Other big-name IT vendors, such as IBM and Microsoft, are also actively exploring new RFID technology offerings.

Finally, Delta Air Lines Inc. starts its second test of radio frequency identification (RFID) technology to track bags today in hopes of improving accuracy over the 96.7% to 99.9% it achieved in a test last year. Delta will write information to the RFID bag tags at the request of the Transportation Security Administration, which has backed both tests, Rary said. That information will include the flight number, passenger name and what Rary called a “license plate” – a serial number that identifies each bag.

The RFID Privacy Scare Is Overblown

Computerworld has an opinion article by Jay Cline about the privacy scare surrounding RFID technology, in which he explains that the RFID hype has outpaced reality. Manufacturers and retailers have yet to agree on a universal electronic product code. RFID scanning is also far from error-free. But more important, RFID signals are so weak that they’re easily blocked by metals and dense liquids. It’s infeasible today for someone driving a vehicle down your street to intercept signals from RFID-tagged goods inside your home.

He also argues that the economics of RFID chips limit how they’re used. Until the price of RFID chips comes down to about a penny apiece, they’ll mostly be used at the case and pallet level, clear of any personally identifiable activity. So we have several years to identify the privacy controls we want to see in RFID systems. Some companies are already creating these privacy controls. Chip makers and users are discussing how the principles of data privacy could be built into the RFID process. A top priority is notifying customers that certain items are tagged with these transmitters – which could be done by placing a common RFID logo on product packages. To give customers the ability to turn off the transmitters, some companies plan to make them peel-offs. RSA Security Inc. is also developing a chip that could be worn on watches or bags to block nearby RFIDs from transmitting certain information. So the RFID privacy ball is rolling.

Glad to hear that. Nevertheless, I will still be watching the RFID development with interest…

Anti-RFID tags protect privacy

ZDNet.com reports that computer-security software maker RSA Security has developed a new technology for protecting information emitted by radio frequency identification tags.

The RFID cloaking system is intended to guard proprietary data located on chips used to carry product information. The RSA Blocker Tag technology uses a jamming system designed to confuse RFID readers and prevent those devices from tracking data on individuals or goods outside certain boundaries.

The blocker tags work by emitting radio frequencies designed to trick RFID readers into believing that they are being presented with unwanted data, or spam, causing the information collection devices to shun the incoming transmission. RSA claims that by placing an RFID-loaded product into a parcel bearing one of the blocker tags, the system would cause RFID readers to miss any information carried by the product in the bag, thereby protecting consumers.

The company also promised that its cloaking system would not interfere with the normal operation of RFID systems or allow hackers to use security technology to bypass theft control systems or launch denial-of-service attacks.

Roadblocks could slow RFID

CNetnews.com has an article about radio frequency identification, which has become a hot concept promising to streamline how businesses track and stock inventory. The article warns that companies may need to rethink their software infrastructures in order to make RFID work as advertised, according to analysts and technology makers.

Early resistance to RFID adoption has come from civil liberties groups, which fear that the technology could lead to unprecedented surveillance of consumers. But industry watchers and technology vendors have identified a more mundane potential problem for RFID adopters. They warn that in the rush to launch RFID projects, businesses may be overlooking a crucial element necessary to allow the technology to work smoothly: Making sure back-end databases and business applications can handle the massive amounts of information generated by RFID-enabled systems. Kara Romanow, an analyst at AMR Research in Boston, said:

Companies are going to have problems when they drop RFID on top of shaky infrastructures. In order to do RFID right, to see a true return, the first thing (a company) needs to do is finish a data synchronization initiative, and do it right.

Romanow believes that there are two popular scenarios among businesses working to develop RFID capabilities today: those doing just enough to keep demanding companies like Wal-Mart as a customer, and those with real long-term vision. According to the analyst, the first group will garner few returns other than short-term bragging rights to getting RFID up and running, while the second group will see true return on investment down the road.

RFID may give “Tag, you’re it!” a whole new meaning

Infoworld’s Ephraim Schwartz paints a picture:

Picture this: You’re sitting in the food court at your favorite mall with the family, munching on greasy kung pao chicken from Panda Express, followed by a warm, sweet Cinnabon, when a cordon of mall police surround your table, guns drawn, screaming at you to “Drop the bun and put your hands up!”

Reluctant as you are to give it up, you comply.

What went wrong? Your wife is wondering if you’ve been leading a secret life, but it’s nothing so exotic. Rather, the clerk at the Gap forgot to deactivate the RFID (radio frequency identification) tag in the sweater you just bought. When you passed an RFID reader, connected to the Wi-Fi enabled network, it sent a message to the security desk, and as you passed each RFID reader along the way, they tracked you down in the food court.

There is no doubt that RFID tags will be sewn into the lining of every item of clothing manufactured. Current RFID prices are about 16 cents each on orders of 10 million tags, with the price expected to reach a nickel a tag in a year or two.

By using RFID in clothing, not only will companies be able to discourage shoplifting, they’ll also be able to spot other frauds, such as counterfeit brand names or buyers who purchase an item at a discount outlet and then try to return it for the retail price at a regular store. Warranties can now also be easily tracked to date of purchase.

With those benefits to the supply chain, the question is, will the store really want to turn off the tag after the item is purchased, and how can you, as a consumer, tell? “What if you have some strange hobbies you’d like kept private?” Etterman asks.

It is certainly a small step from deploying RFID tags, which have a reach of only about three feet, to putting the readers in public places that already have hot spots. The combination is potent. Suddenly, the information in the tag can be transmitted over the Wi-Fi network and associated with all kinds of other data by all kinds of organizations, such as insurance companies. Or, you may be on the Most Wanted list at your local public library. Why shouldn’t they have a piece of you, too?

While these scenarios are not possible today, there is no technological barrier preventing them from becoming reality. Who can really say what’s next?