RFID Privacy Issues and the ORCA System

Steve Shafer ([email protected]), Microsoft Research

May 2007

Steve Shafer, Microsoft Research

• Working in ubiquitous computing a long time

• Working with RFID at Microsoft
  – Microsoft RFID whitepaper on RFID Privacy

• Was member of the CDT RFID Privacy Working Group

• Vice Chair of the Privacy Advisory Council of the NFC Forum

• Presented at UW in November 2006

Today

• RFID privacy vocabulary & guidelines

• Privacy Survey: How ORCA measures up
  – Note there are both RFID and non-RFID privacy issues in ORCA
  – I am only qualified to address RFID issues

Vocabulary – Personal Data

• Personal Data consists of Personal ID and Activity Records
  – Personal ID is data that describes or gives access to a unique individual Subject
  – An Activity Record associates a Pseudonym with data about activities, transactions, locations, things, or other people

• A Pseudonym is any unique data associated with a unique individual Subject
  – Unique datum, or unique combination of non-unique data
  – Unique value, or value drawn from a unique set of values

Vocabulary – Privacy Violations

• Privacy Violations include Privacy Breaches and Tracking
  – A Privacy Breach is a disclosure of Personal ID to an unauthorized party
  – Tracking is a disclosure of Activity Records to an unauthorized party

Vocabulary – Authorization

• In a Mandatory system, authorization is stipulated by the system operator

• In a Voluntary system, the User provides authorization through Informed Consent
  – The User is the individual who presents a tag to the system
  – Informed Consent includes Notice and Consent (as described in the guidelines)

Vocabulary – Recap

• Personal Data
• Personal ID
  – Privacy Breach
• Pseudonym & Activity Record
  – Tracking
• Subject & User
• Authorized v. Unauthorized
• Mandatory
• Voluntary
• Informed Consent

Guidelines – I – Principles

1. The broadest relevant definition of Personal ID should be applied.
   How about index data? Non-actionable data?

2. Personal ID should be Directional.

3. Pseudonyms should be Directional … but frequently they’re not.


Guidelines – II – Informed Consent

4. Informed Consent should be obtained before a User enrolls in the system.

a. Notice should include the Personal Data, its purposes, retention & other policies, User actions. What about limitations on the “purposes”?

b. Consent requires knowing, affirmative indication.

5. Informed Consent should be obtained before any transaction or activity.

a. Notice may be simply a logo.

b. Consent may be simply the presentation of the tag.


Guidelines – III – Security

6. Personal Data should be made Directional both in storage and communication.

a. Design security – Minimize Personal Data.

b. Physical security – Keep the tag quiet electronically.

c. Information security – Make the software smart.

Guidelines – IV – Data Handling

7. Personal Data should be handled nicely.

a. Only use it for agreed-upon purposes.

b. Have a policy for data expiration.

c. Ensure integrity and quality of data.

d. Provide Users with access to data about them.

e. Provide Users with a complaint mechanism.

f. Take responsibility when data is sent to third parties (details on next slide).

g. Review policies and practices regularly.

Guidelines – IVa – Onward Transfer

7f. Sending Personal Data to a third party:

i. Tell the recipient what the data is authorized for.

ii. Take some steps to ensure the recipient uses the data only for authorized purposes.

iii. Take some steps to ensure the recipient abides by reasonable principles for data handling.

iv. If the User appeals your handling of the data, propagate that appeal to the recipient.

Apply These Guidelines to ORCA

• Some noteworthy points:
  – Transit users can elect to pay cash or use ORCA cards without creating an account
    • Accounts are for replenishment or for institutions
  – Institutional use may be Mandatory
  – Personal ID is not on the card … but many Pseudonyms are there
    • Should the U-Pass # itself be considered Personal ID?
  – In fact, Personal Data is on the card, in the form of an Activity Record (“ride history” of your last 10 trips [for each agency])

Apply These Guidelines to ORCA

• Some more noteworthy points:
  – In theory, 14443 tags can be operated up to 10cm. But they can be skimmed at 20-50cm, eavesdropped at 10m, and detected at 20m.
  – In ORCA, the Contract Administrator can authorize additional uses for the data!!!
  – Cohabiting applications may access ORCA data if authorized by the Contract Admin.!!
    • ORCA data is to be encrypted by a key. But where will the key live?
    • One key per tag? Agency? User?

Apply These Guidelines to ORCA

• Some more noteworthy points:
  – ORCA requires card serial numbers. It also requires that they be linkable to Personal ID.
  – (non-RFID) ORCA mandates Personal ID at central database
    • Is this really required for the stated purposes, i.e. replenishment & linkage?
  – (non-RFID) ORCA mandates history of at least the last 20 fare payments & transfers in database
    • Is this really required for the stated purposes?

Stuff I Presented in November 2006 to the UW Law School

by Steve Shafer, Microsoft Corp.


Worthwhile Web Links

• http://www.cephas-library.com/nwo/nwo_the_year_of_rfid_legislation.html

• http://www.retail-leaders.org/new/resources/RFID_Bill_Summaries_2005_08-31-05.pdf

• http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0651-0700/sb_682_bill_20050815_amended_asm.html

• http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0651-0700/sb_682_bill_20060807_amended_asm.html

• http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0751-0800/sb_768_bill_20050902_amended_asm.html

• http://www.cr80news.com/news/2006/10/02/governor-schwarzenegger-vetoes-controversial-antirfid-legislation/

• http://www.retail-leaders.org/new/rlGovAffairs.aspx?section=GOVEIS&id=5&cid=16

• http://www.cdt.org/privacy/20060501rfid-best-practices.php

Issues to Consider

• What is Privacy?

• What is RFID?
  – What are the key initiatives of public interest?

• What are the privacy risks from RFID?

• What is happening with RFID privacy policy today?

• What are key issues for policymakers?


What is Privacy?

• One definition: “Giving consumers control over the collection and use of personal data”

The Privacy Community

• Advocates & Sociologists: “What makes people feel uneasy?” – Surveys, Behavior Studies

• CPOs & Regulators: “What are the rules for handling data?” – Fair Information Practices, Legislation & Regulation

• Engineers: “How do I give control over information?” – Security Mechanisms, Control UX

Key RFID Technology Variations

[Chart: Tag Capability (ID Only; 256 Bytes; 32 Kbytes; UI, Sensors, Location, Security) plotted against Read/Write Range (4 inches; 10 feet; 300 feet). Families shown: NFC / 14443 / SmartCards; EPCglobal; Active Tags; … dozens of variations …]

Key Privacy-Sensitive Forms of RFID

• EPCglobal: ID number, 20-foot range
  – For supply chain (pallets and cases)
  – What if individual goods are labeled?
  – RealID (state drivers licences) is similar to this

• NFC: Lots of data, security, 2-inch range
  – Payment cards, cell phones
  – Personal data can be involved
  – e-Passport uses NFC, also credit card companies

• Active RFID: Idiosyncratic, 300-foot range
  – Person-tracking by employers
  – License plate tracking in UK

What is Personal Data?

• Personal Identification
  – Details about an individual person
  – Primarily in ID documents / badges / cards
  – Privacy violation is “Breach”

• Activity Records
  – Accumulated based on pseudonym
  – Primarily in consumer goods
  – Privacy violation is “Tracking”

PII = Personally Identifiable Information

• Primary category of data protected by “privacy” in US practice

• Many different definitions, here’s one:
  – “any piece of information which can potentially be used to uniquely identify, contact, or locate a single person”
  – Wikipedia says it includes name (if not common), govt. ID #, phone #, street address, email address, vehicle plate #, face / biometric, IP address (sometimes)
  – Fairly loose and squishy definition
  – Different sources have different definitions

• EU “Personal Identification” includes more

RFID Privacy Breaches

• Leak of information through radio
• Collecting information not authorized
• Retaining information not authorized
• Using information in ways not authorized
• Sending information to third parties who are not authorized

• These apply to all IT systems, not just RFID

RFID Radio Security

• Security is to protect data from access by unauthorized parties

• Types of attack (diagram: Tag ↔ Authorized Reader, with the attacker positions marked around the link):
  – Eavesdropper
  – Skimmer
  – Spoofer
  – Tamperer

• Not all systems have adequate security designed in

Tracking

• Activity Records based on pseudonym

• Non-PII Data About Individual
  – New technologies e.g. RFID, cell phone produce data about things in the world
  – You may leave a “trail of breadcrumbs”
  – Based on pseudonym, not personal ID
  – But the object is yours!

• Actually, not a “trail” but “mountains”: these data mountains are not considered PII

“Helen Wears a Hat”

• Helen buys a hat at store A.

• The hat contains an RFID tag with a unique ID number.
  – (Even if encrypted it is unique.)

• (The store might record purchase information about Helen, but we will assume they keep it private.)

• Helen keeps the RFID tag in the hat because she has a “smart closet”.

[Diagram: records “Hat #1 – Store A” and “Hat #1 – Helen”; Helen carries Hat #1]

“Helen Wears a Hat” – Chapter 2

• Helen visits store B wearing her hat. Store B detects it at the door.

• Helen visits stores C, D, and E, and has lunch with her friend Suzie who has a new sweater.

[Diagram: records “Hat #1 – Store B”, “Hat #1 – Store C”, “Hat #1 – Store D”, “Hat #1 – Store E”, “Hat #1 – Cafe”, “Sweater #9 – Cafe”; Helen carries Hat #1, Suzie carries Sweater #9]


“Helen Wears a Hat” – Chapter 3

• These stores all sell their data to marketer X, who assembles it and looks for patterns. This information is available to businesses, and is discoverable in legal proceedings.

Helen’s name and personal data do not appear in the records.

The usual “privacy policies” and regulations do not apply to this data!

Privacy Breach + Tracking

• Privacy Breach and Tracking have interactions:
  – Breach makes it possible to track
  – Tracking + physical presence can lead to a breach
  – More tracking makes it easier to mine to create a breach
  – Tracking makes the consequences of a breach more serious
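The “Helen Wears a Hat” story and the Breach + Tracking interactions above, as an added example that is not part of the original deck: the sighting and purchase records are constructed to mirror the story, and the function names are this example’s own.

```python
"""Added example (not from the slides): pseudonymous tag sightings become an
Activity Record, and a single PII-bearing record turns Tracking into a Breach.
All records below are constructed to mirror the "Helen Wears a Hat" story."""
from collections import defaultdict

# Constructed sightings as stores B..E and the cafe might log them: (tag pseudonym, place).
SIGHTINGS = [
    ("Hat #1", "Store B"), ("Hat #1", "Store C"), ("Hat #1", "Store D"),
    ("Hat #1", "Store E"), ("Hat #1", "Cafe"), ("Sweater #9", "Cafe"),
]
# Constructed purchase record held by store A only: tag pseudonym -> Personal ID.
STORE_A_PURCHASES = {"Hat #1": "Helen"}


def build_trails(sightings):
    """Tracking: group sightings by pseudonym. No name is needed, yet each
    tag ID now carries an Activity Record (the 'trail of breadcrumbs')."""
    trails = defaultdict(list)
    for tag, place in sightings:
        trails[tag].append(place)
    return dict(trails)


def co_presence(sightings):
    """Pseudonyms seen together get linked to each other, so the record is also
    data 'about other people' (Suzie's sweater becomes part of Helen's trail)."""
    by_place = defaultdict(set)
    for tag, place in sightings:
        by_place[place].add(tag)
    links = defaultdict(set)
    for tags in by_place.values():
        for tag in tags:
            links[tag] |= tags - {tag}
    return {tag: others for tag, others in links.items() if others}


def breach_from_tracking(trails, pii_records):
    """Breach + Tracking interaction: one record that maps a pseudonym to a
    Personal ID (store A's purchase) re-identifies the whole trail."""
    return {pii_records[tag]: places
            for tag, places in trails.items() if tag in pii_records}
```

Note that `breach_from_tracking` needs nothing from stores B to E beyond the pseudonym; that is why the slides treat a pseudonym as Personal Data in all but name.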

Protecting Personal Data

Who does what with your personal data?

• Sanctioned (addressed by Privacy Policy):
  – User’s Understanding
  – Authorized Use
  – “Authorization Creep”
  – “Third-Party Freedom”

• Miscreants (addressed by Privacy & Security):
  – “Opportunistic”
  – “Professional”
  – “Conspiratorial” (= “Organized”)
  – That Which Must Not Be Named

Best Practice Guidelines

• Most experts agree that the primary basis for RFID Privacy policy should be Fair Information Practices
  – Many variants e.g. “Safe Harbor”
  – Notice, Choice, Consent, Security, …

• This addresses authorized users

• Not always honored by government
  – Identity documents, license plates, etc.
  – Unclear meaning, e.g. what is “consent”?
  – Unclear decision-making process

Privacy Policy for PII: Safe Harbor

• Notice
• Choice & Consent
• Onward Transfer
• Access
• Security
• Data Integrity & Quality
• Enforcement & Remedy

Good reference: Privacy Best Practices for Deployment of RFID Technology, Center for Democracy and Technology, 2006. http://www.cdt.org/privacy/20060501rfid-best-practices.php

Security Mechanisms

• Information Security
  – Encryption, Authorization, Dynamic IDs, …

• Physical Security
  – On/off switches, Foil covers, Short range, Multiple modalities, …

• Design Security
  – Opt-in v. opt-out, Default settings, No PII on tags, …

Resistance to Tracking

• Proposed “privacy” measures:
  – Clipping (IBM): shorten antenna after purchase
  – Killing (EPC): deactivate tag on command
  – Erase the Serial Number: leave the SKU intact
  – Blocker (RSA): device pretends to be every tag
  – Dynamic ID is a new trend in the RFID literature: tag presents apparently random ID
    • Cryptographic techniques for generating a sequence of ID numbers that cannot be inverted

• All of the above have major shortcomings!

Where is the Action Today?

• Guidelines: Industry organizations, standards bodies, privacy advocates
  – Center for Democracy and Technology

• State legislatures in the US
  – CA, IL, WA, NH, AL, …

• EU, Japan, …

Common Pitfalls in Proposed RFID Privacy Regulations & Laws

• Overbroad definition of “RFID” includes cell phones, laptops, etc.
  – Example: “RFID means electronic devices that broadcast identification number by radio”

• Regulating technology without limiting data or its use
  – RFID in 2006, what will it be in 2016?

• Ban on technology (reduces innovation)
  – “No RFID until 2010”


Policy Recommendations

• “Trustworthy Computing is Good Business”

• Get good technical guidance!

• Encourage technology development

• Regulate data and its use, not technology

• Foster responsible use

• Codify best practices based on FIP

• Don’t lock in current technologies

• Sensitive applications need careful planning

Issues in RFID Privacy

• What is Privacy?

• What is RFID?
  – What are the key initiatives of public interest?

• What are the privacy risks from RFID?

• What is happening with RFID privacy policy today?

• What are key issues for policymakers?


Additional Material

Solove’s Taxonomy of Privacy

Data Holders:

I. Information Collection
  – Surveillance *
  – Interrogation

II. Information Processing
  – Aggregation *
  – Identification *
  – Insecurity
  – Secondary Use *
  – Exclusion

III. Information Dissemination
  – Breach of Confidentiality
  – Disclosure
  – Exposure
  – Increased Accessibility
  – Blackmail
  – Appropriation
  – Distortion

IV. Invasions
  – Intrusion *
  – Decisional Interference *

Reprinted with permission from: Solove, Daniel J., "A Taxonomy of Privacy". University of Pennsylvania Law Review, Vol. 154, Fall 2005. http://ssrn.com/abstract=667622.

Risk from PAI (* = on previous slide)


TRUSTe’s definition (excerpt)

• “any information … (i) that identifies or can be used to identify, contact, or locate … or (ii) from which identification or contact information of an individual person can be derived.”

• Includes: name, govt. ID numbers, phone + FAX numbers, street address, email address, financial profiles, medical profile, credit card info.

• Note financial / medical info is “especially sensitive information”

• Source: Jeffrey Klimas v. Comcast Corp, US …

TRUSTe “Associated” Info

• “to the extent unique information … [not PII] is associated with PII … [it] will be considered [PII]”

• Includes personal profile, biometric, pseudonym, IP address

• IP address “becomes PII” only if “associated with” PII

• Excludes data collected “anonymously” (“without identification of the individual user”)
  – So it seems to exclude Helen’s hat’s data records unless associated with PII
  – This data is “pseudonymous”, not really “anonymous”


Pseudonyms

• A pseudonym is any constant, unique datum

• Can be an almost-unique datum

• Can be a set of common data

• Can be an encrypted datum

• Can be a pseudo-random member of a unique set

Privacy and Security

                                Personal Data            Non-Personal Data
  Unauthorized User             Security and Privacy     Security
  (mechanism)
  Authorized User and Use       Privacy                  –
  (policy)

Security = Enforcement of boundary against unauthorized users
Privacy = Define / enforce boundary & policy for personal data

Directionality in Identity Systems

• Omnidirectional = accessible to everyone

• Directional = only accessible to authorized parties
  – Also called Unidirectional
  – Enforced by security measures
    • Authorization of both endpoints
    • Encryption of data in storage and in communication


Security Goals for RFID Privacy

Personal ID should always be Directional

Pseudonyms should always be Directional

• Personal ID: this is a no-brainer

• Pseudonyms: usually very difficult to implement!

Problems With Tracking Resistance

• Proposed “privacy” measures:
  – Clipping (IBM): shorten antenna after purchase
    • Doesn’t change the information flow
  – Killing (EPC): deactivate tag on command
    • Prevents after-market use of tags
  – Erase the Serial Number: leave the SKU intact
    • Combinations of SKUs can create a unique identifier
  – Blocker (RSA): device pretends to be every tag
    • Denial of Service is a security violation
  – Dynamic ID is a new trend in the RFID literature: tag presents apparently random ID
    • Every reader has to know the secret for every tag
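The Dynamic ID measure named here and on the “Resistance to Tracking” slide, as an added example that is not part of the original deck: a toy scheme in which the tag answers each read with HMAC(secret, counter), shown next to the authorized reader that can only recognise a response by trying every tag secret it holds. Keys, the 8-byte truncation and the class names are this example’s own assumptions, not any RFID standard.

```python
"""Added example (not from the slides): a toy Dynamic ID scheme. The tag emits
HMAC(secret, counter) on every read; an authorized reader must hold every
tag's secret and search over them. Secrets below are constructed at run time."""
import hashlib
import hmac
import os

TRUNCATE = 8  # constructed choice: tags emit an 8-byte apparently random ID


class Tag:
    """Each tag holds a secret key and a read counter; no static ID is ever sent."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def respond(self) -> bytes:
        """Emit the next ID. Without the secret, two responses cannot be linked
        to the same tag, and the sequence cannot be inverted to the counter."""
        msg = self.counter.to_bytes(4, "big")
        self.counter += 1
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:TRUNCATE]


class AuthorizedReader:
    """The shortcoming on the slide: the reader needs the secret of *every* tag
    and tries each one (over a counter window) for every response it sees."""

    def __init__(self, tag_secrets: dict, window: int = 16):
        self.tag_secrets = tag_secrets  # tag name -> secret, whole population
        self.window = window            # tolerate reads this reader did not see

    def identify(self, response: bytes):
        for name, secret in self.tag_secrets.items():   # cost grows with population
            for ctr in range(self.window):
                cand = hmac.new(secret, ctr.to_bytes(4, "big"),
                                hashlib.sha256).digest()[:TRUNCATE]
                if hmac.compare_digest(cand, response):
                    return name
        return None  # unknown tag, or counter drifted past the window


def demo():
    """Constructed population: an outsider sees unlinkable IDs, the owner does not."""
    secrets = {"Hat #1": os.urandom(16), "Sweater #9": os.urandom(16)}
    hat = Tag(secrets["Hat #1"])
    first, second = hat.respond(), hat.respond()        # same tag, two reads
    owner = AuthorizedReader(secrets)
    stranger = AuthorizedReader({"Hat #1": os.urandom(16)})  # holds a wrong secret
    return {
        "linkable_by_outsider": first == second,          # False: IDs look random
        "owner_identifies": owner.identify(second),       # "Hat #1"
        "stranger_identifies": stranger.identify(second), # None
    }
```

The search in `identify` is the operational price of the scheme: every reader in the system becomes a holder of every tag secret, and a compromised reader leaks the linkability of the whole population.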