RFID Privacy Issues and the ORCA System - PowerPoint PPT Presentation

About This Presentation
Title:

RFID Privacy Issues and the ORCA System

Slides: 52
Provided by: stevenshaf

Transcript and Presenter's Notes

1
RFID Privacy Issues and the ORCA System
  • Steve Shafer (stevensh_at_microsoft.com)
  • Microsoft Research
  • May 2007

2
Steve Shafer, Microsoft Research
  • Working in ubiquitous computing a long time
  • Working with RFID at Microsoft
  • Microsoft RFID whitepaper on RFID Privacy
  • Was member of the CDT RFID Privacy Working Group
  • Vice Chair of the Privacy Advisory Council of the
    NFC Forum
  • Presented at UW in November 2006

3
Today
  • RFID privacy vocabulary & guidelines
  • Privacy Survey: How ORCA measures up
  • Note there are both RFID and non-RFID privacy
    issues in ORCA
  • I am only qualified to address RFID issues

4
Vocabulary - Personal Data
  • Personal Data consists of Personal ID and
    Activity Records
  • Personal ID is data that describes or gives
    access to a unique individual Subject
  • An Activity Record associates a Pseudonym with
    data about activities, transactions, locations,
    things, or other people
  • A Pseudonym is any unique data associated with a
    unique individual Subject
  • Unique datum, or unique combination of non-unique
    data
  • Unique value, or value drawn from a unique set of
    values

5
Vocabulary - Privacy Violations
  • Privacy Violations include Privacy Breaches and
    Tracking
  • A Privacy Breach is a disclosure of Personal ID
    to an unauthorized party
  • Tracking is a disclosure of Activity Records to
    an unauthorized party

6
Vocabulary - Authorization
  • In a Mandatory system, authorization is
    stipulated by the system operator
  • In a Voluntary system, the User provides
    authorization through Informed Consent
  • The User is the individual who presents a tag to
    the system
  • Informed Consent includes Notice and Consent (as
    described in the guidelines)

7
Vocabulary - Recap
  • Personal Data
  • Personal ID
  • Privacy Breach
  • Pseudonym, Activity Record
  • Tracking
  • Subject, User
  • Authorized v. Unauthorized
  • Mandatory
  • Voluntary
  • Informed Consent

8
Guidelines I - Principles
  • The broadest relevant definition of Personal ID
    should be applied.
  • How about index data? Non-actionable data?
  • Personal ID should be Directional.
  • Pseudonyms should be Directional
  • but frequently they're not.

9
Guidelines II - Informed Consent
  • Informed Consent should be obtained before a User
    enrolls in the system.
  • Notice should include the Personal Data, its
    purposes, retention & other policies, User
    actions.
  • What about limitations on the purposes?
  • Consent requires knowing, affirmative indication.
  • Informed Consent should be obtained before any
    transaction or activity.
  • Notice may be simply a logo.
  • Consent may be simply the presentation of the tag.

10
Guidelines III - Security
  • Personal Data should be made Directional both in
    storage and communication.
  • Design security: Minimize Personal Data.
  • Physical security: Keep the tag quiet
    electronically.
  • Information security: Make the software smart.

11
Guidelines IV - Data Handling
  • Personal Data should be handled nicely.
  • Only use it for agreed-upon purposes.
  • Have a policy for data expiration.
  • Ensure integrity and quality of data.
  • Provide Users with access to data about them.
  • Provide Users with a complaint mechanism.
  • Take responsibility when data is sent to third
    parties (details on next slide).
  • Review policies and practices regularly.

12
Guidelines IVa - Onward Transfer
  • 7f. Sending Personal Data to a third party
  • Tell the recipient what the data is authorized
    for.
  • Take some steps to ensure the recipient uses the
    data only for authorized purposes.
  • Take some steps to ensure the recipient abides by
    reasonable principles for data handling.
  • If the User appeals your handling of the data,
    propagate that appeal to the recipient.

13
Apply These Guidelines to ORCA
  • Some noteworthy points
  • Transit users can elect to pay cash or use ORCA
    cards without creating an account
  • Accounts are for replenishment or for
    institutions
  • Institutional use may be Mandatory
  • Personal ID is not on the card but many
    Pseudonyms are there
  • Should U-Pass itself be considered Personal ID?
  • In fact, Personal Data is on the card, in the
    form of an Activity Record (ride history of
    your last 10 trips for each agency)

14
Apply These Guidelines to ORCA
  • Some more noteworthy points
  • In theory, 14443 tags can be operated up to 10cm.
    But they can be skimmed at 20-50cm, eavesdropped
    at 10m, and detected at 20m.
  • In ORCA, the Contract Administrator can authorize
    additional uses for the data!!!
  • Cohabiting applications may access ORCA data if
    authorized by the Contract Admin.!!
  • ORCA data is to be encrypted by a key. But where
    will the key live?
  • One key per tag? Agency? User?

15
Apply These Guidelines to ORCA
  • Some more noteworthy points
  • ORCA requires card serial numbers. It also
    requires that they be linkable to Personal ID.
  • (non-RFID) ORCA mandates Personal ID at central
    database
  • Is this really required for the stated purposes,
    i.e. replenishment linkage?
  • (non-RFID) ORCA mandates history of at least the
    last 20 fare payments & transfers in database
  • Is this really required for the stated purposes?

17
Stuff I Presented in November 2006 to the UW Law
School
  • by Steve Shafer, Microsoft Corp.

19
Worthwhile Web Links
  • http://www.cephas-library.com/nwo/nwo_the_year_of_rfid_legislation.html
  • http://www.retail-leaders.org/new/resources/RFID_Bill_Summaries_2005_08-31-05.pdf
  • http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0651-0700/sb_682_bill_20050815_amended_asm.html
  • http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0651-0700/sb_682_bill_20060807_amended_asm.html
  • http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0751-0800/sb_768_bill_20050902_amended_asm.html
  • http://www.cr80news.com/news/2006/10/02/governor-schwarzenegger-vetoes-controversial-antirfid-legislation/
  • http://www.retail-leaders.org/new/rlGovAffairs.aspx?sectionGOVEISid5cid16
  • http://www.cdt.org/privacy/20060501rfid-best-practices.php

20
Issues to Consider
  • What is Privacy?
  • What is RFID?
  • What are the key initiatives of public interest?
  • What are the privacy risks from RFID?
  • What is happening with RFID privacy policy today?
  • What are key issues for policymakers?

21
What is Privacy?
  • One definition: Giving consumers control over
    the collection and use of personal data

22
The Privacy Community
[Diagram of the privacy community, with each group, its question and its tools:]
  • Advocates, Sociologists: What makes people feel
    uneasy? (Surveys, Behavior Studies)
  • CPOs, Regulators: What are the rules for
    handling data? (Fair Information Practices,
    Legislation, Regulation)
  • Engineers: How do I give control over
    information? (Security Mechanisms, Control UX)
23
Key RFID Technology Variations
[Chart: Tag Capability (ID Only, 256 Bytes, 32 Kbytes with
UI, Sensors, Location, Security) plotted against Read/Write
Range (4 inches, 10 feet, 300 feet), placing EPCglobal,
NFC / 14443 / SmartCards (dozens of variations), and
Active Tags]
24
Key Privacy-Sensitive Forms of RFID
  • EPCglobal: ID number, 20-foot range
  • For supply chain (pallets and cases)
  • What if individual goods are labeled?
  • RealID (state driver's licenses) is similar to
    this
  • NFC: Lots of data, security, 2-inch range
  • Payment cards, cell phones
  • Personal data can be involved
  • e-Passport uses NFC, also credit card companies
  • Active RFID: Idiosyncratic, 300-foot range
  • Person-tracking by employers
  • License plate tracking in UK

25
What is Personal Data?
  • Personal Identification
  • Details about an individual person
  • Primarily in ID documents / badges / cards
  • Privacy violation is Breach
  • Activity Records
  • Accumulated based on pseudonym
  • Primarily in consumer goods
  • Privacy violation is Tracking

26
PII - Personally Identifiable Information
  • Primary category of data protected by privacy
    in US practice
  • Many different definitions, here's one:
  • "any piece of information which can potentially
    be used to uniquely identify, contact, or locate
    a single person"
  • Wikipedia says it includes name (if not common),
    govt. ID number, phone number, street address,
    email address, vehicle plate number, face /
    biometric, IP address (sometimes)
  • Fairly loose and squishy definition
  • Different sources have different definitions
  • EU Personal Identification includes more

27
RFID Privacy Breaches
  • Leak of information through radio
  • Collecting information not authorized
  • Retaining information not authorized
  • Using information in ways not authorized
  • Sending information to third parties who are not
    authorized
  • These apply to all IT systems, not just RFID

28
RFID Radio Security
  • Security is to protect data from access by
    unauthorized parties
  • Types of attack (diagram shows an Authorized
    Reader, a Tag, and four attackers: Eavesdropper,
    Spoofer, Tamperer, Skimmer)
  • Not all systems have adequate security designed in
29
Tracking
  • Activity Records based on pseudonym
  • Non-PII Data About Individual
  • New technologies, e.g. RFID and cell phones,
    produce data about things in the world
  • You may leave a trail of breadcrumbs
  • Based on pseudonym, not personal ID
  • But the object is yours!
  • Actually trail -> mountains
  • These data mountains are not considered PII

30
Helen Wears a Hat
  • Helen buys a hat at store A.
  • The hat contains an RFID tag with a unique ID
    number.
  • (Even if encrypted it is unique.)
  • (The store might record purchase information
    about Helen, but we will assume they keep it
    private.)
  • Helen keeps the RFID tag in the hat because she
    has a smart closet.

[Diagram: Hat 1 goes from Store A to Helen]
31
Helen Wears a Hat - Chapter 2
  • Helen visits store B wearing her hat. Store B
    detects it at the door.
  • Helen visits stores C, D, and E, and has lunch
    with her friend Suzie who has a new sweater.

[Diagram: Hat 1 detected at Store B, Store C, Store D and
Store E; Sweater 9 appears alongside Hat 1]
32
Helen Wears a Hat - Chapter 3
  • These stores all sell their data to marketer X,
    who assembles it and looks for patterns. This
    information is available to businesses, and is
    discoverable in legal proceedings.
  • Helen's name and personal data do not appear in
    the records.
  • The usual privacy policies and regulations do
    not apply to this data!

33
Privacy Breach & Tracking
  • Privacy Breach and Tracking have interactions
  • Breach makes it possible to track
  • Tracking physical presence can lead to a breach
  • More tracking makes it easier to mine to create a
    breach
  • Tracking makes the consequences of a breach more
    serious
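The Helen scenario and the breach/tracking interaction above, as an added example that is not part of the original slides: constructed reader logs hold only tag ids (Pseudonyms), yet pooling them yields a per-tag Activity Record and a co-presence link, and a single leaked pseudonym-to-name mapping (a Breach) converts the whole trail into data about a named person. Store and time values are constructed.

```python
from collections import defaultdict

# Constructed reader logs (not from the slides): (store, time, tag id).
# The tag id is the Pseudonym the RFID tag broadcasts; no name appears.
READER_LOGS = [
    ("Store A", "09:05", "Hat 1"),
    ("Store B", "10:12", "Hat 1"),
    ("Store B", "10:30", "Sweater 9"),
    ("Store C", "10:40", "Hat 1"),
    ("Store D", "11:15", "Hat 1"),
    ("Store E", "11:50", "Hat 1"),
    ("Cafe",    "12:30", "Hat 1"),
    ("Cafe",    "12:30", "Sweater 9"),
    ("Store F", "15:00", "Sweater 9"),
]

def build_activity_records(logs):
    """Marketer X's step: pool every store's reads into one Activity Record
    per pseudonym, a time-ordered list of (time, store)."""
    records = defaultdict(list)
    for store, when, tag in logs:
        records[tag].append((when, store))
    return {tag: sorted(visits) for tag, visits in records.items()}

def trail(records, tag):
    """The 'trail of breadcrumbs' for one pseudonym, as a list of stores."""
    return [store for _, store in records.get(tag, [])]

def co_presence(logs):
    """Pseudonyms read by the same reader at the same time. This links Hat 1
    to Sweater 9 (Helen's lunch with Suzie) without any name being involved."""
    seen = defaultdict(set)
    for store, when, tag in logs:
        seen[(store, when)].add(tag)
    pairs = set()
    for tags in seen.values():
        ordered = sorted(tags)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                pairs.add((a, b))
    return pairs

def resolve(records, breach):
    """Slide 33: a Privacy Breach (one store leaking pseudonym -> Personal ID,
    e.g. from Store A's purchase record) turns every pseudonymous trail into a
    record about a named person. `breach` maps tag id to name."""
    return {name: trail(records, tag) for tag, name in breach.items()
            if tag in records}
```

Note that nothing in `build_activity_records` or `co_presence` needs PII, which is exactly why the usual PII-based policies do not reach this data until `resolve` is possible.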

34
Protecting Personal Data
  • Who does what with your personal data?
  • Sanctioned (Privacy Policy)
  • User's Understanding
  • Authorized Use
  • Authorization Creep
  • Third-Party Freedom
  • Miscreants (Privacy Security)
  • Opportunistic
  • Professional
  • Conspiratorial (Organized)
  • That Which Must Not Be Named
35
Best Practice Guidelines
  • Most experts agree that the primary basis for
    RFID Privacy policy should be Fair Information
    Practices
  • Many variants, e.g. Safe Harbor
  • Notice, Choice, Consent, Security, ...
  • This addresses authorized users
  • Not always honored by government
  • Identity documents, license plates, etc.
  • Unclear meaning, e.g. what is consent?
  • Unclear decision-making process

36
Privacy Policy for PII - Safe Harbor
  • Notice
  • Choice & Consent
  • Onward Transfer
  • Access
  • Security
  • Data Integrity & Quality
  • Enforcement & Remedy
  • Good reference: Privacy Best Practices for
    Deployment of RFID Technology, Center for
    Democracy and Technology, 2006.
    http://www.cdt.org/privacy/20060501rfid-best-practices.php

37
Security Mechanisms
  • Information Security
  • Encryption, Authorization, Dynamic IDs, ...
  • Physical Security
  • On/off switches, Foil covers, Short range,
    Multiple modalities, ...
  • Design Security
  • Opt-in v. opt-out, Default settings, No PII on
    tags, ...

38
Resistance to Tracking
  • Proposed privacy measures
  • Clipping (IBM): shorten antenna after purchase
  • Killing (EPC): deactivate tag on command
  • Erase the Serial Number: leave the SKU intact
  • Blocker (RSA): device pretends to be every tag
  • Dynamic ID is a new trend in the RFID literature:
    tag presents apparently random ID
  • Cryptographic techniques for generating a
    sequence of ID numbers that cannot be inverted
  • All of the above have major shortcomings!
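The "erase the serial number" shortcoming, as an added example that is not from the slides: even with serial numbers gone, the combination of ordinary SKUs a person carries is usually unique in any real crowd, so it serves as a Pseudonym (a unique combination of non-unique data, slide 4). The shopper population and the equally-likely-combination assumption are constructed.

```python
from collections import Counter
from math import comb

# Constructed shoppers (not from the slides). Serial numbers were erased, so
# each tag reveals only its SKU; a shopper is seen as the set of SKUs carried.
SHOPPERS = {
    "s1": frozenset({"jeans-32", "cap-red", "watch-z1"}),
    "s2": frozenset({"jeans-32", "cap-red", "watch-z1"}),  # same combo as s1
    "s3": frozenset({"jeans-32", "cap-red", "belt-b"}),
    "s4": frozenset({"sneakers-a", "bag-01", "cap-red"}),
    "s5": frozenset({"jeans-32", "sneakers-a", "watch-z1"}),
    "s6": frozenset({"jeans-32", "cap-red", "watch-z1"}),  # same combo as s1
}

def anonymity_set(shoppers, who):
    """Everyone indistinguishable from `who` by SKU combination alone."""
    target = shoppers[who]
    return sorted(name for name, items in shoppers.items() if items == target)

def unique_pseudonyms(shoppers):
    """Combinations that occur exactly once. Each one is a Pseudonym for its
    owner and can be tracked across readers just like a serial number."""
    counts = Counter(shoppers.values())
    return {name: items for name, items in shoppers.items() if counts[items] == 1}

def expected_shared(catalog_size, items_carried, population):
    """Rough estimate (constructed model) of how many people share their
    combination with at least one other, assuming each of C = comb(catalog, k)
    combinations is equally likely: n * (1 - (1 - 1/C) ** (n - 1)).
    Returns (C, estimate)."""
    c = comb(catalog_size, items_carried)
    return c, population * (1 - (1 - 1 / c) ** (population - 1))
```

Real SKU distributions are skewed rather than uniform, which makes a few popular combinations shared but makes any uncommon item even more identifying than the estimate suggests.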

39
Where is the Action Today?
  • Guidelines: Industry organizations, standards
    bodies, privacy advocates
  • Center for Democracy and Technology
  • State legislatures in the US
  • CA, IL, WA, NH, AL, ...
  • EU, Japan, ...

40
Common Pitfalls in Proposed RFID Privacy
Regulations & Laws
  • Overbroad definition of RFID: includes cell
    phones, laptops, etc.
  • Example: "RFID means electronic devices that
    broadcast an identification number by radio"
  • Regulating technology without limiting data or
    its use
  • RFID in 2006, what will it be in 2016?
  • Ban on technology (reduces innovation)
  • No RFID until 2010

41
Policy Recommendations
  • Trustworthy Computing is Good Business
  • Get good technical guidance!
  • Encourage technology development
  • Regulate data and its use, not technology
  • Foster responsible use
  • Codify best practices based on FIP
  • Don't lock in current technologies
  • Sensitive applications need careful planning

42
Issues in RFID Privacy
  • What is Privacy?
  • What is RFID?
  • What are the key initiatives of public interest?
  • What are the privacy risks from RFID?
  • What is happening with RFID privacy policy today?
  • What are key issues for policymakers?

43
Additional Material
44
Solove's Taxonomy of Privacy
[Diagram, centred on the Data Holders, of four groups of harms:]
  • I. Information Collection: Surveillance,
    Interrogation
  • II. Information Processing: Aggregation,
    Identification, Insecurity, Secondary Use,
    Exclusion
  • III. Information Dissemination: Breach of
    Confidentiality, Disclosure, Exposure, Increased
    Accessibility, Blackmail, Appropriation, Distortion
  • IV. Invasions: Intrusion, Decisional Interference

Reprinted with permission from Solove, Daniel J.,
"A Taxonomy of Privacy", University of Pennsylvania
Law Review, Vol. 154, Fall 2005.
http://ssrn.com/abstract=667622
Risk from PAI on previous slide
45
TRUSTe's definition (excerpt)
  • "any information (i) that identifies or can be
    used to identify, contact, or locate or (ii)
    from which identification or contact information
    of an individual person can be derived."
  • Includes name, govt. ID numbers, phone & FAX
    numbers, street address, email address, financial
    profiles, medical profile, credit card info.
  • Note: financial / medical info is especially
    sensitive information
  • Source: Jeffrey Klimas v. Comcast Corp, US

46
TRUSTe - Associated Info
  • "to the extent unique information (not PII) is
    associated with PII, it will be considered
    PII"
  • Includes personal profile, biometric, pseudonym,
    IP address
  • IP address becomes PII only if associated
    with PII
  • Excludes data collected anonymously (without
    identification of the individual user)
  • So it seems to exclude Helen's hat's data records
    unless associated with PII
  • This data is pseudonymous, not really
    anonymous

47
Pseudonyms
  • A pseudonym is any constant, unique datum
  • Can be an almost-unique datum
  • Can be a set of common data
  • Can be an encrypted datum
  • Can be a pseudo-random member of a unique set

48
Privacy and Security
  • Security: Enforcement of boundary against
    unauthorized users
  • Privacy: Define / enforce boundary policy for
    personal data
49
Directionality in Identity Systems
  • Omnidirectional: accessible to everyone
  • Directional: only accessible to authorized
    parties
  • Also called Unidirectional
  • Enforced by security measures
  • Authorization of both endpoints
  • Encryption of data in storage and in communication

50
Security Goals for RFID Privacy
  • Personal ID should always be Directional
  • Pseudonyms should always be Directional
  • Personal ID: this is a no-brainer
  • Pseudonyms: usually very difficult to implement!

51
Problems With Tracking Resistance
  • Proposed privacy measures
  • Clipping (IBM): shorten antenna after purchase
  • Doesn't change the information flow
  • Killing (EPC): deactivate tag on command
  • Prevents after-market use of tags
  • Erase the Serial Number: leave the SKU intact
  • Combinations of SKUs can create a unique
    identifier
  • Blocker (RSA): device pretends to be every tag
  • Denial of Service is a security violation
  • Dynamic ID is a new trend in the RFID literature:
    tag presents apparently random ID
  • Every reader has to know the secret for every tag
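The Dynamic ID approach and its stated shortcoming, as an added example that is not from the slides or any real tag standard: a constructed tag emits HMAC(secret, counter), so an eavesdropper without the secret cannot link two reads, but an authorized reader can only recognise the tag by holding its secret and trying every secret it knows on every read. The tag model, the 8-byte id length and the counter window are constructed choices.

```python
import hashlib
import hmac

ID_BYTES = 8  # length of the emitted pseudonym (constructed choice)

def rolling_id(secret, counter):
    """Tag-side function: HMAC(secret, counter), truncated. Without the
    secret, successive outputs look unrelated, so a passive listener cannot
    tell that two reads came from the same tag."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:ID_BYTES]

class Tag:
    """Constructed tag model: each read emits the next rolling id."""
    def __init__(self, name, secret):
        self.name, self.secret, self.counter = name, secret, 0

    def emit(self):
        out = rolling_id(self.secret, self.counter)
        self.counter += 1
        return out

class Reader:
    """Reader that must hold the secret of every tag it is allowed to
    recognise. `window` is how many counter values it tries per tag."""
    def __init__(self, secrets, window=16):
        self.secrets = dict(secrets)  # tag name -> secret
        self.window = window
        self.attempts = 0             # HMACs computed, to make the cost visible

    def identify(self, emitted):
        # The shortcoming on slide 51: every tag's secret has to be here, and
        # each read costs up to (tags x window) HMACs before a match is found.
        # A tag whose secret this reader lacks is simply unrecognisable.
        for name, secret in self.secrets.items():
            for counter in range(self.window):
                self.attempts += 1
                if hmac.compare_digest(rolling_id(secret, counter), emitted):
                    return name
        return None
```

An eavesdropper is just a `Reader` with no secrets: it sees a fresh id on every read and can link nothing, which is the privacy gain; the price is that the secret store and the per-read search grow with the number of tags.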