Privacy Research In the RFID Ecosystem Project - PowerPoint PPT Presentation

Slides: 27
Provided by: WilliamW89
1
Privacy Research In the RFID Ecosystem Project
Evan Welbourne
Joint work with Magdalena Balazinska, Gaetano Borriello, Tadayoshi Kohno, Dan Suciu, Nodira Khoussainova, Karl Koscher, Travis Kriplean, Julie Letchner, Vibhor Rastogi
University of Washington, Dept. of Computer Science & Engineering
RFID CUSP Workshop, Johns Hopkins University, Baltimore
January 24, 2008
2
Defining Security & Privacy
  • Security
    • Protection against unauthorized access, use, disclosure, disruption, modification, or destruction
  • Privacy
    • Privacy in the collection and sharing of data
  • Roughly two areas of concern
    • Security of reader-tag communication
    • Security and privacy of collected RFID data

(Rigorously defined and evaluated)
(Definition and evaluation depend on human perception/interpretation)
3
Outline
  • Overview of the RFID Ecosystem
  • Organize privacy concerns
  • Recent focus: Peer-to-Peer privacy
  • Designing a default policy
  • Implementing the policy
  • Extensions for probabilistic data
  • Techniques for detecting and preventing violations

4
Today: Outside the Supply Chain
  • Subpoenas for EZ-Pass data
  • Insecurities in first version of e-Passport
  • Insecurities in first-generation RFID credit
    cards
  • Cloning RFID access control badge
  • Dutch transit card hack

5
Tomorrow: User-Centered RFID Systems
  • User-centered, pervasive RFID Applications
  • How do I know if I am wearing a tag?
  • How do I know who can see me?
  • How can I control who can see me?
  • Who owns the data? Can I remove/edit my data?
  • What is the lifetime of the data?

6
From the Lab to the Real World
Laboratory
Everyday Life
7
RFID Ecosystem at UW CSE
  • Create a microcosm of a world saturated with
    uniquely identifiable objects
  • 100s of readers and antennas, 1000s of tags
  • Explore applications, systems, and social
    implications
  • Do it while there is still time to learn and
    adapt
  • Groups: Database, Security, Ubicomp, and others
  • Participants include
  • Magdalena Balazinska
  • Yang Li
  • Nodira Khoussainova
  • Julie Letchner
  • Gaetano Borriello
  • Dan Suciu
  • Karl Koscher
  • Vibhor Rastogi
  • Tadayoshi Kohno
  • Travis Kriplean
  • Evan Welbourne
  • 14 undergraduate researchers over the past 2 years

8
RFID Ecosystem Video
Show First RFID Ecosystem Demo Video
http://rfid.cs.washington.edu/ or
http://www.youtube.com/watch?v=DxZzDMQ7D4A
9
RFID Ecosystem at UW CSE
10
Outline
  • Overview of the RFID Ecosystem
  • Organize privacy concerns
  • Recent focus: Peer-to-Peer privacy
  • Designing a default policy
  • Implementing the policy
  • Extensions for probabilistic data
  • Techniques for detecting and preventing violations


Kriplean, Rastogi, Welbourne and others
11
Organizing Privacy Concerns
  • Modes of information disclosure
  • Institutional
    • Organization collects, uses, and shares personal data
    • Addressed by contracts, federal law, corporate practice (e.g. FIPs)
  • Peer-to-Peer or Mediated
    • Peers and superiors access data through some authorized channel
    • Mediated by access control policies
  • Malicious
    • Personal data is compromised by unauthorized parties
    • Addressed by secure systems engineering

12
Organizing Privacy Concerns
  • Modes of information disclosure
  • Institutional
    • Organization collects, uses, and shares personal data
    • Addressed by contracts, federal law, corporate practice (e.g. FIPs)
  • Peer-to-Peer or Mediated
    • Peers and superiors access data through some authorized channel
    • Mediated by access control policies
  • Malicious
    • Personal information is compromised by unauthorized parties
    • Addressed by secure systems engineering

13
A Key Problem in Peer-to-Peer Privacy
  • The Panopticon
  • Key problem: asymmetric visibility

Image credit: Prison building at Presidio Modelo, Isla De Juventud, Cuba (Wikipedia)
14
A Key Problem in Peer-to-Peer Privacy
  • Privacy vs. Utility
  • What information to disclose by default?
  • Who to disclose information to by default?
  • How to support applications and preserve
    privacy?
  • How to detect and prevent violations?

Image: Paul G. Allen Center for Computer Science & Engineering, Seattle, WA
15
Default Policy: Physical Access Control
  • Socially appropriate access control - Kriplean
  • Concept
    • Each user has a personal data store (or personal view of the data)
    • Store contains events that occurred when and where the user was physically present
  • Requirements
    • Each user carries a personal tag
    • Line-of-sight information between each pair of antennas is known and static
  • Key points
    • Provides symmetric visibility
    • Models sense of sight
    • Enables applications which augment users' memory

16
[Figure: timeline at Time 0, 1, 2 showing users' data stores, each with "sightings" and "timestamp" columns]
17
Implementing PAC with RFID
  • Tag Read Event (TRE): (tag id, antenna id, timestamp)
  • Mutual Visibility: when 2 TREs instantaneously share an unobstructed line-of-sight
  • Practical Definition of Mutual Visibility
    1) TREs occur within some time window ? of each other
    2a) TREs are read by the same antenna, or
    2b) The reading antennas are considered mutually visible
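
The practical definition above can be turned directly into the per-user data store from the default policy slide. This is an added sketch, not code from the RFID Ecosystem project; the names `window_s`, `visible_pairs` and `personal_stores`, the sample reads and the 1-second window are assumptions.

```python
from collections import namedtuple

# Tag Read Event as defined on the slide: (tag id, antenna id, timestamp).
TRE = namedtuple("TRE", "tag antenna ts")

def mutually_visible(a, b, window_s, visible_pairs):
    """Practical definition: (1) the TREs fall within the time window and
    (2a) share an antenna or (2b) their antennas are listed as mutually visible."""
    if abs(a.ts - b.ts) > window_s:
        return False
    return a.antenna == b.antenna or frozenset((a.antenna, b.antenna)) in visible_pairs

def personal_stores(tres, personal_tag, window_s, visible_pairs):
    """Build each user's personal data store: every TRE that is mutually
    visible with at least one read of that user's own personal tag."""
    stores = {}
    for user, tag in personal_tag.items():
        own = [e for e in tres if e.tag == tag]
        stores[user] = {e for e in tres
                        if any(mutually_visible(e, o, window_s, visible_pairs) for o in own)}
    return stores

def may_see(stores, user, tre):
    """Default-deny access check against the user's store."""
    return tre in stores.get(user, set())

# Constructed sample data: antenna names, tag ids and the 1 s window are assumptions.
VISIBLE = {frozenset(("hall-A", "hall-B"))}   # static line-of-sight table
TAGS = {"alice": "tag-alice", "bob": "tag-bob"}
READS = [
    TRE("tag-alice", "hall-A", 10.0),
    TRE("tag-bob", "hall-B", 10.4),      # adjacent antenna, inside the window
    TRE("tag-bob", "lab-3", 50.0),       # Alice is nowhere near
    TRE("tag-alice", "lab-3", 90.0),     # same antenna as Bob, but 40 s later
    TRE("tag-laptop", "hall-A", 10.8),   # an object read next to Alice
]
STORES = personal_stores(READS, TAGS, window_s=1.0, visible_pairs=VISIBLE)

if __name__ == "__main__":
    for user, store in STORES.items():
        print(user, sorted(store, key=lambda e: e.ts))
```

Visibility comes out symmetric: Alice's store holds Bob's hallway read and Bob's store holds hers, while neither sees the other's lab read.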

18
Challenge: Inaccurate Model
  • Some problems with model
  • 360° vision
  • Perfect observations in complex/crowded situations
  • Perfect, everlasting memory
  • Second two could be dealt with

19
Challenge: Imperfect Deployment
  • The physics of a real RFID deployment may not match up
  • Antenna read-range may not be clearly defined
  • In our deployment it works out (Kriplean, Welbourne, et al. 2007)
  • Microbenchmarks
  • ? 1 sec, mv geometry
  • Colocations per second
  • Few false positives
  • Most colocations detected
  • But RFID is noisy and uncertain → Data is really probabilistic!

20
Challenge: Uncertain Data
  • Uncertainty in data: Where did Alice go?
  • Each possible location is assigned a probability

[Figure; legend: antenna, Alice]
21
Assigning Probabilities: Particle Filter
  • Particle Filter Movie
  • Assigns a probability to each location
  • Incorporates prior knowledge
  • Sensor model
  • Motion Model
  • Past behavior

Letchner, Balazinska
22
(Re)defining PAC: Data Perturbation
  • Let Pr(context) = pc
  • Let Pr(secret) = ps
  • Semantics
    • pc = 1 → reveal ps
    • pc = 0 → deny query
    • 0 < pc < 1 → then what?

  • Reveal partial information in uncertain context
    • Perturb ps: ps' = ps + noise(pc)
    • Return ps' instead of ps
  • Compromises soundness
    • Answers returned may be wrong
    • Justifiable as system is itself uncertain!
    • Degree of confidence in answer also returned

Rastogi, Suciu
23
Noise Function
  • -0.5 < noise(pc) < 0.5

[Figure labels: pc = 0.5, pc = 0]
Rastogi, Suciu
24
Challenge: Misplaced Tags
  • Ex: Alice slips her personal tag into Bob's briefcase
  • Ex: Bob tapes his tag to Alice's office door
  • Detection methods
  • Detect / report / investigate anomalous behavior
  • Two users suddenly together everywhere
  • User stays in one place for an unusually long time
  • Calm reports of another user's presence
  • Ambient display shows how many users are present
  • Prevention methods
  • Require personal tag to be present in order to make a query
  • Add value to personal tag, e.g. use a phone instead of a tag
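
The two anomaly checks listed under detection methods, run over a stream of tag read events, as an added example that is not code from the project. The function names, thresholds (`min_ratio`, `min_antennas`, `max_dwell_s`) and the sample reads are assumptions chosen for illustration.

```python
from collections import namedtuple
from itertools import combinations

TRE = namedtuple("TRE", "tag antenna ts")  # (tag id, antenna id, timestamp in s)

def together_ratio(tres, a, b, window_s):
    """Fraction of tag a's reads matched by a read of tag b at the same antenna."""
    reads_a = [e for e in tres if e.tag == a]
    reads_b = [e for e in tres if e.tag == b]
    hits = sum(any(e.antenna == o.antenna and abs(e.ts - o.ts) <= window_s
                   for o in reads_b) for e in reads_a)
    return hits / len(reads_a) if reads_a else 0.0

def longest_dwell(tres, tag):
    """Longest span (s) in which the tag was read at one antenna only."""
    best, start, prev = (0.0, None), None, None
    for e in sorted((e for e in tres if e.tag == tag), key=lambda e: e.ts):
        if prev is None or e.antenna != prev.antenna:
            start = e                      # tag moved: restart the dwell clock
        if e.ts - start.ts > best[0]:
            best = (e.ts - start.ts, e.antenna)
        prev = e
    return best

def misplaced_tag_alerts(tres, tags, window_s=1.0, min_ratio=0.9,
                         min_antennas=3, max_dwell_s=8 * 3600):
    """Thresholds are illustrative assumptions, not values from the slides."""
    alerts = []
    for a, b in combinations(sorted(tags), 2):
        places = {e.antenna for e in tres if e.tag == a}
        both = min(together_ratio(tres, a, b, window_s),
                   together_ratio(tres, b, a, window_s))
        if len(places) >= min_antennas and both >= min_ratio:
            alerts.append(("together-everywhere", a, b))
    for t in sorted(tags):
        dwell, antenna = longest_dwell(tres, t)
        if dwell > max_dwell_s:
            alerts.append(("stationary", t, antenna))
    return alerts

# Constructed sample: two tags that always travel together, one that never moves.
SAMPLE = [TRE(t, ant, ts + d)
          for ant, ts in [("lobby", 100.0), ("hall-A", 400.0), ("lab-3", 900.0)]
          for t, d in [("tag-alice", 0.0), ("tag-bob", 0.3)]]
SAMPLE += [TRE("tag-carol", "door-214", h * 3600.0) for h in range(11)]
ALERTS = misplaced_tag_alerts(SAMPLE, {"tag-alice", "tag-bob", "tag-carol"})
```

Both alert types are leads for the report and investigate step on the slide; two colleagues who walk together all day produce the same pattern as a tag slipped into a briefcase.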

25
Some Extensions
  • User-level controls
  • Authorize access using other context (e.g. during
    a scheduled meeting)
  • Access control w/ shared social knowledge:
    Facebook plugin (Toomim)
  • An economic model for pricing queries
  • Other policies
  • Authorize access using other context (e.g. during
    a scheduled meeting)
  • Access according to user settings
  • Prevention
  • Proactive privacy device teaches users about
    their privacy settings

26
Thank you!
Thanks! Questions?