1. RFID Privacy Issues and the ORCA System
Steve Shafer (stevensh@microsoft.com)
Microsoft Research
May 2007
2. Steve Shafer, Microsoft Research
Working in ubiquitous computing a long time
Working with RFID at Microsoft
Microsoft RFID whitepaper on RFID Privacy
Was member of the CDT RFID Privacy Working Group
Vice Chair of the Privacy Advisory Council of the NFC Forum
Presented at UW in November 2006
3. Today
RFID privacy vocabulary & guidelines
Privacy Survey: How ORCA measures up
Note there are both RFID and non-RFID privacy issues in ORCA
I am only qualified to address RFID issues
4. Vocabulary – Personal Data
Personal Data consists of Personal ID and Activity Records
Personal ID is data that describes or gives access to a unique individual Subject
An Activity Record associates a Pseudonym with data about activities, transactions, locations, things, or other people
A Pseudonym is any unique data associated with a unique individual Subject
Unique datum, or unique combination of non-unique data
Unique value, or value drawn from a unique set of values
5. Vocabulary – Privacy Violations
Privacy Violations include Privacy Breaches and Tracking
A Privacy Breach is a disclosure of Personal ID to an unauthorized party
Tracking is a disclosure of Activity Records to an unauthorized party
6. Vocabulary – Authorization
In a Mandatory system, authorization is stipulated by the system operator
In a Voluntary system, the User provides authorization through Informed Consent
The User is the individual who presents a tag to the system
Informed Consent includes Notice and Consent (as described in the guidelines)
7. Vocabulary – Recap
Personal Data
Personal ID
Privacy Breach
Pseudonym & Activity Record
Tracking
Subject & User
Authorized v. Unauthorized
Mandatory
Voluntary
Informed Consent
8. Guidelines – I – Principles
The broadest relevant definition of Personal ID should be applied.
How about index data? Non-actionable data?
Personal ID should be Directional.
Pseudonyms should be Directional …
… but frequently they’re not.
9. Guidelines – II – Informed Consent
Informed Consent should be obtained before a User enrolls in the system.
Notice should include the Personal Data, its purposes, retention & other policies, User actions.
What about limitations on the “purposes”?
Consent requires knowing, affirmative indication.
Informed Consent should be obtained before any transaction or activity.
Notice may be simply a logo.
Consent may be simply the presentation of the tag.
10. Guidelines – III – Security
Personal Data should be made Directional both in storage and communication.
Design security – Minimize Personal Data.
Physical security – Keep the tag quiet electronically.
Information security – Make the software smart.
11. Guidelines – IV – Data Handling
Personal Data should be handled nicely.
Only use it for agreed-upon purposes.
Have a policy for data expiration.
Ensure integrity and quality of data.
Provide Users with access to data about them.
Provide Users with a complaint mechanism.
Take responsibility when data is sent to third parties (details on next slide).
Review policies and practices regularly.
12. Guidelines – IVa – Onward Transfer
7f. Sending Personal Data to a third party:
Tell the recipient what the data is authorized for.
Take some steps to ensure the recipient uses the data only for authorized purposes.
Take some steps to ensure the recipient abides by reasonable principles for data handling.
If the User appeals your handling of the data, propagate that appeal to the recipient.
13. Apply These Guidelines to ORCA
Some noteworthy points:
Transit users can elect to pay cash or use ORCA cards without creating an account
Accounts are for replenishment or for institutions
Institutional use may be Mandatory
Personal ID is not on the card … but many Pseudonyms are there
Should the U-Pass # itself be considered Personal ID?
In fact, Personal Data is on the card, in the form of an Activity Record (“ride history” of your last 10 trips [for each agency])
14. Apply These Guidelines to ORCA
Some more noteworthy points:
In theory, 14443 tags can be operated up to 10cm. But they can be skimmed at 20-50cm, eavesdropped at 10m, and detected at 20m.
In ORCA, the Contract Administrator can authorize additional uses for the data!!!
Cohabiting applications may access ORCA data if authorized by the Contract Admin.!!
ORCA data is to be encrypted by a key. But where will the key live?
One key per tag? Agency? User?
15. Apply These Guidelines to ORCA
Some more noteworthy points:
ORCA requires card serial numbers. It also requires that they be linkable to Personal ID.
(non-RFID) ORCA mandates Personal ID at central database
Is this really required for the stated purposes, i.e. replenishment & linkage?
(non-RFID) ORCA mandates history of at least the last 20 fare payments & transfers in database
Is this really required for the stated purposes?
16. (slide with no extractable text)
17. Stuff I Presented in November 2006 to the UW Law School
by Steve Shafer, Microsoft Corp.
18. (slide with no extractable text)
19. Worthwhile Web Links
http://www.cephas-library.com/nwo/nwo_the_year_of_rfid_legislation.html
http://www.retail-leaders.org/new/resources/RFID_Bill_Summaries_2005_08-31-05.pdf
http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0651-0700/sb_682_bill_20050815_amended_asm.html
http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0651-0700/sb_682_bill_20060807_amended_asm.html
http://info.sen.ca.gov/pub/05-06/bill/sen/sb_0751-0800/sb_768_bill_20050902_amended_asm.html
http://www.cr80news.com/news/2006/10/02/governor-schwarzenegger-vetoes-controversial-antirfid-legislation/
http://www.retail-leaders.org/new/rlGovAffairs.aspx?section=GOVEIS&id=5&cid=16
http://www.cdt.org/privacy/20060501rfid-best-practices.php
20. Issues to Consider
What is Privacy?
What is RFID?
What are the key initiatives of public interest?
What are the privacy risks from RFID?
What is happening with RFID privacy policy today?
What are key issues for policymakers?
21. What is Privacy?
One definition: “Giving consumers control over the collection and use of personal data”
22. The Privacy Community
23. Key RFID Technology Variations
24. Key Privacy-Sensitive Forms of RFID
EPCglobal: ID number, 20-foot range
For supply chain (pallets and cases)
What if individual goods are labeled?
Real ID (state driver's licenses) is similar to this
NFC: Lots of data, security, 2-inch range
Payment cards, cell phones
Personal data can be involved
e-Passport uses NFC, also credit card companies
Active RFID: Idiosyncratic, 300-foot range
Person-tracking by employers
License plate tracking in UK
25. What is Personal Data?
Personal Identification
Details about an individual person
Primarily in ID documents / badges / cards
Privacy violation is “Breach”
Activity Records
Accumulated based on pseudonym
Primarily in consumer goods
Privacy violation is “Tracking”
26. PII = Personally Identifiable Information
Primary category of data protected by “privacy” in US practice
Many different definitions, here’s one:
“any piece of information which can potentially be used to uniquely identify, contact, or locate a single person”
Wikipedia says it includes name (if not common), govt. ID #, phone #, street address, email address, vehicle plate #, face / biometric, IP address (sometimes)
Fairly loose and squishy definition
Different sources have different definitions
EU “Personal Identification” includes more
27. RFID Privacy Breaches
Leak of information through radio
Collecting information not authorized
Retaining information not authorized
Using information in ways not authorized
Sending information to third parties who are not authorized
These apply to all IT systems, not just RFID
28. RFID Radio Security
Security is to protect data from access by unauthorized parties
Types of attack:
Not all systems have adequate security designed in
29. Tracking
Activity Records based on pseudonym
Non-PII Data About Individual
New technologies e.g. RFID, cell phone produce data about things in the world
You may leave a “trail of breadcrumbs”
Based on pseudonym, not personal ID
But the object is yours!
Actually “trail” → “mountains”
These data mountains are not considered PII
30. “Helen Wears a Hat”
Helen buys a hat at store A.
The hat contains an RFID tag with a unique ID number.
(Even if encrypted it is unique.)
(The store might record purchase information about Helen, but we will assume they keep it private.)
Helen keeps the RFID tag in the hat because she has a “smart closet”.
31. “Helen Wears a Hat” – Chapter 2
Helen visits store B wearing her hat. Store B detects it at the door.
Helen visits stores C, D, and E, and has lunch with her friend Suzie who has a new sweater.
32. “Helen Wears a Hat” – Chapter 3
These stores all sell their data to marketer X, who assembles it and looks for patterns. This information is available to businesses, and is discoverable in legal proceedings.
Helen’s name and personal data do not appear in the records.
The usual “privacy policies” and regulations do not apply to this data!
33. Privacy Breach + Tracking
Privacy Breach and Tracking have interactions:
Breach makes it possible to track
Tracking + physical presence can lead to a breach
More tracking makes it easier to mine to create a breach
Tracking makes the consequences of a breach more serious
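The following is an added example, not part of the deck: a small Python re-enactment of the “Helen Wears a Hat” story and of the Breach/Tracking interactions listed just above. The store names, tag IDs and timestamps are constructed, and marketer X is modelled simply as code that pools every store's reader log. It shows three things: an Activity Record built purely from a pseudonym (the hat tag's ID) with no Personal ID anywhere in it, how knowing a named person's physical presence at a few places narrows the pseudonyms down to one (Tracking + physical presence leading to a Breach), and how a single record linking pseudonym to name turns the entire trail into named Personal Data.

```python
"""Tracking by pseudonym: constructed re-enactment of "Helen Wears a Hat".

Nothing here comes from the deck or from any real store system; the tag IDs,
store names and timestamps are made up for the example.
"""
from collections import defaultdict

# Constructed door-reader logs from stores A..F: (store, time, tag_id).
# No name or other Personal ID appears in any record.
HELEN_HAT = "e2003411b8020011"      # unique ID of the tag in Helen's hat
SUZIE_SWEATER = "e2003499ff000021"  # unique ID of the tag in Suzie's sweater
OTHER = "e20034a7c1120099"          # an unrelated shopper's tag

READER_LOGS = [
    ("A", "2007-05-01T10:02", HELEN_HAT),      # purchase at store A
    ("B", "2007-05-01T11:15", HELEN_HAT),      # detected at the door of B
    ("C", "2007-05-01T11:40", HELEN_HAT),
    ("C", "2007-05-01T11:41", OTHER),
    ("D", "2007-05-01T12:05", HELEN_HAT),
    ("E", "2007-05-01T12:30", HELEN_HAT),      # lunch at E ...
    ("E", "2007-05-01T12:30", SUZIE_SWEATER),  # ... with Suzie
    ("F", "2007-05-02T09:10", OTHER),
]


def build_activity_records(logs):
    """Marketer X: pool every store's log and group sightings by pseudonym.
    The result is one Activity Record per tag, still without Personal ID."""
    records = defaultdict(list)
    for store, when, tag_id in sorted(logs, key=lambda r: r[1]):
        records[tag_id].append((when, store))
    return dict(records)


def trail(records, tag_id):
    """Ordered list of stores where one pseudonym was seen."""
    return [store for _, store in records.get(tag_id, [])]


def companions(records, tag_id):
    """Pseudonyms seen at the same store at the same time as tag_id,
    the kind of pattern a marketer mines (who shops or eats together)."""
    visits = set(records.get(tag_id, []))
    return sorted(other for other, seen in records.items()
                  if other != tag_id and visits & set(seen))


def candidates_for_presence(records, sightings):
    """Tracking + physical presence: an observer who knows a named person was
    at each (store, time) in `sightings` intersects the pseudonyms seen there.
    More sightings shrink the candidate set; a single candidate is a Breach."""
    candidates = None
    for store, when in sightings:
        seen = {tag for tag, visits in records.items() if (when, store) in visits}
        candidates = seen if candidates is None else candidates & seen
    return candidates or set()


def attach_name(records, tag_id, name):
    """One Breach record (pseudonym -> Personal ID), for instance a leaked
    purchase record from store A, turns the whole trail into named data."""
    return {"name": name, "trail": list(records.get(tag_id, []))}


if __name__ == "__main__":
    recs = build_activity_records(READER_LOGS)
    print("trail of Helen's hat:", trail(recs, HELEN_HAT))
    print("seen together with:", companions(recs, HELEN_HAT))
    print("candidates from E alone:",
          candidates_for_presence(recs, [("E", "2007-05-01T12:30")]))
    print("candidates from B and E:",
          candidates_for_presence(recs, [("B", "2007-05-01T11:15"),
                                         ("E", "2007-05-01T12:30")]))
    print(attach_name(recs, HELEN_HAT, "Helen"))
```

Running the module prints the five-store trail, the companion tag from lunch, two candidates when only the lunch sighting is known and exactly one once a second sighting is added. The point for a system designer is that the pool of records contains no PII at any stage, so PII-based policies do not trigger, yet one external fact is enough to name the entire record.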
34. Protecting Personal Data
Who does what with your personal data?
Sanctioned:
User’s Understanding
Authorized Use
“Authorization Creep”
“Third-Party Freedom”
Miscreants:
“Opportunistic”
“Professional”
“Conspiratorial” (= “Organized”)
That Which Must Not Be Named
35. Best Practice Guidelines
Most experts agree that the primary basis for RFID Privacy policy should be Fair Information Practices
Many variants e.g. “Safe Harbor”
Notice, Choice, Consent, Security, …
This addresses authorized users
Not always honored by government
Identity documents, license plates, etc.
Unclear meaning, e.g. what is “consent”?
Unclear decision-making process
36. Privacy Policy for PII: Safe Harbor
Notice
Choice & Consent
Onward Transfer
Access
Security
Data Integrity & Quality
Enforcement & Remedy
Good reference: Privacy Best Practices for Deployment of RFID Technology, Center for Democracy and Technology, 2006. http://www.cdt.org/privacy/20060501rfid-best-practices.php
37. Security Mechanisms
Information Security
Encryption, Authorization, Dynamic IDs, …
Physical Security
On/off switches, Foil covers, Short range, Multiple modalities, …
Design Security
Opt-in v. opt-out, Default settings, No PII on tags, …
38. Resistance to Tracking
Proposed “privacy” measures:
Clipping (IBM): shorten antenna after purchase
Killing (EPC): deactivate tag on command
Erase the Serial Number: leave the SKU intact
Blocker (RSA): device pretends to be every tag
Dynamic ID is a new trend in the RFID literature: tag presents apparently random ID
Cryptographic techniques for generating a sequence of ID numbers that cannot be inverted
All of the above have major shortcomings!
39. Where is the Action Today?
Guidelines: Industry organizations, standards bodies, privacy advocates
Center for Democracy and Technology
State legislatures in the US
CA, IL, WA, NH, AL, …
EU, Japan, …
40. Common Pitfalls in Proposed RFID Privacy Regulations & Laws
Overbroad definition of “RFID” includes cell phones, laptops, etc.
Example: “RFID means electronic devices that broadcast identification number by radio”
Regulating technology without limiting data or its use
RFID in 2006, what will it be in 2016?
Ban on technology (reduces innovation)
“No RFID until 2010”
41. Policy Recommendations
“Trustworthy Computing is Good Business”
Get good technical guidance!
Encourage technology development
Regulate data and its use, not technology
Foster responsible use
Codify best practices based on FIP
Don’t lock in current technologies
Sensitive applications need careful planning
42. Issues in RFID Privacy
What is Privacy?
What is RFID?
What are the key initiatives of public interest?
What are the privacy risks from RFID?
What is happening with RFID privacy policy today?
What are key issues for policymakers?
43. Additional Material
44. Solove’s Taxonomy of Privacy
45. TRUSTe’s definition (excerpt)
“any information … (i) that identifies or can be used to identify, contact, or locate … or (ii) from which identification or contact information of an individual person can be derived.”
Includes: name, govt. ID numbers, phone + FAX numbers, street address, email address, financial profiles, medical profile, credit card info.
Note financial / medical info is “especially sensitive information”
Source: Jeffrey Klimas v. Comcast Corp, US …
46. TRUSTe “Associated” Info
“to the extent unique information … [not PII] is associated with PII … [it] will be considered [PII]”
Includes personal profile, biometric, pseudonym, IP address
IP address “becomes PII” only if “associated with” PII
Excludes data collected “anonymously” (“without identification of the individual user”)
So it seems to exclude Helen’s hat’s data records unless associated with PII
This data is “pseudonymous”, not really “anonymous”
47. Pseudonyms
A pseudonym is any constant, unique datum
Can be an almost-unique datum
Can be a set of common data
Can be an encrypted datum
Can be a pseudo-random member of a unique set
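An added Python example, not from the deck, for the “set of common data” case above: a constructed population of shoppers whose tagged goods have had their serial numbers erased so that only the SKU is readable. Every single SKU is carried by at least two people, yet the combination a person carries is usually unique, so a reader can build the same Activity Records from the combination that it would have built from a serial number. The shopper names and SKU codes are made up.

```python
"""Pseudonyms from a set of common data (constructed example).

After "erase the serial number, leave the SKU intact", a reader sees a set of
SKUs per person. Individually common, the set is frequently unique.
"""
from collections import Counter

# Constructed: shopper -> SKUs readable on the goods they carry.
SHOPPERS = {
    "shopper-1": ["HAT-RED-M", "JEANS-32", "SHOE-9"],
    "shopper-2": ["HAT-RED-M", "JEANS-32", "SHOE-10"],
    "shopper-3": ["HAT-RED-M", "JEANS-34", "SHOE-9"],
    "shopper-4": ["JEANS-32", "SHOE-9"],
    "shopper-5": ["JEANS-32", "SHOE-9"],   # same combination as shopper-4
    "shopper-6": ["HAT-RED-M", "SHOE-10"],
    "shopper-7": ["HAT-RED-M", "JEANS-34"],
    "shopper-8": ["HAT-RED-M"],
    "shopper-9": ["HAT-RED-M"],            # same combination as shopper-8
}


def sku_fingerprint(skus):
    """What a reader observes for one person: the sorted set of SKUs."""
    return tuple(sorted(set(skus)))


def sku_popularity(shoppers):
    """Shoppers per single SKU; shows that no SKU identifies on its own."""
    counts = Counter()
    for skus in shoppers.values():
        counts.update(set(skus))
    return counts


def fingerprint_sharing(shoppers):
    """For each shopper, how many shoppers share the full SKU combination.
    A count of 1 means the combination singles that person out."""
    counts = Counter(sku_fingerprint(s) for s in shoppers.values())
    return {who: counts[sku_fingerprint(s)] for who, s in shoppers.items()}


def pseudonymous_shoppers(shoppers):
    """Shoppers whose SKU combination is a pseudonym in the deck's sense."""
    return sorted(w for w, n in fingerprint_sharing(shoppers).items() if n == 1)


def link_sightings(sightings):
    """Reader-side linking: (store, skus) sightings grouped by fingerprint,
    the same Activity-Record construction as with a serial number."""
    trails = {}
    for store, skus in sightings:
        trails.setdefault(sku_fingerprint(skus), []).append(store)
    return trails


if __name__ == "__main__":
    print("shoppers per SKU:", dict(sku_popularity(SHOPPERS)))
    print("singled out by their combination:", pseudonymous_shoppers(SHOPPERS))
    print(link_sightings([("A", SHOPPERS["shopper-1"]),
                          ("B", ["SHOE-9", "HAT-RED-M", "JEANS-32"]),
                          ("B", SHOPPERS["shopper-8"])]))
```

In this population the least popular SKU is still shared by two people, but five of the nine shoppers are singled out by their combination, and a second store observing the same combination links straight back to the first sighting. Whether a real population behaves this way depends on how many tagged items people carry and how varied the SKUs are, which is exactly the measurement a deployment should make before relying on serial-number erasure.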
48. Privacy and Security
49. Directionality in Identity Systems
Omnidirectional = accessible to everyone
Directional = only accessible to authorized parties
Also called Unidirectional
Enforced by security measures
Authorization of both endpoints
Encryption of data in storage and in communication
50. Security Goals for RFID Privacy
Personal ID should always be Directional
Pseudonyms should always be Directional
Personal ID: this is a no-brainer
Pseudonyms: usually very difficult to implement!
51. Problems With Tracking Resistance
Proposed “privacy” measures:
Clipping (IBM): shorten antenna after purchase
Doesn’t change the information flow
Killing (EPC): deactivate tag on command
Prevents after-market use of tags
Erase the Serial Number: leave the SKU intact
Combinations of SKUs can create a unique identifier
Blocker (RSA): device pretends to be every tag
Denial of Service is a security violation
Dynamic ID is a new trend in the RFID literature: tag presents apparently random ID
Every reader has to know the secret for every tag
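An added Python example, not the deck's, to make the last point concrete. It models a Dynamic ID tag as a generic keyed-hash design (HMAC over a per-tag counter; this is an illustrative construction, not any particular standard), so each answer is a pseudo-random member of a unique set that cannot be inverted to the secret or linked to the previous answer without the key. The reader side shows the cost: an authorized reader must hold every tag's secret and recompute candidate IDs for each tag over a counter window, and a tag whose counter has moved past that window is no longer recognized. The tag secrets are constructed values.

```python
"""Dynamic IDs and what they cost the reader (constructed example).

Tag side: answer = HMAC(secret, counter), counter advances after each query.
Reader side: try every known secret over a counter window until one matches.
"""
import hashlib
import hmac

COUNTER_BYTES = 4
ID_BYTES = 8

# Constructed per-tag secrets; in a deployment these would be shared with
# every authorized reader (the "every reader has to know the secret" problem).
TAG_SECRETS = {
    "helen-hat": bytes.fromhex("0f" * 16),
    "suzie-sweater": bytes.fromhex("1e" * 16),
    "other": bytes.fromhex("2d" * 16),
}


def dynamic_id(secret, counter):
    """The ID a tag emits for a given counter value (keyed hash, truncated)."""
    msg = counter.to_bytes(COUNTER_BYTES, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:ID_BYTES].hex()


class DynamicIdTag:
    """Tag that never repeats an ID: one fresh keyed-hash output per query."""
    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def respond(self):
        out = dynamic_id(self.secret, self.counter)
        self.counter += 1
        return out


class StaticIdTag:
    """Conventional tag: the same constant ID every time (a pseudonym)."""
    def __init__(self, fixed_id):
        self.fixed_id = fixed_id

    def respond(self):
        return self.fixed_id


def identify(response, tag_secrets, window=64):
    """Authorized reader. Recomputes candidate IDs for every known tag over a
    counter window and compares in constant time. Returns (tag name, counter,
    hashes tried) or None; the work grows with tags x window, and a tag whose
    counter has run past the window is lost to the reader."""
    tried = 0
    for name, secret in tag_secrets.items():
        for ctr in range(window):
            tried += 1
            if hmac.compare_digest(dynamic_id(secret, ctr), response):
                return name, ctr, tried
    return None


def linkable(responses):
    """Unauthorized reader: without keys it can only compare raw values, so
    two sightings link only if the tag repeated an ID."""
    return len(set(responses)) < len(responses)


if __name__ == "__main__":
    tag = DynamicIdTag(TAG_SECRETS["helen-hat"])
    answers = [tag.respond() for _ in range(3)]
    print("three answers from one tag:", answers)
    print("linkable without the key:", linkable(answers))
    print("authorized reader sees:", identify(answers[2], TAG_SECRETS))
    print("after 200 unseen queries:",
          identify(dynamic_id(TAG_SECRETS["helen-hat"], 200), TAG_SECRETS))
```

With three tags and a window of 64 the reader does up to 192 HMACs per sighting; with a city's worth of transit cards the same loop is the scaling problem the slide refers to, and the `None` returned for a counter outside the window is the resynchronization problem that comes with it.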