Privacy and RFID
Irreconcilable Differences?

Marc Langheinrich
Institute for Pervasive Computing
ETH Zurich, Switzerland

T-Labs Usability Colloquium, June 25, 2007

C.A.S.P.I.A.N.
Consumers against supermarket privacy invasions and numbering

Dr. Katherine Albrecht, C.A.S.P.I.A.N. Founder

„The risk [RFID] poses to humanity is on a par with nuclear weapons.“
Katherine Albrecht, as quoted in Larry Downes: “Don't fear new bar codes”, USA Today, Sep. 25, 2003. www.interesting-people.org/archives/interesting-people/200309/msg00257.html



Public Concern (as seen on TV)


Public Concern (as measured by Google)


Original numbers by Ravi Pappu, RFID Privacy Workshop @ MIT: November 15, 2003


Public Concern (as seen by AmI-Experts)

Optimists: “All you need is really good firewalls.”
Self-Regulation: “It's maybe about letting them find their own ways of cheating, you know…”
Not my Problem: “For [my colleague] it is more appropriate to think about privacy issues. It’s not really the case in my case.”
Hindrance: “Somehow [privacy] also destroys this, you know, sort of, like, creativity...”
Pessimists: “I think you can't think of privacy when you are trying out... it's impossible, because if I do it, I have troubles with finding [a] Ubicomp future”

Marc Langheinrich: The DC-Privacy Troubadour – Assessing Privacy Implications of DC-Projects. DC Tales Conference, Santorin, 06/2003.

Public Concern (as measured by )

~1.5% of Europeans are concerned!
~9% of Europeans like RFID!

90% of Europeans don’t care!


Capgemini: RFID and Consumers – what European Consumers Think About Radio Frequency Identification and the Implications for Business. Survey, February 2005. Available from: www.capgemini.com/news/2005/Capgemini_European_RFID_report.pdf.


RFID mini-primer

(for the 82% of Europeans who haven’t heard)


~ 20 bytes (more for 2D-codes)
Class of products
Visual line of sight necessary
Needs reader-tag alignment
Low reading speed
Max ~ 50 cm
Read
Sensitive to dirt
Low cost
Fraud relatively easy: copying and changing possible

> 100 bytes
Individual items
May be covered
Largely position independent
High speed
Max ~ 2 m
Read / write
Sensitive to metal/water/…
Higher cost
Fraud more difficult (costly): optional security circuitry


RFID Tag Form Factors I

Smart Labels

Hitachi Coil-on-Chip

EAS Transponder

Contactless RFID Cards


RFID Operating Principle

[Figure: block diagram. Labels: host/application; RFID "Reader" (Controller, RF-Module, coupling unit); commands; data; RFID Tag/Transponder (coupling unit, Analogue Circuitry, Digital Circuitry, Memory: EEPROM, ROM, RAM)]


Privacy mini-primer


What is Privacy?

„The right to be let alone.“
Louis Brandeis, 1890 (Harvard Law Review)
[Photo: Louis D. Brandeis, 1856 - 1941]

„The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others.“
Alan Westin („Privacy And Freedom“, 1967), Prof. Emeritus, Columbia University
[Photo: Alan Westin]


Why Privacy?

Reasons for Privacy
  Free from Nuisance
  Intimacy
  Free to Decide for Oneself

By Another Name...
  Data Protection
  Informational Self-Determination

Privacy isn‘t just about keeping secrets – data exchange and transparency are key issues!

Privacy Violations?

Violations Due to Crossings of “Privacy” Borders (Prof. Emeritus Gary T. Marx, MIT)
  Natural Borders
  Social Borders
  Spatial/Temporal Borders
  Ephemeral Borders

RFID-technology makes some of those borders easier to cross


Privacy Implications of Smart Environments

Data Collection
  Scale (everywhere, anytime)
  Manner (inconspicuous, invisible)
  Motivation (unspecified, e.g., context)

Data Types
  Observational instead of factual data

Data Access
  “The Internet of Things”

So what difference will RFID make?


Societal Drivers for RFID Acceptance – Collection and Use

Higher Efficiency (Cheaper Stuff!)
  Rebates! (loyalty cards)
  Targeted Sales (1-1 marketing)

More Convenience
  Getting information (allergy warnings, meat sources)
  Simplified handling (return, repairs, access)

Increased Safety
  Crime prevention (ticketing, counterfeiting, CCTV, …)
  Homeland security (terrorism, child molesters, …)

Example: Loyalty Cards

Emnid Survey Germany (03/2002)
  50% have at least one loyalty card
  72% welcome such offers

70 Million Cards in Circulation (DE, 12/03)
  Average rebate: 1.0-0.5%
  15% of consumers estimate rebate being 5-10%

Minding the Fine Print?
  Explicit signature allows detailed data mining
  Consequences?


Consumer Loyalty Cards – The Dark Side

The Story of Robert Riveras (1998)
  Slipped on spilled yoghurt and hurt kneecap. Sued.
  Consumer card showed high volume liquor purchases
  Settled out of court

Or: Divorce Case
  Liking of expensive wines increased alimony payments

Consumer Loyalty Cards – Legal Implications

Arson Near Youth House Niederwangen (Berne)
  At scene of crime: Migros-tools
  Court ordered disclosure of all 133 consumers who bought items on their supermarket card (8/2004)
  Arsonist not yet found (06/2007)

Who Would Think About This When Buying a Screwdriver?!


Aren’t there laws against this stuff?


Privacy Laws and Regulations

Two Main Approaches
  Sectorial (“Don’t Fix if it Ain’t Broken”)
  Omnibus (Precautionary Principle)

US: Sector-specific Laws, Minimal Protections
  Strong Federal Laws for Government
  Self-Regulation, Case-by-Case for Industry

Europe: Omnibus, Strong Privacy Laws
  Law Applies to Both Government & Industry
  Privacy Commissions in Each Country as Watchdog


US Public Sector Privacy Laws (Federal)

Federal Communications Act, 1934, 1997 (Wireless)
Omnibus Crime Control and Safe Street Act, 1968
Bank Secrecy Act, 1970
Privacy Act, 1974
Right to Financial Privacy Act, 1978
Privacy Protection Act, 1980
Computer Security Act, 1987
Family Educational Right to Privacy Act, 1993
Electronic Communications Privacy Act, 1994
Freedom of Information Act, 1966, 1991, 1996
Driver’s Privacy Protection Act, 1994, 2000

US Private Sector Laws (Federal)

Fair Credit Reporting Act, 1971, 1997
Cable TV Privacy Act, 1984
Video Privacy Protection Act, 1988
Health Insurance Portability and Accountability Act, 1996
Children‘s Online Privacy Protection Act, 1998
Gramm-Leach-Bliley-Act (Financial Institutions), 1999


EU Data Directive

1995 Data Protection Directive 95/46/EC
  Sets a Benchmark For National Law For Processing Personal Information In Electronic And Manual Files
  Facilitates Data-flow Between Member States And Restricts Export Of Personal Data To „Unsafe“ Non-EU Countries
  Applies to both Public and Private Sector

Data collection illegal, unless consented or authorized
  Follows OECD Fair Information Principles (1980)

Fair Information Principles (FIP)

Drawn Up By the OECD, 1980
  “Organisation for economic cooperation and development”
  Voluntary guidelines for member states
  Goal: ease transborder flow of goods (and information)

Six Principles (simplified)
  1. Openness
  2. Data access and control
  3. Data security
  4. Collection Limitation
  5. Data subject’s consent
  6. Use Limitation

Core Principles of Most Modern Privacy Laws
  Implication: RFID usage must conform to FIP


Let’s just build secure RFID-Systems

“All you need is really good firewalls.”


Secure From What?

Unauthorized Readouts
  Identification: „what?“; „who?“
  Tracking: „where?“ (might imply „who?“)


Identification and Tracking – Implications

Embarrassing Stuff
  Wearing a Wig? Underwear? Medicine?

Criminal Stuff
  Theft, fraud, murder/terror

[Figure: “RFID-Man”, with the tag contents of the items he carries:
  Passport: Name: John Doe, Nationality: USA, Visa for: Israel
  Wig: Model #2342, Material: Polyester
  Tiger Tanga: Manufacturer: Woolworth, Washed: 736
  Wallet: Contents: 370 Euro, Disability Card: #2845
  Viagra: Manufacturer: Pfizer, Extra Large Package
Original “RFID-Man” Artwork (c) 2006 Ari Juels, RSA Laboratories]


Identification and Tracking – Implications

Embarrassing Stuff
  Wearing a Wig? Underwear? Medicine?

Criminal Stuff
  Theft, fraud, murder/terror

Indirect Control
  Subtle influence with detailed profiles

Direct Control
  “Technology paternalism”, government control

Spiekermann, Pallas: Technology Paternalism – Wider Implications of Ubiquitous Computing. Poiesis and Praxis: International Journal of Technology Assessment and Ethics of Science. Springer-Verlag (Jan 2006), 1–13


Secure From What?

Unauthorized Readouts
  Identification („what?“, „who?“)
  Tracking („where?“; might imply „who?“)

Eavesdropping Reader-Tag Communication
  Instead of attempting unauthorized readouts…

Unauthorized Duplication/Generation
  Counterfeiting authentic identifiers


Preventing RFID Cloning

Example: E-Passport (Nov 2005)
  Digitally sign data on RFID-chip
  Prevents changing data or creating new chips
  Does NOT prevent duplicating the chip!

Example: Contactless Smart Card
  Use challenge-response protocol w/ random number to verify that card knows a secret
  Sophisticated power analysis may be able to infer hidden secret (Alternative: PUFs)
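
Added example (not from the original slides): a small Python model of the two cases above. A duplicate that copies everything readable from a chip passes any check of static, even signed, data, but fails a challenge-response with a fresh random number. HMAC-SHA256 as the response function and the names Card, Clone and Reader are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets


class Card:
    """Genuine card (hypothetical model): the key never leaves the chip."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key

    def read_data(self) -> bytes:
        # Static data, readable by any reader (it may carry a signature).
        return self.card_id

    def respond(self, challenge: bytes) -> bytes:
        # Proves knowledge of the key without revealing it.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Clone:
    """Duplicate built only from observed traffic: the static data plus
    previously recorded (challenge, response) pairs. It holds no key."""

    def __init__(self, card_id: bytes, recorded: dict):
        self.card_id = card_id
        self._recorded = dict(recorded)

    def read_data(self) -> bytes:
        return self.card_id

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded.get(challenge, bytes(32))


class Reader:
    def __init__(self, key_db: dict):
        self._key_db = key_db  # card_id -> shared key (constructed backend)

    def accept_static(self, card) -> bool:
        # Stands in for "the data on the chip is authentic"; this holds
        # for any bit-for-bit copy as well.
        return card.read_data() in self._key_db

    def accept_challenge_response(self, card, challenge=None) -> bool:
        key = self._key_db.get(card.read_data())
        if key is None:
            return False
        if challenge is None:
            challenge = secrets.token_bytes(16)  # fresh for every attempt
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, card.respond(challenge))


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    card = Card(b"CARD-0001", key)               # constructed sample ID
    reader = Reader({b"CARD-0001": key})
    old = bytes(16)                              # a challenge used earlier
    clone = Clone(card.read_data(), {old: card.respond(old)})
    print("static check, clone:     ", reader.accept_static(clone))
    print("fresh challenge, genuine:", reader.accept_challenge_response(card))
    print("fresh challenge, clone:  ", reader.accept_challenge_response(clone))
    print("reused challenge, clone: ", reader.accept_challenge_response(clone, old))
```

The last line of the demo shows why the random number matters: a reader that repeats a challenge accepts a recorded response.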


Preventing Eavesdropping

Problem: Long Range of Reader Field
  High-power field transmits reader commands over many meters, which may contain tag IDs
  Solution: XOR reader commands w/ random number sent from tag
  Alternative: Reader commands use temporary IDs

Better: Encrypt Channel
  E-Passport uses key from machine-readable zone (MRZ) to encrypt traffic
  Requires manual handling (opening)
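
Added example (not from the original slides): a Python simulation of the XOR masking described above, showing what a listener sees on each channel over repeated sessions. The function names, the 12-byte sample ID and the split into a "forward" (reader to tag) and "backward" (tag to reader) channel are assumptions made for this illustration.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def session(tag_id: bytes, masked: bool) -> dict:
    """One reader command that addresses a tag by ID.

    backward: tag -> reader, weak signal, readable only close to the tag
    forward:  reader -> tag, high-power field, readable many meters away
    """
    if not masked:
        return {"backward": b"", "forward": tag_id}
    r = secrets.token_bytes(len(tag_id))     # fresh random number from the tag
    return {"backward": r, "forward": xor(tag_id, r)}


def tag_decodes(msg: dict) -> bytes:
    """The tag knows its own random number and removes the mask."""
    if not msg["backward"]:
        return msg["forward"]
    return xor(msg["forward"], msg["backward"])


def distant_listener(sessions: list) -> set:
    """Hears only the forward channel; returns the distinct values seen."""
    return {s["forward"] for s in sessions}


def nearby_listener(sessions: list) -> set:
    """Hears both channels, so the mask gives no protection at this range."""
    return {tag_decodes(s) for s in sessions}


if __name__ == "__main__":
    tag_id = bytes.fromhex("3000aabbccddeeff00112233")   # constructed 96-bit ID
    plain = [session(tag_id, masked=False) for _ in range(20)]
    masked = [session(tag_id, masked=True) for _ in range(20)]
    print("distant, unmasked:", len(distant_listener(plain)), "distinct value(s)")
    print("distant, masked:  ", len(distant_listener(masked)), "distinct value(s)")
    print("nearby, masked:   ", len(nearby_listener(masked)), "distinct value(s)")
```

A single repeated value is a stable identifier for tracking; the masked forward channel yields a new value each session, while a listener within range of the tag's reply still recovers the ID, which is the gap channel encryption closes.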


Preventing Unauthorized Readouts

How do You Prove That You Are Authorized?
  Something you know (i.e., a password)
  Something you have (i.e., an access token)
  Something you are (i.e., biometrics)
  Something you do (also biometric, e.g., personal habits)
  Where you are (e.g., your current location)

Which one of these works for RFID?
  Passwords? Tokens?


Using Passwords to Secure RFID Access

General Principle: Lock/Unlock ID With Password
  Tag only replies if correct password/secret is sent

Requires RFID-Owner to Know Secret
  Password must be transferred at checkout (where to?)

Requires Owner to Know Which Secret to Use
  Chicken And Egg Problem: If you don‘t know what tag it is, how do you know what password to use?


Kill Command

„Dead Tags Tell No Tales“
  Permanently deactivate tag at checkout

Hard Kill
  Cut tag antenna or „fry“ circuit

Soft Kill
  Needs password to prevent unauthorized killing

[Photo: Metro RFID De-Activator]

Both Approaches Require Consumer Action
  Also voids any post-sales benefits (returns, services, …)


Deactivation and Password Management…

Does Your Solution Work Here?

Alternative: Shamir Tags
An Example for Zero-Management Privacy Protection

Unknown Tags Take Long Time To Read Out
  Bitwise release, short range (e.g., one random bit/sec)
  Intermediate results meaningless, since encrypted
  Decryption requires all bits being read
  Complicates Tracking & Unauthorized Identification

Known Tags Can be Directly Identified
  Initial partial release of bits enough for instant identification from a limited set of known tags
  Allows owner to use tags without apparent restrictions


Secret Shares (Shamir 1979)


[Figure: construction of a Shamir Tag and bit disclosure over time]
  Secret s: 96-bit EPC-Code
  Shares hi: three 106-bit Shamir Shares, each a 10-bit x-value and a 96-bit y-value
  Shamir Tag: 318-bit Shamir Tag
  Initial Reply: 16-bit Reply
  Bit Disclosure Over Time: +1 bit per step
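
Added example (not from the original slides, and not the authors' implementation): a Python sketch of a Shamir Tag with the sizes shown above, covering both the slow full read-out and the owner's instant match from the initial 16-bit reply. The prime field 2^96 - 17, the reply format of (position, bit) pairs and all function names are assumptions made for this illustration.

```python
import random
import secrets

# Sizes from the slide: 10-bit x-value + 96-bit y-value = 106-bit share,
# three shares = 318-bit Shamir Tag.
X_BITS, Y_BITS, SHARES = 10, 96, 3
SHARE_BITS = X_BITS + Y_BITS
TAG_BITS = SHARES * SHARE_BITS
P = 2**96 - 17  # assumed field: a prime just below 2^96, so y fits in 96 bits


def make_shamir_tag(epc: int) -> int:
    """Split the EPC into 3 shares (all 3 are needed) and concatenate them."""
    if not 0 <= epc < P:
        raise ValueError("EPC must be smaller than the field prime")
    # Random polynomial of degree 2 whose constant term is the secret.
    coeffs = [epc] + [secrets.randbelow(P) for _ in range(SHARES - 1)]
    xs = random.SystemRandom().sample(range(1, 2**X_BITS), SHARES)
    tag = 0
    for x in xs:
        y = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
        tag = (tag << SHARE_BITS) | (x << Y_BITS) | y
    return tag


def recover_epc(tag: int) -> int:
    """Lagrange interpolation at x = 0; only works on the complete tag."""
    shares = []
    for i in range(SHARES):
        chunk = (tag >> (i * SHARE_BITS)) & ((1 << SHARE_BITS) - 1)
        shares.append((chunk >> Y_BITS, chunk & ((1 << Y_BITS) - 1)))
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret


def disclose(tag: int, n_bits: int, rng) -> list:
    """Tag reply: n_bits randomly chosen (position, bit) pairs of the tag."""
    positions = rng.sample(range(TAG_BITS), n_bits)
    return [(pos, (tag >> pos) & 1) for pos in positions]


def identify(reply: list, known_tags: list) -> list:
    """Owner side: indices of known tags consistent with the disclosed bits."""
    return [i for i, t in enumerate(known_tags)
            if all(((t >> pos) & 1) == bit for pos, bit in reply)]


if __name__ == "__main__":
    rng = random.SystemRandom()
    # Five constructed EPCs standing in for the owner's items.
    owned = [make_shamir_tag(secrets.randbits(90)) for _ in range(5)]
    reply = disclose(owned[3], 16, rng)          # initial 16-bit reply
    print("owner matches item(s):", identify(reply, owned))
    print("full read-out recovers EPC:", hex(recover_epc(owned[3])))
```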


More Privacy Through Less Security?

Shamir Tags Require No Consumer Effort
  Delay upon first use, but no passwords to manage!
  Not useful for „important“ items (passports, e-money)
  Does not alleviate user concerns (tags remain active)

Building Block for Comprehensive Solution
  Strong crypto for passports, drug-authenticity, …
  Clipping/killing for concerned consumers
  Unconcerned consumers get basic protection „for free“


(Well, RFID won’t get accepted otherwise…)


Societal Drivers for RFID Acceptance – Collection and Use

Higher Efficiency (Cheaper Stuff!)
  Rebates! (Loyalty Cards)
  Targeted Sales (1-1 Marketing)
  70 Million Cards! 72% Like it!

More Convenience
  Getting shopping advice (e.g., allergies)
  Simplified handling (return, repairs, access)
  Automated Toll-Roads! Skipasses! Remote Car-Keys!

Increased Safety
  Crime prevention (Ticketing, counterfeiting, CCTV, …)
  Homeland security (terrorism, child molesters, …)
  Survey DE (05/06): 80+% like more CCTV surveillance
  Survey US (08/04): 70+% accept air travel surveillance


Summary

Privacy Is Not (Simply) Security
  It‘s about transparency and control

RFID Security Only Partial Answer
  Password management cumbersome, impractical

RFID Privacy Requires Novel Approaches
  How to minimize burden to consumers?
  How to maximize „out-of-the-box“ protection?

Who Is to Design & Build RFID-Privacy Systems?
  People are already increasingly relying on RFID…


Related Work on RFID Privacy at ETH Zurich
see www.vs.inf.ethz.ch/publ/

M. Langheinrich: RFID and Privacy. In: Milan Petkovic, Willem Jonker (Eds.): Security, Privacy, and Trust in Modern Data Management. Springer, July 2007.
M. Langheinrich, R. Marti: Practical Minimalist Cryptography for RFID Privacy. Submitted for publication, 2007.
Ch. Floerkemeier, R. Schneider, M. Langheinrich: Scanning with a Purpose – Supporting the Fair Information Principles in RFID protocols. In: Proceedings of UCS 2004. LNCS Vol. 3598, Springer, 2005.


Privacy Reads

David Brin: The Transparent Society. Perseus Publishing, 1999
Lawrence Lessig: Code and Other Laws of Cyberspace. Basic Books, 2000
Daniel Solove and Marc Rotenberg: Information Privacy Law. Aspen Publ. 2003

Novel services and applications in an Internet of Things (IOT)
Emerging IOT business models and process changes
Communication systems and network architectures for IOT
Technologies and concepts for embedding sensing, actuation, communication, and computation into networked things
Experience reports from the introduction and operation of networked things in areas such as healthcare, logistics & transport
Security/privacy aspects of IOT infrastructures & applications


September 15, 2007
  Deadline for Technical Paper submissions

October 20, 2007
  Deadline for Workshop Proposals

March 26-28, 2007
  www.internet-of-things-2008.org