[WSIS CS-Plenary] comments - article on RFIDs at the Summit

Adam Peake ajp at glocom.ac.jp
Mon Jan 5 12:38:48 GMT 2004


Story below from the Washington Times about the identity badges we 
were required to use during the Summit. I've annotated with 
comment/additional information in {italics} (if your email only takes 
plain text, just look for the curly brackets).  Thanks to Alberto for 
checking my notes.

Security is of course important, but so are the concerns this issue raises.

And a very Happy new year to all!

Thanks,

Adam



Summit group confirms use of ID chip
By Audrey Hudson and Betsy Pisik
THE WASHINGTON TIMES
Published December 18, 2003
<http://www.washingtontimes.com/functions/print.php?StoryID=20031217-115051-5373r>

Organizers of the World Summit on the Information Society yesterday 
confirmed that badges worn by high-level attendees were affixed with 
identification chips some say were unknown to the forum's 
participants.

{That RFIDs were used was not disclosed publicly before the Summit 
began, or to my knowledge, announced during the Summit.}

However, a spokesman for the International Telecommunication Union 
(ITU), which was the host of the three-day event in Geneva last week, 
scoffed at concerns by privacy advocates that the technology could 
monitor an individual's movement or that the data it collects could 
be misused.

{The RFID was in the name badge, and associated with a database that 
contained all the information about the badge owner that the person 
submitted during pre-registration. That information was a minimum of 
name, position, affiliation, email address, nationality and date of 
birth. Much more information was requested as optional, from passport 
number and place of issue, to arrival and departure dates, hotel, and 
so on. The potential then is to associate this information with other 
data: for example the Summit secretariat helped with visa 
applications and applications for fellowships which contain far more 
detail -- note *potential*, not saying it actually happened. When the 
badge was used at a check-point this pre-registered information along 
with a corresponding picture was displayed on the operator's screen. 
Of course there were (are?) opportunities for misuse.}

Three European researchers who discovered the chips in their badges, 
first reported by The Washington Times on Sunday, said participants 
were not told about the chips.

{Correct, Summit participants were not told.}

ITU spokesman Gary Fowlie confirmed during an interview from Geneva 
that radio frequency identification chips (RFIDs) were embedded in 
the passes and that data readers were in place to record information 
transmitted by the chip.

Mr. Fowlie disputed that RFIDs have long-range tracking capability, 
and called The Times story "really off base."

"Transmission distance is 1 to 2 centimeters. You have to put your 
badge right up to the screen," he said.

{This comment seems to have the technology back to front. A card was 
analyzed in another country and was found to have a range of 70 cm to 
1 meter. As analysis was made only on a limited number of cards, 
we can't be sure that all chips had the same properties: the ITU 
spokesperson may be correct; however, it seems unlikely. The card 
reader at the checkpoint may have required the badge to be pressed 
close against it, but the chip itself was much stronger, i.e. it had the 
potential to be read by sensors not obvious to those passing by. *I 
am not saying that such sensors existed* but that they could is the 
point.}

But U.S. and European privacy advocates and critics of RFID 
technology said the story was on target, and that the use of the 
chips at the summit has caused an uproar in the United States and 
Europe.

"It sent off a shot heard round the world," said Katherine Albrecht, 
director of Consumers Against Supermarket Privacy Invasion and 
Numbering (CASPIAN), a leading opponent of RFID technology.

"We're rolling in e-mails on this thing. It's confirmation this is 
real, it is here, and it's being abused already."

Last week's summit, which was partly organized by the United Nations, 
focused on Internet governance and access, security, 
intellectual-property rights and privacy. The badges were worn by 
more than 50 prime ministers, presidents and other high-level 
officials from 174 countries, including a representative from the 
United States, John Marburger, head of the White House Office of 
Science and Technology Policy.

In a lengthy statement to The Times yesterday, summit officials said 
participants were notified some personal information would appear on 
the Internet, but declined to say whether participants were told of 
the embedded technology.

{We were asked during registration if we would like our email 
addresses to be included in the publicly available list of 
participants. It had been usual for WSIS preparatory meetings 
(PrepComs), etc., for participants to be listed both on paper and 
online: name, position and affiliation, with email optional. No 
mention was made of "embedded technology".}

The passes were intended "to facilitate identification by security at 
entry checkpoints," and participants had to swipe the badges across 
the readers to gain access to the summit and meeting rooms, the 
statement said.

{This is correct and the system worked quite well. Although at least 
one person did obtain a govt. card after forging some credentials.}

"Readers were quite prominently displayed and were only placed at 
entry checkpoints," WSIS spokeswoman Francine Lambert said. "The data 
stored on our servers do not and cannot monitor movement."

{Of course the data collected could monitor movement. There was a 
chronological log of when a badge-holder passed through a checkpoint. 
These records would show that I went into the hall a number of times 
each day (there was no apparent monitoring on the way out). And the 
database could also potentially (and easily) be searched to see who 
went in at the same time as me. Me plus Joe one time: so what. Me 
plus Joe seven times and someone might wonder if they see a pattern?}

U.S. companies use RFID chips to track inventory from the factory to 
stores. Manufacturers also are testing a system that tracks products 
leaving the shelves and alerts employees to restock.

EZ Pass, used at toll booths, uses RFID technology. Authorities 
investigating the murder of federal prosecutor Jonathan P. Luna 
learned that he had made repeated trips to Philadelphia during the 
past six months by tracking electronic data gathered at toll booths 
in Pennsylvania and Delaware.

The Defense Department is requiring its top 100 suppliers to 
implement RFID technology by 2005 to track inventory. The remainder 
of its 43,000 suppliers must ship items RFID-ready by 2006.

But privacy advocates say the technology Mr. Fowlie described in use 
at the summit can be used on humans.

"It's going to be used to track us," said Barry Steinhardt, director 
of the technology and liberty program for the American Civil 
Liberties Union in New York.

The ACLU said it has received complaints from Europeans concerned 
about how data collected at the summit will be used at the 2005 
summit, where Tunisia plays host.

"There is a lot of concern this data will be transferred to Tunisia 
and used to punish citizens or residents, or to keep tabs on the 
participants who are coming there, perhaps deny entry," Mr. 
Steinhardt said. "There is a lot of concern that this data will be 
transferred to a less-than-democratic nation."

{This concern was expressed strongly in Geneva. Many are opposed to 
holding a Summit on information society in a country that does not 
respect universal human rights. The problem is not so much in the 
actual data gathered in Geneva, all that happened in Geneva was 
probably harmless. The concern is that data gathered for one 
reasonable purpose could be passed to a regime that might use it in 
ways that could be harmful. e.g. While Geneva may never think to 
track who I stood in line with, another government might be 
interested to identify who associated with a participant they know to 
be hostile to their regime. That "hostile" person might not go to the 
Tunis Summit --for example-- but their previously anonymous 
associates might.}

Ms. Lambert said the data was stored for one day on the readers and 
erased, but did not say how long data was stored on the database or 
if it was ever erased.

{Hard to tell if all the data collected is still in the ITU database. 
I can access the first level of information for people that were in 
GLOCOM's delegation. I cannot make changes. But this is the same 
information that would be in the conference participants list that 
has usually been available. Perhaps the more detailed information has 
already been deleted?}

"The actual data submitted by participants was stored on ITU-secured 
servers that were not accessible by any other party than the [ITU, 
United Nations, and WSIS executive secretariat], and the data has 
not been communicated to any other party," she said.

The personal data was obtained from visa applications.

"This has tremendous value for intelligence gathering," said Alberto 
Escudero-Pascual, a researcher in computer security and privacy at 
the Royal Institute of Technology in Stockholm.

The chips were discovered by Mr. Escudero-Pascual, Stephane Koch, 
president of Internet Society Geneva, and George Danezis, a 
researcher of privacy-enhancing technologies and computer security at 
Cambridge University.

{Alberto Escudero-Pascual arrived at the Summit a couple of days 
early, had his picture taken while registering and as the operator's 
screen was turned slightly towards him, was able to see his personal 
information flash on the screen as the photo was taken. He realized 
the photo was going to be used to identify him in security checks in 
the halls --of course, it's a high level, head of state Summit, 
strong security is all fine and good. If it is sensibly applied. But 
Alberto wonders how it would work? And so the story of the RFID chip 
and data gathering begins to emerge.}

When the card containing an RFID chip is swiped onto the reader, the 
location information is sent via the chip's antenna to a database 
that contains information on the subject.

Mr. Escudero-Pascual said he witnessed the data collected by the 
summit when his information flashed on a computer screen at an entry 
point. The information included a picture of the participant, name, 
occupation, organization, a time stamp of all main entry points and 
each time the participant passed a line into a room.

The data is stored in chronological order, allowing readers to 
determine when, where and which participants are walking into the 
room.

"They might want to know, 'Who has Alberto been queuing with for the 
last few days?' and they can basically see who Alberto is working 
with or talking to by who he enters with," Mr. Escudero-Pascual said.

"This is not a conspiracy theory. We use these systems in our daily 
lives to open garages, but people are not aware" of other ways the 
technology can be used, he said.

RFID chips are embedded in many "smart card" systems used for access 
to military bases, airports, gated communities, hospitals, state 
parks and country clubs. RFID chips also can alert government 
agencies to a host of law-breaking activities, such as expired 
insurance policies or license plates.

But tagging participants in a political summit raises privacy and 
security issues, and privacy advocates think the summit's organizers 
might have broken laws by not disclosing the chips' presence.

At least one of the researchers said it violates the Swiss Federal 
Law on Data Protection of June 1992.

{Yes, opinion seems to be that it violates Swiss law, and would 
normally be illegal in Geneva. Except the UN is in some cases exempt 
from data protection laws. So while on Swiss soil but under the 
auspices of the UN, it's likely that no violation occurred. However, 
some UN data protection guidelines were ignored 
<http://www.unhchr.ch/html/menu3/b/71.htm> Wonder if the ITU database 
is also protected? ITU has an unusual status in the UN System. 
Alberto Escudero-Pascual has contacted most EU member states' Data 
Protection Agencies and is seeking support from any individuals and 
organizations in order to get a statement from ITU and the Swiss 
Delegation in WSIS concerning the data collection practices and the 
system in Tunisia.}

"They may be exempt from those laws, but they certainly violated the 
spirit of the law by collecting highly personal information without 
their knowledge or consent," Mr. Steinhardt said.

END
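
[Added example, not part of the original message or the article.] The 
point made above about the chronological checkpoint log ("Me plus Joe 
one time: so what. Me plus Joe seven times...") can be checked against a 
log like the one described. The log entries, names, the 30-second window 
and the helper functions below are all constructed for illustration; the 
one-day retention figure is the one quoted for the readers.

```python
from collections import Counter
from datetime import datetime, timedelta
from itertools import combinations

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log (timestamp, checkpoint, badge holder). Not real data.
LOG = [
    ("2003-12-10 09:00:05", "hall-A", "adam"),
    ("2003-12-10 09:00:20", "hall-A", "joe"),
    ("2003-12-10 09:03:00", "hall-A", "maria"),
    ("2003-12-10 14:10:00", "room-2", "adam"),
    ("2003-12-10 14:10:25", "room-2", "joe"),
    ("2003-12-11 09:01:00", "hall-A", "joe"),
    ("2003-12-11 09:01:10", "hall-A", "adam"),
    ("2003-12-11 09:01:35", "hall-A", "maria"),
    ("2003-12-12 10:30:00", "hall-A", "adam"),
    ("2003-12-12 10:30:15", "hall-A", "joe"),
]

def co_entries(log, window_s=30):
    """Per pair of badge holders, count entries through the same
    checkpoint within window_s seconds of each other."""
    events = sorted((datetime.strptime(ts, FMT), cp, who) for ts, cp, who in log)
    counts = Counter()
    for (t1, cp1, a), (t2, cp2, b) in combinations(events, 2):
        if cp1 == cp2 and a != b and (t2 - t1).total_seconds() <= window_s:
            counts[tuple(sorted((a, b)))] += 1
    return counts

def repeated(counts, min_count=3):
    """Pairs seen together often enough to look like a pattern."""
    return sorted(pair for pair, n in counts.items() if n >= min_count)

def retained(log, now, keep=timedelta(days=1)):
    """Records left if everything older than `keep` has been erased."""
    return [r for r in log if now - datetime.strptime(r[0], FMT) <= keep]

if __name__ == "__main__":
    print("full log:", dict(co_entries(LOG)), "repeated:", repeated(co_entries(LOG)))
    kept = retained(LOG, datetime(2003, 12, 12, 12, 0, 0))
    print("one-day retention:", dict(co_entries(kept)))
```

With the full log kept, one pair stands out as a repeated pattern; with 
only one day retained, the same query shows a single co-entry.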

