[WSIS CS-Plenary] WSIS etc.

[Fullsack Jean-Louis]

Hi Wolfgang and all
Just a "bemol" to these news which sound rather well, at least for Wolfgang.
I'm not so enthousiastic upon them
a) because the french version (and probably the spanish too) of CS
Declaration is very bad ;
b) because "handed out to the President" doesn't guarantee that it is a main
official document of the Summit (as are the Declaration of principles and
the Action Plan) and this was fundamental in Bill's address to the Plenary.
c) I happened to meet the President of PrepCom in the Hall and he did the
same statement to me as Mrs Dufborg did. However, the CS had no appropriate
space to meet regularly during the Summit. Just remember the Signal-to-noise
ratio on "our floor" at Palexpo.

However, let's hope that the second phase of the Summit will be more and
really "CS inclusive". That's my wish for the new year.

Jean-Louis Fullsack
CSDPTT

----- Original Message -----
From: <wolfgang at imv.au.dk>
To: "Adam Peake" <ajp at glocom.ac.jp>; <plenary at wsis-cs.org>; <aep at it.kth.se>
Sent: Monday, January 05, 2004 2:06 PM
Subject: [WSIS CS-Plenary] WSIS etc.


> Happy New Yeaer to All
>
> Here are some good news:
>
> 1. The ITU has taken the Civil Society Declaration to the front page of
its official WSIS website and to the list of documents which you can
download (in three languages). It says: "Civil Society Declaration: handed
out to the President of the Summit at the last Plenary meeting on 12
December 2003". This sounds like Bill McIver appearence in the last Plenary
Session a remarkable step forward in the process of recognition of civil
society as an independent political factor.
> see: http://www.itu.int/wsis/
>
> 2. The Swedish Minister for Development, Mrs Astrid Dufborg, member of the
UN ICT Taks Force, has a nice compliment and encouragement for civil society
on the front page of the UN ICT TF Website:  "Extremely important point.
Many of us, belonging to government and who have been fighting for having
civil society along, have seen extremely good results of your efforts around
WSIS - all over the place I hear about the meetings, discussions etc. You
have done a great job. Keep on going! You have much more support than you
know!"
> see: http://www.unicttaskforce.org/wsis/rt3_wk.asp
>
> Best wishes
>
> wolfgang
>
>
>
> -- Original Nachricht--
> Von: Adam Peake <ajp at glocom.ac.jp>
> An: plenary at wsis-cs.org
> Senden: 01:36 PM
> Betreff: [WSIS CS-Plenary] comments - article on RFIDs at the Summit
>
>
>
> Story below from the Washington Times about the identity badges
> we were required to used during the Summit. I've annotated with
> comment/additional information in {italics} (if your email only
> takes plain text, just look for the curly brackets). Thanks to
> Alberto for checking my notes.
>
> Security of course important, but so are the concerns this issue
> raises.
>
> And a very Happy new year to all!
>
> Thanks,
>
> Adam
>
>
>
> Summit group confirms use of ID chip
> By Audrey Hudson and Betsy Pisik
> THE WASHINGTON TIMES
> Published December 18, 2003
>
<http://www.washingtontimes.com/functions/print.php?StoryID=20031217-115051-
5373r>
>
> Organizers of the World Summit on the Information Society
> yesterday confirmed that badges worn by high-level attendees were
> affixed with identification chips some say were unknown to the forum's
> participants.
>
> {That RFIDs were used was not disclosed publicly before the
> Summit began, or to my knowledge, announced during the
> Summit.}
>
> However, a spokesman for the International Telecommunication
> Union (ITU), which was the host of the three-day event in Geneva last
> week, scoffed at concerns by privacy advocates that the technology
> could monitor an individual's movement or that the data it collects
> could be misused.
>
> {The RFID was in the name badge, and associated with a
> database that contained all the information about the badge owner that
> the person submitted during pre-registration. That information was a
> minimum of name, position, affiliation, email address, nationality and
> date of birth. Much more information was requested as optional, from
> passport number and place of issue, to arrival and departure dates,
> hotel, and so on. Potential then is to associate this information with
> other data: for example the Summit secretariat helped with visa
> applications and applications for fellowships which contain far more
> detail -- note *potential*, not saying it actually happened. When the
> badge was used at a check-point this pre-registered information along
> with a corresponding picture was displayed on the operators screen. Of
> course there were (are?) opportunities for misuse.}
>
> Three European researchers who discovered the chips in their
> badges, first reported by The Washington Times on Sunday, said
> participants were not told about the chips.
>
> {Correct, Summit participants were not told.}
>
> ITU spokesman Gary Fowlie confirmed during an interview from Geneva
> that radio frequency identification chips (RFIDs) were embedded in the
> passes and that data readers were in place to record information
> transmitted by the chip.
>
> Mr. Fowlie disputed that RFIDs have long-range tracking capability,
> and called The Times story "really off base."
>
> "Transmission distance is 1 to 2 centimeters. You have to
> put your badge right up to the screen," he said.
>
> {This comment seems to have the technology back to front. A
> card was analyzed in another country and was found to have a range of
> 70 cm to 1 meter. As analysis was made only on a limited number of
> cards, so we can't be sure that all chips had the same properties: ITU
> spokesperson may be correct, however it seems unlikely. The card
> reader at the checkpoint may have required the badge to be pressed
> close against it, the chip itself was much stronger. i.e. it had the
> potential to be read by sensors not obvious to those passing by. *I am
> not saying that such sensors existed* but that they could is the
> point.}
>
> But U.S. and European privacy advocates and critics of RFID technology
> said the story was on target, and that the use of the chips at the
> summit has caused an uproar in the United States and Europe.
>
> "It sent off a shot heard round the world," said
> Katherine Albrecht, director of Consumers Against Supermarket Privacy
> Invasion and Numbering (CASPIAN), a leading opponent of RFID
> technology.
>
> "We're rolling in e-mails on this thing. It's confirmation this
> is real, it is here, and it's being abused already."
>
> Last week's summit, which was partly organized by the United Nations,
> focused on Internet governance and access, security,
> intellectual-property rights and privacy. The badges were worn by more
> than 50 prime ministers, presidents and other high-level officials
> from 174 countries, including a representative from the United States,
> John Marburger, head of the White House Office of Science and
> Technology Policy.
>
> In a lengthy statement to The Times yesterday, summit officials
> said participants were notified some personal information would appear
> on the Internet, but declined to say whether participants were told of
> the embedded technology.
>
> {We were asked during registration if we would like our email
> addresses to be included in the publicly available list of
> participants. It had been usual for WSIS preparatory meetings
> (PrepComs), etc., for participants to be listed both on paper and
> online: name, position and affiliation, with email optional. No
> mention was made of "embedded technology".}
>
> The passes were intended "to facilitate identification by
> security at entry checkpoints," and participants had to swipe the
> badges across the readers to gain access to the summit and meeting
> rooms, the statement said.
>
> {This is correct and the system worked quite well. Although at
> least one person did obtain a govt. card after forging some
> credentials.}
>
> "Readers were quite prominently displayed and were only
> placed at entry checkpoints," WSIS spokeswoman Francine Lambert
> said. "The data stored on our servers do not and cannot monitor
> movement."
>
> {Of course the data collected could monitor movement. There
> was a chronological log of when a badge-holder passed through a
> checkpoint. Theses records would show that I went into the hall a
> number of times each day (there was no apparent monitoring on the way
> out). And database could also potentially (and easily) be searched to
> see who went in at the same time as me. Me plus Joe one time: so what.
> Me plus Joe seven times and someone might wonder if they see a
> pattern?}
>
> U.S. companies use RFID chips to track inventory from the factory to
> stores. Manufactures also are testing a system that tracks products
> leaving the shelves and alerts employees to restock.
>
> EZ Pass, used at toll booths, uses RFID technology. Authorities
> investigating the murder of federal prosecutor Jonathan P. Luna
> learned that he had made repeated trips to Philadelphia during the
> past six months by tracking electronic data gathered at toll booths in
> Pennsylvania and Delaware.
>
> The Defense Department is requiring its top 100 suppliers to implement
> RFID technology by 2005 to track inventory. The remainder of its
> 43,000 suppliers must ship items RFID-ready by 2006.
>
> But privacy advocates say the technology Mr. Fowlie described in use
> at the summit can be used on humans.
>
> "It's going to be used to track us," said Barry Steinhardt,
> director of the technology and liberty program for the American Civil
> Liberties Union in New York.
>
> The ACLU said it has received complaints from Europeans concerned
> about how data collected at the summit will be used at the 2005
> summit, where Tunisia plays host.
>
> "There is a lot of concern this data will be transferred to
> Tunisia and used to punish citizens or residents, or to keep tabs on
> the participants who are coming there, perhaps deny entry," Mr.
> Steinhardt said. "There is a lot of concern that this data will
> be transferred to a less-than-democratic nation."
>
> {This concern was expressed strongly in Geneva. Many are
> opposed to holding a Summit on information society in a country that
> does not respect universal human rights. The problem is not so much in
> the actual data gathered in Geneva, all that happened in Geneva was
> probably harmless. The concern is that data gathered for one
> reasonable purpose could be passed to a regime that might use it in
> ways that could be harmful. e.g. While Geneva may never think to track
> who I stood in line with, another government might be interested to
> identify who associated with a participant they know to be hostile to
> their regime. That "hostile" person might not go to the
> Tunis Summit --for example-- but their previously anonymous associates
> might.}
>
> Ms. Lambert said the data was stored for one day on the readers
> and erased, but did not say how long data was stored on the database
> or if it was ever erased.
>
> {Hard to tell if all the data collected is still in the ITU
> database. I can access the first level of information for people that
> were in GLOCOM's delegation. I cannot make changes. But this is the
> same information that would be in the conference participants list
> that has usually been available. Perhaps the more detailed information
> has already been deleted?}
>
> "The actual data submitted by participants was stored on
> ITU-secured servers that were not accessible by any other party than
> the [ITU, United Nations, and WSIS executive secretariat ], and the
> data has not been communicated to any other party," she
> said.
>
> The personal data was obtained from visa applications.
>
> "This has tremendous value for intelligence gathering,"
> said Alberto Escudero-Pascual, a researcher in computer security and
> privacy at the Royal Institute of Technology in Stockholm.
>
> The chips were discovered by Mr. Escudero-Pascual, Stephane Koch,
> president of Internet Society Geneva, and George Danezis, a researcher
> of privacy-enhancing technologies and computer security at Cambridge
> University.
>
> {Alberto Escudero-Pascual arrived at the Summit a couple of
> days early, had his picture taken while registering and as the
> operator's screen was turned slightly towards him, was able to see his
> personal information flash on the screen as the photo was taken. He
> realized the photo was going to be used to identify him in security
> checks in the halls --of course, it's a high level, head of state
> Summit, strong security is all fine and good. If it is sensibly
> applied. But Alberto wonders how it would work? And so the story of
> the RFID chip and data gathering begins to emerge.}
>
> When the card containing an RFID chip is swiped onto the reader,
> the location information is sent via the chip's antenna to a database
> that contains information on the subject.
>
> Mr. Escudero-Pascual said he witnessed the data collected by the
> summit when his information flashed on a computer screen at an entry
> point. The information included a picture of the participant, name,
> occupation, organization, a time stamp of all main entry points and
> each time the participant passed a line into a room.
>
> The data is stored in chronological order, allowing readers to
> determine when, where and which participants are walking into the
> room.
>
> "They might want to know, 'Who has Alberto been queuing with
> for the last few days?' and they can basically see who Alberto is
> working with or talking to by who he enters with," Mr.
> Escudero-Pascual said.
>
> "This is not a conspiracy theory. We use these systems in our
> daily lives to open garages, but people are not aware" of other
> ways the technology can be used, he said.
>
> RFID chips are embedded in many "smart card" systems used
> for access to military bases, airports, gated communities, hospitals,
> state parks and country clubs. RFID chips also can alert government
> agencies to a host of law-breaking activities, such as expired
> insurance policies or license plates.
>
> But tagging participants in a political summit raises privacy and
> security issues, and privacy advocates think the summit's organizers
> might have broken laws by not disclosing the chips' presence.
>
> At least one of the researchers said it violates the Swiss
> Federal Law on Data Protection of June 1992.
>
> {Yes, opinion seems to be that it violates Swiss law, and
> would normally be illegal in Geneva. Except the UN is in some cases
> exempt from data protection laws. So while on Swiss soil but under the
> auspices of the UN, it's likely that no violation occurred. However,
> some UN data protection guidelines were ignored
> <http://www.unhchr.ch/html/menu3/b/71.htm> Wonder if the ITU
> database is also protected? ITU has an unusual status in the UN
> System. Alberto Escudero-Pascual has contacted most EU member states'
> Data Protection Agencies and is seeking support from any individuals
> and organizations in order to get a statement from ITU and the Swiss
> Delegation in WSIS concerning the data collection practises and the
> system in Tunisia.}
>
> "They may be exempt from those laws, but they certainly
> violated the spirit of the law by collecting highly personal
> information without their knowledge or consent," Mr. Steinhardt
> said.
>
> END
>
>
> --
>
>
>
>
>
>
>
> _______________________________________________
> Plenary mailing list
> Plenary at wsis-cs.org
> http://mailman.greennet.org.uk/mailman/listinfo/plenary