[WSIS CS-Plenary] comments - article on RFIDs at the Summit
Mavic
mavic at isiswomen.org
Wed Jan 7 04:25:17 GMT 2004
Hi Adam and all!
Thanks so much for this valuable information. I think we need to discuss
this very seriously in the light of civil society participation in Tunis.
Talk of privacy and security issues.
I completely agree with Jean-Louis' observation that it was an "obedient"
CS that we saw in the WSIS and its processes. We normally are more
vigilant in other spaces.
Happy New Year everyone,
Mavic Cabrera-Balleza
Isis International-Manila
At 02:44 PM 1/5/04 +0100, you wrote:
>Happy and successful New year Adam and all
>
>A special thanks to Adam for this revealing but worrying identity badge story.
>Yet the fundamentals of this non-glorious Swiss technology achievement were
>known by a number of CS members, especially those very clever in
>"security/internet issues", they used to deal with daily in specialised CS
>circles (caucuses, working groups, lobbying groups). But nobody raised any
>appropriate protest during our CS meetings, nor were there any fears
>transmitted to the CS Secretariat. Instead, some zealous CS members urged
>us to send the CS Secretariat all our thanks for the "brilliant job" they
>did ! A very obedient and curious CS indeed !
>
>Best regards
>Jean-Louis Fullsack
>CSDPTT
>
>----- Original Message -----
>From: <mailto:ajp at glocom.ac.jp>Adam Peake
>To: <mailto:plenary at wsis-cs.org>plenary at wsis-cs.org
>Cc: <mailto:aep at it.kth.se>aep at it.kth.se
>Sent: Monday, January 05, 2004 1:38 PM
>Subject: [WSIS CS-Plenary] comments - article on RFIDs at the Summit
>
>Story below from the Washington Times about the identity badges we were
>required to use during the Summit. I've annotated with comment/additional
>information in {italics} (if your email only takes plain text, just look
>for the curly brackets). Thanks to Alberto for checking my notes.
>
>Security is of course important, but so are the concerns this issue raises.
>
>And a very Happy new year to all!
>
>Thanks,
>
>Adam
>
>Summit group confirms use of ID chip
>By Audrey Hudson and Betsy Pisik
>THE WASHINGTON TIMES
>Published December 18, 2003
><http://www.washingtontimes.com/functions/print.php?StoryID=20031217-115051-5373r>
>
>Organizers of the World Summit on the Information Society yesterday
>confirmed that badges worn by high-level attendees were affixed with
>identification chips some say were unknown to the forum's participants.
>
>{That RFIDs were used was not disclosed publicly before the Summit began,
>or to my knowledge, announced during the Summit.}
>
>However, a spokesman for the International Telecommunication Union (ITU),
>which was the host of the three-day event in Geneva last week, scoffed at
>concerns by privacy advocates that the technology could monitor an
>individual's movement or that the data it collects could be misused.
>
>{The RFID was in the name badge, and associated with a database that
>contained all the information about the badge owner that the person
>submitted during pre-registration. That information was a minimum of name,
>position, affiliation, email address, nationality and date of birth. Much
>more information was requested as optional, from passport number and place
>of issue, to arrival and departure dates, hotel, and so on. Potential then
>is to associate this information with other data: for example the Summit
>secretariat helped with visa applications and applications for fellowships
>which contain far more detail -- note *potential*, not saying it actually
>happened. When the badge was used at a check-point this pre-registered
>information along with a corresponding picture was displayed on the
>operator's screen. Of course there were (are?) opportunities for misuse.}
>
>Three European researchers who discovered the chips in their badges, first
>reported by The Washington Times on Sunday, said participants were not
>told about the chips.
>
>{Correct, Summit participants were not told.}
>
>ITU spokesman Gary Fowlie confirmed during an interview from Geneva that
>radio frequency identification chips (RFIDs) were embedded in the passes
>and that data readers were in place to record information transmitted by
>the chip.
>
>Mr. Fowlie disputed that RFIDs have long-range tracking capability, and
>called The Times story "really off base."
>
>"Transmission distance is 1 to 2 centimeters. You have to put your badge
>right up to the screen," he said.
>
>{This comment seems to have the technology back to front. A card was
>analyzed in another country and was found to have a range of 70 cm to 1
>meter. As analysis was made only on a limited number of cards, we can't
>be sure that all chips had the same properties: ITU spokesperson may be
>correct, however it seems unlikely. The card reader at the checkpoint may
>have required the badge to be pressed close against it; the chip itself
>was much stronger, i.e. it had the potential to be read by sensors not
>obvious to those passing by. *I am not saying that such sensors existed*
>but that they could is the point.}
>
>But U.S. and European privacy advocates and critics of RFID technology
>said the story was on target, and that the use of the chips at the summit
>has caused an uproar in the United States and Europe.
>
>"It sent off a shot heard round the world," said Katherine Albrecht,
>director of Consumers Against Supermarket Privacy Invasion and Numbering
>(CASPIAN), a leading opponent of RFID technology.
>
>"We're rolling in e-mails on this thing. It's confirmation this is real,
>it is here, and it's being abused already."
>
>Last week's summit, which was partly organized by the United Nations,
>focused on Internet governance and access, security, intellectual-property
>rights and privacy. The badges were worn by more than 50 prime ministers,
>presidents and other high-level officials from 174 countries, including a
>representative from the United States, John Marburger, head of the White
>House Office of Science and Technology Policy.
>
>In a lengthy statement to The Times yesterday, summit officials said
>participants were notified some personal information would appear on the
>Internet, but declined to say whether participants were told of the
>embedded technology.
>
>{We were asked during registration if we would like our email addresses to
>be included in the publicly available list of participants. It had been
>usual for WSIS preparatory meetings (PrepComs), etc., for participants to
>be listed both on paper and online: name, position and affiliation, with
>email optional. No mention was made of "embedded technology".}
>
>The passes were intended "to facilitate identification by security at
>entry checkpoints," and participants had to swipe the badges across the
>readers to gain access to the summit and meeting rooms, the statement said.
>
>{This is correct and the system worked quite well. Although at least one
>person did obtain a govt. card after forging some credentials.}
>
>"Readers were quite prominently displayed and were only placed at entry
>checkpoints," WSIS spokeswoman Francine Lambert said. "The data stored on
>our servers do not and cannot monitor movement."
>
>{Of course the data collected could monitor movement. There was a
>chronological log of when a badge-holder passed through a checkpoint.
>These records would show that I went into the hall a number of times each
>day (there was no apparent monitoring on the way out). And the database could
>also potentially (and easily) be searched to see who went in at the same
>time as me. Me plus Joe one time: so what. Me plus Joe seven times and
>someone might wonder if they see a pattern?}
>
>U.S. companies use RFID chips to track inventory from the factory to
>stores. Manufacturers also are testing a system that tracks products
>leaving the shelves and alerts employees to restock.
>
>EZ Pass, used at toll booths, uses RFID technology. Authorities
>investigating the murder of federal prosecutor Jonathan P. Luna learned
>that he had made repeated trips to Philadelphia during the past six months
>by tracking electronic data gathered at toll booths in Pennsylvania and
>Delaware.
>
>The Defense Department is requiring its top 100 suppliers to implement
>RFID technology by 2005 to track inventory. The remainder of its 43,000
>suppliers must ship items RFID-ready by 2006.
>
>But privacy advocates say the technology Mr. Fowlie described in use at
>the summit can be used on humans.
>
>"It's going to be used to track us," said Barry Steinhardt, director of
>the technology and liberty program for the American Civil Liberties Union
>in New York.
>
>The ACLU said it has received complaints from Europeans concerned about
>how data collected at the summit will be used at the 2005 summit, where
>Tunisia plays host.
>
>"There is a lot of concern this data will be transferred to Tunisia and
>used to punish citizens or residents, or to keep tabs on the participants
>who are coming there, perhaps deny entry," Mr. Steinhardt said. "There is
>a lot of concern that this data will be transferred to a
>less-than-democratic nation."
>
>{This concern was expressed strongly in Geneva. Many are opposed to
>holding a Summit on information society in a country that does not respect
>universal human rights. The problem is not so much in the actual data
>gathered in Geneva, all that happened in Geneva was probably harmless. The
>concern is that data gathered for one reasonable purpose could be passed
>to a regime that might use it in ways that could be harmful. e.g. While
>Geneva may never think to track who I stood in line with, another
>government might be interested to identify who associated with a
>participant they know to be hostile to their regime. That "hostile" person
>might not go to the Tunis Summit --for example-- but their previously
>anonymous associates might.}
>
>Ms. Lambert said the data was stored for one day on the readers and
>erased, but did not say how long data was stored on the database or if it
>was ever erased.
>
>{Hard to tell if all the data collected is still in the ITU database. I
>can access the first level of information for people that were in GLOCOM's
>delegation. I cannot make changes. But this is the same information that
>would be in the conference participants list that has usually been
>available. Perhaps the more detailed information has already been deleted?}
>
>"The actual data submitted by participants was stored on ITU-secured
>servers that were not accessible by any other party than the [ITU, United
>Nations, and WSIS executive secretariat], and the data has not been
>communicated to any other party," she said.
>
>The personal data was obtained from visa applications.
>
>"This has tremendous value for intelligence gathering," said Alberto
>Escudero-Pascual, a researcher in computer security and privacy at the
>Royal Institute of Technology in Stockholm.
>
>The chips were discovered by Mr. Escudero-Pascual, Stephane Koch,
>president of Internet Society Geneva, and George Danezis, a researcher of
>privacy-enhancing technologies and computer security at Cambridge University.
>
>{Alberto Escudero-Pascual arrived at the Summit a couple of days early,
>had his picture taken while registering and as the operator's screen was
>turned slightly towards him, was able to see his personal information
>flash on the screen as the photo was taken. He realized the photo was
>going to be used to identify him in security checks in the halls --of
>course, it's a high level, head of state Summit, strong security is all
>fine and good. If it is sensibly applied. But Alberto wonders how it would
>work? And so the story of the RFID chip and data gathering begins to emerge.}
>
>When the card containing an RFID chip is swiped onto the reader, the
>location information is sent via the chip's antenna to a database that
>contains information on the subject.
>
>Mr. Escudero-Pascual said he witnessed the data collected by the summit
>when his information flashed on a computer screen at an entry point. The
>information included a picture of the participant, name, occupation,
>organization, a time stamp of all main entry points and each time the
>participant passed a line into a room.
>
>The data is stored in chronological order, allowing readers to determine
>when, where and which participants are walking into the room.
>
>"They might want to know, 'Who has Alberto been queuing with for the last
>few days?' and they can basically see who Alberto is working with or
>talking to by who he enters with," Mr. Escudero-Pascual said.
>
>"This is not a conspiracy theory. We use these systems in our daily lives
>to open garages, but people are not aware" of other ways the technology
>can be used, he said.
>
>RFID chips are embedded in many "smart card" systems used for access to
>military bases, airports, gated communities, hospitals, state parks and
>country clubs. RFID chips also can alert government agencies to a host of
>law-breaking activities, such as expired insurance policies or license plates.
>
>But tagging participants in a political summit raises privacy and security
>issues, and privacy advocates think the summit's organizers might have
>broken laws by not disclosing the chips' presence.
>
>At least one of the researchers said it violates the Swiss Federal Law on
>Data Protection of June 1992.
>
>{Yes, opinion seems to be that it violates Swiss law, and would normally
>be illegal in Geneva. Except the UN is in some cases exempt from data
>protection laws. So while on Swiss soil but under the auspices of the UN,
>it's likely that no violation occurred. However, some UN data protection
>guidelines were ignored <http://www.unhchr.ch/html/menu3/b/71.htm> Wonder
>if the ITU database is also protected? ITU has an unusual status in the UN
>System. Alberto Escudero-Pascual has contacted most EU member states' Data
>Protection Agencies and is seeking support from any individuals and
>organizations in order to get a statement from ITU and the Swiss
>Delegation in WSIS concerning the data collection practises and the system
>in Tunisia.}
>
>"They may be exempt from those laws, but they certainly violated the
>spirit of the law by collecting highly personal information without their
>knowledge or consent," Mr. Steinhardt said.
>END
>
>--
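
The annotation above on the chronological checkpoint log ("Me plus Joe seven times") can be made concrete. The following is an added example, not part of the original email or of the Summit's system: it counts repeated co-entries in an entry-only log, then shows how storing per-day keyed pseudonyms instead of badge ids limits what the stored log can reveal. The log format, the names, the dates and the 60-second window are all constructed assumptions.

```python
import hashlib, hmac, secrets
from collections import Counter
from datetime import datetime, timedelta

def _t(day, hh, mm, ss=0):
    return datetime(2003, 12, day, hh, mm, ss)

# Constructed sample log: (timestamp, checkpoint, badge_id). Entries only.
LOG = []
for day, hours in ((10, (9, 11, 14)), (11, (9, 15)), (12, (10, 16))):
    for h in hours:  # "adam" and "joe" enter the hall 20 s apart, 7 times
        LOG += [(_t(day, h, 0), "hall", "adam"), (_t(day, h, 0, 20), "hall", "joe")]
LOG += [(_t(10, 9, 0, 40), "hall", "ann"), (_t(11, 13, 0), "hall", "ann"),
        (_t(12, 12, 30), "room-2", "joe")]

def pair_counts(log, window=timedelta(seconds=60)):
    """Count, per pair of ids, entries at the same checkpoint within `window`."""
    pairs = Counter()
    events = sorted(log)
    for i, (t1, cp1, a) in enumerate(events):
        for t2, cp2, b in events[i + 1:]:
            if t2 - t1 > window:
                break  # events are time-sorted, nothing later can match
            if cp1 == cp2 and a != b:
                pairs[frozenset((a, b))] += 1
    return pairs

def pseudonymise(log):
    """Mitigation sketch: store a per-day keyed pseudonym instead of the badge id.
    Each day's key lives only inside this call, so days cannot be joined later."""
    day_keys, out = {}, []
    for t, cp, badge in log:
        key = day_keys.setdefault(t.date(), secrets.token_bytes(16))
        out.append((t, cp, hmac.new(key, badge.encode(), hashlib.sha256).hexdigest()))
    return out

def strongest_link(log):
    """Highest co-entry count observed for any single pair of ids."""
    return max(pair_counts(log).values(), default=0)

if __name__ == "__main__":
    print("raw log:", strongest_link(LOG))
    print("per-day pseudonyms:", strongest_link(pseudonymise(LOG)))
```

Within a single day the pseudonymised log still links entries, so this bounds the pattern rather than removing it; shorter retention of the stored log narrows it further.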