Schneier on Security
A blog covering security and security technology.
July 26, 2005
The Sorting Door Project
From The Register:
A former CIA intelligence analyst and researchers from SAP plan to study how RFID tags might be used to profile and track individuals and consumer goods.
"I believe that tags will be readily used for surveillance, given the interests of various parties able to deploy readers," said Ross Stapleton-Gray, former CIA analyst and manager of the study, called the Sorting Door Project.
Sorting Door will be a test-bed for studying the massive databases that will be created by RFID tags and readers, once they become ubiquitous. The project will help legislators, regulators and businesses make policies that balance the interests of industry, national security and civil liberties, said Stapleton-Gray.
In Sorting Door, RFID readers (whether in doorways, walls or floors, or the hands of workers) will collect data from RFID tags and feed them into databases.
Sorting Door participants will then investigate how the RFID tag's unique serial numbers, called EPCs, can be merged with other data to identify dangerous people and gather intelligence in a particular location.
Posted on July 26, 2005 at 9:31 AM
• 31 Comments
I can see this inside a private organization to track employees and such, but I sure hope this doesn't come into the public realm. Say goodbye to even more freedom.
Recently I have been hearing many stories regarding government plans to eventually deploy a system where your personal information is kept on/in your person in the form of an rfid type implant. The idea being to replace passports and medical records, and eventually used to track suspects. The one thing I cannot wrap my head around is the massive amount of information this would generate. Getting/making data is very easy, sorting through it for useful information is the hard part. That is why silly projects like carnivore never bothered me, simply switch all references with bombs to discussions about the health of your grandmother.
Inside a private organization this goes back (for the most part) to the "active badges" and "ubiquitous computing" ideas of the late 80s and early 90s.
I wonder how much the project will actually serve as a testbed for policy development and how much (whether intended or not) as an advertisement for the awesome power of RFID tracking. (The idea of tracking multiple tags on the same person is particularly interesting, since people typically wear different clothes and carry different stuff depending on the activities they have in mind.)
I predict a market in pager-sized RFID active jammers. It wouldn't take much to create a RF generator throwing out binary hash over the RFID frequencies.
Perhaps I'll buy RFID tags in bulk, and eat them like Tic-Tacs!! A random key that "resets" itself every 1 to 3 days.
"...I sure hope this doesn't come into the public realm. Say goodbye to even more freedom."
Can you imagine? It's a scary thought to think that you could be tracked through public places. What if you gave your card to someone else? What if that placed you at the scene of a crime? - Now I’m really going off on one!
Or tracking individuals' shopping habits by scanning them coming through the shop doors?
Unless there is a manual on/off facility on the cards people should leave them at home (this should also give some protection against id theft from compromised/illegitimate scanners)
I wonder how strong an EMP it would take to fry all the RFID tags in a given radius...
If they want to have their database, let them. People like information, it makes them feel good. We want people to feel good just doing their jobs, don't we?
Other people feel good when they do something mischievous. Those people might attend parties where you all put your RFID tags in a bowl and select some new ones at random. For real fun, how hard would it be to duplicate the RFID tags so the unique numbers aren't? It sure would be funny to see data miners come up with conclusions like "on average, everyone traverses the entire country, but doesn't go anywhere in particular with any regularity."
If my location is going to be tracked, I want to be as many places as possible at any given point in time.
Before you lose any privacy/freedom, someone must arrange for matching the RFID-tags in your belongings to yourself. This is not trivial.
It is one thing to know that 12 cans of beer went out of the shop door, and it is another to know that George Bush was carrying them.
Research is good, but technologists often sit around dreaming up how to increase the efficiency and accuracy of tagging and reporting in a vacuum -- the opposite of what the public really want or need. If/when we consider whose assets are really at stake, the security picture becomes a lot clearer.
RFID implementations have to be carefully evaluated so they do not create repositories of information assets that are vulnerable to threats. Take US ranchers, for example, who are getting RFID imposed on them and say they are concerned about their competitors getting access to herd statistics that are compiled faster and more centralized via RFID. That seems like a genuine issue, and we're not even talking about critical threats like organized crime or bio-terrorism (yet).
Until the public and private sector have figured out how to *justly* protect the existing repositories of digital assets (i.e. personal identity information) I do not think they should be allowed to accumulate more, especially retailers. Would you put your savings in a bank in a lawless town that does not have a safe? It seems that the law should actually be used to help stop assets from being deposited into insecure repositories and used for nefarious purposes...something like California's AB1950 that calls for "reasonable" security, and perhaps strengthened to include protection from *unlawful* search even by the CIA.
With that being said, consider that while retailers are under heavy pressure right now from state and federal laws as well as industry regulation to START securing information assets, there are still companies trying to play fast and loose with information assets (e.g. CardSystems).
The Register quotes a rep of the EFF who says "The burden is on the proponents of tracking devices to show that they are not going to contribute to a surveillance infrastructure, but (the retailers) are not willing to have an honest conversation with society." Well, yes because unless there is a competitive advantage to retailers being honest (e.g. demanded by consumers and/or required by law) they are literally under no obligation to their shareholders to do what the EFF might think is in the best interest of the public -- asset protection.
"Can I have your papers please?"
Maybe I'm super-duper paranoid here, but what do they want to do next, implant heart-plugs in each individual so that they can pop them by remote control if somebody just happens to look like a terrorist? (If this doesn't make sense to you then you've never read any of the "Dune" books....) We don't need any of this garbage. George Orwell was right.
US Passports are very valuable. If they start implanting RFIDs that go together with them, then maybe US Citizens together with their passports will be even more valuable.
The Register article was a little lurid... I know it's a sexy lede to use "former CIA analyst," but I've been on to many things since.
My thoughts on RFID are that it's something of a steamroller coming, though not all that different from a host of other, little marginal enhancements in technology for tracking, visualization, etc., that are going to collectively peck away at privacy like myriad ducks (see for example, this just-awarded NSF grant for improving persistent visual tracking: https://www.fastlane.nsf.gov/servlet/showaward?award=0535324). The purpose of the Sorting Door is in part to more openly demonstrate what's likely happening behind the scenes, and to give some hooks for better research on technologies and policies to mitigate some of the problems.
My thoughts on government and information collection/analysis, as a former fed, are that I don't want to be safe from government because government can't "connect the dots"... that leads to government by the inept and wasteful. I'd like to be safe from government because there's appropriate and rigorous oversight, so that, for example, it's relatively easy for the FBI to collect and assess information on anyone they can get a warrant on, but each and every case they take up can be scrutinized by judges, and aggregate information (e.g., how many wiretaps they carry out) is available to the public, so we can decide just how comfortable we are with how our government works.
We'd welcome interest in participation in the Sorting Door work, and can share some additional papers on RFID, security, surveillance & privacy not available on the public area of the company site (http://www.stapleton-gray.com/papers/) for those with an interest there.
@Matti: ...someone must arrange for matching the RFID-tags in your belongings to yourself. This is not trivial.
It seems to me this is trivial. If Mr. Bush purchased that 12 pack with a credit or debit card then the store (and by extension, the government) now has both the rfid number and a fairly well established identity to link.
Yes, you may have purchased it as a gift, and there are numerous other complications, but with a large enough database it should be doable to track a person via rfid-enabled purchases.
We do need to keep in mind that retail VIP cards have been abused.
Take this firefighter who was charged with arson - some of the evidence - the items used in the fire were purchased with his VIP card:
Five months later - he's cleared of charges not because his VIP card showed the truth, but because someone came forward:
Rule 101, people, it goes both ways
In the UK most people shop at a small number of large Supermarket chains. The major players have loyalty cards that offer a discount (typically about 1%) if you present them at the checkout with your shopping. The discount is in the form of cash like vouchers that are posted to you so you can't avoid linking the card to an address that you can receive mail at. If you want to use a credit or debit card to pay then it would be very suspicious to have a loyalty card in a different name. That's how your identity will get linked to the RFID tags embedded in the goods you bought at those stores.
I'm currently wearing a pair of jeans bought at Tesco (one of those stores) in conjunction with a loyalty card. They don't yet (I hope) include an RFID chip but in the future it is highly likely that they will. Tesco have already trialed RFID chips in packs of razor blades. These were linked to camera surveillance in the stores - if you walked out with a packet of razor blades you got your photo taken. So, they potentially got a photo to go with your loyalty card data that you didn't consent to.
We often attribute our "big brother" fears to governments. It may be that the real risk is big businesses who are subject to less direct public scrutiny than the state.
Here's the key phrase:
"that balance the interests of industry, national security and civil liberties"
In that order. :(
The average Joe will have its information in the open while the terrorists will find it easier to blend in - all they have to do is make sure their RFID transponder responds with the average Joe's readings.
I can imagine a conversation between two agents:
Agent 1: Hey, look at this guy there, what do you think he's doing, loitering in front of that high-security building with a video camera, a directional antenna and a laptop?
Agent 2: Let's check. Hey, mister, come over here.
Joe: Hello, how may I help you?
Agent 1: What are you doing here?
Joe: Just reading my emails
Agent 2: Let's see... log on to RFID network... Oh, sorry to bother you sir, your RFID history shows that your purchasing patterns have a low risk profile, I guess you're okay.
Joe: No problem, I'll just go on collecting intel - oh, I meant - reading my email.
Agent 1: Sure thing, just doing our jobs.
Can anyone point me to some resources on how RFID widgets are made and programmed? (Tried Google, but there was too much noise.)
I'm wondering if it would be a simple thing to produce tags that would generate false positives to the data collectors... glue them to the bottom of shopping baskets, etc etc
In somewhat related news (on the wisdom of amassing RFID data into a hugely vulnerable and valuable information asset), the following SAP vulnerability was announced yesterday:
If exploited, this vulnerability can result in unintended information disclosure.
This is rated as high.
> I'm wondering if it would be a simple thing to produce tags that would generate false positives to the data collectors...
Most tags are quite simple and dumb, about as "smart" as an electronic print bar code, so creating a fake one would be easy (this isn't necessarily the case with more complex, active tags like what's in your FasTrak transponder in your car).
Google on "blocker tag" and "rsa" for some discussion of the idea of masking tags or "spamming" tag readers.
There're a number of discussion threads on RFID for applications like anti-counterfeiting, etc., on our blog (http://www.stapleton-gray.com/surpriv/)
Wanna bet they'll become mandatory in some products: cameras, cellphones, recording devices so you can be searched at the door?
Zapping an RFID intentionally buried deep in a digital camera or cellphone is probably not readily doable.
There should be a security application in forensic reconstruction, like surveillance cameras.
I trust the government and industry not to abuse RFID just as far as I trust the TSA to obey Congress: as far as I can comfortably spit a rat.
Now where did I put that link to the DIY RFID reader detector...
That's an interesting question, and one of the reasons behind the whole idea of the Sorting Door... given that RF is effectively invisible to humans, how do we know where tags and readers might be? Doors (e.g., with an accompanying information kiosk, which is what's intended to be depicted in the graphics on the Sorting Door web site) could allow one to "scrub" oneself for tags (or other RF-emitting or responding devices); something to detect readers would be the other side of the coin.
Various research projects are examining "augmented reality," e.g., overlaying a scene with data, like closed captioning... one could imagine doing that, with an RF detector feeding data to a visual display, so that if one looked around in a retail store, you'd see the readers as bright blobs, and (some of the) tags as little blobs.
Yep. This is something like Orwell and Philip K. Dick combined. Why is it that every piece of technology has to be used to catch "evildoers" and to monitor everybody? I think it speaks volumes about the society we live in. Everyone is suspect until proven innocent. And we all know that everyone is guilty of something. So eventually everyone will be caught on every minor infringement they have committed. And after that we can proceed to Vanilla Sky type of society.
> So eventually everyone will be caught on every minor infringement they have committed.
This recalls the Panopticon: http://en.wikipedia.org/wiki/Panopticon
It's not that everyone will be caught on every infringement, but that everyone will be aware that they may be under surveillance at all times.
I'm actually something of a skeptic that we'll really need to worry about RFID tags on goods in commerce; I suspect that item-level tagging for many of the proposed applications (such as detecting employee theft) will be something of a bust, either insufficiently effective, or easily subverted. RFID in commerce will work best in highly-controlled environments, i.e., nowhere near the retail store floor, with all those messy customers mucking about. (See our white paper, "Scanning the Horizon," at http://www.stapleton-gray.com/papers/)
On the other hand, there are a lot of RFID-capable items and devices out there already, e.g., access badges, payment devices like Mobil Speedpass, etc., and we'll keep adding to them. And people will choose to start tagging themselves, for various little happy applications like opening their front door automagically or whatnot.
And, on the other hand, there are a lot of non-RF surveillance technologies that will be steadily improving, e.g., machine vision (which seems like it would be much more useful to solve retail store theft problems).
We're going to need to address an increasing number of privacy questions, with or without RFID.
"And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name..." -- Revelation 13:16-17
I'm no Bible-thumping fundamentalist, but in the light of these technological developments those verses from the Apocalypse sound ominously close to becoming reality in the not too distant future.
AFAIK, these RFID tags aren't on a lot of consumer goods though. The article just seems to be doing a lot of fear-mongering about 'when the RFIDs are going to attack!'
Just how durable are these tags anyway? As consumers we beat the heck out of stuff... does anyone here know how much wear-and-tear an RFID tag can take? Can one go through the wash? They can't be indestructible.
In the hypothetical situation that RFIDs become ubiquitous, it could cause for some amusing mischief, e.g. transplanting the tags for "leather trenchcoat" and "holsters" into my shorts pocket just to freak out the scanners.
As I have said in earlier postings the matching is actually not that difficult if the RfIDs are in what you wear.
Let's say your shoes, socks, shirt, pants, jacket, wrist watch, wallet etc have one in (they are going to be ubiquitous after all).
Now let's say you go and buy a tie with your credit card, the EPOS till logs your CC-ID with the RfID id into its DB, which of course the government will want to see at will...
Now when you walk through the shop door all those little RfIDs "tell a tale on you", it does not take many cross correlations to figure out that it is probably you from the combination of numbers...
The question then is how many numbers to give a better than 90% probability that it's you....
In the scenario where you've got an Electronic Product Code (EPC) tag on your person, that number could be 1. An EPC is (that is to say, one of the standard formats for an EPC is) the code that's in a regular UPC bar code today, plus a unique serial number. So that if you have a particular Eddie Bauer jacket tagged by the manufacturer, it would be uniquely identifiable from every other EB jacket, and if some party matched you with that jacket (e.g., when you presented a credit card, or got carded at a bar), one could be pretty sure that every other encounter of that particular jacket implied you. (It should also be readily knowable when the tag is seen that it's attached to an Eddie Bauer jacket, as all the manufacturers should presumably want to base their EPCs off the UPCs they're already widely using, and there are various providers that can map a UPC to a product, e.g., QRS and GXS, for supply chain interests.)
Obviously some fuzziness... if you sold or donated the jacket; library books, which are now often RFID-tagged, are by definition loaned to numerous individuals; etc.
But again, I wouldn't focus as much on EPC tags on retail goods, as it would seem that they'd be more likely to be embedded in discardable packaging, or (for cheaper goods) too expensive to use. The more interesting area may be all of the other RF-responsive things that people carry today, or which will be invented soon. We'll be small, mobile clouds of RF responsiveness, and some of those signals will be globally-unique IDs that might be used to mark our progress around town, or the world.
(You'll certainly hear, "RFIDs can't be used to *track* people," which is more or less true of passive RFID. We're using "point surveillance" to describe the idea that various readers deployed by various parties in obvious places, such as doorways, will collect little connect-the-dot maps of activity.)
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.