Privacy and RFID · 6/25/2007 · T‐Labs Usability Colloquium June 25, 2007 Marc Langheinrich,...
T‐Labs Usability Colloquium June 25, 2007
Marc Langheinrich, ETH Zurich 1
Privacy and RFID
Irreconcilable Differences?
Marc Langheinrich
Institute for Pervasive Computing
ETH Zurich, Switzerland
C.A.S.P.I.A.N.
Consumers against supermarket privacy invasions and numbering
Dr. Katherine Albrecht, C.A.S.P.I.A.N. Founder
„The risk [RFID] poses to humanity is on a par with nuclear weapons.“
Katherine Albrecht, as quoted in Larry Downes: “Don't fear new bar codes”, USA Today, Sep. 25, 2003. www.interesting‐people.org/archives/interesting‐people/200309/msg00257.html
Public Concern (as seen on TV)
Public Concern (as measured by Google)
Original numbers by Ravi Pappu, RFID Privacy Workshop @ MIT: November 15, 2003
Public Concern (as seen by AmI-Experts)
Optimists: “All you need is really good firewalls.”
Self-Regulation: “It's maybe about letting them find their own ways of cheating, you know…”
Not my Problem: “For [my colleague] it is more appropriate to think about privacy issues. It’s not really the case in my case.”
Hindrance: “Somehow [privacy] also destroys this, you know, sort of, like, creativity...”
Pessimists: “I think you can't think of privacy when you are trying out... it's impossible, because if I do it, I have troubles with finding [a] Ubicomp future”
Marc Langheinrich: The DC-Privacy Troubadour – Assessing Privacy Implications of DC-Projects. DC Tales Conference, Santorin, 06/2003.
Public Concern (as measured by )
~1.5% of Europeans are concerned!
~9% of Europeans like RFID!
90% of Europeans don’t care!
Capgemini: RFID and Consumers – what European Consumers Think About Radio Frequency Identification and the Implications for Business. Survey, February 2005. Available from: www.capgemini.com/news/2005/Capgemini_European_RFID_report.pdf.
RFID mini-primer
(for the 82% of Europeans who haven’t heard)
Barcode
  ~ 20 bytes (more for 2D-codes)
  Class of products
  Visual line of sight necessary
  Needs reader-tag alignment
  Low reading speed
  Max ~ 50 cm
  Read
  Sensitive to dirt
  Low cost
  Fraud relatively easy: copying and changing possible
RFID tag
  > 100 bytes
  Individual items
  May be covered
  Largely position independent
  High speed
  Max ~ 2 m
  Read / write
  Sensitive to metal/water/…
  Higher cost
  Fraud more difficult (costly): optional security circuitry
RFID Tag Form Factors I
Smart Labels
Hitachi Coil-on-Chip
EAS Transponder
Contactless RFID Cards
RFID Operating Principle
[Figure: block diagram with the labels RFID "Reader" (RF-Module, Controller, coupling unit), host/application, data, commands, and RFID Tag/Transponder (coupling unit, Analogue Circuitry, Digital Circuitry, Memory: EEPROM, ROM, RAM)]
Privacy mini-primer
What is Privacy?
„The right to be let alone.“
Louis Brandeis, 1890 (Harvard Law Review)
[Photo: Louis D. Brandeis, 1856 - 1941]
„The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others.“
Alan Westin („Privacy And Freedom“, 1967), Prof. Emeritus, Columbia University
[Photo: Alan Westin]
Why Privacy?
Reasons for Privacy
  Free from Nuisance
  Intimacy
  Free to Decide for Oneself
By Another Name...
  Data Protection
  Informational Self-Determination
Privacy isn’t just about keeping secrets – data exchange and transparency are key issues!
Privacy Violations?
Violations Due to Crossings of “Privacy” Borders
Prof. Emeritus Gary T. Marx, MIT
“Privacy” Borders
  Natural Borders
  Social Borders
  Spatial/Temporal Borders
  Ephemeral Borders
RFID-technology makes some of those borders easier to cross
Privacy Implications of Smart Environments
Data Collection
  Scale (everywhere, anytime)
  Manner (inconspicuous, invisible)
  Motivation (unspecified, e.g., context)
Data Types
  Observational instead of factual data
Data Access
  “The Internet of Things”
So what difference will RFID make?
Societal Drivers for RFID Acceptance – Collection and Use
Higher Efficiency (Cheaper Stuff!)
  Rebates! (loyalty cards)
  Targeted Sales (1-1 marketing)
More Convenience
  Getting information (allergy warnings, meat sources)
  Simplified handling (return, repairs, access)
Increased Safety
  Crime prevention (ticketing, counterfeiting, CCTV, …)
  Homeland security (terrorism, child molesters, …)
Example: Loyalty Cards
Emnid Survey Germany (03/2002)
  50% have at least one loyalty card
  72% welcome such offers
70 Million Cards in Circulation (DE, 12/03)
  Average rebate: 1.0-0.5%
  15% of consumers estimate rebate being 5-10%
Minding the Fine Print?
  Explicit signature allows detailed data mining
  Consequences?
Consumer Loyalty Cards – The Dark Side
The Story of Robert Riveras (1998)
  Slipped on spilled yoghurt and hurt kneecap. Sued.
  Consumer card showed high volume liquor purchases
  Settled out of court
Or: Divorce Case
  Liking of expensive wines increased alimony payments
Consumer Loyalty Cards – Legal Implications
Arson Near Youth House Niederwangen (Berne)
  At scene of crime: Migros-tools
  Court ordered disclosure of all 133 consumers who bought items on their supermarket card (8/2004)
  Arsonist not yet found (06/2007)
Who Would Think About This When Buying a Screwdriver?!
Aren’t there laws against this stuff?
Privacy Laws and Regulations
Two Main Approaches
  Sectorial (“Don’t Fix if it Ain’t Broken”)
  Omnibus (Precautionary Principle)
US: Sector-specific Laws, Minimal Protections
  Strong Federal Laws for Government
  Self-Regulation, Case-by-Case for Industry
Europe: Omnibus, Strong Privacy Laws
  Law Applies to Both Government & Industry
  Privacy Commissions in Each Country as Watchdog
US Public Sector Privacy Laws (Federal)
Federal Communications Act, 1934, 1997 (Wireless)
Omnibus Crime Control and Safe Street Act, 1968
Bank Secrecy Act, 1970
Privacy Act, 1974
Right to Financial Privacy Act, 1978
Privacy Protection Act, 1980
Computer Security Act, 1987
Family Educational Right to Privacy Act, 1993
Electronic Communications Privacy Act, 1994
Freedom of Information Act, 1966, 1991, 1996
Driver’s Privacy Protection Act, 1994, 2000
US Private Sector Laws (Federal)
Fair Credit Reporting Act, 1971, 1997
Cable TV Privacy Act, 1984
Video Privacy Protection Act, 1988
Health Insurance Portability and Accountability Act, 1996
Children’s Online Privacy Protection Act, 1998
Gramm-Leach-Bliley-Act (Financial Institutions), 1999
EU Data Directive
1995 Data Protection Directive 95/46/EC
  Sets a Benchmark For National Law For Processing Personal Information In Electronic And Manual Files
  Facilitates Data-flow Between Member States And Restricts Export Of Personal Data To „Unsafe“ Non-EU Countries
  Applies to both Public and Private Sector
  Data collection illegal, unless consented or authorized
  Follows OECD Fair Information Principles (1980)
Fair Information Principles (FIP)
Drawn Up By the OECD, 1980
  “Organisation for economic cooperation and development”
  Voluntary guidelines for member states
  Goal: ease transborder flow of goods (and information)
Six Principles (simplified)
  1. Openness
  2. Data access and control
  3. Data security
  4. Collection Limitation
  5. Data subject’s consent
  6. Use Limitation
Core Principles of Most Modern Privacy Laws
  Implication: RFID usage must conform to FIP
Let’s just build secure RFID-Systems
“All you need is really good firewalls.”
Secure From What?
Unauthorized Readouts
  Identification: „what?“; „who?“
  Tracking: „where?“ (might imply „who?“)
Identification and Tracking – Implications
Embarrassing Stuff
  Wearing a Wig? Underwear? Medicine?
Criminal Stuff
  Theft, fraud, murder/terror
[Figure: “RFID-Man” artwork with item labels:
  Passport: Name: John Doe, Nationality: USA, Visa for: Israel
  Wig: Model #2342, Material: Polyester
  Tiger Tanga: Manufacturer: Woolworth, Washed: 736
  Wallet: Contents: 370 Euro, Disability Card: #2845
  Viagra: Manufacturer: Pfizer, Extra Large Package]
Original “RFID-Man” Artwork (c) 2006 Ari Juels, RSA Laboratories
Identification and Tracking – Implications
Embarrassing Stuff
  Wearing a Wig? Underwear? Medicine?
Criminal Stuff
  Theft, fraud, murder/terror
Indirect Control
  Subtle influence with detailed profiles
Direct Control
  “Technology paternalism”, government control
Spiekermann, Pallas: Technology Paternalism – Wider Implications of Ubiquitous Computing. Poiesis and Praxis: International Journal of Technology Assessment and Ethics of Science. Springer-Verlag (Jan 2006), 1–13
Secure From What?
Unauthorized Readouts
  Identification („what?“, „who?“)
  Tracking („where?“; might imply „who?“)
Eavesdropping Reader-Tag Communication
  Instead of attempting unauthorized readouts…
Unauthorized Duplication/Generation
  Counterfeiting authentic identifiers
Preventing RFID Cloning
Example: E-Passport (Nov 2005)
  Digitally sign data on RFID-chip
  Prevents changing data or creating new chips
  Does NOT prevent duplicating the chip!
Example: Contactless Smart Card
  Use challenge-response protocol w/ random number to verify that card knows a secret
  Sophisticated power analysis may be able to infer hidden secret (Alternative: PUFs)
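The contrast between the two examples above, as an added Python sketch that is not part of the original slides: signed data blocks modification but verifies equally well on a duplicate, while a challenge-response check fails for a duplicate that lacks the on-chip secret. Assumptions: an HMAC under a hypothetical ISSUER_KEY stands in for the issuer's digital signature, the reader knows the enrolled secret, and all function names and sample data are made up for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: an HMAC under ISSUER_KEY stands in for the issuer's digital
# signature, so the example runs with the standard library only.
ISSUER_KEY = secrets.token_bytes(32)

def issue_chip(data: bytes) -> dict:
    """Personalise a chip: readable data + signature, plus a secret kept on-chip."""
    sig = hmac.new(ISSUER_KEY, data, hashlib.sha256).digest()
    return {"data": data, "sig": sig, "secret": secrets.token_bytes(16)}

def copy_readable(chip: dict) -> dict:
    """What a duplicate contains: everything a reader can read, but not the secret."""
    return {"data": chip["data"], "sig": chip["sig"]}

def data_is_signed(chip: dict) -> bool:
    """Static check: is the stored data unmodified and issued by the authority?"""
    expected = hmac.new(ISSUER_KEY, chip["data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, chip["sig"])

def chip_respond(chip: dict, challenge: bytes) -> bytes:
    """Card side: prove knowledge of the secret without sending it."""
    key = chip.get("secret", b"")  # a duplicate has no secret to key the MAC with
    return hmac.new(key, challenge, hashlib.sha256).digest()

def chip_is_genuine(chip: dict, enrolled_secret: bytes) -> bool:
    """Reader side: fresh random number per run, compare with expected response."""
    challenge = secrets.token_bytes(16)
    expected = hmac.new(enrolled_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, chip_respond(chip, challenge))

def demo() -> dict:
    genuine = issue_chip(b"Name: John Doe; Nationality: USA")  # constructed sample
    duplicate = copy_readable(genuine)
    altered = dict(duplicate, data=b"Name: Jane Roe; Nationality: USA")
    return {
        "altered data passes signature check": data_is_signed(altered),
        "duplicate passes signature check": data_is_signed(duplicate),
        "genuine passes challenge-response": chip_is_genuine(genuine, genuine["secret"]),
        "duplicate passes challenge-response": chip_is_genuine(duplicate, genuine["secret"]),
    }
```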
Preventing Eavesdropping
Problem: Long Range of Reader Field
  High-power field transmits reader commands over many meters, which may contain tag IDs
  Solution: XOR reader commands w/ random number sent from tag
  Alternative: Reader commands use temporary IDs
Better: Encrypt Channel
  E-Passport uses key from machine-readable zone (MRZ) to encrypt traffic
  Requires manual handling (opening)
Preventing Unauthorized Readouts
How do You Prove That You Are Authorized?
  Something you know (i.e., a password)
  Something you have (i.e., an access token)
  Something you are (i.e., biometrics)
  Something you do (also biometric, e.g., personal habits)
  Where you are (e.g., your current location)
Which one of these works for RFID?
  Passwords? Tokens?
Using Passwords to Secure RFID Access
General Principle: Lock/Unlock ID With Password
  Tag only replies if correct password/secret is sent
Requires RFID-Owner to Know Secret
  Password must be transferred at checkout (where to?)
Requires Owner to Know Which Secret to Use
  Chicken And Egg Problem: If you don’t know what tag it is, how do you know what password to use?
Kill Command
„Dead Tags Tell No Tales“
  Permanently deactivate tag at checkout
Hard Kill
  Cut tag antenna or „fry“ circuit
Soft Kill
  Needs password to prevent unauthorized killing
Both Approaches Require Consumer Action
  Also voids any post-sales benefits (returns, services, …)
[Photo: Metro RFID De-Activator]
Deactivation and Password Management…
Does Your Solution Work Here?
Alternative: Shamir Tags
An Example for Zero-Management Privacy Protection
Unknown Tags Take Long Time To Read Out
  Bitwise release, short range (e.g., one random bit/sec)
  Intermediate results meaningless, since encrypted
  Decryption requires all bits being read
  Complicates Tracking & Unauthorized Identification
Known Tags Can be Directly Identified
  Initial partial release of bits enough for instant identification from a limited set of known tags
  Allows owner to use tags without apparent restrictions
Secret Shares (Shamir 1979)
[Figure: Shamir Tag construction and disclosure. Secret s: 96-bit EPC-Code. Shares h_i: 106-bit Shamir Share each (10-bit x-value, 96-bit y-value). Shamir Tag: 318 bits. Bit Disclosure Over Time: 16-bit Initial Reply, then +1 bit, +1 bit, +1 bit, …]
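The share layout and the two read paths of a Shamir Tag, as an added Python example (not code from the talk or from the cited paper). Assumptions: arithmetic in the prime field 2^96 − 17, three shares that are all required, and an initial reply that is simply the first 16 bits of the tag string; the function names and the sample EPC value are constructed for illustration.

```python
import secrets

# Layout from the slide: 3 shares x (10-bit x + 96-bit y) = 318-bit Shamir tag.
X_BITS, Y_BITS, N_SHARES = 10, 96, 3
SHARE_BITS = X_BITS + Y_BITS
P = 2**96 - 17  # assumption: prime field just below 2^96, so each y fits in 96 bits
SAMPLE_EPC = 0x3034000123456789ABCDEF01  # constructed 96-bit sample value

def make_shamir_tag(epc: int) -> str:
    """Split an EPC (assumed < P) into 3-of-3 shares; return the 318-bit string."""
    if not 0 <= epc < P:
        raise ValueError("EPC must be in [0, P)")
    # Degree-2 polynomial f with f(0) = epc and two random coefficients.
    coeffs = [epc] + [secrets.randbelow(P) for _ in range(N_SHARES - 1)]
    xs = set()
    while len(xs) < N_SHARES:  # distinct, non-zero 10-bit x-values
        xs.add(1 + secrets.randbelow(2**X_BITS - 1))
    bits = ""
    for x in sorted(xs):
        y = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
        bits += format(x, f"0{X_BITS}b") + format(y, f"0{Y_BITS}b")
    return bits

def recover_epc(tag_bits: str) -> int:
    """Unknown-tag path: Lagrange interpolation at x = 0 over all 318 bits."""
    if len(tag_bits) != N_SHARES * SHARE_BITS:
        raise ValueError("all 318 bits are required")
    shares = []
    for off in range(0, len(tag_bits), SHARE_BITS):
        x = int(tag_bits[off:off + X_BITS], 2)
        y = int(tag_bits[off + X_BITS:off + SHARE_BITS], 2)
        shares.append((x, y))
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * -xm % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret

def identify_known(initial_reply: str, owned: dict) -> list:
    """Known-tag path: match the 16-bit initial reply against stored tag strings."""
    return [name for name, bits in owned.items() if bits.startswith(initial_reply)]

def seconds_to_read_unknown(initial_bits: int = 16, bits_per_sec: int = 1) -> int:
    """Time a stranger's reader needs at the slide's example rate of one bit/sec."""
    return (N_SHARES * SHARE_BITS - initial_bits) // bits_per_sec
```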
More Privacy Through Less Security?
Shamir Tags Require No Consumer Effort
  Delay upon first use, but no passwords to manage!
  Not useful for „important“ items (passports, e-money)
  Does not alleviate user concerns (tags remain active)
Building Block for Comprehensive Solution
  Strong crypto for passports, drug-authenticity, …
  Clipping/killing for concerned consumers
  Unconcerned consumers get basic protection „for free“
(Well, RFID won’t get accepted otherwise…)
Societal Drivers for RFID Acceptance – Collection and Use
Higher Efficiency (Cheaper Stuff!)
  Rebates! (Loyalty Cards)
  Targeted Sales (1-1 Marketing)
  70 Million Cards! 72% Like it!
More Convenience
  Getting shopping advice (e.g., allergies)
  Simplified handling (return, repairs, access)
  Automated Toll-Roads! Skipasses! Remote Car-Keys!
Increased Safety
  Crime prevention (Ticketing, counterfeiting, CCTV, …)
  Homeland security (terrorism, child molesters, …)
  Survey DE (05/06): 80+% like more CCTV surveillance
  Survey US (08/04): 70+% accept air travel surveillance
Summary
Privacy Is Not (Simply) Security
  It’s about transparency and control
RFID Security Only Partial Answer
  Password management cumbersome, impractical
RFID Privacy Requires Novel Approaches
  How to minimize burden to consumers?
  How to maximize „out-of-the-box“ protection?
Who Is to Design & Build RFID-Privacy Systems?
  People are already increasingly relying on RFID…
Related Work on RFID Privacy at ETH Zurich
see www.vs.inf.ethz.ch/publ/
M. Langheinrich: RFID and Privacy. In: Milan Petkovic, Willem Jonker (Eds.): Security, Privacy, and Trust in Modern Data Management. Springer, July 2007.
M. Langheinrich, R. Marti: Practical Minimalist Cryptography for RFID Privacy. Submitted for publication, 2007.
Ch. Floerkemeier, R. Schneider, M. Langheinrich: Scanning with a Purpose – Supporting the Fair Information Principles in RFID protocols. In: Proceedings of UCS 2004. LNCS Vol. 3598, Springer, 2005.
Privacy Reads
David Brin: The Transparent Society. Perseus Publishing, 1999
Lawrence Lessig: Code and Other Laws of Cyberspace. Basic Books, 2000
Daniel Solove and Marc Rotenberg: Information Privacy Law. Aspen Publ. 2003
Novel services and applications in an Internet of Things (IOT)
Emerging IOT business models and process changes
Communication systems and network architectures for IOT
Technologies and concepts for embedding sensing, actuation, communication, and computation into networked things
Experience reports from the introduction and operation of networked things in areas such as healthcare, logistics & transport
Security/privacy aspects of IOT infrastructures & applications
September 15, 2007: Deadline for Technical Paper submissions
October 20, 2007: Deadline for Workshop Proposals
March 26-28, 2007
www.internet-of-things-2008.org