
Privacy and RFID Irreconcilable Differences? Marc Langheinrich - PDF document

T-Labs Usability Colloquium, June 25, 2007. Privacy and RFID Irreconcilable Differences? Marc Langheinrich, Institute for Pervasive Computing, ETH Zurich, Switzerland. C.A.S.P.I.A.N. Consumers against supermarket privacy invasions and


  1. T-Labs Usability Colloquium, June 25, 2007

     Privacy and RFID Irreconcilable Differences?
     Marc Langheinrich, Institute for Pervasive Computing, ETH Zurich, Switzerland

     C.A.S.P.I.A.N. (Consumers against supermarket privacy invasions and numbering)
     Dr. Katherine Albrecht, C.A.S.P.I.A.N. Founder
     „The risk [RFID] poses to humanity is on a par with nuclear weapons.“
     Katherine Albrecht, as quoted in Larry Downes: “Don't fear new bar codes”, USA Today, Sep. 25, 2003. www.interesting-people.org/archives/interesting-people/200309/msg00257.html

  2. Public Concern (as seen on TV)

     Public Concern (as measured by Google)
     Original numbers by Ravi Pappu, RFID Privacy Workshop @ MIT: November 15, 2003

  3. Public Concern (as seen by AmI-Experts)
     • Optimists: “All you need is really good firewalls.”
     • Self-Regulation: “It's maybe about letting them find their own ways of cheating, you know…”
     • Not my Problem: “For [my colleague] it is more appropriate to think about privacy issues. It’s not really the case in my case.”
     • Hindrance: “Somehow [privacy] also destroys this, you know, sort of, like, creativity...”
     • Pessimists: “I think you can't think of privacy when you are trying out... it's impossible, because if I do it, I have troubles with finding [a] Ubicomp future”
     Marc Langheinrich: The DC-Privacy Troubadour – Assessing Privacy Implications of DC-Projects. DC Tales Conference, Santorin, 06/2003.

     Public Concern (as measured by )
     • ~1.5% of Europeans are concerned!
     • ~9% of Europeans like RFID!
     • 90% of Europeans don’t care!
     Capgemini: RFID and Consumers – what European Consumers Think About Radio Frequency Identification and the Implications for Business. Survey, February 2005. Available from: www.capgemini.com/news/2005/Capgemini_European_RFID_report.pdf.

  4. RFID mini-primer (for the 82% of Europeans who haven’t heard)

     ~ 20 bytes (more for 2D-codes) | > 100 bytes
     Class of products | Individual items
     Visual line of sight necessary | May be covered
     Needs reader-tag alignment | Largely position independent
     Low reading speed | High speed
     Max ~ 50 cm | Max ~ 2 m
     Read | Read / write
     Sensitive to dirt | Sensitive to metal/water/…
     Low cost | Higher cost
     Fraud relatively easy: copying and changing possible | Fraud more difficult (costly): optional security circuitry

  5. RFID Tag Form Factors I
     • Smart Labels
     • EAS Transponder
     • Contactless RFID Cards
     • Hitachi Coil-on-Chip

     RFID Operating Principle
     [Figure labels: RFID "Reader", RF-Module, Controller, coupling unit, commands, data, RFID Tag/Transponder, Analogue Circuitry, Digital Circuitry, Memory: EEPROM, ROM, RAM, host/application]

  6. Privacy mini-primer

     What is Privacy?
     • „The right to be let alone.“
        • Louis Brandeis, 1890 (Harvard Law Review)
     • „The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others.“
        • Alan Westin („Privacy And Freedom“, 1967)
     [Photo captions: Louis D. Brandeis, 1856 - 1941; Alan Westin, Prof. Emeritus, Columbia University]

  7. Why Privacy?
     • Reasons for Privacy
        • Free from Nuisance
        • Intimacy
        • Free to Decide for Oneself
     • By Another Name...
        • Data Protection
        • Informational Self-Determination
     Privacy isn’t just about keeping secrets – data exchange and transparency are key issues!

     Privacy Violations?
     • Violations Due to Crossings of “Privacy” Borders
        • Prof. Emeritus Gary T. Marx, MIT
     • “Privacy” Borders
        • Natural Borders
        • Social Borders
        • Spatial/Temporal Borders
        • Ephemeral Borders
     RFID-technology makes some of those borders easier to cross

  8. Privacy Implications of Smart Environments
     • Data Collection
        • Scale (everywhere, anytime)
        • Manner (inconspicuous, invisible)
        • Motivation (unspecified, e.g., context)
     • Data Types
        • Observational instead of factual data
     • Data Access
        • “The Internet of Things”

     So what difference will RFID make?

  9. Societal Drivers for RFID Acceptance – Collection and Use
     • Higher Efficiency (Cheaper Stuff!)
        • Rebates! (loyalty cards)
        • Targeted Sales (1-1 marketing)
     • More Convenience
        • Getting information (allergy warnings, meat sources)
        • Simplified handling (return, repairs, access)
     • Increased Safety
        • Crime prevention (ticketing, counterfeiting, CCTV, …)
        • Homeland security (terrorism, child molesters, …)

     Example: Loyalty Cards
     • Emnid Survey Germany (03/2002)
        • 50% have at least one loyalty card
        • 72% welcome such offers
     • 70 Million Cards in Circulation (DE, 12/03)
        • Average rebate: 1.0-0.5%
        • 15% of consumers estimate rebate being 5-10%
     • Minding the Fine Print?
        • Explicit signature allows detailed data mining
        • Consequences?

  10. Consumer Loyalty Cards – The Dark Side
     • The Story of Robert Riveras (1998)
        • Slipped on spilled yoghurt and hurt kneecap. Sued.
        • Consumer card showed high volume liquor purchases
        • Settled out of court
     • Or: Divorce Case
        • Liking of expensive wines increased alimony payments

     Consumer Loyalty Cards – Legal Implications
     • Arson Near Youth House Niederwangen (Berne)
        • At scene of crime: Migros-tools
        • Court ordered disclosure of all 133 consumers who bought items on their supermarket card (8/2004)
        • Arsonist not yet found (06/2007)
     Who Would Think About This When Buying a Screwdriver?!

  11. Aren’t there laws against this stuff?

     Privacy Laws and Regulations
     • Two Main Approaches
        • Sectorial (“Don’t Fix if it Ain’t Broken”)
        • Omnibus (Precautionary Principle)
     • US: Sector-specific Laws, Minimal Protections
        • Strong Federal Laws for Government
        • Self-Regulation, Case-by-Case for Industry
     • Europe: Omnibus, Strong Privacy Laws
        • Law Applies to Both Government & Industry
        • Privacy Commissions in Each Country as Watchdog

  12. US Public Sector Privacy Laws (Federal)
     • Federal Communications Act, 1934, 1997 (Wireless)
     • Omnibus Crime Control and Safe Street Act, 1968
     • Bank Secrecy Act, 1970
     • Privacy Act, 1974
     • Right to Financial Privacy Act, 1978
     • Privacy Protection Act, 1980
     • Computer Security Act, 1987
     • Family Educational Right to Privacy Act, 1993
     • Electronic Communications Privacy Act, 1994
     • Freedom of Information Act, 1966, 1991, 1996
     • Driver’s Privacy Protection Act, 1994, 2000

     US Private Sector Laws (Federal)
     • Fair Credit Reporting Act, 1971, 1997
     • Cable TV Privacy Act, 1984
     • Video Privacy Protection Act, 1988
     • Health Insurance Portability and Accountability Act, 1996
     • Children’s Online Privacy Protection Act, 1998
     • Gramm-Leach-Bliley-Act (Financial Institutions), 1999
