It looks like RFID panic is percolating a bit again. Wired has an article in the current issue about how easy it will be to hack RFID tags, and Gizmodo recently reported ominously hat Levi’s will be tagging its jeans. Most of the privacy concerns are the same as those I’ve refuted in the past; RFID is not GPS and it won’t let you pinpoint someone’s position. However, I’m curious about one new claim the Wired article raises:
Grunwald has recently discovered another use for RFID chips: espionage. He programmed RFDump with the ability to place cookies on RFID tags the same way Web sites put cookies on browsers to track returning customers. With this, a stalker could, say, place a cookie on his target’s E-ZPass, then return to it a few days later to see which toll plazas the car had crossed (and when). Private citizens and the government could likewise place cookies on library books to monitor who’s checking them out.
I’m curious for more information on how this is done. To my knowledge, cookies are just static strings of text that can be used to uniquely identify a browser each time it comes back to a site. In that sense, an RFID chip is itself a cookie. An
HTTP cookie isn’t written to and doesn’t contain a list of all the sites you’ve visited, so how can an RFID cookie tell a stalker all the toll plazas you’ve been to? Also, can all RFID tags take cookies? Beyond those questions, I’m not sure how a stalker is helped by knowing where his target
has been. He would only know which toll plazas were crossed, not what a target’s ultimate destination was, and certainly not their current location. With the library book example, the same questions apply. But assuming that the RFID chip is written to, is the patron’s name inserted into the surreptitious cookie whenever the book is checked out? Why would the library’s software do this? Why would it insert a name and not an ID number? If it’s an ID number, then wouldn’t the stalker need access to the library database to cross-reference the patron’s name? If the stalker has access to that database, why not just look up the check out information there?
At least I’m glad to see that both the Gizmodo and Wired stories acknowledge a privacy threat from government and not just from retailers and other private companies. Privacy activists have concentrated on the perceived threat of commercial RFID use when the real threat is their use in government-mandated IDs.
For those of you who will be in the DC area on Wed., May 10, Progress & Freedom Foundation is hosting a big “Internet Security Summit” at the Hyatt Regency Washington on Capitol Hill from 9:00 – 5:00. The event includes an impressive array of policy experts, corporate representatives and public officials, including keynoter Deborah Majoras, Chairman, Federal Trade Commission.
You can find the complete agenda and register online at: http://www.pff.org/events/upcomingevents/051006internetsecurity.asp
Well it didn’t take long for a young, rebellious punk to turn into a paranoid, condescending parent. I’m already talking to my kids in ways that used to make me resent my own parents. And I’m already beginning to think about how to watch over their every move like a hawk to make sure that they stay out of trouble.
The difference between raising a kid today versus the past, however, is that technology–much to the dismay of independent-minded children–makes this task even easier for parents. In my recent paper discussing how”Parents Have Many Tools to Combat Objectionable Media Content,” I mentioned how new cell phones targeted to kids come embedded not only with a variety of parental controls, but also GPS / geo-location technology. This enables parents to monitor the movements of their children wherever they may go.
Even though my kids are still too young to have their own cell phones, I’ve already begun thinking about how I might use such tracking technologies in the future. Even though both of my kids are under five years of age, I sometimes sit around thinking about what they are doing or exactly where they are at. This is despite the fact that I know exactly where my kids are: My daughter is always at her pre-school and my son is always at home with our nanny. Yet, I’m still paranoid, and sometimes find myself wondering if they are exactly where they should be. Could they have wondered off? Are the teachers or my nanny taking the kids places I don’t know about? Has someone snatched them?!?
I know this is all quite pathetic in one sense, but that’s the sort of paranoid thinking that sometimes goes on in the heads of parents. And in my most paranoid moments, I sometimes think how cool it would be if I could just convert the wi-fi radar on my laptop (which searches for nearby hotspots and maps them on a big radar screen on my computer) into a kid-tracker instead. It could track their cell phones, or their GPS-enable watches or lunchboxes. Or perhaps even the RFID chip I could plant under their skin!
Again, this is the sort of stuff that what have driven me into to hyper-rebellion as a kid, especially as a teenager. The thought of my parents tracking my every move would have driven me nuts, and I my computer-nerd brother and I probably would have worked hard to defeat or trick any geo-location technologies that our parents might have tired to use with us. (My brother would have probably reprogrammed them to trace our cats instead of us.)
Is there a happy balance here? I think so.
Continue reading →
Very exciting things are happening in New Hampshire, where the House has passed a bill to refuse participation in the federal REAL ID Act. REAL ID is a bill that attempts to coerce states into issuing nationally standardized drivers’ licenses and identification cards. It also would have states enter information about citizens and residents into a national database.
I went to New Hampshire Monday to testify to the State Senate Committee on Public and Municipal Affairs, which is considering passing HB 1582 . . . or . . . perhaps it will accept a $3 million grant to comply with REAL ID, which would commit the state to spending ten times that amount in compliance costs.
The reason this is so important is that a national ID will help advance unified record-keeping, particularly by governments, rendering people more susceptible to surveillance and control. A national ID would be a major shift in power from individuals to institutions.
I deal with all these issues in my forthcoming book
Identity Crisis: How Identification is Overused and Misunderstood
. The book also devotes several chapters to the way forward: how we can get the benefits of identification while minimizing the drawbacks. It comes out in May but it’s available for presale right now at Amazon
.
And, yes, I will be plugging my book here on TLF for the next couple of months. It seems shameless, but I’m doing it for you. You need to read this book and learn about the magical, everyday process of identification!
Yesterday, the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee approved a report called the “Framework for Privacy Analysis of Programs, Technologies, and Applications.” It is a step-by-step checklist for reviewing security programs in light of their consequences for privacy and related values.
I’m a member of the Committee and worked hard on writing the document and moving it through the Committee. This renders the Privacilla press release about it bizarrely self-congratulatory. But, in it, I’ve said:
“Privacy” is a word used to describe many interests, including confidentiality, anonymity, seclusion, fairness, transparency, accountability, and liberty. These are things that all Americans believe in, want, and enjoy. As privacy advocates, we are asking for good government and pursuing values that most Americans hold dear. The DHS Privacy Committee’s Framework document helps make this clearer.
(With this ‘blog post, you can add bizarrely self-referential to bizarrely self-congratulatory.)
Along with the privacy discussion, the document calls for risk-based explanation of homeland security programs. The things DHS does should directly and logically address genuine risks to national security. It’s time to end the do-anything, do-everything stance that homeland security efforts have taken since 9/11.
Now that the DHS Privacy Committee’s Framework document is out, smart, focused national security can begin! Privacy and civil liberties can be restored! Birds can sing again!
Gene Weingarten, in a column in today’s Washington Post magazine, has some fun with gmail. Google’s e-mail service, as all loyal TLF readers no doubt know, “reads” the text of messages to provide supposedly relevant advertising to the recipient. Weingarten finds this sometimes just doesn’t work the way it’s intented. Example: he says a colleague e-mailed him for his thoughts on the historical accuracy of Jesus. The message arrived with an solicitation to “Become Legally Ordained Today.” So Weingarten decides to have some fun with Google, writing some faux emails to himself with, well, interesting results. Worth reading, especially on a Sunday when you shouldn’t be doing any heavy policy wonk reading anyway.
National Journal’s Drew Clark is looking at the recent spate of Google issues through a different lens. Many folks have suggested that Google is being inconsistent by defending liberty in the U.S. (resisting the Justice Department’s subpoena) while caving to China (installing filters as required by the government there). That’s an oversimplification in many respects and the case that Google is being inconsistent is harder to make than that.
If you want consistency, Clark’s piece shows where it is: The governments of both China and the United States are seeking to censor.
Clark goes into the fundamental problem that makes the subpoena of Google by the Justice Department so concerning: Supreme Court case law holds that people don’t have a reasonable expectation of privacy (for Fourth Amendment purposes) in information about them held by third parties. This notion is flat-out wrong. It is falling further and further out of step with reality with the advance of online life.
Law enforcement has put a lot of investment into this backward state of affairs, though. A constitutional sea-change will have to take place before people can be confident of going online without exposing themselves to the government’s prying eyes.
The Electronic Frontier Foundation has filed a class action lawsuit against AT&T for allowing the NSA to violate its customers’ privacy. I’m not sure what the chances of the lawsuit succeeding are, but Ars has a good explanation for why such data mining schemes are a poor way to battle terrorism. Matthew Yglesias has another.
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.