Wednesday, January 5, 2011

Privacy Issues in RFID Technology

RFID, like any other information technology, has inherited security and privacy risks; some, are due to technological limitations while others are a result of a incorrect deployment and usage. Office of the Privacy Commissioner of Canada (2008) believes that “RFID may have dramatic implications for privacy protection and that it is now necessary to identify good practices for organizations subject to the PIPEDA and the Privacy Act.” Regardless, by understanding the risks and applying security best practices, one can significantly reduce the privacy exposure. Tom Karygiannis (2007) concludes that “for RFID implementations to be successful, organizations need to effectively manage that risk, which requires an understanding of its sources and its potential characteristics”. We also need to distinguish between privacy and security concerns; not every security issues is related to information privacy, whereas a proper security of personal and private information is required by privacy laws and Information Fair Usage legislation.
The main privacy concern, ability to track and identify the tag carrier, has it roots in the historical purpose of the RFID tags which is “tagging objects like shipping containers, munitions, automobile parts, or even live cattle” (Juels, Ari, and Stephen A. Weis. 2009) and since it is highly unlikely that a person would be carrying a shipping container or cattle, individual privacy was not considered an issue. By carrying an RFID enable item, a personal identity could be compromised and it could happen without owners knowledge that his/her identity was acquired by a 3rd party.
Furthermore, association could be established between a person and private information such as citizenship, medical prescriptions and personal interests. For example, from 2006 U.S. Department of State issues RFID enabled passport which “contains the name, nationality, gender, date of birth, and place of birth of the passport holder, as well as a digitized photograph of that person” (Grant Gross, 2005). and although the information is encrypted, a simple scan of a crowd in the airport could identify US citizens. Juels, Ari, and Stephen A. Weis. (2009) confirm that “even if the semantic meaning of information on tags is well protected, tags may still be recognizable between appearances, and thus subject to tracking”. Or, by caring a prescribed drug a person could unintentionally leak medical information which could be “picked up” remotely, without owners knowledge.
In addition, by needlessly storing information which is protected by privacy laws, one takes unnecessary risk, even if steps are taken to protect the information. For example, an encryption algorithm employed to protect the digital information of Dutch citizens embedded into e-passport was cracked within 2 hours of it being intercepted “giving full access to the digitized fingerprint, photograph, and all other encrypted and plain text data on the RFID tag” (Thomas Ricker 2006). Even more interesting is the fact that the same ISO 14443 RFID tag and encryption scheme is used by the RFID enabled passports issued by the U.S. Department of State.
To address security and privacy concerns, we need to understand the core of the problem. According to Marc Langheinrich (2009) “the core RFID privacy problem is that of unauthorized tag readout: with the help of wireless communication, third parties can in principle read the tags of personal items from large distances, and without any indication that such a readout is taking place” therefore by controlling the remote access to the information has the utmost importance. There are a number of possible approaches to control access to the information including tag deactivation and tag shielding. The first, could be implemented using “kill switch” or “kill command” to permanently deactivate the tag either automatically (command from a RFID reader) or manually, or by using a “sleep command” to temporary disable the attached RFID tag. The second approach is usually implemented using either The Faraday Cage, Jamming and Blocking Tag approaches (Sitlia, Hanan, Habib Hamam, and Sid-Ahmed Selouani. 2009). This approach is used by the U.S. Department of State whereby all issued passports are provided with the "antiskimming" sleeve that reduces the RFID tag effective range.
Furthermore, encryption could be used as a potential technical solition to safeguard the information stored on RFID tags, and although it is often seems as a obvious solution many porposed schemes are ingnord mainly due to difficulties assossiated with the key management. Marc Langheinrich (2009) summarises “consequently, encryption might only work well in controlled systems such as payment cards and identification systems”.
Additional technical solutions to RFID privacy concerns is reader authentication where the interegating party (the reader) has to provide a secret key before RFID tag disclose stored information. In the simples implementation, the tag will hash and compare the value of the provided “challenge response” key known only to the legitimate reaaders. An extention to the authentication scheme was proposed by Weis at al. to reduce the risk assossiated with usage of static hash value (posibility of a brute force attack).
Lastly, a number of policy makers require organizations to assign accountable for privacy compliance who “must be aware of all collections of personal information by the RFID system and all subsequent uses, disclosures and the retention period” (Office of the Privacy Commissioner of Canada, 2008). Furthermore, the accountable individual has to complete the Privacy Impact Assessment (PIA) to ensure that RFID system complies with the privacy laws.

Bibliography

  • Gross, Grant (2005), United States to Require RFID Chips in Passports [online]. PCWorld. Available from: http://www.pcworld.com/article/123246/united_states_to_require_rfid_chips_in_passports.html (accessed January 4, 2011).
  • Juels, Ari, and Stephen A. Weis. 2009. "Defining Strong Privacy for RFID." ACM Transactions on Information & System Security (TISSEC) 13, no. 1: 7-7.23. Computers & Applied Sciences Complete, EBSCOhost (accessed January 4, 2011).
  • Langheinrich, Marc. 2009. "A survey of RFID privacy approaches." Personal & Ubiquitous Computing 13, no. 6: 413-421. Computers & Applied Sciences Complete, EBSCOhost (accessed January 4, 2011).
  • Office of the Privacy Commissioner of Canada (2008). Radio Frequency Identification (RFID) in the Workplace: Recommendations for Good Practices. A Consultation Paper. Available from: http://www.privcom.gc.ca/information/pub/rfid_e.pdf (accessed January 4, 2011).
  • Sitlia, Hanan, Habib Hamam, and Sid-Ahmed Selouani. 2009. "Technical Solutions for Privacy Protection in RFID." European Journal of Scientific Research 38, no. 3: 500-508. Academic Search Complete, EBSCOhost (accessed January 4, 2011).
  • Spiekermann, Sarah. 2009. "RFID and privacy: what consumers really want and fear." Personal & Ubiquitous Computing 13, no. 6: 423-434. Computers & Applied Sciences Complete, EBSCOhost (accessed January 4, 2011).
  • Tom Karygiannis, Bernard Eydt, Greg Barber, Lynn Bunn and Ted Phillips (2007), Guidelines for Securing Radio Frequency Identification (RFID) Systems [online]. National Institute of Standards and Technology (NIST). Special publication 800-98. Available from: http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf (accessed January 4, 2011).
  • Thomas Ricker (2006). Dutch RFID e-passport cracked -- US next? [online]. Available from: http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/ (accessed January 4, 2011).

Sunday, January 2, 2011

Security, Spam and Internet Governance Challenges in Canada

Spam, according to Industry Canada (2005) “has become a significant social and economic issue, affecting the business and personal productivity of citizens and economies around the globe”. Furthermore, spam is used for illegal activities such as distribution of unsolicited marketing materials, phishing and Denial of Service (DoS) attacks, and distribution of viruses and Trojans Horses. Spam affects not only the home user, but Internet Service Providers (ISP) who must invest in the anti-spam technologies and maintain utilize existing bandwidth, commercial retailers whose legitimate messages are being filtered out, and private and public sector organizations whose employees are wasting time and corporate resources.
In 1997, Industry Canada has conducted a study investigating the possibility to regulate the content on the Internet. The report concluded that none of the available technologies would prevent technically savvy Canadians from accessing “content that violates pre-defined rules of acceptability, nor would they ensure that the user would be exposed to any measure of desirable content” (Miller, Gerry et al, 1999). In 2005, Canada has established a task force to analyze and provide recommendations on dealing with spam. The provided report (Industry Canada, 2005) outlines multifaceted measures required to deal with spam including involvement of legislative body (on federal and provincial levels) to provide legislation, regulation and enforcement, involvement of Internet Service Providers (ISP) and other network operators, user education and security awareness. The latest released statistics by the Canada Anti-Fraud Centre indicated that although “Telephone/Fax” is still the most prevalent method of the Mass Marketing Fraud, which include “telemarketing fraud, West African fraud, internet fraud and Identify Theft” (Canadian Anti-Fraud Centre, 2010), the highest financial loss in 2009 is through usage of Email and Internet solicitation methods. Although the number of victims and the total dollar loss from Mass Marketing Fraud schemes has reduced from 2007 from $66M to $59M, there is a slight increase in the Identity Theft victims from 2007 which is accounting for $10,882,279.04 loss in 2009. Following the study, a Bill C-27 (the Electronic Commerce Protection Act) was re-introduced as Bill C-28 (Fighting Internet and Wireless Spam Act, or FISA) and became a law on December 15, 2010. The intent of the legislation is to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help to drive out spammers.
Furthermore, Canada, through Industry Canada Electronic Commerce Branch, is active in promoting a common international policy framework to handle issues such as spam, privacy, identity theft and fraud, through collaboration with international bodies such as Organisation for Economic Co-operation and Development (OECD), Asia-Pacific Economic Cooperation (APEC), International Telecommunication Union (ITU), Messaging Anti-Abuse Working Group (MAAWG) and G8 High-Tech Crime Sub-Group (Industry Canada, 2009).
Data and data privacy are governed on a federal level by Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA). On a provincial level, a number of laws and acts exists such as he Personal Health Information Protection Act (Ontario), Freedom of Information and Protection of Privacy Act (Ontario), The Personal Information Protection Act (Alberta) and An Act Respecting the Protection of Personal Information in the Private Sector (Quebec). Office of the Privacy Commissioner of Canada (OPCC) is consider to be one of the more active in evaluating technologies and the use of these technologies with potential privacy concerns. Furthermore, Canadian Radio-television and Telecommunications Commission (CRTC) is investigating and perusing businesses who break the law, such as recent investigations into Bell Canada and Xentel DM for violated of the National Do Not Call List (CBC News 2010).

Bibliography