RFID, Surveillance and Privacy: The Sorting Door

RFID, Surveillance and Privacy:
The Sorting Door Project
Stapleton-Gray & Associates, Inc. is engineering the Sorting Door
Project as an experimental test bed for the study of RFID, surveillance
and privacy. RFID is a technology well-suited to surveillance.
What you wear or carry, if RFID tagged, can be observed. Many, many
more things will be tagged; many, many more readers will be out there.
The Sorting Door architecture is intended to invite and accept
participation from all parties interested in understanding:
• The technological envelope for monitoring RFID-tagged objects;
• How inferences might be made, based on such observations;
• What technology and policy options might prevent abuse of RFID-based surveillance, where necessary.
1
RFID: Well-Suited to Surveillance
RFID is being rapidly and widely deployed, driven primarily by
commercial demands (800# gorillas Wal*Mart and DOD).
Both tags and readers are proliferating. And while they may be
deployed initially for isolated applications, tags are “promiscuous
talkers” and can be detected by many other readers... readers are
“promiscuous listeners,” and can detect many other tags.
RFID is a technology well-suited to surveillance:
• Can be interrogated at a (limited) distance;
• Does not require line-of-sight, but can read through (some)
things;
• Undetectable by (most) people.
2
RFID Forecasts
RFID is already in widespread application, especially for:
• Access, e.g., building access badges and car key security
• Toll payments, e.g., E-ZPass, FasTrak, and Mobil Speedpass
But the larger wave coming is in commercial supply chain, and,
eventually, item-level tagging of consumer goods.
The cost and effectiveness of tags are gating factors: item-level
tagging won’t make sense if tags are an appreciable percentage of
the value of an item; a 50¢ tag makes sense on a pallet of cases of
boxes of toothpaste, but not on a tube. The 5¢ tag (in quantity) is
something like the 4-minute mile... something to shoot for.
Tag manufacturer Alien Technology announced this month that it had
shipped a total of 50 million EPC Class I RFID tags over the past
year (but compare with 2.5 billion boxes of cereal purchased in the
U.S. annually... a ways to go!).
3
Market Forces
Two 800# gorillas have provided enormous demand for RFID
deployment: both Wal*Mart and the U.S. Department of Defense
have mandated that suppliers employ RFID tags on shipments,
starting at the aggregate level (cases and pallets). (Note: for some
items, case- and item-level tagging might be equivalent, e.g.,
microwave ovens.)
Many major retailers have followed Wal*Mart’s lead.
The U.S. Food and Drug Administration has suggested that RFID
tagging may be mandated to allow for counterfeit drug detection, i.e.,
to be able to track a pharmaceutical’s supply chain history, and flag
those which lack an appropriate “pedigree.”
Many libraries (including the Berkeley California Public Library) have
adopted RFID to better manage collections.
4
RFID, Surveillance and Privacy:
the Threat Model
The laws of physics limit the useful range of a passive RFID tag, and, by
nature, passive tags can be continually polled by readers but do not
allow continuous tracking. But these limitations do not eliminate all
threats, they merely help to define the boundaries of the threat model.
RFID’s limited useful range suggests that threats will come in
constrained spaces. Many early RFID deployments focus on doorways,
e.g., RFID-tagged library books are read as patrons pass through
detector gates.
Doorways are ideal environments for RFID-facilitated surveillance
generally: subjects can be isolated, placed in close proximity to easily
hidden readers, and there are opportunities to employ complementary
sensor technology (e.g., optical or pressure sensors to isolate specific
individuals from among several).
5
The Threat Model (cont.)
RFID will allow for the collection of many, many more data points.
These data will be little glimpses into activity – a kind of “point
surveillance” – but a lot of little glimpses may reveal a bigger
picture.
“Identity binding” can make some of these data points much more
valuable, when a unique identifier (i.e., a specific RFID tag) can be
mapped to a particular individual.
It will be possible to make inferences from the nature of objects
seen, i.e., when an RFID-tagged consumer good is detected, one
can attribute to its wearer/bearer various characteristics... “Odds
are pretty good that the person who just passed us with a size 4
Donna Karan dress isn’t a six-foot-tall man.”
6
Privacy and Pointillism...
7
Privacy and Pointillism... (cont.)
Georges Seurat’s A Sunday on La Grande Jatte—1884, at varying
levels of abstraction. Even the lower right image is actually an
abstraction of an abstraction: while the original work is still composed
of distinct points, the image you’re seeing here was produced at far
fewer dots per inch by the printer...
The message is that data points may become far, far more common,
due to RFID. While each, by itself, is next to meaningless, in vast
accumulations you’ll start to discern meaningful pictures.
Or, as Lenin said, “Quantity is quality.”
8
Identity Binding
Tags can be used to uniquely identify objects (this is why the keen interest
in RFID in commercial supply chain) with a vast name space – the
Electronic Product Code (EPC) 96-bit value could uniquely identify every
object you’d care to, with a lot of space left over.
When tags are seen, they’ll often uniquely identify objects: “That same
thing passed by this reader just now, Monday morning, and Tuesday
evening.”
When the wearer/bearer of a tagged object presents additional
information, e.g., a driver’s license or passport, that now-revealed identity
can be bound to any tags present. The next time we see a given tag,
“that’s Alice’s thing... maybe we’re seeing Alice again.”
Note #1... This works for historical data: “We know now that that was
probably Alice at all these points over the past year.”
Note #2... This is an educated guess, and depends on the nature of
objects. People tend to borrow umbrellas and books, but not underwear...
9
Inferences from the Nature of Objects
EPCs will be forward/backward compatible, as much as is possible, with
legacy product codes like the UPC. (And why not? Why abandon 30
years of industry standardization in product codes?)
Mapping product codes to product information is well understood, e.g.,
for converting point-of-sale data to market research insights (“People
who buy Widgets® also buy Gizmos®; both are consumer electronics
goods”).
Many objects will permit strong inferences to be made, regarding the
individual wearing/bearing them:
• size 4 Donna Karan dress
• man’s size 13 shoe
• first edition copy of “Earth in the Balance”
NB: this will depend heavily on item-level tagging of objects in
commerce... proponents see that coming soon; others of us are a bit
skeptical.
10
The Sorting Door
“A terrified-looking boy Harry had noticed earlier stumbled forwards
and put the Hat on his head; it was only prevented from falling right
down to his shoulders by his very prominent ears. The Hat
considered for a moment, then the rip near the brim opened again and
shouted:
‘Gryffindor!’
Harry clapped loudly with the rest of Gryffindor house as Euan
Abercrombie staggered to their table and sat down, looking as though
he would like very much to sink through the floor and never be looked
at again.”
J. K. Rowling, Harry Potter and the Order of the Phoenix
Like Harry Potter’s Sorting Hat, the Sorting Door will interrogate
individuals for qualities that are – to them – intangible, and make
inferences as to their nature and implications.
11
The Sorting Door (cont.)
Doors are attractive points for RFID-based surveillance:
• RFID read ranges, for most commonly-encountered tags, are
short, but not less than a meter or so;
• Lots of readers already installed in doors, e.g., anti-theft gates in
libraries;
• Doors are appropriate places to take actions: bar a potential
threat, or welcome a potential friend, ally, or cherished customer.
Other data collection may also be possible at doors, e.g.,
presentation of a driver’s license for admission, or biometric data.
12
The Sorting Door Architecture
[Architecture diagram: Sorting Door #1 through Sorting Door #N connect over the Internet to the Identification Engine, Databases, Commercial Data and the ONS; the numbered elements 1 to 8 are keyed in the list on the next slide.]
13
The Sorting Door Architecture (cont.)
1. An instrumented “Sorting Door”
2. Communication of observed RFIDs to the Identification Engine
and databases
3. Presentation of information on RFIDs observed, and inferences
made, for educational or other purposes
4. Other Door implementations
5. Identification Engine
6. Databases of RFID tag observations
7. Databases of supporting data
8. EPCglobal’s Object Naming Service (ONS) and associated
electronic product code (EPC)-keyed data
Multiple Doors share common resources on the back end, though
any Door’s information might be segregated as desired for
security/privacy purposes.
14
Research Questions
Research questions arise in the context of each element of the Sorting
Door architecture:
• How best to design various forms of instrumented Sorting Doors,
acknowledging various environments, supporting technologies and
collection interests?
• How should Doors interact with those who encounter them?
• How might the collection of multiple Doors be aggregated and
integrated?
• What forms of databases and applications are needed to derive
inferences from RFID tags seen by the various Sorting Doors,
whether singly, or in collaboration?
• How to acquire and integrate contextual data, e.g., on the nature of
consumer products detected?
15
Sorting Doors
While the simplest implementation of a Sorting Door might be, as with
library gates, a single-frequency reader monitoring an egress, Doors
might vary widely in design, capability and purpose.
Any given space, e.g., a lecture room, corridor, or vehicle interior, could
be instrumented as a Sorting Door—“Door” is intended to be a very
stretchy metaphor.
(Note also the similarity to research work on
“smart spaces”—our interest here is in
“non-cooperative RFID,” where surveillance,
and not collaborative communication, is the
focus.)
16
Interaction With Test Subjects
Some of the uses of the Sorting Door system will be to educate
and inform audiences, e.g., students of the societal impacts of RFID
as a technology of surveillance, or the public in general.
Some Doors might be deployed with an accompanying information
kiosk, capable of displaying data collected by the associated Door,
and explaining the implications of such collection.
“Did you know that you’re carrying some
RFID-tagged items? Care to know what we
can guess about you, based on what we see?”
17
Integration of Multiple Doors
A single Sorting Door might produce interesting
data; integrating several, or numerous, Doors
even more so. Privacy concerns should rise as
a function of the degree of pervasiveness of both
RFID tags and readers in society, as more and
more data points are collected by more and more
parties, allowing for the construction of rich mosaics of human activity.
Some of the Sorting Door research will consider synthetic models, e.g.,
assuming degrees of pervasiveness of tags in populations, and
readers across geographies, to attempt to assess potential futures.
18
Databases and Inference Engines
Data collected by Doors can be pooled in databases and, with other
information, used to develop inferences and assertions.
This would include the construction of tentative assertions of identity,
and the extraction of patterns in large volumes of “point surveillance”
data.
Doors do not have to share all of the information they collect, given
security/privacy concerns. Doors should be able to provide
deidentified data as well: “When you see tag #123456, it can be
mapped to a unique individual, with some probability. We know who,
since s/he presented a credit card, but that’s not something we’re going
to tell just anybody! Let’s just call him/her Person #6789.”
Keeping track of data, including deidentified data and data with other
sharing constraints, will be a challenge.
19
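To make the identity-binding and deidentification steps on these two slides concrete, here is an added toy model of the Identification Engine (not the project’s own code); the tag names, door names, timestamps and loan priors are constructed for the example. It shows retroactive attribution once a credential is presented, and what a pseudonymised export withholds (the name) and what it still carries (cross-Door linkability).

```python
from dataclasses import dataclass, field
# Illustrative priors (constructed, not from the slides): how strongly a sighting of this
# kind of object implies its bound owner is present. Umbrellas and books get lent; shoes do not.
LOAN_PRIOR = {"umbrella": 0.4, "book": 0.5, "shoes": 0.9, "dress": 0.9}

@dataclass
class IdentificationEngine:
    """Toy back end for the Sorting Door: tag sightings, identity binding, pseudonymous sharing."""
    sightings: list = field(default_factory=list)   # (door, timestamp, tag)
    bindings: dict = field(default_factory=dict)    # tag -> (identity, confidence)
    pseudonyms: dict = field(default_factory=dict)  # identity -> "Person #N"

    def observe(self, door, ts, tags):
        """A Door reports every tag it read at time ts; nothing is known about bearers yet."""
        self.sightings.extend((door, ts, tag) for tag in tags)

    def bind(self, identity, tags_with_kind):
        """Bearer presented a credential: bind the tags seen with it, weighted by how easily that object changes hands."""
        for tag, kind in tags_with_kind:
            conf = LOAN_PRIOR.get(kind, 0.5)
            if conf > self.bindings.get(tag, (None, 0.0))[1]:
                self.bindings[tag] = (identity, conf)

    def history(self, identity, min_conf=0.5):
        """Retroactive attribution: every sighting, earlier or later, of a tag bound to identity."""
        rows = [(ts, door, tag, conf) for door, ts, tag in self.sightings
                for who, conf in [self.bindings.get(tag, (None, 0.0))]
                if who == identity and conf >= min_conf]
        return sorted(rows)

    def deidentified(self):
        """What this Door shares with others: the same sightings with the bound identity replaced
        by a stable pseudonym, so records stay linkable across Doors while the name is withheld."""
        shared = []
        for door, ts, tag in self.sightings:
            who, conf = self.bindings.get(tag, (None, 0.0))
            pid = None if who is None else self.pseudonyms.setdefault(
                who, f"Person #{6789 + len(self.pseudonyms)}")
            shared.append((door, ts, tag, pid, conf))
        return shared

def demo():
    """Constructed scenario: two tags pass a library gate before anyone knows who carries them."""
    eng = IdentificationEngine()
    eng.observe("library-gate", "Mon 08:55", ["TAG-A", "TAG-B"])     # umbrella and shoes
    eng.observe("library-gate", "Tue 18:10", ["TAG-B"])
    eng.observe("store-door", "Wed 12:30", ["TAG-A", "TAG-B"])
    eng.bind("Alice", [("TAG-A", "umbrella"), ("TAG-B", "shoes")])   # credit card seen Wed
    return eng
```

Note that the Monday and Tuesday gate sightings are attributed to Alice only after Wednesday’s credential, and that the low-prior umbrella drops out at the default threshold.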
Contextual Data
The largest push in RFID deployment is on the consumer goods front. If
item-level tagging of consumer goods becomes significant, the
compilation of information about consumer goods—the nature of objects
seen—will contribute to the ability to make accurate inferences about the
individuals who bear or wear them.
EPCglobal, the consortium shepherding the Electronic Product Code
(EPC) standard, has defined an Object Name Service (ONS) to allow for
anyone encountering an EPC-coded RFID tag to ask, “Who can tell me
about this object?,” and get a pointer to its manufacturer.
Knowing what an object is allows for stronger
inferences: “We’re seeing a man’s jacket, a
briefcase, and a PDA. Let’s guess an adult,
and probably one with a job...”
20
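As an added illustration (not the deck’s own code) of why the nature of a tagged object is so readily inferred, here is how a 96-bit SGTIN EPC read from a tag decodes to the GTIN-14 the product is catalogued under, and how the ONS query name is formed from it. The EPC value is the worked example from the EPC Tag Data Standard; the naming steps and the onsepc.com root follow the ONS 1.0 specification (a deployment may use another root), and the code only builds the name, it does not resolve it.

```python
# SGTIN-96 partition table (EPC Tag Data Standard): partition value -> (company prefix bits,
# company prefix digits). The item reference gets the remaining 44 - bits and 13 - digits.
PARTITIONS = {0: (40, 12), 1: (37, 11), 2: (34, 10), 3: (30, 9),
              4: (27, 8), 5: (24, 7), 6: (20, 6)}

def gs1_check_digit(digits):
    """GS1 mod-10 check digit: weights 3,1,3,1,... starting from the rightmost digit."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(digits)))
    return str((10 - total % 10) % 10)

def decode_sgtin96(epc_hex):
    """Split a 96-bit SGTIN EPC into company prefix, item reference (with indicator digit)
    and serial; return the EPC URI and the GTIN-14 the product class is catalogued under."""
    value = int(epc_hex, 16)
    if len(epc_hex) != 24 or (value >> 88) != 0x30:
        raise ValueError("not an SGTIN-96 EPC (header must be 0x30)")
    filter_value = (value >> 85) & 0x7          # e.g. 1 = point-of-sale item, 2 = case
    partition = (value >> 82) & 0x7
    cp_bits, cp_digits = PARTITIONS[partition]
    ir_bits, ir_digits = 44 - cp_bits, 13 - cp_digits
    serial = value & ((1 << 38) - 1)
    body = (value >> 38) & ((1 << 44) - 1)
    company = str(body >> ir_bits).zfill(cp_digits)
    item = str(body & ((1 << ir_bits) - 1)).zfill(ir_digits)
    # GTIN-14 = indicator digit + company prefix + rest of item reference + check digit
    gtin13 = item[0] + company + item[1:]
    return {
        "uri": f"urn:epc:id:sgtin:{company}.{item}.{serial}",
        "gtin14": gtin13 + gs1_check_digit(gtin13),
        "filter": filter_value, "serial": serial,
    }

def ons_query_name(epc_uri, root="onsepc.com"):
    """DNS name an ONS client would look up for this EPC (ONS 1.0 convention): drop the
    serial, drop 'urn:epc:', reverse the remaining fields, append the root. The serial is
    deliberately discarded: ONS answers about the product class, not the individual item."""
    fields = epc_uri.split(":")[2:]            # ['id', 'sgtin', 'company.item.serial']
    parts = fields[:-1] + fields[-1].split(".")[:-1]
    return ".".join(reversed(parts)) + "." + root
```

Every instance of that product yields the same GTIN and the same ONS name; only the 38-bit serial distinguishes one item from another, which is what identity binding then exploits.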
Where Are We Heading?
We’re only in the infancy of ubiquitous sensing, but RFID seems
likely to be broadly pervasive (the voracious demands of consumer
goods supply chain applications alone should guarantee that), and
it’s a good time to start thinking on the implications for surveillance
and privacy.
The goals of the Sorting Door Project are to reveal RFID’s potential
as a tool for surveillance, to allow for better decision-making, both by
those deploying RFID, and by policymakers and the public, to define
what limits we might wish to apply through policy, law, and practice.
21
Would You Like to Participate?
We believe that, as highly sensitive as research on technologies
applicable to human surveillance is, it is critical for government and the
private sector to be constrained by the law, technological limits and
policy choices, and not by ignorance of technology. Private interests
will pursue R&D of RFID as a tool for monitoring, regardless, for
applications running the gamut from security awareness to customer
relations management—better that we all have a better idea of what
they could be up to.
Please contact us if you might be interested in participating, in various
research areas:
• Data mining and analysis;
• Research and development of Sorting Doors (or adaptation of
current work, e.g., in “smart spaces”) to tie in to the Sorting Door
architecture;
• Inference engine development;
• Policy analysis and development.
22
Other Publications/Work in Progress
Leveraging Product Codes for Internet Commerce, white paper
for CommerceNet Labs, November 2004, addressing implications
of the Object Name Service (ONS) for electronic commerce
applications.
http://www.stapleton-gray.com/papers/CN-TR-04-06.pdf
Would Macy’s Scan Gimbels? Competitive Intelligence and
RFID, research white paper, November 2003, examining
competitive intelligence issues around RFID deployment, to
appear in “RFID Applications, Security and Privacy,” Addison
Wesley, July 2005.
http://www.stapleton-gray.com/papers/ci-20031027.PDF
“Cargo Awareness Network/Contents Understanding
Network” (CANCUN), work in progress, examining the application
of RFID and inferences from the nature of objects to situational
awareness and security in commerce and transportation.
23
Stapleton-Gray & Associates, Inc.
Stapleton-Gray & Associates, Inc. provides information
technology and policy consulting services, systems analysis and
design, and project management.
Our areas of emphasis include security, privacy, surveillance
technologies and systems, and unique
identifiers, including radio-frequency
identification (RFID).
P.O. Box 7615
Berkeley CA 94707-0615
http://www.stapleton-gray.com
http://www.RFIDredteam.com
Ross Stapleton-Gray, Ph.D.
Dr. Stapleton-Gray has served as an intelligence analyst with the
CIA; in technology research and policy positions in academia, an
industry trade association, and with two IT security start-ups; and
as a research analyst for Skaion Corp.
24