Privacy and RFID: Irreconcilable Differences? Marc Langheinrich (PDF document)


T‐Labs Usability Colloquium June 25, 2007 Marc Langheinrich, ETH Zurich 1

Privacy and RFID

Irreconcilable Differences?

Marc Langheinrich Institute for Pervasive Computing ETH Zurich, Switzerland

C.A.S.P.I.A.N.

Consumers against supermarket privacy invasions and numbering

Dr. Katherine Albrecht, C.A.S.P.I.A.N. Founder

June 25, 2007 T-Labs Usability Colloquium 2

“The risk [RFID] poses to humanity is on a par with nuclear weapons.”

Katherine Albrecht, as quoted in Larry Downes: “Don't fear new bar codes”, USA Today, Sep. 25, 2003.

www.interesting-people.org/archives/interesting-people/200309/msg00257.html


Public Concern (as seen on TV)


Public Concern (as measured by Google)


Original numbers by Ravi Pappu, RFID Privacy Workshop @ MIT: November 15, 2003


Public Concern (as seen by AmI-Experts)

Optimists: “All you need is really good firewalls.”

Self-Regulation: “It's maybe about letting them find their own ways of cheating, you know…”

Not my Problem: “For [my colleague] it is more appropriate to think about privacy issues. It’s not really the case in my case.”

Hindrance: “Somehow [privacy] also destroys this, you know, sort of, like, creativity...”

Pessimists: “I think you can't think of privacy when you are trying out... it's impossible, because if I do it, I have troubles with finding [a] Ubicomp future”

Marc Langheinrich: The DC-Privacy Troubadour – Assessing Privacy Implications of DC-Projects. DC Tales Conference, Santorin, 06/2003.

Public Concern (as measured by Capgemini)

~1.5% of Europeans are concerned!
~9% of Europeans like RFID!
90% of Europeans don’t care!

Capgemini: RFID and Consumers – What European Consumers Think About Radio Frequency Identification and the Implications for Business. Survey, February 2005. Available from: www.capgemini.com/news/2005/Capgemini_European_RFID_report.pdf.

RFID mini-primer

(for the 82% of Europeans who haven’t heard)


Barcode vs. RFID

Barcode (1D; more for 2D codes):
  • ~20 bytes (> 100 bytes for 2D codes)
  • Identifies a class of products
  • Visual line of sight necessary
  • Needs reader-tag alignment
  • Low reading speed
  • Max. range ~50 cm
  • Read only
  • Sensitive to dirt
  • Low cost
  • Fraud relatively easy: copying and changing possible

RFID:
  • > 100 bytes
  • Identifies individual items
  • May be covered
  • Largely position independent
  • High speed
  • Max. range ~2 m
  • Read / write
  • Sensitive to metal/water/…
  • Higher cost
  • Fraud more difficult (costly); optional security circuitry


RFID Tag Form Factors I

(Figure: Smart Labels, Hitachi Coil-on-Chip, EAS Transponder, Contactless RFID Cards)

RFID Operating Principle

(Diagram: the RFID reader, consisting of a coupling unit, RF module and controller, exchanges commands and data with the RFID tag/transponder and connects to a host/application. The tag consists of analogue circuitry, digital circuitry and memory: EEPROM, ROM, RAM.)


Privacy mini-primer


What is Privacy?

“The right to be let alone.”
Louis D. Brandeis (1856 - 1941), Harvard Law Review, 1890

“The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others.”
Alan Westin (“Privacy And Freedom”, 1967), Prof. Emeritus, Columbia University


Why Privacy?

Reasons for Privacy
  • Free from Nuisance
  • Intimacy
  • Free to Decide for Oneself

By Another Name...
  • Data Protection
  • Informational Self-Determination

Privacy isn‘t just about keeping secrets – data exchange and transparency are key issues!

Privacy Violations?

Violations Due to Crossings of “Privacy” Borders (Prof. Emeritus Gary T. Marx, MIT)
  • Natural Borders
  • Social Borders
  • Spatial/Temporal Borders
  • Ephemeral Borders

RFID technology makes some of those borders easier to cross


Privacy Implications of Smart Environments

Data Collection
  • Scale (everywhere, anytime)
  • Manner (inconspicuous, invisible)
  • Motivation (unspecified, e.g., context)

Data Types
  • Observational instead of factual data

Data Access
  • “The Internet of Things”

So what difference will RFID make?


Societal Drivers for RFID Acceptance – Collection and Use

Higher Efficiency (Cheaper Stuff!)
  • Rebates! (loyalty cards)
  • Targeted Sales (1-1 marketing)

More Convenience
  • Getting information (allergy warnings, meat sources)
  • Simplified handling (return, repairs, access)

Increased Safety
  • Crime prevention (ticketing, counterfeiting, CCTV, …)
  • Homeland security (terrorism, child molesters, …)

Example: Loyalty Cards

Emnid Survey Germany (03/2002)
  • 50% have at least one loyalty card
  • 72% welcome such offers

70 Million Cards in Circulation (DE, 12/03)
  • Average rebate: 0.5-1.0%
  • 15% of consumers estimate the rebate at 5-10%

Minding the Fine Print?
  • Explicit signature allows detailed data mining
  • Consequences?


Consumer Loyalty Cards – The Dark Side

The Story of Robert Riveras (1998)
  • Slipped on spilled yoghurt and hurt kneecap. Sued.
  • Consumer card showed high-volume liquor purchases
  • Settled out of court

Or: Divorce Case
  • Liking of expensive wines → increased alimony payments

Consumer Loyalty Cards – Legal Implications

Arson Near Youth House Niederwangen (Berne)
  • At scene of crime: Migros tools
  • Court ordered disclosure of all 133 consumers who bought the items on their supermarket card (8/2004)
  • Arsonist not yet found (06/2007)

Who Would Think About This When Buying a Screwdriver?!


Aren’t there laws against this stuff?


Privacy Laws and Regulations

Two Main Approaches
  • Sectorial (“Don’t Fix if it Ain’t Broken”)
  • Omnibus (Precautionary Principle)

US: Sector-specific Laws, Minimal Protections
  • Strong Federal Laws for Government
  • Self-Regulation, Case-by-Case for Industry

Europe: Omnibus, Strong Privacy Laws
  • Law Applies to Both Government & Industry
  • Privacy Commissions in Each Country as Watchdog


US Public Sector Privacy Laws (Federal)
  • Federal Communications Act, 1934, 1997 (Wireless)
  • Omnibus Crime Control and Safe Street Act, 1968
  • Bank Secrecy Act, 1970
  • Privacy Act, 1974
  • Right to Financial Privacy Act, 1978
  • Privacy Protection Act, 1980
  • Computer Security Act, 1987
  • Family Educational Right to Privacy Act, 1993
  • Electronic Communications Privacy Act, 1994
  • Freedom of Information Act, 1966, 1991, 1996
  • Driver’s Privacy Protection Act, 1994, 2000

US Private Sector Laws (Federal)
  • Fair Credit Reporting Act, 1971, 1997
  • Cable TV Privacy Act, 1984
  • Video Privacy Protection Act, 1988
  • Health Insurance Portability and Accountability Act, 1996
  • Children‘s Online Privacy Protection Act, 1998
  • Gramm-Leach-Bliley Act (Financial Institutions), 1999


EU Data Directive

1995 Data Protection Directive 95/46/EC
  • Sets a benchmark for national law for processing personal information in electronic and manual files
  • Facilitates data flow between member states and restricts export of personal data to “unsafe” non-EU countries
  • Applies to both public and private sector
  • Data collection illegal, unless consented or authorized
  • Follows OECD Fair Information Principles (1980)

Fair Information Principles (FIP)

Drawn Up By the OECD, 1980
  • “Organisation for Economic Co-operation and Development”
  • Voluntary guidelines for member states
  • Goal: ease transborder flow of goods (and information)

Six Principles (simplified)
  1. Openness
  2. Data access and control
  3. Data security
  4. Collection Limitation
  5. Data subject’s consent
  6. Use Limitation

Core Principles of Most Modern Privacy Laws
  • Implication: RFID usage must conform to FIP


Let’s just build secure RFID systems

“All you need is really good firewalls.”

Secure From What?

Unauthorized Readouts
  • Identification: “what?”; “who?”
  • Tracking: “where?” (might imply “who?”)


Identification and Tracking – Implications

(Figure: “RFID-Man”, original artwork (c) 2006 Ari Juels, RSA Laboratories. Tagged items and what their tags reveal: Passport – Name: John Doe, Nationality: USA, Visa for: Israel; Wig – Model #2342, Material: Polyester; Tiger Tanga – Manufacturer: Woolworth, Washed: 736; Wallet – Contents: 370 Euro, Disability Card: #2845; Viagra – Manufacturer: Pfitzer, Extra Large Package)

Embarrassing Stuff
  • Wearing a Wig? Underwear? Medicine?

Criminal Stuff
  • Theft, fraud, murder/terror

Indirect Control
  • Subtle influence with detailed profiles

Direct Control
  • “Technology paternalism”, government control

Spiekermann, Pallas: Technology Paternalism – Wider Implications of Ubiquitous Computing. Poiesis and Praxis: International Journal of Technology Assessment and Ethics of Science. Springer-Verlag (Jan 2006), 1–13


Secure From What?

Unauthorized Readouts
  • Identification (“what?”, “who?”)
  • Tracking (“where?”; might imply “who?”)

Eavesdropping Reader-Tag Communication
  • Instead of attempting unauthorized readouts…

Unauthorized Duplication/Generation
  • Counterfeiting authentic identifiers

Preventing RFID Cloning

Example: E-Passport (Nov 2005)
  • Digitally sign data on the RFID chip
  • Prevents changing data or creating new chips
  • Does NOT prevent duplicating the chip!

Example: Contactless Smart Card
  • Use a challenge-response protocol with a random number to verify that the card knows a secret
  • Sophisticated power analysis may be able to infer the hidden secret (alternative: PUFs)
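The two slides above contrast a signed-but-passive chip with a chip that proves possession of a secret. The following is an added example (not code from the talk) that runs both against a cloner: a verbatim copy of signed passport data verifies exactly like the original, while a card answering fresh challenges cannot be impersonated from recorded transcripts. It assumes an HMAC under an issuer key held by the verifier as a stand-in for the passport's PKI signature; the clone-passes property shown does not depend on that substitution. Power analysis, the attack the slide names against the card's secret, is outside what this model can show.

```python
import hashlib
import hmac
import secrets


# (a) E-passport style: the issuer signs static data; the chip itself proves nothing.
# Assumption of this example: an HMAC under an issuer key that the verifier also
# holds stands in for the passport's PKI signature.
def issue_passport(issuer_key: bytes, data: bytes) -> dict:
    """Chip contents: the data plus the issuer's signature over it."""
    return {"data": data, "sig": hmac.new(issuer_key, data, hashlib.sha256).digest()}


def verify_passport(issuer_key: bytes, chip: dict) -> bool:
    """Passive authentication: recompute the signature over whatever the chip holds."""
    expected = hmac.new(issuer_key, chip["data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, chip["sig"])


def clone_passport(chip: dict) -> dict:
    """An attacker who can read the chip copies it byte for byte; the signature comes along."""
    return {"data": bytes(chip["data"]), "sig": bytes(chip["sig"])}


# (b) Contactless smart card: a secret that never leaves the card, proven by
# answering a fresh random challenge.
class SmartCard:
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class ReplayClone:
    """Cloner who recorded earlier sessions but never learned the secret."""
    def __init__(self):
        self.seen = {}

    def record(self, challenge: bytes, response: bytes):
        self.seen[challenge] = response

    def respond(self, challenge: bytes) -> bytes:
        return self.seen.get(challenge, b"")


def authenticate(verifier_secret: bytes, card, rng=secrets.token_bytes):
    """One session: fresh 128-bit challenge, the card's answer, the verifier's verdict."""
    challenge = rng(16)
    response = card.respond(challenge)
    expected = hmac.new(verifier_secret, challenge, hashlib.sha256).digest()
    return challenge, response, hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample data; keys are generated fresh on every run.
    issuer_key = secrets.token_bytes(32)
    chip = issue_passport(issuer_key, b"DOE<<JOHN, USA, visa: Israel (constructed sample)")
    copy = clone_passport(chip)
    tampered = dict(copy, data=copy["data"].replace(b"JOHN", b"JANE"))

    secret = secrets.token_bytes(32)
    card, clone = SmartCard(secret), ReplayClone()
    for _ in range(3):                 # the cloner eavesdrops three genuine sessions
        ch, resp, _ok = authenticate(secret, card)
        clone.record(ch, resp)

    return {
        "genuine_passport": verify_passport(issuer_key, chip),
        "cloned_passport": verify_passport(issuer_key, copy),     # signature still valid
        "tampered_passport": verify_passport(issuer_key, tampered),
        "genuine_card": authenticate(secret, card)[2],
        "replayed_clone": authenticate(secret, clone)[2],         # new challenge, no recorded answer
    }


if __name__ == "__main__":
    print(demo())
```

The signed chip catches tampering but not duplication; only the challenge-response card ties the identifier to something the attacker never obtained.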


Preventing Eavesdropping

Problem: Long Range of Reader Field
  • High-power field transmits reader commands over many meters, which may contain tag IDs

Solution: XOR reader commands with a random number sent from the tag
  • Alternative: Reader commands use temporary IDs

Better: Encrypt Channel
  • E-Passport uses a key from the machine-readable zone (MRZ) to encrypt traffic
  • Requires manual handling (opening)
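To make the XOR solution above concrete, here is an added example (not code from the talk) of cover coding on a passive tag: the tag backscatters a random 16-bit number, the reader answers with its payload XORed against it, and a listener who only hears the loud reader side learns nothing. It also shows the caveat the slide's "short range" assumption rests on: a listener close enough to hear the weak backscatter undoes the XOR trivially. The channel model and the 32-bit password sent as two halves are assumptions of this example.

```python
import secrets


class Channel:
    """Air interface between one reader and one passive tag.

    The reader's forward link is strong and can be heard many metres away; the
    tag's backscatter reply is weak and only heard close by. Each list holds what
    a listener at that distance would capture.
    """
    def __init__(self):
        self.forward = []      # reader -> tag words (loud)
        self.backscatter = []  # tag -> reader words (quiet)


def cover_coded_word(channel: Channel, payload16: int, rng=secrets.randbits) -> int:
    """Send one 16-bit word with cover coding: the tag first backscatters a random
    RN16, the reader answers with payload XOR RN16, the tag un-XORs it.
    Returns the word as the tag decoded it."""
    rn16 = rng(16) & 0xFFFF
    channel.backscatter.append(rn16)
    covered = (payload16 & 0xFFFF) ^ rn16
    channel.forward.append(covered)
    return covered ^ rn16


def send_password(channel: Channel, password32: int, rng=secrets.randbits) -> int:
    """Transfer a 32-bit password as two cover-coded halves, fresh RN16 for each."""
    hi = cover_coded_word(channel, (password32 >> 16) & 0xFFFF, rng)
    lo = cover_coded_word(channel, password32 & 0xFFFF, rng)
    return (hi << 16) | lo


def far_listener(channel: Channel) -> int:
    """Outside backscatter range: only the two covered forward words are heard.
    Each is payload XOR a uniformly random RN16, so every 32-bit value is equally
    likely; this 'recovery' is noise."""
    c_hi, c_lo = channel.forward[-2:]
    return (c_hi << 16) | c_lo


def near_listener(channel: Channel) -> int:
    """Inside backscatter range: both sides are heard and XOR is linear, so one
    more XOR strips the cover. Cover coding is no defence at this distance."""
    c_hi, c_lo = channel.forward[-2:]
    r_hi, r_lo = channel.backscatter[-2:]
    return ((c_hi ^ r_hi) << 16) | (c_lo ^ r_lo)


if __name__ == "__main__":
    ch = Channel()
    pw = 0xDEADBEEF                                   # constructed sample password
    print(hex(send_password(ch, pw)), hex(far_listener(ch)), hex(near_listener(ch)))
```

The asymmetry is the whole protection: it holds exactly as long as the attacker's antenna cannot pick up the tag's reply, which is why the slide calls channel encryption the better option.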

Preventing Unauthorized Readouts

How do You Prove That You Are Authorized?
  • Something you know (e.g., a password)
  • Something you have (e.g., an access token)
  • Something you are (e.g., biometrics)
  • Something you do (also biometric, e.g., personal habits)
  • Where you are (e.g., your current location)

Which one of these works for RFID? Passwords? Tokens?


Using Passwords to Secure RFID Access

General Principle: Lock/Unlock ID With Password
  • Tag only replies if the correct password/secret is sent

Requires RFID Owner to Know Secret
  • Password must be transferred at checkout (where to?)

Requires Owner to Know Which Secret to Use
  • Chicken-and-egg problem: if you don‘t know what tag it is, how do you know what password to use?

Kill Command

“Dead Tags Tell No Tales”
  • Permanently deactivate tag at checkout

Hard Kill
  • Cut tag antenna or “fry” circuit

Soft Kill (Metro RFID De-Activator)
  • Needs password to prevent unauthorized killing

Both Approaches Require Consumer Action
  • Also voids any post-sales benefits (returns, services, …)
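The password slide and the kill slide above describe one mechanism from two sides. This added simulation (not code from the talk) puts both in one place: tags that stay silent without their access password, a kill password that ends the tag's life, and the chicken-and-egg cost the slide points at, namely that an owner's reader facing a silent tag can only try every password on its ring, so identifying one item among n purchases costs up to n attempts. The tag, reader and checkout hand-over are assumptions of this example; the EPC strings are constructed placeholders.

```python
import hmac
import secrets


class Tag:
    """Passive tag: the EPC is only returned when the access password matches,
    and a kill password permanently silences the tag."""
    def __init__(self, epc: str, access_pw: bytes, kill_pw: bytes):
        self.epc = epc
        self._access_pw = access_pw
        self._kill_pw = kill_pw
        self.alive = True

    def read_epc(self, access_pw: bytes):
        """None means the tag stayed silent."""
        if not self.alive or not hmac.compare_digest(access_pw, self._access_pw):
            return None
        return self.epc

    def kill(self, kill_pw: bytes) -> bool:
        """Soft kill: only the right kill password deactivates; returns the tag's dead state."""
        if self.alive and hmac.compare_digest(kill_pw, self._kill_pw):
            self.alive = False
        return not self.alive


class Reader:
    """A reader with whatever passwords it was given; a stranger's reader has none."""
    def __init__(self):
        self.access_ring = {}   # epc -> access password (handed over at checkout)
        self.kill_ring = {}     # epc -> kill password
        self.tries = 0

    def identify(self, tag: Tag):
        # Chicken-and-egg: the tag will not say which EPC it is until it hears the
        # right password, so the only option is to try every password on the ring.
        for epc, pw in self.access_ring.items():
            self.tries += 1
            if tag.read_epc(pw) is not None:
                return epc
        return None


def checkout(owner: Reader, epcs):
    """Retailer sets per-tag passwords and hands them to the buyer's reader."""
    tags = []
    for epc in epcs:
        apw, kpw = secrets.token_bytes(4), secrets.token_bytes(4)   # 32-bit passwords
        tags.append(Tag(epc, apw, kpw))
        owner.access_ring[epc] = apw
        owner.kill_ring[epc] = kpw
    return tags


def demo(n_items: int = 50) -> dict:
    # Constructed sample EPCs; the prefix is an illustrative placeholder.
    epcs = [f"urn:epc:id:sgtin:0000000.000000.{i}" for i in range(n_items)]
    owner, stranger = Reader(), Reader()
    tags = checkout(owner, epcs)

    stranger_reads = sum(stranger.identify(t) is not None for t in tags)
    owner_reads = sum(owner.identify(t) is not None for t in tags)
    owner.tries = 0
    owner.identify(tags[-1])                      # worst case: last password on the ring
    worst_case_tries = owner.tries

    last = tags[-1]
    wrong_kill = bytes(b ^ 0xFF for b in owner.kill_ring[last.epc])
    wrong_pw_killed = last.kill(wrong_kill)
    last.kill(owner.kill_ring[last.epc])          # the real kill password
    return {
        "stranger_reads": stranger_reads,
        "owner_reads": owner_reads,
        "worst_case_tries": worst_case_tries,
        "wrong_pw_killed": wrong_pw_killed,
        "killed_tag_readable": owner.identify(last) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The linear search is the best the owner can do without some unauthenticated hint from the tag, and any such hint is exactly the identifier the password was meant to hide; that tension is what the next slides address.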


Deactivation and Password Management… Does Your Solution Work Here?

Alternative: Shamir Tags

An Example of Zero-Management Privacy Protection

Unknown Tags Take a Long Time To Read Out
  • Bitwise release, short range (e.g., one random bit/sec)
  • Intermediate results meaningless, since encrypted
  • Decryption requires all bits being read
  • Complicates tracking & unauthorized identification

Known Tags Can be Directly Identified
  • Initial partial release of bits enough for instant identification from a limited set of known tags
  • Allows owner to use tags without apparent restrictions


Secret Shares (Shamir 1979)

(Diagram: a secret s, e.g. 011010111…1101, is split into shares h_i, e.g. 111000011…101101, 101101101…110111, 101010011…101101.)

(Diagram: a 96-bit EPC code becomes a 106-bit Shamir share (10-bit x-value, 96-bit y-value); three shares concatenated form the 318-bit Shamir tag, e.g. 111000011101010001010111010101101010100…1010101110101.)

Bit Disclosure Over Time
  • Initial reply: 16 bits of the Shamir tag
  • Then +1 bit, +1 bit, +1 bit, …
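The Shamir-tag slides and the share diagram above describe the scheme; the following is an added worked example (not the authors' implementation) of a three-of-three Shamir split of a 96-bit EPC, the concatenated tag bit string, the 16-bits-then-one-per-step disclosure, and the two readers the slide contrasts: the owner matching the partial reply against tags it already knows, and a stranger who learns nothing from two complete shares and must wait for every bit. The field is my choice, the Mersenne prime 2^107 - 1, so a share is 117 bits and a tag 351 bits rather than the slide's 106 and 318; bits are released in order here rather than in the talk's random order, which changes only the bookkeeping. Sample EPCs are constructed.

```python
import random

# Field for the shares. The Mersenne prime 2^107 - 1 is my choice, not the talk's:
# a 96-bit EPC fits, y-values are 107 bits, so one share is 10 + 107 = 117 bits and
# a three-share tag 351 bits (the slide's figures are 106 and 318 bits).
P = (1 << 107) - 1
X_BITS, Y_BITS = 10, 107
SHARE_BITS = X_BITS + Y_BITS
EPC_BITS = 96
INITIAL_REPLY = 16          # bits the tag discloses at once, as in the slide


def make_shares(secret: int, n: int = 3, t: int = 3, rng=None):
    """Shamir (1979): hide `secret` as the constant term of a random degree t-1
    polynomial over GF(P) and return n points on it; any t of them recover it."""
    rng = rng or random.SystemRandom()
    assert 0 <= secret < P and t <= n < (1 << X_BITS)
    coeffs = [secret] + [rng.randrange(P) for _ in range(t - 1)]
    xs = rng.sample(range(1, 1 << X_BITS), n)            # distinct 10-bit x-values
    shares = []
    for x in xs:
        y = 0
        for c in reversed(coeffs):                        # Horner evaluation at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct(shares) -> int:
    """Lagrange interpolation at x = 0 over GF(P)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def encode_tag(shares) -> str:
    """The bit string the tag stores: shares back to back, x then y."""
    return "".join(format(x, f"0{X_BITS}b") + format(y, f"0{Y_BITS}b") for x, y in shares)


def decode_tag(bits: str):
    """Inverse of encode_tag for however many whole shares the prefix holds."""
    return [(int(bits[k:k + X_BITS], 2), int(bits[k + X_BITS:k + SHARE_BITS], 2))
            for k in range(0, len(bits) - SHARE_BITS + 1, SHARE_BITS)]


def tag_reply(tag_bits: str, steps: int) -> str:
    """What a reader has heard after `steps` further steps: the initial 16-bit
    reply, then one more bit per step."""
    return tag_bits[:min(len(tag_bits), INITIAL_REPLY + steps)]


def identify_known(prefix: str, known: dict):
    """Owner's reader: which of the tags it already knows match the partial reply."""
    return [epc for epc, bits in known.items() if bits.startswith(prefix)]


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)                              # seeded only for reproducibility
    epcs = [rng.getrandbits(EPC_BITS) for _ in range(3)]   # constructed sample EPCs
    known = {epc: encode_tag(make_shares(epc, rng=rng)) for epc in epcs}
    target = epcs[1]
    tag_bits = known[target]
    two_shares = decode_tag(tag_reply(tag_bits, 2 * SHARE_BITS - INITIAL_REPLY))
    return {
        "owner_matches_after_16_bits": identify_known(tag_reply(tag_bits, 0), known),
        "target": target,
        "two_shares_reveal_epc": reconstruct(two_shares) == target,
        "full_readout_reveals_epc": reconstruct(decode_tag(tag_bits)) == target,
        "steps_a_stranger_waits": len(tag_bits) - INITIAL_REPLY,
    }


if __name__ == "__main__":
    print(demo())
```

With one bit per second the stranger's 335 remaining steps are well beyond the time a passer-by stays in range, while the owner's lookup finishes on the first reply; the only cost is the one-time delay on an item the owner's reader has not seen before.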

More Privacy Through Less Security?

Shamir Tags Require No Consumer Effort
  • Delay upon first use, but no passwords to manage!
  • Not useful for “important” items (passports, e-money)
  • Does not alleviate user concerns (tags remain active)

Building Block for Comprehensive Solution
  • Strong crypto for passports, drug authenticity, …
  • Clipping/killing for concerned consumers
  • Unconcerned consumers get basic protection “for free”


(Well, RFID won’t get accepted otherwise…)

Societal Drivers for RFID Acceptance – Collection and Use

Higher Efficiency (Cheaper Stuff!)
  • Rebates! (Loyalty Cards): 70 Million Cards! 72% Like it!
  • Targeted Sales (1-1 Marketing)

More Convenience
  • Getting shopping advice (e.g., allergies)
  • Simplified handling (return, repairs, access): Automated Toll-Roads! Skipasses! Remote Car-Keys!

Increased Safety
  • Crime prevention (Ticketing, counterfeiting, CCTV, …)
  • Homeland security (terrorism, child molesters, …)
  • Survey DE (05/06): 80+% like more CCTV surveillance
  • Survey US (08/04): 70+% accept air travel surveillance


Summary

Privacy Is Not (Simply) Security
  • It‘s about transparency and control

RFID Security Only Partial Answer
  • Password management cumbersome, impractical

RFID Privacy Requires Novel Approaches
  • How to minimize burden to consumers?
  • How to maximize “out-of-the-box” protection?

Who Is to Design & Build RFID-Privacy Systems?
  • People are already increasingly relying on RFID…

Related Work on RFID Privacy at ETH Zurich

see www.vs.inf.ethz.ch/publ/
  • M. Langheinrich: RFID and Privacy. In: Milan Petkovic, Willem Jonker (Eds.): Security, Privacy, and Trust in Modern Data Management. Springer, July 2007.
  • M. Langheinrich, R. Marti: Practical Minimalist Cryptography for RFID Privacy. Submitted for publication, 2007.
  • Ch. Floerkemeier, R. Schneider, M. Langheinrich: Scanning with a Purpose – Supporting the Fair Information Principles in RFID protocols. In: Proceedings of UCS 2004. LNCS Vol. 3598, Springer, 2005.


Privacy Reads
  • David Brin: The Transparent Society. Perseus Publishing, 1999
  • Lawrence Lessig: Code and Other Laws of Cyberspace. Basic Books, 2000
  • Daniel Solove and Marc Rotenberg: Information Privacy Law. Aspen Publ. 2003

Internet of Things 2008 – Topics
  • Novel services and applications in an Internet of Things (IOT)
  • Emerging IOT business models and process changes
  • Communication systems and network architectures for IOT
  • Technologies and concepts for embedding sensing, actuation, communication, and computation into networked things
  • Experience reports from the introduction and operation of networked things in areas such as healthcare, logistics & transport
  • Security/privacy aspects of IOT infrastructures & applications


September 15, 2007: Deadline for Technical Paper submissions
October 20, 2007: Deadline for Workshop Proposals
March 26-28, 2008: Internet of Things 2008

www.internet-of-things-2008.org