Over the next decade, systems which create and store digital records of people’s movements through public space will be woven inextricably into the fabric of everyday life. We are already starting to see such systems now, and there will be many more in the near future.

Here are some examples you might already have used or read about:

• Monthly transit swipe-cards
• Electronic tolling devices (FastTrak, EZpass, congestion pricing)
• Cellphones
• Services telling you when your friends are nearby
• Searches on your PDA for services and businesses near your current location
• Free Wi-Fi with ads for businesses near the network access point you’re using
• Electronic swipe cards for doors
• Parking meters you can call to add money to, and which send you a text message when your time is running out

These systems are marvellously innovative, and they promise benefits ranging from increased convenience to transformative new kinds of social interaction.

Unfortunately, these systems pose a dramatic threat to locational privacy.

And today, the New York Times has an op-ed by Adam Cohen lamenting the threats to locational privacy in our contemporary technological ecosystem:

A little-appreciated downside of the technology revolution is that, mainly without thinking about it, we have given up “locational privacy.” Even in low-tech days, our movements were not entirely private. The desk attendant at my gym might have recalled seeing me, or my colleagues might have remembered when I arrived. Now the information is collected automatically and often stored indefinitely.

It’s good to see this attention to locational privacy, but it’s equally important to recognize that these threats aren’t new: I’ve been blogging and advocating for attention to privacy in public, privacy on the roads, and locational privacy for a number of years now (and I’m certainly not the only one). I’ve also published about particular threats to privacy on the roads (here and here), and tried (with limited success) to engage with designers of new vehicle-technologies to design privacy into the new protocols.

I’m thrilled to see the EFF draw renewed attention to locational privacy. I just hope they’re not too late to start advocating for change…

The article also notes that librarians can “[locate] misshelved items” using the RFID technology. Presumably, the library has some kind of hand-held scanner that librarians can pass over shelves to determine if a book is in the wrong place.

Herein lies a key privacy concern.

Public libraries have traditionally been sites for individuals to enjoy intellectual freedom. Librarians have a longstanding committment to patron privacy, have resisted past efforts by the government to surveill patron activities, and are among the most vocal critics of the USA PATRIOT Act. In fact, many Wisconsin libraries started to destroy patron borrowing records upon learning that the government might be able to gain access to such records without a warrant under the Patriot Act.

The library, then, has traditionally been a place for a person could enter, take a book off a shelf, sit and read it, take notes, put the book back, and leave the library. All the while, there was no systematic monitoring, tracking, or recording of the patron’s activities, what she took off the shelf, what she read, etc.

But the rise of bibliographc-encoded RFID chips, combined with hand-held scanners, complicates this. It becomes increasingly possible for someone armed with a scanner (whether a librarian, or a well-equipped law enforcement agent) to stroll by a patron’s table and passively scann all the books stacked up around her.

You can image the scenarios:

• Patron looks suspicious, stack of books on his table, feverishly taking notes. Paranoid librarian walks by and scans all the titles of the books, checking to see if any relate to terrorism, bomb-making, anti-Americanism, etc.
• Sensors placed on shelves with books about terrorism, nuclear reactors, and bomb-making to notify central authority when any title is removed. Sensors throughout building track the movement of the books. Photocopy machines deactivate when senses these titles nearby, etc.
• Law enforcement is provided the data-format for local library RFID tags. Use own scanners to “read” the titles of books as individuals walk through airports, public parks, subway system. Flag people with particular titles as “of interest” for further scrutiny.

Such scenarios are all the more possible with bibliographic-encoded RFIDs. The article doesn’t mention any privacy concerns, and I need to investigate whether the West Allis Public Library has addressed these issues. Key questions include:

1. Precisely what bibliographic data is encoded on a book’s RFID chip.
2. Is the RFID chip active or passive?
3. What is the power of the RFID’s transmitter?
4. Does the chip use any form of encryption? If so, who has access/authority to decrypt the data?

Wired News summarizes a damning report from four University of Washington researchers that reveals how security flaws in the new RFID-powered Nike + iPod Sport Kit make it easy for tech-savvy stalkers, spouses, thieves, corporations, or governments (oh my!) to track your movements via those nifty shoes. From the report’s overview:

Key industry players are incorporating wireless radio communications capabilities into many new personal consumer products. For example, the new Nike+iPod Sport Kit from Apple consists of two components — a sensor and a receiver — that communicate using a wireless radio protocol. Unfortunately, there can be negative side-effects associated with equipping these gadgets with wireless communications capabilities.

In the case of the Nike+iPod Sport Kit, our research shows that the wireless capabilities in this new gadget can negatively impact a consumer’s personal privacy and safety. As part of our research, we built a number of surveillance tools that malicious individuals could use to track Nike+iPod Sport Kit owners. Our tools can track Nike+iPod Sport Kit owners while they our working out, as well as when they are just casually walking around town, a parking lot, or a college campus. The tracked individuals don’t even need to have their iPods with them.

Our research also shows that there exist simple cryptographic techniques that the Nike+iPod Sport Kit designers could have used to improve the privacy-preserving properties of the Nike+iPod kit.

Our work underscores the need for a broad public discussion about and further research on the privacy-preserving properties of new wireless personal gadgets.

Employing some “simple cryptographic techniques” is all Nike & Apple would need to have done to alleviate these privacy and surveillance concerns. Why didn’t they? The researches speculate that “associated tradeoffs, like sensor battery life, manufacturing costs, and use experience” might have prevented the designers from implementing these privacy-protecting measures.

When should an extra 15% in battery life trump protecting a user’s privacy? Should companies (and consumers?) accept extra costs for privacy protections as a cost-of-business? How can we train technical designers to make ethically-based decisions when creating these kind of products? All vital questions, and significant challenges that must be addressed to successfully engage in value-conscious design in real-world contexts.

(Noëmi Manders-Huits and I have been working on a paper, “Values and pragmatic action: The challenges of engagement with technical design communities,” that confronts these very issues. I’ll post a draft when ready for comments.)

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.

And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. “Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?” Mr. Heydt-Benjamin, a graduate student, asked.

Unbelievable.

My favorite line from the article is this: “The issue of infringement of civil liberties will also be key.” (not really followed up by any substantive discussion)

“Like, yeah, we’re also aware of, you know, those civil liberty things.” Well, thank goodness we have that nasty complication covered. I love how these stories always make mention of civil liberties, but rarely actually engage with the issue. Meanwhile, the “proof of concept” is going forward, and such a system could be live within 2 years.

[BoingBoing and Bruce Schneier have more coverage]

The Daily Mail is featuring a story titled “Young shoppers want to pay with chip in skin”, extolling the fact that teenagers are willing to have microchip implants as a means of paying in stores. But three paragraphs into the story you discover that only around 8 percent of 13 to 19-year-olds are open to the idea of microchip implants.

Wow, 8%. That means 92% don’t want to pay with implanted microchips. Of course, a headline like “Eleven-twelfths of teens don’t want anything to do with becoming digitally-enhanced consumer cyborgs” doesn’t sell papers.

A broader concern here is that when these kind of memes start circulating – that kids think its no big deal to have chips implanted linked to their personal & financial information – general expectations of privacy and informational norms start to change.

[found via Canadian Privacy Law Blog]

CALL FOR PAPERS

Identity and Identification in a Networked World:
A Multidisciplinary Graduate Student Symposium

When: September 29-30, 2006
Where: New York University
Submission deadline: July 5, 2006

Increasingly, who we are is represented by key bits of information scattered throughout the data-intensive, networked world. Online and off, these core identifiers mediate our sense of self, social interactions, movements through space, and access to goods and services. There is much at stake in designing systems of identification and identity management, deciding who or what will be in control of them, and building in adequate protection for our bits of identity permeating the network.

The symposium will examine critical and controversial issues surrounding the socio-technical systems of identity, identifiability and identification. The goal is to showcase emerging scholarship of graduate students at the cutting edge of humanities, social sciences, artists, systems design & engineering, philosophy, law, and policy to work towards a clearer understanding of these complex problems, and build foundations for future collaborative work.

In addition to presenting and discussing their work, students will have the opportunity to interact with prominent scholars and professionals related to their fields of interest. The symposium will feature a keynote talk by Ian Kerr, Canada Research Chair in Ethics, Law & Technology at the University of Ottawa.

Submission Information:

We invite submissions on the function of identity, identifiability and identification in the following general areas:

• Media & communication: DRM systems, e-mail & instant messaging, discussion forums

• Online: Identity 2.0, web cookies, IP logging, firewalls, personal encryption

• Social interaction: online social networks, blogging, meetups

• Consumer culture: RFID product tags, reputational systems, commercial data aggregation

• Mobility: electronic tolls, auto black boxes, RFID passports, SecureFlight, V-ID cards

• Security: video surveillance, facial recognition, biometric identification systems, national ID cards

Please submit abstracts, position pieces, demos or full papers for a 10-15 minute presentation to michael.zimmer@nyu.edu by July 5, 2006. Include contact and brief biographical information with your submission. Notification of submission acceptance will be given by July 17, 2006. Limited travel stipends will be available for presenters. Students in need of travel funds should indicate so with their submission.

Program chairs:

- Tim Schneider, JD Student, NYU School of Law
- Michael Zimmer, PhD Candidate, Dept. of Culture & Communication, NYU

Faculty advisor:

- Helen Nissenbaum, Dept. of Culture & Communication, NYU

Sponsors:

- Coordinating Council for Culture and Communications, Journalism, and Media Studies, New York University
- Department of Culture and Communication, New York University
- Information Law Institute, New York University School of Law

(download PDF version here)

Among other things, the guidelines say that consumers should be notified when goods have radio tags, which can be invisibly buried in labels, packaging or the goods themselves. The guidelines also say that it should be clear to consumers how to disable disposable forms of the tags and that it should be easy to do so once items with such tags have been purchased. Businesses are called on to notify consumers about how information gathered from the tags will be used.

The guidelines were the work of a group of businesses and consumer advocates. Among the participants who are expected to endorse the guidelines are Procter & Gamble, I.B.M., Microsoft, Visa USA and the National Consumers League.

“This is a really good start,” said Susan Grant, vice president for public policy at the National Consumers League, a nonprofit advocacy group in Washington.

Yes, it is a start, and an important one given more and more manufacturers (like Levi’s) are starting to utilize RFID chips in their products. But as the EFF points out, there is much more to do:

Lee Tien, senior staff lawyer for the Electronic Frontier Foundation, said that the new guidelines were a valuable “first step” but that they gave industry too much “wiggle room.”

He also noted that the guidelines ignored government use of RFID and privacy concerns for employees in business-to-business dealings.

Meanwhile, IBM will be demonstrating its design for an RFID tag with a disabling feature that limits – but doesn’t kill – a wireless chip’s ability to broadcast item information.

It probably has been common practice for the government to make all public comments publically available. The difference here is that instead of having them sitting in some file room, where one would have to be very industrious and have a lot of time on her hands to go through them all, having them published on the web makes it much easier for someone to scrub the data in search any usable personal information. Another example of the failure of security through obscurity via the WWW.

[via Boing Boing]