understanding the importance and impact of anonymity and authentication in a networked society


posted by: Ian Kerr // 01:19 PM // December 28, 2005 // Digital Democracy: law, policy and politics

Some of you will be interested to know that the Privacy Journal has just published an 18-page 2005 Supplement to its popular Compilation of State and Federal Privacy Laws (2002). It describes and cites more than 200 recently passed laws, including new laws on "credit freezes," "security breach notifications," Social Security numbers, ID theft, covert videotaping, spam, and more. Laws in Canada are included.

The price is $21 plus $4 shipping, by U.S. mail or e-mail. The 2002 book with the Supplement included costs $31 plus $4. Order from Privacy Journal, PO Box 28577, Providence RI 02908, 401/274-7861, fax 401/274-4747, orders@privacyjournal.net. With a credit card, you can download the text at www.privacyjournal.net.


The Uncertainty over RFID-enabled Passports

posted by: Mohamed Layouni // 07:00 AM // December 20, 2005 // ID TRAIL MIX


A number of countries, such as the United States, Sweden, and Pakistan, to name a few, are in the process of implementing a global plan to embed Radio-Frequency Identification (RFID) tags in all newly issued passports.

Briefly, RFID tags are small devices that can be attached to objects or to living beings for the purpose of identifying them. They are equipped with antennas to receive and respond to radio-frequency queries from RFID readers. Because a tag can be queried from a distance and without a line of sight, the technology supports a whole spectrum of applications, ranging from locating a "smart ball" in soccer to the real-time monitoring of inmates. We distinguish two main families of RFID tags:

1. Passive tags carry no internal power source; they run on the current induced by the electromagnetic field that the RFID reader generates at the time of the query.
2. Active tags are equipped with their own internal power supply and are therefore capable of more elaborate computation. Active tags can also transmit continuously, the way cellphones do to ensure the timely reception of calls.

Both passive and active RFID tags may contain non-volatile memory for storing data.

In the following we concentrate on the US passport proposal, but the same line of reasoning applies to other proposals with similar architectures. The US authorities' goal in embedding RFID tags in passports is presumably to better control borders, speed up lines at airports, and swiftly recognize suspects and counterfeit travel documents. The tag is accordingly set to contain personal data such as name, sex, nationality, date and place of birth, and a digitized photo of the passport holder, as well as information about the passport's validity. The US authorities intend, in addition, to store other digitized biometric data on the tag, such as the fingerprints and iris scans already being collected from foreign nationals under the US-VISIT program.

Now the question that comes to mind is: how will the data be stored on the tag? Will it be stored in the clear, as in the Norwegian case, or will it be encrypted? The answer is still not clear, and the published answers even contradict one another. According to a recent Washington Post article:

The [State] department rejected calls to encrypt, or scramble, the data on the passport. Instead, the transmission stream when the data is passing from the passport to the reader will be encrypted.

Elsewhere, it is stated that:

[...] the State Department announced it would look once again at Basic Access Control (BAC), a privacy technology it had originally rejected.

Assuming the data is encrypted, how will the decryption keys be managed? Does it make sense to use one single master key for all passports? Obviously not, because the compromise of a single passport would then lead to the compromise of every passport in the system. Alternatively, one may store the decryption key (or the data needed to generate it) on the passport itself (as suggested here). Now remember that the main motivation for using RFID is the ability to scan the tag remotely and without a line of sight. By the same logic, the decryption key would also have to be readable from a distance (otherwise the whole design reduces to traditional barcode technology), which is indeed what the first proposal put forward by the US authorities amounted to. As a consequence, anyone with a suitable RFID reader could roam around reading data from passports without their owners' knowledge; this attack is known as "skimming". Another possible attack is to intercept the data in transit between the passport and an authorized reader; this one is known as "eavesdropping".
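Basic Access Control, the option mentioned in the quotation above, is the concrete form of "storing the data needed to generate the key on the passport itself": the reader derives a per-passport key pair from three fields printed in the passport's machine-readable zone (document number, date of birth and date of expiry, each with its check digit), so the key material never travels over the air and no two passports share a key. What follows is an added example, not code from the original post or from any passport implementation; it implements the ICAO Doc 9303 key derivation (SHA-1 of the MRZ fields as seed, counter-based derivation of the encryption and MAC keys, odd-parity adjustment for 3DES) on the MRZ fields of ICAO's own worked example, embedded here as constructed input.

```python
"""Per-passport key derivation from printed MRZ data (ICAO Doc 9303, Basic
Access Control).  Added example, not code from the original post.  The MRZ
fields in main() are the ones ICAO uses in its worked example; they are
constructed input, not data read from a real document."""
import hashlib


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 cycling; '<' = 0, A-Z = 10..35."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch == "<":
            value = 0
        elif ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * weights[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """The 24-character MRZ_information string that BAC keys are derived from:
    document number (padded to 9 with '<'), birth date (YYMMDD) and expiry
    date (YYMMDD), each followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")
    return (f"{doc_number}{mrz_check_digit(doc_number)}"
            f"{birth_date}{mrz_check_digit(birth_date)}"
            f"{expiry_date}{mrz_check_digit(expiry_date)}")


def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so that each byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        ones_in_top7 = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_top7 % 2 == 1 else 1))
    return bytes(out)


def derive_key(seed: bytes, counter: int) -> bytes:
    """ICAO key derivation: SHA-1(seed || 32-bit counter), truncated to 16 bytes
    (a two-key 3DES key) and parity-adjusted.  Counter 1 gives the encryption
    key, counter 2 the MAC key."""
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])


def bac_keys(doc_number: str, birth_date: str, expiry_date: str):
    """Return (MRZ_information, K_seed, K_enc, K_mac) for one passport.
    Every passport has its own MRZ, hence its own keys: compromising one
    passport's keys says nothing about another's."""
    info = mrz_information(doc_number, birth_date, expiry_date)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return info, k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)


if __name__ == "__main__":
    # Constructed input: the MRZ fields of the ICAO 9303 worked example.
    info, k_seed, k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ_information:", info)
    print("K_seed:", k_seed.hex().upper())
    print("K_enc :", k_enc.hex().upper())
    print("K_mac :", k_mac.hex().upper())
```

Note that the three fields have to be read optically from the data page before the chip can be addressed, which is exactly why BAC makes the chip unreadable by a passer-by; how much protection that gives then depends only on how predictable those printed fields are.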

One of the ideas put forward by experts to fix the first vulnerability is to wrap the passport in a metallic shield that acts as a Faraday cage, a sort of "tinfoil hat" for passports, to prevent rogue readers from remotely querying the tag and reading the data. Many see this technique as insufficient (e.g., see Bruce Schneier's forum) for the following reasons:

1. the passport still has to be opened to be read, and the information can be intercepted remotely while it is being scanned by an authorized reader;
2. the passport cover does not always close well enough to shield the tag from the radio field of an unauthorized reader.

Another technique proposed to block unauthorized RFID queries consists of responding with a powerful jamming signal whenever the query received does not contain some secret code. The technique was developed by RSA Security and is known as the RFID blocker tag:

The blocker tag, which can be placed over a regular RFID tag, prevents a receiver from scanning information transmitted by a tag by sending the receiver more data than it can read -- the equivalent of a denial-of-service attack.

This technique, however, has the disadvantage of assuming that a single master secret code is known to every authorized RFID reader, a constraint that is itself a major security vulnerability.

For now, let's assume the first technique, the metallic shield, works, and that passports cannot be remotely queried by unauthorized rogue readers. In that case one would ask, and rightly so, why the RFID tag is needed at all, since a mere traditional barcode would do the job, and do it more cheaply and more safely. RFID proponents justify their choice by invoking the fact that RFID technology is better suited to future extensions, as stated in this ICAO (International Civil Aviation Organization) report on "Machine Readable Travel Documents" (MRTD):

The intent [...] is that States adopt as high a capacity as they possibly can and which is operationally feasible and practicable, for the following reasons:
Future-proofing: the data storage medium deployed in an MRTD must last for the life of that MRTD (typically 5 years up to, for some States, 10 years)...
Flexibility: the LDS (Logical Data Structure) has been developed to allow for the storage of all types of biometrics [...] face + finger + iris, and multiple instances of a particular biometric eg 10 fingers, 2 eyes, different face poses (if countries had an interest in such); as well as working towards the development of storage of visa and travel information in the LDS. States, therefore, who choose to do so will be able to add additional biometric data to MRTDs either at issue or subsequent to issue, and, in such cases the chip must provide available additional data capacity to enable this.
[...] the arithmetic is clear: the addition of just two fingerprint images to this data results in a required chip data storage size of 64K (12+5+10+10 > 32). Similarly a 30K facial image results in a required chip data storage size of 64K (30+5 > 32). Add one iris, or a second updated instance, and the size becomes 128K.
Issuing States should bear in mind that the new-technology, very high capacity chips (> 64K) can have larger overheads in terms of space required for memory management, operating systems and command sets – this can be up to 256K for 512K and 1024K (1MB) capacity chips. Therefore to facilitate future-proofing and flexibility via high capacity (in excess of 64K), it follows that 512K or larger is a chip size for States to target towards, guaranteeing 256K+ of available user data space that can be used over the life of the MRP (Machine-Readable Passport).

RFID opponents, on the other hand, denounce the technology as an attempt by governments to relentlessly collect as much data about citizens as possible, and argue that 2D barcodes (up to the size of a passport page) provide enough space to encode, in encrypted form, all the data needed about an individual, including a digitized photo and fingerprints (see this PDF417 code sizing example, for instance). In addition, 2D barcode technology appears to have reached a good level of maturity and robustness. So far it has been used in a variety of applications involving identification and access control, and it is already used by a number of countries for travel-related documents, e.g., Tunisia for passports and the United States for visa applications.

In summary, what is worth keeping in mind is that 1) there is not one but several electronic passport designs, with varying levels of security and privacy, and 2) the less invasive 2D barcode technology is sufficient to convey all the functionality of a regular passport. Therefore, unless we want to give passports other special functionality, we don't need to turn them into some sort of "rigged" gadgets. And if we do, then that functionality should be clearly stated, debated, and implemented only after a consensus has been reached.


New PET: Self-destructing SMS

posted by: Chris Young // 02:12 PM // December 16, 2005 // TechLife

Here's a privacy enhancing technology: self-deleting text messages (BBC).



posted by: Leslie Regan Shade // 11:59 PM // December 13, 2005 // ID TRAIL MIX


This semester in an Issues in Information Society fourth year undergraduate class at Concordia University’s Department of Communication Studies, one of the assignments I gave students was for them to create a project detailing ‘Surveillance in Everyday Life’: “Students are asked to provide a portfolio of their everyday interactions and how they are impacted by surveillance. Be as creative as possible! This can include photo documentation, monitoring of public discourses on surveillance issues, fiction, a play, podcasting, the creation of a CDROM or….”

Readings by Foucault, Lyon, and O’Harrow Jr., on privacy and surveillance were meant to stimulate the students and add to the other scholars we had been studying: Bell, Castells, Mosco, Huws, Schiller, Black, etc., many in the Frank Webster reader (the course syllabus details the readings). Surveillance was one among many issues we were looking at; other issues included historical and theoretical perspectives on the information society, the digital divide, labor issues, gender issues, ICTD, and the World Summit on the Information Society.

Surveillance Walks
Many of the students presented an analysis of their routine interactions going from their homes to classes to work. They talked about (or documented via photos) the presence of surveillance cameras in their apartment hallways, in Montreal metro stations, in their corner dépanneur, and in hallways on the downtown campus. Many of them were dissuaded from taking photos of surveillance cameras by policemen and security guards.

Wrote one student:

About a block away from my house there was a speed trap set up. The sign was obvious to drivers, what was less obvious was the cop sitting about a block away. I started to photograph the speed monitor, thinking that this is an interesting surveillance issue. For one thing, drivers always slow down when they realize they are being monitored, just as I act differently when I am aware of the presence of a camera. It is also an interesting issue considering that the Quebec government is reassessing the possibility of installing traffic cameras that would automatically issue tickets to cars running red lights. I was thinking about all this when the cop got out of his car and started gesturing for me to put the camera down and go away. I complied; I don't think my constitution would fare well in prison (not even in a holding cell). I am still not clear on why I was not allowed to take these photos but I can think of three possible reasons:
1. I was photographing evidence of cars speeding (including their license plates).
2. I might have been bringing too much attention to the speed trap. Perhaps the cop felt that I was giving cars a heads up that something was going on, thus hindering the ticketing process.
3. The cop, like me, does not like to have his picture taken.

Moving along to the Provigo grocery store, the student wrote that

I took a couple of photos of the eye-in-the-sky. I was being discreet, thus I was more than a little surprised when less than two minutes after the first photo I was approached by an employee and asked to stop. Honestly, I only thought those systems were monitored in Vegas. I expected that these cameras were only connected to VCRs, and perhaps they are; I don't know if it was someone from upstairs or an employee on the floor who noticed me. In any case I was asked to stop. The double standard always shocks me – the business can monitor the consumer, but the consumer can not monitor the business. I promptly left, but not before snapping a couple of shots of the stickers that are used to gauge height in the instance of a robbery.

On the Job Surveillance
Another student chronicled her workaday life at the ‘Evil Outpost’ Starbucks, where staff are subjected (often unknowingly and certainly without their consent) to surveillance practices:

Surveillance begins when I walk into the café: a camera pointed on the floor picks up the presence of anyone walking towards the espresso bar. Next, I walk into the office to hang up my coat and put on my apron. I have now gone past security check number two: the second behind-bar video camera. This surveillance camera is touted as there for protecting staff from robbery or violent customers – it is really there to monitor our behaviour. For example, I was told recently that our manager watched the feed from the camera “only in certain instances.” When I enquired as to what these instances were, I was told that it happened mainly when a customer came in to complain. Our manager could then review the video and “correct the problem”. This got me to thinking: we recently dealt with a serious complaint while I was working – did he “review our performance” then?
Once ready to start working, I go to the cash register – one of two computers located at the centre of the bar and clock-in using my personal employee number. The computer takes note of the hour and minute that I arrive. The same is true for when I leave. Starbucks employees are paid to the minute – not the hour. My last paycheck was for 27 hours and 37 minutes. This is efficient use of money on the part of Starbucks, but it leaves little latitude for the employee. There is no room to arrive late or leave early (or vice versa) without being monitored by the company. To that end, unpaid breaks are also billed to the minute – longer breaks mean less money for the employee. In fact, taking the optional “30-minute unpaid break” is highly discouraged. Of the twelve-or-so employees at outpost 90, only 1 or 2 take their unpaid breaks, most prefer to be paid.
Then comes surveillance of merchandise. Every item is either sold or marked out – this is only good business and good inventory. The same is true for the fairly decent “comps” Starbucks employees get. There is, however, a limit to the amount any one employee can take. Here is a list of the benefits to working at Starbucks:
- 3 free MEZZO drinks per shift. These drinks must be kept out of sight and may only be drunk during breaks or after shifts.
- 1⁄2 lb ground coffee per week. To be supplied by another employee and approved by manager to avoid taking too much.
- 30% discount on certain items.
- Although not truly on the list of perks, employees may take whatever baked good has passed its Starbucks expiration date.
Every time an employee takes advantage of these comps, they must enter it into the computer and sign the receipt over to the manager. As part of this project, I tried going above my allowed limits. In consequence, I was reminded of the amount I was allowed to take for myself and told that if it happened again I could be reprimanded. There are of course ways around these rules. One could easily forget to sign out drinks or mark-out pastries. The subject of counter-surveillance and slackerism, however, is addressed in other posts….
Finally, Starbucks outposts are kept on their toes by what is called “snapshots”. These are, in essence, a classic example of secret shopping. In a routine snapshot, a secret shopper comes in and pretends to be a regular customer. When ordering, he or she asks questions about the items they might like to have or what kind of products are available to them. The store is evaluated on the knowledge and friendliness of the staff, the cleanliness of the bars and seating area, and whether or not the store met safety standards. There is never any warning as to when a snapshot might occur – even to store managers. This is one of the most effective ways of controlling staff through surveillance because, unlike the other forms mentioned, the employee has no way of knowing if and when it is happening. Without this knowledge, subverting the system becomes increasingly difficult.
So what do my experiences with employee surveillance say about the work-place culture we have become accustomed to? Is there now such little trust that employees must be monitored and tracked? The problem is that such cultures of fear are being used to the benefit of the corporations we work for or governments we belong to. I feel justified in pondering whether the bomb threats that occurred at my government offices – these regular occurrences – were a way of keeping us on our toes. If a population perceives itself as constantly under threat, it is more likely to bend to increasing control over its life. But are there also benefits to these monitors? As the good employee, I benefit greatly from some of them. Free access to a car all summer. Free Internet use. Those extra minutes I came in early and stayed late at Starbucks add up over time – at least I’m getting paid for them, right? Who cares if the trade-off for all of these things is a little surveillance? But therein lies the problem: surveillance only benefits conformists. It is made to oppress and subjugate a people, not to help them rise up. The real problem with surveillance is that it tries to eliminate the individual – the thing we all strive so hard to be – and it is individuals that change a culture, not conformists.

Resisting Surveillance

Two students set up a dialogue amongst themselves; in a typical student hangout in Montreal (café), E and D discussed the politics of surveillance, Foucault’s notion of the panopticon, and how to resist surveillance:

E: But what about surveillance on the web? Can we resist it?

D: Data collectors (both human and technological) collect information that users have left about themselves on various internet pages or, in the extreme cases, hack into their home computer. This surveillance ensures that all of the unpaid labour, which individuals everywhere perform for these companies (in the form of audiences for their advertisements and sources of data for their market strategies), does not go to waste. Only so long as there is widespread tracking and identification of consumers can some of the biggest industries (all kinds of business services) maintain their dominance in our present economy. This massive system requires a great deal of compliance on the part of the ‘‘consumers.’’ If we accept this panoptic scenario then we become demographically compliant (ranging from ‘‘opting in’’ to their marketing lists to buying their product).

E: I guess that the one form of resistance to panoptic practices on the web would be to use a fake persona when navigating the net, thereby diverting the gaze of the panopticon to the trace of a person that does not exist.

D: Yes! Just like the barred shadows projected across the cold, hard floors of the prison, signifying the prisoner’s presence, traces of people on the web are also revealed through light; in the form of fibre optic zeros and ones. Information about millions of people on the internet is gleaned everyday by countless organizations and companies, for marketing, ‘‘security,’’ polling, and countless other purposes. This presence, though, is always verified by a trace of the person in the form of information about them, like their name, email, income bracket, place of residence and commercial preferences, among others. These pieces of information frame the individual along a number of categories, subsequently determining their ‘‘worth’’ economically. One way of resisting these commercial practices is to construct a fake persona.

E: How is a fake persona an effective means of resisting surveillance?

D: Jeremy Foucault is one such fake persona. This ‘‘person’’ has a name, email address, lives in Whitby Ontario, went to high school at Anderson Collegiate and likes technology, sports and baby care products. Jeremy’s email address is panopticpractices@hotmail.com, and his password is ICUpanopticon911.

E: Very clever! [sarcastic tone] I get it. Michel Foucault meets Jeremy Bentham. The password, I guess, relates to the idea of looking back at the panopticon. And the 911, is pretty self-explanatory. [pause] Oh! And, the email address with the password it creates a statement. I love it! [laughs]

D: This persona allows its user to navigate the web, without worries of being targeted as a market demographic and absorbs much of the unwanted advertising that is often incurred when registering for or entering certain domains on the web (like chat rooms or blogs).

The Camera Phone – New Ways of Trendspotting?

Our wandering student above also expressed her concern with camera phones:

They may be fun and convenient for some but they are also considered a violation of privacy by many, including myself. Many people argue that we are being photographed all the time – and this is largely true. But most of these images are in the form of surveillance video which will not be uploaded to the web or used against us unless we are party to a crime. Cell phone images, however, can easily be used to degrade and shame the unknowing suspect. They can actually be considered a form of digital harassment. Several television programs have based storylines on picture phone bullying. The one that sticks in my mind is an episode of Joan of Arcadia in which Joan was photographed in the shower in the girls’ locker room. Perhaps this is an extreme example, but I maintain that my bad hair day is my personal business. I do not want to see it on the web. If you think about it, we all do things every day that we would not want to have caught on tape: picking wedgies (or our noses), stuffing ourselves with gigantic pieces of chocolate cake, or simply wearing an unflattering outfit. These moments happen and I find it outrageous that they may be used against us.
What has been concerning me the most recently is that high tech companies are actually using blackmail stemming from camera phones and pocket sized camcorders as a selling point. Take for example the new Samsung ad in which a young upstart employee takes video footage of the office party. He later shows the recording to a myriad of people higher up on the corporate ladder, receiving a promotion each time he does. The ad seems innocuous because the employee is depicted as a simple, childlike soul. But the underlying message remains.
(If you have not seen the ad you can view it here (sorry I was unable to download it). Follow the link then go to BRAND CAMPAIGN at the bottom of the page (it takes about 15 seconds to pop up), then choose “Summer Picnic”).

But, Creating Beautiful Art with Camera Phones
Another student used the camera phone to create a beautiful video The Mobile Eye. It’s both mesmerizing and poetic….graceful and seductive.

What I Learned…
Other student projects included: a photographic tour of a prison; a Harvey Pekar-like comic about dealing with rogues and cops in Montreal – and whom to trust; recent filmic depictions of surveillance; a tabloid spoof of protecting one’s own personal privacy; the compulsion to record diary-like everyday mundane events and the effect this could have on friends and lovers; moody ‘surveillance’ like music; a surveillance board game; a discussion of recent Canadian policy issues on surveillance; and a clever and sharp film using the Prelinger Archives showing Post WWII industrial footage of nuclear and Commie scares, eerily echoing the Homeland Security zaniness of today.

Young people are concerned about surveillance practices – from web intrusions to cameras – in their everyday lives, and they were very surprised at its prevalence. Perhaps more so than any other issue discussed in class – surveillance (ha!) captivated them and politicized them. Of course none of these issues are on the current election agenda….

Leslie Shade is Associate Professor at Concordia University, Department of Communication Studies


posted by: Greg Hagen // 11:59 PM // December 06, 2005 // ID TRAIL MIX


It has become well known by now that if you purchased the Van Zant brothers' CD Get Right with the Man, or any of 51 other recordings from Sony BMG, in 2003 or later, Sony BMG may have surreptitiously installed spyware, incorporated into its Extended Copy Protection ("XCP") software, onto your computer. "Surreptitious" because XCP and its operations are cloaked using the SecurityRisk.First4DRM rootkit, which is designed to hide system objects and operations whose names start with $sys$ from diagnostic and security software, including spyware detectors. The implication is that user privacy could be breached not only by XCP's tracking functionality, but by any other malware that names its objects with the $sys$ prefix. The fact that the spyware was embedded in XCP should give pause to those who support Bill C-60, which lends legitimacy to technological measures (to protect copyright) that embed spyware.
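The hiding rule described above is purely name-based, which is what makes it both dangerous (any program can borrow the prefix) and easy to probe for: create a file whose name starts with $sys$ and compare what directory enumeration reports against what you know you created. The following is an added example, not code from the original post or from Sony BMG, First4Internet or any anti-spyware vendor; it assumes only the behaviour the post states, namely that objects whose names begin with $sys$ are dropped from enumeration on an affected machine, and it reports nothing hidden on a clean one.

```python
"""Cross-view probe for $sys$ name cloaking.  Added example, not code from the
original post.  Assumption (taken from the post's description): a cloaking
driver hides directory entries whose names begin with "$sys$".  A control
file without the prefix is created alongside so that a missing entry can be
attributed to the prefix rather than to an enumeration failure."""
import os
import tempfile
from typing import Dict, Optional, Set

CLOAK_PREFIX = "$sys$"


def hidden_names(created: Set[str], listed: Set[str]) -> Set[str]:
    """Cross-view comparison: names we created that the listing does not show."""
    return created - listed


def probe_cloaking(directory: Optional[str] = None) -> Dict[str, object]:
    """Create a control file and a $sys$-prefixed file in a scratch directory,
    enumerate the directory, and report which of the two entries are visible.
    Files (and the scratch directory, if we made it) are removed afterwards."""
    scratch = directory or tempfile.mkdtemp(prefix="cloakprobe")
    control = "probe.txt"
    cloaked = CLOAK_PREFIX + "probe.txt"
    created: Set[str] = set()
    try:
        for name in (control, cloaked):
            with open(os.path.join(scratch, name), "w") as fh:
                fh.write("probe\n")
            created.add(name)
        listed = set(os.listdir(scratch))
        missing = hidden_names(created, listed)
        return {
            "directory": scratch,
            "control_visible": control in listed,
            "cloaked_visible": cloaked in listed,
            "hidden": missing,
            # The signature of prefix cloaking: the control entry is listed,
            # the $sys$ entry is not.  A clean system lists both.
            "cloaking_suspected": control in listed and cloaked not in listed,
        }
    finally:
        for name in created:
            try:
                os.remove(os.path.join(scratch, name))
            except OSError:
                pass
        if directory is None:
            try:
                os.rmdir(scratch)
            except OSError:
                pass


if __name__ == "__main__":
    result = probe_cloaking()
    print("control visible:", result["control_visible"])
    print("$sys$ file visible:", result["cloaked_visible"])
    print("cloaking suspected:", result["cloaking_suspected"])
```

The same comparison can be made against any second view of the file system (a listing taken from a boot CD, a raw read of the directory) to catch cloaks that hook enumeration more thoroughly than a name prefix; the point of the probe is the disagreement between views, not the particular call that produced each one.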

A number of lawsuits in the U.S., including one commenced by the Electronic Frontier Foundation, complain that Sony BMG did not disclose the possibility that XCP can track the use of Sony BMG CDs, either in its packaging, the installation process, or its End User License Agreement (“EULA”). The EULA merely provides that “a small proprietary software program” will be automatically installed which is “intended to protect the audio files embodied on the CD.” It did not, however, disclose that the “small proprietary software program” increases the risk that third party malware will be hidden by the rootkit. Nor did it disclose that it can “monitor the CD drives in order to enforce any digital rights.” As a result, most information security companies now consider XCP a security risk. Microsoft has accordingly labeled XCP as spyware.

Spyware is considered to be objectionable primarily because of the notorious lack of adequate consent provisions in accompanying EULAs and installation procedures. Suppose, however, that Sony BMG attempted to modify its EULA and installation procedures in order to accord with Canadian privacy legislation. Among other requirements, Sony BMG would have to ensure that, pursuant to the applicable consent provisions such as PIPEDA Principle 4.3, any collection, use and disclosure of personal information of an individual is obtained with the knowledge and consent of the individual. The question that immediately arises is whether the supply of CDs can be conditioned upon such consent, permitting Sony BMG to thereby circumvent privacy protections.

Principle 4.3.3 of PIPEDA requires that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes. Does the collection of personal information by XCP serve a “legitimate purpose?” The Canadian Government’s Spam Task Force recommendation to prohibit spyware suggests that the use of XCP to protect copyright is not legitimate. If that is correct, then consent that is a precondition to the supply of CDs should be considered vitiated, and one should be able to use a spyware uninstaller to remove XCP with impunity.

On the other hand, certain provisions contained in Bill C-60, introduced in Canada’s 38th Parliament but not passed at its dissolution, suggest that XCP serves legitimate purposes. Under section 34.02 of Bill C-60, it is generally forbidden to circumvent technological measures designed to protect works and other subject matter. While that section excepts acts of circumvention that allow persons to exercise rights provided under copyright law, it does not except acts of circumvention that further the exercise of rights per se, including rights of privacy and expression. Yet the implicit rationale for excepting acts which do not infringe copyright or moral rights (the recognition that technical measures can interfere with the legitimate exercise of rights) should lead to the conclusion that an exception to the circumvention prohibition should exist in respect of the legitimate exercise of all rights provided by law.

The lack of a broader exception to the anti-circumvention provisions in Bill C-60 is fuelled by a misconception, expressed in a number of cases, that intellectual property interests always trump other interests such as privacy and freedom of expression. For example, in BMG Canada Inc. v. Doe, 2005 FCA 193, the Federal Court of Appeal, considered whether ISPs should reveal the identity of individual peer to peer file sharers who were accused of copyright infringement. The Court stated at paragraph 41 that “[a]lthough privacy concerns must also be considered, it seems to me that they must yield to public concerns for the protection of intellectual property rights in situations where infringement threatens to erode those rights.”

This bias runs counter to the supremacy of the constitutional provisions protecting rights such as privacy and expression over intellectual property rights as provided by s. 52 of the Canadian Constitution Act, 1982. While the rights guaranteed by the Charter of Rights and Freedoms are subject to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society, such limitations - even those designed to provide a just reward for creators - are exceptions to the broad rights guaranteed by the Charter. It follows that, if Bill C-60 is to comply with the Charter, a much broader exception to the anti-circumvention provisions is required. Circumvention should be permitted where it furthers the legitimate exercise of rights guaranteed by the Charter.

Greg Hagen is an Assistant Professor at the Faculty of Law, University of Calgary.



This is a SSHRC funded project:
Social Sciences and Humanities Research Council of Canada