I don't want to say I told you so...but yes I do.
The RFID industry trade groups continue to defend this ridiculous technology for use in all of the wrong applications. The two worst? As I've been saying for the past few years - credit cards and passports.
Imagine the ramifications of this with celebrities, political or public figures. What can be scanned from your daughter's purse or backpack?
It's not what you have to hide, it's what you've got to lose.
Showing posts with label RFID chip. Show all posts
Tuesday, December 7, 2010
Thursday, February 11, 2010
Religious Right Weighs In On Human Tracking Chips
The religious right is beginning to voice concern over the concept of mandatory human chipping. The practice of forcibly installing tracking chips in human beings has been proposed by others on the right, as a means of tracking people who have lost their civil rights, such as certain kinds of convicted criminals.
The State of Virginia has cited religious freedoms in its decision to outlaw the practice:
House Oks Bill Banning Implanted Tracking Devices | WSLS 10
Del. Mark L. Cole (R-Fredericksburg), the bill's sponsor, said that privacy issues are the chief concern behind his attempt to criminalize the involuntary implantation of microchips. But he also said he shared concerns that the devices could someday be used as the "mark of the beast" described in the Book of Revelation in the Christian Bible.
Full story of the run-up to the vote Washington Post
Monday, January 11, 2010
New Hampshire Bars RFID

Leading the nation in what is sure to be a wildfire of similar legislation, NH House votes to bar the unauthorized implants of tracking chips in people and clothing, criminalizes the use of RFID for tracking consumers.
FULL STORY: ASSOCIATED PRESS
In a further sign of things to come, the State is updating its anti-skimming laws to prohibit the closing of data broadcast by RFID-enabled credit and debit cards. The effect may render RFID without value to retailers otherwise supporting its use.
Wednesday, December 23, 2009
Philippine Supreme Court Wrestles With RFID for DMV
A public transport group has asked the Supreme Court sday to nullify the Land Transportation Office’s radio frequency identification system for being unconstitutional.
FULL STORY
Tuesday, December 22, 2009
Has an RFID tracking chip been smuggled into your implants?
According to presenters of the 2009 RFID Journal's medical proposals, RFID chips have been implemented to track "implantable medical devices."
Questions arise concerning whether or not RFID chips, which broadcast an ID number or other data, remain in the chipped products when they are implanted into patients.
Journal Evidence: http://www.rfidjournal.com/videos/healthcare
The safeguards and disclosures regarding the practice have likely yet to be developed or considered. Potential HIPAA violations, in addition to other likely challenges, are lurking, yet nobody has spoken up. The RFID Journal trade group continues to quietly lobby for zero regulation on the matter.
Sunday, October 11, 2009
Auto License Plates With RFID: Sport-bike Outlaws Cited as National Cause
In one of the strangest, most reaching arguments for promoting RFID contractors, the RFID Journal has printed the argument that speeders riding sports motorcycles across the US are such a menace to society that we all must now broadcast an ID number from our license plates, from 30 feet away, to anyone who wants to read it.
Believe it or not, the article actually makes the case that if the speeding sport bikers across the US only had RFID chips in the license plates, which they routinely remove or "flip" to hide, then the stalwart police would not have to give high speed and winged pursuit. The image is one of the officer in his crisp uniform, slowly shaking his head as the biker goes by at Mach 2, returning to his latte secure in the knowledge that the biker would get his ticket and summons in the mail.
"Drat!" says the biker when he gets the later uniformed knock on his door, "foiled again by the RFID chip!"
Needless to say, not only would the bikers remove the entire plate if they want, since the cops can't catch them anyway, they would also buy, borrow or steal other license plates to broadcast the wrong number to the idiot with the latte.
Here's the article: Please comment!

U.S. Department of Transportation Solicits Proposals From Small RFID Companies
In actuality, it doesn't need to be a motorcycle. What do they do when they are outrun by a bicycle?
In a generous handout to what will surely be picked up by both civil libertarians and ultra-right wing conspiracy nuts, the Federal Government has jumped into the fray by having the Department of Transportation request bids from RFID contractors.
Friday, October 9, 2009
RFID SECURITY NIGHTMARE CONTINUES
Our earlier post on RFID security problems (http://privacy-pimp.blogspot.com/2009/07/chips-in-official-ids-raise-privacy.html) has seen the predicted eventuality:
The SunBreak News Business Cyberthieves are Picking Pockets with RFID
Labels: jonathan warren, RFID best practices, RFID chip
Saturday, September 19, 2009
FTC Under Heavy Pressure to Establish RFID Safeguards
Washington D.C. based, non-profit Electronic Privacy Information Center (EPIC) sets its successful sights on the FTC to establish RFID safeguards
In comments to the Federal Trade Commission, EPIC reiterated recommendations (pdf) it made in 2004 to the consumer protection agency to address the risks to consumer safety of the unregulated use of RFID tags that reveal personal data. The FTC is hosting a "Transatlantic RFID Workshop on Consumer Privacy and Data Security" to discuss consumer concerns. The workshop follows an event, organized by the US Department of Commerce, promoting the benefits of RFID. Comments on RFID may be submitted to the FTC until October 23. For more, see EPIC's RFID Privacy page. (Sept. 22, 2008).
Guidelines were issued back in 2004, and are gaining traction due to the new attention given RFID in the press. They would prevent, among other things, "Tracking, Snooping and Coercion" using RFID data.

Guidelines on Commercial Use of RFID Technology
(FINAL VERSION - July 9, 2004)
Introduction
The guidelines are proposed to guide the use of RFID technology in order to protect both
private enterprise interests and consumer privacy interests. This means that these
guidelines do not address protection of consumer privacy from any governmental action.
Rather, they seek to protect consumer privacy from private enterprises. Further, these
guidelines focus on use in the retail and manufacturing industry where retailers and
manufacturers are beginning to implement item-level RFID tagging to facilitate supply
chain efficiency, inventory control, and similar applications.
These guidelines primarily address commercial, private applications which may use
RFID tags to draw conclusions about consumers without their knowledge or consent, or
that might generate data which could be used for entirely different purposes at a later
date.
These guidelines are divided into three parts. Part A addresses the duties of private
enterprises that use RFID technology. It imposes minimum requirements on RFID users,
recognizing the advantages that RFID technology can provide while at the same time
addressing privacy concerns. Part B addresses practices in which the RFID Users
should never engage, including tracking, snooping, and coercing consumers to accept
live RFID tags or associate their personal data with an RFID application. Finally, Part C
states the rights of consumers who are exposed to RFID technology and incorporates
some of the Users' duties stated in Part A.
Definitions
"RFID" means Radio Frequency Identification, i.e., technologies that use radio waves to
automatically identify individual items.
"Tag" means a microchip that is attached to an antenna and is able to transmit
identification information, i.e., capable of receiving data from, or transmitting data to, a
Reader.
"Reader" means a device, capable of reading data from a tag or transmitting data to a
RFID tag.
"RFID Subject" or "Individual" means a consumer, customer, or any other such individual
that comes in contact with a product that has attached to it, or contains, an RFID tag.
"RFID User" means an RFID operator, such as a store, warehouse, hospital, and the
like, who employs RFID technology, including RFID readers and tags.
"Premises" means a store, a warehouse, a hospital, or any other such equivalent space
that encompass the tags and the readers that communicate with RFID tags.
"Consent": means the freely given, specific and informed indication of a RFID subject's
wish to have his/her personal information processed by the means of RFID technologies.
RFID Guidelines
A. What RFID Users Must Do:
1. NOTICE. Give notice to a RFID Subject of:
a. Tag presence, whether through labels, logos, or equivalent means, or through
display, either at the place where a tagged item is stored, such as a shelf or counter, or
at point of sale, such as a cash register. The notice shall be reasonably conspicuous to
the individual and contain information that enables the individual to be reasonably aware
of the nature of the RFID system and the data processing in place.
b. Reader presence, whether through labels, logos, or equivalent means, or through
display, whenever tag readers are present. The notice shall be reasonably conspicuous
to the individual and contain information that enables the individual to be reasonably
aware of the nature of the RFID system and the data processing in place.
c. Reading activity. RFID Users must use a tone, light, or other readily observable and
recognized signal whenever a tag reader is in the act of drawing information from an
RFID tag anywhere on the sales floor.
2. REMOVAL. Attach tags to items in such a way as to allow for the easiest possible
removal of tags.
3. ANONYMITY PRIORITY. Any RFID user -- before linking RFID tags to personal
information -- should first consider alternatives which achieve the same goal without
collecting personal information or profiling customers. If personal information must be
collected and associated with tag data, the RFID user must satisfy the following five
requirements:
a. Consent. Obtain written consent from an individual before any personally identifiable
information of the individual, including name, address, telephone number, credit card
number, and the like, is attached to, stored with, or otherwise associated with data
collected via the RFID System.
b. Purpose. Before obtaining written consent, the RFID User must inform the RFID
subject about the purpose of associating gathered data with personal information, and
specify that purpose before such attaching, storing, or association.
c. Use limitation. Before obtaining written consent, the RFID User must inform
individuals about the scope of use of gathered data, whether the use is limited to the
person's own interests or whether the data will be disclosed to third parties. Keep data
only as long as it is necessary for the purpose for which the data was associated with
personal information.
d. No third party disclosure. Not disclose, directly or through an affiliate, to a
nonaffiliated third party an individual's personally identifying information in association
with RFID tag identification information.
e. Data quality. Keep gathered data accurate, complete and up-to-date, as is necessary
for the purposes for which it is to be used.
4. SECURITY. Take reasonable measures to ensure that any data processed via an
RFID system is transmitted and stored in a secure manner, and that access to the data
is limited to those individuals needed to operate and maintain the RFID system.
5. OPENNESS. RFID Users must make readily available to individuals, through the
Internet or other equivalent means, specific information about their policies and practices
relating to its handling of personal information. Any personally identifiable information
itself shall be provided upon written request of the individual in a secure manner.
6. ACCOUNTABILITY. Designate someone who is accountable for the RFID User's
compliance with these guidelines.
B. What RFID Users Must NOT Do:
1. TRACK. Track the movement of RFID subjects at any time without their written
consent to all tag reading events. RFID users shall not track individuals via tagged items
on the premises or outside the premises where an RFID system is employed to obtain
individual shopping habits or any other such information obtainable through tracking,
even upon suspicion of such activities as fraud or shoplifting.
2. SNOOP. Record or store tag data from tags that do not belong to the RFID User for
any reason except for the processing of returns or warranty service and upon the
consumer's request. RFID users shall not collect RFID data from objects on, or carried
by, an individual person for the purpose of generating a consumer profile, even if the
profile is assigned anonymously.
3. COERCE. Coerce or force individuals to keep tags turned on after purchase for such
benefits as warranty tracking, loss recovery, or compliance with smart appliances; and
not require individuals to provide unnecessary personal information as a precondition of
a transaction. RFID Users must allow individuals who so desire to enroll anonymously in
any RFID data-gathering scheme.
C. RFID Subjects' rights:
1. ACCESS. RFID Subjects must have the right to access data containing personally
identifiable information collected through an RFID system, and have the opportunity to
make corrections to that information.
2. REMOVAL. RFID Subjects have the right to get tags removed from tagged items.
3. ACCOUNTABILITY. RFID Subjects have the right to challenge the compliance of
persons employing RFID systems when practice contradicts the guidelines set forth
above.
Labels: epic.org, FTC, jonathan warren, privacy rights, RFID best practices, RFID chip
Tuesday, August 4, 2009
Feds at DefCon Alarmed After RFID’s Scanned | Threat Level | Wired.com
Those following the privacyauthority.org entry http://privacy-pimp.blogspot.com/2009/07/chips-in-official-ids-raise-privacy.html will be interested in this update.
Feds get a taste of their own Medicine in Las Vegas annual hacker summit.
Feds at DefCon Alarmed After RFID’s Scanned Threat Level : Wired.com
The security risks of RFID use have been visited on the very federal agent proponents of such devices. Fortunately for the feds, this surprise took place in the somewhat safer environment of the DefCon hacker convention in Las Vegas.
The amiable individuals who scanned the feds were nice enough to destroy the data in front of the feds, causing heartbeats to resume their regular rhythm.
Another lesson in Las Vegas.
Labels: DefCon, jonathan warren, RFID chip, security risk, wired
Monday, July 27, 2009
Bill Gates Demonstrates Lack of Privacy Comprehension
Quotes from Gates make one wonder if the Microsoft founder comprehends the security problems posed by over-tracking of individuals. Indeed, he does not seem to grasp the basic problem of everyone around you knowing your name and health history before you even introduce yourself:
Gates Faults U.S. Policy on Data Privacy and Immigration - NYTimes.com
It is little wonder that privacy advocates shy away from Microsoft. It will be interesting to see how they are able to compete with this inability to comprehend the need for privacy or to act with best practices.
Privacy comprehension and practice have become a proving ground of international business, on which the US is, at least for now, failing miserably.
Labels: Bill Gates, jonathan warren, Microsoft, privacy violation, RFID chip
Saturday, July 11, 2009
Chips in official IDs raise privacy fears - Yahoo! News
Nightmare security issues with the new US Passport and e-Passport (Passport Card) call into question the compliance of these documents with even the most basic security issues.
Chips in official IDs raise privacy fears - Yahoo! News
The Dept. of Homeland Security did much to avoid the risk of hackers getting into the database, by making the number a mere pointer to their own files grounded in DHS computers. But the very function of the RFID chip, broadcasting an ID number, is easily co-opted by the private sector (retailers), and combined with the other information the retailer collects.
No need to obtain the government's data file, just about anyone can buy the data collected by the retailer, including your identity, all of your buying habits and payment options, demographics information, etc. The data then is neatly wrapped up and tied together with your RFID number, then sold, legally, to any number of buyers.
Now you walk through the mall, with your new driver's license, passport or passport card in your wallet, and that Israeli chick at the kiosk with the Dead Sea soap calls you by name - from 30 feet away.
Worse, some creepy guy likes what he sees when you pull up next to him in traffic. He inputs your RFID on his mobile, and gets everything about you, including address. He may even add your license plate number to the database app on his iPhone.
Worse again, you can be completely watched on cameras which turn on only when you are within 30 feet, anywhere in the world. You might not be worried about that at home, but what about when you are at a foreign airport, or in a foreign city? How about when you are crossing between two foreign countries?
It seems that RFID has no redeeming value. Please comment.
Labels: e-passport, ID theft, jonathan warren, passport, passport card, RFID chip