Rob van Kranenburg on Tue, 8 Jul 2003 01:01:00 +0200 (CEST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> interesting reading


Subject: CASPIAN Uncovers Gaping Hole in RFID Site Security
From: CASPIAN Newsletter <newsletter@nocards.org>
To: newsletter <newsletter@nocards.org>
Organization:
Date: 07 Jul 2003 14:10:53 -0400

FOR IMMEDIATE RELEASE
July 7, 2003

RFID Site Security Gaffe Uncovered by Consumer Group

CASPIAN asks, "How can we trust these people with our personal data?"

CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)
says anyone can download revealing documents labeled "confidential" from
the home page of the MIT Auto-ID Center web site in two mouse clicks.

The Auto-ID Center is the organization entrusted with developing a
global Internet infrastructure for radio frequency identification
(RFID). Their plans are to tag all the objects manufactured on the
planet with RFID chips and track them via the Internet.

Privacy advocates are alarmed about the Center's plans because RFID
technology could enable businesses to collect an unprecedented amount of
information about consumers' possessions and physical movements. They
point out that consumers might not even know they're being surveilled
since tiny RFID chips can be embedded in plastic, sewn into the seams of
garments, or otherwise hidden.

"How can we trust these people with securing sensitive consumer
information if they can't even secure their own web site?" asks CASPIAN
Founder and Director Katherine Albrecht.

"It's ironic that the same people who assure us that our private data
will be safe because 'Internet security is very good, and it offers a
strong layer of protection' [see
http://www.autoidcenter.com/new_media/media_kit/questions_answers.pdf]
would provide such a compelling demonstration to the contrary," she
added.

Among the "confidential" documents available on the web site are slide
shows discussing the need to "pacify" citizens who might question the
wisdom of the Center's stated goal to tag and track every item on the
planet [ http://www.autoidcenter.com/media/communications.pdf ], along
with findings that 78% of surveyed consumers feel RFID is negative for
privacy and 61% fear its health consequences
[ http://www.autoidcenter.org/media/pk-fh.pdf ].

PR firm Fleischman-Hillard's confidential "Managing External
Communications" suggests a variety of strategies to help the Auto-ID
Center "drive adoption" and "neutralize opposition," including the
possibility of renaming the tracking devices "green tags." It also lists
by name several key lawmakers, privacy advocates, and others whom it
hopes to "bring into the Center's 'inner circle'"
[ http://www.autoidcenter.com/media/external_comm.pdf ].

Despite the overwhelming evidence of negative consumer attitudes toward
RFID technology revealed in its internal documents, the Auto-ID Center
hopes that consumers will be "apathetic" and "resign themselves to the
inevitability of it" instead of acting on their concerns
[ http://www.autoidcenter.com/publishedresearch/cam-autoid-eb002.pdf ].

Consumer citizens who are not feeling apathetic will be pleased to learn
that the site provides names and contact information for the corporate
executives who oversee the Center's efforts. Since the phone list isn't
labeled "confidential," we're assuming that Auto-ID Center Board members
are open to calls and mail that might help them better understand public
opinion on this important subject.

Anyone interested in speaking with Dick Cantwell, the Gillette VP who
heads the Center's Board of Overseers, for example, can find his direct
office number listed on the Auto-ID Center's website here:
http://www.autoidcenter.com/uploads/226691160-list_board_of_overseers.pdf
mirrored at:
http://cryptome.org/rfid/226691160-list_board_of_overseers.pdf

To experience the Auto-ID Center's security holes firsthand, simply
visit the web site at http://www.autoidcenter.org and type
"confidential" in the site search box. The Center encourages such site
exploration: "Our website has Research Papers and other information that
anyone can download for free. There is also a Sponsors Only area of the
site, which includes information and materials not available to the
public at large. We encourage you to visit our site frequently to stay
up to date with the Center's many activities."

Following are other examples of sensitive documents available at the
site:

February 27, 2003 Board minutes:
http://www.autoidcenter.com/media/feb03_board/joint_minutes_feb03.pdf

ONS server schematics:
http://www.autoidcenter.com/media/feb03_board/oatsystems.pdf

EMS documentation:
http://www.autoidcenter.com/media/software.pdf

Documentation of RFID field tests:
http://www.autoidcenter.com/media/field_test_nov02.pdf

These documents and many more have been mirrored in several places,
including the Cryptome website at:
http://www.cryptome.org/rfid-docs.htm

Note: The Cryptome website contains links to all 68 documents that
appeared when the word "Confidential" was typed into the Auto-ID
Center's search engine the morning of July 7, 2003.


Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN)
is a grass-roots consumer group fighting retail surveillance schemes
since 1999. With members in all 50 U.S. states and 15 nations across the
globe, CASPIAN seeks to educate consumers about marketing strategies
that invade their privacy and to encourage privacy-conscious shopping
habits across the retail spectrum.

For more information about CASPIAN, visit http://www.nocards.org.

Katherine Albrecht, CASPIAN Founder and Director: kma@nocards.org
Mary Starrett, CASPIAN Media Associate: media@nocards.org

###


=========================================================================

CASPIAN - Consumers Against Supermarket Privacy Invasion and Numbering
A national consumer organization opposing supermarket "loyalty" cards
and other retail surveillance schemes since 1999

http://www.nocards.org

We encourage you to duplicate and distribute this message to others.

==========================================================

To subscribe or unsubscribe to the CASPIAN mailing list, click the
following link or cut and paste it into your browser:

http://www.nocards.org/cgi/mojo/mojo.cgi

If you have difficulty with the web-based interface, you may also
subscribe or unsubscribe via email by writing to:

admin@nocards.org

==========================================================

For CASPIAN's overview of RFID product identification and tracking
technology, please see:  http://www.nocards.org/AutoID/overview.shtml
-- 


web: http://simsim.rug.ac.be/staff/rob
mail: kranenbu@xs4all.nl
mobile:
++32 (0) 472 40 63 72
Call home first 0032 9 2333 853

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net