Security-Challenged Arphids at a Survey Near You
An MBA classmate in my on-line degree program is conducting a survey about RFIDs and he'd like a broad response. The only problem that I found with it is that the surveymonkey.com site raises more than enough privacy concerns for the RFID-wary and demonstrates the level of casualness about all of this that we exhibit in our actual behavior. I didn't complete the survey exercise. If you want to examine it yourself, follow the link in the title of this article. Here's roughly what I had to say when I declined to follow through:
- The survey site requires persistent cookies to be stored. Upon noticing that cookies are being blocked, the site suggests actions on the part of the visitor that can grant more privileges than this visit requires. The advice also fails to recognize that the blocking might be accomplished with a firewall, not a browser. SurveyMonkey wants to store a persistent cookie, not just a session cookie, perhaps to avoid duplicate submissions or to allow people to return and revise a previous or incomplete response. I don't know. They don't say why, they just say "trust us." Maybe the linked privacy policy explains it; I didn't look.
- The site also requires scripts to be enabled for any form to appear (I see no entries that I can fill in except at the bottom). Script blocking isn't detected automatically. At this point, I had the choice to enable scripts or not (I can see the form, but not use it). I chose not to continue.
- The survey reinforces a common misconception in its introduction, biasing the reader. The survey describes RFIDs as if the ones being deployed these days are of the active variety. The current supply-chain RFIDs are almost all passive RFIDs and they are not active transmitters -- they passively respond to a scanner, using the energy of the scanning signal for power -- and work at a much shorter range than the 10 meters suggested in the survey introduction. Active RFIDs, with "batteries on board," are too expensive, but they have great applications in the transportation industry, as in monitoring wear and dangerous overheating of truck tires.
- The hypothetical case of being charged automatically as you leave the store, rather than stopped to pay for your purchase, assumes a legal power and a way to identify you that is beyond the technical capacity of a merchandise-attached RFID to accomplish -- the RFID has no way to report who the bearer of the merchandise is. On the other hand, it would be interesting for a retailer to try this. It should result in some fascinating new case law and in the US at least the Bank Card companies will probably not be happy with those merchants, since repudiations are almost all resolved in favor of the consumer. This will turn into an undesirable cost for merchants who make disputable charges against bank cards. (See the PayPal and eBay practices around this in the US, if you can access those policies from where you are.)
- I find all of this pretty fascinating, and I think surveying for the public perception is fine, though one might want to look at problems of sample choice and whatnot. Relying on a survey of self-selected respondents is about as good as newspaper call-in numbers for conducting automated surveys on the O.J. Simpson trial. It might work for reality TV, but what does it tell us that one can calibrate as useful?
- For a realizable scary case, consider suicide bombers/terrorists/assassins who have RFID scanners on their person and the explosive device is designed to go off automatically when it detects the RFID-coded passport or ID card of a citizen from a particular nation, or even a particular citizen from a particular nation.
- More at http://orcmid.com/blog/2004/11/rfid-privacy-being-ignored.asp, et seq. [;<).
ACM News Service: RFID's Security Challenge. Meanwhile, this 2004-11-22 blurb points out that the RFID scanning world is subject to surveillance, counterfeiting, and other observations that the users of the devices may find unwanted. Naturally, there are solutions and standards yet to develop, and, I'm sure, people who are willing to hawk solutions. One might begin to consider that this is becoming too complicated for its promised benefits, and it exceeds the management capacity of your everyday, bargain-basement giant retail chain (or defense establishment).
The 2004-11-15 Information Week Article has more juice, giving some insight into the EPCglobal Network that is relied upon for bringing together and collating all of those scans, or at least providing data about the EPC that an RFID returns as part of being scanned. There's also more on how the programmable chips coming into the product stream are not write-protected and will be easily hacked. Hey, I'm not a shiny new maxed-out iPod, I'm a mere $20 bill (to borrow from another urban legend)!
posted by orcmid
at 12/7/2004 10:11:14 AM