RFID, Surveillance and Privacy: The Sorting Door Project PowerPoint PPT Presentation


Title: RFID, Surveillance and Privacy: The Sorting Door Project


1
RFID, Surveillance and Privacy: The Sorting
Door Project
  • Stapleton-Gray Associates, Inc. is engineering
    the Sorting Door Project as an experimental test
    bed for the study of RFID, surveillance and
    privacy. RFID is a technology well-suited to
    surveillance.
  • What you wear or carry, if RFID tagged, can be
    observed. Many, many more things will be tagged;
    many, many more readers will be out there.
  • The Sorting Door architecture is intended to
    invite and accept participation from all parties
    interested in understanding:
      • The technological envelope for monitoring
        RFID-tagged objects
      • How inferences might be made, based on such
        observations
      • What technology and policy options might prevent
        abuse of RFID-based surveillance, where
        necessary.

2
RFID Well-Suited to Surveillance
  • RFID is being rapidly and widely deployed, driven
    primarily by commercial demands ("800-pound
    gorillas" WalMart and DOD)
  • Both tags and readers are proliferating. And
    while they may be deployed initially for isolated
    applications, tags are promiscuous talkers and
    can be detected by many other readers... readers
    are promiscuous listeners, and can detect many
    other tags.
  • RFID is a technology well-suited to surveillance:
      • Can be interrogated at a (limited) distance
      • Does not require line-of-sight, but can read
        through (some) things
      • Undetectable by (most) people.

3
RFID Forecasts
  • RFID is already in widespread application,
    especially for:
      • Access, e.g., building access badges and car key
        security
      • Toll payments, e.g., E-Zpass, FasTrak, and
        Mobile Speedpass
  • But the larger wave coming is in commercial
    supply chain, and, eventually, item-level tagging
    of consumer goods.
  • The cost and effectiveness of tags are gating
    factors: item-level tagging won't make sense if
    tags are an appreciable percentage of the value
    of an item; a 50¢ tag makes sense on a pallet of
    cases of boxes of toothpaste, but not on a tube.
    The 5¢ tag (in quantity) is something like the
    4-minute mile... something to shoot for.
  • Tag manufacturer Alien Technology announced this
    month that it had shipped a total of 50 million
    EPC Class I RFID tags over the past year (but
    compare with 2.5 billion boxes of cereal
    purchased in the U.S. annually... a ways to go!).

4
Market Forces
Two "800-pound gorillas" have provided enormous demand
for RFID deployment: both WalMart and the U.S.
Department of Defense have mandated that
suppliers employ RFID tags on shipments, starting
at the aggregate level (cases and pallets).
(Note: for some items, case- and item-level
tagging might be equivalent, e.g., microwave
ovens.) Many major retailers have followed
WalMart's lead. The U.S. Food and Drug
Administration has suggested that RFID tagging
may be mandated to allow for counterfeit drug
detection, i.e., to be able to track a
pharmaceutical's supply chain history, and flag
those which lack an appropriate pedigree. Many
libraries (including the Berkeley, California
Public Library) have adopted RFID to better
manage collections.
5
RFID, Surveillance and Privacy: the Threat Model
The laws of physics limit the useful range of a
passive RFID tag, and, by nature, passive tags
can be continually polled by readers but do not
allow continuous tracking. But these limitations
do not eliminate all threats; they merely help to
define the boundaries of the threat model. RFID's
limited useful range suggests that threats will
come in constrained spaces. Many early RFID
deployments focus on doorways, e.g., RFID-tagged
library books are read as patrons pass through
detector gates. Doorways are ideal environments
for RFID-facilitated surveillance generally:
subjects can be isolated, placed in close
proximity to easily-hidden readers, and there are
opportunities to employ complementary sensor
technology (e.g., optical or pressure sensors to
isolate specific individuals from among several).
6
The Threat Model (cont.)
RFID will allow for the collection of many, many
more data points. These data will be little
glimpses into activity, a kind of "point
surveillance," but a lot of little glimpses may
reveal a bigger picture. Identity binding can
make some of these data points much more
valuable, when a unique identifier (i.e., a
specific RFID tag) can be mapped to a particular
individual. It will be possible to make
inferences from the nature of objects seen, i.e.,
when an RFID-tagged consumer good is detected,
one can attribute to its wearer/bearer various
characteristics... "Odds are pretty good that the
person who just passed us with a size 4 Donna
Karan dress isn't a six-foot-tall man."
7
Privacy and Pointillism...
8
Privacy and Pointillism... (cont.)
Georges Seurat's "A Sunday on La Grande
Jatte – 1884," at varying levels of abstraction.
Even the lower right image is actually an
abstraction of an abstraction: while the original
work is still composed of distinct points, the
image you're seeing here was produced at far
fewer dots per inch by the printer... The
message is that data points may become far, far
more common, due to RFID. While each, by itself,
is next to meaningless, in vast accumulations
you'll start to discern meaningful pictures. Or,
as Lenin said, "Quantity is quality."
9
Identity Binding
Tags can be used to uniquely identify objects
(this is why the keen interest in RFID in
commercial supply chain) with a vast name space:
the Electronic Product Code (EPC) 96-bit value
could uniquely identify every object you'd care
to, with a lot of space left over. When tags are
seen, they'll often uniquely identify objects:
"That same thing passed by this reader just now,
Monday morning, and Tuesday evening." When the
wearer/bearer of a tagged object presents
additional information, e.g., a driver's license
or passport, that now-revealed identity can be
bound to any tags present. "The next time we see
a given tag, that's Alice's thing... maybe we're
seeing Alice again." Note 1: This works for
historical data: "We know now that that was
probably Alice at all these points over the past
year." Note 2: This is an educated guess, and
depends on the nature of objects. People tend to
borrow umbrellas and books, but not underwear...
10
Inferences from the Nature of Objects
  • EPCs will be forward/backward compatible, as much
    as is possible, with legacy product codes like
    the UPC. (And why not? Why abandon 30 years of
    industry standardization in product codes?)
  • Mapping product codes to product information is
    well understood, e.g., for converting
    point-of-sale data to market research insights
    ("People who buy Widgets also buy Gizmos; both
    are consumer electronics goods").
  • Many objects will permit strong inferences to be
    made, regarding the individual wearing/bearing
    them:
      • size 4 Donna Karan dress
      • man's size 13 shoe
      • first edition copy of Earth in the Balance
  • NB: this will depend heavily on item-level
    tagging of objects in commerce... proponents see
    that coming soon; others of us are a bit
    skeptical.

11
The Sorting Door
"A terrified-looking boy Harry had noticed
earlier stumbled forwards and put the Hat on his
head; it was only prevented from falling right
down to his shoulders by his very prominent ears.
The Hat considered for a moment, then the rip
near the brim opened again and shouted:
'Gryffindor!' Harry clapped loudly with the rest of
Gryffindor house as Euan Abercrombie staggered to
their table and sat down, looking as though he
would like very much to sink through the floor
and never be looked at again." J. K. Rowling,
Harry Potter and the Order of the Phoenix

Like Harry Potter's Sorting Hat, the Sorting Door
will similarly interrogate individuals for (to
them) intangible qualities, and make inferences
as to their nature and implications.
12
The Sorting Door (cont.)
  • Doors are attractive points for RFID-based
    surveillance
  • RFID read ranges, for most commonly-encountered
    tags, are short, but not less than a meter or so
  • Lots of readers already installed in doors,
    e.g., anti-theft gates in libraries
  • Doors are appropriate places to take actions:
    bar a potential threat, or welcome a potential
    friend, ally, or cherished customer.
  • Other data collection may also be possible at
    doors, e.g., presentation of a driver's license
    for admission, or biometric data.

13
The Sorting Door Architecture
[Architecture diagram. Labeled elements: Sorting Door 1 ... Sorting Door N, Internet, Identification Engine, Databases, ONS, Commercial Data; callouts numbered 1 to 8.]
14
The Sorting Door Architecture (cont.)
  • An instrumented Sorting Door
  • Communication of observed RFIDs to the
    Identification Engine and databases
  • Presentation of information on RFIDs observed,
    and inferences made, for educational or other
    purposes
  • Other Door implementations
  • Identification Engine
  • Databases of RFID tag observations
  • Databases of supporting data
  • EPCglobal's Object Naming Service (ONS) and
    associated electronic product code (EPC)-keyed
    data
  • Multiple Doors share common resources on the back
    end, though any Door's information might be
    segregated as desired for security/privacy
    purposes.

15
Research Questions
  • Research questions arise in the context of each
    element of the Sorting Door architecture
  • How best to design various forms of instrumented
    Sorting Doors, acknowledging various
    environments, supporting technologies and
    collection interests?
  • How should Doors interact with those who
    encounter them?
  • How might the collection of multiple Doors be
    aggregated and integrated?
  • What forms of databases and applications are
    needed to derive inferences from RFID tags seen
    by the various Sorting Doors, whether singly, or
    in collaboration?
  • How to acquire and integrate contextual data,
    e.g., on the nature of consumer products
    detected?

16
Sorting Doors
While the simplest implementation of a Sorting
Door might be, as with library gates, a
single-frequency reader monitoring an egress,
Doors might vary widely in design, capability and
purpose. Any given space, e.g., a lecture room,
corridor, or vehicle interior, could be
instrumented as a Sorting Door; "Door" is intended
to be a very stretchy metaphor. (Note also the
similarity to research work on "smart
spaces"; our interest here is in non-cooperative
RFID, where surveillance, and not collaborative
communication, is the focus.)
17
Interaction With Test Subjects
Some of the uses of the Sorting Door system will
be to educate and inform audiences, e.g.,
students of the societal impacts of RFID as a
technology of surveillance, or the public in
general. Some Doors might be deployed with an
accompanying information kiosk, capable of
displaying data collected by the associated Door,
and explaining the implications of such
collection.
"Did you know that you're carrying some
RFID-tagged items? Care to know what we can
guess about you, based on what we see?"
18
Integration of Multiple Doors
A single Sorting Door might produce interesting
data; integrating several, or numerous, Doors
even more so. Privacy concerns should rise as
a function of the degree of pervasiveness of
both RFID tags and readers in society, as more
and more data points are collected by more and
more parties, allowing for the construction of
rich mosaics of human activity. Some of the
Sorting Door research will consider synthetic
models, e.g., assuming degrees of pervasiveness
of tags in populations, and readers across
geographies, to attempt to assess potential
futures.
19
Databases and Inference Engines
Data collected by Doors can be pooled in
databases and, with other information, used to
develop inferences and assertions. This would
include the construction of tentative assertions
of identity, and the extraction of patterns in
large volumes of point surveillance data. Doors
do not have to share all of the information they
collect, given security/privacy concerns. Doors
should be able to provide deidentified data as
well: "When you see tag 123456, it can be mapped
to a unique individual, with some probability.
We know who, since s/he presented a credit card,
but that's not something we're going to tell just
anybody! Let's just call him/her 'Person
6789.'" Keeping track of data, including
deidentified data and data with other sharing
constraints, will be a challenge.
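
An added illustration of the deidentified sharing described on this slide (not code from the Sorting Door Project): a Door keeps its tag-to-identity bindings private and exports each sighting with a keyed pseudonym in place of the identity. The key, binding table, observations, probability threshold and function names are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed Door-local secret; a real Door would generate and guard its own.
DOOR_KEY = b"constructed-door-local-secret"

# Constructed binding table held only by the Door: tag -> (identity, probability).
BINDINGS = {
    "123456": ("Alice Example", 0.9),  # identity presented with a credit card
    "555000": ("Alice Example", 0.3),  # umbrella: often borrowed, weak binding
}

# Constructed observations: (door, timestamp, tag id).
OBSERVATIONS = [
    ("door-1", "2005-03-07T09:02", "123456"),
    ("door-1", "2005-03-08T18:40", "123456"),
    ("door-2", "2005-03-08T18:55", "555000"),
    ("door-2", "2005-03-09T08:10", "999999"),  # never bound to anyone
]


def pseudonym(identity, key=DOOR_KEY):
    """Stable keyed label for an identity; not reversible without the key."""
    mac = hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()
    return "Person-" + mac[:8]


def deidentify(observations, bindings, key=DOOR_KEY, min_probability=0.5):
    """Return shareable records: sighting kept, identity replaced or withheld."""
    shared = []
    for door, seen_at, tag in observations:
        identity, probability = bindings.get(tag, (None, 0.0))
        if identity is None or probability < min_probability:
            subject, probability = None, 0.0  # too weak to assert anyone
        else:
            subject = pseudonym(identity, key)
        shared.append({"door": door, "seen_at": seen_at, "tag": tag,
                       "subject": subject, "probability": probability})
    return shared


if __name__ == "__main__":
    for record in deidentify(OBSERVATIONS, BINDINGS):
        print(record)
```

The pseudonym is stable, so shared records stay linkable across sightings even though the name is withheld; this is part of why tracking deidentified data and its sharing constraints is a challenge.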
20
Contextual Data
The largest push in RFID deployment is on the
consumer goods front. If item-level tagging of
consumer goods becomes significant, the
compilation of information about consumer
goods (the "nature of objects seen") will contribute
to the ability to make accurate inferences about
the individuals who bear or wear them. EPCglobal,
the consortium shepherding the Electronic Product
Code (EPC) standard, has defined an Object Name
Service (ONS) to allow for anyone encountering an
EPC-coded RFID tag to ask, "Who can tell me about
this object?", and get a pointer to its
manufacturer. Knowing what an object is allows
for stronger inferences: "We're seeing a man's
jacket, a briefcase, and a PDA. Let's guess an
adult, and probably one with a job..."
21
Where Are We Heading?
We're only in the infancy of ubiquitous sensing,
but RFID seems likely to be broadly pervasive
(the voracious demands of consumer goods supply
chain applications alone should guarantee that),
and it's a good time to start thinking on the
implications for surveillance and privacy. The
goals of the Sorting Door Project are to reveal
RFID's potential as a tool for surveillance, to
allow for better decisionmaking, both by those
deploying RFID, and by policymakers and the
public, to define what limits we might wish to
apply through policy, law, and practice.
22
Would You Like to Participate?
  • We believe that, as highly sensitive as research
    on technologies applicable to human surveillance
    is, it is critical for government and the private
    sector to be constrained by the law,
    technological limits and policy choices, and not
    by ignorance of technology. Private interests
    will pursue R&D of RFID as a tool for monitoring,
    regardless, for applications running the gamut
    from security awareness to customer relations
    management; better that we all have a better idea
    of what they could be up to.
  • Please contact us if you might be interested in
    participating, in various research areas:
      • Data mining and analysis
      • Research and development of Sorting Doors (or
        adaptation of current work, e.g., in smart
        spaces) to tie in to the Sorting Door
        architecture
      • Inference engine development
      • Policy analysis and development.

23
Other Publications/Work in Progress
  • "Leveraging Product Codes for Internet Commerce,"
    white paper for CommerceNet Labs, November 2004,
    addressing implications of the Object Name
    Service (ONS) for electronic commerce
    applications.
    http://www.stapleton-gray.com/papers/CN-TR-04-06.pdf
  • "Would Macy's Scan Gimbels? Competitive
    Intelligence and RFID," research white
    paper, November 2003, examining competitive
    intelligence issues around RFID deployment, to
    appear in RFID Applications, Security and
    Privacy, Addison Wesley, July 2005.
    http://www.stapleton-gray.com/papers/ci-20031027.PDF
  • Cargo Awareness Network/Contents Understanding
    Network (CANCUN), work in progress, examining the
    application of RFID and inferences from the
    nature of objects to situational awareness and
    security in commerce and transportation.
24
Stapleton-Gray Associates, Inc.
Stapleton-Gray Associates, Inc. provides
information technology and policy consulting
services, systems analysis and design, and
project management. Our areas of emphasis include
security, privacy, surveillance technologies and
systems, and unique identifiers, including
radio-frequency identification (RFID).
P.O. Box 7615, Berkeley CA 94707-0615
http://www.stapleton-gray.com
http://www.RFIDredteam.com
Ross Stapleton-Gray, Ph.D.
Dr. Stapleton-Gray has served as an intelligence
analyst with the CIA; in technology research and
policy positions in academia, an industry trade
association, and with two IT security start-ups;
and as a research analyst for Skaion Corp.