[ASRG] Re: public relations hole in RFID web site

Simson L. Garfinkel simsong at lcs.mit.edu
Mon Jul 7 17:23:05 EDT 2003


If I may be so bold as to follow-up:

1. Katherine Albrecht is correct to point out that the Auto-ID center
should not post "confidential" information on its website.

2. However, Katherine Albrecht seems to have glossed over the fact that
the Auto-ID center is not going to be building any databases of
anything. The Auto-ID center is an industry consortium. The databases,
if they even exist, would be created by the individual manufacturers
and members of the supply chain.


On Monday, July 7, 2003, at 02:18  PM, Adam D Smith wrote:

>
> It is no secret that plans to make RFID ubiquitous have concerned
> (indeed, frightened) many consumer groups, who are waging a mini
> public relations war against RFID. The press release is high on hype
> and low on content, but the point about databases is clear.
>
> There was a session on RFID security at CFP (Computers, Freedom and
> Privacy) this year. Simson Garfinkel pointed out that the Auto-ID
> project has people working on security and privacy issues, but
> Katherine Albrecht (see below) seemed to doubt how real the commitment
> was at the level of the project leaders and sponsors.
>
> More info on the autoid center page and on CASPIAN's page (both linked
> below).
>
> adam
>
>
>
> ----------------------------------------------
> Subject: CASPIAN Uncovers Gaping Hole in RFID Site Security
> From: CASPIAN Newsletter <newsletter at nocards.org>
> To: newsletter <newsletter at nocards.org>
> Date: 07 Jul 2003 14:07:58 -0400
>
> FOR IMMEDIATE RELEASE
> July 7, 2003
>
> RFID Site Security Gaffe Uncovered by Consumer Group
>
> CASPIAN asks, "How can we trust these people with our personal data?"
>
> CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)
> says anyone can download revealing documents labeled "confidential"
> from the home page of the MIT Auto-ID Center web site in two mouse
> clicks.
>
> The Auto-ID Center is the organization entrusted with developing a
> global Internet infrastructure for radio frequency identification
> (RFID). Their plans are to tag all the objects manufactured on the
> planet with RFID chips and track them via the Internet.
>
> Privacy advocates are alarmed about the Center's plans because RFID
> technology could enable businesses to collect an unprecedented amount
> of information about consumers' possessions and physical movements.
> They point out that consumers might not even know they're being
> surveilled since tiny RFID chips can be embedded in plastic, sewn into
> the seams of garments, or otherwise hidden.
>
> "How can we trust these people with securing sensitive consumer
> information if they can't even secure their own web site?" asks CASPIAN
> Founder and Director Katherine Albrecht.
>
> "It's ironic that the same people who assure us that our private data
> will be safe because 'Internet security is very good, and it offers a
> strong layer of protection' [see
> http://www.autoidcenter.com/new_media/media_kit/questions_answers.pdf]
> would provide such a compelling demonstration to the contrary," she
> added.
>
> Among the "confidential" documents available on the web site are slide
> shows discussing the need to "pacify" citizens who might question the
> wisdom of the Center's stated goal to tag and track every item on the
> planet [ http://www.autoidcenter.com/media/communications.pdf ], along
> with findings that 78% of surveyed consumers feel RFID is negative for
> privacy and 61% fear its health consequences
> [ http://www.autoidcenter.org/media/pk-fh.pdf ].
>
> PR firm Fleischman-Hillard's confidential "Managing External
> Communications" suggests a variety of strategies to help the Auto-ID
> Center "drive adoption" and "neutralize opposition," including the
> possibility of renaming the tracking devices "green tags." It also
> lists by name several key lawmakers, privacy advocates, and others
> whom it hopes to "bring into the Center's 'inner circle'"
> [ http://www.autoidcenter.com/media/external_comm.pdf ].
>
> Despite the overwhelming evidence of negative consumer attitudes toward
> RFID technology revealed in its internal documents, the Auto-ID Center
> hopes that consumers will be "apathetic" and "resign themselves to the
> inevitability of it" instead of acting on their concerns
> [ http://www.autoidcenter.com/publishedresearch/cam-autoid-eb002.pdf ].
>
> Consumer citizens who are not feeling apathetic will be pleased to
> learn that the site provides names and contact information for the
> corporate executives who oversee the Center's efforts. Since the phone
> list isn't labeled "confidential," we're assuming that Auto-ID Center
> Board members are open to calls and mail that might help them better
> understand public opinion on this important subject.
>
> Anyone interested in speaking with Dick Cantwell, the Gillette VP who
> heads the Center's Board of Overseers, for example, can find his direct
> office number listed on the Auto-ID Center's website here:
> http://www.autoidcenter.com/uploads/226691160-list_board_of_overseers.pdf
> mirrored at:
> http://cryptome.org/rfid/226691160-list_board_of_overseers.pdf
>
> To experience the Auto-ID Center's security holes firsthand, simply
> visit the web site at http://www.autoidcenter.org and type
> "confidential" in the site search box. The Center encourages such site
> exploration: "Our website has Research Papers and other information
> that
> anyone can download for free. There is also a Sponsors Only area of the
> site, which includes information and materials not available to the
> public at large. We encourage you to visit our site frequently to stay
> up to date with the Center's many activities."
>
> Following are other examples of sensitive documents available at the
> site:
>
> February 27, 2003 Board minutes:
> http://www.autoidcenter.com/media/feb03_board/joint_minutes_feb03.pdf
>
> ONS server schematics:
> http://www.autoidcenter.com/media/feb03_board/oatsystems.pdf
>
> EMS documentation:
> http://www.autoidcenter.com/media/software.pdf
>
> Documentation of RFID field tests:
> http://www.autoidcenter.com/media/field_test_nov02.pdf
>
> These documents and many more have been mirrored in several places,
> including the Cryptome website at:
> http://www.cryptome.org/rfid-docs.htm
>
> Note: The Cryptome website contains links to all 68 documents that
> appeared when the word "Confidential" was typed into the Auto-ID
> Center's search engine the morning of July 7, 2003.
>
>
> Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN)
> is a grass-roots consumer group fighting retail surveillance schemes
> since 1999. With members in all 50 U.S. states and 15 nations across
> the
> globe, CASPIAN seeks to educate consumers about marketing strategies
> that invade their privacy and to encourage privacy-conscious shopping
> habits across the retail spectrum.
>
> For more information about CASPIAN, visit http://www.nocards.org.
>
> Katherine Albrecht, CASPIAN Founder and Director: kma at nocards.org
> Mary Starrett, CASPIAN Media Associate: media at nocards.org
>
> ###
>
>
> =========================================================================
>
> CASPIAN - Consumers Against Supermarket Privacy Invasion and Numbering
> A national consumer organization opposing supermarket "loyalty" cards
> and other retail surveillance schemes since 1999
>
> http://www.nocards.org
>
> We encourage you to duplicate and distribute this message to others.
>
> ==========================================================
>
> To subscribe or unsubscribe to the CASPIAN mailing list, click the
> following link or cut and paste it into your browser:
>
> http://www.nocards.org/cgi/mojo/mojo.cgi
>
> If you have difficulty with the web-based interface, you may also
> subscribe or unsubscribe via email by writing to:
>
> admin at nocards.org
>
> ==========================================================
>
> For CASPIAN's overview of RFID product identification and tracking
> technology, please see:  http://www.nocards.org/AutoID/overview.shtml
>