Computers, Privacy & the Constitution

In Defense of RFID

-- By DanielHarris - 8 Mar 2009


RFID and related technologies in the form of the contactless smart card have taken a beating, often literally. Smart cards were part of my daily life a year before the technology found its way into our CUIDs. At any given time in Hong Kong, I typically had three “smart” cards on my person: the HKID (a contact smart card), the Lingnan ID (functionally identical to the CUID), and the Octopus. Fond memories of the Octopus in particular make me want to make sure we don’t throw out the baby with the bath water.

What “Baby” is This?

The Octopus is a contactless RFID stored-value card, available in anonymous and personalized versions. Operated by a consortium of Hong Kong transport operators (and therefore, like the MTR Corporation, effectively controlled by the HKSAR government), the Octopus began its life in 1997 as a common stored-value card for public transport. It is now used by 95% of Hong Kong’s adult (16-65) population and accepted not just on all scheduled public transport, but also in numerous retail settings: grocery stores, drugstores, ubiquitous convenience stores, parking meters, vending machines, and prominent fast-food restaurants. At my university, the student canteen (cafeteria) and library copying machines and printers accepted Octopus, too. The retail network is a powerful argument for Octopus use even just on transport, as any staffed retail location accepting Octopus can accept cash to load onto the card.

Why is it so popular? Time. The transaction time for transport is 300ms--quick enough to tap one’s closed wallet while moving through a turnstile at full rush hour speed--with a leisurely 1 sec. allowed for retail transactions. Even without considering the difficulties of fumbling around with small coins, worth as little as a US penny, to make exact change for a bus, this speed lets passengers tap their cards for distance-based fares and intermodal interchange discounts without clogging the series of underground tubes. Anyone who’s had the misfortune of riding a NYCT bus, or who makes a habit of outpacing cross-town buses on foot, can see the implications: buses become downright usable when they aren’t daintily reading Metrocards for five minutes at every stop. An on-the-honor paper ticketing system has this advantage, but still requires queuing beforehand to purchase tickets.

Contactless smart cards are also more durable than their alternatives: I occasionally had to clean the contacts on my rarely-employed HKID with a pencil eraser, and have had my share of demagnetized or scratched magnetic stripes.

Privacy Protections

The most important privacy protection for the Octopus is that it need not be registered or personalized. Only students need provide their personal data, and then only if they desire the student discounts available on some of the transportation networks. Secondly, the Octopus is a cash card system--although a credit-card-based auto-replenishment system is available, the vast majority of passengers will buy and refill their Octopus with Hong Kong Dollar banknotes. Nothing stops one from exchanging cards (as long as one is eligible for any discounts on the card) or maintaining multiple cards: in fact, Octopus encourages buying limited-edition “sold” cards (or chip-containing products) with, for example, holiday designs or cartoon characters on the card. Although anonymous cards still have identifying serial numbers, the possibility for correlation with personal identity is far lower than with credit or debit cards.

But What About the Howling?

Of course, given the substantial presence of surveillance cameras at transport facilities, it should be fairly easy to correlate an anonymous Octopus serial number with the face (and perhaps identity) of its user. The same, though, applies to the $4 Metrocard you can buy from a newsstand, or to a credit or debit card.

We’ve heard a lot about cards “howling” (which refers to the replies of cards to readers close enough to reach them and hear back). The howling nature of the Octopus (or the CUID) and the ability to use it through a bag or wallet is part of what makes it successful, but there are countermeasures available for things we’re more worried about: contactless US passports are allegedly shielded when closed, and contactless “enhanced” driver licenses/passport cards sometimes ship with a protective sleeve. An RFID chip's lack of an off switch is mitigated by this sort of easy countermeasure--applying a sleeve is no harder than definitively disabling, say, a mobile phone (which requires battery removal, since it has no "hard" power switch either).

I Saw the Best Minds of My Generation

Don’t forget that mobile phone--in more civilized cities it works underground, too--and it actively howls. If you would not turn off your phone or leave it at home to avoid being tracked, you gain little from smashing your RFID chips. It's probably fair to say that most of us in this class, aware of the bargain, choose the convenience of a mobile over location privacy.

You might still be worried about your cash cards--even if your rogue reader can’t crack the encryption, she’s still picking up a unique identifier. There's no technical solution to this problem, though: going out in public without disguising your appearance and gait may soon be just as treacherous, as video biometric recognition is likely to progress as fast as the technology required to build out a network of long-range RFID scanners even approaching the existing surveillance camera network's ambit. Broadcasting a unique identifier is a fact of life in modern society--this, not any specific technology, is the problem.

What’s the Real Issue?

I suspect that opposition to contactless smart cards stems from the idea that, when used for identification, they make life too easy. The user wants to be able to get through his day; the privacy advocate might rather see cumbersome identification technology hassle the user out of his complacency. The question is whether we should be requiring identification at all (or using payment cards rather than cash). Fighting that question on the merits would take more than 1,000 words, but going by Octopus’s uptake and our use of mobile phones we can assume that convenience is a compelling, perhaps deciding factor. The energies of privacy advocates will be better spent educating people about their exposure to privacy-invasion and lobbying for a legal framework protective of privacy: it’s too easy to look like an irrelevant Luddite when you’re smashing chips and playing with tinfoil.

Daniel, I find the first half of your paper particularly compelling. RFID cash cards, like the Octopus, seem to me to have traits that protect both privacy and convenience. In fact, they seem like a great compromise.

However, the second half confuses me a bit. I read your argument to say, basically, with so many other privacy concerns (cameras, cellphones, etc., etc.) we should not be concerned about RFID. Instead, you argue, privacy activists should "lobby[] for legal protections." To me this position is contradictory. How do you convince people that privacy matters if you ignore a source of its decline? People need a reason to take action. Political lobbying needs feet or dollars to make it go, and people worried about RFID privacy add both.

Another problem with your position is that it is equally true of any and every privacy concern. Don't worry about cameras-you carry a cellphone, right? Don't worry about your cellphone-you pay with a credit card, right? Privacy is eroded by many different technologies. Arguing that we should ignore one simply because beneficial uses exist for it that do not invade our privacy as much misses the point that it is the aggregate effect which erodes privacy.

-- JustinColannino - 01 Apr 2009

My position isn't equally true of every privacy concern -- I'm making a specific comparison between the information provided by howling IDs and mobile phones. One can get exactly the same information -- a unique identifier and its position -- from your mobile phone as from RFID, but we already have a perfectly good mobile-tracking infrastructure built out and in use. It just doesn't make sense, I argue, to worry about the government tracking your e-passport while you leave your mobile phone on, because they're exactly the same type of threat. In contrast, cameras (for now) capture different information (someone who looks like X was at Y) than do credit cards (someone paid for Z with X's credit card) than do mobile phones (someone with SIM card U was at S series of places). I make the mobile-RFID comparison specifically because I suspect that even in our class, very few of us have regular second thoughts about leaving our phones on.

I agree that raising the profile of RFID privacy concerns generates attention, but I worry that many people's worries about RFID privacy are subtracting respectability from a movement that's already vulnerable to accusations of paranoia rather than adding significant resources.

-- DanielHarris - 07 Apr 2009

Daniel, I take your point about the hide-the-ball nature of focusing on RFID rather than on other technologies which essentially raise the same privacy concerns. But I do wonder whether you may be a bit off base when you say: "I worry that many people's worries about RFID privacy are subtracting respectability from a movement that's already vulnerable to accusations of paranoia rather than adding significant resources." It seems to me, as a bit of a newcomer to this arena, to be the opposite--- that is, that the focus on RFID makes sense because its less immediate nature may make arguments around it seem more plausible and thus respectable.

This may be only my own experience, but I suspect someone naïve to the problem of technology and privacy may be more willing to hear about technologies that are less familiar to them, like RFID. A person unsophisticated to your arguments still has a cellphone, which they probably like, and Facebook, which they probably don’t want to give up, and credit cards which they can’t imagine living without. I wonder if focusing on RFID (which undoubtedly runs a bit into the tin-foil hat problem you write about) at least has the effect of allowing listeners who might turn off a more mainstream argument, precisely because it was mainstream, and thus reached them in ways they’d rather not think about, to get some grounding in the idea that technology can and does impinge on our privacy in all sorts of devious and subterranean ways. Of course, it’s also quite possible the same people who would hear “cellphone privacy invasion” and immediately switch off because, hey, who’s going to give up their cell phone, are the same people who hear “RFID” and immediately begin looking for the roll of Reynolds. Either way, it’s just something to think about as a possible (small) counterpoint to your argument.

-- DanaDelger - 08 Apr 2009

Daniel, I think that we are talking past each other a little bit when we compare privacy violating technologies. I perceived your argument in the section labeled 'I saw the greatest minds of my generation' as arguing: don't worry about your mobile cash cards, unless you wear a disguise or turn your phone off people can still get the same information (your location) from you. I object to that argument because it can be made the other way: don't worry about your cellphone, unless you wear a disguise or do not carry anything with RFID people can still get the same information (your location) from you.

You respond that you "make the mobile-RFID comparison specifically because I suspect that even in our class, very few of us have regular second thoughts about leaving our phones on." I think that you are trying to make the more nuanced point that for all the hoopla about RFID, people don't give a second thought to carrying a cellphone and that maybe they should be more consistent in their fears? Is this right? If so, I had a hard time distilling that excellent point from the text.

As for the point about lobbying, I agree that the smashing chips and playing with tin-foil problem (hilarious, by the way) is a real concern for privacy advocates. However, I think the solution is thinking about more effective ways to communicate RFID (and other privacy) issues to the general public, not to abandon speech about technologies that do indeed pose a threat to privacy. But perhaps this is what you mean by the word "lobbying", in which case we are on the same page.

-- JustinColannino - 08 Apr 2009

Dana, interesting counterpoint -- but, admitting it for the sake of the argument, I don't think there's much time left for it. EZ-Pay and its brethren have been in wide use for a while now, and that's a logical, familiarizing, and accurate analogy for prospective payment providers to use. I still think (granting that my perceptions of Joe the Public's values may be completely off base) that it might be easier to gin up fear of pervasive CCTV, with the aid of red-light/speed cameras.

Justin, yes, I'm not actually suggesting not to worry. I'm suggesting that we temper our worries about any one of these issues with an awareness of what we're already willing to give away, which I think my (severely in need of distillation) mobile example drives home. Those of us in class, at least, have a clear choice between giving up or crippling our handy gadgets or living life under constant tracking.

Thanks for the feedback -- I will think about this some more and try to come up with some changes.

-- DanielHarris - 09 Apr 2009

I think the argument about the functional equivalency of howling RFID cards and cellphones where privacy is concerned highlights another important point: piecemeal solutions to the privacy concerns with particul Which suggests that we need a solution--again, either legislative or technological--that encompasses all vectors for privacy invasion. Recognizing a constitutional right is a plausible first step, since the right can influence cultural expectations about how technology should preserve rather than erode privacy. This can in turn influence technology architects and hopefully meta privacy-protecting legislation along the lines of the Civil Rights Act of 1964.

-- AndreiVoinigescu - 10 Apr 2009

  • I think this essay is convincing on the points it argues. I also think, however, that the action is elsewhere.

  • I believe your argument that tracking by RFID is much harder than tracking by cellphone, which everyone more or less now accepts risk of. But the point about RFID is how cheaply someone can plant something on you that could be detected later: browser cookies in the real world. And, just as it may be especially problematic when A can see a cookie given you by B, ....

  • I think the problems posed by chatty RFID tags are more from the effects on identity-based security than about tracking. The CUID scheme turns out to be easy to break, for example, despite the "encryption" features, because you can pretend to be a door lock and spend all day having brief conversations with passing ID cards. After a surprisingly small number of such challenge/response pairs, you are ready to open any door in the place, or to pretend to be anyone you please to impersonate. I agree that one can shield cards most of the time so that their tendency to make excess noise can be confined, though many people will be careless thus enabling various forms of fraud and abuse.

  • Your position seems to be that there are good reasons for having stored wireless money that anonymously pays rapidly and at a distance. I entirely endorse that view, and would be happy to carry such a card myself. Remove the anonymity, however, and I don't want it at any price. So it's obviously not about radio frequency ID technology, it's about carrying a bunch of automated database record tags around with me covering my entry in other people's databases.


r14 - 05 Jan 2010 - 22:30:15 - IanSullivan