Mobil Speedpass, Auto Security RFIDs Cracked

Avi Rubin of Johns Hopkins, who has in the past critiqued electronic voting systems, has with a team of colleagues cracked the encryption on the Mobil Speedpass and automobile security RFID chips (the Texas Instruments DST transponder; in cars the chip sits in the key, and the immobilizer keeps the engine from starting unless it is present).

As they describe it, the problem is more a function of the weak encryption than of anything RFID-specific: the transponder uses a proprietary cipher with a 40-bit key, so once the cipher had been reverse engineered, a key could be recovered by brute force from a couple of recorded challenge/response pairs. But there is one particular RFID angle to this: the environmental promiscuity of the chips. A chip will answer any scan within range without the "aid" of its owner. It is like swiping a credit card, except that with this one you just need to stand there. Though the chips' range is short, a couple of inches, they have a video demonstrating a scan of a person sitting next to them.
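The attack pattern above, skim a few challenge/response pairs from a promiscuous tag and then enumerate the keyspace, as an added illustration. This is not the Johns Hopkins team's code: the keyed function (truncated SHA-256), the 18-bit key and the 12-bit response are assumptions chosen so that the exhaustive search finishes in seconds on a laptop; the real transponder's cipher is proprietary and is not reproduced here.

```python
"""Toy model of the skim-then-brute-force attack on a challenge-response tag.

Constructed illustration, not the original researchers' code. The keyed
function, key width and response width are placeholders chosen so the
exhaustive search runs quickly; only the structure of the attack matters.
"""
import hashlib
import secrets

KEY_BITS = 18       # assumption: toy keyspace (the real device used 40 bits)
RESPONSE_BITS = 12  # assumption: toy response width


def tag_response(key: int, challenge: int) -> int:
    """Keyed function the tag computes on a reader's challenge.

    SHA-256 truncated to RESPONSE_BITS stands in for the proprietary cipher.
    The attack below does not depend on which keyed function is used, only
    on the key being short enough to enumerate.
    """
    data = key.to_bytes(8, "big") + challenge.to_bytes(8, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << RESPONSE_BITS) - 1)


class Tag:
    """A promiscuous tag: it answers any challenge from any reader in range,
    with no action by its owner."""

    def __init__(self, key: int) -> None:
        self._key = key

    def answer(self, challenge: int) -> int:
        return tag_response(self._key, challenge)


def skim(tag: Tag, n_pairs: int) -> list[tuple[int, int]]:
    """Attacker-controlled reader: issue chosen challenges to a victim's tag
    and record the (challenge, response) pairs. Nothing here needs the
    victim's cooperation; range is the only limit."""
    pairs = []
    for _ in range(n_pairs):
        challenge = secrets.randbelow(1 << 32)
        pairs.append((challenge, tag.answer(challenge)))
    return pairs


def recover_keys(pairs: list[tuple[int, int]], key_bits: int = KEY_BITS) -> list[int]:
    """Exhaustive search over the keyspace, keeping every key consistent with
    all skimmed pairs. One pair leaves about 2**(key_bits - RESPONSE_BITS)
    false positives; a second pair almost always narrows that to one key."""
    return [
        key
        for key in range(1 << key_bits)
        if all(tag_response(key, c) == r for c, r in pairs)
    ]


if __name__ == "__main__":
    victim = Tag(secrets.randbelow(1 << KEY_BITS))  # key the attacker never sees
    pairs = skim(victim, 2)
    candidates = recover_keys(pairs)
    print(f"{len(pairs)} skimmed pairs -> {len(candidates)} candidate key(s)")
    # A cloned tag built from the recovered key answers fresh challenges
    # exactly like the victim's, which is all a pump or immobilizer checks.
    clone = Tag(candidates[0])
    fresh = secrets.randbelow(1 << 32)
    print("clone matches victim on a new challenge:",
          clone.answer(fresh) == victim.answer(fresh))
```

The point of the second skimmed pair is worth noticing: because the response is shorter than the key, a single pair is consistent with many keys, and the attacker needs a second challenge to disambiguate. Scaling the key to 40 bits multiplies the search by 2**22 but changes nothing else about the procedure, which is why the key length, not the RFID transport, is the weak link.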

Posted: 1/31/2005

RFID Reading Cell Phones

Some people tell us not to worry about ubiquitous and promiscuous (meaning they respond to any reader that queries them) RFID tags. One of the arguments is usually the relative inaccessibility of RFID readers, and the fact that they will be priced above levels attractive to anyone but institutions interested in supply-chain or other sorts of management uses of RFID.

But RFID is not going to be a one-way technology built on some rigid hierarchy, with ubiquitous consumer and individual-level tags at the bottom being read by legitimate institutional readers at the top. It's going to be a web of ubiquitous tags in a sea of readers.

Perhaps the clearest wrench in the works of the neat hierarchical model is this plan to build RFID readers into individual cell phones.

Posted: 1/26/2005

Paper Idea: Iraq and IP

While helping a friend brainstorm a paper for our Multinational IP class, he mentioned his bright idea: Iraqi IP law. But it didn't quite have the multinational angle. So then we had the idea to compare it to our bilateral treaties. The way I understand things, there is a world minimum for protection of IP: the TRIPS standard. However, when the US negotiates a trade agreement with someone, the US usually demands something more than TRIPS. They demand TRIPS+ or 'TRIPS-plus'. But we have to bargain to get that; people don't give it up, and aren't jumping to impose it.

You can guess not just the question but also the answer: Which way is Iraqi IP law going? TRIPS or TRIPS+? I think we can safely guess the latter. I wonder if you could even do some economics and come up with a ‘valuation’ for TRIPS+ (from the treaties) and see what it comes out to in Iraq. What it is that we’re getting for free. Well. Not free, but in exchange for running their country.

Wish I had thought of it myself. Right now I'm between the database treaty and the broadcasting treaty. From cursory Google searches, it looks like the database treaty is dead, with Europe protecting DBs and the US not. I guess the paper topic would be to compare these two and look for a multinational solution.

A Million HP Consumer Products to Bear RFID Tags

Hewlett-Packard plans to add RFID tags to a million printers, handheld computers and other products over the next year. Time to check their privacy policy. The article doesn't make clear what sort of consumer tracking the chip will do. I've sent them an email and will post any response.

Source: Hewlett-Packard to accelerate ID tagging

Update: HP kindly emailed me back. They say the chip will contain information equating to the model and serial number of the unit. They say that the intent of the chip is pre-sale inventory control: the chips will be on the product package, not the product itself. Lastly, they add that readers will not be at the customer entrance, but at the loading-dock entrance of the store. This appears to me to be a very privacy-conscious approach to RFID deployment for inventory purposes.

Posted: 1/15/2005

Peer to Peer: The Grokster Case

This term the Supreme Court will hear arguments in Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd.

Procedurally, this is an appeal from a 9th Circuit opinion upholding a California district court's grant of summary judgment for the defendants, Grokster and Kazaa.

The question in the cert petition is whether the 9th Circuit misapplied the principles of secondary liability when it found that Grokster and the other defendants weren't liable for the infringement of their users.

Specifically, the question is of the Ninth Circuit's application of the Sony doctrine. The Sony doctrine comes from a case in which the content industry sued Sony over its Betamax video recorder. The Supreme Court ruled that Sony was not secondarily liable for the infringement of VCR owners, and that the maker of any such technology could not be held liable if it was "capable of substantial non-infringing use."

For the Ninth Circuit, being capable of substantial non-infringing use doesn't completely save you. If you have knowledge of specific infringement (as Napster did when someone searched its servers) and you fail to act on that knowledge, you are liable for that infringement.

Thus the Grokster/Kazaa technology becomes important. Napster kept central servers indexing all the files shared; Grokster and Kazaa don't know what is being shared on their networks, because searching for files is decentralized among the participants.

Posted: 1/11/2005

Catching up with Technology

I think I'm going to get myself a Hipster PDA. Via BoingBoing.

Posted: 1/9/2005

DC METRO Smartrip Cards

A few months ago I purchased a DC Metro Smartrip card. The cards cost $5, and from then on you can add value to them at just about any station or bus. They don't offer any discount, but they are more convenient than the paper farecard alternative. One nice convenience is that people keep them in a purse or wallet and simply tap the purse or wallet on the turnstile. Smartrip is, however, the only way to pay for parking at the Metro stations that have parking lots. Like farecards, you have to use the same card to enter and exit, and there is a maximum of one rider per card, because the DC Metro doesn't just charge per ride but charges different rates depending on the length of the ride.

You can own the card anonymously: you can buy them online via credit card, or with cash at the Metro Center station or the various vending machines in the parking lots. However, if you register your card to your name and address, a replacement card carrying the same value can be issued to you when it is reported lost or stolen, provided you remembered the password you gave when registering as well as the card's serial number. This tells me the RFID chip on the card doesn't store the value of the card; it's just an identifier.

Supposedly one doesn't need to use a real name or address, but my guess is this is the address they send the replacement to. They also charge $5 for the replacement, and you probably can't pay that with cash. The registration page contains this disclaimer:

This information may be used for current or future WMATA programs. WMATA will disclose information pursuant to applicable laws or law enforcement purpose. WMATA will not share or sell this information for any other purpose.

Of course, the really interesting stuff isn't on the website. How long do they keep the trip data? How long do they associate it with my serial number? I'll write to them Monday and try to find out.

Update: WMATA Responds.

Posted: 1/8/2005

RFID Passports

The US government is planning on issuing RFID-enabled passports, holding your picture and other information in the chip, beginning next spring. This article highlights how the promiscuous environmental scanning feature of RFID discussed earlier poses a privacy problem:

Before the end of the year, the first U.S. biometric passport will be issued with a tiny computer chip and antenna embedded inside it. The chip will contain a digital image of the person’s face, along with other information such as name, birth date and birthplace. The data on the chip can be picked up wirelessly using a radio signal.

When the traveler enters the United States, border-control officials will snap a digital photo of the person, scan the data from the passport and run a facial-recognition software program to compare the two images.

The system is designed to prevent forged passports by making sure the original passport holder and the person standing at the immigration counter are one and the same.

The problem, security and privacy experts say, is that the technical standard chosen for the system leaves passport data unprotected.

The technology allows data on the chip to be read remotely using radio frequency identification or RFID.

That means the passport does not have to be opened or even come in contact with a scanning device. Its contents can be read remotely — some estimates claim as far away as 30 feet — without the passport holder knowing anything about it.

The article notes that the system is meant to promote border security, but that encryption was rejected as harmful to the interoperability required with other countries. Apparently the difficulty of obtaining and programming blank chips is expected to make the new passport harder to forge than the supposedly easier-to-falsify paper-and-photograph ones.

Will Americans fearful of identity thieves catch on to the new trend?

One simple but effective solution may deter unwanted snoops . . . Cover the passport with aluminum foil. Radio frequencies have a hard time penetrating metal.

Posted: 1/3/2005
