[Dave Birch] I enjoyed Scott Silverman's talk about privacy and security at ID World. Scott (the devil, according to CASPIAN) is the CEO of Verichip, the company that developed the first FDA-approved RFID chip for human implantation. (It's just a passive RFID chip containing a 16-bit identification number). Apparently, they had had some 900 emergency rooms across the US signed up for the service before the "privacy backlash" started. Opponents of the system told the newspapers that the chips caused cancer, and that was that.

Now, to be honest, I'm very sympathetic to Scott. A couple of years ago, I contacted Verichip because I thought it would be fun to have a Verichip implanted in my arm ready for the Digital Identity Forum, but they said no (spoilsports). My cat has one, and I'm jealous.

Anyway, the point is that the privacy backlash was so great that the stock price collapsed and the company — which was reduced to a shell — has now been restructured as PositiveID with Scott as the majority shareholder. They have a number of initiatives, one of them being "PatientID" which will link high-risk patients (eg, Alzheimer patients) to their medical records. Now, as far as I can see (and I'm speaking from the point of view of someone with an Alzheimer's sufferer in the family) this is a splendid idea. I'm pretty privacy sensitive, but this is an application that makes absolute sense to me. If I had Alzheimer's, I'd want a chip so that if I get lost or confused, a doctor can instantly find out who I am and what my conditions and medications are. You could do it by fingerprinting me, or iris scanning or whatever. But it appears to quick and simple to use the chip instead.

Scott also mentioned their "HealthID" initiative that will link sensors to the chip: so, for example, you could have a glucose-sensing chip for some types of diabetes so that when the chip is read to identify the patient it will also report glucose levels. If I had diabetes, I would much rather have one of these than prick my finger and test drops of blood. I wouldn't want everyone to be able to read it though, and this is where the problem comes: we need to have some form of standard privacy-enhancing infrastructure that sits above the "chip layer" to make this all work properly.

Scott also said that the debate about RFID and privacy is ill-informed, and he's certainly correct. In fact tt's one of my personal bugbears: the conflation of "dumb" RFID with contactless "smart" cards and NFC interfaces. I keep trying to correct people (particularly journalists) about the difference, but it's like trying to turn back the tide. Look at how the technologies, and any risk analysis that might be associated with them, gets jumbled up even in trade publications.

Radio frequency identification technology is becoming increasingly common and sophisticated. But some worry that it's also increasingly susceptible to hackers, who could steal personal information during seemingly innocuous transactions such as credit-card payments and the use of RFID-enabled passports

[From Does RFID present privacy risks? — Federal Computer Week]

Fair enough.

Nicole Ozer, technology and civil liberties policy director at the American Civil Liberties Union of Northern California [said] that an RFID-enabled passport issued by the Homeland Security and State departments, called a U.S. Passport Card, is vulnerable to wireless attacks.

[From Does RFID present privacy risks? — Federal Computer Week]

Sounds worrying. But what is the "wireless attack" that they are talking about?

"The new tags have extreme read ranges," Ozer said. "They can be read up to 30 feet away, and copied and cloned, without people ever knowing."

[From Does RFID present privacy risks? — Federal Computer Week]

You see how the threat to "credit-card payments" is connected with "extreme read range", when the contactless payment technology used the world over is not the same technology as is used in RFID and cannot be read from 30 feet away. And even if you could read some data in transit, you couldn't use it to create a clone card because the key used to sign the data that you are reading does not leave the card. Anyway, if I wanted to get lots of passport details I wouldn't mess about like that.

A low-level State Department employee pleaded guilty in federal court Wednesday to charges of accessing hundreds of confidential passport files, including those of celebrities, actors, athletes, politicians and family members -– and he likely faces little to no jail time.

[From State Department Passport Snoop Faces Little or No Jail Time | Threat Level | Wired.com]

Much easier, and much quicker. Anyway, I'm wasting my time with this ranting, of course, because the media does not understand the basic issues.

In some organizations, RFID cards aren’t just for entering doors; they’re also used to access computers. And in the case of RFID-enabled credit cards, RFID researcher Chris Paget, who gave a talk at DefCon, says the chips contain all the information someone needs to clone the card

[From Feds at DefCon Alarmed After RFIDs Scanned | Threat Level | Wired.com]

You can't "clone" a contactless card (usch as an Amex ExpressPay card) with this information, but what you can do is create a counterfeit magnetic stripe card. Stop blaming contactless for the hopelessness of magnetic stripes!

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: