Computers, Privacy & the Constitution

In Defense of RFID

-- By DanielHarris - 8 Mar 2009

Introduction

RFID and related technologies in the form of the contactless smart card have taken a beating, often literally. Smart cards were also part of my daily life a year before it found its way into our CUIDs. At any given time in Hong Kong, I typically had three “smart” cards on my person: the HKID (a contact smart card), the Lingnan ID (functionally identical to the CUID), and the Octopus. Fond memories of the Octopus in particular make me want to make sure we don’t throw out the baby with the bath water.

What “Baby” is This?

The Octopus is a contactless RFID stored-value card, available in anonymous and personalized versions. Operated by a consortium of Hong Kong transport operators (and therefore, like the MTR Corporation, effectively controlled by the HKSAR government), the Octopus began its life in 1997 as a common stored-value card for public transport. It is now used by 95% of Hong Kong’s adult (16-65) population and accepted not just on all scheduled public transport, but also in numerous retail settings: grocery stores, drugstores, ubiquitous convenience stores, parking meters, vending machines, and prominent fast-food restaurants. At my university, the student canteen (cafeteria) and library copying machines and printers accepted Octopus, too. The retail network is a powerful argument for Octopus use even just on transport, as any staffed retail location accepting Octopus can accept cash to load onto the card.

Why is it so popular? Time. The transaction time for transport is 300ms--quick enough to tap one’s closed wallet while moving through a turnstile at full rush hour speed--with a leisurely 1 sec. allowed for retail transactions. Even without considering the difficulties of fumbling around with small coins, worth as little as a US penny, to make exact change for a bus, this speed lets passengers tap their cards for distance-based fares and intermodal interchange discounts without clogging the series of underground tubes. Anyone who’s had the misfortune of riding a NYCT bus, or who makes a habit of outpacing cross-town buses on foot, can see the implications: buses become downright usable when they aren’t daintily reading Metrocards for five minutes at every stop. An on-the-honor paper ticketing system has this advantage, but still requires queuing beforehand to purchase tickets.

Contactless smart cards are also more durable than their alternatives: I occasionally had to clean the contacts on my rarely-employed HKID with a pencil eraser, and have had my share of demagnetized or scratched magnetic stripes.

Privacy Protections

The most important privacy protection for the Octopus is that it need not be registered or personalized. Only students need provide their personal data, and then only if they desire the student discounts available on some of the transportation networks. Secondly, the Octopus is a cash card system--although a credit-card-based auto-replenishment system is available, the vast majority of passengers will buy and refill their Octopus with Hong Kong Dollar banknotes. Nothing stops one from exchanging cards (as long as one is eligible for any discounts on the card) or maintaining multiple cards: in fact, Octopus encourages buying limited-edition “sold” cards (or chip-containing products) with, for example, holiday designs or cartoon characters on the card. Although anonymous cards still have identifying serial numbers, the possibility for correlation with personal identity is far lower than with credit or debit cards.

Of course, given the substantial presence of surveillance camera at major transport facilities, it should be fairly easy to correlate an anonymous Octopus serial number with the face (and perhaps identity) of its user. The same applies to the $4 Metrocard you can buy from a sidewalk newsstand, or to a credit or debit card, though.

But What About the Howling?

We’ve heard a lot about cards “howling” (which, to be clear, refers to the replies of cards to readers close enough to reach them and hear back). The howling nature of the Octopus (or the CUID) and the ability to use it through a bag or wallet is part of what makes it successful, but there are countermeasures available for things we’re more worried about: contactless US passports are allegedly shielded when closed, and contactless “enhanced” driver licenses/passport cards sometimes ship with a protective sleeve.

I Saw the Best Minds of My Generation

You might still be worried about your cash cards--even if your rogue reader can’t crack the encryption, she’s still picking up a unique identifier. Going out in public with neither a balaclava over your face nor a variety of artificial limps should worry you almost as much: video biometric recognition is likely to progress just as fast as whatever technology is required to build out a network of long-range RFID scanners even approaching the existing surveillance camera network's ambit. Everything about the way you look and move is howling to every camera that can see you.

Don’t forget your mobile phone--in more civilized cities it works underground, too--it actually, actively howls. If you would not turn off your phone or leave it at home to avoid being tracked, you gain little from smashing your RFID chips.

What’s the Real Issue?

I suspect that opposition to contactless smart cards stems from the idea that, when used for identification, they make life too easy. The user wants to be able to get through his day; the privacy advocate might rather see cumbersome identification technology hassle the user out of his complacency. The question is whether we should be requiring identification at all (or using payment cards rather than cash). Fighting that question on the merits would take more than 1,000 words, but going by Octopus’s uptake we can assume that convenience is a compelling, perhaps deciding factor. The energies of privacy advocates will be better spent lobbying for legal protections: it’s too easy to look like an irrelevant Luddite when you’re smashing chips and playing with tinfoil.


Daniel, I find the first half of your paper particularly compelling. RFID cash cards, like the Octopus, seem to me to have traits that protect both privacy and convenience. In fact, they seem like a great compromise.

However, the second half confuses me a bit. I read your argument to say, basically, with so many other privacy concerns (cameras, cellphones, etc., etc.) we should not be concerned about RFID. Instead, you argue, privacy activists should "lobby[] for legal protections." To me this position is contradictory. How do you convince people that privacy matters if you ignore a source of its decline? People need a reason to take action. Political lobbying needs feet or dollars to make it go, and people worried about RFID privacy adds both.

Another problem with your position is that it is equally true of any and every privacy concern. Don't worry about cameras-you carry a cellphone, right? Don't worry about your cellphone-you pay with a credit card, right? Privacy is eroded by many different technologies. Arguing that we should ignore one simply because beneficial uses exist for it that do not invade our privacy as much misses the point that it is the aggregate effect which erodes privacy.

-- JustinColannino - 01 Apr 2009

 

Navigation

Webs Webs

r4 - 01 Apr 2009 - 21:43:19 - JustinColannino
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM