
Re: Some more background on the RFID experiment in Hiroshima

2009-09-13 22:23:31
At Fri, 11 Sep 2009 07:57:02 -0700 (PDT),
Ole Jacobsen wrote:


Inline.

On Fri, 11 Sep 2009, Eric Rescorla wrote:

At Thu, 10 Sep 2009 12:23:31 -0700 (PDT),

* Each attendee will be issued an RFID card at the registration desk. 
  The information stored on the card is ONLY a number, no personal 
  data is stored on the card. (Note: the attendee can opt out at any
  time, including not collecting the card, see below).

Note that removing your name from the database doesn't remove the
ability of someone to track you via the tag.

If this is a great concern I would suggest either returning the card 
or not collecting it in the first place. Also, the type of readers 
used require close proximity to trigger, you literally have to touch 
the reader with your card to make it work. So nobody from the host 
organization at least will be tracking you. I am also not sure what 
value there is in knowing that 3478273983421 spent 10 minutes in trill 
and then moved on to behave (pun intended).

Well, I think it's important to distinguish two different threat
scenarios: 

1. Tracking via the sensors that IETF has emplaced.
2. Tracking via sensors that others emplace [it's important to
   note that just because the readers you have are low power
   and can only work at close range, that doesn't mean it's not
   possible to have readers that work at longer ranges.]

In the first scenario, it's probably true that you can only
gather limited amounts of information, but in the second scenario,
the amount of information that can be gathered is limited primarily
by the number of sensors you're willing to emplace. I can 
imagine a number of scenarios where it would be attractive
to know where a given individual is at all times (for starters,
people often have private side meetings with customers at IETF
and if you had positional information you might be able to learn
about this). I certainly would not want to be tracked everywhere
I went.

This brings us to the question of the identifiers: it's certainly
true that systems which are anonymous but linkable offer a higher
level of privacy than those which do not. However, it's often
possible to determine which identifier a given person has 
(e.g., by observing a specific person's card being read), then
you can of course track them by name. In addition, if the
identifier->person mapping isn't generated securely and kept
confidential, then you may be able to quickly determine a
large fraction of the mapping.


* The "information" (number) on the card is not encrypted and could be 
  read by any RFID reader, but again, it's only a number.

How are the numbers assigned?

Don't know, but I have asked. I am guessing they are pre-assigned in 
the sense that each card has a unique ID that is later mapped to the
database.

OK, but the details matter here. For instance, if you have a stack
of cards with sequential serial numbers and you assign them in
sequence to the people in the attendee list (e.g., at the time
right before the meeting), you wouldn't need to know too many 
mappings to determine most of the database.


I'm not trying to make an argument for or against this experiment:
I don't even expect to be in Hiroshima, so it doesn't really 
matter to me one way or the other. However, given that the IETF has
extensive experience in this kind of secure systems design and
in fact has an entire WG (GEOPRIV) devoted to thinking about the
dissemination and privacy of positional information, it seems like
it would be nice to get a little more clarity about the security
of the proposed system.

-Ekr


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
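The point about sequential serial numbers, worked through as an added illustration that is not part of the thread: a constructed attendee list, a weak assignment (consecutive serials handed out in list order) beside a hardened one (unpredictable per-card identifiers), and a hypothetical inference routine that shows how much of the id-to-person table a single observed card read reveals under each scheme. Names and functions are assumptions made for the example.

```python
import random
import secrets

# Constructed sample: attendees in the order the registration desk processes them.
ATTENDEES = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]

def assign_sequential(attendees, first_serial=1000):
    """Weak scheme: one stack of cards with consecutive serials, issued in list order,
    so a card id is just the person's position in the list plus a constant."""
    return {first_serial + i: name for i, name in enumerate(attendees)}

def assign_random(attendees, rng=None):
    """Hardened scheme: each card carries an unpredictable 64-bit id, independent of
    list position. Uses a CSPRNG unless a (seeded) rng is injected for testing."""
    rng = rng or secrets.SystemRandom()
    return {rng.getrandbits(64): name for name in attendees}

def infer_mapping(observed, attendees):
    """Hypothetical linkage step: from a few observed (card_id, name) pairs, rebuild
    the whole table on the assumption that ids follow list order. When observations
    contradict that assumption (as random ids do) only the observations remain."""
    position = {name: i for i, name in enumerate(attendees)}
    offsets = {card_id - position[name] for card_id, name in observed}
    if len(offsets) != 1:
        return dict(observed)
    first_serial = offsets.pop()
    return {first_serial + i: name for i, name in enumerate(attendees)}

def recovered_fraction(true_mapping, inferred):
    """Share of the real id->person table that the inference got right."""
    hits = sum(1 for cid, name in inferred.items() if true_mapping.get(cid) == name)
    return hits / len(true_mapping)

def demo(seed=None):
    """Both schemes, with an observer who has watched exactly one card being read."""
    rng = random.Random(seed) if seed is not None else None
    results = {}
    for label, table in (("sequential", assign_sequential(ATTENDEES)),
                         ("random", assign_random(ATTENDEES, rng))):
        card_id, name = next(iter(table.items()))  # the single observed read
        inferred = infer_mapping([(card_id, name)], ATTENDEES)
        results[label] = recovered_fraction(table, inferred)
    return results

if __name__ == "__main__":
    # sequential -> 1.0 (entire table exposed); random -> 0.125 (only the card seen)
    print(demo())
```

With the sequential stack, one observed read fixes the constant and exposes every attendee; with independent random ids, the observer learns nothing beyond the cards actually seen, which is the property a secure identifier->person mapping should have.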
