On Sun, 13 Sep 2009, Eric Rescorla wrote:
That seems like a good start. As Richard and I have both indicated,
however, this system seems to have substantial residual privacy
risk, even if the identifiers are assigned completely unpredictably
(and note that non-sequential and unpredictable are not at all the
same thing).
I will leave it to the local organizers to disclose and explain the
experiment further. I am no privacy and security expert, but it seems
to me rather unlikely that anyone needs to be concerned about being
"tracked" when the practical distance from reader to card is about
18 inches. In having these discussions we've probably highlighted a
number of *potential* risks much more than what the average credit
card or cell phone customer is informed of. I suppose we could do what
the Fastrak people did when they sent me the RFID gizmo for bridge
tolls: They included a foil-lined bag and explained that the system
was being used to monitor traffic (as well as collect tolls) and if
I didn't want to participate I could put the gizmo in the bag.
I'm not trying to be difficult, but I'm not overly impressed with the
defense that people keep offering that this is an experiment and
people can opt out. If this were being done as an experiment at a
university, you would be expected to go in front of a human subjects
committee and demonstrate that your subjects had given informed
consent, probably wouldn't be harmed, etc.
What about a "commercial" or "business" setting? The hotel in
Stockholm where many (most?) of the IETFers stayed had RFID cards for
key entry to the hotel rooms.
Now, obviously, this isn't an academic setting, but I think it's
fair to say that the people running this experiment haven't done
anything like full disclosure of the relevant risks--and it's not
even clear that they understand them themselves. [It would also be
consistent with common practice for people to specifically opt in,
not out.]
Effectively that's what will happen. At registration, you will be
offered the card, you can obviously refuse to accept it. As for
full disclosure of relevant risks, having this discussion is hopefully
leading to a set of observations that can be supplied to each
attendee. And yes, it isn't fully designed yet, but I am sure the
organizers never expected this amount of feedback either, particularly
not since the technology has been in regular use in Japan for many
years.
Ole
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf