RFID Security: From Theory to Practice

 

I was fortunate to participate in the RFID CUSP workshop at Johns Hopkins University last week. The goal of the workshop was to bring together a broad cross-section of the RFID community in an effort to shape research agendas in service of pressing, real-world problems.

About half the speakers had government and/or industry backgrounds; the rest were RFID researchers. Among the government speakers was Hugo Teufel III, the CPO of the U.S. Department of Homeland Security, who spoke about his office’s work on authoring Privacy Impact Assessments for RFID-related issues such as WHTI and the EDL; he also said that he or someone from his office will go anywhere to speak on matters of privacy and homeland security (good to keep in mind!). Randy Vanderhoof of the Smart Card Alliance also gave an interesting presentation on his organization’s work with privacy – this included a note on their strong opposition to the use of EPC Gen 2 technology for WHTI.

The research portion of the program included presentations from Ari Juels and Ravi Pappu on practical key management techniques for crypto in real-world RFID applications. Christof Paar reviewed some lightweight crypto techniques which his group had developed for RFID, while Melanie Rieback and Karsten Nohl discussed their past and current success in breaking RFID security – including the recent Dutch transit card hack! I concluded the workshop with a talk that focused on our work with the higher-level privacy concerns which arise when managing stored RFID data for user-centered RFID applications; my slides are available here.

Overall, the workshop was great! The final consensus seemed to be that everyone would like to meet more often and that there should be a more active dialogue between researchers, government, and industry. Attendees from all backgrounds seemed very serious and enthusiastic. This said, I think the workshop could have been even better if representatives from privacy advocate groups such as the ACLU or the CDT had been in attendance. Getting all these diverse groups (academia, government, industry, and privacy advocates) to the table can be a challenge, but it may also be the best way to work out successful long-term solutions for RFID security and privacy.

Evan Welbourne