Prof. Magdalena Balazinska testified at a public hearing today in the Washington State House Committee on Technology, Energy & Communications. The hearing was on House Bill 2729, which addresses “the reading and handling of certain identification documents” and is sponsored by Rep. Deborah Eddy among others. This is an especially timely bill in that it addresses privacy concerns raised by emerging public RFID systems such as the U.S. Passport Card, the Enhanced Driver’s License (EDL), and the new Puget Sound area transit pass, the ORCA card. The bill essentially limits the reading of RFID licenses and identicards as well as the use of the information contained on them. From the bill:

“[...] Washington state recognizes the importance of protecting the confidentiality and privacy of an individual’s personal information contained in drivers’ licenses and identicards.”

“[...] A nongovernmental entity may only electronically read an individual’s driver’s license or identicard to verify the authenticity of the document or verify the individual’s age or identity. [...] When a nongovernmental entity electronically reads a driver’s license or identicard for one of the purposes permitted in (a) of this subsection, and except as otherwise permitted in subsection (3) of this section, the entity may not store, sell, or share personal information collected from the driver’s license or identicard without written consent of the individual.”

Magda provided expert testimony on the privacy risks of such systems. Using examples from our research in the RFID Ecosystem project, Magda described how the lack of security features…
(Read complete post >>)

I was fortunate to participate in the RFID CUSP workshop at Johns Hopkins University last week. The goal of the workshop was to bring together a broad cross-section of the RFID community in an effort to shape research agendas in service of pressing, real-world problems.

About half the speakers had government and/or industry backgrounds; the rest were RFID researchers. Among the government speakers was Hugo Teufel III, the CPO of the U.S. Department of Homeland Security, who spoke about his office’s work on authoring Privacy Impact Assessments for RFID-related issues such as WHTI and the EDL; he also said that he or someone from his office will go anywhere to speak on matters of privacy and homeland security (good to keep in mind!). Randy Vanderhoof of the Smart Card Alliance also gave an interesting presentation on his organization’s work with privacy – this included a note on their strong opposition to the use of EPC Gen 2 technology for WHTI.

The research portion of the program included presentations from Ari Juels and Ravi Pappu on practical key management techniques for crypto in real-world RFID applications. Christof Paar reviewed some lightweight crypto techniques which his group had developed for RFID, while Melanie Rieback and Karsten Nohl…
(Read complete post >>)