Basic Questions
What is RFID?
Radio frequency identification (RFID) is a generic term describing a system that uses radio waves to identify an object or person. There are three fundamental components in a passive RFID system: a passive RFID tag, an RFID reader, and a database. A passive RFID tag is a battery-less device that consists of a radio antenna attached to a microchip which stores a unique identifier (i.e. a unique number). An RFID reader is a device equipped with one or more antennas that emit radio waves and receive signals back from nearby passive RFID tags. Specifically, an RFID reader’s antenna emits radio waves that energize one or more passive RFID tag(s) in front of that antenna; that energy is in turn used by those tag(s) to send their unique identifier(s) back to the antenna. Finally, a database in an RFID system contains a table that maps tag identifiers to information about the tagged items. The database also contains the list of all tags detected by antennas and the time when they were detected.
Where did RFID come from and why do I hear so much about it?
RFID technology has existed in one form or another since WWII (originally as part of IFF systems). Many advances in radio and silicon technology over the last 30 years have made it possible to create smaller, cheaper, and more effective RFID technology. Recent interest and investment from the supply chain industry have driven further technological advances and cost reductions to the point where many consider the vision of "an RFID-saturated world" to be just on the horizon. This is a vision in which many very useful RFID-based applications and services could emerge. At the same time, it is a vision which raises serious concerns about the privacy and security of individuals using RFID-based applications. The increasing popularity and ubiquity of RFID technology combined with a rising awareness of RFID security and privacy concerns has attracted a great deal of recent media attention.
What are active and passive RFID tags?
Active RFID tags are equipped with a battery that allows them to broadcast their ID continuously, whether an RFID reader is present or not. In contrast, passive RFID tags have no battery and must be interrogated by an RFID reader before they are able to transmit information. Passive RFID tags receive their power from the radio signals emitted by RFID readers. The RFID deployment in the RFID Ecosystem project uses only passive RFID tags.
From how far away can an RFID tag be read?
The read range for an RFID tag depends on many factors. First, if the tag is passive it will have a shorter read range (typically between 1 cm and 4 m); active tags can be read from a much greater distance (e.g. upwards of 20 m). Secondly, the material of the tagged object has an effect on the read range. For example, a tag attached to a metal object may have a much shorter read range than a tag attached to a plastic object. The size and power of the RFID reader's antenna also have a large impact, though it is practically impossible to build an antenna which will read tags at a distance greater than ten times the standard read range.
What kind of information can be stored on a tag?
A tag can store any information that can be represented by a number. In addition to a unique ID, many tags can store additional data which in some cases can be written and re-written. The most commonly used types of tags contain around 256 bits of storage, about the equivalent of 6 phone numbers.
Can RFID tags be disabled?
RFID tags and readers often implement a "kill" command that permanently disables a tag. Some tags implement other levels of the kill functionality such as "kill recycle", which destroys all information stored on the tag except for the information needed to recycle the tagged object. RFID tags can also be permanently disabled by physically destroying the tag in a certain way (e.g. microwaving it, hammering it).
The RFID Ecosystem Project
What is the RFID Ecosystem Project?
The RFID Ecosystem is a large-scale project with participants from various research groups at the University of Washington's Department of Computer Science and Engineering. The project investigates user-centered RFID systems in connection with technology, business, and society. Past research on user applications of RFID has been limited to short-term technology and user studies in restricted scenarios. In contrast, the RFID Ecosystem provides a living laboratory for long-term, in-depth research in applications, databases, privacy, security, and systems.
What is the purpose of this research?
A central question in this research is in the balance between privacy and utility. Are there user-centered RFID applications that are truly useful? If so, how can they be designed to minimize loss of privacy? Finally, if these applications are indeed useful, does the utility outweigh the potential loss of privacy? We seek to answer these questions through careful, long-term user studies in which participation is optional and participants have control over their data and may opt out at any time.
The overarching goal of the project is to inform the community (including businesses and policy makers) of the risks, benefits, and challenges of user-centered RFID systems while proposing technological solutions whenever possible - and to do so before such systems become commonplace.
Do the potential benefits of this research outweigh the risks?
The primary benefit of this research to society is an improved understanding of the utility, usability, privacy concerns, and technical challenges presented by existing and future consumer applications of RFID. It is our hope that this research will better inform businesses, policy-makers, researchers, and the general public of the risks, benefits, and challenges of RFID systems. We also hope our work will encourage responsible design of and decisions regarding consumer-oriented RFID applications.
The RFID-enabled personal data store will be deployed in a setting with strict data access controls that ensure inter-subject privacy while still allowing subjects to have complete, transparent access to their own data which they may delete at any time. Furthermore, subjects are free to withdraw from the study at any time without explanation and without penalty. As such we feel the anticipated benefits of this research greatly outweigh the potential risks.
Where does the funding for the RFID Ecosystem come from?
The RFID Ecosystem is funded by National Science Foundation (NSF) Award Titled “RFID Ecosystem” (grant number 0454394) and in part by the University of Washington's College of Engineering.
When did the project start and how did it develop?
Answer as of February 27, 2008:
The project started in 2006. The first 6 months were spent investigating various RFID technologies in order to identify those that best suited our needs. We were looking for an RFID reader and tags that could be used to track people and their belongings in everyday environments. For example, we wanted our system to be able to track tags embedded in participants' textbooks, backpacks, or cell phones while they walked through the Allen Center. After many tests we decided to use EPC Gen 2 technology. The next two months were spent deploying the RFID readers. In the following year we developed the initial system software in parallel with our baseline privacy policies and Institutional Review Board (IRB) applications. We are currently preparing for a first round of user studies with RFID applications that provide simple tracking and logging services.
Is there a way for non-participants to view the experiment?
Answer as of February 27, 2008:
Our privacy policy forbids the public disclosure of any part of a participant's data. This said, we will probably post a web-based demo sometime in the next week or two and continue to update it as our applications evolve. The first demo will publish data collected on one or more of the researchers and will probably be simple, e.g. the real-time location of researcher(s) overlaid on a map of the building.
Security and Privacy
How will study participants carry the RFID tags, will they be implanted beneath the skin?
Those who choose to participate after the informed consent process (in which any questions will be answered as clearly and precisely as possible) will be asked to carry one or more EPC Gen 2 RFID tags. The tags to be used are paper thin and about the size of a credit card; participants will carry these tags in whatever way suits them. No tags will be implanted beneath the skin.
What do you hope to learn in terms of privacy?
In a phrase: the balance between privacy and utility. We'd like to evaluate whether user-centered RFID systems can be built to be useful and secure enough to justify the potential loss of privacy. In slightly greater detail, we are investigating privacy at roughly 4 different levels and we hope to evaluate the effectiveness of our work with user studies and with quantitative metrics whenever appropriate. The 4 (rough) levels are:
1. The design of privacy controls and feedback mechanisms for users
2. The design of privacy policies for a community of users
3. The implementation of privacy policies using data privacy techniques
4. The detection and prevention of privacy violations using security techniques
What do you hope to learn from user studies?
Privacy is a very complex and individual thing which is as much a dynamic and evolving process as it is a set of baseline assurances which must be provided. Careful user studies in naturalistic settings are a very good way (and sometimes the only way) to research privacy for next generation applications such as those we're evaluating in the RFID Ecosystem. An important point in this connection is that our user studies will collect not only user opinions but evidence of user behavior (e.g. anonymized logs of how and when an application is used).
Our hope is that the qualitative and quantitative data we collect in our user studies will help us to: 1) Acquire an in-depth understanding of the glaring privacy issues; 2) Uncover and study more subtle privacy issues; 3) Evaluate and iteratively improve the effectiveness of our feedback and control mechanisms, data privacy techniques, and methods for detection and prevention; and 4) Finally, to inform the wider community (including businesses and policy makers) of the privacy-utility trade-offs inherent in emerging RFID systems before such systems become commonplace.
-- An additional note is that the data we collect in our user studies will be helpful for much more than privacy-related research. It can be used to evaluate other aspects of the project such as: system performance, precision and recall of event detection and inference algorithms, usability, etc.
What are your findings regarding privacy thus far?
Answer as of February 27, 2008:
At a high level our experience has shown that privacy is a very complex and individual thing which is as much a dynamic and evolving process as it is a set of baseline assurances which must be provided. Furthermore, privacy is inextricably linked with a system's utility: a very useful system may be worth some loss of privacy, while a system which is not useful is not worth any loss of privacy, and RFID systems must be designed and evaluated with that in mind. So one conclusion is really more of an emerging research goal: to investigate system designs that allow individual users to choose a comfortable spot in the privacy-utility space, i.e. that let each user choose and configure applications according to his or her personal comfort with the level of information disclosure.
Another challenge here is to narrow the research space to something manageable; we try to do that by focusing on privacy for specific applications and by constructing careful arguments and proofs when the research is theoretical.
A second conclusion has been about the stigma that seems to surround RFID and privacy. RFID technology is often billed as dangerously insecure and an enabler for Big Brother. However, a lot of headway has been made in the research community toward improving the security of RFID, and for the most part the technology itself may be no more risky than many other existing technologies such as mobile phones. One point we've come to through many discussions and investigations is that RFID technology itself is not an inherent risk to privacy, or at least not in any way that may not eventually be fixed through emerging techniques in RFID security and cryptography. The greater privacy concerns seem to stem from the system which collects and stores the RFID data: Who owns the data and who may access it? Who manages the data and how is it managed? What policies and regulatory framework(s) apply to the data? What is the lifetime of the data?
Is there a written privacy/security policy?
We wrote a privacy and security policy which we will adhere to during our user studies as part of our application to UW's Institutional Review Board (IRB). All our study proposals are subjected to a rigorous evaluation process by our IRB and we must obtain approval before recruiting any study participants. We are also required to present participants with a copy of our privacy and security policy during the recruitment process.
In the design of our recruitment message, consent form, and privacy preserving measures we followed the “Best Practices for Deployment of RFID Technology” presented by the Center for Democracy and Technology’s (CDT) working group on RFID. This group includes representatives from various consumer groups and commercial enterprises, all working under the leadership of the CDT. These guidelines are the result of an extensive analysis of current and near-term applications of RFID, the ways in which those applications do or do not implicate privacy, and the manner in which companies can address them. The guidelines are intended to provide guidance for policymakers, developers and users about privacy in the context of RFID technology and can be found online at: http://www.cdt.org/privacy/20060501rfid-best-practices.php
What is your internal policy or protocol regarding access to a user's data?
Only members of the research team will have access to all of the raw RFID data. Participants will have access only to their own data and may delete any or all of it at any time using a simple web interface; a participant may also ask a researcher to perform such an operation on his or her behalf. Fully anonymized, aggregate (e.g. sum, average, max, min) information that cannot be traced to a particular individual may be reported in research publications. Any identifiable information from the RFID data or questionnaires will be removed (e.g. each subject's name and location will be replaced with a non-identifying numerical code, and the data traces will consist of a sequence of numbers from which exact location information about an individual cannot be recovered). If necessary, we will also offset time-stamps on longitudinal data to avoid matching persons with roles, activities, or subgroups that may identify participants.
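As an added illustration (not the RFID Ecosystem's own code), here are the de-identification steps described above carried out in Python on a constructed trace: names become numeric codes held in a separate link table that can later be destroyed, every timestamp of a subject is shifted by one random per-subject offset so intervals within a trace are preserved, exact antennas are coarsened to zones, and aggregates are released only for zones seen by at least a minimum number of distinct subjects. The trace format, the zone names and the minimum-group check are assumptions of the example.

```python
"""De-identification of RFID traces (added illustration, not the project's code).
A separate link table holds name -> numeric code and a per-subject time offset;
released records carry only the code, a coarse zone and shifted timestamps.
Trace format, zone names and the minimum-group check are assumptions."""
import random
from collections import Counter

# constructed: exact antenna ids coarsened to zones before release
ANTENNA_ZONE = {"A-201": "floor2-hall", "A-202": "floor2-hall", "A-301": "floor3-hall"}

# constructed raw trace: (name, antenna_id, unix_time)
TRACE = [
    ("alice", "A-201", 1000),
    ("alice", "A-202", 1060),
    ("bob", "A-201", 1005),
    ("carol", "A-301", 2000),
]


class LinkTable:
    """Identity link kept apart from the released data so it can be destroyed later."""

    def __init__(self, seed=None):
        self._rng = random.Random(seed)
        self._codes = {}    # name -> subject code
        self._offsets = {}  # name -> seconds added to every timestamp of that subject
        self._next = 1

    def code_for(self, name):
        if name not in self._codes:
            self._codes[name] = self._next
            self._next += 1
            # one offset per subject: intervals inside a trace stay intact,
            # but traces can no longer be lined up against a calendar
            self._offsets[name] = self._rng.randrange(-30 * 86400, 30 * 86400)
        return self._codes[name], self._offsets[name]

    def lookup(self, name):
        return self._codes.get(name)

    def destroy(self):
        """Drop the name<->code link, e.g. when the retention period ends."""
        self._codes.clear()
        self._offsets.clear()


def pseudonymize(trace, links):
    """Replace names by codes, antennas by zones, and shift timestamps."""
    out = []
    for name, antenna, ts in trace:
        code, offset = links.code_for(name)
        out.append((code, ANTENNA_ZONE.get(antenna, "unknown"), ts + offset))
    return out


def safe_aggregate(records, min_group=5):
    """Sightings per zone, suppressing zones seen by fewer than min_group
    distinct subjects so a count cannot be traced back to one person."""
    sightings = Counter()
    subjects = {}
    for code, zone, _ in records:
        sightings[zone] += 1
        subjects.setdefault(zone, set()).add(code)
    return {z: n for z, n in sightings.items() if len(subjects[z]) >= min_group}


if __name__ == "__main__":
    links = LinkTable(seed=1)
    released = pseudonymize(TRACE, links)
    print(released)
    print(safe_aggregate(released, min_group=2))
    links.destroy()
    print(links.lookup("alice"))  # None once the link is destroyed
```

The point of keeping the link table as its own object is that destroying it (as the retention rule below requires) leaves the released records usable for aggregate statistics but no longer joinable to a name.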
Where can participants access applications? Is there a central kiosk?
There is no central kiosk. We have intentionally designed our applications to avoid the asymmetric visibility that a central monitoring station would provide. Our applications are all peer-to-peer in nature (i.e., they do not allow for users with special privileges). The applications can be accessed both from secure mobile and secure web-based interfaces. Thus at any time, any participant can access any application from any web browser or through his or her phone*; he or she need only log in with a user name and password.
It should also be added that although our applications are peer-to-peer, we do have several system administrators who may access data to test and debug applications or to extract statistics that support our research. System administrators are members of the RFID Ecosystem research team who are approved to access collected data by directly interfacing with the database. Before deciding whether or not to participate in one of our studies, each prospective participant will be presented with a list that names the system administrators. Furthermore, our use of the data is strictly governed by our IRB approval. For example, the link between a user’s name and his or her data must be destroyed within 60 days after that user’s period of participation ends, we can only publish anonymized aggregate statistics (e.g. 70% of users queried for lost objects at least twice per week), and we cannot share the collected data with researchers outside our group.
* We provide users with WiFi-enabled mobile phones.
Is there any part of the Allen Center in which participants will not be tracked?
Yes, RFID readers are only deployed in the hallways of the Allen Center and will eventually be deployed at the entrances and exits of the building. The elevators, restrooms, and atrium are considered "off limits" so as to provide added privacy for study participants (especially regarding restroom activity). The areas covered by the elevators, restrooms, and the atrium constitute one large, continuously connected space. By not deploying any RFID readers in this space we preserve a measure of ambiguity in our users’ activities while they are in this space. For example, when Bob enters the “elevator-restroom-atrium zone”, he could be headed to the first floor to get a coffee, he could be meeting a friend in an atrium break-out area, or he could be using the restroom – the space encompasses many possibilities, so Bob has some privacy.
We recognize that some inference regarding a user’s activities in this space may still be possible and moreover that not all deployment sites are designed with a large continuously connected space surrounding the restroom(s). However, we made a design decision early on not to capture RFID data in these areas so as to provide an added physical level of privacy assurance.
If participants can manage their own data and privacy settings, won't this detract from the privacy experiment?
The privacy controls for an application are indeed (along with the rest of that application’s functions) accessible at any time via secure mobile and web-based interfaces. Moreover, users can erase any or all of their data at any time, detach or destroy their RFID tags (which only cost a few cents), or opt out of the study at any time.
Past research at UW CSE and in the wider community has identified a variety of privacy concerns that arise in systems which rely on data from RFID or other location sensing technologies such as GPS or GSM. Accordingly, there is actually an emerging set of techniques for addressing some of the more glaring privacy issues (e.g. allow a user to control who has access to her data, show a user who has queried or is querying her data, reduce the precision of location information to increase privacy). We are doing our best to incorporate these privacy “feedback and control” techniques into our applications from the outset so as to minimize loss of privacy for study participants. Nevertheless, we expect that additional more subtle privacy issues are inevitable. For example, an application’s privacy interface may undergo several design iterations before it is shown to be effective.
Thus, the idea regarding privacy research in our user studies is definitely not to provoke privacy violations, but rather to: 1) start with the best privacy assurances we know how to provide, 2) study how effectively our privacy assurances work through regular user surveys and interviews, 3) iteratively improve our privacy preservation techniques in response to user opinions and experiences, 4) report on our findings with special attention to the perceived privacy loss an application may cause in comparison to the perceived utility of that application. -- We of course are also surveying and interviewing users on their perceptions regarding the utility of each application.
What are some examples of RFID systems being deployed too quickly?
There are quite a few instances of RFID technology being deployed without enough prior research. Many recent instances involve the rapid deployment of insecure RFID technology in highly sensitive settings. For example, both first-generation RFID credit cards and the first version of the U.S. e-Passport lacked even the most basic access-control and shielding protections (such as protective sleeves). The Washington State Enhanced Driver's License (EDL) also uses EPC Gen 2 RFID technology, which can be read at a significant distance and has practically no security features. A more recent example is the OV-chipkaart hack, which compromised the Netherlands' $2 billion smart card system for transit.
Other examples include the use of RFID data for unintended or unanticipated purposes. There have been several instances in which data from E-ZPass (an RFID toll-collection system used in New York and neighboring states) has been used to prove a person's whereabouts in a divorce case. Another example is the increasing use of Oyster card (an RFID-based transit card) data by law enforcement in London.
What type of end-to-end security is used? Can I tap into the Ethernet coming out of the reader and get all the reads?
We use SSL (TLS) connections between all system components, including the readers. As such, tapping the Ethernet connection coming out of a reader does not reveal which tags that reader reads. Note that encryption hides the contents of the packets, not the fact that packets are being sent; see the WiFi question below for what can be inferred from packet counts alone.
Do some readers use WiFi? If so, what additional information about me is leaked over WiFi? Hypothesis: If I have tags, you can identify me from the number of tags and how they respond, even if you can't see the IDs.
Yes, some readers use WiFi to connect to the rest of the RFID Ecosystem. The reader generates one packet per tag per antenna per second while a tag is sighted within the reader's range, so some information is indeed leaked even though the packet contents are encrypted. This said, it is unlikely that the number of tags carried by a person is enough to positively identify that person, for two main reasons:
1) Most people carry either exactly 2 or exactly 3 tags and there are more than 60 people carrying tags, so the common user enjoys some degree of k-anonymity.
2) The tags are fairly unreliable, and the data from our current study (12/08) shows that most tags have a low read rate. Thus the number of tag reads transmitted for a particular user on a trip past a reader box (even for people with many tags) is quite low and varies from trip to trip (e.g., often 1 is read, sometimes 0, sometimes 2).
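To make the argument concrete, an added example (not the project's code or data): a constructed population of tag carriers and a simple model in which each tag is read independently with some probability during one pass by a reader. An observer who sees only the encrypted packet count can narrow the candidates to users carrying at least that many tags, and the posterior shows how a low read rate flattens the distribution across users. The population, the binomial read model and the uniform prior are assumptions of the example.

```python
"""Traffic analysis on encrypted reader packets (added illustration, not the
project's code or data). Model assumptions: one packet per tag per pass, each
tag read independently with probability read_prob, uniform prior over users."""
from math import comb

# constructed population: user -> number of registered tags carried
POPULATION = {"u1": 2, "u2": 2, "u3": 2, "u4": 3, "u5": 3, "u6": 5}


def anonymity_set(population, observed):
    """Users who could have produced `observed` packets in one pass."""
    return sorted(u for u, tags in population.items() if tags >= observed)


def likelihood(tags, observed, read_prob):
    """P(observed packets | carrier has `tags` tags) under per-tag Bernoulli reads."""
    if observed > tags:
        return 0.0
    return comb(tags, observed) * read_prob ** observed * (1 - read_prob) ** (tags - observed)


def posterior(population, observed, read_prob):
    """Normalised likelihoods with a uniform prior over users."""
    lik = {u: likelihood(t, observed, read_prob) for u, t in population.items()}
    total = sum(lik.values())
    return {u: l / total for u, l in lik.items()} if total else {}


def max_confidence(population, observed, read_prob):
    """The observer's best single guess: the largest posterior probability."""
    post = posterior(population, observed, read_prob)
    return max(post.values()) if post else 0.0


if __name__ == "__main__":
    for p in (1.0, 0.3):
        for n in range(0, 6):
            print(f"read_prob={p} packets={n} candidates={anonymity_set(POPULATION, n)} "
                  f"best guess={max_confidence(POPULATION, n, p):.2f}")
```

With perfect reads (read_prob=1.0) a count of 5 singles out the one user carrying 5 tags; with the patchy reads the text describes (read_prob=0.3) a count of 1 is consistent with everyone and no user gets more than about 18% of the posterior mass.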
From what I know about RFID, it sounds like you can't easily prevent a tag from being read. If a tag that it not registered with your study (e.g. someone's enhanced driver's license) enters the building, how can you prevent the RFID Ecosystem from tracking this person?
Correct: you can't really prevent an EPC Gen 2 RFID tag from being read unless you shield it (e.g. wrap it in foil). So, for example, an enhanced driver's license, which is not one of the tags we use in our study, could be read while its owner walks through the building. To deal with this, we explicitly "register" each tag we plan to use in the study; this creates an entry in the database that says "it is ok to store data on the tag having EPC 'X'". The software on the reader discards reads of any tag whose EPC is not in this table.
An important note in connection with this question is that RFID at the hardware level is an inherently insecure technology. There are many attacks (e.g. cloning, spoofing) that will work if you have the expertise and the right equipment. Our stance here is that:
1) We feel these attacks are relatively unlikely to occur during the course of our study.
2) CSE systems are not entirely secure anyway (some argue that no system is ever entirely secure) and the amount of time, money and effort we'd have to spend to secure the RFID Ecosystem as best as we know how is not proportional to the risk.
3) We've actually had both the RFID deployment and the current study approved by UW's Human Subjects Division after a long and rigorous review process in which we discussed these (and many other) risks and weighed them against the potential benefits of the research.
System-Related
Does the term "RFID Ecosystem" refer to the RFID middleware, or is it more than that?
The term "RFID Ecosystem" is overloaded: it is the name for an umbrella project which contains many system components, from low-level filtering software, to data management infrastructure, to security and privacy modules, to stream processing and event detection, to applications. It is also the name for the project as a whole, which covers all aspects of the research.
How much of the EPCGlobal stack are you using?
We actually don't use any of the EPCGlobal stack; we have intentionally built everything from the ground up. One reason for this is that privacy preservation has been a major goal for our project and we feel strongly that privacy measures must be built into the system from the ground up. This is not to say that the EPCGlobal stack has flaws with respect to privacy, but we have very different applications in mind and have designed the RFID Ecosystem to support these applications in a privacy-oriented way.
What does the system architecture look like?
We have developed our system in Java; we use both PostgreSQL and Microsoft SQLServer as backend database management systems. We use Apache MINA for secure non-blocking network communications, and we use both Apache and Tomcat for application web services. The architecture features RFID readers at the lowest level. We run some special code on the readers which performs low-level, time-based filtering to increase the reliability of the RFID data itself. The readers then forward their data “up” to a hierarchical network of server nodes which may do additional filtering. A root gateway server then forwards the filtered RFID data to the data management component. The data management component stores the filtered RFID data and processes it to extract higher level information. This process includes running the data through a particle filter to obtain probabilistic estimates of a particular tag’s location (this allows us to estimate where a tag is, even if it is out of range of any particular antenna), processing the particle filter output with PEEX, our probabilistic event detection engine, and storing the results in a database or forwarding them to applications. There is an Event Manager and an API which constitutes the glue between the data management component and applications. We also have a few user-level tools which can help users specify places of interest (e.g. “my office”, “student lounge”, “classroom”) or events of interest (e.g. “going to lunch”, “chatting with a friend”, “having a group meeting”).
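The reader-side stage of this pipeline, as an added sketch rather than the RFID Ecosystem's own reader code, combining the registration check from the enhanced driver's license question above with a simple time-based filter: reads of unregistered EPCs are discarded before anything is stored, and the remaining per-second reads of a registered tag at one antenna are merged into visit intervals while the gap between successive reads is short, so that a tag with a patchy read rate still produces one stable sighting instead of a spiky stream. The EPC strings, the read stream and the 3-second hold are constructed for the example.

```python
"""Reader-side filtering sketch (added illustration, not the RFID Ecosystem's
own reader code): drop reads of unregistered EPCs, then merge the per-second
reads of a registered tag at one antenna into visit intervals so a patchy read
rate still yields one stable sighting. EPCs, reads and the hold time are constructed."""

# constructed registration table: EPCs participants registered for the study
REGISTERED = {"EPC-A", "EPC-B"}

# constructed raw read stream: (unix_time, epc, antenna), sorted by time.
# EPC-Z stands for a tag that wandered in (e.g. an enhanced driver's license).
READS = [
    (0, "EPC-A", "ant1"),
    (1, "EPC-A", "ant1"),
    (2, "EPC-Z", "ant1"),
    (4, "EPC-A", "ant1"),
    (5, "EPC-B", "ant2"),
    (10, "EPC-A", "ant1"),
]


def filter_stream(reads, registered, hold=3):
    """Return (intervals, dropped): intervals are (epc, antenna, first_seen,
    last_seen) with reads of the same tag/antenna merged while the gap between
    successive reads is at most `hold` seconds; dropped counts unregistered reads."""
    intervals = []
    open_visits = {}  # (epc, antenna) -> [first_seen, last_seen]
    dropped = 0
    for ts, epc, antenna in reads:
        if epc not in registered:
            dropped += 1  # not in the registration table: never stored or forwarded
            continue
        key = (epc, antenna)
        visit = open_visits.get(key)
        if visit is not None and ts - visit[1] <= hold:
            visit[1] = ts  # a missed read or two inside the hold window does not end the visit
        else:
            if visit is not None:
                intervals.append((epc, antenna, visit[0], visit[1]))
            open_visits[key] = [ts, ts]
    for (epc, antenna), (first, last) in open_visits.items():
        intervals.append((epc, antenna, first, last))
    return sorted(intervals), dropped


if __name__ == "__main__":
    visits, dropped = filter_stream(READS, REGISTERED)
    print(visits, "dropped:", dropped)
```

The hold length is the knob that trades reliability against resolution: a longer hold bridges more missed reads but also merges two genuinely separate passes by the same antenna into one interval, which is the kind of ambiguity the particle filter downstream has to resolve.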
Where can your middleware be used?
The most appropriate place for our middleware is probably in hospitals, large corporations, or any other organization with a large campus and an interest in tracking both assets and people. At the same time we try to model other scenarios (e.g. RFID in the digital home) in our labs.
Are there any companies currently using your middleware?
No companies use our software as it is currently very much an experimental research project.