RFID) That Can Be "Read" When Close to a Sensor

PRESS RELEASE, Immediate distribution

We are working on a new release of materials that includes the audio files of the press conference. Thanks to all the people interested in following up the case; we will keep you informed. We are translating the report into different languages; we have already translated it into English, Spanish and Swedish. Mail us if you can translate the information presented on this website. Thanks!

THE PHYSICAL ACCESS SECURITY TO WSIS: A PRIVACY THREAT FOR THE PARTICIPANTS. [IN PICTURES]

URL: http://www.contra.info/wsis | [email protected]

PRESS CONFERENCE
Friday 12th December 2003 at 11.30 am at « La Pastorale », Route de Ferney 106, Geneva
http://www.pressclub.ch/archives/events_2003/event_121203_1130.htm

[Press Release English PDF] - [Press Release in Spanish]

- Ass. Prof. Dr. Alberto Escudero-Pascual, Researcher in Computer Security and Privacy, Royal Institute of Technology, Stockholm, Sweden (EN, SP) Tel: + 41786677843 , +46 702867989
- Stephane Koch, President Internet Society Geneva, Executive Master of Economic Crime Investigations, Geneva, Switzerland. (FR, EN) Tel: +41 79 607 57 33
- George Danezis, Researcher in Privacy Enhancing Technologies and Computer Security, Cambridge University, UK. (FR, EN, GR)

GENEVA, 10th DEC 2003

An international group of independent researchers attending the World Summit on the Information Society (WSIS) has revealed important technical and legal flaws, relating to data protection and privacy, in the security system used to control access to the UN Summit. The system not only fails to guarantee the promised high levels of security but also introduces the very real possibility of constant surveillance of the representatives of civil society.

During the course of our investigation we were able to register for the Summit and obtain an official pass by “just” showing a fake plastic identity card and being photographed (via a webcam), with no other document or registration number required to obtain the pass. The limited personal data required to produce the fake ID and thus register was easily obtained - a name from the WSIS website of attendees. However, this is only half of the story.

http://www.nodo50.org/wsis/ (1 of 4)15.03.2004 19:07:32

More photos of the WSIS Access Control

The official Summit badges, which are plastic and the size of a credit card, hide an “RF smart card” [1] - a hidden chip that can communicate its information via radio frequency. It carries both a unique identifier associated with the participant and a radio frequency tag (RFID) that can be "read" when close to a sensor. These sensors can be located anywhere, from vending machines to the entrance of a specific meeting room, allowing the remote identification and tracking of participants, or groups of participants, attending the event.

The data relating to the card holder (personal details, access authorization, account information, photograph etc.) is not stored on the smart card itself, but is instead managed by a centralized relational database. This solution enables the centralized system to monitor closely every movement of the participants at the entrance of the conference center or, using data mining techniques, the human interactions of the participants and their relationships. The system can potentially be extended to track participants' movements within the summit and detect their presence at particular sessions.

Because all of the personal data is stored in a centralized database, any part of the database can be replicated locally, or transferred to future events - for example the next WSIS Summit hosted by the Tunisian authorities in 2005.

During the registration process we requested information about the future use of the picture and other information that was taken, and about the built-in functionalities of the seemingly innocent plastic badge. Upon our request, no public information or privacy policy was available that could indicate the purpose, processing or retention periods for the data collected. The registration personnel were obviously not properly informed and trained.

Our main concern is not only that the Summit participants lack information about the functionalities of the physical access system implemented, or that no one was able to answer questions about how the personal data would be treated after the Summit. The big problem is that the system also fails to guarantee the promised high levels of security while introducing the possibility of constant surveillance of the representatives of civil society, many of whom are critical of certain governments and regimes.

Sharing this data with any third party would put civil society participants at risk, but this threat is made concrete in the context of WSIS by considering the potential impact of sharing the data collected with the Tunisian government in charge of organizing the event in 2005.

That a system like this gets implemented without a transparent and open discussion amounts to a real threat for the participants themselves, and for our Information Society as a whole.

More information is available at: http://www.contra.info/wsis [email protected]

NOTES TO EDITORS

• The World Summit of Information Society has contracted SportAccess, a company of the Kudelski Group, as the main party responsible for an integrated physical access control solution during the United Nations Summit of Information Society. The MultiSAK system has already been deployed in other meetings, such as the World Economic Forum in previous years, and was globally designed and developed by NagraCard and NagraID.
• The procedures for handling personal data during WSIS break the principles of the Swiss Federal Law on Data Protection of June 1992 [2], the European Union Data Protection Directive 95/46/EC [3] and the United Nations guidelines concerning computerized personal data files adopted by the General Assembly in December 1990.
• The Electronic Privacy Information Center [1] has an extensive news archive and background material on the subject of privacy threats and RF tags. Usage of RF tags in supermarkets, to tag products for purposes of stock management and security, has already attracted opposition on privacy grounds from CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) [5] and has led to campaigns for a customer boycott of tagged products [6].

REFERENCES

[1] Electronic Privacy Information Center Website about RFID Identification, http://www.epic.org/privacy/rfid/
[2] Swiss Federal Law on Data Protection, http://www.edsb.ch/e/gesetz/schweiz/index.htm
[3] European Union Data Protection Directive, http://europa.eu.int/comm/internal_market/privacy/index_en.htm
[4] Guidelines for the Regulation of Computerized Personal Data Files, http://www.unhchr.ch/html/menu3/b/71.htm
[5] http://www.nocards.org/AutoID/overview.shtml
[6] The Boycott Gillette Campaign, http://www.boycottgillette.org/

RELATED NEWS

News in the following languages: Spanish, English, French, Dutch, German, Portuguese, Catalan, Galician...

● 2003-12-10 [SP] WSIS hacked
● 2003-12-10 [GA, PT] WSIS was hacked!!
● 2003-12-10 [SP] WSIS has been hacked!!
● 2003-12-11 [SP] Security of the World Summit on the Information Society bypassed
● 2003-12-11 [EN] What summit security?
● 2003-12-12 [EN] WSIS Physical Security Cracked - Slashdot
● 2003-12-12 [EN] WSIS Security system violates the data protection guidelines
● 2003-12-12 [EN] More info and pictures of the physical security at WSIS
● 2003-12-12 [CAT] They have hacked WSIS
● 2003-12-12 [FR] The security of the world forum on the information society has reportedly been hacked!
● 2003-12-12 [SP] Threat to the privacy of the participants
● 2003-12-13 [NL] Break-in into the access system of the WSIS conference
● 2003-12-13 [SP] Interview with Alberto Escudero-Pascual, computer security researcher at the Stockholm Polytechnic Institute, Sweden, and founding member of the telematic portal Nodo50. 3609 KB MP3 (Red con Voz)
● 2003-12-13 [FR] Physical access security at WSIS
● 2003-12-14 [EN] MIT's Furd Log
● 2003-12-14 [EN] Officials secretly RFID'd at Internet Summit - Slashdot
● 2003-12-14 [EN] Bug devices track officials at summit - Washington Times
● 2003-12-14 [EN] Officials bugged at international summit
● 2003-12-15 [EN] Why did WSIS bug delegates? - The Feature
● 2003-12-16 [IT] WSIS, the delegates were spied on
● 2003-12-18 [EN] Summit group confirms use of ID chip - Washington Times
● 2003-12-23 [FR] RFID: the Geneva summit badges had side effects

More related articles

● RFID: the Geneva summit badges had side effects. AFNET. Association Francophone des Utilisateurs du net

OBTAINING A WSIS BADGE IN PICTURES

THE PERSONAL DATA COLLECTION AT WSIS VIOLATES THE SWISS, EU AND UN DATA PROTECTION GUIDELINES

Here we describe the process we followed to obtain a secure badge of one of the participants. High-resolution versions of the pictures are available here.

Every participant at WSIS follows the signs to the registration desk. The participants were requested to carry the LETTER OF INVITATION, which includes a REGISTRATION NUMBER, and an IDENTITY CARD.

The participants stand in a queue and provide a REGISTRATION NUMBER. The REGISTRATION NUMBER is checked against a database.

The participants show an ID Card and a picture is taken of them via a webcam. In our case we "only" provided the name of an existing participant that we obtained from the WSIS website and showed a plastic card (as a secure ID Card) that contained the name of the participant and our picture.

http://www.nodo50.org/wsis/pictures/ (1 of 5)16.03.2004 02:20:36

While we asked about the WSIS PRIVACY POLICY concerning the collection of personal data and what the badge contained, we even had time to photograph all the cameras.
