Story URL: http://news.medill.northwestern.edu/chicago/news.aspx?id=187163
Story Retrieval Date: 10/24/2014 6:51:55 PM CST

Top Stories
Features

What is RFID and can it be tricked? System engineers from Argonne National Laboratory explain RFID:101.


Digital privacy: Are you ever alone?

by Ashley Cullins and Brian Warmoth
June 03, 2011


RFID AC CHART

Ashley Cullins/MEDILL

Roger Johnston and Jon Warner, of Argonne National Laboratory's vulnerability assessment team, compare the difficulty of beating inventory technologies used as security systems.

RFID - Warmoth

Brian Warmoth/MEDILL

A 2010 Pew study showed that 7 percent of those who use Internet on their cell phones also use location-based services.

AC USweekly

Ashley Cullins/MEDILL

Google Goggles doesn't recognize Justin Timberlake...

MR CLEAN RFID CULLINS

Ashley Cullins/MEDILL

...but it does know Mr. Clean.

Taking a midday break from work to run an errand and grab a quick cup of coffee can feel like a solitary experience. A solo trip to a drugstore and Starbucks can leave a trail of personal information and data behind, however, potentially making the excursion more public than it seems.

Consumers today carry pockets and purses full of technology that communicates information silently—both by active and passive means—and as those devices become more entrenched in casual habits and activities, being aware of what you broadcast is more important than ever. In many cases, the technology that companies use to track and identify you can be inefficient and unreliable, but that does not mean that no one is listening.

RFID: What are you doing?

For starters, your credit card and security badge for entering your office are likely to contain Radio-Frequency Identification (RFID). These RFID chips emit signals that other devices recognize, and can be useful across a number of industries.

“The big areas of growth are in apparel retail,” said Mark Roberti, editor and founder of the online news source RFID Journal. “That's mainly because apparel retailers have problems tracking items.”

By attaching small tags to stock items, business owners can wirelessly count their inventory without rummaging through piles and shelves.

Big national retailers, including Walmart, use RFID tech to keep track of inventory, according to Roger Johnston, a security vulnerability expert working at Argonne National Laboratory near Chicago. And RFID tech can be ideally suited for handling such tasks, Johnston said. He cautions against relying on badge technologies for security, though.

“This isn’t a security strategy,” he said.

Johnston and his colleague, systems engineer Jon Warner, regularly test and bypass security tech in order to understand where flaws exist, and they discourage the use of RFID as a means of securing doors.

Johnston said these scanners merely provide the illusion of security. “They’re giving customers what they want – security theater,” he said.

With nothing more than a magnet, and glue affixing it to a fake ID card, the two of them demonstrated how a standard panel can be tricked into thinking that the most recent card to gain access has been used a second time.

Johnston explained that simple techniques can be used to read badges’ access codes for the purposes of manufacturing cloned cards.

Similar vulnerabilities could allow perpetrators to steal information from RFID-enabled credit cards, though an RFID transponder alone cannot be used to create a true clone. Some information, including a card’s number, owner’s name and expiration date can be read from a few inches away.

"Even if you get that information, it's no different that what you would be giving a waiter by handing him your card," Roberti said.

In some cases, the information accessible from an RFID chip can be even less useful than what a waiter sees.

“What most people don't understand is the CVV [Card Verification Value, typically a three or four-digit security code] that's on the RFID card is different than the one on the card,” he stated.

Johnston and Warner agreed that RFID signals should not be reasons for card owners to get paranoid about their data. Neither was aware of any cases where card data has actually been stolen using an RFID transponder. However, Johnston pointed out that identity theft victims might not be able to identify from where their card number was taken if it is used for unauthorized transactions.

“They wouldn’t necessarily know,” he said.

Ultimately, consumers can take simple steps to safeguard they RFID signals by storing them in sleeves made to block transmissions.

Facial recognition: Who are you?

Facial recognition also introduces cutting edge technologies that are becoming more and more ubiquitous. Google Goggles is a visual search application that uses a smartphone’s camera, scans and analyzes the photo and then searches the Internet for the object.

According to a Google spokeswoman, Goggles was developed because people interact with information visually. “We think computers should also be able to search for visual information, so we built the largest image recognition system in existence,” she said. “It currently recognizes tens of millions of objects, and we hope to grow this over time.”

Users can scan barcodes to search for items on sale, take pictures of text and translate it to dozens of languages and identify products by their logos.

The application itself states that it won’t work on people or pets. “Visual search is still in its early stages,” the spokeswoman said. “It works best on things like artwork, landmarks, business cards or wine bottles, but doesn't work well yet on things like food, cars, plants or animals.”

Goggles didn’t recognize Justin Timberlake or Jessica Biel from the cover of “US Weekly,” but it did recognize another familiar face: Mr. Clean. Using no text, only the image of the bald icon, the application was able to identify the photo as the Mr. Clean logo.

If cartoon people can be identified, can facial recognition of actual people be that far off?

When users upload photos to Facebook, the site now suggests people you should tag based on the faces in the pictures. Combining that technology with a program such as Goggles would appear to open the door for facial recognition via cell phone.

Google claims that won’t happen before it’s prepared to handle the privacy implications.

“As we've said for more than a year, we will not add facial recognition to Goggles unless we have strong privacy protections in place,” the spokeswoman said. “We're still working on them. We have nothing to announce at this time.”

Geolocation: Where are you?

Location-based technology can be a source of concern as well. In April, Apple prompted customer and Congressional concern after software hackers Peter Warden and Alasdair Allen identified an unencrypted file titled “consolidated.db.” After looking into file’s purpose they discovered that Apple’s iPhones and iPads had been storing location data about their users.

Much of that data is necessary for using functionality in popular applications such as Google Maps, foursquare and Yelp. However, toggling an option to turn off location services does not always prevent devices from passively communicating where their users have traveled.

Eventually, a Senate subcommittee called upon both Apple and Google to answer questions about their practices in front of congressional leaders.

Apple responded by releasing an operating system update to correct that problem, but the situation attracted attention from citizens and senators alike about how the data was being used.

"Companies are collecting a lot more information than they need to," said Marc Rotenberg, the executive director at the Electronic Privacy Information Center in Washington, D.C. "What happened with the Apple iPhone is a really good example of this."

Rotenberg’s research center focuses on civil liberties and privacy issues that deal with digital data.

"I think the real challenge is to ensure that we do get the benefits of new technologies, but at the same time we need to safeguard privacy," he explained.

A Pew Internet and American Life Project survey from 2010 showed that 7 percent of adults who go online with their mobile device use a location-based service. Hispanics in particular showed wide interest, with 10 percent of those online using geolocation applications.

Additionally, men are significantly more likely to use the services, according to Kathryn Zickhur, the web coordinator at the Pew Research Center’s Internet and American Life Project.

A world in which every person leaves a digital trail of his or her daily life may seem like something out of a George Orwell novel, but as technology advances electronic footprints will inevitably do the same.

As Winston Smith, the protagonist in Orwell’s “1984,” became aware of the repercussions of constantly being monitored, people using modern technology should pay attention to ways they may be making themselves vulnerable.

Johnston said the key to developing better security is thinking like the bad guy. Although “Big Brother” is a fictional enemy, people can learn to protect their digital identity by thinking like those who seek to cause them harm.

This way they still can enjoy their grande latte in solitude.