Rob Schuurman, Nedap

[Dave Birch] Rob Schuurman is the general manager of Nedap Healthcare, based in the Netherlands. They have developed award-winning products that use mobile phones and NFC to deliver practical, convenient security to a mass market. In this podcast, he talks about his practical experiences getting an NFC-based service into operation and shares some thoughts about the future of the technology in that sector.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Air side

[Dave Birch] The whole business of air travel is a laboratory for experimenting at the boundary between public and private identities, where national and international agreements interact with corporate alliances, outsourcing and value chains to produce a complex environment that needs and benefits from change. Speaking as a frequent traveller, and happy near-weekly user of Heathrow's Terminal 5, it seems to me that air travel has got considerably quicker, more efficient and simpler in the last couple of years. I print my boarding pass out at home, jump in a cab or on the train, nip through T5 to the lounge and then on to the plane -- the only hold-up in the whole process is the queue for security on the way out (sometimes this can be 10-15 minutes even at T5) and the queue for passport control on the way in.

However, the need to print a physical boarding pass, even using 2D barcodes rather than a magnetic stripe, and the lack of an efficient bag drop system means that despite the universal electronic ticket for air travel, more than two-thirds of passengers still went to a check-in desk. Where to look for the next improvement? Well, I'm sure like most people I think that the key technology that will change this is the mobile phone. If the mobile phone allows you to check in and obtain a boarding pass, and a kiosk at the airport allows you to self-tag (clearly there are some security issues around this) then the flow through airports would increase significantly and the costs would reduce accordingly.

In fact I saw a presentation for one of the companies that supplies infrastructure to airports recently an they were talking about their experiences with the mBCBP (mobile bar code boarding pass) -- they said that "we only care about Blackberry, iPhone and high-end smartphones", which means we can assume big, clear screens -- but still the current 2D barcode solutions don't carry enough data for the airlines to store more than three legs plus frequent-flier and other data.

So why am I looking at this space? One of the biggest players in the industry, IER, is advocating the "pass & fly" sticker solution and I saw them present on the Air New Zealand and Air France case studies which, I have to say, was rather impressive.

Touch and gone

[Dave Birch] I ran a workshop on mobile proximity security day, and one of the things we touched on in the group is the EU's publication of their recommendations on the "identity of stuff" last week. They've published a 14-point action plan.

The European Commission has announced plans for Europe to play a leading part in developing and managing interconnected networks formed from everyday objects with radio frequency identity (RFID) tags embedded in them - the so-called "internet of things".

[From EU lays out plans for the "internet of things" - V3.co.uk - formerly vnunet.com]

These are real issues, and although I'm not making any comment on the value or otherwise of the specific recommendations, there's no doubt that the subject deserves more attention. There's an "identity of things" problem that came up (again) in a meeting I was in last week that I think is worth sharing. It comes from the world of NFC, where the problem revolves around contactless stickers, tags, posters and that kind of thing. It's the same problem that we looked at before, and it's worth reviewing because there's been no industry progress toward a solution.

A little background. The NFC Forum have announced their "N mark" which is a standard symbol to be applied to adverts, magazines, posters and such like. The idea is to show consumers (none of whom have ever even heard of NFC, let alone seen an NFC phone) where they can "tap" their phones to get some kind of service.

The NFC Forum has developed the “N-Mark” trademark so that consumers can easily identify where their NFC-enabled devices can be used. It is a stylized “N” and indicates the spot where an NFC-enabled device can read an NFC tag to establish the connection.

[From NFC Forum : N-Mark]

If you haven't seen it, it looks like this. A simple ecosystem in the offing: you put the N-mark on things, consumers come along and touch them with other things.

At whose fingerprints?

[Dave Birch] I went to the Social Market Foundation chat about biometrics sponsored by the Identity and Passport Service (IPS). The speakers -- Jim Wayman from San Jose State University, Peter Hawks and Hugh Carr Archer (Aurora) from our friends at IAFB, Farzin Deravi from the University of Kent and forum friend Toby Stevens from EPG -- got a good discussion going although personally I thought it was a little too short. I was very interested in some of the points being raised from the floor and would have appreciated more time for expert reflection from the panel.

Jim started his talk by referring to the "colourful" history of the future of biometrics, which appealed to my current obsession with paleo-futures at the CSFI, and made a couple of points that I think are worth opening up for discussion here. First of all, he made the key point that biometrics doesn't solve the problem of identification but once you have identified someone then you can use biometrics to link them to that identity. Biometrics is easy, identification isn't, and biometrics do not guarantee the validity of non-biometric data in database (this is why I keep promoting the "biometric only" plan from the UK National Identity Register). Secondly, he made me reflect on the difference between schemes where the "users" care about multiple uses or not. So, if I have a season ticket for the London underground, I don't care about my brother using it on the days that I'm not. But I don't want him using my credit cards on days that I do not. So why would you need a biometric for a bank card? Good point. I think that the answer is that if we want to use cards for larger transactions then we can't use PINs because PINs are too easily snaffled, but I'm going to think some more about this and post in the future.

The China syndrome

[Dave Birch] A couple of days ago and I again mentioned the government's "break the glass" plan for a national identity scheme. In other words, what is the emergency plan to be followed should the integrity of the system itself fail. The point about the "break the glass" plan is a serious one. While I have no evidence that the government has such a plan, I'm sure they must do. If hackers, mafia extortionists or opposition MPs get into the database then someone has to be able to press a button to sound the alarm, to raise the drawbridge to other government systems and to initiate the meltdown process of re-issuing keys (or whatever else needs to be done).

What kind of meltdown might require the government to break the glass? Well, just for amusement purposes (since it could never happen, because the Home Security said that the ID card system will use "military" security) let's suppose that a disgruntled member of staff steals the entire biographical database. Let's say a fifty million individual records (5 x 10^7). Each individual record comprises 50 data items -- actually in the UK Identity Cards Bill it was slightly more than 50 -- so that's 5 x 10^1. Let's say each data item is 1KB. They're not, but whatever. So now we have a database of 5 x 5 x 10 x 10^7 or 25 x 10^8 or a couple of terabytes. That's it, a couple of a terabytes. I can buy a 2TB USB hard drive on Amazon right now for a couple of hundred quid and by the time the database is up and running, it will be fifty quid. So I can store the entire database for next to nothing, chuck it in my car and zoom off with it.

When they come in in the morning and notice it missing, there needs to be a big red button on the wall that they can smash the glass and press. Ah, you might say, it seems unlikely that a vetted civil servant will deliberately and flagrantly break the data protection act or whatever. Well I imagine that's what they thought in Chile, before a civil servant started publishing their national identity register on the Internet. We shouldn't let this kind of thing stop us from building a better identity infrastructure, but we should use it to help us build a better one, by which I mean one that depends on open peer review for its security.

Hazel Lacohee, BT

[Dave Birch] Dr Hazel Lacohée joined BT in 1998 and is a Principal Researcher undertaking qualitative social research for BT Innovate. She is responsible for investigation of the commercial, socio-economic and customer impact of ICT applications and systems and providing thought leadership on the social and market implications of communications technology. She is currently focused on issues concerning privacy, security, trust, data collection and public surveillance and is lead author of the Trustguide report. Hazel Lacohée obtained an ESRC funded PhD in Psychology from the University of Bristol in 1996. She is author of a diverse range of publications and has contributed to a number of patents at BT. In this podcast, she talks about some of public perception issues around personal identity and data, introducing some ideas of shared and community responsibility.

Karsten Nohl, University of Virginia

[Dave Birch] Dr. Karsten Nohl is a researcher at the University of Virginia. A cryptographer, who was researching some aspects of RFID and privacy, he was part of the team that attracted widespread industry interest when they reverse-engineered the NXP MiFare Classic smart card. Some two billion MiFare Classic cards have been sold around the world, where they are widely used in transit systems (where they have an 85% market share), access control, ticketing and other applications. The reverse-engineering mean that the team could break the CRYPTO-1 stream cipher used in the products and therefore create bogus cards at will. In this podcast, Karsten explains what the team did and what some of the lessons might be for the designers of secure identification systems.

Metro-politan

[Dave Birch] Down at the European Technology Standards Institute (ETSI), I saw a good presentation by Jens Kungl from the 64 billion euro METRO Group, which operates 2,400 retail locations in 31 countries. He knows a bit about retail, and Metro have been experimenting with RFID for some time, so his opinions need to be taken seriously. He began by making (strongly) the point that the best way to scupper an RFID project in retail is to begin tracking people instead of goods. In my opinion, one of the dangers here (and there are genuine privacy concerns that need to be addressed) is the regulatory response, which may be over-anxious, mis-targetted or plain wrong. For example

The Washington legislation outlaws the use of RFID "spy technologies" to collect consumer information without the owner's consent. The only problem is, heavy corporate lobbying narrowed the scope of the law (before Governor Gregoire signed it) to cover only criminal acts such as fraud, identity theft, or "some other illegal purpose" (making it a Class C felony to do so). Collecting information from consumer RFID chips for marketing purposes in Washington—with or without the owner's consent or even knowledge—is still fair game.

[From Washington State passes RFID privacy law; where's Uncle Sam?]

Surely, collecting information for anything but the purpose for which is was intended is just wrong, and it doesn't matter why it's being collected. Anyway, the point of this post is that Jens said that the trigger for item-level tagging is the five euro cent tag and this has arrived sooner than they were planning, so they are going to begin item-level tagging earlier than they had originally planned (they are already rolling out pallet-level tracking). He also said something about two Watts at 868MHz, but he was losing me a bit there...

NFC, privacy and identity infrastructure

[Dave Birch] I've had a few e-mails from people about this paper by Colin Mulliner. This paper describes vulnerabilities in NFC implementations using "smart posters". It's the nature of the attacks, rather than exposure levels, that are worth looking at since, as Colin says,

 

The attacks demonstrated are trivial due to the manufacturer time to market (TTM) obsession, thereby shipping devices with trivial vulnerabilities, in Mulliner’s research they orbit around passive tags which are mostly abused as vectors for the any of the attacks demonstrated.

[From Attacks on NFC mobile phones demonstrated | Zero Day | ZDNet.com]

The attacks fall, broadly, into two categories. There are attacks on the implementation of the NFC tag standard in a current handset -- these remind us of a useful lesson about implementing new standards, but are not that significant in the long run -- and attacks on the way that tags work in the current NFC standards. The problem that Colin has focussed on here is that there is no way of knowing whether a tag is "real" or not: you wave your phone at a Royal Bank of Scotland advert at the train station, but the tag has been tampered with (shielded by a bogus tag, for example) so that your phone is redirected to a web site in the Ukraine which looks like RBS but is just going to use your entered username/password to log in to your account for nefarious purposes. Unfortunately, that's the way tags work: there is no way of preventing this and Colin is right to highlight both modifying original tags and replacing them with malicious tags as interesting security questions.

These questions relate to the better understood issue of product vs. provenance in the RFID world and, as we know, one way to solve that problem is by using digital identity: it's just that it's the identity of stuff in question, not the identity of people.

Faking it

[Dave Birch] I was in a discussion about this "internet of things" again today. It reminded me about my recent visit to the Automatic Identification and Data Capture (AIDC) European Centre of Excellence, which is in Halifax. They have a super facility with a shop, bank, hospital, town hall, library and main street set up on one floor of what I imagine to be a disused mill building. Their vision is to be able to demonstrate AIDC technologies (including some of our favourites such as biometrics and RFID) in "real" environments. During my tour, I came across a notable use of RFID tagging that flagged up -- once again -- just how widespread the use of RFID is likely to become and just how many niches there are for it to fill. I'm not skipping over the privacy issues. Nor, for that matter, are the European Commission...

One source told me that a requirement from the EU for consumers to positively opt-in to RFID in-store and for RFID tags to be decommissioned at the point-of-sale would kill RFID at item-level in Europe. Such a move, the source added, would put us internationally behind the curve, cost thousands of jobs in the RFID industry and be a terrible waste of a very useful opportunity.

[From Is the EU about to publish RFID privacy proposals? (Tune into RFID)]

Some form of RFID code of conduct -- such as the one that Toby Stephens wrote for Digital Identity Management -- is a good thing, but the opt-in and decommissioning ideas are not the right way forward.

contactless, privacy, rfid