There have been a couple of thought provoking IT privacy stories that have appeared over the past few days. Over the weekend, for instance, there was another story about RFID snooping.
This particular story by the Associated Press told of a California security consultant who, by purchasing an antenna and RFID reader on eBay for under $200, was able earlier this year to detect and then download to his laptop the unique serial numbers from two people carrying their new US passports that use RFID chips in about 20 minutes. Within an hour, he had been able to find by cruising the streets of San Francisco four such passports and also download their serial numbers.
While passport serial numbers by themselves are not overly useful to a "run-of-the-mill" hacker (at least at the moment), the consultant's experiment showed that it wouldn't be that difficult for a government (or private) organization to track someone carrying an RFID tagged passport; something the US government has been downplaying as a potential problem.
Furthermore, as the AP story noted, the opportunity to track someone by RFID tags is quickly increasing:
"On June 1, it became mandatory for Americans entering the United States by land or sea from Canada, Mexico, Bermuda and the Caribbean to present identity documents embedded with RFID tags, though conventional passports remain valid until they expire."
In addition, US states including Washington, Vermont, Michigan and New York already embedded RFIDs into their automobile licenses, and other states are considering following suit.
US state and federal officials maintain, however, that the American public should not worry about RFIDs being embedded in their government documents and later being used for tracking purposes. After all, "... in this day and age ... there are a lot of other ways to access personal information on people," like via cell phone that are easier, the AP story quotes one government official as saying.
I don't find that to be a reassuring mindset.
What's more, RFID tracking capability is expected to grow tremendously in the next few years. When added to other forms of individual tracking, like that using credit card purchases, cell phone usage, Internet usage, etc. which are also getting better, a person will be able to be monitored 24-7 fairly easily and inexpensively by governments and private companies alike.
Adding to the mix of technologies for tracking someone is that of vehicle license plate recognition (LPR) systems. The UK government is a major user of such systems, created originally in response to IRA activities in Northern Ireland and the British mainland during the 1980s and 1990s, and now in routine use for traffic control such as congestion pricing in London.
In the US, license plate recognition systems have been used more by local and state police departments to check for stolen vehicles, vehicles with unpaid parking tickets or unpaid taxes, or vehicles running red lights and the like.
Now, the San Francisco Chronicle reports, the town of Tiburon, California wants to go a step further. The town wants to spend $100,000 to set up a license plate recognition systems that will record every vehicle entering and leaving the town as a way to thwart criminals.
Not that there are many criminals in Tiburon, a town of 8,800. The Chronicle story says that:
"In all of 2007 and 2008, Tiburon recorded 196 thefts, 37 burglaries and a dozen stolen cars."
The Chronicle story goes on to say that:
"City leaders promise to prevent abuses. Information on which cars enter and leave town will not be available to the public, they said, and will be erased within 60 days. Police officers will be granted access to the information only during an investigation."
Of course, once such a system is installed, I doubt it will be long before that 60 days turns in 90 or more. Governments everywhere hate to erase information that they have already collected.
The next big (or maybe small) slice away of privacy will be when law enforcement drone information is inevitably connected to databases containing information from LPR, RFID reader systems, etc.
At least the current US Administration has decided against allowing law enforcement access to spy satellite information. However, I suspect that will only be a temporary reprieve.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.
