Tiny Trackers: Protecting Privacy in an RFID World

Thankfully this RFID session was much warmer than the experts panel at the Hotel Intercontinental the previous day. Interestingly, I found it to be less well attended. About half of the seats in the ballroom were filled up. I suspect that the LITA top technology trends program drew a lot of potential audience members away.

Overall I found the panelists — Jim Lichtenberg, Jackie Griffin, and David Molnar — to be entertaining and informative. I was familiar with much of the content but learned there is still work to be done as privacy issues have not yet been completely resolved in library RFID.

Lichtenberg, a library technology consultant and regular Library Journal contributor, provided an overview of the technology. We’re still at a point where many librarians don’t fully understand how the technology operates and so this explanation was welcome even if it was a bit repetitive for the more RFID experienced members of the audience.

Lichtenberg used Alice in Wonderland — to much humorous effect — to explain how using RFID is like “going down the rabbit hole.” He says the technology is truly transformative and although we don’t really know what the result will look like at the bottom of the well it will be a wonderland when we arrive.

People are simultaneously excited by and terrified of RFID because it is the leading edge of a much more profound transformation of society, says Lichtenberg. He predicts we will experience more intense change in the next 20 to 25 years than we did with the advent of the Internet. The reason? Rapid advances in nanotechnology, biotechnology, information technology and the cognitive sciences (NBIC). Lichtenberg discussed current research which could lead to nano robots being surgically implanted into humans to repair tissue and biotechnology that could lead to the reversal of the effects of aging.

Accelerated technological change IS frightening. The key issue is the creative tension between the benefits of the technology and the need to protect privacy. At this point Lichtenberg listed the advantages (widely available, relatively inexpensive, better inventory control, increased self-check etc.) and disadvantages (high start up costs, indirect return on investment, immaturity of middleware, lower than expected accuracy and immature standards). Lichtenberg says that libraries considering implementation need to focus on supporting their clients and better understand their needs. Normally we think of RFID data-flow in libraries in only one direction. Information passes from tag to reader to middleware to library systems. The backwards flow of information, says Lichtenberg, will actually provide more important business intelligence for libraries. He reminded me very much of Lawrence McCrank from the Saturday RFID program with his call for intelligent and creative applications for library RFID which better serve our users’ needs. RFID can be used to push information to people.

Lichtenberg wrapped up his presentation with a metaphor of a glass bottomed boat. As time goes by the muddy waters will clear and RFID will allow us to understand exactly what’s going on in the library. It’s not about tags and readers but transparency. What can we learn with the data?

The next panelist was Jackie Griffin, director of the Berkeley Public Library. The Berkeley Library has come under much public scrutiny during their implementation of RFID. Griffin explained the history of the local movement protesting the installation and provided advice to librarians considering RFID so that they could avoid making similar mistakes.

Berkeleyans, says Griffin, have a long tradition of protecting free speech issues. The Board of Library Trustees (BOLT) approved the library’s purchase of RFID over a year ago but the protesting didn’t begin until after the San Francisco Public Library proposed their implementation. Groups such as the Electronic Frontier Foundation, the American Civil Liberties Union, and Berkeleyans Organized for Library Defense (BOLD) have weighed in against RFID in libraries. The most recent protest was only a week ago. A small number of protesters went to Berkeley City Hall to request that funding allocated to the library be removed if they continue with RFID.

At this point, most of the conversion has been completed and it’s unlikely that RFID won’t be used at Berkeley. Griffin says she is very comfortable with the decision to go with RFID. The library has had enormous expenses for repetitive strain injuries. These expenses were enumerated by a consultant hired by the City of Berkeley to analyze costs. In addition, the library had capital funding to double the size of their building but they had no corresponding increase in operating budget. In order to serve more people with the same number of staff they needed to turn to technological solutions.

During the course of investigating RFID Griffin was very involved in work outside the library protesting the Patriot Act. Griffin has a long history working with the intellectual freedom committee of the California Library Association. She is aware of privacy issues and government interference with freedom to read but says it didn’t occur to her at the time that RFID would be a risk. She cautioned the audience to be very aware of the potential consequences of any action they may take with technology.

Once she was aware of the risk she had Lee Tien of the EFF come and speak to the library committee managing the project. She also consulted with authoritative experts such as David Molnar, a UC Berkeley doctoral engineering student, and the Samuelson law clinic (which specializes in the legal implications of emerging technology). These experts helped Griffin and her staff to draft their RFP and to develop best practices (which are posted on their public web site). They interviewed five vendors and selected the one they felt best addressed the issues.

Griffin says that a bigger intellectual freedom issue is access to information. Many public schools in Berkeley lack media specialists and 30% of Berkeleyans do not have a computer at home. If there is such a concern that library RFID tags may be used by the government to interfere with things people read then the real question is what the government is doing. Griffin says that RFID has allowed the Berkeley Public Library to reopen on Sundays and to return their book purchasing budget to near normal levels.

The final speaker was David Molnar. Molnar continues to be interested in RFID security issues and he provided the nitty gritty details about how a library RFID system could be compromised. These risks are outlined in his paper, “Privacy and security in Library RFID” (http://www.cs.berkeley.edu/~dmolnar/library.pdf) and they include: hotlisting, denial of service attacks, and vandalism. He discussed questions for librarians to consider in order to evaluate the risk to their constituencies.

The first question is determining what is on the tag. Every library implementation that he has seen only uses barcode information and possibly, depending on the vendor, a security bit. Limiting the information on the tag limits what an adversary can do. Some might argue that it’s just a barcode which can’t be mapped to a book title without information from the integrated library system. Although libraries secure their ILS, it is now even more important to do so.

Older library RFID tags which use the ISO 15693 standard have a static identifier burned on at time of manufacture. Some libraries have unique prefixes in their barcodes which can be used to make inferences. Any persistent identifier enables tracking via hotlisting, which is the creation of a separate database of items you know in advance. For example, you could read the tags of every copy of Osama Bin Laden’s biography. Then you could use your reader and preexisting database list (the hotlist) to identify scholars of the Middle East.

The second question is who can read the tags? Anybody can obtain a reader that can detect the 13.56 MHz frequency. The largest observed range he’s aware of is 3 feet, but getting a read from that distance requires a specialized antenna. Most reads are only viable in the range of inches. It’s the ubiquity of readers which will be a problem. When readers are installed at every Starbucks then those people carrying the Bin Laden book can possibly be tracked.

The third question is who can write the tags? If a tag is re-writable then it needs to be locked against vandals in a security bit denial of service attack. Vandals can write their own information to the tag and lock it against any further writes, effectively destroying the tag for library applications. Tag writing issues can also affect future upgrades to the system if a proprietary read/write protocol can’t be handled by another vendor’s system. Rewriting the tag at checkout could fix the hotlisting issue by removing the barcode as the item is removed from the library. Nobody sells such a solution yet and there are robustness issues. If the item is not checked back into the library properly then it won’t have the barcode information anymore.

The final question is what type of encryption does the wireless communication between tag and reader have? Most systems are not securely encrypted and can be sniffed. There can be several meanings to the term encryption and you must understand what your vendor is doing if they say their product has it. If they encrypt using a proprietary encoding, then each library that uses the same vendor will have the same type of coding. Since it’s not different per library it can be reverse engineered. Some vendors encrypt the barcode information with a per-library key. This leads to static data and brings back the hotlisting and data tracking concerns. Finally, some encrypt by password-protecting the ability to read tags. How does the reader know which password to use? Is it the same for all tags or for each tag? The answer has serious implications. If it’s the same, then you’re back to the static identifier problem.
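
The point running through these four questions, that any value which stays the same from shelf to loan is a persistent identifier, can be checked with a small model when evaluating a vendor's scheme. This is an added example, not code from the post or from Molnar's paper; the `Tag` and `Library` classes, the key, the sample barcode, the random on-loan value and the use of HMAC as a stand-in for a vendor's keyed encoding are all assumptions.

```python
"""Linkability audit for library tag encodings: a constructed model, no RFID hardware."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

LIBRARY_KEY = b"constructed-demo-key"  # hypothetical per-library key
BARCODE = "31234000123456"             # constructed sample barcode


def encode_plain(barcode: str) -> bytes:
    """Barcode written to the tag as-is."""
    return barcode.encode()


def encode_per_library_key(barcode: str) -> bytes:
    """Deterministic keyed encoding; HMAC stands in for a vendor's cipher."""
    return hmac.new(LIBRARY_KEY, barcode.encode(), hashlib.sha256).digest()[:8]


@dataclass
class Tag:
    payload: bytes
    static_uid: bool = True  # older ISO 15693 tags: identifier fixed at manufacture
    _uid: bytes = field(default_factory=lambda: secrets.token_bytes(8))

    def read(self) -> dict:
        """What any reader in range receives from the tag."""
        uid = self._uid if self.static_uid else secrets.token_bytes(8)
        return {"uid": uid, "payload": self.payload}


class Library:
    def __init__(self, encode, rewrite_at_checkout: bool = False):
        self.encode = encode
        self.rewrite_at_checkout = rewrite_at_checkout
        self.on_loan = {}  # random on-loan value -> barcode, kept in the ILS

    def checkout(self, tag: Tag, barcode: str) -> None:
        if self.rewrite_at_checkout:
            tag.payload = secrets.token_bytes(8)  # barcode leaves the tag
            self.on_loan[tag.payload] = barcode

    def checkin(self, tag: Tag) -> bool:
        """Restore the barcode; False if the item cannot be identified."""
        if not self.rewrite_at_checkout:
            return True
        barcode = self.on_loan.pop(tag.payload, None)
        if barcode is None:
            return False  # the robustness problem: mapping lost, tag is anonymous
        tag.payload = self.encode(barcode)
        return True


def persistent_fields(encode, rewrite_at_checkout=False, static_uid=True) -> list:
    """Fields whose value on the shelf is still readable once the item is on loan."""
    library = Library(encode, rewrite_at_checkout)
    tag = Tag(payload=encode(BARCODE), static_uid=static_uid)
    shelf = tag.read()
    library.checkout(tag, BARCODE)
    loan = tag.read()
    return sorted(name for name in shelf if shelf[name] == loan[name])


if __name__ == "__main__":
    for label, args in [
        ("plain barcode", (encode_plain,)),
        ("per-library key", (encode_per_library_key,)),
        ("rewrite at checkout, static UID", (encode_plain, True, True)),
        ("rewrite at checkout, no static UID", (encode_plain, True, False)),
    ]:
        print(f"{label:36} persistent: {persistent_fields(*args) or 'none'}")
```

An empty result means nothing read on the shelf recurs on loan; in this model that only happens when the payload is rewritten at checkout and the tag has no fixed factory identifier.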

RFID security is a multilayer problem, says Molnar, and you need to include privacy issues and the appropriate questions in your RFP. He recommends that libraries minimize the amount of data they put on a tag and that they test out vendors’ products in real-world settings. Tag readers are relatively inexpensive and can be used with open source software called RF-Dump (http://www.rf-dump.org/). Can you crack the system you’re interested in?

There was a question and answer session between the audience and the panel members. Most of the questions were addressed to Jackie Griffin regarding the size of the collection and the protests in Berkeley. There had been reports in the news which conflated the purchase of RFID with library layoffs. Griffin says that they received a better budget than they anticipated and the layoffs didn’t happen. Library staff is getting more enthusiastic about RFID now that they feel it isn’t a threat to their livelihood.

One audience member asked the panelists to comment on Lee Tien’s published remarks regarding the library as a moral compass regarding the use of RFID (if it’s ok for a library, then it must be ok everywhere). Lichtenberg says libraries are going to be far, far, far from the only place using RFID. The technology is so pervasive that libraries aren’t going to dictate its mind-share. Griffin says that what the profession is doing to discuss RFID is amazing. She is not aware of other communities raising and discussing these issues. Molnar says that the economics of RFID will improve with the tags becoming cheaper and increasingly used by industry.

In sum, the panel was informative and a great review of the many questions librarians should consider if they purchase RFID. RFID security is still a research issue but the technology will not go away. Librarians are doing an excellent job raising awareness and discussing the issues but there is a need for more creativity in designing applications for library RFID that truly serve the library user.

Radio Frequency Identification Technology in libraries: meeting with the RFID experts

I came expecting yet-another-panel-of-experts. I left psyched up about creative uses for RFID which I hadn’t considered before. In other words, I got something new from the LITA International Relations committee sponsored discussion about RFID. Considering it was 8:30 in the godforsaken morning, that says something. I also nearly got frostbite since the Hotel Intercontinental has the coldest ballroom this side of Antarctica. Word to the wise — take a heavy sweater if you find yourself going there. My wee cardigan was no match for air-conditioning gone awry.

The details:

The panel was introduced by Nancy John from the University of Illinois at Chicago. Pat Harris, executive director of NISO, batted lead. The big news from that corner is that NISO is sponsoring a workshop on RFID standards integration Oct. 25-26 at the Texas Center for Digital Knowledge. Mark your calendars. I intend to attend if I can save my pennies. The workshop will include publishers, book sellers, librarians and industry knowledge managers. This is cool because there needs to be cooperation from stakeholders at every point in the publication cycle. Why tag your books if they can come that way from the publisher or book jobber? Speakers, agendas, sponsor information, registration and hotel information will be posted on the NISO web site after 7/15 (http://www.niso.org).

Harris began with a general introduction and overview of RFID technology which was totally appropriate for the mixed audience of RFID neophytes, nay-sayers, and veterans.
She explained the advantages of RFID use in libraries: circulation, self-service, workflow management, security, inventory, usage, and better work place (less repetitive strain injury). She briefly touched on the privacy controversy as a disadvantage.

NISO has been following RFID for at least 10 years and Harris says she believes RFID may be the trigger for the next round of major changes in libraries which will allow us to compete with the Barnes & Nobles of the world. There are many challenges, however, to RFID deployment at the global level due to interoperability issues. There are over 70 international standards pertaining to RFID says Harris. In order for libraries to strategically integrate RFID the profession needs to think about ways that RFID can help us manage rights expression and to gather new information on how people actually use libraries (this did get my spidey privacy senses tingling). Overall Harris says the market is maturing and librarians will need to embrace the technology as it evolves and that groups such as LITA will play a key role in determining how it plays out. Our community needs to focus on the emerging standards.

Harris finished her presentation a little early and introduced a surprise speaker, Leif Anderson from the Danish National Library Authority. The Danes have been working on RFID in libraries for some years and have recently developed functional requirements for the use of the technology in Danish libraries. The Authority started this work by setting five objectives for RFID use:

1 – it must support interlibrary loan
2 – it should have a full standards-based interface to any integrated library system
3 – it should assure reliance of information from several sources
4 – it should use the information from current bar code systems
5 – it should comply with existing international standards

Based on this the Danish representatives to NISO set up a meeting and invited all printers in the Danish market to participate. They set up a working group of vendors which included 3M, Bibliotheca and several European and Danish vendors. They have been working for several years to figure out how they can meet the objectives. Their report detailing the technical specifications necessary for a vendor to meet the objectives will be released next month.

The next speaker was Vinod Chandra, CEO of VTLS. He discussed some implementation issues a library might face after choosing RFID and provided a glimpse of future trends. He went through the typical workflow of a conversion and illustrated some operational issues that librarians might encounter during the process: incremental implementation, minimizing expenses, check station failures, gate issues and privacy concerns. If a library does implement RFID incrementally (one branch or collection at a time) then the system must continue supporting bar codes. Use volunteers or purchase pre-tagged books to minimize labor costs of converting. Use a test suite for the SIP protocol during the initial implementation to ensure that the response between readers and tags and integrated library systems can reconnect in case of power failure. Discuss privacy issues with your constituency in order to educate users and avoid problems. In the future systems will be more affordable and there will continue being multiple vendors innovating quickly. Minimize your risk of obsolescence by ensuring your equipment interoperates with other systems and has backward compatibility. Chandra says another future trend will be RFID software which is hardware independent — it can work with all tags.

Shai Robkin of Integrated Technology Group discussed the “real world” of RFID by listing constraints to implementation — financial, physical, political, existing infrastructure, personnel — and suggesting questions librarians should ask themselves before beginning a conversion project. In the financial realm there is usually a separation between a library’s capital and operational budgets. A change in operational budgets might affect your ability to maintain RFID. In the physical realm do you have a high percentage of A/V in your collections? Metal causes interference for the radio signals and can hinder the effectiveness of your implementation. Also consider how much metal shelving you may have. In the political realm ask yourself if you have buy-in from all stake-holders. Ensure that your technical infrastructure is capable of handling RFID. Is your integrated library system compatible with your RFID vendor? Robkin says that not all vendors implement the SIP protocol as it’s written. Finally, doing a conversion can be labor intensive. How will you staff it? You need to educate your staff as well as your constituents. How will you manage self-check stations? They will require some employee oversight during the first few months.

Lynne Jacobson discussed her library’s experience by outlining their decision for changing to RFID, explaining their vendor selection process, showing a video of their automatic sorting system in action (that was pretty darn nifty), and entertaining audience questions. We learned that her library had problems initially with jewel cases breaking in the sorting bins but using a stronger brand alleviated the issue.

The session ended with a presentation by Lawrence McCrank which rocked my socks. The man, as Michael Stephens is wont to say, “gets it.” I think he scared some of the more conservative members of the audience. Nancy John mentioned something about rabble-rousing and alternating between feeling excited and irritated by McCrank’s prophecies when she provided the post-speaker summary.

Rather than discuss the same ol’ same ‘ol this-is-how-RFID-works-and-this-is-how-we-done-good thing he talked about how to use RFID to be user directed instead of collection centered. McCrank has used something called immersion theory to design the library of the future and it’s all about the ubiquitous computing baby. He’s creating this visionary playground at Chicago State University but he was careful to let us know that political and economic reality enforces a great deal of compromise. The real deal won’t look exactly like the dream.

CSU is using the Pareto principle to their advantage. They have closed stacks utilizing an automated sorting and retrieval system (ASRS) where 80% of their lower circulating items reside. The 20% in more active use is retained on the shelves as a browsing collection. RFID provides a double layer of security for them because it’s used when an item leaves the retrieval system and once again when a patron checks it out.

McCrank says that RFID can be used as an integration point in the information environment. Using a smart card to gain access to the library can help mediate copyright and intellectual property issues. The smart card can retain an individual’s preferences to make an entirely personalized library environment. Imagine that you and your card’o’customization enter the library with a backpack full of books you’re using for a research project. The card could signal the OPAC, retrieve the MARC heading and use the LCSH headings to create a metasearch that navigates all of the library’s A&I databases, the OPAC, and recall all the necessary physical items from the ASRS.

I found myself intrigued despite the glaringly obvious privacy concerns with this scenario. McCrank also mentioned the possibilities of integrating course management software and e-reserves into the mix. This is consistent with the top technology trends — people aren’t going to come to the library web site to retrieve things, we’ll need to push content out where it’s needed.

Ultimately McCrank was not dismissive of the privacy issues but that is a sociopolitical issue which requires sociopolitical solutions. He asked the audience to deeply consider that the benefits of RFID may outweigh the drawbacks. Given that RFID will be included on everything from refrigerators to passports there may be bigger things to worry about than tracking books.

I’m still not convinced that the benefits will override the potential erosion of my civil liberties but McCrank made an appealing pitch by shifting the focus of RFID in libraries from collections to users. I do agree with McCrank when he says that in order to remain relevant librarians will have to accept that ubiquitous computing will be part and parcel of our environment. We need to come up with intelligent solutions to the problems so we can derive the advantages of RFID.

After an audience Q&A Nancy John summarized what the speakers said. In short: we learned about how RFID is used, the concerns, and the need for interoperability. Our colleagues in Europe are doing excellent work. We got practical answers to thorny questions about work flows and conversion. The real world does differ from the potential we see. We have lots of possibilities to consider but librarians are thoughtful in how they select RFID systems and will continue to keep alive the dialog about abuses.