Tiny Trackers: Protecting Privacy in an RFID World

Thankfully this RFID session was much warmer than the experts panel at the Hotel Intercontinental the previous day. Interestingly, I found it to be less well attended. About half of the seats in the ballroom were filled up. I suspect that the LITA top technology trends program drew a lot of potential audience members away.

Overall I found the panelists — Jim Lichtenberg, Jackie Griffin, and David Molnar — to be entertaining and informative. I was familiar with much of the content but learned there is still work to be done as privacy issues have not yet been completely resolved in library RFID.

Lichtenberg, a library technology consultant and regular Library Journal contributor, provided an overview of the technology. We’re still at a point where many librarians don’t fully understand how the technology operates, so this explanation was welcome even if it was a bit repetitive for the more RFID-experienced members of the audience.

Lichtenberg used Alice in Wonderland — to much humorous effect — to explain how using RFID is like “going down the rabbit hole.” He says the technology is truly transformative and although we don’t really know what the result will look like at the bottom of the well it will be a wonderland when we arrive.

People are simultaneously excited by and terrified of RFID because it is the leading edge of a much more profound transformation of society, says Lichtenberg. He predicts we will experience more intense change in the next 20 to 25 years than we did with the advent of the Internet. The reason? Rapid advances in nanotechnology, biotechnology, information technology and the cognitive sciences (NBIC). Lichtenberg discussed current research which could lead to nanorobots being surgically implanted into humans to repair tissue, and biotechnology that could lead to the reversal of the effects of aging.

Accelerated technological change IS frightening. The key issue is the creative tension between the benefits of the technology and the need to protect privacy. At this point Lichtenberg listed the advantages (widely available, relatively inexpensive, better inventory control, increased self-check, etc.) and disadvantages (high startup costs, indirect return on investment, immaturity of middleware, lower than expected accuracy and immature standards). Lichtenberg says that libraries considering implementation need to focus on supporting their clients and better understand their needs. Normally we think of RFID data flow in libraries in only one direction: information passes from tag to reader to middleware to library systems. The backwards flow of information, says Lichtenberg, will actually provide more important business intelligence for libraries. He reminded me very much of Lawrence McCrank from the Saturday RFID program with his call for intelligent and creative applications for library RFID which better serve our users’ needs. RFID can be used to push information to people.

Lichtenberg wrapped up his presentation with a metaphor of a glass-bottomed boat. As time goes by the muddy waters will clear and RFID will allow us to understand exactly what’s going on in the library. It’s not about tags and readers but transparency. What can we learn with the data?

The next panelist was Jackie Griffin, director of the Berkeley Public Library. The Berkeley Library has come under much public scrutiny during their implementation of RFID. Griffin explained the history of the local movement protesting the installation and provided advice to librarians considering RFID so that they could avoid making similar mistakes.

Berkeleyans, says Griffin, have a long tradition of protecting free speech. The Board of Library Trustees (BOLT) approved the library’s purchase of RFID over a year ago but the protesting didn’t begin until after the San Francisco Public Library proposed their implementation. Groups such as the Electronic Frontier Foundation, the American Civil Liberties Union, and Berkeleyans Organized for Library Defense (BOLD) have weighed in against RFID in libraries. The most recent protest was only a week ago. A small number of protesters went to Berkeley City Hall to request that funding allocated to the library be removed if they continue with RFID.

At this point, most of the conversion has been completed and it’s unlikely that RFID won’t be used at Berkeley. Griffin says she is very comfortable with the decision to go with RFID. The library has had enormous expenses for repetitive strain injuries. These expenses were enumerated by a consultant hired by the City of Berkeley to analyze costs. In addition, the library had capital funding to double the size of their building but they had no corresponding increase in operating budget. In order to serve more people with the same number of staff they needed to turn to technological solutions.

During the course of investigating RFID Griffin was very involved in work outside the library protesting the Patriot Act. Griffin has a long history working with the intellectual freedom committee of the California Library Association. She is aware of privacy issues and government interference with freedom to read but says it didn’t occur to her at the time that RFID would be a risk. She cautioned the audience to be very aware of the potential consequences of any action they may take with technology.

Once she was aware of the risk she had Lee Tien of the EFF come and speak to the library committee managing the project. She also consulted with authoritative experts such as David Molnar, a UC Berkeley doctoral engineering student, and the Samuelson law clinic (which specializes in the legal implications of emerging technology). These experts helped Griffin and her staff to draft their RFP and to develop best practices (which are posted on their public web site). They interviewed five vendors and selected the one they felt best addressed the issues.

Griffin says that a bigger intellectual freedom issue is access to information. Many public schools in Berkeley lack media specialists and 30% of Berkeleyans do not have a computer at home. If there is such a concern that library RFID tags may be used by the government to interfere with things people read, then the real question is what the government is doing. Griffin says that RFID has allowed the Berkeley Public Library to reopen on Sundays and to return their book purchasing budget to near normal levels.

The final speaker was David Molnar. Molnar continues to be interested in RFID security issues and he provided the nitty gritty details about how a library RFID system could be compromised. These risks are outlined in his paper, “Privacy and security in Library RFID” (http://www.cs.berkeley.edu/~dmolnar/library.pdf) and they include: hotlisting, denial of service attacks, and vandalism. He discussed questions for librarians to consider in order to evaluate the risk to their constituencies.

The first question is determining what is on the tag. Every library implementation that he has seen only uses barcode information and possibly, depending on the vendor, a security bit. Limiting the information on the tag limits what an adversary can do. Some might argue that it’s just a barcode which can’t be mapped to a book title without information from the integrated library system. Although libraries secure their ILS, it is now even more important to do so.

Older library RFID tags which use ISO 15693 have a static identifier burned on at time of manufacture. Some libraries have unique prefixes in their barcodes which can be used to make inferences. Any persistent identifier enables tracking via hotlisting, which is the creation of a separate database of items you know in advance. For example, you could read the tags of every copy of Osama bin Laden’s biography. Then you could use your reader and preexisting database list (the hotlist) to identify scholars of the Middle East.

The second question is who can read the tags? Anybody can obtain a reader that can detect the 13.56 MHz frequency. The largest observed range he’s aware of is 3 feet, but getting a read from that distance requires a specialized antenna. Most reads are only viable in the range of inches. It’s the ubiquity of readers which will be a problem. When readers are installed at every Starbucks, then those people carrying the bin Laden book can possibly be tracked.

The third question is who can write the tags? If a tag is re-writable then it needs to be locked against vandals in a security bit denial-of-service attack. Vandals can write their own information to the tag and lock it against any further writes, effectively destroying the tag for library applications. Tag writing issues can also affect future upgrades to the system if a proprietary read/write protocol can’t be handled by another vendor’s system. Rewriting the tag at checkout could fix the hotlisting issue by removing the barcode as the item is removed from the library. Nobody sells such a solution yet and there are robustness issues. If the item is not checked back into the library properly then it won’t have the barcode information anymore.

The final question is what type of encryption does the wireless communication between tag and reader have? Most systems are not securely encrypted and can be sniffed. There can be several meanings to the term encryption and you must understand what your vendor is doing if they say their product has it. If they encrypt using proprietary encoding, then each library that uses the same vendor will have the same type of coding. Since it’s not different per library it can be reverse engineered. Some vendors encrypt the barcode information with a per-library key. This leads to static data and brings back the hotlisting and data tracking concerns. Finally, some encrypt by password-protecting the ability to read tags. How does the reader know which password to use? Is it the same for all tags or for each tag? The answer has serious implications. If it’s the same, then you’re back to the static identifier problem.

RFID security is a multilayer problem, says Molnar, and you need to include privacy issues and the appropriate questions in your RFP. He recommends that libraries minimize the amount of data they put on a tag and that they test out vendors’ products in real-world settings. Tag readers are relatively inexpensive and can be used with open source software called RF-Dump (http://www.rf-dump.org/). Can you crack the system you’re interested in?
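
To make the tag-content, rewrite-at-checkout and per-library-key points concrete, here is a small audit sketch added for this write-up (it is not from the talk or from Molnar's paper). It models three tag schemes and checks what a reader holding no key sees inside and outside the library; the key, the barcodes and the use of HMAC-SHA256 as a stand-in for a vendor's per-library-key encryption are all assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-per-library-key"              # constructed sample key
BARCODES = ["31234000000017", "31234000000025"]   # constructed sample barcodes

def plain(barcode, where):
    """Tag holds the barcode as-is."""
    return barcode.encode()

def per_library_key(barcode, where):
    """Tag holds a deterministic keyed transform of the barcode.
    HMAC-SHA256 is a stand-in for a vendor's per-library-key encryption."""
    return hmac.new(KEY, barcode.encode(), hashlib.sha256).digest()[:8]

def rewrite_at_checkout(barcode, where):
    """Barcode is removed from the tag when the item leaves the library."""
    return barcode.encode() if where == "in-library" else b""

def common_prefix(values):
    """Longest run of leading bytes shared by every value."""
    first, last = min(values), max(values)
    n = 0
    while n < len(first) and first[n] == last[n]:
        n += 1
    return first[:n]

def audit(scheme):
    """Read each item inside and outside the library, with no key, and report."""
    reads = [(b, scheme(b, "in-library"), scheme(b, "outside")) for b in BARCODES]
    outside = [out for _, _, out in reads]
    return {
        # identical non-empty bytes in both places: the tag can be hotlisted
        "static_identifier": all(out and inside == out for _, inside, out in reads),
        # barcode itself visible to any reader outside the library
        "barcode_in_clear": any(b.encode() in out for b, _, out in reads),
        # shared leading bytes across items can point to the owning library
        "shared_prefix": len(common_prefix(outside)) > 0,
    }

if __name__ == "__main__":
    for scheme in (plain, per_library_key, rewrite_at_checkout):
        print(f"{scheme.__name__:20} {audit(scheme)}")
```

The per-library-key scheme hides the barcode but still reports a static identifier, which is the point made above: the observer never needs to decrypt anything to recognize the same tag twice.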

There was a question and answer session between the audience and the panel members. Most of the questions were addressed to Jackie Griffin regarding the size of the collection and the protests in Berkeley. There had been reports in the news which conflated the purchase of RFID with library layoffs. Griffin says that they received a better budget than they anticipated and the layoffs didn’t happen. Library staff is getting more enthusiastic about RFID now that they feel it isn’t a threat to their livelihood.

One audience member asked the panelists to comment on Lee Tien’s published remarks regarding the library as a moral compass regarding the use of RFID (if it’s ok for a library, then it must be ok everywhere). Lichtenberg says libraries are going to be far, far, far from the only place using RFID. The technology is so pervasive that libraries aren’t going to dictate its mind-share. Griffin says that what the profession is doing to discuss RFID is amazing. She is not aware of other communities raising and discussing these issues. Molnar says that the economics of RFID will improve with the tags becoming cheaper and increasingly used by industry.

In sum, the panel was informative and a great review of the many questions librarians should consider if they purchase RFID. RFID security is still a research issue but the technology will not go away. Librarians are doing an excellent job raising awareness and discussing the issues but there is a need for more creativity in designing applications for library RFID that truly serve the library user.