Re: Some more background on the RFID experiment in Hiroshima

At Fri, 11 Sep 2009 07:57:02 -0700 (PDT),
Ole Jacobsen wrote:
> 
> 
> Inline.
> 
> On Fri, 11 Sep 2009, Eric Rescorla wrote:
> 
> > At Thu, 10 Sep 2009 12:23:31 -0700 (PDT),
> 
> > > * Each attendee will be issued an RFID card at the registration desk. 
> > >   The information stored on the card is ONLY a number, no personal 
> > >   data is stored on the card. (Note: the attendee can opt out at any
> > >   time, including not collecting the card, see below).
> > 
> > Note that removing your name from the database doesn't remove the
> > ability of someone to track you via the tag.
> 
> If this is a great concern I would suggest either returning the card 
> or not collecting it in the first place. Also, the type of readers 
> used require close proximity to trigger, you literally have to touch 
> the reader with your card to make it work. So nobody from the host 
> organization at least will be tracking you. I am also not sure what 
> value there is in knowing that 3478273983421 spent 10 minutes in trill 
> and then moved on to behave (pun intended).

Well, I think it's important to distinguish two different threat
scenarios: 

1. Tracking via the sensors that IETF has emplaced.
2. Tracking via sensors that others emplace [it's important to
   note that just because the readers you have are low power
   and can only work at close range, that doesn't mean it's not
   possible to have readers that work at longer ranges.]

In the first scenario, it's probably true that you can only
gather limited amounts of information, but in the second scenario,
the amount of information that can be gathered is limited primarily
by the number of sensors you're willing to emplace. I can 
imagine a number of scenarios where it would be attractive
to know where a given individual is at all times (for starters,
people often have private side meetings with customers at IETF
and if you had positional information you might be able to learn
about this). I certainly would not want to be tracked everywhere
I went.

This brings us to the question of the identifiers: it's certainly
true that systems which are anonymous but linkable offer a higher
level of privacy than those which do not. However, it's often
possible to determine which identifier a given person has 
(e.g., by observing a specific person's card being read), then
you can of course track them by name. In addition, if the
identifier->person mapping isn't generated securely and kept
confidential, then you may be able to quickly determine a
large fraction of the mapping.


> > > * The "information" (number) on the card is not encrypted and could be 
> > >   read by any RFID reader, but again, it's only a number.
> > 
> > How are the numbers assigned?
> 
> Don't know, but I have asked. I am guessing they are pre-assigned in 
> the sense that each card has a unique ID that is later mapped to the
> database.

OK, but the details matter here. For instance, if you have a stack
of cards with sequential serial numbers and you assign them in
sequence to the people in the attendee list (e.g., at the time
right before the meeting), you wouldn't need to know too many 
mappings to determine most of the database.


I'm not trying to make an argument for or against this experiment:
I don't even expect to be in Hiroshima, so it doesn't really 
matter to me one way or the other. However, given that the IETF has
extensive experience in this kind of secure systems design and
in fact has an entire WG (GEOPRIV) devoted to thinking about the
dissemination and privacy of positional information, it seems like
it would be nice to get a little more clarity about the security
of the proposed system.

-Ekr
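The point about card assignment above (a stack of sequentially numbered cards handed out in attendee-list order means a few observed person/card pairs reveal most of the mapping) can be checked with a small model. The following is an added illustration, not code from the thread or from the IETF registration system; the attendee names, the list size, and the two assignment policies are constructed assumptions, and the only value taken from the thread is the sample card number used as a starting serial.

```python
import secrets
from typing import Dict, List

# Constructed attendee list in registration order (hypothetical names, not from the thread).
ATTENDEES: List[str] = [f"attendee-{i:03d}" for i in range(200)]


def assign_sequential(attendees: List[str], first_serial: int) -> Dict[str, int]:
    """Model the weak policy: a stack of cards with consecutive serials handed out in list order."""
    return {name: first_serial + i for i, name in enumerate(attendees)}


def assign_random(attendees: List[str]) -> Dict[str, int]:
    """Model the stronger policy: every card carries an independent random 64-bit identifier."""
    mapping: Dict[str, int] = {}
    used = set()
    for name in attendees:
        card_id = secrets.randbits(64)
        while card_id in used:          # collisions are astronomically unlikely; handle anyway
            card_id = secrets.randbits(64)
        used.add(card_id)
        mapping[name] = card_id
    return mapping


def observe(true_mapping: Dict[str, int], names: List[str]) -> Dict[str, int]:
    """A handful of (person -> card id) pairs learned by seeing specific people's cards being read."""
    return {name: true_mapping[name] for name in names}


def infer_mapping(attendees: List[str], observed: Dict[str, int]) -> Dict[str, int]:
    """Reconstruct the full mapping under the hypothesis 'serials were assigned in list order'.

    Each observation yields a candidate base serial (card id minus list position). If all
    observations agree, the hypothesis holds and every attendee's card id follows; if they
    disagree, the cards were not assigned sequentially and nothing beyond the observed
    pairs is known.
    """
    bases = {card_id - attendees.index(name) for name, card_id in observed.items()}
    if len(bases) != 1:
        return dict(observed)
    base = bases.pop()
    return {name: base + i for i, name in enumerate(attendees)}


def fraction_recovered(true_mapping: Dict[str, int], inferred: Dict[str, int]) -> float:
    """Share of attendees whose card id the inference got right."""
    correct = sum(1 for name, card_id in inferred.items() if true_mapping.get(name) == card_id)
    return correct / len(true_mapping)


if __name__ == "__main__":
    watched = ["attendee-017", "attendee-150"]   # two people seen touching a reader

    seq = assign_sequential(ATTENDEES, first_serial=3478273983421)
    print("sequential:", fraction_recovered(seq, infer_mapping(ATTENDEES, observe(seq, watched))))

    rnd = assign_random(ATTENDEES)
    print("random:    ", fraction_recovered(rnd, infer_mapping(ATTENDEES, observe(rnd, watched))))
```

With sequential issuance two observed pairs are enough to fix the base serial and recover the whole database; with per-card random identifiers the same two observations reveal exactly those two people and nothing more. The design lesson for the registration desk is that the identifier on the card should be unpredictable and the identifier-to-person table kept confidential, which is what the question in the message is asking the organizers to confirm.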


_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
