Privacy Research In the RFID Ecosystem Project Evan Welbourne joint work with Magdalena Balazinska, Gaetano Borriello, Tadayoshi.

Presentation transcript:

Privacy Research In the RFID Ecosystem Project
Evan Welbourne, joint work with Magdalena Balazinska, Gaetano Borriello, Tadayoshi Kohno, Dan Suciu, Nodira Khoussainova, Karl Koscher, Travis Kriplean, Julie Letchner, Vibhor Rastogi
University of Washington, Dept. of Computer Science & Engineering
RFID CUSP Workshop, Johns Hopkins University, Baltimore, January 24, 2008

Defining Security & Privacy
- Security: Protection against unauthorized access, use, disclosure, disruption, modification, or destruction
- Privacy: Privacy in the collection and sharing of data
- Roughly two areas of concern:
  1) Security of reader-tag communication (rigorously defined and evaluated)
  2) Security and privacy of collected RFID data (definition and evaluation depend on human perception/interpretation)

Outline
- Overview of the RFID Ecosystem
- Organize privacy concerns
- Recent focus: Peer-to-Peer privacy
  - Designing a default policy
  - Implementing the policy
  - Extensions for probabilistic data
  - Techniques for detecting and preventing violations

Today: Outside the Supply Chain
- Subpoenas for EZ-Pass data
- Insecurities in first version of e-Passport
- Insecurities in first-generation RFID credit cards
- Cloning RFID access control badge
- Dutch transit card hack

Tomorrow: User-Centered RFID Systems
- User-centered, pervasive RFID applications
  - "How do I know if I am wearing a tag?"
  - "How do I know who can see me?"
  - "How can I control who can see me?"
  - "Who owns the data? Can I remove/edit my data?"
  - "What is the lifetime of the data?"

From the Lab to the Real World
[Figure: Laboratory → Everyday Life]

RFID Ecosystem at UW CSE
- Create a microcosm of a world saturated with uniquely identifiable objects
  - 100s of readers and antennas, 1000s of tags
- Explore applications, systems, and social implications
- Do it while there is still time to learn and adapt
- Groups: Database, Security, Ubicomp, and others
- Participants include: Magdalena Balazinska, Yang Li, Nodira Khoussainova, Julie Letchner, Gaetano Borriello, Dan Suciu, Karl Koscher, Vibhor Rastogi, Tadayoshi Kohno, Travis Kriplean, Evan Welbourne, and 14 undergraduate researchers over the past 2 years

RFID Ecosystem Video
[Show First RFID Ecosystem Demo Video]

RFID Ecosystem at UW CSE

Outline
- Overview of the RFID Ecosystem
- Organize privacy concerns
- Recent focus: Peer-to-Peer privacy [Kriplean, Rastogi, Welbourne and others]
  - Designing a default policy
  - Implementing the policy
  - Extensions for probabilistic data
  - Techniques for detecting and preventing violations

Organizing Privacy Concerns
- Modes of information disclosure:
  - Institutional
    - Organization collects, uses, and shares personal data
    - Addressed by contracts, federal law, corporate practice (e.g. FIPs)
  - Peer-to-Peer or "Mediated"
    - Peers and superiors access data through some authorized channel
    - Mediated by access control policies
  - Malicious
    - Personal data is compromised by unauthorized parties
    - Addressed by secure systems engineering


A Key Problem in Peer-to-Peer Privacy
- The Panopticon
- Key problem: asymmetric visibility
Image credit: Prison building at Presidio Modelo, Isla de Juventud, Cuba (Wikipedia)

A Key Problem in Peer-to-Peer Privacy
- Privacy vs. Utility:
  - What information to disclose by default?
  - Who to disclose information to by default?
  - How to support applications and preserve privacy?
  - How to detect and prevent violations?
Image: Paul G. Allen Center for Computer Science & Engineering, Seattle, WA

Default Policy: Physical Access Control
- "Socially appropriate access control" - Kriplean
- Concept:
  - Each user has a personal data store (or personal view of the data)
  - Store contains events that occurred when and where the user was physically present
- Requirements:
  - Each user carries a personal tag
  - Line-of-sight information between each pair of antennas is known and static
- Key points:
  - Provides symmetric visibility
  - Models sense of sight
  - Enables applications which augment the user's memory

[Figure: a user's personal data store, a list of (sighting, timestamp) entries, shown at Time: 0]

Implementing PAC with RFID
- Tag Read Event (TRE): (tag id, antenna id, timestamp)
- Mutual Visibility: when 2 TREs instantaneously share an unobstructed line-of-sight
- Practical Definition of Mutual Visibility:
  1) TREs occur within some time window Δ of each other
  2a) TREs are read by the same antenna, or
  2b) The reading antennas are considered mutually visible
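The practical mutual-visibility rule above, turned into a personal data store computation. This is an added example, not code from the RFID Ecosystem project; the TREs and the antenna line-of-sight table are constructed sample data.

```python
"""Physical Access Control (PAC) over RFID tag read events (TREs).

Added example, not code from the RFID Ecosystem project. The TREs and the
antenna line-of-sight table below are constructed sample data.
"""
from collections import namedtuple

# TRE = (tag id, antenna id, timestamp in seconds), as on the slide.
TRE = namedtuple("TRE", ["tag", "antenna", "ts"])

# Constructed, static line-of-sight table: antenna pairs treated as
# mutually visible (rule 2b). Same antenna is handled by rule 2a.
MUTUALLY_VISIBLE_ANTENNAS = {frozenset({"A1", "A2"})}


def antennas_visible(a, b):
    """Rule 2a (same antenna) or rule 2b (known line-of-sight pair)."""
    return a == b or frozenset({a, b}) in MUTUALLY_VISIBLE_ANTENNAS


def mutually_visible(t1, t2, delta=1.0):
    """Practical definition: within delta seconds of each other (rule 1)
    and read by visible antennas (rule 2). Symmetric in t1 and t2."""
    return abs(t1.ts - t2.ts) <= delta and antennas_visible(t1.antenna, t2.antenna)


def personal_data_store(user_tag, tres, delta=1.0):
    """The user's personal view: every other tag's TRE that is mutually
    visible with at least one TRE of the user's own personal tag."""
    own = [t for t in tres if t.tag == user_tag]
    return {t for t in tres
            if t.tag != user_tag and any(mutually_visible(t, o, delta) for o in own)}


def visible_tags(user_tag, tres, delta=1.0):
    """Tag ids the user could have seen (what a 'who was with me' query returns)."""
    return {t.tag for t in personal_data_store(user_tag, tres, delta)}


# Constructed sample TREs: Alice is read at antenna A1 at t=10.
SAMPLE_TRES = [
    TRE("alice", "A1", 10.0),
    TRE("bob", "A1", 10.4),    # same antenna, 0.4 s apart -> visible
    TRE("carol", "A2", 10.8),  # line-of-sight antenna, 0.8 s apart -> visible
    TRE("dave", "A3", 10.2),   # A3 has no line of sight to A1 -> hidden
    TRE("erin", "A1", 12.5),   # same antenna but 2.5 s later -> hidden
]

if __name__ == "__main__":
    print(sorted(visible_tags("alice", SAMPLE_TRES)))  # ['bob', 'carol']
```

Because mutual visibility is symmetric, Bob's store contains Alice exactly when Alice's store contains Bob, which is the symmetric-visibility property the default policy promises.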

Challenge: Inaccurate Model
- Some problems with the model:
  - 360° vision
  - Perfect observations in complex/crowded situations
  - Perfect, everlasting memory
- The second two could be dealt with…

Challenge: Imperfect Deployment
- The physics of a real RFID deployment may not match up
  - Antenna read-range may not be clearly defined
- In our deployment it works out… [Kriplean, Welbourne, et al. 2007]
  - Microbenchmarks: Δ = 1 sec, mv = geometry; colocations per second
  - Few false positives
  - Most colocations detected
- But RFID is noisy and uncertain
  - Data is really probabilistic!

Challenge: Uncertain Data
[Figure: floor plan with question marks at Alice's possible locations; legend: - antenna, - Alice]
- Uncertainty in data: Where did Alice go?
- Each possible location is assigned a probability

Assigning Probabilities: Particle Filter [Letchner, Balazinska]
- [Particle Filter Movie]
- Assigns a probability to each location
- Incorporates prior knowledge:
  - Sensor model
  - Motion model
  - Past behavior

(Re)defining PAC: Data Perturbation [Rastogi, Suciu]
- Let Pr(context) = p_c
- Let Pr(secret) = p_s
- Semantics:
  - p_c = 1 → reveal p_s
  - p_c = 0 → deny query
  - 0 < p_c < 1 → then what??
- Reveal partial information in uncertain context
  - Perturb: p'_s = p_s + noise(p_c)
  - Return p'_s instead of p_s
- Compromises soundness
  - Answers returned may be wrong
  - Justifiable as the system is itself uncertain!
  - Degree of confidence in the answer is also returned

Noise Function [Rastogi, Suciu]
[Figure: plot of noise(p_c) with -0.5 <= noise(p_c) <= 0.5; axis labels p_c = 0 and p_c = 0.5]
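The deny / reveal / perturb semantics of the two preceding slides, as an added example that is not the project's code. The page only fixes the bound -0.5 <= noise(p_c) <= 0.5; the choice of a noise bound that shrinks linearly as p_c grows, and of p_c itself as the returned confidence, are assumptions made here.

```python
"""PAC query answers over uncertain (probabilistic) RFID data.

Added example, not code from the RFID Ecosystem project. p_c is the
probability that the querying user's context authorizes the query (e.g.
that they were co-located with the target), p_s the secret probability the
query asks about. The page only fixes -0.5 <= noise(p_c) <= 0.5; the linear
shrinking of the noise bound with p_c below is an assumption.
"""
import random


def noise_bound(p_c):
    """Assumed shape: +/-0.5 (answer is uninformative) when context is
    absent, shrinking linearly to 0 when context is certain."""
    return 0.5 * (1.0 - p_c)


def noise(p_c, rng):
    """Uniform noise within the bound, so -0.5 <= noise <= 0.5 always holds."""
    b = noise_bound(p_c)
    return rng.uniform(-b, b)


def answer_query(p_s, p_c, rng=None):
    """Slide semantics: p_c = 1 -> reveal p_s; p_c = 0 -> deny (None);
    otherwise return the perturbed p'_s = p_s + noise(p_c) together with
    the degree of confidence in the answer (assumed here to be p_c)."""
    if not (0.0 <= p_s <= 1.0 and 0.0 <= p_c <= 1.0):
        raise ValueError("p_s and p_c must be probabilities")
    if p_c == 0.0:
        return None
    if p_c == 1.0:
        return (p_s, 1.0)
    rng = rng if rng is not None else random.Random()
    # Clamp so the (possibly wrong) answer is still a valid probability.
    perturbed = min(1.0, max(0.0, p_s + noise(p_c, rng)))
    return (perturbed, p_c)


if __name__ == "__main__":
    rng = random.Random(42)  # seeded so the demo is reproducible
    print(answer_query(0.7, 0.0))       # None: no context, query denied
    print(answer_query(0.7, 1.0))       # (0.7, 1.0): certain context, exact answer
    print(answer_query(0.7, 0.5, rng))  # perturbed answer within 0.7 +/- 0.25
```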

Challenge: "Misplaced Tags"
- Ex: Alice slips her personal tag into Bob's briefcase
- Ex: Bob tapes his tag to Alice's office door
- Detection methods:
  - Detect / report / investigate anomalous behavior:
    - Two users suddenly together everywhere
    - User stays in one place for an unusually long time
  - "Calm" reports of another user's presence
  - Ambient display shows how many users are present
- Prevention methods:
  - Require "personal tag" to be present in order to make a query
  - Add value to "personal tag", e.g. use a phone instead of a tag

Some Extensions
- User-level controls:
  - Authorize access using other context (e.g. during a scheduled meeting)
  - Access control with shared social knowledge: Facebook plugin [Toomim]
  - An economic model for pricing queries
- Other policies:
  - Authorize access using other context (e.g. during a scheduled meeting)
  - Access according to user settings
- Prevention:
  - "Proactive privacy" – device teaches users about their privacy settings

Thank you! Thanks! Questions?