RFIDs at tech summit

[J.A. Terranson]

Bug devices track officials at summit


By Audrey Hudson
THE WASHINGTON TIMES



    Officials who attended a world Internet and technology summit in
Switzerland last week were unknowingly bugged, said researchers who attended
the forum. 
    Badges assigned to attendees of the World Summit on the Information
Society were affixed with radio-frequency identification chips (RFIDs), said
Alberto Escudero-Pascual, Stephane Koch and George Danezis in a report issued
after the conference ended Friday in Geneva. The badges were handed out to
more than 50 prime ministers, presidents and other high-level officials from
174 countries, including the United States. 
    The trio's report said they were able to obtain the official badges with
fraudulent identification only to be stunned when they found RFID chips . a
contentious issue among privacy advocates in the United States and Europe
. embedded in the tags. 
    Researchers questioned summit officials about the use of the chips and
how long information would be stored but were not given answers. 
    The three-day WSIS forum focused on Internet governance and access,
security, intellectual-property rights and privacy. The United States and
other countries defeated an attempt to place the Internet under supervision
of the United Nations. 
    RFID chips track a person's movement in "real time." U.S. groups have
called for a voluntary moratorium on using the chips in consumer items until
the technology and its effects on privacy and civil liberties are addressed. 
    Mr. Escudero-Pascual is a researcher in computer security and privacy at
the Royal Institute of Technology in Stockholm. Miss Koch is the president of
Internet Society Geneva, and Mr. Danezis studies privacy-enhancing
technologies and computer security at Cambridge University. 
    "During the course of our investigation, we were able to register for the
summit and obtain an official pass by just showing a fake plastic identity
card and being photographed via a Web cam with no other document or
registration number required to obtain the pass," the researchers said. 
    The researchers chose names for the fake identification cards from a list
printed on the summit's Web site of attendees. 
    The hidden chips communicate information via radio frequency when close
to sensors that can be placed anywhere "from vending machines to the entrance
of a specific meeting room, allowing the remote identification and tracking
of participants, or groups of participants, attending the event," the report
said. 
    The photograph of the person and other personal details are not stored on
the chip but in a centralized database that monitors the
movement. Researchers said they are concerned that database will be used for
future events, including the next summit to be hosted by Tunisian
authorities. 
    "During the registration process, we requested information about the
future use of the picture and other information that was taken, and the
built-in functionalities of the seemingly innocent plastic badge. No public
information or privacy policy was available upon our demands that could
indicate the purpose, processing or retention periods for the data
collected. The registration personnel were obviously not properly informed
and trained," the report said. 
    The lack of security procedures violates the Swiss Federal Law on Data
Protection of June 1992, the European Union Data Protection Directive, and
United Nations' guidelines concerning computerized personal-data files
adopted by the General Assembly in 1990, the researchers said. 
    "The big problem is that system also fails to guarantee the promised high
levels of security while introducing the possibility of constant surveillance
of the representatives of civil society, many of whom are critical of certain
governments and regimes," the report said. 
    "Sharing this data with any third party would be putting civil-society
participants at risk, but this threat is made concrete in the context of WSIS
by considering the potential impact of sharing the data collected with the
Tunisian government in charge of organizing the event in 2005," it said. 
    The organization Reporters Without Borders was banned from attending the
summit and launched a pirate radio broadcast to protest the ban and detail
press-freedom violations by some countries attending the meetings, including
Tunisia. 
    "Our organization defends freedom of expression on the Internet on a
daily basis. Our voice should therefore be heard during this event, despite
this outrageous ban," said Robert Menard, secretary general of Reporters
Without Borders. 
    Tunisia is among several countries Reporters Without Borders has accused
of censoring the Internet, intercepting e-mails and jailing cyber-dissidents.