<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CIPP Guide &#187; Information Security</title>
	<atom:link href="http://www.cippguide.org/category/information-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cippguide.org</link>
	<description>Your Guide to the CIPP</description>
	<lastBuildDate>Tue, 27 Jul 2010 12:00:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>RFID Technology</title>
		<link>http://www.cippguide.org/2010/07/27/rfid-technology/</link>
		<comments>http://www.cippguide.org/2010/07/27/rfid-technology/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 12:00:26 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[CIPP/C]]></category>
		<category><![CDATA[CSA]]></category>
		<category><![CDATA[CSA Model Code]]></category>
		<category><![CDATA[Office of the Privacy Commissioner]]></category>
		<category><![CDATA[OPC]]></category>
		<category><![CDATA[PIPEDA]]></category>
		<category><![CDATA[Public Interest Advocacy Center]]></category>
		<category><![CDATA[RFID]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.cippguide.com/?p=1937</guid>
		<description><![CDATA[In recent years, RFID (radio frequency identification) has caught the attention of privacy watchdogs, civil organizations and the general public. Its ability to identify and track items as well as individuals raises a number of privacy and security concerns, while the potential for integration into numerous contexts has increased with the development of technology. Discussion and integration of RFID in the workplace, retail situations and other environments should be informed by a number of privacy-respecting practices that will be explored in this [...]]]></description>
			<content:encoded><![CDATA[<p>In recent years, RFID (<a href="http://www.cippguide.org/tag/RFID/">radio frequency identification</a>) has caught the attention of privacy watchdogs, civil organizations and the general public. Its ability to identify and track items as well as individuals raises a number of privacy and security concerns, while the potential for integration into numerous contexts has increased with the development of technology. Discussion and integration of RFID in the workplace, retail situations and other environments should be informed by a number of privacy-respecting practices that will be explored in this article.</p>
<h2>What is RFID?</h2>
<p>RFID is a term for a group of technologies that enable machines to identify objects. This may include bar codes, smart cards, optical character readers, biometric technologies and more. RFID uses radio waves to identify items. Its first application was the identification of aircraft during WWII. Since then, developments in technology have reduced the cost and increased the potential applications of RFID technology. The automatic identification offered by RFID is attractive to many organizations and retail stores, as it reduces the time and labor needed to input data manually and improves data accuracy.</p>
<p>There are three components in an RFID system:</p>
<ol>
<li><strong>Tag</strong>: this is usually made up of a microchip unit, antenna and encapsulating material. Microchips can store up to two kB of data. This may be information about a certain product, such as its destination or sell-by date. An RFID system may include multiple tags.</li>
</ol>
<p>Tags are also referred to as transponders. They can be read-only or read-write tags. “Read-only” means that the information on the tags cannot be changed in any way. Read-write tags can have the information modified or erased multiple times. Since they offer greater functionality, their price is much higher than read-only tags.</p>
<ol>
<li><strong>Reader</strong>: this is a device that has at least one antenna to communicate with the RFID tag. It emits radio waves and receives signals back from the tag. The reader passes digital information to a computer system. Readers are also known as interrogators. They can be portable, handheld devices or fixed terminals positioned in strategic places, such as loading bays or doorways.</li>
<li><strong>Infrastructure</strong>: this includes the necessary hardware and software for supporting the RFID system. The RFID software translates the data from the tag into the information about the goods and orders. This information is transmitted into other databases and applications for processing.</li>
</ol>
<h2>How can RFID be used?</h2>
<p>RFID technology has and will be applied in a variety of public and private sector organizations. Uses include:</p>
<ul>
<li>Product Integrity – to ensure that products are authentic and untampered with</li>
<li>Supply Chain Management – to monitor and control the flow of goods through the supply chain (i.e. from raw material to finished product to consumer)</li>
<li>Warranty Services – goods with tags incorporated into the materials, in order to facilitate warranty services</li>
<li>ID, Travel &amp; Ticketing – to verify the identity of the traveller; to ensure that travel documents are genuine</li>
<li>Baggage Tracking – to monitor and control the movement of baggage (e.g. from check-in to loading)</li>
<li>Patient Care &amp; Management – to rapidly, accurately verify patient information (e.g. allergies, prescription, health history, etc.)</li>
</ul>
<h2>Privacy Issues</h2>
<p>According to the Canadian <a href="http://www.piac.ca/">PIAC</a> (Public Interest Advocacy Center), RFID technology presents a challenge to Canadian privacy legislation. The basic surveillance capabilities of RFID are unlikely to violate privacy, though the <a href="http://www.cippguide.com/2010/06/10/personal-information-protection-and-electronic-documents-act-pipeda/" target="_blank">PIPEDA</a> significantly limits the use of RFID for consumer surveillance purposes.</p>
<p>However, later <a href="http://www.cippguide.org/tag/OPC/">Office of the Privacy Commissioner of Canada</a> (OPC) <a href="http://www.priv.gc.ca/information/consultations/2010/rep_rfid_1003_e.cfm">research</a> indicated that there were significant concerns regarding the use of RFID in the workplace. Through a number of public consultations, the OPC was able to establish the perspectives of academics, RFID vendors, industry groups and private citizens. Numerous privacy threats were identified:</p>
<p>Repeated collection of information</p>
<ul>
<li>Since RFID tags are very small, they can easily be embedded on/in objects or documents without the individual’s knowledge. It is possible to read RFID tags through fabric, plastic and other materials, as radio waves are not restricted to line of sight. Tags can also be read from a distance. These factors make it impossible for individuals to know if or when they are being scanned.</li>
</ul>
<p>Tracking Movements</p>
<ul>
<li>If there is a sufficient network of RFID readers, the tags can be tracked in time and space. This is possible through a combination of GPS (Global Positioning Systems) and RFID technologies.</li>
</ul>
<p><a href="http://www.cippguide.org/tag/pass-id/">Profiling Individuals</a></p>
<ul>
<li>RFID technology means that each object has its own unique identification. This contrasts bar code technology, which gives the same identification to all similar objects (e.g. in a grocery store, all orange juice cartons of the same brand have the same bar code). If unique identifiers are associated with individuals, then profiles of purchasing habits can be compiled.</li>
</ul>
<p>Secondary Use</p>
<ul>
<li>Creating profiles and tracking individual movement can be linked to other information which the individual may not want revealed.</li>
</ul>
<p><a href="http://www.cippguide.org/2009/02/05/finlands-fingerprinting-fiasco-centralized-private-records-database-accessible-by-police/">Massive Data Aggregation</a></p>
<ul>
<li>RFID records may be linked with personally identifying data, which may facilitate any of the other privacy threats listed previously.</li>
</ul>
<h2>OPC Responses</h2>
<p>The OPC recommends that the ten principles of the <a href="http://www.cippguide.com/2010/06/29/csa-model-code/" target="_blank">CSA Model Code</a>, as well as PIPEDA, form the basis for an RFID privacy management framework. OPC research responds to each of the ten CSA principles, with respect to RFID technologies:</p>
<ol>
<li>Accountability – Who has access to and who is accountable for the data generated by RFID systems, as well as other data collection systems in the workplace?</li>
<li>Identifying Purposes – RFID systems that are used for legitimate business purposes (e.g. supply chain management) are more likely to be supported than RFID systems used for secondary purposes or surveillance (e.g. employee surveillance, workforce management). The OPC identified that industry standards, policies or guidelines can help to ensure that the data collected through these systems are used and disclosed for identified purposes.</li>
<li>Consent – Meaningful consent must be secured before an RFID system is implemented. However, there is the challenge of securing meaningful and completely voluntary consent in a workplace setting.</li>
<li>Limiting Collection – Reasonable expectations of privacy must be balanced with reasonable management of RFID systems. While reasonable expectations of employees are important, the reasonable management of the RFID system is the employer’s responsibility. This involves the protection of employee privacy.</li>
<li>Limiting Use, Disclosure &amp; Retention – The issue of RFID implants was a significant concern for OPC and other groups who were consulted, as implants present significant privacy and security issues. For instance, employee conduct might be monitored during and after work hours, at lunch, during vacation, and for tracking physical movements and conduct. This may pose a serious security issue.</li>
</ol>
<p>Employers should limit the collection of personally identifiable information, including RFID-related data. Data from RFID systems should not be linked to other databases, unless there is a proven need.</p>
<ol>
<li>Accuracy – It is the responsibility of the employer to ensure that personal information is accurate, complete and up to date for the purposes for which it is to be used. An audit trail might be established and maintained regarding the lifecycle of the RFID data.</li>
<li>Safeguards – RFID systems that contain personal information must be protected in a way that is proportionate to the sensitivity of that information. Employers should be held accountable for any breach of RFID technology. Protecting data in each distinct part of the system is an effective approach to safeguarding employee privacy.</li>
<li>Openness – For instance, hidden tags or readers should not be implemented. Clients, employees and/or unions should be consulted before RFID systems are installed. Tags and readers ought to be in plain sight, never used for covert surveillance.</li>
<li>Individual Access – Individuals (e.g. clients, employees, union leaders) should be guaranteed access to any personally identifiable data generated by RFID systems.</li>
<li>Challenging Compliance – Individuals ought to be able to <a href="http://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/">challenge compliance</a> with other principles. This may be the ability to make inquiries or lodge a complaint if necessary.</li>
</ol>
<p>After examining each principle individually, the OPC stated some guiding applications for the implementation of RFID technology in a way that respects <a href="http://www.cippguide.org/2010/01/18/fair-information-practices-principles/?action=lostpassword&amp;instance=tml-1">Fair Information Practices</a>:</p>
<ul>
<li>If the RFID chip has an individual’s personal information contained on it, then it is defined as a repository of personal information.</li>
<li>If the tag is unique, it can be associated with an individual. The tag becomes a unique identifier for that individual.</li>
<li>Personal information includes information about possessions, purchases or behaviors that can be processed to create a profile.</li>
</ul>
<h3>Summary</h3>
<p>This article provides a brief introduction to RFID (radio frequency identification) technology. It explores some uses of this technology in consumer and work settings. Privacy concerns regarding RFID systems are raised. The article also offers some responses and recommendations made by the Privacy Commissioner of Canada regarding implementation of RFID technology.</p>
<h3>CIPP/C Preparation</h3>
<p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>CSA Model Code for the Protection of Personal Information (II.A.a.i.)</li>
<li>Radio Frequency Identification (RFID) (V.A.a.5.)</li>
<li>Security threats and vulnerabilities (V.A.b.)</li>
<li>Information management (V.c.i.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/07/27/rfid-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISO 27000 Series</title>
		<link>http://www.cippguide.org/2010/07/13/iso-27000-series/</link>
		<comments>http://www.cippguide.org/2010/07/13/iso-27000-series/#comments</comments>
		<pubDate>Tue, 13 Jul 2010 17:00:16 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[27000]]></category>
		<category><![CDATA[27001]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Foundations]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[standards]]></category>

		<guid isPermaLink="false">http://www.cippguide.com/?p=2020</guid>
		<description><![CDATA[The ISO (International Organization for Standards) publishes international standards for the private sector.  The ISO 27000 standards series refers to information security matters. Since October 2005, the ISO has published six of these standards, with controls ranging from managing security systems to problem solving methodology to [...]]]></description>
			<content:encoded><![CDATA[<p>The ISO (<a href="http://www.iso.org/iso/home.html">International Organization for Standards</a>) publishes international standards for the private sector. It is made up of a network of standards institutes in 163 countries that are integrated with government structures in those countries. Standards are developed by specialist expert groups made up of members from business, industry, government, academia, consumer and other relevant groups.</p>
<p>The ISO standards work to facilitate trade; provide a basis for development, production and assessment of products; and to safeguard consumers who use products and services. The ISO produces standards for a wide range of industrial and commercial subjects. This article explores two ISO standards that are especially relevant to privacy professionals.</p>
<h2>ISO 27000 Series &amp; ISMS</h2>
<p>The ISO 27000 standards series refers to information security matters. Since October 2005, the ISO has published six of these standards:</p>
<ul>
<li>ISO 27001: this is a model for creating information security management systems (ISMS).</li>
<li>ISO 27002: this is a code of practices governing information security.</li>
<li>ISO 27003: this focuses on the PDCA (plan-do-check-act) problem solving method for ISMS. It has been proposed, but not yet published.</li>
<li>ISO 27004: this standard guides the development and assessment of ISMS, in alignment with the ISO 27002.</li>
<li>ISO 27005: this soon to be published standard discusses information security risk management.</li>
<li>ISO 27006: this regulates the accreditation of organizations that certify and register ISMS.</li>
</ul>
<p>The ISO 27000 series is closely linked to other standards, including:</p>
<ul>
<li>ISO 17021: this standard discusses the requirements for auditing and certifying management systems of various types. It is closely related to the ISO 27006.</li>
<li>ISO 13335: this discusses the management of information and communications technology security.  It is closely linked to the ISO 27005.</li>
<li>ISO 24760: when it is published, this standard will offer a framework for identity management. It is most related to the ISO 27002.</li>
</ul>
<p>Together, the ISO 27000 series of standards are used to plan, implement, certify and operate an ISMS. An ISMS, or information security management system, is a term unique to the ISO 27000 series. The term refers to a systematic approach for managing an organization’s sensitive information. An ISMS includes people, processes and information systems. Developing an ISMS ensures the following:</p>
<ul>
<li>The organization’s information assets are listed and secured.</li>
<li>Information security risks are managed and mitigated.</li>
<li>The organization’s security policies are implemented.</li>
<li>The organization is regularly assessed to ensure adherence to security measures.</li>
</ul>
<p><a href="http://www.cippguide.com/tag/information-security/">Information security</a> involves three main components: <a href="http://www.cippguide.org/2010/07/15/cia-triad/">confidentiality, integrity and availability</a>. Confidentiality refers to the degree to which information is accessible to authorized individuals only. Integrity refers to the accuracy and completeness of information. Integrity of information also ensures that it is not modified without knowledge and authorization. Availability, or accessibility of information to authorized individuals, is also necessary for information security.</p>
<h2>ISO 27001</h2>
<p>The ISO 27001, formally referred to as “Information Technology – Security Techniques – Information Security Management Systems – Requirements,” was published in October 2005. It replaces the former BS7799-2 standard. The previous standard was created in 1995 by the BSI (British Standards Institute), which helped to ensure that information security measures were effective. The BS7799-2 standard was developed as a technology-neutral and vendor-neutral system. This standard was taken as a Code of Practice, rather than as specific standards.</p>
<p>The standard outlines the specific requirements involved in establishing, implementing, monitoring, reviewing and improving a management system. It does not discuss information security-specific requirements, but offers a framework for management systems in various types of organizations, from commercial enterprises, to public service agencies and non-profit groups. The ISO 27001 uses the OECD principles which govern security of information and other network systems.</p>
<p>The ISO 27001 standard demands that an organization’s management carry out the following:</p>
<ol>
<li>Examine information security risks, paying attention especially to threats, vulnerabilities and impacts.</li>
<li>Develop and implement a complete set of information security controls and other protocols for dealing with risk.</li>
<li>Commit to an overarching management process to ensure that the information security controls adapt and grow with the organization.</li>
</ol>
<p>The ISO 27001 involves a number of PDCA cycles. The PDCA cycle is a statistical process for problem solving. It is applied within improvement programs to ensure that action is effective. The cycle involves:</p>
<ol>
<li>PLAN: identify the problems that are being faced. Brainstorm solutions to these problems.</li>
<li>DO: test problem-solving actions on a limited, experimental scale first. This will ensure that disruptions to regular operations are kept at a minimum.</li>
<li>CHECK: determine if the experimental actions are achieving a desired result. Monitor the quality of output continually to ensure that new problems are identified immediately.</li>
<li>ACT: once experimental actions are deemed effective, the changes should be implemented on a larger scale. This may mean that the new actions are integrated into daily routines and/or expanded to involve other individuals or departments in the organization.</li>
</ol>
<p>In order for an organization to be certified compliant with the ISO 27001, it must go through the following process. Initially, the organization must decide to start the certification process. During this stage, management must commit to the project and delegate responsibilities. Management would then develop and publish an organizational policy regarding the standards certification.</p>
<p>The organization then undertakes a scoping process, in which specific parts of the organization are covered by the ISMS. This determines which locations, assets or technologies will be included in the certification.</p>
<p>After the scoping process, the organization must carry out a risk assessment to identify strengths and means of addressing weaknesses, in terms of risk exposure. As a result, the organization produces a document outlining the method for managing risks. The procedures and policies are then implemented throughout the organization. Auditors from certification or registration bodies then carry out the verification of compliance.</p>
<h2>ISO 27002</h2>
<p>The ISO 27002, formally referred to as “Information Technology – Security Techniques – Code of Practice for Information Security Management,” was published in 2005. The standard is based on the UK standard, BS7799. The ISO 27002 and ISO 27001 are meant to be used together.</p>
<p>The objective of the ISO 27002 standard is to establish requirements and basic principles for implementing or changing an ISMS within an organization. The contents of this standard address the requirements of a risk assessment. It represents more of an advisory document, rather than a standard or formal specification. As such, any organization that adopts the ISO 27002 must identify their own information security risks and create appropriate controls, using the document as a framework.</p>
<p>The standard outlines thirty-nine control objectives that specify functional requirements. These control objectives form a basis for an organization to create principles for its own information security policies. The main sections or categories under which the control objectives fall are as follows:</p>
<ol>
<li><a href="http://www.cippguide.org/2010/07/20/controlling-and-managing-risk/">Risk management</a></li>
<li>Policy</li>
<li>Organization</li>
<li>Asset management</li>
<li>Human resources security</li>
<li>Physical and environmental security</li>
<li>Communications and operations management</li>
<li><a href="http://www.cippguide.org/2010/07/22/access-controls/">Access control</a></li>
<li>Software development</li>
<li>Incident management</li>
<li>Business continuity</li>
<li>Compliance</li>
</ol>
<p>While the ISO 27003 offers some guidance for implementation, a number of critiques regarding the ISO 27002 standard have surfaced since its publication. A few potential areas for revision include:</p>
<ul>
<li>The standard does not adequately address risk assessment. It ought to suggest more risk assessment activities.</li>
<li>The standard does not clearly define what an organization’s security policy should be.</li>
<li>The standard should assist organizations in ensuring business continuity, for instance facilitating recovery or planning to cope with incidents that may arise.</li>
<li>The standard should be more in depth in terms of its section on IT auditing. It may want to cover the value of auditing and improvement.</li>
</ul>
<h2>Increasing Certification</h2>
<p>There are a number of reasons for increasing certification to ISO 27000 series standards. Two important causes are the increase in threats to information and the increase in regulatory and statutory requirements for information protection. Over the past decade, a formal ISMS has come to be seen as a necessity for organizational best practice.</p>
<p>According to international reports, ISO 27001 certifications have steadily been increasing by approximately one thousand organizations per year. Concurrently, global information security threats are becoming more and more visible. These threats target any organization or individual who relies on the use of electronic information. At the same time, personal data may also be at risk of natural disasters, external attack, internal corruption or theft. This has led to increasing demand for compliance from suppliers, business partners and consumers.</p>
<h3>Summary</h3>
<p>This article introduces the ISO 27001 and the ISO 27002 standards. It discusses the ISO 27000 series of standards, which regulate information systems management from a privacy perspective. The ISO 27001 aims to help organizations to improve their ISMS (information security management system) by providing a model for design and implementation. The ISO 27002 lists some guidelines for managing the life cycle of information security within an organization. It comprises a number of control objectives. The article finally discusses the important role of ISO standards in an organizational ISMS context.</p>
<h3>Foundations Exam Preparation</h3>
<p>In preparation for the Certification Foundation exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Business risk management (I.C.a.)</li>
<li>Information security standards (II.A.d.)</li>
<li>Information security management (II.C.a.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/07/13/iso-27000-series/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Elliptic Curve Cryptography &#8211; a small chink in the armor</title>
		<link>http://www.cippguide.org/2009/08/20/elliptic-curve-cryptography-a-small-chink-in-the-armor/</link>
		<comments>http://www.cippguide.org/2009/08/20/elliptic-curve-cryptography-a-small-chink-in-the-armor/#comments</comments>
		<pubDate>Thu, 20 Aug 2009 12:00:20 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[brute force attack]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[ECC]]></category>
		<category><![CDATA[Ecole Polytechnique Federale]]></category>
		<category><![CDATA[elliptic curve]]></category>
		<category><![CDATA[EPFL]]></category>
		<category><![CDATA[Playstation 3]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=915</guid>
		<description><![CDATA[Swiss Researchers unveiled last month they successfully cracked Elliptic Curve Cryptography (ECCp-112), using 200 Playstation 3s.  The experiment took one year, but could be done in as little as 3 months.  This has implications in security and privacy planning, as the amount and cost of equipment needed to break encryption continues to [...]]]></description>
<content:encoded><![CDATA[<p>Elliptic Curve Cryptography (ECC) was the shining star&#8230; the Holy Grail of crypto.  It doesn&#8217;t take much processing time to calculate keys or much memory to store information.  It is fast and works well in mobile devices.  The key material itself is small.  And it is strong.  Or at least it was.  Researchers at the <a rel="external" href="http://www.epfl.ch/index.en.html" target="_blank">École Polytechnique Fédérale</a> (EPFL) in Lausanne, Switzerland, <a title="Swiss researchers use Playstation 3s to break elliptic curve cryptography" href="http://lacal.epfl.ch/page81774.html" target="_blank">cracked the 112-bit encryption based on elliptic curves (ECCp-112)</a>.</p>
<div class="wp-caption alignright" style="width: 370px"><a href="http://www.h-online.com/images/113753/0/1"><img class="  " title="Playstation 3 cluster - Source: lacal.epfl.ch" src="http://www.h-online.com/images/113753/0/1" alt="The PlayStation 3 cluster at the École Polytechnique Fédérale used in breaking 112bit Elliptic Curve Cryptography" width="360" height="270" /></a><p class="wp-caption-text">The PlayStation 3 cluster at the École Polytechnique Fédérale used in breaking 112bit Elliptic Curve Cryptography</p></div>
<p>A so-called NP-hard problem, <a title="Wikipedia - Elliptic Curve Cryptography" href="http://en.wikipedia.org/wiki/Elliptic_curve_cryptography" target="_blank">elliptic curve cryptography</a> is based on the Discrete Logarithm Problem (DLP), or the ease of calculating the next value of a curve over a finite field.  Essentially, it&#8217;s easy to calculate the next value, but very hard to find the previous one.  ECC is a type of public key crypto, and the DLP problem it is based on is the same mathematical issue used in RSA cryptography.</p>
<p>While this is a so-called brute force attack, in which a computer tries all 2<span style="font-size: smaller;"><sup>60</sup></span> key combinations to break the encryption, it still demonstrates that the processing power to perform this sort of attack is available, and not far from accessible.  The researchers used a bank of 200 Playstation 3s over one year, but estimate the computations would have taken only 3 months with the optimizations they made throughout the experiment.  As Moore&#8217;s Law dictates that computing power doubles every 18 months, cryptographic methods must keep pace.  The weakest ECC standard currently used is 160 bits, which is 1 million times stronger in terms of complexity than that broken by the Swiss researchers.  By 2010, the <a title="Wikipedia - NIST" href="http://en.wikipedia.org/wiki/NIST" target="_blank">National Institute of Standards and Technology</a>, the governing body for cryptography, will replace the 160 bit version with a higher strength, 224 bit version.</p>
<h3><strong><em>CIPP Candidate Preparation</em></strong></h3>
<p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>Information Security (Foundations: II.C) including: Encryption (data-at-rest) and Threats &amp; Vulnerabilities</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/08/20/elliptic-curve-cryptography-a-small-chink-in-the-armor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security vs. Privacy in France &#8211; Part 3</title>
		<link>http://www.cippguide.org/2009/08/03/security-vs-privacy-in-france-part-3/</link>
		<comments>http://www.cippguide.org/2009/08/03/security-vs-privacy-in-france-part-3/#comments</comments>
		<pubDate>Mon, 03 Aug 2009 13:00:02 +0000</pubDate>
		<dc:creator>Shal</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[CNIL]]></category>
		<category><![CDATA[CNRS]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[data protection agency]]></category>
		<category><![CDATA[Edwige]]></category>
		<category><![CDATA[EURECOM]]></category>
		<category><![CDATA[Facial Recognition]]></category>
		<category><![CDATA[France]]></category>
		<category><![CDATA[internetactu.net]]></category>
		<category><![CDATA[IRIS]]></category>
		<category><![CDATA[Isabelle Falque-Pierrotin]]></category>
		<category><![CDATA[Jean-Luc Dugelay]]></category>
		<category><![CDATA[Jean-Marc Manach]]></category>
		<category><![CDATA[Meryem Marzouki]]></category>
		<category><![CDATA[RFID]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Stéphanie Lacour]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=893</guid>
		<description><![CDATA[French citizens are beginning to weigh sacrificing the privacy held so dearly in the name of security.  After listening to a round table forum with several well known French privacy advocates and security researchers, Shal realized that not getting the debate translated, at least in part, into other languages would be very unfortunate.
The participants tackle the deployment of cameras over Paris, face recognition, RFID usage  etc.  This is part 3 of the [...]]]></description>
			<content:encoded><![CDATA[<p>This is part 3 of the discussion &#8220;Sécurité ou Vie Privée ?&#8221; <em>(ed: Security or Private Life)</em> moderated by Mathieu Vidard (MV).  Part 1 and Part 2 may be found <a title="Security vs. Privacy in France - Part 1" href="../2009/07/21/security-vs-privacy-in-france-part-1/" target="_blank">here</a> and <a title="Security vs. Privacy in France - Part 2" href="http://www.cippguide.org/2009/07/27/security-vs-privacy-in-france-part-2/" target="_blank">here</a>.</p>
<p><strong>MV &#8211; </strong>Sir, did you have a question?</p>
<p><strong>Man</strong> &#8211; What I would like to touch on is not really a question but a topic: human traceability inside Paris. It would be related to automated identification with RFID and biometrics.</p>
<p><strong>MV &#8211; SL</strong>, isn&#8217;t it a topic you&#8217;re interested in?</p>
<p><strong>SL &#8211; </strong>Indeed, this matters a lot to me. This kind of device, like an RFID chip in a biometric passport, comes from security needs. Since the 2001 attacks, it&#8217;s clearly all about protecting our countries from international terrorism, so security measures are strengthened, particularly concerning our IDs and at the borders. Does curtailing our privacy guarantee our safety? There are very generic answers, clever surveys from philosophers, etc. about this issue. I&#8217;m not getting further into it, but basically what we encounter very quickly is that these devices that are supposed to bring us safety are producing security risks. For instance, this is especially flagrant with RFID chips within passports. There are endless security issues, which means we don&#8217;t know how to secure these electronic devices properly. These issues exist because of lots of technical reasons and economic reasons as well. The technology is not mature enough presently to offer a satisfying result. On this point, we could accept the situation, as travel documents have never really been fully secure, even when it was only about a piece of paper. Convincing oneself of this would just require checking how often the formats of such documents are renewed to add further security features. In the current configuration, we are forcing the introduction of a device which encompasses vulnerabilities and we don&#8217;t necessarily look for how to fix them, because these agreements about adding RFID chips to passports are agreements made at an international level and the United States of America was not insisting on a satisfying level of security. Another reason is that adequate investments in cryptology were not accepted. Such investment would have enabled securing these passports, or securing them further anyway. All this might look circumstantial, but the truth is that offering security measures at the expense of security itself is still annoying.</p>
<p><strong>Woman</strong> &#8211; Excuse-me, just a short question&#8230; What exactly do you call vulnerability?</p>
<p><strong>SL &#8211; </strong>Well, I&#8217;m going to give you a basic example with regard to passports: two or three months ago, Elvis Presley crossed the Netherlands border.</p>
<p><strong>JMM &#8211; </strong>I have another instance: two years ago, computer scientists created a bomb prototype which explodes exclusively near American passports. If you&#8217;re American and you&#8217;ve got the passport, the bomb explodes; if you&#8217;re not and you don&#8217;t own such a passport, nothing happens.</p>
<p><strong>MV &#8211; </strong>IFP, what about RFID chips as we&#8217;re referring to them in the frame of Paris, as our guest was probably thinking of the Navigo pass and the occasions we have of using it?  What does the CNIL say about the data which are embedded in these chips?</p>
<p><strong>IFP &#8211; </strong>Before talking about RFID I would just like to react in relation to the passports and to confirm that all the discussions we have about them are not national. Of course, some standardization decisions were taken at the international level and France had to take part in these discussions and to adapt its own travel documents. We made choices which are more maximalist than the ones made on the international scene, which is absolutely true, but every country is heading towards this kind of travel document. On the other hand, in response to <strong>SL</strong>, I would like to mention that the market is not only driven by the state. There is a global market, there is a market of fear, and technologies are there to respond to this market. All of us (individuals, states, companies) are accomplices of this market. Here is an example: the CNIL was recently seized about an organization taking care of disabled seniors with extremely reduced mobility. There is a bus picking up these people and some of them get lost because of being disoriented. Their families asked us about providing them with electronic tagging, instead of employing someone who would make sure each individual gets off the bus exactly at the place where he or she is supposed to. As things are kept simple this way, without worries, we would be automatically warned each time something went wrong, each time someone accidentally left a perimeter of movement. We must realize that all of us are sustaining this market one way or another from our different fears. As a result, if in our opinion this market is too broad, we all (and the state particularly) have to assess our real needs about RFID.</p>
<p><strong> MV </strong>- At the local level&#8230;</p>
<p><strong>IFP</strong> &#8211; At the local level, of course, the CNIL is extremely vigilant about this new technology allowing smart labeling. We might find it anywhere. Theoretically, it would allow any item to communicate with you. You are in the street, you walk past a poster and this poster sends a message to your phone asking you if you&#8217;d like to receive an advertisement, or you walk past a shop, a chain store, you receive a short message and you might be interested in opting in for some services since you might get a discount in this shop&#8230; These technologies are obviously attractive to the general public. The CNIL doesn&#8217;t have a general solution for RFID but case-by-case answers depending on the variety of existing applications.</p>
<p><strong>MV </strong>&#8211; Fine! We are about to see what is linked to citizen rights with <strong>SL</strong> concerning personal data in these chips. <strong>JMM</strong>, you had a reaction to share before moving forward with the next question?</p>
<p><strong>JMM -</strong> About traceability at the level of Paris, there are cameras but they are not &#8220;smart&#8221; currently, not in the public area at least. They are not paired with software capable of individual identification. But the RATP (Autonomous Operator of Parisian Transports) also has cameras within its realm, including on buses, that are connected to a face recognition system which is officially not activated yet. When will they activate it? Will they activate it? I don&#8217;t know. Anyway, you were referring earlier to the state of the art in terms of biometric recognition with video surveillance. It is not perfect yet. There are still many failures but many researchers are working on it. The other issue is the RFID chip contained in the Navigo pass, which was imposed on everybody without any explanation. As a journalist, I was wondering why and I never received any answer. Nobody is telling why it was enforced. The Navigo pass stores the last three journeys you have made. The data are deleted after 48 hours or 24 hours, whereas the CNIL permits keeping them for 3 days at most. Each time the CNIL asks for some data on behalf of the police, the RATP needs an approval from a rogatory commission. The time needed to transfer this approval lets the data be deleted. Therefore, officially the RATP cannot reply positively to any police request. Today the infrastructure exists and it is all about making decisions for more traceability: keeping the data longer, activating the smart video surveillance systems and transforming the public RATP area into an even more totalitarian sphere. I say it is just about making decisions because the FNEG (National DNA File) was originally created for fighting multi-recidivist sexual criminals and paedophiles, highly violent people. In a few years, this file was extended to nearly all crimes and offences. I believe that there are presently 125 or 135 crimes or offences which are covered by the FNEG. So a few years are enough for extending something dedicated to multi-recidivist criminals to the entire population. Maybe a particularly odious crime in the RATP area would trigger the activation of the smart video surveillance system and the traceability of anybody. It&#8217;s perhaps a political decision which might come from a news item and it depends also on the business. It&#8217;s a bit expensive. The technology is already inside the RATP anyway.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/08/03/security-vs-privacy-in-france-part-3/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security vs. Privacy in France &#8211; Part 2</title>
		<link>http://www.cippguide.org/2009/07/27/security-vs-privacy-in-france-part-2/</link>
		<comments>http://www.cippguide.org/2009/07/27/security-vs-privacy-in-france-part-2/#comments</comments>
		<pubDate>Mon, 27 Jul 2009 14:02:19 +0000</pubDate>
		<dc:creator>Shal</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[CNIL]]></category>
		<category><![CDATA[CNRS]]></category>
		<category><![CDATA[data protection agency]]></category>
		<category><![CDATA[Edwige]]></category>
		<category><![CDATA[EURECOM]]></category>
		<category><![CDATA[Facial Recognition]]></category>
		<category><![CDATA[France]]></category>
		<category><![CDATA[internetactu.net]]></category>
		<category><![CDATA[IRIS]]></category>
		<category><![CDATA[Isabelle Falque-Pierrotin]]></category>
		<category><![CDATA[Jean-Luc Dugelay]]></category>
		<category><![CDATA[Jean-Marc Manach]]></category>
		<category><![CDATA[Meryem Marzouki]]></category>
		<category><![CDATA[RFID]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Stéphanie Lacour]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=877</guid>
		<description><![CDATA[French citizens are beginning to weigh sacrificing the privacy held so dearly in the name of security.  After listening to a round table forum with several well known French privacy advocates and security researchers, Shal realized that not getting the debate translated, at least in part, into other languages would be very unfortunate.
The participants tackle the deployment of cameras over Paris, face recognition, RFID usage  etc.  This is part 2 of the [...]]]></description>
			<content:encoded><![CDATA[<p>This is part 2 of the discussion &#8220;Sécurité ou Vie Privée ?&#8221; <em>(ed: Security or Private Life)</em> moderated by Mathieu Vidard (MV).  Part 1 may be found <a title="Security vs. Privacy in France - Part 1" href="http://www.cippguide.org/2009/07/21/security-vs-privacy-in-france-part-1/" target="_blank">here</a>.</p>
<p>Guests :<br />
<a href="http://www.cnil.fr/index.php?id=4" target="_blank">Isabelle Falque-Pierrotin</a> (IFP) &#8211; Vice-president of the French Data Protection Authority (CNIL)<br />
<a href="http://www.linkedin.com/pub/stephanie-lacour/4/55a/653" target="_blank">Stéphanie Lacour</a> (SL) &#8211; CNRS researcher<br />
<a href="http://www.cnil.fr/conference2001/fr/biographie/marzouki_bio.html" target="_blank">Meryem Marzouki</a> (MM) &#8211; CNRS researcher<br />
<a href="http://www.eurecom.fr/%7Edugelay/" target="_blank">Jean-Luc Dugelay</a> (JLD) &#8211; EURECOM researcher<br />
<a href="http://jean-marc.manach.net/" target="_blank">Jean-Marc Manach</a> (JMM) - <a href="http://internetactu.net/" target="_blank">internetactu.net</a></p>
<p><strong>MV &#8211; </strong>Are there topics you are particularly interested in, since the scope is extremely large?</p>
<p><strong>Woman in audience </strong>&#8211; I would like to know about the &#8220;1000 cameras in Paris&#8221; project (actually concerning 1226 cameras in Paris, installed in addition to the ones already deployed today).<br />
Is it possible for the CNIL to refer the issue to itself and call on the government and the Paris Town Hall? We know the latter approved the project, which is very expensive and poorly effective. At least, this kind of information circulates at the League of Human Rights. Furthermore, do we have figures about the financial fallout for companies offering these technologies, not only the political benefits but also the economic benefits for all these companies?</p>
<p><strong>MV &#8211; </strong>So IFP, on behalf of the CNIL:</p>
<p><strong>IFP &#8211; </strong>Indeed these surveillance devices are multiplying rapidly (as the CNIL&#8217;s referral statistics confirm). The CNIL is only competent for a subset of them: those located in private areas (in this case, probably not those pointed out), or those using biometrics and processing techniques that justify the CNIL&#8217;s intervention. Regarding surveillance devices on public thoroughfares, the law of 1995 states that a prefectural authorization is required to set up the devices, which makes the overall legal architecture quite opaque in the eyes of citizens. As many of them direct their apprehensions about video surveillance and video protection to the CNIL, the institution made a proposal to the government to reconsider these questions, providing more transparency and strengthening legal oversight, as the CNIL today does not have the authority to regulate the prefectural devices.</p>
<p><strong>MV</strong> &#8211; Are there business figures about these technologies? We are not going to give them in detail, as doing so would be tedious. However we know very well, for instance, how lucrative the biometrics market is today. Who would like to give us an answer here?</p>
<div><strong>JMM</strong> &#8211; We could not really say where the money from academic research goes exactly, but industry publishes market figures. I don&#8217;t have the figures in mind, but since 2001 all share prices have fallen, with the exception of security technologies, which never stop taking off. The funding of these devices will be delegated to public-private partnerships within Michèle Alliot-Marie&#8217;s plan for tripling the number of surveillance cameras. Private companies would be in charge of processing video records to help identify suspects, in the context of the adoption of the LOPSI law. The privatization of this sector is highly topical. More generally, a white paper was published about private security (not only video surveillance) announcing a better capacity for arresting lawbreakers, while generating greater feelings of insecurity. According to the author of the paper, a solution to this growing feeling would be an increase in the number of private guards, as there will be more technology and fewer police officers (lay-offs were recently confirmed by police unions). Your question about the market for security technologies is an excellent one, since we should never forget that decisions made by politicians with regard to these technologies always carry deep impacts on the economy. There are fierce lobbying operations behind these decisions. Surveillance tools get installed by those who want to be re-elected. Nearly all academic studies of video surveillance clearly show its inefficiency, except in some enclosed places like parking lots. In London, the most surveilled city in the world, 3% of offenders were arrested thanks to the surveillance system.</div>
<p><strong>MV</strong> &#8211; MM ?</p>
<p><strong>MM</strong> &#8211; Today (2009), for biometrics apart from DNA (as DNA analysis constitutes another market), the market is worth $3.5B, and the predictions from an international group of industry players and consultants are around $9.5B in 2014. Even more important than the figures, I&#8217;d like to specify which sectors drive the market. At the international level, then at the European level and eventually at an operational level in France and elsewhere, we notice a market structured by government decisions on account of the adoption of the biometric passport. Opting for biometric ID projects will organize the market. Choosing a biometric identifier like facial recognition (digitized faces) is part of the process, but at the international level the question of picking fingerprints or iris scans as a second identifier also comes up. Why does it raise political and economic issues? Simply because of the nature of the world leader in fingerprint technology, our industrial champion: the Sagem Défense Sécurité group. Who owned the patents on iris scanning at the time of these discussions, held since 2002 in the middle of INTERPOL meetings? Anglo-Saxon companies. Consequently, during an INTERPOL meeting in Lyon, Nicolas Sarkozy, who was then the Minister of the Interior, declared &#8220;the fingerprint technology is the French tradition, we are going to keep this technology&#8221; (quoted in the press). France and Germany were pro-fingerprint and the United Kingdom, in connection with the U.S.A., was in favor of the iris scan. These are the sectors driving the market.</p>
<p><strong>MV &#8211; </strong>The tradition following the industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/07/27/security-vs-privacy-in-france-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security vs. Privacy in France &#8211; Part 1</title>
		<link>http://www.cippguide.org/2009/07/21/security-vs-privacy-in-france-part-1/</link>
		<comments>http://www.cippguide.org/2009/07/21/security-vs-privacy-in-france-part-1/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 13:10:50 +0000</pubDate>
		<dc:creator>Shal</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[CNIL]]></category>
		<category><![CDATA[CNRS]]></category>
		<category><![CDATA[data protection agency]]></category>
		<category><![CDATA[Edwige]]></category>
		<category><![CDATA[EURECOM]]></category>
		<category><![CDATA[Facial Recognition]]></category>
		<category><![CDATA[France]]></category>
		<category><![CDATA[internetactu.net]]></category>
		<category><![CDATA[IRIS]]></category>
		<category><![CDATA[Isabelle Falque-Pierrotin]]></category>
		<category><![CDATA[Jean-Luc Dugelay]]></category>
		<category><![CDATA[Jean-Marc Manach]]></category>
		<category><![CDATA[Meryem Marzouki]]></category>
		<category><![CDATA[RFID]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Stéphanie Lacour]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=851</guid>
		<description><![CDATA[French citizens are beginning to weigh sacrificing the privacy held so dearly in the name of security.  After listening to a round table forum with several well known French privacy advocates and security researchers, Shal realized that not getting the debate translated, at least in part, into other languages would be very unfortunate.
The participants tackle the deployment of cameras over Paris, face recognition, RFID usage  [...]]]></description>
			<content:encoded><![CDATA[<p>This weekend, I listened carefully to this <a href="http://ccwebcast.in2p3.fr/cnrs/videos/CNRS_LeMonde/ParlonsEn_02.mp3" target="_blank">podcast</a> (<a href="http://www.cnrs.fr/lesgrandsdebats/spip.php?article2">video here</a>) about the antagonism between security &amp; privacy, and I thought all along that it would be very unfortunate if the debate were not translated, at least in part, into other languages. I believe I can contribute by sharing it with the visitors of the CIPP Guide.<br />
The participants tackle the deployment of cameras over Paris, face recognition, RFID usage  etc.  This is part 1 of the discussion, introducing the participants and the organizations they represent.</p>
<p>Summary of the debate &#8220;Sécurité ou Vie Privée ?&#8221; <em>(ed: Security or Private Life)</em> moderated by Mathieu Vidard (MV)</p>
<p>&#8220;Security or Privacy?&#8221;<br />
- Do we have a choice any longer?-</p>
<p>Guests :<br />
<a href="http://www.cnil.fr/index.php?id=4" target="_blank">Isabelle Falque-Pierrotin</a> (IFP) &#8211; Vice-president of the French Data Protection Authority (CNIL)<br />
<a href="http://www.linkedin.com/pub/stephanie-lacour/4/55a/653" target="_blank">Stéphanie Lacour</a> (SL) &#8211; CNRS researcher<br />
<a href="http://www.cnil.fr/conference2001/fr/biographie/marzouki_bio.html" target="_blank">Meryem Marzouki</a> (MM) &#8211; CNRS researcher<br />
<a href="http://www.eurecom.fr/%7Edugelay/" target="_blank">Jean-Luc Dugelay</a> (JLD) &#8211; EURECOM researcher<br />
<a href="http://jean-marc.manach.net/" target="_blank">Jean-Marc Manach</a> (JMM) - <a href="http://internetactu.net/" target="_blank">internetactu.net</a></p>
<p><strong>MV to IFP</strong> &#8211; What is the role of the <a href="http://en.wikipedia.org/wiki/CNIL" target="_blank">CNIL</a>?<br />
<strong>IFP</strong> &#8211; The CNIL plays a critical role in protecting individual freedoms in the digital world. The CNIL was founded in 1978. At that time, files already existed, in particular in administrative offices, and nobody really knew how they were put together. As a result some worries started to surface in France, especially when the &#8220;<a href="http://febcm.club.fr/english/chronoa8.htm" target="_blank">Plan Calcul</a>&#8221; (<em>ed: the French national computing programme of the 1960s</em>) was launched and the idea of a unique identifier per individual, working across all administrative departments, emerged. The creation of the CNIL appeared as an answer to these worries. It represents the first French step in establishing rights over administrative files. In 2004, the law founding the CNIL was substantially amended. This reform substantially altered the regulatory role held by the CNIL. What is crucial to understand is that this role has to be complemented by the commitment of individuals and companies.<br />
<strong>MV to IFP</strong> &#8211; So first of all, your role is about informing people, checking, regulating and taking measures.<br />
<strong>IFP</strong> &#8211; Absolutely; this penalization capability was granted to the CNIL in 2004, since the Commission can decide on economic sanctions against personal data processing which does not abide by the law of 1978. Besides, the educational role is more and more important, as there are files everywhere. There are public files but also a proliferating set of private files.<br />
As opposed to the year of 1978 when 90% of the CNIL activity was about public files, today 90% of its activity is related to private files.<br />
<strong>MV to MM</strong> &#8211; Meryem Marzouki, may I ask you to introduce the <a href="http://www.iris.sgdg.org/" target="_blank">IRIS</a> organization?<br />
<strong>MM</strong> &#8211; IRIS means Imagine a Solidary Internet Network. The organization has existed since 1996. We defend and promote human rights and fundamental freedoms within IT-related activities and networks. To follow on from IFP&#8217;s statement, the CNIL was founded after the very first public scandal concerning files in France. The second public scandal, of nearly the same intensity, came last year (2008) with the <em><a href="http://www.newropeans-magazine.org/content/view/8379/1/" target="_blank">Edwige</a></em> files project, and thanks to a very strong citizen mobilization (around 2000 organizations) the project has been withdrawn for now. And now we are dealing with other proposals and draft laws.<br />
<strong>MV to SL</strong> &#8211; Stéphanie Lacour, what are the technologies on which your research focuses today?<br />
<strong>SL -</strong><strong> </strong>I am inclined to think that the topic we are discussing: Security versus Privacy is difficult to consider in very general terms, at least in my opinion it is, so I try to address it under the perspective of specific technologies and I am interested in seeing how these very material technologies (chips, nanotechnologies) impact privacy protection and the conservation of a balance established by the law of 1978 between data security, privacy protection and other imperatives such as economic or public ones. I focus on these challenges in terms of new technologies or given technologies in particular.<br />
<strong>MV</strong> - We will talk about citizen rights with regard to the data circulating in the <a href="http://en.wikipedia.org/wiki/Navigo_pass" target="_blank">Navigo pass</a>, for instance. JLD, could you please do the same thing, quickly introducing EURECOM (Nice).<br />
What kind of research do you conduct?<br />
<strong>JLD</strong> &#8211; EURECOM is a school founded in 1991 with a strong international dimension. The organization comprises an economic interest group with an industrial department and an educational department. Our research activities touch on mobiles, multimedia, security, networks and new technologies in general. I am a specialist in image processing for security technologies such as digital watermarking, biometrics and video surveillance. Our goal is to unlock technologies to make progress in these fields.<br />
<strong>MV</strong> - Finally, Jean-Marc Manach, what are your expectations as a journalist and blogger?<br />
<strong>JMM</strong> &#8211; I&#8217;m actually part of a group called Big Brother Awards, which rewards those who shine at impairing privacy or promoting surveillance. For ten years, we have been documenting, year by year, the most prominent projects, draft laws, technologies or companies, and I mostly agree with what was said before, namely that it is quite hard to grasp this problem of security relative to privacy in a broad way, as it is fuzzy. Nonetheless I can say that the law of 1978 was adopted after a scandal in connection with a police file project called <em>Safari</em>, the hub of all French administrative files. Today, and since the adoption of the law of 2004, police filing activity has grown dramatically. Within three years there was a 70% increase in police filing activity. Even the &#8220;Informatique et Libertés&#8221; (<em>ed: Data Processing and Liberties</em>) law and the CNIL do not prevent police filing from persisting, although something did happen last year with Edwige.<br />
On the other side, administrative files are interconnected. There are more and more interconnected social files. At the technology level, more and more scientists are working on using biometrics, video surveillance, RFID chips and nanotechnologies for security purposes, for marketing (to improve customer relationships, as they say) or for creating fun things that play down these monitoring technologies, which are a bit scary, so that they can be sold on a mass scale. We should not forget that all security technologies are intertwined with prosperous markets and businesses, which don&#8217;t really suffer from the crisis.<br />
<strong>MV -</strong> OK, I think it is good to have introduced what you do in detail. Are there already some questions?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/07/21/security-vs-privacy-in-france-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Popular encryption software flaw details published</title>
		<link>http://www.cippguide.org/2009/05/29/popular-encryption-software-flaw-details-published/</link>
		<comments>http://www.cippguide.org/2009/05/29/popular-encryption-software-flaw-details-published/#comments</comments>
		<pubDate>Fri, 29 May 2009 11:00:04 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[CBC]]></category>
		<category><![CDATA[Centre for the Protection of National Infrastructure]]></category>
		<category><![CDATA[cipher-block chaining]]></category>
		<category><![CDATA[CNPI]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[CTR]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Gaven Watson]]></category>
		<category><![CDATA[IEEE Symposium]]></category>
		<category><![CDATA[Kenny Paterson]]></category>
		<category><![CDATA[man-in-the-middle]]></category>
		<category><![CDATA[Martin Albrecht]]></category>
		<category><![CDATA[OpenSSH]]></category>
		<category><![CDATA[Royal Holloway]]></category>
		<category><![CDATA[secure shell]]></category>
		<category><![CDATA[SSH]]></category>
		<category><![CDATA[University of London]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=661</guid>
		<description><![CDATA[The recently unveiled flaw in SSH reiterates the idea that, no matter how good the technology, it will eventually fail from a whole host of threats.  In this case, the implementation flaw occurred in a software product that had been previously "proven secure".  Real world implementations are more complex than security models, and other mitigations must be in place when a design does finally [...]]]></description>
			<content:encoded><![CDATA[<p>As we mentioned in a recent <a title="Even with the best security products and ideas in place, plan for a problem that will inevitably arrise" href="http://www.cippguide.org/2009/05/19/hey-stupid-dont-just-throw-that-out-corporate-disposal-policies-keep-your-organization-out-of-the-headlines/" target="_blank">post on disposal policies</a>, someone, somewhere will eventually notice a problem in even the best security software, and so it was with Secure Shell (SSH).  SSH is an encrypted remote-login protocol, originally a secure replacement for rlogin and telnet.  Since its inception, features such as port forwarding and file transfer have been added that let SSH serve as a Swiss Army knife for encrypted transport.  As about 80% of SSH deployments are OpenSSH, we will use the two names interchangeably, though the details of the flaw are specific to OpenSSH&#8217;s implementation.  </p>
<p>Several years ago, using the methods of provable security, University of California San Diego researchers analysed SSH&#8217;s authenticated-encryption scheme and showed that (repaired) variants of it are <a title="Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm " href="http://www.cs.washington.edu/homes/yoshi/papers/SSH/" target="_blank">provably secure</a> in a formal model.  And SSH has lived up to that reputation, posting only 31 bugs since 1998, most of them minor.  Until now&#8230;  Three researchers from the Royal Holloway Information Security Group (ISG) at the University of London, Martin Albrecht, Kenny Paterson and Gaven Watson, <a title="University of London Researchers publish Plaintext Recovery Attacks Against SSH" href="http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf" target="_blank">found a gap between the proof and the implementation</a>: the model treats a ciphertext as arriving and being checked all at once, whereas a real SSH receiver decrypts the first block, acts on the length field it contains, and only then verifies the MAC.  The result is a plaintext-recovery attack.  An attacker in a <a title="Wikipedia: Man-in-the-middle attack circumvents security" href="http://en.wikipedia.org/wiki/Man_in_the_middle_attack" target="_blank">&#8220;man-in-the-middle&#8221; position</a> on the network path does not decrypt the traffic directly; instead they inject a ciphertext block copied from the session and learn bits of its plaintext from how, and after how many bytes, the receiver fails.  Against OpenSSH 4.7 in CBC mode the attack recovers 32 bits of plaintext from an arbitrary ciphertext block with probability 2<sup>-18</sup> per attempt, or 14 bits with probability 2<sup>-14</sup>, and each attempt tears down the connection.</p>
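<p>The attack in outline, as an added example (not code from the paper or from OpenSSH): a toy block cipher in CBC mode, a receiver modelled on the OpenSSH 4.7 checks the paper describes, and an attacker that injects a ciphertext block and turns the receiver&#8217;s error behaviour into 32 bits of plaintext. The cipher (a SHA-256 Feistel stand-in), the packet contents and the session key are constructed for the demonstration. In the real attack the receiver&#8217;s chaining value is whatever ciphertext block was last on the wire, which the attacker cannot choose, so the full-recovery case only occurs with probability about 2<sup>-18</sup> per attempt; here the chaining value is set so that each outcome is shown.</p>

```python
"""Toy model of the CBC length-field attack on SSH (Albrecht, Paterson, Watson).

Added illustration, not code from the paper or from OpenSSH. The cipher is a
4-round SHA-256 Feistel stand-in (any keyed permutation will do), and Receiver
is a simplified model of the OpenSSH 4.7 checks the paper describes: a range
check on packet_length, a block-alignment check, and a MAC check that fires
only after packet_length + 4 bytes have been read.
"""
import hashlib
import struct

BLOCK = 16
MAX_PACKET = 256 * 1024        # OpenSSH's upper bound on packet_length


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, data):
    """Return the ciphertext blocks; as in SSH, the chain carries over between packets."""
    out, prev = [], iv
    for off in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[off:off + BLOCK], prev))
        out.append(prev)
    return out


class Receiver:
    """Vulnerable decryptor. receive(wire) -> (error or None, bytes consumed).

    The first block is decrypted and its leading 4 bytes are used as
    packet_length before any MAC check; every failure is distinguishable on the
    wire. Modelled as a function of all bytes sent so far; a real connection dies
    at the first error, so each probe costs one session.
    """

    def __init__(self, key, chain):
        self.key, self.chain = key, chain

    def receive(self, wire):
        first = _xor(block_decrypt(self.key, wire[:BLOCK]), self.chain)
        length = struct.unpack(">I", first[:4])[0]
        if length < 5 or length > MAX_PACKET:
            return "bad packet length", BLOCK     # immediate disconnect
        if (length + 4) % BLOCK != 0:
            return "padding error", BLOCK         # also immediate, different error
        need = length + 4                         # MAC checked only after this much
        if len(wire) < need:
            return None, len(wire)                # still waiting for data
        return "corrupted MAC", need


def attack(target, prev, chain, oracle):
    """Inject ciphertext block `target` (preceded on the wire by `prev`) as the
    first block of a fresh packet while the receiver's chaining value is `chain`
    (the last ciphertext block it saw, which is public). Returns (bits, value)."""
    wire = target
    err, consumed = oracle(wire)
    if err == "bad packet length":
        return 0, None
    if err == "padding error":
        # Range check passed: top 14 bits of D_K(target) XOR chain are zero, so the
        # top 14 bits of the target plaintext equal those of chain XOR prev.
        return 14, int.from_bytes(_xor(chain[:4], prev[:4]), "big") >> 18
    while err is None:                            # feed filler until the MAC check trips
        wire += bytes(BLOCK)
        err, consumed = oracle(wire)
    length = struct.pack(">I", consumed - 4)      # = first 4 bytes of D_K(target) XOR chain
    dec4 = _xor(length, chain[:4])                # = first 4 bytes of D_K(target)
    return 32, _xor(dec4, prev[:4])               # CBC: P_i = D_K(C_i) XOR C_(i-1)


def demo(key=b"demo-session-key"):
    """One constructed SSH-style packet (packet_length, padding_length, payload, padding)."""
    packet = b"\x00\x00\x00\x1c\x0b" + b"USER-SECRET-TOKEN" + bytes(10)
    c = cbc_encrypt(key, bytes(BLOCK), packet)
    target, prev = c[1], c[0]                     # aim at the first 4 bytes of block 1
    d = block_decrypt(key, target)
    # The attacker cannot choose `chain`; it is fixed here so each branch is shown.
    # With an arbitrary chain the first case occurs with probability about 2^-18
    # per attempt and the second about 2^-14.
    results = {}
    for name, fake_len in (("full", 60), ("partial", 61), ("none", 0xFFFFFFFF)):
        chain = _xor(d, struct.pack(">I", fake_len) + bytes(12))
        results[name] = attack(target, prev, chain, Receiver(key, chain).receive)
    return results


if __name__ == "__main__":
    print(demo())   # {'full': (32, b'-TOK'), 'partial': (14, 2901), 'none': (0, None)}
```

<p>The three branches of attack() are the three distinguishable failures: an out-of-range length ends the connection at once and leaks nothing, a length that passes the range check but not the alignment check leaks the top 14 bits, and a length that passes both lets the attacker count bytes until the MAC check fires and recover all 32 bits.</p>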
<h3>The Problem</h3>
<p>There are actually three problems that account for the ISG discovered flaw:</p>
<ol>
<li>The first lies in the manner in which the original security models used for the proof were constructed. The original proof presupposes that garbled information may simply be rejected as a failure and that this will not impact the security of the encryption used to protect the data.  The model never distinguished between the various kinds of failure, but the failure information turns out to be accessible to an adversary.  </li>
<li>The second is an implementation decision made by the original software developers for SSH.  The developers had two choices: send the size of the transmitted information (the packet length field) unencrypted, which gives away a small amount of information telling an attacker how much data they have to crack, or encrypt the predictable packet length field, possibly enabling a <a title="Wikipedia: Known Plaintext Attack" href="http://en.wikipedia.org/wiki/Known-plaintext_attack" target="_blank">&#8220;known plaintext&#8221; attack</a> and thereby decreasing the <a title="Key space refers to the total number of keys available.  Think of it as a big key ring, and in order to open the door, you must try every key on the ring.  Wikipedia's definition is here" href="http://en.wikipedia.org/wiki/Keyspace" target="_blank">keyspace</a>.  SSH&#8217;s developers chose to encrypt the length field.  </li>
<li>The last problem concerns encryption modes and feedback loops.  In order to efficiently create an encrypted tunnel between two computers and keep it hard to break, information from the current set of mathematical operations is used to incrementally change the next set, preventing various <a title="SANS reading room: explanation of various types of cryptographic attacks" href="http://www.giac.org/resources/whitepaper/cryptography/57.php" target="_blank">encryption attacks</a>.  What data are taken from the current packet and fed into the next depends on the &#8220;<a title="Wikipedia: block cipher modes of operation" href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation" target="_blank">cryptographic mode</a>&#8221; chosen.  By default, SSH uses cipher-block chaining (CBC) mode instead of counter (CTR) mode.<span id="more-661"></span></li>
</ol>
<h3>Exploiting the SSH flaws</h3>
<p>The ISG researchers took the reported error information, which the proof never accounted for, together with the design decision made by SSH developers, and began tinkering.  They eventually found a method of reducing the security of SSH&#8217;s default settings.  They reduced the overall security by creating a guessing game in which an attacker has a one in 262,144 chance of success versus a brute force attempt at 1 in 4.2 billion (2^18 vs 2^32).  You&#8217;ll only recover a very small amount of information using this method (14 or 32 bits), but it is enough to be useful.  The researchers&#8217; vulnerability was first announced in November 2008, when the UK Centre for the Protection of National Infrastructure (CPNI) simply could not ignore the problem and, working with the ISG, issued a <a title="CPNI Vulnerability Advisory SSH" href="http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt" target="_blank">CPNI advisory</a>.  Full details of the flaw were not announced until this month, when the researchers presented at an IEEE Symposium in California.</p>
<h3>Vulnerability mitigation strategies</h3>
<p>Even though the attack will work &#8220;with probability 1&#8221; in some circumstances, it&#8217;s somewhat difficult to pull off in general, and is about as stealthy as a freight train.  OpenSSH v5.2 and above should not be susceptible to this particular exploit.  According to the CPNI advisory, the SSH flaw may be mitigated in current SSH versions by using CTR mode instead of the default CBC mode.  </p>
<h3>Takeaway</h3>
<p>This same technology reliance problem shows up repeatedly.  Use new equipment and products to increase efficiency, but do not over-rely on automation and technology.  Someone, somewhere will notice something unexpected, even with proven secure products.  Audit system results and write policies that take into account that the technology will eventually fail, not just from hackers or even questionable coding decisions &#8211; hurricanes, fires and employee clumsiness can all accomplish the same thing.  If your systems fail, any private information exposed will cost money &#8211; in breach notifications, time resetting the systems and general reputation.   The ISG researchers summed up the situation succinctly in their paper: </p>
<blockquote><p>Unfortunately, it seems that <strong>real world</strong> cryptographic <strong>implementations are more complex than the</strong> current <strong>security models</strong> for SSH handle.</p></blockquote>
<h3>CIPP Candidate Preparation</h3>
<p class="MsoNormal">In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>Managing Risk and compliance (Foundations:I.G.b) including: Privacy Policy Development, Risk Management, Compliance</li>
<li>Information Security (Foundations: II.C) including: Encryption (data-in-motion) and Threats &amp; Vulnerabilities</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/05/29/popular-encryption-software-flaw-details-published/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EXCLUSIVE:  Interview with Heartland Payment Systems&#039; Executive Director, Mr. Steven Elefant</title>
		<link>http://www.cippguide.org/2009/05/28/exclusive-interview-with-heartland-payment-systems-executive-director-mr-steven-elefant/</link>
		<comments>http://www.cippguide.org/2009/05/28/exclusive-interview-with-heartland-payment-systems-executive-director-mr-steven-elefant/#comments</comments>
		<pubDate>Thu, 28 May 2009 13:06:09 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[breach notification]]></category>
		<category><![CDATA[data security standard]]></category>
		<category><![CDATA[Department of Homeland Security]]></category>
		<category><![CDATA[DHS]]></category>
		<category><![CDATA[DSS]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[end to end encryption]]></category>
		<category><![CDATA[FS-ISAC]]></category>
		<category><![CDATA[Heartland Payment Systems]]></category>
		<category><![CDATA[PA-DSS]]></category>
		<category><![CDATA[payment card industry]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Steven Elefant]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=469</guid>
		<description><![CDATA[We had a chance to talk with Mr. Steven Elefant, Executive Director of end-to-end security at Heartland Payment Systems shortly after the security breach reportedly affecting hundreds of millions of credit card transactions. While the complete interview is available in the forums, we include a few excerpts in the articles section of the [...]]]></description>
			<content:encoded><![CDATA[<p>We had a chance to talk with Mr. Steven Elefant, Executive Director of end-to-end security at <a title="CIPP Guide: Heartland Payment Systems breach affects hundreds of millions" href="http://www.cippguide.org/2009/01/21/hundreds-of-millions-of-private-records-stolen-from-heartland-payment-systems/" target="_blank">Heartland Payment Systems shortly after the security breach reportedly affecting hundreds of millions of credit card transactions</a>.  While the complete interview is available in the forums, here are a few excerpts:<br />
________________________________________</p>
<p><strong>Mr. Elefant, would you please tell me a little bit about your background?</strong></p>
<p>I’ve been in and around payments for 20 plus years.  I started a company called IC Verify which was the first PC payment software company in the 80’s doing credit cards, ATM / debit and check processing on personal computers. We rolled that out to 250K merchants in 21 countries with a half dozen languages.  ICVerify was merged with CyberCash, and I became the vice chairman of CyberCash. After leaving CyberCash, I was involved in several other startups including a company called Price Radar in the online auction space, a digital content management and micro payments company called Yaga and then venture capital for the last five years before joining Heartland Payment Systems.</p>
<p>________________________________________</p>
<p><strong>So the division you’re handling is the payment systems?</strong><br />
I am the executive director of end-to-end encryption.  This position touches on many aspects of Heartland’s diverse business.</p>
<p>________________________________________</p>
<p><strong>As far as the end-to-end encryption, first, what do you think of the media’s treatment of Heartland?  From my perspective, with a little time in journalism, the story was ‘if it bleeds, it leads’…  that seems to be the mantra and the announcements that went on with Heartland incident, the media absolutely had a field day.  What was the actual severity of the breach, and was it as bad as the media portrayed?</strong></p>
<p>We seem to be turning the tide. We’ve been proactive in leading industry change, sharing information and furthering the development of end-to-end encryption as a key element that will help the industry be more secure.<br />
________________________________________</p>
<p><strong>What do you think of the PCI DSS?  Does it go far enough?  Obviously, with Visa putting you guys and RBS on probation… What was the disconnect, and what do you think of the PCI DSS?</strong></p>
<p>Heartland was PCI certified every year it was assessed.  Yet our system was breached, showing that the standards did not fully protect data.  It may well be that no set of standards ever could fully protect data in this environment  &#8212; where motivated criminals develop ever more sophisticated ways to infiltrate systems.   We are working on new approaches to enhance security.<br />
_______________________________________</p>
<p><strong>So it’s just the application itself has to be certified and you guys are going above and beyond that throwing in the end-to-end encryption to take care of everything that’s not currently called out in the PCI-DSS?</strong></p>
<p>Yes. What we’re doing is from the time the digits leave the mag stripe, as they are read through that read head, they will be encrypted with very strong TRSM (Tamper Resistant Security Module) and AES encryption. Through the terminal, over the wires, through our hosts and through the card brands, the transaction will be encrypted – as long as the brands agree to do this.</p>
<p>________________________________________</p>
<p><strong>As far as the price tag for a breach, what are we looking at as far as potential sanctions from the PCI, I’m not talking about specifically about Heartland, but in general terms if you can’t talk about Heartland, what are we looking at as a breach?  We’re talking sanctions, breach notifications, brand harm – what do you see as the final price tag?</strong></p>
<p>Breaches are expensive in all of those categories and more.  The results of some past breaches are publicly available.  I don’t know how to answer your question about a specific price tag.  It’s still TBD.<br />
________________________________________</p>
<p><strong>A pretty consistent theme in my reading and at conferences is people saying, “The reason we’re doing all this security work is for compliance &#8211; we’re trying to comply with the governmental regulations rather than trying to do what’s in the best interest of protecting the customer.”  Because there are risk tradeoffs, how do you weigh between the privacy of the user and the compliance with whatever regulation?</strong></p>
<p>I think compliance and security go hand in hand.  Compliance, though, is not enough in and of itself.  That is why we are working to enhance the existing industry standards.   We are also working with ANSI X9 F6 to help create greater security around PANs, as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Payments Processing Information Sharing Council (PPISC), to share threat information and protect the entire industry, business owners and consumers.<br />
________________________________________</p>
<p><strong>So one of the reasons for the CIPP Guide website is to serve as a resource for the privacy professional certification.  What do you think of certification programs, both in general as far as technology certifications go?</strong></p>
<p>I think they’re very important.  The education process that goes on within the industry has to be an ongoing one.  It’s not a one-time thing.  The industry changes and evolves, and the threat vectors change. This is a continuous process the industry needs to continue to support.<br />
________________________________________</p>
<p><strong>It definitely seems like you guys are moving in the right direction.  As I said earlier, it’s unfortunate that the media gets a hold of these things, because, I seem to recall that the information that was lost was bad, but not so bad that it was going to bring about the end of the financial market.</strong></p>
<p>We are trying to do things that benefit our business, the entire industry, merchants and consumers.</p>
<p><a title="The complete interview with Mr. Steven Elefant, Executive Director with Heartland Payment Systems may be found in the CIPP Guide Forums" href="http://www.cippguide.com/forum" target="_blank">The complete interview with Mr. Steven Elefant, including more details on PCI and his thoughts on compliance is available in the CIPP Guide forums.</a></p>
<p>Ed. note:  Before the interview, <a title="Visa Chief Enterprise Risk Officer says Heartland not PCI DSS compliant" href="http://www.corporate.visa.com/md/dl/documents/downloads/EllenRichey09SummitRemarks.pdf" target="_blank">Visa had revoked Heartland&#8217;s PCI compliant status as of March 13th, 2009</a>.  According to Visa&#8217;s website, <a title="Visa says Heartland Payment Systems is PCI DSS compliant again as of April 30, 2009" href="http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf" target="_blank">Heartland apparently regained their PCI compliant status as of April 30, 2009</a>.  As of May 7, 2009, the <a title="Heartland Payment Systems breach estimated over $12.5 million" href="http://www.wired.com/threatlevel/2009/05/heartland-breach-cost-company-126-million-so-far/" target="_blank">Heartland breach reportedly cost over $12.5 Million</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/05/28/exclusive-interview-with-heartland-payment-systems-executive-director-mr-steven-elefant/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft&#039;s End-to-end Trust &#8211; a review of Chief Security Strategist Douglas Cavit&#039;s vision</title>
		<link>http://www.cippguide.org/2009/05/12/microsofts-end-to-end-trust-a-review-of-chief-security-strategist-douglas-cavits-vision/</link>
		<comments>http://www.cippguide.org/2009/05/12/microsofts-end-to-end-trust-a-review-of-chief-security-strategist-douglas-cavits-vision/#comments</comments>
		<pubDate>Tue, 12 May 2009 12:00:03 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[anonymization]]></category>
		<category><![CDATA[AppLocker]]></category>
		<category><![CDATA[Card Space]]></category>
		<category><![CDATA[chief security strategist]]></category>
		<category><![CDATA[Douglas Cavit]]></category>
		<category><![CDATA[end-to-end trust]]></category>
		<category><![CDATA[end2end]]></category>
		<category><![CDATA[federated ID]]></category>
		<category><![CDATA[federated identification]]></category>
		<category><![CDATA[Geneva]]></category>
		<category><![CDATA[ISSA]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[SD3]]></category>
		<category><![CDATA[SDL]]></category>
		<category><![CDATA[TPM]]></category>
		<category><![CDATA[Trusted Platform Module]]></category>
		<category><![CDATA[trusted stack]]></category>
		<category><![CDATA[Vista]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=497</guid>
		<description><![CDATA[Last week, the Chief Security Strategist for Microsoft, Mr. Douglas Cavit, presented a webcast to the Information Systems Security Association titled "End-to-end Trust: Creating a more trusted [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, the Chief Security Strategist for Microsoft, Mr. Douglas Cavit, presented a webcast to the Information Systems Security Association titled &#8220;End-to-end Trust: Creating a more trusted Internet&#8221;.  The presentation was a highlight of the <a title="Microsoft's End-to-end Trust initiative expects to remedy many network security concerns while still placing an emphasis on privacy" href="http://www.microsoft.com/end2endtrust" target="_blank">Microsoft strategy found on their end2end website</a>.  Although the audience and speaker were security focused, it is interesting how slanted the presentation was towards privacy considerations.  Creating an end-to-end trust implies having some knowledge of who you&#8217;re speaking with and how much you may rely on what they are saying.</p>
<h3>History &amp; Rationale</h3>
<p>Mr. Cavit explained the new push behind the End-to-end Trust initiative.  The Internet empowers the end user, providing instant access to worldwide information and a freedom of expression capable of eliminating waste, eliciting transparency from governments and toppling dictatorial regimes.  &#8220;Blogging is the new town square,&#8221; he said during the presentation.  For all of its benefits, however, the &#8216;Net&#8217;s threats originally prompted Microsoft&#8217;s Security Development Lifecycle (SDL) initiative.  At the beginning the SDL centered on viruses crashing computers and the bad reputation Windows developed from poor coding practices.  More recently though, the SDL and SD<sup>3</sup> (Secure: by Design, by Default, in Deployment) work formed the basis of Microsoft&#8217;s view of how to tackle such issues as ID theft, child safety and combating the zombies and botnets used in nation state attacks.  Microsoft&#8217;s strategy holds that all of these types of networked issues come down to trust, or the lack thereof, and that the successful processes and procedures developed for dealing with security internally at Microsoft should be shared for the greater good of the community.</p>
<h3>Reputation in the Wild, Wild West</h3>
<p>The parallel Mr. Cavit drew compared the current state of the Internet to the Wild, Wild West.  It was easy in the mid to late 1800s for an adversary to simply relocate to a different area, blend in and go unrecognized for the rest of their life.  This anonymity faded away over the next hundred years, with the discovery and widespread use of everything from photographs and fingerprints to car license tags and convenience store videos.  With each passing decade, reputation grew in importance.  A citizen&#8217;s fingerprint doesn&#8217;t typically show up in databases until after a crime or a government service.  A car&#8217;s license tag remains unremarkable, and a driver may enter another area without real fear of tracking.  However, once the vehicle becomes of interest because of, say, an Amber Alert, the plates proffer accountability and allow officials fast identification. </p>
<h3>Basis for trust</h3>
<p>What is the basis of trust?  What cues define an entity that deserves respect?  Those are two questions posed during the briefing.  In a face-to-face meeting, people use all five senses in evaluating others.  Visual cues such as excessive perspiration or an audible uneasiness in a speaker&#8217;s voice are telltale reliability metrics in a physical meeting.  There are simply no comparable attributes available in digital transactions.  In the physical world, once someone establishes a reputation, it&#8217;s relatively static, following the individual in future job prospects, social circles and housing efforts.  In a digital world, trust decisions are very dynamic and may be complete, limited, or untrusted.  Online trust is also quite often unreliable.</p>
<p>Mr. Cavit suggests how to create trustworthiness online, with a basis that &#8220;must start with a strong root&#8221;.  In Microsoft&#8217;s interpretation, that implies hardware, amounting to something such as the <a title="Wikipedia: TPM chip allows trusted computing from the hardware up" href="http://en.wikipedia.org/wiki/Trusted_Platform_Module" target="_blank">Trusted Platform Module, commonly referred to as the TPM chip</a>.  Microsoft calls this layering a trusted stack, and already touts the 64 bit version of Windows Vista as capable of securing up through the trusted applications layer.  The next version of Windows (7) will include something called AppLocker.  Similar to BitLocker, AppLocker controls what software may run in user mode, effectively creating application white lists.</p>
<div id="attachment_500" class="wp-caption alignright" style="width: 517px"><a href="http://www.microsoft.com/end2endtrust"><img class="size-full wp-image-500 " title="Microsoft's Trusted Stack" src="http://www.cippguide.org/wp-content/uploads/2009/05/trustedstack.png" alt="According to Microsoft, end-to-end trust must be built from the bottom up" width="507" height="304" /></a><p class="wp-caption-text">According to Microsoft, end-to-end trust must be built from the bottom up.  Source: Microsoft ISSA presentation</p></div>
<p>Trusted data and trusted people comprise similar verification systems.  To become a trusted person, one must apply in person, providing physical credentials expected to authenticate the individual.  This would be similar to submitting your driver&#8217;s license or passport to a Public Notary for practically any legal document.  Trusted applications writing data will access the trusted person&#8217;s digital credentials, verify the certificates and read and write digitally signed, thereby trusted, data.   (I&#8217;m sure there are several caveats to these scenarios from a security and privacy standpoint, such as an illegitimate in-person verification either due to identity theft or maybe a bribed employee, compromised locally cached credentials or a newly discovered cryptographic algorithm flaw.)  The <a title="InfoWeek explanation of TPM acting as it's own trusted root" href="http://www.informationweek.com/news/security/encryption/showArticle.jhtml?articleID=208800940" target="_blank">trusted stack does serve as an academic starting point</a>.</p>
<h3>Anonymity</h3>
<p>The biggest stumbling block and loudest opposition to the end-to-end sorts of activities described come from the loss of anonymity highlighted by privacy pundits.  Mr. Cavit acknowledges that the possibility for privacy protections exists, without delving into too many details during the one hour presentation.  The one area that he did cover surrounded identity federation, where a user has multiple credentials appropriate to the separate tasks they&#8217;d like to accomplish online.  One example presented was a bowling league card, a driver&#8217;s license and an over-18 validation marker on a driver&#8217;s license.  Each of these IDs is appropriate for completing specific tasks.  Your league card probably won&#8217;t do much good if you&#8217;re stopped by a police officer, whereas your driver&#8217;s license won&#8217;t necessarily show you paid the $50 bowling membership fee.  </p>
<p>A federated identification system presents the correct credentials without exposing impertinent or inappropriate information, choosing the bowling league card at the lanes and the video rental card for the DVDs.  The over 18 marker is of interest as <a title="Equifax I-card proves a user is over 18, and is the first step towards a federated ID management system" href="https://equifaxicards.com/imover/overview.do" target="_blank">Equifax apparently offers an I-card credentialing program to prove adult status</a> without exposing any other personally identifying details to the requesting web site.  Federated ID  also avoids creating huge personally identifiable information (PII) databases.  Cavit highlights a successful implementation of a federated credentialing pilot program at the Lake Washington School System.  </p>
<div id="attachment_500" class="wp-caption aligncenter" style="width: 310px">
<dl class="wp-caption">
<dt class="wp-caption-dt"><object classid="clsid:6bf52a52-394a-11d3-b153-00c04f79faa6" width="300" height="300" codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"><param name="url" value="mms://msnvideo.wmod.llnwd.net/a392/d1/cmg/e2etrust/LWSD_LONG%20Version_720p_FINAL_700K.wmv" /><embed type="application/x-mplayer2" width="300" height="300" src="mms://msnvideo.wmod.llnwd.net/a392/d1/cmg/e2etrust/LWSD_LONG%20Version_720p_FINAL_700K.wmv" url="mms://msnvideo.wmod.llnwd.net/a392/d1/cmg/e2etrust/LWSD_LONG%20Version_720p_FINAL_700K.wmv"></embed></object></dt>
<dd class="wp-caption-dd"><a href="mms://msnvideo.wmod.llnwd.net/a392/d1/cmg/e2etrust/LWSD_LONG%20Version_720p_FINAL_700K.wmv">Lake Washington School District uses federated identity management system for end-to-end trust</a>.  Source: Microsoft end2end website</dd>
</dl>
</div>
<p>Mr. Cavit echoed several of the discussion points found on the end-to-end website, where <a title="Microsoft End-to-end Trust update" href="http://go.microsoft.com/fwlink/?LinkId=127119" target="_blank">Microsoft further addresses &#8220;Anonymity and User Control&#8221;</a>:</p>
<blockquote><p>First, there is concern about how we protect anonymity (and the values that anonymity supports, such as free speech) in a more highly authenticated Internet. Most have addressed this issue by noting the importance of allowing users to control what they disclose and when, a very important privacy principle (i.e., user control).  One commentator noted, for example, that “I imagine this won’t be perfect for a long time, but the last things I would want to see from these changes are lost privacies, and loss of control. The ultimate control should remain in the end-user’s hands.”  Similarly, another commentator noted that people have the right to “own and control their identity” and “be anonymous while controlling their identity at the same time.” </p></blockquote>
<h3>Auditing</h3>
<p>Another sticking point with privacy advocates lies in auditing.  In a trusted environment, every action must be attributable to someone.  That attribution involves the who, what, when and  where, which flies smack in the face of anonymity.  Mr. Cavit proclaims that much of this information may be anonymized away for privacy protection, but still accessible later for investigations and prosecution.  Challenges exist as there are no industry standard tools, collection processes or data formats.  Lacking common policies, sharing audit information between multiple companies, or even sectors within a company,  also presents liabilities as yet to be determined.  </p>
<div class="mceTemp">
<dl id="attachment_502" class="wp-caption alignnone" style="width: 571px;">
<dt class="wp-caption-dt"><a href="http://www.microsoft.com/end2endtrust"><img class="size-full wp-image-502 " title="Components that facilitate trust" src="http://www.cippguide.org/wp-content/uploads/2009/05/facilitatetrust1.png" alt="Trust isn't something that simply happens.  Without all five components, a trust model isn't trustworthy." width="561" height="391" /></a></dt>
<dd class="wp-caption-dd">Trust isn&#39;t something that simply happens. Without all five components, a trust model isn&#39;t trustworthy.  Source: Microsoft ISSA presentation</dd>
</dl>
</div>
<h3>Risks and Rationale</h3>
<p>Mr. Cavit described the risks associated with the Internet&#8217;s lawlessness.  People are thinking twice about expanding their presence or making further Internet based decisions for fear of reputation problems.  Teenagers are putting personal information on social sites without regard to the persistence of the Internet.  Cavit specifically cited dating and feuds where teens want to highlight <em>their</em> perspective on a situation before someone else posts something slanted negatively.  Botnets continue growing, and spam makes up 90% of the total mail traffic on the web.  The presentation ended with Mr. Cavit&#8217;s &#8216;One Key Question&#8217;:</p>
<blockquote><p>As we become increasingly dependent on the Internet for all our daily activities, can we maintain a globally-connected, anonymous, untraceable Internet and rely on devices that run arbitrary code of unknown provenance?</p></blockquote>
<p>We now know the rationale and strategy behind Microsoft&#8217;s response.  Mr. Cavit admitted that, essentially, some anonymity must be relinquished for higher levels of trust, equating this fact several times to driver&#8217;s licenses, automobile tags and video surveillance in today&#8217;s society.  Cavit said, &#8220;Free speech is not the ultimate objective&#8221; of the End-to-End Trust initiative.  Rather, the objective should be allowing users the ability to balance anonymity with trust, to accept communications from unknown senders with full knowledge of the consequences.  Microsoft hopes to &#8220;[e]nable law enforcement to find more criminals and thus increase deterrence,&#8221; with the &#8220;want to be able to prosecute&#8221; people who act maliciously on the Internet.</p>
<h3>Q&amp;A</h3>
<p>The 46 attendees asked Cavit several questions at the end of the presentation surrounding practicality, implementation, other participants in the trust initiative and the progress surrounding the federated anonymization.  Currently there are 3 different bills in Congress discussing cyber defense and security, and most of the technology already exists and is implemented today.  Identity metasystems already exist on Windows since Card Space shipped with XP sp3, and <a title="Microsoft Geneva provides simplified user access and single sign-on" href="http://msdn.microsoft.com/en-us/security/aa570351.aspx" target="_blank">Geneva</a> provides a back end development interface for single sign on and cloud computing authentication.  As with the federated identification, Cavit points out you want the concept, not a standard.  The biggest hurdle surrounds the in-person proofing from multiple sources and what sorts of reputation go along with those credentials.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/05/12/microsofts-end-to-end-trust-a-review-of-chief-security-strategist-douglas-cavits-vision/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Critical Adobe Acrobat flaw reminds us how far programs and data may infiltrate an enterprise</title>
		<link>http://www.cippguide.org/2009/05/07/critical-adobe-acrobat-flaw-reminds-us-how-far-programs-and-data-may-infiltrate-an-enterprise/</link>
		<comments>http://www.cippguide.org/2009/05/07/critical-adobe-acrobat-flaw-reminds-us-how-far-programs-and-data-may-infiltrate-an-enterprise/#comments</comments>
		<pubDate>Thu, 07 May 2009 17:15:42 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Acrobat]]></category>
		<category><![CDATA[Acrobat Reader]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[Arr1val]]></category>
		<category><![CDATA[buffer overflow]]></category>
		<category><![CDATA[CDS]]></category>
		<category><![CDATA[Cross Domain Solutions]]></category>
		<category><![CDATA[CVE 2009-1492]]></category>
		<category><![CDATA[getAnnotsDoc]]></category>
		<category><![CDATA[National Security Agency]]></category>
		<category><![CDATA[NetTop]]></category>
		<category><![CDATA[nsa]]></category>
		<category><![CDATA[PDF]]></category>
		<category><![CDATA[remote execution]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=482</guid>
		<description><![CDATA[Last week, Adobe confirmed the vulnerability of most of its Acrobat product line, including Reader, Standard and Professional on all operating systems and nearly every released version from 3-9.  The ubiquitous nature of the PDF format, the deployed footprint of Acrobat and the nature of the exploit create a catastrophic set of circumstances.  Looking carefully may reveal related hidden problems lurking in your infrastructure.  These problems are not unique to this specific software, and the lessons learned should carry over to handling of private and mission-critical [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, researchers disclosed Adobe&#8217;s Acrobat vulnerability <a title="Mitre Common Vulnerabilities and Exposures: Adobe Acrobat vulnerability CVE-2009-1492 affects all forms of Reader" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1492" target="_blank">CVE 2009-1492</a>.  Initially thought to be a Reader-only product flaw, yesterday&#8217;s <a title="DHS National Vulnerability Database shows Adobe Acrobat flaw extends much further, affecting Acrobat Reader, Standard and Professional versions 3 - 9 on multiple platforms" href="http://web.nvd.nist.gov/view/vuln/detail;jsessionid=b20f35c7aee41049c2b895ad1565?execution=e1s1" target="_blank">revised DHS Government National Vulnerability Database</a> entry shows the vulnerability extends past Adobe Acrobat Reader to the Standard and Professional versions, on nearly every release (3-9).  Security researcher/hacker <a title="SecurityFocus attributes Adobe Acrobat flaw to security researcher Arr1val" href="http://www.securityfocus.com/bid/34736/info" target="_blank">Arr1val discovered the Adobe flaw</a>.  <a title="Adobe Acrobat potential flaw, allowing arbitrary remote code execution through a buffer overflow" href="http://blogs.adobe.com/psirt/2009/04/potential_adobe_reader_issue.html" target="_blank">Adobe acknowledged the potential flaw April 27th</a> and <a title="Adobe confirms Acrobat vulnerability affects Reader, Standard, and Professional, on multiple OS platforms and across multiple versions" href="http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html" target="_blank">confirmed the problem on the 30th</a>, releasing a <a title="Adobe Acrobat vulnerability service advisory describes Acrobat flaw as critical" href="http://www.adobe.com/support/security/advisories/apsa09-02.html" target="_blank">critical service advisory May 1st</a>.
The NVD technical description of the flaw covers denial of service or, more importantly, remote takeover of the computer:</p>
<blockquote><p>The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.</p></blockquote>
<p>The impact of this flaw is magnified by Acrobat&#8217;s wide deployment.  The Portable Document Format (PDF) associated with Acrobat is nearly ubiquitous, and the Reader version is included with nearly every OS downloadable off the Internet, bought in stores, or pre-loaded on shipping systems.  Plus, it&#8217;s a standard IT deployment on corporate desktops.  This vulnerability touches them all: Windows, Linux, Mac, Solaris and other Unix variants, and, as mentioned earlier, practically every version and release of Acrobat.</p>
<p>This is not the first time Adobe&#8217;s best known product has faced this type of publicity.  A <a title="February 2009 Adobe Acrobat buffer overflow flaw allows remote code execution" href="http://www.adobe.com/support/security/advisories/apsa09-01.html" target="_blank">February 2009 flaw</a>, also designated by Adobe as critical, was finally patched March 18th.  That flaw only affected versions 7, 8, and 9.  Numerous other flaws have been found in the past.<span id="more-482"></span></p>
<p>One big fear?  Not that this will increase the number of &#8220;zombies&#8221;, or computers controlled remotely that form the basis of so-called <a title="Wikipedia: Botnet term generally used to refer to a collection of compromised computers" href="http://en.wikipedia.org/wiki/Botnet" target="_blank">botnets</a>, which will happen, but rather the directed or fully targeted attacks on corporations and their privately held information.  The recently released <a title="2009 Verizon Data Breach Report collects and analyzes statistics for security abuses, privacy issues and hacking across all of Verizon's networks" href="http://www.verizonbusiness.com/products/security/risk/databreach/" target="_blank">2009 Verizon Data Breach Report</a> cites that 72% of attacks are either directed or fully targeted, where attackers select an entity in an effort to compromise machines within the institutional environment.  This could imply further attacks and breaches in the financial sector, such as those perpetrated against <a title="Heartland Payment Systems breach exposes 100 Millions of credit card transaction records" href="http://www.cippguide.org/2009/01/21/hundreds-of-millions-of-private-records-stolen-from-heartland-payment-systems/" target="_blank">Heartland Payment Systems</a>, the medical community, like the recently announced <a title="Hacker holds medical records for ransom of 8 million participants in the  Virginia Prescription Monitoring Program" href="http://wikileaks.org/wiki/Over_8M_Virginian_patient_records_held_to_ransom,_30_Apr_2009" target="_blank">8M+ Virginia Prescription Monitoring Program records currently held for ransom</a>, or even public utilities <a title="Hackers successfully targeted US power grid" href="http://www.cso.com.au/article/36211/cia_says_hackers_pulled_plug_power_grid" target="_blank">such as the US power grid</a>.</p>
<p>Another consideration &#8211; software built on or around Acrobat.  In the security world, the <a title="NSA's NetTop provides a Multi-level Secure, Cross Domain Solution" href="http://www.nsa.gov/research/tech_transfer/fact_sheets/nettop.shtml" target="_blank">National Security Agency created a product called NetTop</a>, meant to allow simultaneous connections to multiple classified networks.  <a title="Wikipedia: Multiple Independent Levels of Security allowed display of multiple classified thin clients on a single display" href="http://en.wikipedia.org/wiki/Multiple_Single-Level" target="_blank">Thin client implementations of this sort of multi-level desktop</a> have existed within government contractors&#8217; repertoires for quite some time, but the NSA&#8217;s NetTop took it one step further.  Information could be processed between the levels, creating something called a <a title="Wikipedia: Cross Domain Solutions allow sharing between classified environments of different levels" href="http://en.wikipedia.org/wiki/Cross_Domain_Solutions" target="_blank">Cross Domain Solution (CDS)</a>.  The <a title="Cross Domain Solution Information Sharing uses Adobe Acrobat in high security or classified environments" href="http://ftp.rta.nato.int/public//PubFullText/RTO/MP/RTO-MP-IST-041/MP-IST-041-16.pdf" target="_blank">processing between the NetTop CDS levels would be handled by separate privileged applications based on COTS products</a>.</p>
<p>One of the products chosen was a seemingly benign, older version of Adobe Acrobat without all the bells and whistles &#8211; albeit probably adjusted and renamed past recognition.  The JavaScript processing vulnerability is probably not even exploitable on the NetTop system because of numerous mitigations, such as the security policies and best-practice installation defaults likely in place.  But without an enterprise traceability matrix documenting how specific requirements are met, many people might overlook such a nested installation of a program within a product and not even put it on the list to be tested.  This is a great example of how widely our security and privacy processing net must be cast, the amount of detail necessary to detect a problem, and how far consequences may reach.</p>
<p>As far as the Acrobat vulnerability goes, Adobe&#8217;s instructions are:</p>
<blockquote><p>To minimize the risk until an update may be found, disable JavaScript following the instructions below:</p></blockquote>
<blockquote>
<ol>
<li>Launch Acrobat or Adobe Reader.</li>
<li>Select Edit&gt;Preferences</li>
<li>Select the JavaScript Category</li>
<li>Uncheck the ‘Enable Acrobat JavaScript’ option</li>
<li>Click OK</li>
</ol>
</blockquote>
<p>A simultaneously announced <a title="SecurityFocus flaw 34740, also discovered by Arr1val, affects smaller group of Adobe Acrobat products" href="http://www.securityfocus.com/bid/34740" target="_blank">similar flaw dealing with JavaScript and the Custom Dictionary</a> appears to affect a much smaller grouping of Adobe Acrobat products.  That flaw has yet to be confirmed by Adobe, but it only affects Acrobat Reader 8.1 and 9, and should be mitigated by the same disabling of JavaScript.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/05/07/critical-adobe-acrobat-flaw-reminds-us-how-far-programs-and-data-may-infiltrate-an-enterprise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
