Active versus Passive RFID Tags

Mark Wahl has written to clarify the difference between the ScanPak RFIDs mentioned in my earlier piece and typical passive tags. He says the ScanPak press release mentions they have a read range of up to 200 meters and that the RF tag is “powered by two parallel lithium coin cells.”

These are active tags: they contain their own power source. In contrast, a passive tag does not contain batteries; it obtains power from the reader, and generally could not be reliably accessed over such a distance. A tag that is intended to be read only from a few, well-defined locations, such as when passing through a doorway, or a tag that is intended to be attached to a low-value consumer item, would likely be a passive tag.

Thanks for the heads-up, Mark. It looks like hackers will have to get up out of the Food Court and head right on in to the stores.

Still, experts are routinely quoted as saying the range of passive RFID devices is being significantly extended by new reader and antenna technology. For example:

But what about a more powerful RFID reader, created by criminals or police who don't mind violating FCC regulations? Eric Blossom, a veteran radio engineer, said it would not be difficult to build a beefier transmitter and a more sensitive receiver that would make the range far greater. “I don't see any problem building a sensitive receiver,” Blossom said. “It's well-known technology, particularly if it's a specialty item where you're willing to spend five times as much.”

You can build quite a transceiver for the price of a Comme des Garcons outfit.

And strangely, the RFID components used by the Brittan School District were the size of a “roll of dimes” – meaning they could easily be active tags.

I Wish All Taxonomies Were This Amusing

Chris Ceppi has picked up and extended an interesting piece by Stefan Brands where he uses a transportation analogy to classify personal digital identity systems such as FOAF and LID as bicycles whereas SAML and Liberty are jet planes. Chris goes on to say:

Under this taxonomy, I see LID as a unicycle – novel, but impractical and limited to people with a very specialized set of skills. As has been dissected in numerous other places (most expertly at Burningbird), LID's dependence on URLs as an identifier misses the mark in a number of ways – like a unicycle, LID is just not a useful way to get around.

SXIP would then be a Cessna – complex enough (with its hosted identities and 3rd party assertions) that you need a pilot's license to use it, but not rigorous enough for a broad set of air travel requirements (e.g. SXIP is not based on standards).

SAML and Liberty as they have currently been implemented might be considered the space shuttles of identity.

I'm not sure I buy this taxonomy – I think several of the systems have a lot to offer – but it is really amusing. And I do buy Chris’ conclusions – we have work to do in getting to a unifying metasystem.

Back to you, William

William Heath of Ideal Government has been thinking and talking with colleagues in the United Kingdom about what we have called the Law of Control:

Technical identity systems MUST only reveal information identifying a user with the user's consent.

He writes:

Kim's laws (as well as Liberty Alliance and the state-of-the-art identity debate) take shape in a crucible of US-based entrepreneurial creativity. This is principally and primarily business and consumer focussed. Just like every other aspect of IT it needs a bit of a stretch and a rethink when we come to apply it to public services.

Imagine we get arrested (for a crime of conscience, eg deliberate trespass on a foreign military base). We don't control the process as our identity details are taken by the police and passed to court to prison to probation services. Yet we may accept collectively that institutions within a democratically elected government have the right to do this to one of us. In this sense “collective consent” (or just “consent”) might be a closer expression of what we mean than “control”. So I'm not entirely comfortable with it being called the law of control.

I'm aware of the inevitable limitations of our perspective, although I confess to having many friends and collaborators in the public service. My limitations make me deeply interested in the perspectives of people like William, so I look forward to reaching a mutual understanding on these issues.

William is discussing the relations between the individual and the institutions of democracy, which operate just as he describes, and owe their endurance to deep collective consent.

I'm not sure what this has to do with the Law of Control, which discusses the relation between the computer user and her technical identity system.

Let's leave the name aside for a moment, and concentrate on the content of the law itself.

Would those in the public services rather have it read, “Technical identity systems MUST only reveal information identifying a user with the user's consent – or that of the state”? And if not this formulation, what would they like to see expressed?

I think one way to look at it is to say that the individual controls her identity system – even if under certain circumstances the state may control the individual.

But I am open to the idea that there is more to it than this, and am waiting to hear what William has in mind.

"Far Out"… of Compliance


Jamie Lewis has caught a good one here:

According to this story on SFGate.com, the Brittan School District — a small district in California — in January began requiring all students to wear RFID-enabled badges that monitor their whereabouts on campus. The district has 587 kindergarten through eighth-graders who now have the privilege of being “the first public school kids in the country to be tracked on campus by such a system.” The story says the system “is designed to ease attendance taking and increase campus security.” The school district did this without involving the parents, many of whom are now raising a ruckus. How many ways does this system violate Kim's laws of identity?

It's strange – I was just catching up on RFID progress myself… But this is a really nutso development. Do you think one day products will need to carry a tag that says ‘Compliant with the laws of identity’? That would sure cut down on embarrassing public pronouncements.

Of course, we know that the reaction of the outraged parents was totally predictable through the first law of identity (which states that people will tend to reject identity systems which do not obtain consent about the release of identity information). There has so far been no explicit reaction to the improper use of omnidirectional identifiers (an equal or worse offense in Identity Court), but that seems to be because criminals have just begun to take advantage of the technology. Those of us who think about this know it is only a matter of time before we witness some very bad outcomes.

“It's baffling why so many people are bothered by the district being able to tell them where their kids are at,” said Tim Crabtree, a high school teacher who said he hoped the technology would come to his classroom.

I like the word ‘baffling’ as used here.

Seven classrooms were equipped with the readers, as were two bathrooms. The bathroom readers were never turned on, according to school and company officials, and were removed Wednesday by InCom because of objections by parents.

Yes, bathrooms are very important. Of course administrators often fit them with sensors and never turn them on.

InCom has also disabled its system and deleted data it has collected to date. Readers have been turned off until the board reaches a decision next week.

I can hardly wait to see what the outcome will be. The RF readers have been turned off – but not the tracking badges themselves, which I assume continue to emit omnidirectional “public” identifiers when queried.

Developers of the system say parents concerned over privacy violations don't understand the short range of radio frequency identification devices.

“The tags physically can't be read from a long distance,” said Doug Ahlers, an InCom partner.

I wonder what distance the developers are quoting. It wouldn't be 15 feet by any chance, would it? Seems like not many people follow radio technology and advanced antenna design these days.

I would like to brainstorm with the InCom partners about what could be done to bring their system into compliance with the laws of identity. If anyone knows them, why not introduce us?

More on the Law of Contexts

Bill Barnes suggested it might be possible to simplify the 7th law to this:

The unifying identity metasystem must make it easy for humans to make fully informed identity choices in the course of interacting with relying parties.

I see this as an important practical corollary of the law. But the law implies more.

  • First, we need a system in which different identities (and kinds of identities) are reified (represented as “things”) in a consistent way, so the user can easily conceptualize and enumerate different identities, and select the right one for a given context. So from the point of view of the user the identities need to represent a harmonious set.
  • Second, the relying party should be able to switch between different kinds of identities as needed with no technical or programming overhead, even if the identities are based on completely different technical systems and tokens – so from the point of view of the relying party, the identities again constitute a harmonious set.

Thus we say:

The unifying identity metasystem MUST facilitate negotiation between a relying party and user of a specific identity – presenting a harmonious human and technical interface while permitting the autonomy of identity in different contexts.

Shoplifting and… chaos attacks

Today's RFID tags include a fixed (read-only) omnidirectional identifier plus some rewritable memory. As explained in our discussion of the fourth law, the omnidirectional identifier means any party can obtain the identifier and collaborate with other parties about it. This means it is suitable for identifying public entities. Industry spokesmen have said the range of the tags is a maximum of 15 feet.

Tags are smaller than a nickel (basically the size of a drop of crazy-glue) and cost less too. They are already being added to packaging by retailers to keep track of inventory. But recently FutureSalon sent me to a piece by news.com's Robert Lemos about a security expert demonstrating how easily the tags “could be abused by hackers and tech-savvy shoplifters”. The expert, Lukas Grunwald, also said:

“While the technology mostly threatens consumer privacy, it could allow thieves to fool merchants by changing the identity of goods… This is a huge risk for companies. It opens a whole new area for shoplifting as well as chaos attacks...”

When RFID technology was evolving, expensive RFID reader hardware and hard-to-use software hindered security research. But in July, Mr. Grunwald announced a software tool called RFDump that can be used to read and reprogram radio tags. The software is available here.

Writer Robert Lemos pointed out:

“When such tools become widely available, hackers and those with less pure motives could use a handheld device and the software to mark expensive goods as cheaper items and walk out through self checkout. Underage hackers could attempt to bypass age restrictions on alcoholic drinks and adult movies, and pranksters could create confusion by randomly swapping tags, requiring that a store do manual inventory.”

It seems to me that users of RFID can get around some of these problems just by signing the writable data – implying the need to store a little extra data on the chip. This isn't hard since the signatures don't need to be calculated or understood by the tags or readers – only by the application software using the information. Further, the size penalty in bytes depends on how hard you want to make it to crack the signature. You don't need a scheme that costs a billion dollars to crack when protecting the RFID tag on a one dollar razor blade. You just need a scheme that costs at least a dollar per crack. And that isn't very many extra bytes.

Even the chaos attacks can be countered by storing data about the objects in a database where RFID fixed identifiers serve as lookup keys, rather than in writable memory on the tag. And finally, one summer's day when Moore's law has had more time to beautify the planet, RFIDs will be able to support unidirectional identifiers – they will just become invisible to the unauthorized.
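As an added example (not code from this post, nor from any RFID vendor or tool), here is how the application software could bind a signature to the writable data, as the two paragraphs above suggest, and alternatively treat the fixed identifier as nothing more than a database key. It uses HMAC under a key held only by the application as a stand-in for the signature; the key, tag identifiers, SKU codes and prices are constructed sample values.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed sample values. The key lives only in the store's application software,
# never on tags or readers; HMAC-SHA256 stands in for the signature the post describes.
APP_KEY = b"store-application-key-example"
MAC_LEN = 4          # bytes of MAC kept on the tag; see verify_memory()
RECORD = ">4sI"      # tag record: 4-byte SKU code, 4-byte price in cents
RECORD_LEN = struct.calcsize(RECORD)

@dataclass
class Tag:
    fixed_id: bytes  # read-only omnidirectional identifier (e.g. a 96-bit EPC)
    memory: bytes    # rewritable user memory, writable by anyone with a reader

def encode_payload(sku: str, price_cents: int) -> bytes:
    return struct.pack(RECORD, sku.encode("ascii"), price_cents)

def sign_memory(key: bytes, fixed_id: bytes, payload: bytes) -> bytes:
    # The MAC covers the fixed id too, so a valid record copied from a cheap
    # item's tag onto an expensive item's tag will not verify there.
    mac = hmac.new(key, fixed_id + payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload + mac

def verify_memory(key: bytes, tag: Tag):
    # Returns the payload if its MAC checks, else None. A 4-byte MAC leaves a forger
    # without the key a 2**-32 chance per checkout attempt; truncation does not
    # weaken the key, so a few bytes buy far more than 'a dollar per crack'.
    if len(tag.memory) < RECORD_LEN + MAC_LEN:
        return None
    payload, mac = tag.memory[:-MAC_LEN], tag.memory[-MAC_LEN:]
    expected = hmac.new(key, tag.fixed_id + payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload if hmac.compare_digest(mac, expected) else None

def price_trusting_tag(tag: Tag) -> int:
    # Insecure baseline: believe whatever price is written in tag memory.
    return struct.unpack(RECORD, tag.memory[:RECORD_LEN])[1]

def price_from_signed_tag(key: bytes, tag: Tag):
    # Hardened checkout: use the on-tag price only if the MAC verifies.
    payload = verify_memory(key, tag)
    return None if payload is None else struct.unpack(RECORD, payload[:RECORD_LEN])[1]

def price_from_database(tag: Tag, catalog: dict):
    # The post's other remedy: the fixed id is only a lookup key and writable
    # memory is ignored, so rewriting or swapping tag data changes nothing.
    return catalog.get(tag.fixed_id)

def demo() -> dict:
    razor_id = bytes.fromhex("30340000000000000000a0b1")  # constructed EPC-like ids
    coat_id = bytes.fromhex("30340000000000000000c0d1")
    catalog = {razor_id: 100, coat_id: 89900}              # prices in cents
    razor = Tag(razor_id, sign_memory(APP_KEY, razor_id, encode_payload("RZR1", 100)))
    coat = Tag(coat_id, sign_memory(APP_KEY, coat_id, encode_payload("CDG1", 89900)))
    # Simulated tampering: a rewritten price field, and the razor's whole record
    # copied onto the coat's tag (the swap/chaos case).
    tampered = Tag(coat_id, encode_payload("CDG1", 5) + coat.memory[RECORD_LEN:])
    swapped = Tag(coat_id, razor.memory)
    return {
        "naive_tampered": price_trusting_tag(tampered),               # 5
        "signed_tampered": price_from_signed_tag(APP_KEY, tampered),  # None
        "signed_swapped": price_from_signed_tag(APP_KEY, swapped),    # None
        "signed_honest": price_from_signed_tag(APP_KEY, coat),        # 89900
        "db_tampered": price_from_database(tampered, catalog),        # 89900
    }
```

Neither the tag nor the reader computes anything here; only the checkout application holds the key, which is the point the post makes about where the cost of the scheme lands.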

Meanwhile, I was looking for the reader supported by RFDump and came across another related product. Guess what? Kiss the 15 foot range concept goodbye:

“Scanpak's RFID Kit contains a new wave of readers and tags developed using active technology. The readers, with a reading range of up to 200 meters, are the most advanced of their kind in the market today. The tags are available with an additional sensor output (light, pressure, temperature, weight). For more info, click here.”

Gee, does that mean a hacker can reprogram an entire shopping center from her seat in the Food Court? How will even the strongest of us ward off the temptation to “bring about” a 100% reduction in outfits by Comme des Garcons?

How do RFIDs relate to the laws?

Clearly the owner of an item has the right to deem it to be “public” – and to track it with an omnidirectional identifier. The question people are asking is, “What happens when it is sold?” Everyone agrees that the new owner acquires the right to control the identifier. The point in public debate is whether it is incumbent on a retail seller to disable such identifiers at check-out time.

Applying our laws, when an RF tag comes into the possession of an individual user, it becomes an identifier for that user, and thus must not be released without the user's explicit consent (the first law of identity). That means it needs to be disabled unless the user explicitly approves its continued use. Further, the fourth law implies the user must be made aware this kind of identifier can be detected by any interested party within… 200 meters.

A Global RFID Identity Infrastructure

For those, like me, who only check in on RFID from time to time, some relatively new documents are available at EPCglobal Inc., which has now replaced the Auto-ID Center. EPCglobal is responsible for the Global Data Synchronization Network and the EPCglobal Network. The former is a kind of UDDI for classes of things that get RFIDs slapped onto them. The latter is a world-wide object tracking network of practically unlimited scale:

The EPCglobal Network is the method for using RFID technology in the global supply chain by using inexpensive RFID tags and readers to pass EPCs, and then leveraging the Internet to access large amounts of associated information that can be shared among authorized users. To capture data, EPC tags carrying unique EPCs are affixed to containers, pallets, cases and/or individual units. Then, strategically placed EPC readers at gateways throughout the supply chain will read each tag as it passes and communicate the EPC and the time, date and location of the read to the network. EPC Middleware will control and integrate the EPC tags, readers and local infrastructure at the individual site.

Once the information is captured as described above, the EPCglobal Network then utilizes Internet technology to create a network for sharing that information among authorized trading partners in the global supply chain. Similar to Internet technology, the Object Naming Service (ONS) within the Discovery Services serves as White Pages that convert the EPC to a URL, which is then used to point local computers to where information associated with that EPC can be found. From there, actual access to data in the EPCglobal Network is managed at the local level by the EPC Information Services (EPC IS) where the company itself designates which trading partners have access to its information. The result will be a network of information that provides a history of individual product movement in real time.

*NOTE: Most EPC tags will pass only the EPC number to the reader. However, the potential value of more complicated tags with additional functionality justifies their increased cost in certain industries. For example, the food industry may want to add temperature tracking by adding a temperature sensor on tags. If a temperature sensor was added, the current temperature could also be passed to the reader when the tag was read.

In other words, we are looking at an identity system for objects which itself requires an identity system for the domains which have owned, or now own, the objects. This latter system (and probably the former) should integrate with the unifying identity system being discussed in this blog.

Gee. Do we still have some work to do or what?

The Seventh Law of Identity — Overnamed

I'm happy to go with Craig and P.T. about the name of the seventh law. After all, who can argue with this posting from Craig Burton:

Kim put forth the seventh — and final — law of identity Sunday:

The Law of Harmonious Contextual Autonomy

Kim, my man, the length and complexity of this name is too much. I want to be able to remember the laws easily and to use them as needed. The name you chose makes this objective impossible. I know you are dealing with complicated issues here, but please consider taking another cut at it. How about just “The Law of Contexts”? Something shorter and easier to remember, please.

Why was I trying to cram so much into the title? I don't know. I was running out of laws. It was a terrible feeling. What could I do?

Anyway, I squeezed too hard. And now I will make amends. I'm so glad we have a blog here and we can do all of this in real time. It is a great way to work.

So let's go with your much simpler and superior title for the Seventh Law:

The Law of Contexts:

The unifying identity metasystem MUST facilitate negotiation between a relying party and user of a specific identity – presenting a harmonious human and technical interface while permitting the autonomy of identity in different contexts.

I think it's a take.

How Hot is Cool?

Bill Barnes, who is the UI guru in new ways to “reify” identity here in the Identity and Access group at Microsoft, sent me this sobering thought about Craig's “sunspot-hot” comment:

I thought sunspots were actually cool spots on the sun

But of course, everything is relative:

Fisher says sunspots are still quite hot: “Instead of being about 5800 degrees Kelvin like the rest of the photosphere, the temperature of a sunspot is more like 4000 degrees Kelvin. But that is still very hot, compared to anything here on earth.”

Of course the Fifth Law transcends the earth.

Anyway, I'll get to this one day, but Bill is a very funny cartoonist as well, and is creator of a strip called “Unshelved”. He has a great sense of what identity is. And a certain firmness of approach:

P. T. Ong exhausted by 7th Law

P. T. Ong's reaction to the Seventh Law:

One quick first reaction to Kim Cameron's recently posted Seventh “Law” of Identity — it's too long.

7. Harmonious Contextual Autonomy: The unifying identity metasystem MUST facilitate negotiation between relying party and user of the specific identity and its associated encoding such that the unifying system presents a harmonious technical and human interface while permitting the autonomy of identity in different contexts.

Kim: You need to cut the number of words in half. It's a 41 word sentence!

Do you need to open the window, as Jamie said?

This might seem a frivolous reaction, but it is my experience that fundamental stuff can be expressed simply. If it is difficult to express simply, then it is probably not fundamental … and thus, shouldn't be a “law” or a principle. It should be broken down to its component ideas.

I read #7 several times, and I still am having problems trying to understand it. I suspect the problem is not with the language but with the complexity of the idea.

You are totally right. I need to simplify this. Craig Burton has made the same point. I'm squeezing too hard.

As I said when writing the seventh law, the totalizing effect of the other six is that “the head explodes”. But we should be shielding the reader from this.

Pharming as well as Phishing

In presenting the Sixth Law I talked about new emerging identity attacks that are like phishing but don't require the user to respond to an email. Now eWeek tells us that Scott Chasin, CTO at MX Logic, has started calling these attacks “pharming.” Great word.

Chasin expects this first-generation phishing to move toward pharming, which involves Trojans, worms, or other technology that attack the browser address bar. Thus, when users type in a “valid” URL they are redirected to the criminals’ Web sites.

Another way to accomplish the same thing is to attack the DNS system rather than individual machines. Do this and conceivably everyone who enters what seems like a valid URL—the one that worked properly moments before—will instead be taken to the scammer's site.

Scott sent writer David Coursey a list of pharming-like attacks that have already taken place.

These include an incident last November, when Google and Amazon users were sent to “Med Network,” an online pharmacy. The Troj Banker A/j worm, seen last November and December, watched for users to visit specific banking sites and then grabbed the personal information entered there for use by the criminal pharmers.

Depending on how you look at it, a less-criminal incident involved the March 2003 hijacking of the Al-Jazeera site by the “Freedom Cyber Force Militia” using DNS poisoning. The message viewers received: “God bless our troops.”

In talking about the inevitability of this type of attack, I have said:

Of course our usual immediate reaction to this type of problem is to find the most expedient single thing we can do to fix it. In the example just given, the response might be to write a new “safe address bar”. And who am I to criticise this, except that in the end, the proliferation of address bars makes things worse. By inventing one, we have unintentionally made possible the new exploit of getting people to install an address bar with evil intent built right into it. Further, who now can tell which address bar is evil and which one is not?

So we shouldn't be surprised that David's article concludes:

There are remedies for the pharming problem. A simple solution that works in some cases is a browser plug-in from Netcraft that displays information about the site being visited, such as its geographic location. If you notice that your mortgage company's site is being served from somewhere in the former Soviet Union, you can safely assume the worst.

But for those following the conversation here, who are attempting to understand how identity can work predictably across the entire internet, it is clear that threats like pharming and phishing must fundamentally shape the contours of the system, as expressed in the sixth and seventh laws of identity.