RFID in Libraries


EFF continues opposition to RFID

Filed under: — Laura @ 11:11 am

The Electronic Frontier Foundation has updated its RFID information page providing links to recent developments in the library world and a report on the RFID panel at CLA.

Heads up to those of you in the vicinity of Berkeley, CA: The EFF is encouraging attendance at the Berkeley City Council meeting today and the Board of Library Trustees tomorrow so that community members may demand an investigation of a proposed restructuring plan and the budgetary implications of the RFID purchase. They provide a link to a flyer created by Berkeleyans Organizing for Library Defense.

BOLD’s flyer is fairly extreme. In its unnuanced view of the implications of RFID it implies that RFID self-check machines will result in longer lines. It also ties the staff layoffs to the purchase of the technology – which has not been documented in any report I’ve seen. It’s entirely possible that the layoffs would have occurred anyway given California’s current fiscal environment.
The language it uses (ex. “Director Griffen is sinking her talons into your civil liberties") is inflammatory. Jackie Griffen has a stellar reputation for upholding civil liberties in her work with the Intellectual Freedom Committee of the California Library Association.

I’m thinking some public education programs and discussion forums will be in Berkeley PL’s future.


Chip security

Filed under: — Laura @ 11:57 am

Computerworld has a great article about Securing RFID information.

Our old friend RFDump is mentioned, as well as the security vulnerabilities hotlisting and racing. It’s good to note that the vulnerabilities were inherent in the standards and that RFDump was not a “hack” per se. The article discusses how next gen UHF chips have some protection designed-in. Racing is avoided via “masking.” Bear in mind that masking does not equal encryption. It only hides the data. If that data is found, it’s still readable.


ALA IFRT Resolutions

Filed under: — Laura @ 10:18 am

Happy 2005!

There are some new developments at the American Library Association regarding RFID and privacy best practices.

The ALA Intellectual Freedom Committee (IFC) is submitting resolutions (to ALA Council?) at the upcoming mid-winter meeting. They will ratify the best practices that they created with the BISG (for background see prior entries on the topic from 7/2/2004 and 10/19/2004) and they will give the IFC Privacy subcommittee and the Office for Intellectual Freedom the mandate to continue developing best practices.

Here’s the text of the proposed resolution:


WHEREAS, Radio Frequency Identification (RFID) is a technology that uses various electronic devices, such as microchip tags, tag readers, computer servers, and software, to automate library transactions; and

WHEREAS, the use of RFID technology promises to improve library operations by increasing the efficiency of library transactions, reducing workplace injuries, and improving services to library users; and

WHEREAS, many libraries are adopting or in the process of adopting RFID technology to automate library circulation, inventory management, and security control; and

WHEREAS, consumers, consumer groups, librarians, and library users have raised concerns about the misuse of RFID technology to collect information on library users’ reading habits without their consent or knowledge; and

WHEREAS, protecting user privacy and confidentiality has long been an integral part of the mission of libraries; and

WHEREAS, Privacy: An Interpretation of the Library Bill of Rights states that “The American Library Association affirms that rights of privacy are necessary for intellectual freedom and are fundamental to the ethics and practice of librarianship,” and calls upon librarians “to maintain an environment respectful and protective of the privacy of all users"; and

WHEREAS, the ALA Intellectual Freedom Committee’s Privacy Subcommittee recognizes the importance of developing policies and guidelines for appropriate implementation of RFID technology in light of the profession’s commitment to preserving user privacy and its concern for preserving the trust of library users; and

WHEREAS, the ALA Intellectual Freedom Committee and the ALA Office for Information Technology Policy, recognizing the immediate need to draft privacy principles to protect and promote ALA’s values, joined with the Book Industry Study Group (BISG) to form a working group dedicated to developing a set of privacy principles to govern the use of RFID technology by all organizations and industries related to the creation, publication, distribution, and retail sale of books and their use in libraries; and

WHEREAS, the RFID working group agreed to affirm its respect for established privacy norms within and across the business, government, educational, and nonprofit spectrum, specifically acknowledging two essential privacy norms:

Data transferred among trading partners related to customer and/or patron transactions shall be used solely for related business practices and no unauthorized transaction shall be permitted.

Data related to customer and/or patron transactions shall not compromise standard confidentiality agreements among trading partners or information users; and

WHEREAS, the following RFID privacy principles were subsequently agreed to by the RFID working group:

All businesses, organizations, libraries, educational institutions and non-profits that buy, sell, loan, or otherwise make available books and other content to the public utilizing RFID technologies shall:
1) Implement and enforce an up-to-date organizational privacy policy that gives notice and full disclosure as to the use, terms of use, and any change in the terms of use for data collected via new technologies and processes, including RFID.
2) Ensure that no personal information is recorded on RFID tags which, however, may contain a variety of transactional data.
3) Protect data by reasonable security safeguards against interpretation by any unauthorized third party.
4) Comply with relevant federal, state, and local laws as well as industry best practices and policies.
5) Ensure that the four principles outlined above must be verifiable by an independent audit.

Now, therefore, let it be RESOLVED, that the ALA adopt the RFID privacy principles developed by the IFC and OITP with the BISG to address concerns about the potential misuse of RFID technology in the library to collect information on library users’ reading habits without their consent or knowledge;

and be it further RESOLVED, that the ALA Intellectual Freedom Committee’s Privacy Subcommittee and the ALA Office of Information Technology Policy be directed to continue to develop implementation standards for the use of RFID technologies in the library.

Draft 01/05/05
Submitted by the Intellectual Freedom Committee


ACLU on passports

Filed under: — Laura @ 9:21 am

I don’t often report on non-library related RFID happenings but this one struck a chord with me. The U.S. government is planning RFID & biometric passports and the ACLU is, naturally, protesting.

It makes me consider the oft cited example of people-tracking within Library RFID – that of the unsuspecting person carrying the Qur’an getting nabbed at the airport because the book’s RFID tag has been hotlisted. The notion of a library book as security risk pales in comparison with the RFID passport.

For the record, I am neither pro nor con on RFID. I try to use this forum to look at the technology from all perspectives. My point with the ACLU link is to provide a wider context. Those folks who protest RFID tags in libraries need to protest RFID tags everywhere (and I’m sure they do). Library tags are merely a drop in the privacy threat bucket.


CLA Report

Filed under: — Laura @ 1:08 pm

Just in case you were wondering why I didn’t report on the vendor panel at the California Library Association conference – I was waiting for Lori Bowen Ayre to do it. She has. And she’s done it well.

Her summary pretty much says what I would have.


Track consumer awareness of RFID

Filed under: — Laura @ 4:51 pm

BIGresearch and Artafact LLC have a syndicated report which looks at consumer awareness of RFID. They did an initial survey of 8000 people in 09/2004 and will be doing another report in 12/2004. According to them, most people still haven’t even heard of RFID. The press release says that most RFID aware adults get their information from the Internet and nearly two-thirds of them are concerned about the potential for privacy abuse and no source was recognized by them as a resource for good information. Government sources are not deemed trustworthy.

The RFID industry is keeping track of attitudes regarding privacy. What isn’t clear is whether or not they view privacy issues as a technological or communication issue. I predict that spin will come before secure chips.

SFPL saga continues

Filed under: — Laura @ 4:27 pm

San Francisco Public Library’s quest to install RFID is once again in the news. Local radio reports that the $300,000 plan to pilot RFID is currently on hold. The SF Board of Supervisors will revisit the issue in January.

All of the familiar players are quoted. Expect another contentious board meeting in the near future.


IT org urges RFID industry to step up education efforts

Filed under: — Laura @ 9:22 am

The Progressive Policy Institute, an educational institute which promotes accelerated economic growth and challenging special interests, has issued a report calling RFID privacy concerns “at best premature and at worst hypothetical and impractical.”

Their policy document, Radio Frequency Identification: Little Devices Making Big Waves, disses legislative oversight. Instead they would prefer that the industry self-regulate and step up efforts to educate consumers.

More articles & BISG/ALA best practices

Filed under: — Laura @ 9:05 am

CNET weighs in on library RFID. It’s mostly the same old, same old. Of note: they mention the BISG and ALA RFID best practices, saying they have been released. I hadn’t yet seen this anywhere, although I did mention it in my 7/2/2004 post with a promise to scan and post my print copy. I didn’t do it. I’m horrible. A thousand lashes with a wet noodle for me.

I did a bit of poking around on the BISG site and found a completed draft had been posted. On August 18. I wonder why ALA hasn’t made any big noises about it. It may have been announced on their Intellectual Freedom email list, but I’m not a subscriber (soon to be rectified, you can be assured dear reader). It hasn’t been mentioned on the Office of Intellectual Freedom’s RFID page nor has it garnered a link on the ALA RFID Fact Sheet. Perhaps we’ll hear something when the guidelines are ratified.

The other noteworthy part of the CNET article is the goals attributed to Vinod Chachra of VTLS:

The real shakeup could come many years from now, when RFID completely transforms the way libraries operate, if you buy into Chachra’s grand plan. He envisions a day when libraries completely do away with the time-tested Dewey Decimal classification system, opting instead for a sort of organized chaos governed by the vigilant and unblinking eye of RFID.

Never going to happen. Somebody please explain the principles of serendipity and collocation to this man!


More on the Sept. SF protest

Filed under: — Laura @ 9:12 am

Another article on the 9/19 protest held outside of the San Francisco public library. It provides more detail on what the city could do with the $300,000 it’s holding for the library’s RFID project while the library prepares its analysis. Once again, it’s not much news. It does provide a bit more perspective on the public relations issues that face SFPL.


FTC responds to Nelson

Filed under: — Laura @ 7:33 am

RFID Journal reports that the Federal Trade Commission responded to queries by Democratic Senator Bill Nelson (Fla.). Their jurisdiction is limited to unfair or deceptive commercial practices – in other words, they will intervene if a company abuses personal information gathered from RFID. Nelson had asked what steps the FTC is taking to regulate RFID and Deborah Majoras, FTC chair, pointed to last June’s workshop.

The commission will be releasing a report based on the workshop that will have some guidelines.


Sen. Nelson’s FTC/FCC letters

Filed under: — Laura @ 3:27 pm

I found my copies of the letters U.S. Senator Bill Nelson sent to the FTC and FCC and posted them.


Senator queries FTC and FCC on RFID

Filed under: — Laura @ 11:26 am

I meant to post this in August when I first heard about it. RFID Journal scooped me in reporting that U.S. Senator Bill Nelson (D-Fla.) has gone to the Federal Trade Commission (FTC) with a list of questions about RFID. Somebody also informed me that he sent a similar list of questions to the FCC, but I seem to have misplaced my notes on that.

Nelson wants to know what jurisdiction these two organizations have over regulating RFID and what they have done to stop abuses such as the Wal-Mart Gillette razor incident.

Another Senator calls for Fed regulation

Filed under: — Laura @ 8:55 am

Sonia Arrison writes a commentary for TechNewsWorld in which she discusses Senator Byron Dorgan’s (D-North Dakota) call for the federal government to get involved with RFID development.

Arrison comes out against legislating the technology since “there is no current harm taking place as a result of RFID.”

I don’t think this is a very strong argument. Do you wait for a burglary before you lock your house up? Trust in Allah, but tie up your camel. I think industry proponents should be proactive in developing best practices if they don’t want legislators to intervene. The privacy issue is a political issue and politicians will make hay from it as protests like San Francisco’s continue.

I don’t know whether there should be intervention or not, but I’d like to see more developed arguments on both sides of the issue.

More protests in SF

Filed under: — Laura @ 8:21 am

The San Francisco Examiner reports that SF public library was the site of a protest over RFID last Sunday.


Dutch book supplier goes all RFID

Filed under: — Laura @ 10:12 am

From Dow Jones Newswire:

UPM and NBD Use RFID to Track Books
Finnish forestry company UPM-Kymmene Oyj announced Dutch book supplier NBD Biblion will apply radio frequency identification (RFID) tags to all new books. The use of RFID will allow the companies to automatically track books in libraries. Under the deal, UPM will provide 50% of the tags, with more than one million RFID tags delivered already. [thanks Beth @ privacyrights.org]

More information [thanks Lori]

This is definitely a trend to watch. Some North American book jobbers are also including RFID tags in books, although only by library request. Examples which come to mind are: Blackwells, Baker & Taylor.


Position paper on RFID

Filed under: — Laura @ 3:10 pm

Lori Ayre has made her draft chapter for a book on wireless privacy available. Go Lori!

Thanks to Mary Minow for the heads-up. BTW, Mary has posted a draft of RFID info for California Association of Library Trustees and Commissioners. Notable for the links to privacy specific information.


Anita says it well

Filed under: — Laura @ 9:14 am

Anita has a good post over at the RFID Weblog rebutting some of the common points that RFID proponents give regarding privacy issues. These are points I’ve discussed on this blog, but I’m glad to see that even a booster of RFID like Anita can see the validity of addressing the security problems with the technology.


Chronicle gets wind of library RFID debate

Filed under: — Laura @ 10:54 am

I’m a bit sad that I was away and missed Scott Carlson’s call while he was writing this article for the Chronicle of Higher Education. He did leave a nice voice mail, however. Thanks Scott for thinking of this blog.

The best feature of this piece is the hard figures attached to ROI. Carlson writes:

The University of Nevada libraries found more than 500 lost items after officials tagged 600,000 items in its collection – which saved the library $40,000 in replacement costs. The library does inventories more frequently now. At the University of Connecticut, RFID tags have allowed the library to set up self-checkout stations. That has freed up staff members, whose salaries total about $120,000, for other tasks around the library.

Now I’m not entirely certain that staff salaries can be considered ROI. Unless staff was laid off you would have to pay those salaries anyway. The benefit here is not one of savings but opportunity-cost. By reassigning staff you have more opportunity to serve users. A study of user satisfaction or tracking of reference transactions might provide some quantification of the benefits. I’m not saying that the freeing up of staff isn’t a benefit. Surely it is. I only question where the ROI is being applied. Connecticut and UNLV are on the right track with their examination of benefits. I hope we see more publications from these institutions regarding it.

RF-DUMP validates Molnar & Wagner

Filed under: — Laura @ 9:59 am

I know this is old news to most of you. It’s still worthy of a bit of discussion, however. While I was away on vacation there was an interesting little conference, the Black Hat Security Briefings, in Las Vegas. Lukas Grunwald, chief technology officer of DN-Systems Enterprise Internet Solutions, demonstrated the beta version of RF-DUMP.

RF-DUMP, in case you haven’t yet heard about it, is software which enables your laptop or PDA to read or write to most standard RFID tags. This makes the malicious rewrites predicted in David Molnar & David Wagner’s paper on library RFID security possible.

Speaking of that paper, David Molnar tells me it’s been accepted for publication in the proceedings of the 2004 ACM Computer and Communications Security conference.

I was going to give you a round-up of the various articles that appeared on RF-DUMP during my absence, but Grunwald already did a nice one on the RF-DUMP web site.

Besides validating Molnar & Wagner’s forecast, the release of RF-DUMP also lends credence to the arguments of various privacy advocates. The EFF and ACLU and various others have rebutted claims that RFID privacy concerns are overblown. Proponents argue that read ranges are too short, that library tags work on a different frequency than commercial tags, the solutions offered by different vendors aren’t interoperable, and that hardware to read/write is too expensive for the average hacker to procure.

RF-DUMP supports ISO 15693 tags. The beta version is a free download. It claims to read many types of tags. Perhaps that sci-fi future that RFID proponents poo-poohed is closer at hand than they thought. The release of RF-DUMP indicates that there are indeed folks out there interested in “breaking” the security of the system. Fortunately these folks are affiliated with research (Molnar/Wagner are at UC Berkeley) and commercial interests, rather than malicious/criminal interests.

The only library vendor that I currently see taking measures to reduce privacy threats is Library Automation Technologies. Other vendors, please correct me if I am wrong. Library Automation Technologies has the encryption technology and they will be licensing this to other vendors. Does any vendor have plans to license??


House Sub-committee hearing round-up

Filed under: — Laura @ 5:34 pm

On July 14 the U.S. House Committee on Energy and Commerce Sub-committee on Commerce, Trade, and Consumer Protection (what a mouthful!) held a hearing, “Radio Frequency Identification (RFID) Technology: What the Future Holds for Commerce, Security and the Consumer.”

Transcripts and prepared testimonies should be available within a month or so. I’ve made links to articles reporting on the hearing in the extended post. Those on both sides of the issue trot out the same arguments we’ve already heard. One thing worth considering, however, is the notion of general privacy legislation covering all types of technologies. The Center for Democracy and Technology advocates such an approach.

Nokia releases cell phone RFID reader

Filed under: — Laura @ 5:06 pm

Remember that tidbit I wrote about Nokia developing a RFID-enabled mobile phone? The first product has been released. The Guardian reports that you can now use a cover for the Nokia 5140 phone which contains a tag reader.

The reader works on the 13.56MHz frequency – hey! that’s the one used by library applications. A cell phone reader would be cheaper than ones currently offered by the library automation vendors. The code for the phone reader is written in Java so developers can create their own applications. I wonder how long it will take an enterprising vendor to create a library app? (or for unauthorized access by patrons wielding cell phone tag readers)

Australian guidelines

Filed under: — Laura @ 4:28 pm

A coalition of retailers, the national UPC code administrators, and the Australian Privacy Commissioner are collaborating on a RFID code of practice. [Computerworld Australia]

Too bad the article doesn’t indicate to what exactly this code of practice pertains. The piece reads as if the retailers and UPC folks are only interested in collaborating on standards. At least they are working with the privacy folks.

Compare and contrast with how North American commercial interests have lobbied against legislative restrictions on RFID use. A code of practice is, by nature, self-policing, but it’s at least an acknowledgment of the issue.


SFPL moves ahead with RFID

Filed under: — Laura @ 9:19 am

A contact at the San Francisco Public Library brought me up to date about last Friday’s County Board of Supervisors’ Budget Committee meeting. The library has the ok to continue pursuing RFID. The committee put SFPL’s $300,000 budget request on reserve for six months. While it is in escrow, the library is expected to work with outside organizations to develop a Request For Proposal which addresses all of the concerns.

There will be an official press release today.

More on defeat of CA Bill

Filed under: — Laura @ 8:47 am

RFID Journal reports on the 6/25 defeat of California Senate Bill 1834 in the assembly committee on Business and Professions. According to the report, Senator Bowen does plan to continue working on RFID legislation, but there is no indication that she will reintroduce this particular bill. Opponents to the bill thought the timing was inappropriate – essentially that we should wait for abuses to occur before regulating use.


SF Examiner Predicts “No” Vote for RFID

Filed under: — Laura @ 3:15 pm

The SF Examiner says SF county supervisor Jake McGoldrick predicted a “no” vote on the proposal once the library’s budget is finalized, and Supervisor Chris Daly’s opposition has already been noted by those who advocate using the chip.

There are only 3 supervisors on the committee. If 2/3 are opposed… well… stay tuned.

ALA Round-up

Filed under: — Laura @ 2:17 pm

I’ve finally got my thoughts about ALA organized – and I have many. I’ll put them into the extended post to help those of you who prefer shorter summaries in your aggregator. ALA was a whirlwind of information regarding RFID. It includes: new privacy guidelines from affiliated organizations, the debut of encryption solutions, best implementation practices, and a few vendor pronouncements.

Links featured in this post:
My notes on the Tips & Trends session


SFPL New Privacy Policy

Filed under: — Laura @ 12:54 pm

I’m still editing my detailed notes from the session, “The Radio Frequency Revolution: Tips & Trends for Implementing RFID Systems in Libraries” but some of the information is time dependent so I’m posting it now. San Francisco Public Library chief Susan Hildreth gave an update on the status of RFID implementation in her library.

The SFPL Library Commission sent their proposed budget to the city mayor’s office. Gavin Newsom approved it and it went to the county board of supervisors. The county board reviewed it on June 19 and again on the 24th. According to Hildreth, out of the three board members, one is opposed, one is neutral and one is relatively supportive. The vote was tabled until July 2 – so stay tuned for updates tomorrow.

Hildreth says that SFPL will be spending $2.8 million over 8 years to implement RFID. $1.5 million will come from the operating budget and $3 million will come from private funds – I know this doesn’t add up, but that’s what I wrote down. Consider those figures ballpark.

I went to the SFPL website today and noticed that their revised privacy policy is posted and it does include RFID. They will limit information on tags to barcode number, they won’t use smart patron cards and they will comply with the law in regards to gathering information. They have also posted their RFID bibliography and their proposed plan of action in a more publicly accessible place.

Of the controversy, Hildreth says she was surprised at the public’s lack of concern regarding the repetitive strain injuries suffered by library staff. She thought there would be more support for creating a safer workplace. She recommended that other libraries know their communities well prior to considering the technology.

CA SB 1834 Fails Committee Vote

Filed under: — Laura @ 11:06 am

Hi all - I’m back from ALA so there will be many updates. Lots of things happened in the past week.

The California RFID privacy bill was heard again by assembly committee. This time it failed to pass, but it was granted reconsideration. I predict some more amendments. There was a new analysis posted on 6/23 (dated 6/22). Interestingly, they don’t list any organizations as being in support of the bill, but list several in opposition – including the EFF, ACLU and Privacy Rights Clearinghouse. Those three organizations are neutral regarding the bill but opposed to RFID in general. As an alternative to SB 1834 they propose a three part framework of recommendations. The framework includes a detailed assessment of the technology, implementing RFID within the principles of fair information practice and flatly prohibiting certain uses.

The wording of the prohibited practices gets a bit murky. They say the banned practices:

would include forcing consumers to accept tagged products, prohibiting consumers from detecting and disabling tags, tracking individuals without consent, and incorporating tags into currency.

I think this means they want to prohibit prohibiting people from using blockers (i.e. allowing blocking) but the double negative leaves my head spinning a little bit.


Flashscan/Library Automation Technologies announce RFID encryption

Filed under: — Laura @ 8:58 am

Flashscan/Library Automation Technologies has created Flashscan RFID Encryption Envelope (FREE) which claims to solve the eavesdropping vulnerability mentioned in Molnar’s article. FREE will encrypt the communication between an RFID reader/writer device and a tag.

Better still, they are making the solution available as a standalone API set for licensing by ILS and library software vendors.

I’ve been talking to a few of the other vendors and the Flashscan announcement was news to them. Since best practices are still emerging it might be a good idea to ask your prospective vendors about their awareness of the vulnerabilities and what they would be willing to do to mitigate the problems. Kudos to Flashscan for their proactivity!


FTC has no plans to regulate RFID

Filed under: — Laura @ 1:06 pm

The headline says it all. Check out this news article discussing yesterday’s workshop.

FTC Workshop Comments Posted

Filed under: — Laura @ 12:56 pm

You can view comments submitted to yesterday’s FTC RFID Workshop. Remember they are accepting comments until July 9.


Canucks post privacy guidelines

Filed under: — Laura @ 1:05 pm

The Information & Privacy Commissioner of the province of Ontario has released “Guidelines for Using RFID Tags in Ontario Public Libraries.” This is a substantial (15-page) document. It includes a glossary, a statement of broad assumptions (such as regular auditing and appropriate patron notification) which provide context for the specific recommendations (such as libraries should only use passive tags, no patron information should be included on a tag).

What is really notable about the document is that it asks libraries to ensure privacy issues are addressed at the design stage (emphasis mine). No closing the barn door after the horse there, eh?

The office of Information & Privacy Commissioner is a neat idea. The IPC “acts independently of government to uphold and promote open government and the protection of personal privacy.” But the office was established by the provincial legislature to oversee two privacy statutes. [thanks to Amanda Etches-Johnson]


Filed under: — Laura @ 2:59 pm

Laura Quilter from the Samuelson Law Technology & Public Policy Clinic at UC Berkeley tells me that the clinic will be talking about RFID in connection with information and library applications at the FTC workshop on June 21. This is good news because it means that our applications (and concerns!) won’t be completely buried by the commercial cheer-leaders.

Don’t forget that public comments on RFID can be sent to FTC until July 9. Be sure to send your thoughts, pro and/or con, by then.

CA SB 1834 Read 2nd time

Filed under: — Laura @ 10:59 am

More updates on California Senate Bill 1834: It was amended in committee and yesterday it was read a second time on the assembly floor. It’s been referred back to committee.

The amendments are interesting. Now it says that it prohibits (emphasis mine) a library from using RFID unless certain conditions are satisfied. This is a shift from authorizing a library to use unless certain conditions are met. These conditions have not changed much since the last amendments.


Update on CA SB 1834

Filed under: — Laura @ 9:41 am

The California Senate Bill to add RFID privacy guidelines to the business and professions code was sent to Assembly Committee on Business and Professions on 6/10/04.


Draft Paper on Library RFID Security/Privacy Risks

Filed under: — Laura @ 12:53 pm

I’m happy to announce that David Molnar has released his draft paper on security and privacy issues with library RFID. David is a Berkeley doctoral student in electrical engineering, and he wrote the paper with his advisor David Wagner. He is looking for comments on the draft, contact info is on the PDF.

It’s not too technical to understand and it should be required reading for any librarian considering RFID. He does a great job outlining the types of vulnerabilities inherent in the tags. These include:

  • eavesdropping on the wireless communication between readers and tags
  • static identifiers at the hardware-layer. These identifiers help readers perform “collision-avoidance” when simultaneously reading multiple tags.
  • unauthorized tag writing on re-writable tags, or “session-hijacking”

It would take a lot of leg-work to violate the security of a library RFID system. But we can’t rely on the laziness of hackers. David uses a great phrase for this: “security through obscurity.”

This document will be very useful for the development of library best practices - Kudos!
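To make the "static identifiers" item concrete, here is an added example (not from Molnar & Wagner's paper or from this blog): a simplified Python model of 16-slot anti-collision in the style of ISO 15693, showing that the fixed hardware UID is disclosed during singulation whatever the library writes to tag memory. The UIDs, barcode strings, the "rewritten opaque value" policy and all function names are constructed assumptions.

```python
"""Added illustration: slotted anti-collision reveals a tag's fixed UID.

Simplified model in the style of an ISO 15693 16-slot inventory.
All UIDs and memory contents are constructed sample data; no radio I/O.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tag:
    uid: int        # 64-bit identifier set at manufacture; not rewritable
    memory: bytes   # user memory the library controls (barcode, ciphertext, ...)


def inventory(tags, mask=0, mask_bits=0):
    """Return the UID of every tag in the field.

    In each of 16 slots, a tag answers when the low (mask_bits + 4) bits of
    its UID equal the slot number placed above the current mask. One answer
    singulates that tag; several answers collide, so the reader repeats the
    round for that slot with a mask that is 4 bits longer.
    """
    bits = mask_bits + 4
    if bits > 64:
        raise ValueError("duplicate UIDs: collision cannot be resolved")
    found = []
    for slot in range(16):
        prefix = (slot << mask_bits) | mask
        answering = [t for t in tags if t.uid & ((1 << bits) - 1) == prefix]
        if len(answering) == 1:
            found.append(answering[0].uid)
        elif len(answering) > 1:
            found.extend(inventory(answering, prefix, bits))
    return found


def observe(tag):
    """What a reader in range obtains: the UID from inventory, then memory."""
    (uid,) = inventory([tag])
    return {"uid": uid, "memory": tag.memory}


def stable_fields(first, second):
    """Fields identical across two reads of the same item.

    Anything listed here works as a persistent identifier for the item,
    whether or not it contains patron data.
    """
    return sorted(k for k in first if first[k] == second[k])


# Constructed shelf: three UIDs share low nibble 0x8, two share low byte 0x78,
# so the reader has to extend its mask twice before every tag is singulated.
SHELF = [
    Tag(0xE004010012345678, b"31234000456789"),
    Tag(0xE004010012345688, b"31234000456790"),
    Tag(0xE0040100ABCDEF01, b"31234000456791"),
    Tag(0xE007000000000A78, b"31234000456792"),
]

# The same physical tag read after two checkouts under two memory policies.
# "rewritten opaque value" is a hypothetical policy used for comparison.
UID = 0xE004010012345678
POLICIES = {
    "static barcode": (
        Tag(UID, b"31234000456789"),
        Tag(UID, b"31234000456789"),
    ),
    "rewritten opaque value": (
        Tag(UID, bytes.fromhex("9f2c41aa")),
        Tag(UID, bytes.fromhex("07be5d13")),
    ),
}


def audit():
    """For each policy, list what stays constant between two checkouts."""
    return {
        name: stable_fields(observe(a), observe(b))
        for name, (a, b) in POLICIES.items()
    }


if __name__ == "__main__":
    print([f"{u:016X}" for u in inventory(SHELF)])
    for name, fields in audit().items():
        print(f"{name}: stable across checkouts -> {fields}")
```

The UID stays in the stable set under both policies, so keeping patron data off the tag or protecting tag memory addresses what the tag stores but not the identifier it discloses during collision-avoidance.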


FTC Posts Workshop Agenda

Filed under: — Laura @ 2:55 pm

The agenda for the 6/21 FTC workshop on RFID privacy has been posted. There is no explicit mention of library use in any of the proposed discussions. All the familiar players will be speaking from CASPIAN, privacyrights.org and the EFF, to EPCGlobal and RSA (remember the folks who developed the blocker?).


Small reader developed

Filed under: — Laura @ 9:18 am

Innovision has developed a RFID reader smaller than a U.S. dime and “especially suited for small, battery-powered handheld devices.” It’s a 13.56MHz reader – hmm, that would be the range of most library tags, no??


Hong Kong Airport getting RFID

Filed under: — Laura @ 9:25 am

Yahoo financial news reports that Hong Kong Airport Authority has selected a vendor to install an RFID reader infrastructure in their baggage handling facilities. It says:

At various nodes within the airport including baggage carousels, unit load devices (ULDs) and conveyors, reader systems will be installed to read and write to RFID tags that will be applied on passenger bags. RFID-enabled handheld readers will also be used for mobile baggage operation.

It makes David Molnar’s scenario about airports and the Qur’an seem more plausible, doesn’t it?


Extended deadline for public comment on FTC workshop

Filed under: — Laura @ 4:10 pm

According to its website:

The FTC has extended until July 9, 2004 the deadline for filing comments on “Radio Frequency Identification: Applications and Implications for Consumers.” On April 12, 2004, the agency announced that it will hold a workshop to “explore the uses, efficiencies, and implications for consumers associated with radio frequency identification (RFID) technology. The workshop will address both current and anticipated uses of RFID tags and their impact on the marketplace.”

[thanks SNTreport]


Quasi Kill Commands

Filed under: — Laura @ 10:16 am

ZDnet reports on Burt Kaliski, RSA Labs director, making a case for “zombie” chips – those that are deactivated at purchase point but remain capable of being reactivated. The article reports that the controversy is some way off since item-level tagging hasn’t reached critical mass in retail.

Remember kids – libraries do item-level tagging.

Calls for Laws in Germany

Filed under: — Laura @ 10:07 am

Newbrainframes reports that German federal data protection officer Peter Schaar is calling for a law to define control of RFID tags. Activists have been protesting a store which implemented RFID in their consumer cards – without informing their customers. The store withdrew the tags. [thanks scott]

SFPL Round-up

Filed under: — Laura @ 9:53 am

As promised, a listing of the articles and resources about SFPL’s decision.

The SFPL implementation plan is particularly good. They have an understanding of the tag hardware specifications and seem very aware of the security flaws inherent at the chip level. They plan to work with vendors to develop tag encryption and better communications protocols between RFID tags and readers. They even encourage the development of environmentally friendly tags. Go SFPL!

David Molnar is quoted in the American Libraries piece. David is a Berkeley doctoral student in electrical engineering. He specializes in library RFID architectures. He has presented at the SFPL Library Commission meetings and it’s obvious they have paid attention. He currently has a scholarly article under review which details the technical security flaws in library RFID architectures. I’ll post a citation & summary as soon as I can.

I’m glad SFPL will attempt to work with the industry to improve chip security. Although libraries don’t have the purchasing clout of a Wal-Mart, we do have an activist tradition and the general respect of the public for keeping their interests at heart. Implementation plans such as SFPL’s and Berkeley’s best practices are a good start. It won’t be long before national-level best standards are available. The PLA Office of Intellectual Freedom is currently working on such a recommendation.


NCC calls for more awareness of RFID privacy issues

Filed under: — Laura @ 9:46 am

Jo Best at Silicon.com reports that the National Consumer Council (U.K.) has published a document calling upon the government to examine its current regulatory framework regarding RFID. They say consumers have been left out of the discussion on RFID privacy implications and they warn of widespread backlash should the technology proliferate without consumers’ awareness and consent.

The report, “Calling in the Chips” is available in PDF from the NCC site. [thanks RFID News]


Tag Reader with 11′ range developed

Filed under: — Laura @ 3:09 pm

The RFID web log reports on a low power RFID system that purportedly can read tags from 11 feet away. Looks like Moore’s law may be applied to RFID systems a bit faster than we think.


Update on SFPL status

Filed under: — Laura @ 1:49 pm

David Dodd from SFPL tells me that, despite what they say in the Senate Committee, the SFPL Library has definitely not made a decision regarding RFID. They will be meeting next week, Thursday, May 6, to discuss it again. Take note: SFPL has updated its draft privacy policy. The most recent version supersedes the draft scanned in by Eric Ipsen. I’ll post a link to the policy once it is approved.

I’ll be in the Bay area on business 5/6 & 5/7, so I’ll try to attend the hearing.

More on SB 1834

Filed under: — Laura @ 9:32 am

Information Week also has an article about the approval of the California bill – and they get the number correct!

CA SB1834 Passed - SFPL approves plans??

Filed under: — Laura @ 9:24 am

The California RFID Privacy bill passed its third reading yesterday. It has now been passed to the assembly floor where it was held. The Senate committee analysis dated 4/26/04 says that

The San Francisco Public Library Commission has approved plans to start tagging library books with RFID chips by 2005. Questions have been raised about whether the technology will give anyone with an RFID reader, including homeland security agencies and businesses, the ability to track and identify people and the library books they’re carrying.

That is news to me. I don’t recall that the commission approved anything, but I could have missed it during my skimming of their minutes. I thought that the consensus of the Committee was that it would consider the issues before deciding whether or not to approve the procurement. Can somebody from the Bay area bring me up-to-date? Note also that the Senate bill analysis doesn’t have any organizations on record as supporting the bill, but opposition has been given by organizations with business interests. If you’re in California and you support what Sen. Bowen is trying to do, get in touch.

RFID Journal has a detailed article discussing the legislation. They call the bill SB 2208. I don’t know where they came up with that. There’s no bill 2208 listed on the official California legislative information web site for either the Assembly or the Senate. The article also discusses upcoming legislative actions in Maryland, Massachusetts, and Virginia.


Berkeley PL best practices

Filed under: — Laura @ 4:56 pm

The Berkeley Public Library has made available its RFID best practices. They will soon be posting a FAQ (no doubt to dispel the controversy which has dogged their neighbors across the Bay). BTW, under “Vendor news” Berkeley PL selected Checkpoint as their vendor.


UM Center for Information Policy

Filed under: — Laura @ 9:02 am

The University of Maryland’s Center for Information Policy (CIP) is currently researching RFID. According to its web site:

Another project is considering the use of information collection and transmission technologies such as radio frequency identification (RFID) tags and smart cards. As expected, our research has found a significant lack of public understanding of the technology, but surprisingly, a significant level of distrust even in the context of homeland security applications, and a very significant consensus for governmental regulation.

They haven’t posted any of the research yet. They don’t have an RSS feed, but you can subscribe to their newsletter by sending an email to infopolicy@umd.edu


SB1834 Hearing postponed by Committee

Filed under: — Laura @ 5:04 pm

The 4/13 hearing on SB 1834 was postponed.


Federal Trade Commission to hold RFID workshops

Filed under: — Laura @ 9:13 am

The FTC will be having a public workshop on privacy & RFID on 6/21/2004. They have a request for participation and public comment. [Thanks Beth]

FOR FURTHER INFORMATION CONTACT: Julie K. Brof, Attorney, (206) 220-4475, Northwest Region, Federal Trade Commission, 915 Second Avenue, Suite 2896, Seattle, WA 98174. Prior to the workshop, an agenda and additional information for attendees will be posted on the FTC’s Web site, http://www.ftc.gov/bcp/workshop/rfid.

RFID Journal Editorial on Privacy Discussion

Filed under: — Laura @ 8:58 am

An editorial in RFID Journal calls for “A Constructive RFID Dialogue” on privacy issues. I think it’s notable because it calls for international cooperation and it calls for a balance between reaping the benefits of technology and providing consumer protection. RFID Journal actually wants to fund a conference on the issue, due to Senator Leahy’s calls for dialog.


Cell Phone as RFID reader

Filed under: — Laura @ 2:39 pm

Nokia has released a Mobile RFID kit.


Big Corps Opposed to Mandatory Kill

Filed under: — Laura @ 4:37 pm

I hate to be cynical, but, um, it’s no big surprise to me that big companies and retailers don’t want to kill RFID tags upon purchase. See Wired News: Watchdogs Push for RFID Laws


More thoughts on scary scenario

Filed under: — Laura @ 1:34 pm

My sweetie & I were discussing SB 1834 and David’s scary scenario this afternoon as we drove from LA to San Diego. We came to the conclusion that encryption is the best way to work around the potential of any Joe-Blow using a tag reader & sensor to learn what book you’re carrying.

If the info on the tags was encrypted, only those people with authorized keys could access it.

Librarians can create ethical guidelines/best practices for RFID implementation, write technological specifications for privacy on the tags and work with vendors to ensure the inclusion of those specs in RFID solutions. We can also work with legislators to ensure that encryption technology is allowed within our legal frameworks.

Sound good?


Privacy Invasion Scenario

Filed under: — Laura @ 9:41 am

I’ve been thinking that the privacy invasion implications of library RFID use were minimal given the current state of technology. What harm could be caused with low frequency readers and only item number information on the tag, right? Well, David Alexander Molnar from Berkeley has made me reconsider. He posits the following scenario [reposted with permission]:

Suppose we put RFID readers in the metal detector (and x-ray machines) at
the airport. The range issues with RFID are not much of an issue here,
since the metal detector is closer than the exit sensors of library RFID
deployments – if they work, placing them in the metal detector should
work as well (ignoring interference between reader and detector).

Now suppose we are interested only in seeing if a person is carrying a
copy of the Qur’an. We don’t care about other books, just this one. We go
to all the libraries near the airport, check out all their copies of the
Qur’an, read the RFID tag and record the bar code on the tag. Now if
someone walks through the metal detector with a copy of the Qur’an from
the area, we know.

This works *even if we don’t have the library database*. All we need is
for the number on the tag to be static.

I think David’s concept is plausible. Copying the id numbers from the tags of books from local libraries would take footwork, to be sure. But as David says, “The thing is, the footwork can be incremental. The bar codes don’t expire.”
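The static-identifier point in David’s scenario, and the encryption suggestion in the “More thoughts on scary scenario” post, as an added Python sketch (not from David’s paper or any vendor’s system): a tag value that never changes can be recognised again by anyone, even when it is opaque, while an answer that mixes in a fresh nonce can only be resolved by the key holder. The key, item numbers and function names are constructed for illustration, and the sketch assumes a tag that can generate a nonce and compute a keyed hash.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple

# Constructed sample data: the key and item numbers are made up for this example.
LIBRARY_KEY = b"constructed-demo-key"
CATALOG = ["31234000123456", "31234000654321"]


def _mac(data: bytes) -> bytes:
    return hmac.new(LIBRARY_KEY, data, hashlib.sha256).digest()


def static_read(item_id: str) -> bytes:
    """Tag answers with its bare item number on every read."""
    return item_id.encode()


def static_protected_read(item_id: str) -> bytes:
    """Stand-in for a ciphertext written to the tag once: opaque, but constant."""
    return _mac(item_id.encode())


def randomized_read(item_id: str) -> Tuple[bytes, bytes]:
    """Assumed smarter tag: fresh nonce per read, answer = (nonce, MAC(nonce || id))."""
    nonce = secrets.token_bytes(16)
    return nonce, _mac(nonce + item_id.encode())


def library_resolve(nonce: bytes, answer: bytes) -> Optional[str]:
    """Key holder recovers the item number by testing each catalog entry."""
    for item_id in CATALOG:
        if hmac.compare_digest(_mac(nonce + item_id.encode()), answer):
            return item_id
    return None


def linkable(read: Callable[[str], object], item_id: str) -> bool:
    """True if two reads of the same tag are byte-identical, so an observer
    with no key and no library database can recognise the tag again."""
    return read(item_id) == read(item_id)


if __name__ == "__main__":
    book = CATALOG[0]
    for read in (static_read, static_protected_read, randomized_read):
        print(f"{read.__name__:22} linkable across reads: {linkable(read, book)}")
    print("library resolves randomized answer:", library_resolve(*randomized_read(book)))
```

The hardware-layer collision-avoidance identifier mentioned in the post on the draft paper is a separate static value that this kind of answer does not hide. Sharing one key across every tag, as the sketch does for brevity, also means a key recovered from one tag exposes all of them.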

U.S. Intra-government RFID council proposed

Filed under: — Laura @ 9:18 am

The U.S. Department of Defense is seeking to create an
intra-government RFID council to coordinate adoption
plans and ensure that all departments are using the
same technology.

Full Story [Source: RFID Journal]

SB 1834 Senate Bill - Bill Analysis

Filed under: — Laura @ 8:50 am

The analysis of California SB 1834 was posted. Its next hearing date is 4/13/04.


RFID Blocker Concerns?

Filed under: — Laura @ 4:23 pm

Scott at Information Manager Journal reports on the EFF’s thoughts on the RFID tag blocker technology being developed by RSA. At this point the blocker is conceptual but Scott raises interesting questions on potential government regulation. Reminds me of radar detectors….


More Info on CA RFID Privacy Bill

Filed under: — Laura @ 10:20 am

I promised to investigate the status of California’s proposed RFID privacy bill. SB 1834 was introduced by state Sen. Debra Bowen on 2/20/2004. The bill was amended and read a second time on 4/1/2004. It is currently with committee.

The original bill covered retail applications and was appended to the Business and Professional Code. In essence it labelled businesses that didn’t comply with the privacy guidelines “unfair competition” and subjected them to penalties. The 4/1 amendment would “authorize a library to use RFID tags attached to circulating materials to collect information that could be used to identify a borrower under specified conditions.”

Those conditions are:

22651. A library may use an electronic product code system that
uses radio frequency identification (RFID) tags attached to
circulating materials only to collect, store, use, or share
information that could be used to identify a borrower if all of the
following conditions are met:
(a) The information is collected only to the extent permitted by
(b) The information has been provided by the borrower for the
purpose of borrowing an item containing an RFID tag at the library.
(c) The information is not collected at any time before the
borrower actually attempts to borrow the item or at any time after
the customer completes the transaction to borrow the item containing
the RFID tag.
(d) The information is collected with regards only to a borrower
who actually attempts to borrow the item and is in regard only to
that item.

I think these conditions are a good start. But they don’t go far enough. There should be an explicit statement governing the linking of borrowing information with patron information. In most RFID systems, the link between the two is within the integrated library system, not programmed on the tag. That link should only be used when the patron is checking out material and when the patron returns the item. That patron information should already be governed by a library’s privacy policy. For example, at my library only staff with a direct need-to-know would be authorized to view that patron info. And the borrowing information is removed as soon as the item is returned. It could be on the back-up tape for the ILS, but the information would have to be subpoenaed. And it would only be on those back-ups for three months anyway.


RFID Journal - Sen. Leahy Voices RFID Concerns

Filed under: — Laura @ 9:53 am

RFID Journal - Sen. Leahy Voices RFID Concerns

The article mentions state “right-to-know” legislation – and California is considering such a bill. I’ll investigate further as this could affect our library’s implementation plans.


Selective RFID blocker from RSA Laboratories

Filed under: — Laura @ 5:14 pm

RSA Laboratories has a technology which promises to block unwanted scanning of RFID tags. I wonder how the EFF will respond.
