
Identity Assurance WG testimony to Health IT Committee and NHIN

The content below is a transcript of testimony that was presented at the Health IT Committee/Nationwide Health Information Network (NHIN) Workgroup public hearing on identity management and authentication on Jan. 7 by Frank Villavicencio, chair of the Identity Assurance Work Group (IAWG). The NHIN is a collection of standards, protocols, legal agreements, specifications, and services that enables the secure exchange of health information over the internet. To learn more about the NHIN, please visit their site. If you would like to subscribe to the IAWG mail list or become involved in the IAWG activities, visit their home page for further details.

Update on Jan 14, 2010: Frank Villavicencio (IAWG Chair) has also posted some follow-on additional information on his blog here >> http://bit.ly/7Bbc39

Testimony transcript is below —

My name is Frank Villavicencio, and I am here in my capacity of Chair of the Identity Assurance Work Group of the Kantara Initiative. We thank you for this invitation to testify.

The Kantara Initiative is an industry consortium formed by more than 120 different organizations, governments, foundations, associations, and individuals working on various aspects of digital identity.

Kantara’s goal is to develop the mechanisms to support industry development of interoperable identity management frameworks to increase Internet security while making it easier for users to log into multiple services. As such we believe strongly that the current Kantara work offers immediate solutions to healthcare’s security needs.

I believe that a specific program that Kantara has developed, the Identity Assurance Framework, or IAF, can be adopted immediately by the NHIN; it is ready now and is, in fact, already in use. The Identity Assurance Framework is technology agnostic and already supported by a wide range of industries and organizations globally, both within and outside of healthcare. This program allows multiple identity service providers to support the vast array of users in health care.

The Identity Assurance Framework (IAF) has been developed through collaboration and input from members of the global financial services, government, healthcare, biopharmaceutical, IT security, and telecom sectors. It is based on the four levels of assurance defined in NIST SP 800-63 and OMB publication M04-04. It supports different authentication solutions and identity proofing methods at the various levels of assurance. It recognizes the differences between low and high value transactions and, as such, associated risk profiles and trust levels. Specifically, the Kantara Identity Assurance Framework consists of four parts:

  • Assurance Level Definitions
  • Service Assessment Criteria
  • Assurance Assessment Scheme and Certification Program
  • Deployment Guidelines

The end goal of the IAF work is to provide public and private sector organizations a uniform means of relying on digital credentials issued by a variety of identity assurance providers (credential service providers) to support multiple levels of assurance to facilitate public access to online information. The IAF does not replace any of the existing certificate service providers, nor does it aim to become a Federated Identity Provider. Rather, it provides the criteria to assess and measure compliance with established standards to assure interoperability of e-authentication systems.

    Specifically for the focus of this forum, a common set of policies, procedures, and standards to facilitate reliable and secure access to health information is required. Such an approach assures the continued local authorization while using these standards and practices to specify what patient information can be shared, and how the information can be used. To ensure such compliance, yet maintain a level of local autonomy, we suggest the participating members of the NHIN belong to an IAF-compliant Identity Federation. Federation, in this view, is a response to the difficulties presented by the need to maintain decentralized systems with a certain level of local autonomy, yet ensure secure access to critical patient data. Formal federation using a standard set of policies, rules and procedures allows participants to access critical information across the federation.

    We believe the adoption of federated identity is key to a viable national health network that protects the privacy and security of all ecosystem participants and helps contain escalating healthcare costs.

    The implementation of the IAF supports identity federation that is secure, private, and auditable. It offers businesses, government, employees and consumers a more convenient and reliable way to exchange identity information in today’s digital economy. Please consider the following:

    1. The IAF is a finished industry standard—it’s publicly accessible, based on recognized US Government standards and open and available for free use and implementation today.
    2. The IAF is cross-industry—there is no need to create a Health-specific project which may or may not be adopted. Indeed, other experts before you today already utilize and/or have contributed to the IAF. It is currently in evaluation by the Federal CIO Council’s Identity Credentialing & Access Management (ICAM) sub-committee as the first US Government recognized Trust Framework.
    3. The IAF structure is compatible with the existing NHIN/Connect gateways. It has already been utilized in various proofs of concept by HIMSS and GSA, HISPC, and others, and has been publicly adopted by the Michigan Health Information Exchange and the Minnesota HIE-Bridge Health Information Exchange. Additionally, the three co-chairs of our Healthcare Identity Assurance Workgroup, John Fraser, Pete Palmer, and Rick Moore, through their HIMSS support, led a pilot with the GSA in 2007 showing that six Health Information Exchanges (HIEs) spread across the country—Connecticut, Michigan, Minnesota, Nevada, Ohio and Texas, could use a common authentication framework. It was based on the operational interoperability defined in the IAF. (http://www.himss.org/content/files/GSAwhitepaper.pdf)
    4. The IAF is technology agnostic. Through its four NIST-based levels of assurance, it is compatible with federal security architectures. In fact, in a co-funded exercise with the GSA in fall 2008, we mapped NIST 800-63 and the IAF requirements and found them to be compatible and complementary.
    5. The IAF can help increase NHIN security, which helps protect patient privacy. This is a core tenet, we believe, to effective identity management—in fact, we have a whole work group dedicated to privacy issues—and we are committed to strong security in all activities.
    6. Given all of these factors, use of the IAF will build stronger trust into NHIN, which will accelerate adoption. Widespread use will lead to better consistency of practice, cost savings and increased privacy and security.
    7. Consistent process and the operational interoperability achieved via the IAF will help reduce the “fear factor” for health information exchanges (HIEs) to plug in and share. Indeed, the South-East Michigan Health Information Exchange (SEMHIE) has already paved the way to success here.
    8. The urgency and importance of making this transformation to a better use of information and related technologies in the health system is very widely appreciated. Dozens of communities and innovative networks across America have begun implementing information exchange solutions – the IAF delivers a common pathway, uniform standards, and a secure, private and consistent basis for information exchange. Use of the IAF as a common framework will maximize the value of other U.S. Government efforts already in progress.

    The NHIN can *only* succeed if digital identities are issued and credentials are managed using a common set of rules (policies and procedures). The IAF provides this rule book and has a program to assess and certify compliance. No other standards body provides this kind of comprehensive support for trusted identity management on a national and global scale.


    Where is EU Data Protection policy headed?

    In Jose Manuel Barroso’s recent reshuffle of the European Commission, there were a couple of moves which bear some further inspection, from a privacy/identity perspective.

    The former Commissioner for Information Society, Viviane Reding, is promoted to one of the Vice Presidents of the Commission, and given a new portfolio as Commissioner for Justice, Fundamental Rights and Citizenship. She has also been given the task of overhauling the Data Protection Directive (now 15 years old…).

    Her former role passes to Neelie Kroes, who was previously Competition Commissioner (and oversaw, for instance, some of the Commission’s fiercest battles with Microsoft – on media player bundling, IE/Windows bundling, publication of technical interoperability documentation, Microsoft Office “Open” XML, and so on, and so forth…).

    She has a reputation for being able to dive into the detailed technicalities of a brief, and for being extremely tenacious in pushing towards her intended goal.

    There’s no doubt in my mind that, had the task of reviewing and revising the Data Protection Directive been left on the Commissioner’s desk at DG InfoSoc, Dr Kroes could have taken it on with competence and determination… which leads me to wonder what the implications are of Commissioner Reding taking it with her to her new role.

    With the background of her four years heading DG InfoSoc, Commissioner Reding should have all the subject-matter expertise needed to make a proficient job of revising the Directive. However, what is perhaps more significant is the departmental context in which she will now undertake that work.

    Instead of doing it from within DG InfoSoc, she will now do it in the same DG as is responsible for programmes such as this: the development of a framework for a European society based on notions of fundamental rights and rights derived from EU citizenship.

    That suggests to me that, if anything, the revised DP Directive will be founded on even stronger links to notions of fundamental human rights and the social/citizenship context.

    I foresee some lively discussions of principle between the EU and its partners, particularly where those partners either take a different view of what are fundamental rights, or of how great a role they should play in determining policy on the processing of personal data.

    If Commissioner Reding wished to live in interesting times, I think her wish may have been granted.


    UK DNA policy (still) fails proportionality test

    It is now a year since the European Court of Human Rights’ (ECHR) ruling on UK vs. S and Marper. The court’s ruling in that case was clear: the UK government’s policy of systematic and indiscriminate retention of DNA samples, DNA profiles and fingerprints of those acquitted of any offence is disproportionate. The government had, it says,

    “overstepped any acceptable margin of appreciation in this regard”.

    Grudgingly and slowly, the government is considering amending its policy – but only to the extent of conceding on indefinite retention. [Editorial update: as of December 9th, the Council of Europe expressed its concern that the new proposals probably still fail the proportionality tests required by the ECHR. They are keeping the dossier open, and will review the UK position again in March 2010].

    Under the Home Secretary’s current proposals, the data and samples of the innocent are now only to be held for 6 years (there’s an excellent summary paper here, on the House of Commons Library website). The ruling in full is accessible online here. It’s well worth a read; almost every paragraph contains something to back up the view that the policy on DNA retention is intrusive and obnoxious. For instance, how about this section on the Police and Criminal Justice Act 2001 (my emphasis):

    27. As to the retention of such fingerprints and samples (and the records thereof), section 64 (1A) of the PACE was substituted by Section 82 of the Criminal Justice and Police Act 2001. It provides as follows:

    “Where – (a) fingerprints or samples are taken from a person in connection with the investigation of an offence, and (b) subsection (3) below does not require them to be destroyed, the fingerprints or samples may be retained after they have fulfilled the purposes for which they were taken but shall not be used by any person except for purposes related to the prevention or detection of crime, the investigation of an offence, or the conduct of a prosecution. …

    (3) If – (a) fingerprints or samples are taken from a person in connection with the investigation of an offence; and (b) that person is not suspected of having committed the offence, they must except as provided in the following provisions of this Section be destroyed as soon as they have fulfilled the purpose for which they were taken.

    (3AA) Samples and fingerprints are not required to be destroyed under subsection (3) above if (a) they were taken for the purposes of the investigation of an offence of which a person has been convicted; and (b) a sample or, as the case may be, fingerprint was also taken from the convicted person for the purposes of that investigation.”

    Even the ECHR judges somewhat understate the case against retention – for instance, in this paragraph:

    “78. It is common ground that fingerprints do not contain as much information as either cellular samples or DNA profiles.”

    Unfortunately, that is not accurate. The fingerprints themselves (as opposed to any scanned or photographic record of them) consist of natural oils and skin cells – which of course contain the subject’s DNA. There is plenty of published material on the practicalities of small-sample DNA analysis, and the technique has been used by UK law enforcement agencies. In other words, fingerprints not only contain the same information as cellular samples, they contain cellular samples in a very individual layout – the fingerprint itself.

    But I digress…

    What I really wanted to do was point to three excellent blog posts on the “justification” for DNA collection and retention in the UK system.

    The first is this one from Privacy law specialists Amberhawk – correlating the government’s own re-offending statistics with their assertions about the benefits of 6-year retention.

    The Tech and Law blog has further analysis of the Amberhawk piece, here, including a link to a trenchant letter questioning both the practicality and the proportionality of the current policy.

    And finally, Toby Stevens adds his excellent analysis here, setting out (among other things) four fundamental flaws with the current approach. In passing, he notes that the UK’s national DNA database is (perhaps thankfully) unique; no other country has one like it, or uses DNA in the same way.

    Which brings us back to the ECHR’s judgement in UK vs S and Marper. Sections 47 and 48 of that judgement bear repeating in full (my emphasis):

    “47. The United Kingdom is the only member State expressly to permit the systematic and indefinite retention of DNA profiles and cellular samples of persons who have been acquitted or in respect of whom criminal proceedings have been discontinued. Five States (Belgium, Hungary, Ireland, Italy and Sweden) require such information to be destroyed ex officio upon acquittal or the discontinuance of the criminal proceedings. Ten other States apply the same general rule with certain very limited exceptions: Germany, Luxembourg and the Netherlands allow such information to be retained where suspicions remain about the person or if further investigations are needed in a separate case; Austria permits its retention where there is a risk that the suspect will commit a dangerous offence and Poland does likewise in relation to certain serious crimes; Norway and Spain allow the retention of profiles if the defendant is acquitted for lack of criminal accountability; Finland and Denmark allow retention for 1 and 10 years respectively in the event of an acquittal and Switzerland for 1 year when proceedings have been discontinued. In France DNA profiles can be retained for 25 years after an acquittal or discharge; during this period the public prosecutor may order their earlier deletion, either on his or her own motion or upon request, if their retention has ceased to be required for the purposes of identification in connection with a criminal investigation. Estonia and Latvia also appear to allow the retention of DNA profiles of suspects for certain periods after acquittal.

    48. The retention of DNA profiles of convicted persons is allowed, as a general rule, for limited periods of time after the conviction or after the convicted person’s death. The United Kingdom thus also appears to be the only member State expressly to allow the systematic and indefinite retention of both profiles and samples of convicted persons.”


    Kooky Policy (sorry, I meant cookie..)

    In my previous post on cookies and privacy in the new EU Directive, I mentioned, in passing, the question of user consent. I think it’s time to return to that for a closer look. First, a couple of references to set context:

    • Ralf Bendrath’s comment, here, on the recently-adopted Stockholm Programme. This, he notes, includes an amendment in which the European Parliament

    “… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective”.

    This is a clear indication of the way the Parliament thinks that balance ought to tilt.

    • This analysis from Pinsent Masons’ Out-Law blog, in which they compare the text of the new cookie law with the interpretation of the same by some online advertising bodies. The advertisers point to a clause in the preamble of the telecom package, which says:

    “Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC [the Data Protection Directive], the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”

    According to the advertisers, this lets them off the hook – because a user’s consent can be inferred from the fact that their browser is set to allow cookies or block them.

    However, there are several rather fatal flaws in that argument. A couple are pointed out by Struan Robertson (whose previous analysis I quoted in my other post):

    “Most browsers don’t default to blocking all cookies and most people don’t change their browser settings, so it’s hard to say that effective consent is conveyed by browser settings,” said Robertson. “Also, browsers can’t tell you the purpose of a cookie.”

    On a strict interpretation, the point about “purpose” ought to be fatal in itself: it would generally mean that relying on the browser setting to imply consent would fail the test of compliance with the Data Protection Directive (purpose of collection == purpose of use); if the user has no indication of purpose of collection, how can they meaningfully consent (and how can inappropriate use be detected)?

    Next – given the number of people who pay little or no attention to the default cookie settings of their browsers (assuming they are even aware of them in every browser or internet terminal they use), it would be tough for a website owner to prove that the setting in effect on a given visit was chosen by the user, as opposed to merely being a default setting. What’s more, the new law repeatedly mentions the need for the user to be clearly informed before access is effected to their device – so this law isn’t just calling for implied consent, it’s calling for informed and explicit consent. (Note the clear qualification in the preamble: “Where it is technically possible and effective…”).

    Now, it’s fair to argue that explicit consent is an unreasonable expectation unless and until there is a general change in people’s awareness of cookies… and advertisers will doubtless maintain that it’s not their fault we like to ignore or dispense with cookie warnings in the interests of convenience. But that argument can also reasonably be countered by saying that poor consent-seeking practice up to now can hardly be used to excuse it in future.

    Finally, the Pinsent Masons article makes one other extremely valuable contribution to the debate, in quoting Commissioner Reding’s clarificatory comments on the question. I use the word clarificatory in its loosest possible sense.

    According to the Commissioner, there are two kinds of cookie: “technical cookies”, without which the internet would cease to function (and which, therefore, we are presumably to allow without question), and “spy cookies”, which are the ones this law is clearly intended to regulate.

    This reminds me of that Not The Nine O’Clock News sketch in which a disgruntled aide induces his president to include phrases like “cupcakes” and “big, floppy, dangly bits” in a public address.

    Quite apart from the glaring absurdity of browser manufacturers now having to enhance their products to include a Privacy Settings option which allows users to turn “spy cookies” off while leaving “technical cookies” in place, there’s also the minor (though not entirely unexpected) problem that the law itself does not, of course, make any mention of these mythical creatures.

    We all understand the difficulties which can arise when a legislator tries to express technical concepts in terms which are meant to be accessible either to other legislators or to the general public – but the perfectly-coiffured Commissioner has been in post now for almost exactly five years. Surely that – and her professional career as a journalist – must have taught her the danger of such ill-conceived dumbing-down?
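The post above makes two technical points that are easy to lose in the legal argument: a browser's global cookie setting carries no information about the purpose of any particular cookie, and once purpose is tracked, "strictly necessary" cookies can be separated from the rest without any new browser feature. The following is an added illustration, not code from the original post or from any of the bodies it quotes. The purposes, the consent record, the cookie jar and the sample cookies are all constructed here (the names `sid`, `_ga_like` and `ad_id` are invented) so it runs stand-alone in Node without `document.cookie` or `navigator`.

```javascript
// Added example (not from the original post): "consent implied by the browser's
// cookie setting" beside explicit, purpose-specific consent, plus a check for a
// cookie being used for a purpose other than the one it was collected for.
// All data here is constructed for illustration.

const PURPOSE = Object.freeze({
  STRICTLY_NECESSARY: "strictly-necessary", // session id, CSRF token, ...
  ANALYTICS: "analytics",
  ADVERTISING: "advertising",
});

// Weak check: a single global flag, like a browser's "accept cookies" setting.
// It says nothing about purpose and gives no evidence the user chose it.
function browserSettingAllows(cookiesEnabled, _cookie) {
  return cookiesEnabled === true;
}

// Stronger check: an explicit consent record naming the purposes accepted.
// Strictly-necessary cookies are exempt; everything else needs a listed purpose.
function consentAllows(consent, cookie) {
  if (cookie.purpose === PURPOSE.STRICTLY_NECESSARY) return true;
  if (!consent || consent.explicit !== true) return false;
  return consent.purposes.includes(cookie.purpose);
}

// Apply a policy to requested cookies; returns what was stored and what was refused.
function applyPolicy(requested, allowed) {
  const jar = new Map(); // name -> { value, purpose }
  const refused = [];
  for (const c of requested) {
    if (allowed(c)) jar.set(c.name, { value: c.value, purpose: c.purpose });
    else refused.push(c.name);
  }
  return { jar, refused };
}

// Purpose drift: a stored cookie read for a purpose it was not collected for.
// This is the "how can inappropriate use be detected" question made concrete.
function purposeViolations(jar, reads) {
  const out = [];
  for (const r of reads) {
    const c = jar.get(r.cookie);
    if (c && c.purpose !== r.usedFor) {
      out.push(`${r.cookie}: collected for ${c.purpose}, used for ${r.usedFor}`);
    }
  }
  return out;
}

// Constructed sample: three cookies a site might try to set on a first visit.
const REQUESTED = [
  { name: "sid", value: "s1", purpose: PURPOSE.STRICTLY_NECESSARY },
  { name: "_ga_like", value: "a1", purpose: PURPOSE.ANALYTICS },
  { name: "ad_id", value: "x9", purpose: PURPOSE.ADVERTISING },
];

function demo() {
  // 1. Browser default (cookies enabled): everything is stored, purpose unseen.
  const implied = applyPolicy(REQUESTED, (c) => browserSettingAllows(true, c));
  // 2. No consent record yet: only the strictly-necessary cookie is stored.
  const none = applyPolicy(REQUESTED, (c) => consentAllows(null, c));
  // 3. The user explicitly accepted analytics only (constructed record).
  const consent = { explicit: true, purposes: [PURPOSE.ANALYTICS], at: "2009-12-01T00:00:00Z" };
  const partial = applyPolicy(REQUESTED, (c) => consentAllows(consent, c));
  // 4. Later the analytics cookie is read to build an ad profile: purpose drift.
  const violations = purposeViolations(partial.jar, [
    { cookie: "_ga_like", usedFor: PURPOSE.ADVERTISING },
    { cookie: "sid", usedFor: PURPOSE.STRICTLY_NECESSARY },
  ]);
  return { implied, none, partial, violations };
}

const result = demo();
console.log("browser setting stored:", [...result.implied.jar.keys()].join(","));
console.log("no consent stored:", [...result.none.jar.keys()].join(","), "refused:", result.none.refused.join(","));
console.log("analytics-only stored:", [...result.partial.jar.keys()].join(","), "refused:", result.partial.refused.join(","));
console.log("purpose violations:", result.violations);
```

The point of the contrast is that `browserSettingAllows` cannot distinguish the session cookie from the advertising identifier, whereas `consentAllows` makes the purpose part of the decision and leaves an auditable record of what was agreed to; `purposeViolations` then has something to check against.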


    Kaspersky on Internet Anonymity

    Noted anti-virus vendor Eugene Kaspersky has weighed extravagantly into the larger security problem, arguing that “anonymity causes security headaches and should be outlawed” (http://blogs.computerworld.com/14940/eugene_kaspersky_wants_no_net_anonymity). So he wants an Internet Passport.

    This is surely madness.  The social repercussions are obvious, while it’s not at all clear what problem it might solve.

    Most cybercrime is actually associated with an *excess* of arbitrary identification, with inadequate safeguards.  For the average user, anonymity in reality has become a luxury.  The simplest credit card purchase requires an inordinate amount of identifying information to be divulged, to total strangers, who then pass it all onto third party processors no one has ever heard of.

    Mainstream authentication is so difficult to use that most users choose the same password for all services.  The Federated Identity and Single Sign On movements, typified by OpenID, amount to the same thing.  Everything gets linked to everything else.  This is hardly the “anonymity” that Kaspersky so dreads.

    It’s also likely that, like many before him, he’s underestimated the legal complexity and cost associated with general purpose Internet identities.  Who will issue and warrant an Internet passport, vouchsafing the bearer in all contexts?  This is what’s stopped authentication brokers schemes to date.  Some of my own analysis of these issues is presented in brief at  http://lockstep.com.au/library/babysteps/babyste13-identity-silos and http://lockstep.com.au/library/babysteps/babystep-15-introducing-ident.

    Of course, what would happen is that any real world Internet passport would come with risk-managed warranty limitations.  It wouldn’t be good for all conceivable transactions, only ones that the issuer has been able to analyse and circumscribe.  For other uses, the holder would need to supplement their passport with other credentials suited to the context … and we’d be back where we started.

    Advocates of Internet passports should re-visit how a conventional passport works, and reconsider their metaphor.  A passport is not a universal key to cross all borders; many countries require you to obtain a visa, to make sure you meet their security, cultural and political norms.  That is, risk profile, appetite and management strategies vary from one country to another (just as they vary in e-business from one segment to another) and there really is no universal passport.

    So I say to Kaspersky, an Internet passport is utopian, and proper anonymity would be a blessing!  To solve cybercrime, we don’t need any new passport, rather we need to protect the plurality of identities we already have against online theft and abuse.

    Posted on behalf of:

    Stephen Wilson
    Lockstep Group
    http://www.lockstep.com.au


    EU to legislate on cookies

    UK readers will probably remember one of those legal wrangles which make for such easy satire – the protracted argument over whether a Jaffa Cake is a cake or a biscuit (for VAT purposes, of course…)

    It looks as though the European Commission is heading towards a similar argument about cookies – though there may not be much discussion, as the Directive in question has apparently already been approved and merely awaits a few signatures and a rubber stamp or two.

    This is about amendments to 2002/58/EC, the Directive on Privacy and Electronic Communications. There are amendments to several areas of the original Directive, but the one which is currently exercising an articulate group of higher-education identity federation experts is nicely summarised here, by Struan Robertson of law firm Pinsent Masons. I recommend a read of his blog post; it isn’t often you see a lawyer describe proposed legislation as “breathtakingly stupid”… but I should also point out that he makes that comment off his own bat, so to speak, and not on behalf of his employers.

    The amendments in question are apparently intended to regulate the storing and use of cookies on end users’ devices. I say “apparently”, because the further one gets into the practicalities of it, the less clear it is how the legislation could be put into any meaningful practice.

    I’ve no doubt the intent of the amendments is both clear and laudable: to improve privacy outcomes for (EU) citizens going about their online life. In practice, though, there are pitfalls which the legislation seems doomed to encounter – several of them probably fatal.

    The way the amendment is phrased (it’s a replacement of Article 5.3, for those who like to read that kind of thing – see Struan’s post, or read p.77 of the document here if you prefer the unexpurgated version) makes it fairly clear to me that what they are trying to regulate is access to the end user’s machine. In other words, if you want to put something on my PC, or read something you put there earlier, you will need to be able to show that I gave my consent. As I say, laudable and straightforward. Until you start to go through the permutations:

    • What if I’m using my PC outside the EU?
    • What if I’m inside the EU, but accessing a cookie-setting site which is outside the EU?
    • What about non-EU citizens, in the EU, accessing EU sites?
    • Or non-EU citizens accessing EU sites from elsewhere?
    • Or non-EU citizens accessing non-EU sites via a mobile device, roaming through an EU telco?
    • … and so on and so on…

    There are many other aspects one could dive into similarly – such as “what counts as consent?”, or “how on earth will users cope with all those pop-ups” – but we haven’t got all week.

    Before long, a yawning gap opens up between what the legislation is capable of saying, and what it would take to describe something implementable. Depressingly, this really should not have come as a surprise either to the legislators or their drafters. After all, this is merely the next evolution of some quite long-standing network-mediated problems:

    • the advent of satellite broadcasting introduced us to the problems of whether such services were to be regulated at the “up-link”, the “down-link”, or some combination of both;
    • internet e-commerce has given us plenty of opportunities to work out how you establish distance contracts, between parties under different regulatory regimes.

    On that basis, there seems to me to be no excuse for this current legislative initiative to be so woefully half-baked.

    All of which brings us back, in a way, to the humble Jaffa Cake; and why not? For those who didn’t follow the saga, this went as far as a court case between leading manufacturer McVitie and Her Majesty’s Customs and Excise, as they were at the time. The conclusion was that legally, they are cakes. The court found that a cake is something which starts off soft and goes hard when it gets stale… whereas a biscuit, they found, starts off hard and goes soft as it gets stale. The majesty of the law leaves me awe-struck sometimes, it really does.


    Is 118800 a red herring?

    You know what? I’m actually starting to feel twinges of sympathy for the folks at Connectivity. There are two pieces in the Guardian devoted to the suspension of their mobile directory enquiries services, one from yesterday and one from today.

    Now, I’m not trying to argue that basing the service on an “opt out” principle was a good idea – it wasn’t. But at least Connectivity set it up in such a way that you would first find out that someone had looked you up, then have the opportunity to decide whether or not to take the call, and then have the option of asking to be removed from the list. All this would happen without the requesting party being told your number. So in a way, there was at least a certain amount of privacy-friendliness built into the protocol. Whether that made it a good idea for Connectivity to be sitting on a database of numbers which might get shared with other service providers is another question entirely.

    However, any slight twinges of sympathy at Connectivity’s plight are (and should be) rapidly displaced by a concern that all this high-profile coverage is distracting us from a more significant issue: namely, the means by which Connectivity were able to populate their directory in the first place. As I’ve suggested above, the way they set up their enquiry protocol show at least some concern for the data subject’s privacy. The same cannot be said for those data brokers who handed over their subscriber lists to Connectivity in the first place.

    It’s just that, as they are not in a part of the food chain which is normally visible to the data subject, they don’t come under the same kind of scrutiny as the company which delivers a service direct to the consumer.

    For all the focus on Connectivity, we should not pass up on this opportunity to shine the spotlight on the behaviour and regulation of the intermediaries who made Connectivity’s business model possible.

    [Apologies - this should have been syndicated from the FutureIdentity blog in July]


    UK Mobile Directory Enquiry service – still broken

    Over the weekend, prompted by a message from @wendyg, I had another go at checking whether my details are on 118800, the UK online directory of mobile phone numbers which has excited so much comment over the past few months. Their website was down, though, and according to this article in today’s Guardian, it had been laid low by the number of people trying to unsubscribe.

    Well, I think that tells us what we need to know.

    1 – if the sheer weight of “negative demand” is enough to crash the site, it should seriously call into question whether the subscribers (who are, after all, the data subjects here) want this service to exist;

    2 – it should certainly raise serious doubts – not least with the Information Commissioner’s Office (ICO) – about whether it’s acceptable for a service like this to be established on an “opt-out” basis, rather than making it the default that people should have to opt in if they want to be included in the directory.

    To me, this suggests that 118800′s operating model is broken, not just their website.

    In their defence, I expect that 118800 will make two points: first, that they don’t disclose the data subject’s phone number: they only offer to connect the caller, and that only if the data subject consents to receive the call. Fair enough, but I’m afraid my reaction the first time I receive one of those requests will be to decline it and request that they take me off the system.

    Second, they will probably repeat that the numbers they hold are in the public domain already, having been obtained from (among others) market research companies and list brokers. The issue here, to my mind, is one of informed consent. I can honestly claim that I have never knowingly disclosed my mobile number for the purpose of having it listed in a directory enquiries service.

    That, if nothing else, should give the ICO some basis on which to look at the legality of the system, under the second Data Protection Principle:

    “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

    I think mobile subscribers could also expect the ICO to give a view on whether the proposed 118800 service represents good practice, whether or not they consider it to be legal.


    US RFID credentials – an update

    I blogged back in February about Chris Paget’s successful attempts to read US-issued RFID credentials while simply driving past their owners… so I was a little surprised to see the same “news” cropping up in this article from Saturday’s LA Times. However, by the fourth paragraph they did acknowledge the date of Paget’s experiment, so I read on – and there’s plenty in the rest of the article to make that worthwhile.

    I owe @haroonalrasheed, by the way, for the link to the LA Times article, and I regret that, like him, I am quite unable to come up with a sensible interpretation of this quotation from the CPO of the Dept of Homeland Security:

    The purpose of using RFID is not to identify people, says Mary Ellen Callahan, the chief privacy officer at Homeland Security, but rather “to verify that the identification document holds valid information about you.”

    There I was thinking that the clue was in the acronym.

    The article is particularly interesting on the subject of read distance. It seems that each time the implementing departments publish a figure, researchers have consistently succeeded in reading the cards from much further away – whether that’s a yard instead of 4 inches, or 30 feet instead of a yard (1 metre, 10 cms, 10 metres respectively, if you are decimalised).

    Those are just the numbers for trying to read the chip directly. In another experiment, the researcher went for the communications link between the chip and the reader instead, and is reported as having intercepted that traffic successfully from 160 feet away (50 metres). I haven’t tracked down the research paper in question, so can’t check, for instance, whether that was direct interception or whether, as proposed in this 2005 paper by Hancke and Kuhn, it makes use of ‘relays’ to extend the distance between the eavesdropper and the chip. Bear in mind, though, that in the most common places you would expect to show your passport – that is, at an airline check-in counter or at an airport security check, there is generally somewhere within 160 feet where it is perfectly legitimate for someone to be using a laptop…

    (If anyone has a link to the “160 foot intercept” paper, perhaps you could include it in a comment).

    Apart from the continuing bickering over read distance, then, what conclusion can one draw? Principally, I think, that any form of remote reading raises significant and legitimate concerns over user awareness and therefore consent. It’s clear that the confidentiality of embedded RFID chips has to reside in factors other than distance – and equally clear, from the article cited, that different implementations are being designed with different levels of protection against interception. I have yet to see one, though, which offers the user any information about or control over when the chip is read, and I think that is a fundamental design flaw.

    [This is a syndicated post from the Future Identity blog - hence the reference to an earlier post in that blog - RW]



    © Copyright 2009 - Kantara Initiative. All Rights Reserved