Personal Privacy Protection within Pervasive RFID Environments

Recent advancements in location tracking technologies have increased the threat to an individual\u27s personal privacy. Radio frequency identification (RFID) technology allows for the identification and potentially continuous tracking of an object or individual, without obtaining the individual\u27s consent or even awareness that the tracking is taking place. Although many positive applications for RFID technology exist, for example in the commercial sector and law enforcement, the potential for abuse in the collection and use of personal information through this technology also exists. Location data linked to other types of personal information allows not only the detection of past spatial travel and activity patterns, but also inferences regarding past and future behavior and preferences. Legislative and technological solutions to deal with the increased privacy threat raised by this and similar tracking technologies have been proposed. Such approaches in isolation have significant limitations. This thesis hypothesizes that an approach may be developed with high potential for sufficiently protecting individual privacy in the use of RFID technologies while also strongly supporting marketplace uses of such tags. The research develops and investigates the limits of approaches that might be us,ed to protect privacy in pervasive RFID surveillance environments. The conclusion is ultimately reached that an approach facilitating individual control over the linking of unique RFID tag ID numbers to personal identity implemented though a combination of legal controls and technological capabilities would be a highly desirable option in balancing the interests of both the commercial sector and the information privacy interests of individuals. The specific model developed is responsive to the core ethical principle of autonomy of the individual and as such is also intended to be more responsive to the needs of individual consumers. The technological approach proposed integrated with enabling privacy legislation and private contract law to enable interactive alteration of privacy preferences should result in marketplace solutions acceptable to both potential commercial users and those being tracked

Personal Privacy Protection within Pervasive RFID Environments

Recent advancements in location tracking technologies have increased the threat to an individual\u27s personal privacy. Radio frequency identification (RFID) technology allows for the identification and potentially continuous tracking of an object or individual, without obtaining the individual\u27s consent or even awareness that the tracking is taking place. Although many positive applications for RFID technology exist, for example in the commercial sector and law enforcement, the potential for abuse in the collection and use of personal information through this technology also exists. Location data linked to other types of personal information allows not only the detection of past spatial travel and activity patterns, but also inferences regarding past and future behavior and preferences. Legislative and technological solutions to deal with the increased privacy threat raised by this and similar tracking technologies have been proposed. Such approaches in isolation have significant limitations. This thesis hypothesizes that an approach may be developed with high potential for sufficiently protecting individual privacy in the use of RFID technologies while also strongly supporting marketplace uses of such tags. The research develops and investigates the limits of approaches that might be us,ed to protect privacy in pervasive RFID surveillance environments. The conclusion is ultimately reached that an approach facilitating individual control over the linking of unique RFID tag ID numbers to personal identity implemented though a combination of legal controls and technological capabilities would be a highly desirable option in balancing the interests of both the commercial sector and the information privacy interests of individuals. The specific model developed is responsive to the core ethical principle of autonomy of the individual and as such is also intended to be more responsive to the needs of individual consumers. The technological approach proposed integrated with enabling privacy legislation and private contract law to enable interactive alteration of privacy preferences should result in marketplace solutions acceptable to both potential commercial users and those being tracked

Towards Secure and Scalable Tag Search approaches for Current and Next Generation RFID Systems

The technology behind Radio Frequency Identification (RFID) has been around for a while, but dropping tag prices and standardization efforts are finally facilitating the expansion of RFID systems. The massive adoption of this technology is taking us closer to the well known ubiquitous computing scenarios. However, the widespread deployment of RFID technology also gives rise to significant user security issues. One possible solution to these challenges is the use of secure authentication protocols to protect RFID communications. A natural extension of RFID authentication is RFID tag searching, where a reader needs to search for a particular RFID tag out of a large collection of tags. As the number of tags of the system increases, the ability to search for the tags is invaluable when the reader requires data from a few tags rather than all the tags of the system. Authenticating each tag one at a time until the desired tag is found is a time consuming process. Surprisingly, RFID search has not been widely addressed in the literature despite the availability of search capabilities in typical RFID tags. In this thesis, we examine the challenges of extending security and scalability issues to RFID tag search and suggest several solutions. This thesis aims to design RFID tag search protocols that ensure security and scalability using lightweight cryptographic primitives. We identify the security and performance requirements for RFID systems. We also point out and explain the major attacks that are typically launched against an RFID system. This thesis makes four main contributions. First, we propose a serverless (without a central server) and untraceable search protocol that is secure against major attacks we identified earlier. The unique feature of this protocol is that it provides security protection and searching capacity same as an RFID system with a central server. In addition, this approach is no more vulnerable to a single point-of-failure. Second, we propose a scalable tag search protocol that provides most of the identified security and performance features. The highly scalable feature of this protocol allows it to be deployed in large scale RFID systems. Third, we propose a hexagonal cell based distributed architecture for efficient RFID tag searching in an emergency evacuation system. Finally, we introduce tag monitoring as a new dimension of tag searching and propose a Slotted Aloha based scalable tag monitoring protocol for next generation WISP (Wireless Identification and Sensing Platform) tags

When Mobile Phones are RFID-Equipped - Finding E.U.-U.S. Solutions to Protect Consumer Privacy and Facilitate Mobile Commerce

New mobile phones have been designed to include delivery of mobile advertising and other useful location-based services, but have they also been designed to protect consumers\u27 privacy? One of the key enabling technologies for these new types of phones and new mobile services is Radio Frequency Identification (RFID), a wireless communication technology that enables the unique identification of tagged objects. In the case of RFID-enabled mobile phones, the personal nature of the devices makes it very likely that, by locating a phone, businesses will also be able to locate its owner. Consumers are currently testing new RFID-enabled phones around the globe, but the phones are not yet in general use by consumers in the United States and Europe. The incorporation of RFID into cell phones in order to deliver mobile advertising and other location-based services raises a host of important privacy questions that urgently need to be addressed before the phones become widely available. Analyzing the risks to consumer privacy in this new context, this paper offers a comparative law analysis of the applicable regulatory frameworks and recent policy developments in the European Union and the United States and concludes that there are many privacy concerns not presently addressed by E.U. and U.S. laws. This article also offers specific ideas to protect consumers\u27 privacy through applications of fair information practices and privacy-enhancing technologies. When mobile phones are RFID-equipped, consumers will need new privacy protections in order to understand the risks and make knowledgeable decisions about their privacy

Ensuring Application Specific Security, Privacy and Performance Goals in RFID Systems

Radio Frequency IDentification (RFID) is an automatic identification technology that uses radio frequency to identify objects. Securing RFID systems and providing privacy in RFID applications has been the focus of much academic work lately. To ensure universal acceptance of RFID technology, security and privacy issued must be addressed into the design of any RFID application. Due to the constraints on memory, power, storage capacity, and amount of logic on RFID devices, traditional public key based strong security mechanisms are unsuitable for them. Usually, low cost general authentication protocols are used to secure RFID systems. However, the generic authentication protocols provide relatively low performance for different types of RFID applications. We identified that each RFID application has unique research challenges and different performance bottlenecks based on the characteristics of the system. One strategy is to devise security protocols such that application specific goals are met and system specific performance requirements are maximized. This dissertation aims to address the problem of devising application specific security protocols for current and next generation RFID systems so that in each application area maximum performance can be achieved and system specific goals are met. In this dissertation, we propose four different authentication techniques for RFID technologies, providing solutions to the following research issues: 1) detecting counterfeit as well as ensuring low response time in large scale RFID systems, 2) preserving privacy and maintaining scalability in RFID based healthcare systems, 3) ensuring security and survivability of Computational RFID (CRFID) networks, and 4) detecting missing WISP tags efficiently to ensure reliability of CRFID based system\u27s decision. The techniques presented in this dissertation achieve good levels of privacy, provide security, scale to large systems, and can be implemented on resource-constrained RFID devices

Data protection of RFID-Based distributed storage

Radio Frequency Identification (RFID) has been emerged as one of the most promising technologies used as an automatic data collection and information storage technology in vast number of applications. One of the biggest hindrances in the wide adoption of this technology is the challenge in security. There have been extensive studies on RFID security, in particular authentication and privacy issues. In most protocols, the discussions focus on scenarios that RFID tags are used mainly for tracing or identification, and the access to data stored on RFID is enforced through authentication. Recently, there is a rise in interests of using RFID tags as distributed storage, e.g., storing floor plans which can be used by fire fighters during emergencies. In this new type of applications, quite often, XML (eXtensible Markup Language) is employed since it has been considered as a de-facto standard to store and exchange information on the Internet and through other means. This research proposes to securely and efficiently store data on RFID tags in XML format. We introduce a framework using cryptography that ensures data confidentiality and integrity; we employ multi-level encryption together with role-based access control on the data stored on an RFID tag. In the given framework, a user is assigned with a certain role and can only access the part of data that she is authorized according to her role and the Access Control Policy (ACP). In addition, a more profound and accurate definition of simple and complex XACL (XML Access Control Policies) is given and a workable cryptographic solution is provided to handle complex policies. Furthermore, two different encryption methods are introduced to minimize the size of a file encrypted using XML encryption specifications. The research also extends the current technique of populating RFID tag memory with BIM (Building Information Model) database information in Facilities Management System (FMS) applications, by adding roles and different security levels. To explore the technical feasibility of the proposed approach, a case study in facilities management with different roles and security permissions has been implemented and tested at Concordia University. In this case study, we apply the proposed framework and encryption scheme to provide fine-grained access to data stored on RFID tags. To the best of our knowledge, it is the first work that addresses security issues in this new type of RFID-based distributed storage application

Privacy-preserving E-ticketing Systems for Public Transport Based on RFID/NFC Technologies

Pervasive digitization of human environment has dramatically changed our everyday lives. New technologies which have become an integral part of our daily routine have deeply affected our perception of the surrounding world and have opened qualitatively new opportunities. In an urban environment, the influence of such changes is especially tangible and acute. For example, ubiquitous computing (also commonly referred to as UbiComp) is a pure vision no more and has transformed the digital world dramatically. Pervasive use of smartphones, integration of processing power into various artefacts as well as the overall miniaturization of computing devices can already be witnessed on a daily basis even by laypersons. In particular, transport being an integral part of any urban ecosystem have been affected by these changes. Consequently, public transport systems have undergone transformation as well and are currently dynamically evolving. In many cities around the world, the concept of the so-called electronic ticketing (e-ticketing) is being extensively used for issuing travel permissions which may eventually result in conventional paper-based tickets being completely phased out already in the nearest future. Opal Card in Sydney, Oyster Card in London, Touch & Travel in Germany and many more are all the examples of how well the e-ticketing has been accepted both by customers and public transport companies. Despite numerous benefits provided by such e-ticketing systems for public transport, serious privacy concern arise. The main reason lies in the fact that using these systems may imply the dramatic multiplication of digital traces left by individuals, also beyond the transport scope. Unfortunately, there has been little effort so far to explicitly tackle this issue. There is still not enough motivation and public pressure imposed on industry to invest into privacy. In academia, the majority of solutions targeted at this problem quite often limit the real-world pertinence of the resultant privacy-preserving concepts due to the fact that inherent advantages of e-ticketing systems for public transport cannot be fully leveraged. This thesis is aimed at solving the aforementioned problem by providing a privacy-preserving framework which can be used for developing e-ticketing systems for public transport with privacy protection integrated from the outset. At the same time, the advantages of e-ticketing such as fine-grained billing, flexible pricing schemes, and transparent use (which are often the main drivers for public to roll out such systems) can be retained

Enhancing RFID performance and security in networked environments

In this thesis we propose and present a number of methods by which the performance and security of networked RFID systems can be improved. These include a networked P2P RFID architecture, a comprehensive RFID security framework, a RFID security protocol and an RFID malware detection and Prevention technique