8 July 2003

Silicon.com has an explanation of what went wrong at the Auto-ID Web
site with the leaked confidential documents:
Tracking tag firm exposes confidential data online
http://silicon.com/news/500013-500001/1/5037.html

"These are now being taken down as the company works to fix the hole
but visitors typing "confidential" into the site's search engine were
presented with 68 sensitive documents."

I'm willing to bet early visitors to the Auto-ID Web site also looked at
internal documents and didn't even know it. Pretty much any search
phrase could end up finding internal documents.

I hadn't thought of this problem before. A site-based search engine
is much more likely to find internal documents than Google. A
site-based search engine gets to work with directory listings, while
Google does not. Internal documents can appear in a directory, but
they may never be linked to by other documents. A site-based search
engine will find everything, but Google only finds linked documents.
A site-based search engine would also find hidden directories with yet
more internal documents.

I bet this problem is present on many Web sites. I wonder what
companies who make search engine software for Web sites have to say
about this "glitch".

Richard M. Smith

http://www.ComputerBytesMan.com
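
The difference described in the message above can be checked on a copy of a web root. This is an added example, not part of the original message and not any search product's code: it lists files that exist on disk but are not reachable by following links from the home page, which is what a directory-walking indexer would surface and a link-following crawler would miss. The sample site, its file names, the `index.html` start page and the `http://site/` placeholder base are assumptions constructed for the demo.

```python
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import unquote, urljoin, urlparse

class LinkParser(HTMLParser):  # collects href/src targets from one page
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src") and v]

def linked_files(root, start="index.html"):
    """Files a link-following crawler reaches from the start page."""
    seen, queue = set(), [start]
    while queue:
        rel = queue.pop()
        page = Path(root, rel)
        if rel in seen or not page.is_file():
            continue
        seen.add(rel)
        if page.suffix.lower() in (".html", ".htm"):
            parser = LinkParser()
            parser.feed(page.read_text(encoding="utf-8", errors="replace"))
            for link in parser.links:
                url = urlparse(urljoin("http://site/" + rel, link))
                if url.netloc == "site":  # skip off-site and mailto: links
                    queue.append(unquote(url.path).lstrip("/"))
    return seen

def unlinked_files(root):
    """Files on disk (what a directory-walking indexer sees) that no link reaches."""
    on_disk = {p.relative_to(root).as_posix()
               for p in Path(root).rglob("*") if p.is_file()}
    return sorted(on_disk - linked_files(root))

def build_sample_site():  # constructed sample web root; file names are made up
    root = Path(tempfile.mkdtemp())
    pages = {"index.html": '<a href="papers/whitepaper.html">Research</a>',
             "papers/whitepaper.html": '<a href="../index.html">Home</a>',
             "media/board_minutes.pdf": "internal",      # never linked
             "media/old/draft_plan.html": "internal"}    # unlinked directory
    for rel, body in pages.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    print(unlinked_files(build_sample_site()))
```

Run against a copy of the real document root, every path it reports should be reviewed, moved out of the web root or excluded from indexing before a site search engine is pointed at that tree.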

8 July 2003

FOR IMMEDIATE RELEASE
RFID Twist: CASPIAN Praises Auto-ID Center's "Openness Policy"

Consumer group seeks answers to three basic questions

July 8, 2003

CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)
invites the MIT Auto-ID Center to demonstrate its claim of being
nonsecretive about the tracking of consumer products with radio
frequency identification (RFID) tags.

Yesterday, the Center's Director Kevin Ashton claimed openness in a
Boston Globe interview: "We don't have anything to hide, and we're
very open with what we do."

This was in response to CASPIAN's disclosing a security hole on the
Auto-ID Center website (www.autoidcenter.org) that permitted access to
embarrassing and confidential documents. See

http://www.boston.com/dailyglobe2/18...racking+.shtml


"We're very pleased that the Center is open to sharing information
about its activities," said CASPIAN Founder and Director Katherine
Albrecht.

"This is what we have been calling for all along. Now we'd like to see
them prove it."

CASPIAN is challenging Ashton's claim by issuing 3 basic questions
about the Center's current trials, including trials where Gillette
Mach 3 razors are silently tagged and tracked at selected Wal-Mart
stores.

1. What products are currently being tagged with RFID devices as part
of the Auto-ID Center trials? What products have been involved in past
trials?

2. Where can consumers see the RFID trials underway? Please provide
specific store location information.

3. Where can consumers get details about what information is being
collected when they purchase tagged items during these trials? For
example, are consumers being tracked, videotaped, or photographed?

Even RFID supporters are requesting that trial information be made
public. Pro-RFID journalist Mark Roberti of RFID Journal beseeched
companies to share more information after hearing of yesterday's
security gaffe:

"I would implore any company currently running a pilot or considering
one to brief the press on it and be as open about it as possible.
Openness will convince your customers that you have no ill intent.
Secrecy breeds mistrust. I know companies are risk-averse, and it's
easy to think that not publicizing a trial reduces the risk of bad
publicity. In fact, it only increases the risk that your company and
this technology will be portrayed in a negative light." See

http://www.rfidjournal.com/article/articleview/494/1/1

"We encourage Mr. Ashton and his organization to release these details
as evidence of their public commitment to openness," says Albrecht.

Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN)
is a grass-roots consumer group fighting retail surveillance schemes
since 1999. With members in all 50 U.S. states and 15 nations across
the globe, CASPIAN seeks to educate consumers about marketing
strategies that invade their privacy and to encourage
privacy-conscious shopping habits across the retail spectrum.

For more information about CASPIAN visit http://www.nocards.org.

Katherine Albrecht, CASPIAN Founder and Director: (877) 287-5854

Mary Starrett, CASPIAN Media Associate: (602) 315-6193

###

8 July 2003. Mirrors of the Auto-ID RFID docs:

http://quintessenz.org/rfid-docs/cry.../rfid-docs.htm
http://www.cryptogon.com/2003_07_06_...58884475666166


http://leaked.info/rfid-docs/rfid-docs.htm

8 July 2003: A Zipped file of the 10 documents cited by CASPIAN:

http://cryptome.org/rfid/rfid-10.zip (2MB)
Mirrors are encouraged; send URLs to: jya@pipeline.com

7 July 2003

Auto-ID has begun to withdraw many of the documents cited in the
CASPIAN release, and might substitute with less offensive files.
Cryptome archived the original files and has replaced the original
CASPIAN links to Auto-ID with Cryptome links.



--------------------------------------------------------------------------------

FOR IMMEDIATE RELEASE

July 7, 2003

RFID Site Security Gaffe Uncovered by Consumer Group
CASPIAN asks, "How can we trust these people with our personal data?"

CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)
says anyone can download revealing documents labeled "confidential"
from the home page of the MIT Auto-ID Center web site in two mouse
clicks.

The Auto-ID Center is the organization entrusted with developing a
global Internet infrastructure for radio frequency identification
(RFID). Their plans are to tag all the objects manufactured on the
planet with RFID chips and track them via the Internet.

Privacy advocates are alarmed about the Center's plans because RFID
technology could enable businesses to collect an unprecedented amount
of information about consumers' possessions and physical movements.
They point out that consumers might not even know they're being
surveilled since tiny RFID chips can be embedded in plastic, sewn into
the seams of garments, or otherwise hidden.

"How can we trust these people with securing sensitive consumer
information if they can't even secure their own web site?" asks
CASPIAN Founder and Director Katherine Albrecht.

"It's ironic that the same people who assure us that our private data
will be safe because 'Internet security is very good, and it offers a
strong layer of protection' [see
http://www.autoidcenter.com/new_medi...s_answers.pdf] would provide
such a compelling demonstration to the contrary," she added.

http://cryptome.org/rfid/questions_answers.pdf

Among the "confidential" documents available on the web site are slide
shows discussing the need to "pacify" citizens who might question the
wisdom of the Center's stated goal to tag and track every item on the
planet [ http://www.autoidcenter.com/media/communications.pdf ],
along with findings that 78% of surveyed consumers feel RFID is
negative for privacy and 61% fear its health consequences [
http://www.autoidcenter.org/media/pk-fh.pdf ].

http://cryptome.org/rfid/communications.pdf
http://cryptome.org/rfid/pk-fh.pdf

PR firm Fleishman-Hillard's confidential "Managing External
Communications" suggests a variety of strategies to help the Auto-ID
Center "drive adoption" and "neutralize opposition," including the
possibility of renaming the tracking devices "green tags." It also
lists by name several key lawmakers, privacy advocates, and others
whom it hopes to "bring into the Center's 'inner circle'" [
http://www.autoidcenter.com/media/external_comm.pdf ].

http://cryptome.org/rfid/external_comm.pdf

Despite the overwhelming evidence of negative consumer attitudes
toward RFID technology revealed in its internal documents, the Auto-ID
Center hopes that consumers will be "apathetic" and "resign themselves
to the inevitability of it" instead of acting on their concerns [
http://www.autoidcenter.com/publishe...toid-eb002.pdf ].

http://cryptome.org/rfid/cam-autoid-eb002.pdf

Consumer citizens who are not feeling apathetic will be pleased to
learn that the site provides names and contact information for the
corporate executives who oversee the Center's efforts. Since the phone
list isn't labeled "confidential," we're assuming that Auto-ID Center
Board members are open to calls and mail that might help them better
understand public opinion on this important subject.

Anyone interested in speaking with Dick Cantwell, the Gillette VP who
heads the Center's Board of Overseers, for example, can find his
direct office number listed on the Auto-ID Center's website here:

http://www.autoidcenter.com/uploads/..._overseers.pdf

http://cryptome.org/rfid/226691160-l..._overseers.pdf

To experience the Auto-ID Center's security holes firsthand, simply
visit the web site at http://www.autoidcenter.org and type
"confidential" in the site search box. The Center encourages such site
exploration: "Our website has Research Papers and other information
that anyone can download for free. There is also a Sponsors Only area
of the site, which includes information and materials not available to
the public at large. We encourage you to visit our site frequently to
stay up to date with the Center's many activities."

Following are other examples of sensitive documents available at the
site:

February 27, 2003 Board minutes:

http://www.autoidcenter.com/media/fe...utes_feb03.pdf
http://cryptome.org/rfid/joint_minutes_feb03.pdf

ONS server schematics:

http://www.autoidcenter.com/media/fe...oatsystems.pdf
http://cryptome.org/rfid/oatsystems.pdf

EMS documentation:

http://www.autoidcenter.com/media/software.pdf
http://cryptome.org/rfid/software.pdf

Documentation of RFID field tests:

http://www.autoidcenter.com/media/field_test_nov02.pdf
http://cryptome.org/rfid/field_test_nov02.pdf

Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN)
is a grass-roots consumer group fighting retail surveillance schemes
since 1999. With members in all 50 U.S. states and 15 nations across
the globe, CASPIAN seeks to educate consumers about marketing
strategies that invade their privacy and to encourage
privacy-conscious shopping habits across the retail spectrum.

For more information about CASPIAN, visit http://www.nocards.org.

Katherine Albrecht, CASPIAN Founder and Director: (877) 287-5854

Mary Starrett, CASPIAN Media Associate: (602) 315-6193

###



--------------------------------------------------------------------------------

The confidential documents listed below will likely be withdrawn as
soon as the host, Auto-ID Center, learns they are publicly accessible
(see note above). Mirrors of the documents are encouraged. Cryptome
has archived the documents (~20MB). If they are withdrawn by Auto-ID,
and you want a mirror, send a request to jya@pipeline.com

Item 11 describes a PR campaign to persuade the public that RFID --
radio-frequency ID tagging of products -- is beneficial technology
despite consumer privacy fears. It proposes an "international privacy
advisory council:"

• Create a Privacy Advisory Council to:
    provide 3rd party validation to Center’s privacy commitment
    offer valuable guidance on technology and privacy issues
    serve as spokespeople, when necessary
• Made up of:
    well known, credible, and credentialed experts
    potentially adversarial advocates
• Examples of potential members:
    Harvard Information Infrastructure Project
    Georgetown Center on Law and Technology
    Center for Democracy and Technology
    Electronic Privacy Information Center
    Global Information Infrastructure Commission
    Consumer Federation of America
    Privacy Officers Association
    European Consumers’ Union

and enlist prominent opinion-makers:

• Including, for instance:
    U.S. Senators Leahy and McCain
    U.S. Representatives Dingell and Tauzin
    FTC Bureau of Consumer Protection
    National Association of Attorneys General
    AARP
    AFL-CIO
    Head of Unit, EC, Information Society
    Leaders of European Parliament Industry Committee


--------------------------------------------------------------------------------

Source: http://www.autoidcenter.org/