These reading notes record my thoughts and summaries from things I read.

Mickey Mouse is following you

Your personal data privacy is constantly invaded by various parties; to many of those you voluntarily and happily give out personal data.  Who is a more likely party than your favourite games and toys?  IT World recently disclosed that Disney World is planning to improve the fun and its services this Spring by introducing RFID wristbands to visitors to the park.

This gadget is not new.  Many game parks already provide RFID bracelets to children to monitor their whereabouts in the park.  Lost kids are now history.  Many large safari parks also use such devices on vehicles in order to monitor the movement of tourists.  A safari park is practically the wilderness, and the safety of tourists is a major concern.  The Disney wristband attracted media attention because it is an upgrade of RFID usage and could do a lot more.

RFID is basically an electronic barcode from which simple information such as a serial number can be read.  It is convenient because of proximity access: it can be read from a short distance.  More importantly, it can be read by scanners placed at strategic locations, thus yielding location-based data.  Disney's advertisement announced many benefits.

  • Use your wristband to open the door of your Disney World hotel room.
  • Use your wristband to directly go through the turnstile at the entrance of the park.
  • Use your wristband to buy a cinnamon bun at the park bakery.
  • Meet Mickey Mouse, and it will address you by your first name.
  • Hold up your wristband for the photographer, and he will take the classic family photo at the famous spot for you.
  • Use your wristband to play the interactive spy game.  It can help unlock the hidden secrets for you.
  • Just hold up your wristband at the thrill ride and a video of you on the ride is added to your PhotoPass account.

All these friendly features and improved services hinge on the fact that you gave out your personal information and credit card information to be recorded, and on the many scanners located at service delivery spots around the park.  The reporter asked the obvious conspiracy theory question: What are you going to do with my personal data?  The standard answer is: Data are used only for park business: more convenient, fast and personal services, easy accounting, and safety in the park.

The worry of privacy advocates is how long these data will be kept, and whether they will be disclosed to others.  Despite the assurance that data will be destroyed after a certain period, the fact is that data will be kept for accounting and audit purposes for as long as they are required.  If the data are stored somewhere, then someone somehow may gain access to them.  Many large corporations have stated the intention that the data en masse may be used for statistical and research purposes.  However, the assurance of the security of personal identity is still weak.  We may have to live with the fact that our personal data are always in the cloud.

Personal data privacy with RFID technology has been studied for quite some time.  Notwithstanding its convenience and power in logistics, marketing, and commerce, its weakness comes from its strength.  It is as convenient as air: anyone with a scanner can read the RFID information from a distance.  The initial success of RFID was in warehouse control, where the movement of pallets and inventories was accurately tracked.  Academics warned that RFID is not secure and should not be used for sensitive information and personal identification.  There is a related article in IT World on this topic which is very interesting.  However, hopefully after weighing all the pros and cons, the government moved away from the personal privacy concern and pushed RFID technology into diverse areas.

The basic form of RFID only records a number.  This number can be used as an index into a database for further information.  Hardening the database and its security measures could provide strong security for the information.  A plain scan of this number may not have deep meaning.  Newer RFID chips could do a lot more.  The memory capacity could be a few kilobytes.  A chip could then store an identity card number, social security number, full name, credit card information and much more.  We are all quite familiar with the Octopus Card, where storage of a door access code or membership number is now very common.
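The difference between the two designs can be modelled in a few lines. This is an added example, not part of the original post: the serials, names, reader IDs and read events are all constructed, and the reader allow-list stands in for whatever access control the hardened database uses. It also shows that a serial-only tag, read by scanners at known spots, still yields a location trail.

```python
from dataclasses import dataclass, field

# Constructed sample data: serials, names and reader IDs are made up.
BACKEND = {"04A1B2C3": {"name": "Alex", "room": "1207"}}
AUTHORIZED_READERS = {"hotel-door-12", "bakery-pos-3"}  # hypothetical IDs

@dataclass
class Tag:
    serial: str
    memory: dict = field(default_factory=dict)  # empty for an ID-only tag

    def read(self):
        # A tag answers any scanner in range; it cannot tell who is asking.
        return {"serial": self.serial, **self.memory}

def backend_lookup(reader_id, serial):
    # The hardened database releases a record only to known readers.
    if reader_id not in AUTHORIZED_READERS:
        return None
    return BACKEND.get(serial)

def exposure(tag, reader_id):
    """Everything a given reader learns from one scan."""
    learned = tag.read()
    learned.update(backend_lookup(reader_id, tag.serial) or {})
    return learned

def trail(reads, serial):
    """A fixed serial still links sightings at scanners with known locations."""
    return [(when, where) for when, where, s in sorted(reads) if s == serial]

id_only = Tag("04A1B2C3")
data_on_tag = Tag("04A1B2C3", {"name": "Alex", "card_last4": "4242"})
READS = [  # constructed (time, scanner location, serial) events
    ("10:05", "turnstile", "04A1B2C3"),
    ("13:10", "bakery", "04A1B2C3"),
    ("11:40", "thrill ride", "04A1B2C3"),
    ("11:45", "bakery", "0F9E8D7C"),
]

if __name__ == "__main__":
    print(exposure(id_only, "unknown-scanner"))      # serial only
    print(exposure(data_on_tag, "unknown-scanner"))  # personal data leaks
    print(trail(READS, "04A1B2C3"))
```

With the ID-only design the protection rests entirely on the backend check and on how long the read events are retained; with data on the tag there is nothing left for the backend to protect.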

Someone swiped the Octopus Card to buy something.  Just see what happened.  This was a printout for the customer.  The shop should know much more.  From the printout, this Octopus Card holder, whose identity and credit card information were known to the merchant, was at Apleichau shop AL03 on 13 January 2013 at about 1 pm.  He bought two packets of biscuits at a discount.  He is probably a teenager who likes sweet snacks, and is probably a couch potato who likes to watch TV while nibbling on the snacks.  Without his knowing, the shop, based on his personal data, rearranged the shop front, putting sweet snacks and soft drinks at prominent locations; more stock and more varieties of snacks were ordered.  Next time he visits, he will probably buy a lot more.  If the shop did this for me, I would be very happy.

Proximity is relative.  We have a false sense of security that keeping the card safely in the wallet is good enough.  But being a proximity card, RFID can be read from a distance, and the distance depends on the scanner device.  We again have a false sense of security that the card must be swiped against the reader for it to function.  But that is not quite true.  If you have watched the MTR advertisement, you should know that you do not have to hit the turnstile with the Octopus Card; just pass the card a few millimetres above.  With a powerful scanner, a few millimetres could become centimetres or even metres.  There was an experiment in which a powerful scanner carried along a busy street could capture the credit card information of many people passing by.  But don't panic.  The thief who carried this scanner all day could die of cancer first because of its strong radiation.

On the good side, we could make use of the convenience of RFID technology to improve our quality of life.  Embrace Mickey Mouse while you still can, and on more friendly terms because you now know each other by first name.  The reporter said, RFID is good, but not in my arm.  What if the RFID tag injected in your arm recording your every move is also your cell phone, digital camera and MP3 player?  Would that be cool and worth a bit of your personal data?