Saturday, 8 August 2009

Locational Privacy

The EFF (Electronic Frontier Foundation) has published a great article on the implications of location-aware services and technology for privacy.

Transit passes and access cards

Another broad area of application is for passcards and devices
allowing access to protected areas; for instance, passcards which allow
access to bike lockers near train stations, or cards which function as
a monthly bus pass. A simple implementation might involve an RFID card
reporting that Bob has checked his bike into or out of the storage
facility (and deducts his account accordingly), or equivalently that
Bob has stepped onto the bus (and checks to make sure Bob has paid for
his pass). This sort of scheme might put Bob at risk.

A better approach would involve the use of recent work on anonymous credentials.
These give Bob a special set of digital signatures with which he can
prove that he is entitled to enter the bike locker (i.e. prove you're a
paying customer) or get on the bus. But the protocols are such that
these interactions can't be linked to him specifically and moreover
repeated accesses can't be correlated with one another. That is, the
bike locker knows that someone authorized to enter has come by, but it can't tell who it was, and it can't tell when this individual last came by. Combined with electronic cash, there is a wide range of card-access solutions which preserve locational privacy.



The time has come for the unnecessary collection of personally identifying information by transport operators to stop, permanently addressing this aspect of locational privacy.

This subject surfaced briefly with the introduction of the Snapper transport payment card in Wellington, but it was not addressed practically by the transport operators, who appear to rely on assertions about the security of the device rather than preventing the undesirable uses to which the gathered information may be put.

The technology required for anonymous credentials is now practical. Legislators and privacy guardians should move from wording policy statements to demanding that personally identifying information not be collected unnecessarily.
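
A sketch of the idea in the quoted EFF passage, added here and not taken from the EFF article or this post: it uses Chaum-style RSA blind signatures to issue single-use access tokens, a simpler relative of anonymous credentials, so the operator can confirm payment at issuance yet cannot link a token shown at the gate to Bob or to his other tokens. The toy key, the names (`Gate`, `issuer_sign`, `demo`) and the token format are assumptions constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the transit operator. Two Mersenne primes keep the
# example short; a real issuer needs a 2048-bit+ key and a vetted library.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the issuer

def h(token: bytes) -> int:
    """Hash a token into Z_N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(token: bytes):
    """Card side: hide the token behind a random factor r before issuance."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Operator side: called after checking Bob has paid. Sees only `blinded`."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Card side: strip r, leaving an ordinary RSA signature on h(token)."""
    return (blind_sig * pow(r, -1, N)) % N

class Gate:
    """Bike locker or bus reader: knows only the operator's public key (N, E)."""
    def __init__(self):
        self.spent = set()
    def admit(self, token: bytes, sig: int) -> bool:
        if token in self.spent or pow(sig, E, N) != h(token):
            return False
        self.spent.add(token)        # single use, so a copied token is rejected
        return True

def demo() -> dict:
    token = secrets.token_bytes(16)   # chosen by the card, never sent at issuance
    blinded, r = blind(token)
    issuer_log = ("bob", blinded, issuer_sign(blinded))  # all the operator can record
    sig = unblind(issuer_log[2], r)
    gate = Gate()
    return {"admitted": gate.admit(token, sig), "replay": gate.admit(token, sig),
            "forged": gate.admit(b"forged-token", sig),
            "linkable": h(token) == issuer_log[1] or sig == issuer_log[2]}
```

The `linkable` check only shows that the issuer's record and the gate's record share no values; the underlying guarantee is that any token is consistent with any blinded value under some choice of `r`.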
