Wednesday, July 26, 2006

Proximity Passport Perception Problems Persist

Image Credit: theducks.org/© 1995-2006 Alex Dawson

Radio Frequency Identification (RFID) enabled passports have many inherent benefits, however, some fears of identity theft and other potential information breech perceptions exist.

The confusion and concerns about the potential of anyone being able to retrieve private, personal information "from a distance" may just be a matter of education - says an ABI Research Report.

Excerpts from eWEEK -

Report: DHS Should Soothe RFID Passport Fears
The upcoming U.S. e-passports are still giving rise to privacy concerns; ABI Research recommends that the government speak up about the technology.
By Renee Boucher Ferguson - eWEEK - July 25, 2006


There is a lot of miscommunication regarding the security and privacy of the U.S. government's new RFID-based e-passports, according to ABI Research Analyst Sarah Shah.

ABI Research released a report July 25 that suggests that the Department of Homeland Security, which will issue the e-passports in conjunction with the State Department starting in August, should speak out to reassure the public about the safety of contactless technologies.

The U.S. government plans to implement contactless technology, which is essentially data transmission that is activated by waving a reader over an RFID (radio-frequency identification) chip that has a tiny embedded antenna, in all electronic passports by the end of 2006.

"There are uneducated claims being made by some privacy advocates," said Shah, in Oyster Bay, N.Y. "They make claims such as, 'If you have a contactless chip in your passport [the government] can track you everywhere and they'll know everything about you.' This is simply not true, and the DHS should publicly explain what the technology is capable of, and why it's secure."

Since the State Department announced in 2005 that it would issue RFID-chipped passports by the end of 2006 to all passport agencies, security and privacy advocates have been up in arms.
The concern is that the data stored on the chips - including name, address, nationality and date of birth—will be accessible not only to customs agents, but to anyone with the wherewithal to hook up a reader and go scanning (or skimming, as the case may be) for information. The tiny silicon-based RFID chips that will be embedded in the passports themselves contain embedded antennas, which transmit data once a specially designed RFID reader is waved in front of it. One issue is the range at which the readers can access data.


"Our concerns extend beyond the passports," said privacy advocate Katherine Albrecht, co-author of "Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID," during a May 26 interview with eWEEK. "At a recent conference calling for RFID tags in identity documents [some speakers] were talking about the tags being read from 20 to 30 feet away. We were actually quite stunned by that."

Kevin Ashton, the co-founder of MIT's Auto ID-Labs, the research center that essentially founded a global RFID network and standard that has since become EPCglobal, is against the idea of using RFID chips in passports.

"The idea of storing all this sensitive data [in passports] is horrible. You can take the chip off one passport and stick it on another. No one will know the difference," said Ashton, now vice president of marketing at ThingMagic, in Cambridge, Mass., and a professor teaching RFID classes at MIT. "My big issue is it is truly a stupid idea to store any information on an RFID tag other than a unique number. Otherwise there is always the risk of data change."

Ashton suggested that the way the e-passport's RFID technology should work - if it has to be there at all - is to have a chip that stores a unique number that can only be authorized by those people who should have access to it. The number would refer back to data stored in a secure database. The only information anyone should be able to find on the passport, he said, is a photo.

----
Bruce Schneier, a well-known security technologist and author, said during a May 26 interview with eWEEK that eavesdropping will only get easier.

The DHS has implemented some security and privacy devices on the e-passport chips: a metal shielding device on the passport's front cover that prevents the data from being read when it's closed, and BAC [basic access control] technology to prevent skimming and eavesdropping of data. Schneier said the precautions are good, but not good enough.

"Shielding is good. Basic access control is good. Putting a switch would be great," said Schneier, in Mountain View, Calif. "But if you don't have RFID you don't need any of this. I haven't seen any compelling reasons why we are doing this. If we [the government] did it out in the open then everyone would scream."

----
"The public has pretty overwhelmingly said they don't want RFID in documents, yet [the government] plowed ahead with it anyway," Albrecht said.

ABI Research said the bottom line is that the ongoing security and privacy debates probably will not have an impact on the DHS' decision to issue e-passports in August.

"We feel that the DHS should take steps to mitigate public concerns today," Shah said.

Read All>>

RFID may sound like a good idea for automating the process of identification through our nation's checkpoints, but when it comes to the internal security of our country and the protection of our identity ... this just isn't the same application process as a "Mobil Speedpass" or a freeway tollway access payment verification.

Typical, the federal government remains clueless to the real issues that surround the application of this proximity technology.

As in real estate (location, location, location) the axiom for the implementation of a new technology is "application, application, application!"


UPDATE (August 21, 2006):
New US Passports Contain Secure Identification Chips from Infineon; Advanced Technology Meets International Standard for Secure Travel Documents Image Credit: Infineon Technologies AG

Infineon to supply chip for U.S. e-passports
U.S. set to begin issuing passports equipped with RFID chips containing biometric data
By John Blau, IDG News Service - August 21, 2006

German chip maker Infineon Technologies will supply chips for new electronic passports that the U.S. will begin issuing in the coming weeks.

Of the 15 million e-passports to be issued by the end of the year, several million of them will be equipped with Infineon chips, the manufacturer said Monday.

The first wave of U.S. passports with chips, however, comes despite lingering privacy and security concerns. Earlier this month, a German security expert at the Black Hat security conference in Las Vegas demonstrated how e-passports -- equipped with an RFID (radio frequency identification) chip containing biometric data -- could be copied using a laptop computer, an RFID reader and smart card reader software.

The chip contained in each new U.S. passport issued from October will contain personal data, such as the bearer's name, date of birth, validity period, and a digital photo of the individual.

The e-passport, according to Infineon, is designed with multiple security levels, including the basic access control (BAC). This security feature requires the border control inspector to pass the document over a scanner that reads coded information and then authorizes the electronic reader to access the data stored on the chip. Data transmission occurs over a distance of only around four inches, or 10 centimeters.

More than 50 individual security mechanisms are inside the Infineon chip, including sophisticated computing methods for encrypting data. Protective shields on the surface of the chip and sensors also help prevent unauthorized people from being able to read the contents of the chip.

Infineon, which is located in Munich, is supplying chips for e-passport to several other countries, including Germany, Norway, and Sweden.
Link Here>>

Tuesday, July 25, 2006

Convenience Trumps Impulse Capitalism

Image Credit: Fujitsu Transaction Solutions - USCAN

It turns out that when shoppers are into a pure "Hunter/Gatherer" mode of shopping (ie. get in - get it - and, get out), the impulse nature of decision shopping drops dramatically.

You know what you want and you run to the store to get the items, where do you choose to checkout and get on with your day? The self-checkout station, that's where. A place where there is elbow room, no racks to bump into, and a quick turn-around conclusion to your short shopping experience ... after all, you have better things to do.

This self-checkout thing has become a real problem to retailers, however. Now, some of us will not even shop in a store unless they offer a self-checkout option!

This from the New York Post -

QUICKIE CHECKOUT CUTS BUYS
By SUZANNE KAPNER - New York Post - July 25, 2006

Self-checkout aisles at supermarkets dramatically reduce impulse purchases of items like chocolates and magazines, a new study reveals.

Shoppers make last-minute purchases 45 percent less often when they use automated checkout machines, as opposed to waiting for a cashier to check them out, according to IHL Consulting Group.

The drop in impulse purchases was greater for women (50 percent), than for men (27.9 percent), according to IHL, which polled 533 people to determine their shopping habits.

IHL analyst Greg Buzek warned that companies like Hershey's, Wrigley's and Pepsico, which make many of the products that line supermarket check-out lanes, could face a drop in sales unless they figure out a way to better appeal to time-strapped consumers.

Some supermarket chains like Kroger and Meijer have addressed changing consumer behavior by adding items like rotisserie chicken and fresh baked breads to the front of stores, to entice shoppers through their sense of smell, as opposed to simply using visual displays, Buzek noted.

In 2005, consumers spent more than $110.9 billion in self-checkout transactions at retailers, up 35 percent from the prior year, IHL said.

However nearly 30 percent of respondents said they preferred cashiers, opting to only use self-checkout when lanes staffed by employees had long lines.

Read All>>

Have Scanner ... Will Shop!

Wednesday, July 19, 2006

"Food Deserts" Lead To Heightened Early Death Rates

Researcher Mari Gallagher measured the distance to the nearest grocery and the nearest fast-food restaurant for every city block to come up with what she called a "food balance" score for each community area in Chicago. Image Credit: Chicago Sun-Times

A report titled, "Examining the Impact of Food Deserts on Public Health in Chicago," is believed to be the first to examine the correlation between population and the access to food in supermarkets. Further, this report follows past research by Gallagher looking at the distribution of chain supermarkets in Chicago and access to grocery stores as a function of income.

Excerpts from the Chicago Sun-Times via FMI Daily Lead -

Early deaths tied to lack of grocery stores
BY JANET RAUSA FULLER Staff Reporter - July 18, 2006

Chicagoans who live in areas with scant grocery stores and many fast-food restaurants are more likely to die prematurely and at greater rates from diabetes, cancer or heart disease, a study to be released today finds.

Residents of such "food deserts" -- clustered predominantly on the West and South sides -- also are more likely to be obese and suffer from hypertension, according to the study commissioned by LaSalle Bank.
----

Taking into account health data for those areas and holding race, income and education constant, Gallagher found that the more "out of balance" a community is in terms of food choices, the higher the prevalence of chronic health issues and diet-related deaths.

Diabetes rates more than double

African Americans, in particular, are "most disadvantaged when it comes to balanced food choices," her research found. They travel the farthest on average to any type of food store and tend to live in communities that make up three main clusters of food deserts in Chicago, according to the study.

The death rate from diabetes in the worst -- and predominantly black -- food deserts is more than twice that of other communities, the study found.

"I think the good news of this study is that it brings a new call to action for what can be done in these communities," Gallagher said. "We know that across the country, the black population generally has higher diet-related deaths and health disparities. Can you change somebody's genetics? Can you change somebody's eating preferences? Can you change somebody's income? Certainly there are some things along those lines that can be done . . . but the good news is you can probably even more easily locate a grocery store somewhere."

----
The areas with the highest concentrations of single mothers and children "is almost a one-on-one match" with areas designated as food deserts, the study found.

Obesity also said to be related

The study, which will be the focus of a forum today at the Palmer House Hilton, also makes a correlation between the location of grocery stores and body mass index, suggesting that, "as grocery store access decreases, obesity increases." The West and South sides have the highest obesity rates, while the North and Northwest sides have the lowest rates, the study found. Gallagher said the addition of even a single grocery store in an area where there are few to none could lower obesity rates.

Read All>>

Why Symblogogy? -- If you are not scanning, you are not living!

Wednesday, July 12, 2006

2 Fingers, Or 3? ... The Accountability Of RFID

Typical bar scene at the Mai Thai Bar - Patong beach - Phuket Thailand. Image Credit: phuketwatch.com

RFID (Radio Frequency Identification) tag technology has come a long way from just being a tool to log if something or someone has passed through a reader field so that one knows if the object has been tracked to its present location or not.

Now, there are tags that record the movements and duration (time) the tagged object was moved so that one could make assessments as to what was happening with the tagged object without actually watching exactly what had happened to be informed.

These tags are now being applied to liquor bottles to aid the owner as to the efficiency of the bartending staff. These tags track the angle movement of the bottle to be poured and logs the amount of time the bottle is in this position, and with software, the manager is able to determine how much was actually poured and served to the bar customer.

So, when the bartender asks you, "Is it 2 fingers, or 3? ... What he/she really means is - is it a two or three second "tilt" from the RFID-tagged bottle.

Excerpts from eWEEK -

Bartending, RFID Style
By Evan Schuman, Ziff Davis Internet - July 11, 2006

On a busy Saturday night, a good bartender makes a lot of money for the bar's owner, but an overly generous bartender - or one fond of pouring free drinks for friends - can cost the owner even more.

A Miami-based 7-year-old beverage-monitoring software company is drinking from the keg of RFID and is selling a tilt switch that attaches to bottles and updates an Internet database every time the bottle is poured. Hilton, Hyatt, Outback Steakhouse, TGI Fridays and others are reportedly testing the system.

It's not merely recording how many times the bottle is poured, but it factors in the tilt of the bottle, the duration of the pour and the bartender's pouring style to calculate how much liquid is leaving the bottle.

"The software converts the tilt into an estimated volume, and the conversion is automatically perfected based on the history of each bottle; hence it becomes more accurate over time and adapts to each bartender's habits. When the bottle is empty, our sensor knows it and the software readjusts the historical pours of each bottle to the known volume of the bottle," said Beverage Metrics CEO David Teller, who said his company has between $5 million and $10 million in annual revenue. "Our system reconciles pours to ring-ups and recipes and automatically decides what is a long pour that should be changed to two pours [and] when to combine short pours in sequence."

Because the server that watches the tilt-tracking RFID system also tracks the POS (point-of-sale) system, it can also know what ingredients bartenders are using to make drinks and whether they are following the authorized recipes in addition to whether they are pouring too much or too little.

Teller said he expects the sensors to eventually sell for "less than $2 with housing, attachment means, on/off switch, tilt switch, TI micro, five-year battery and RF circuit." Right now, though, the price is closer to $5 plus a subscription fee roughly equivalent to about 1 percent of revenue, Teller said.
----
Although the system's readers have a range of about 50 feet, Teller said a bartender can't outsmart the system by pouring a drink beyond the range of the sensor - or simply disabling the sensor - because all of the tags are in periodic contact with the server.

"It issues an alert if the tag is removed," he said. "If the sensor doesn't ping, 'Hey, I'm here' after an hour, we start paying attention to that guy."

John Fontanella, an RFID analyst with the Aberdeen Group, dubbed Teller's system "an interesting idea" but wondered whether wireless rings around the bottles would scare off customers and chill some of the bartender-drinker relationship.

----
But Fontanella is even more cynical about whether it will truly minimize theft. "I'm already thinking about how bartenders will beat this," he said. "They will find a way."
Read All>>

Thursday, July 06, 2006

RFID Privacy Guidelines - Like Catching JELL-O.

Jell-O Trivia: March 17, 1993, technicians at St. Jerome hospital in Batavia test a bowl of lime Jell-O with an EEG machine and confirm the earlier testing by Dr. Adrian Upton that a bowl of wiggly Jell-O has brain waves identical to those of adult men and women. Image and Information Credit: LeRoy Historical Society/JELL-O Museum

The Canadian province of Ontario recently issued guidelines on how companies, using RFID in consumer based applications, should always consider the privacy of the individual consumer's information gathered and how it can or should be used.

The guidelines were issued by the Information and Privacy Commissioner/Ontario - Ann Cavoukian, Ph.D., Commissioner, in June - and were intended to serve as privacy "best practices" guidance for organizations when designing and operating Radio-Frequency Identification (RFID) information technologies and systems.

The problem comes when a company is already using information gathered via barcode, how does one square these privacy guidelines with the company's current loyalty program and advertising methods.

There's more.

Excerpts from an opinion issued by eWEEK -

Canadian Province's New RFID Privacy Guidelines Could Have the Wrong Effect
By Evan Schuman, Ziff Davis Internet - June 22, 2006


The commissioner for Information and Privacy in Ontario unveiled June 19 a series of tips and guidelines for using RFID within her part of Canada.
----
The guidelines themselves certainly need to be examined seriously, because North American products can ill afford to accommodate two different standards, and besides, neither Mexico nor the United States has any material privacy RFID rules at the moment.

Current U.S. views on RFID privacy pretty much come down to a modified monetary laissez-faire policy ("leave campaign contributors alone and the market will take care of itself"), while Mexico's position is closer to "You can capture anything about our citizens that you want as long as you pay a living wage. OK, one-fourth a living wage, but we want a break after 18 hours of work."

The Ontario approach is a bit different. One example: "Organizations should only collect, use or disclose RFID-linked personal information for purposes that a 'reasonable person' would consider appropriate in the circumstances."


It then lists two things that Ontario believes would be unreasonable: "price discrimination" and "tracking and profiling individuals without their informed, written consent."

The "price discrimination" is aimed at applications that will charge lower prices to customers they want to attract and higher prices for those they want to repel, such as aggressive bargain hunters.

There have been unsubstantiated allegations about this on some Web sites, but those allegations involved cookies, not RFID.

Still, the potential exists for RFID to enable the same kind of capability. But isn't this simply a continuation of the time-honored discounts for those with a frequent shopper loyalty card?

Aren't those card programs offering discriminatory pricing, in the sense that some customers are being charged different prices than others?

That gets into that second reference: " tracking and proļ¬ling individuals without their informed, written consent."

Is this to be interpreted to mean that such tracking/profiling is permitted in Ontario, as long as it doesn't involve RFID?

It would seem silly to permit it for CRM programs as long as they used barcodes, but to somehow find the privacy invasion reprehensible if it involves RFID.


Tracking and profiling are fighting words. Is it profiling to offer discounts on one brand of peanut butter only for people who regularly purchase a particular competing brand?

Is it tracking to note that one consumer spends more than $900 per month typically and then to send them e-mail invitations to some event?

The wording in the Canadian material doesn't exclude aggregate data, but isn't that based on tracking individuals? Is that prohibited as well?

----
Here's a well-intentioned one: "Organizations should not use or disclose RFID-linked consumer information for any purpose to which the individual has not consented."

The only problem is that retailers will likely throw such language into the fine print on the back of every loyalty card, check-cashing card or anything else, including credit card slips.

As long as fine print exists on unrelated documents, such consumer consent will have little value.

It's certainly a good thing that some government officials are thinking through where RFID could go in terms of consumer protections.

But government edicts without industry support won't help much.

----
Back in December 2004, U.S. Senator Chuck Schumer called a news conference to promise legislation to regulate how retailers handle return policies. That legislation was never introduced.

Although Schumer's office has never officially explained what happened, some who were working on the legislation said that it became quite difficult to legislate wording and policy on something so customizable and also so proprietary.

In other words, the exact methodology to determine excessive returns could be thwarted if fraudsters knew the particulars.

----
There is a common thread between the two. On a surface level, forcing return policies and RFID tracking policies to be public sounds like a good thing, but digging down deeper, it's very complicated to do it in a meaningful way that will actually advance the public cause.

Will government leaders score points by announcing rules and then abandon their efforts without enforcement?


Updated: Opinion: Warning consumers about anything presupposes that there is something bad about that item, something that should be avoided. This might be a self-fulfilling prophecy.
Read All>>

Consumer based RFID applications will always require critical review of their intended results and eventual consent by consumer privacy advocacy groups as to the benefits derived.

Tuesday, July 04, 2006

Grocery Database Errors vs. Price-Scanner Errors

Label with Universal Product Code (UPC) barcode. Borrego Springs Bottled Water distributed throughout San Diego County in Southern California. Image Credit: ecj

This issue of terminology is really getting out-of-hand. The terminology in question is the use of "Price-Scanner Errors" when the price on the shelf and/or the price sticker on a product does not match-up with the price stored in the database when the product is passed over the barcode scanner at checkout.

The terminology suggests that the problem with the difference in the price rests with the lowly input device ... the barcode scanner ... that the scanner has transmitted errors in the price.

It never fails that the Main Stream Media (MSM) packages a story to be broadcast around the Holidays warning of this evil, ugly threat of the barcode scanner getting the price wrong, and it usually benefits the retailer and gyps you, the consumer. That darn barcode scanner!

The poor barcode scanner is just a (excuse me) dumb input device. The scanner reads the barcode which contains a code specific to the product being scanned. The code is then transmitted to the main computer that holds the information programmed to be looked-up for that product in a file called a 'Database" (or look-up file). Humans control the information that is stored the file about the product and that includes the pricing information.

So, guess what, the price-scanner errors are really human to computer database entry errors. The information is not kept up-to-date (sloppy) or there is an attempt to defraud (not good) which is why companies that continually have errors after a survey ... get fined.

Please correct this terminology - "Price-Database Errors" as opposed to "Price-Scanner Errors".

This from the Winston-Salem Journal -

Clemmons market pays error penalty
The Winston-Salem Journal - Thursday, June 29, 2006

The N.C. Department of Agriculture and Consumer Services recently collected a $1,170 civil penalty from Southern Family Markets #83 at 3627 Clemmons Road in Clemmons, for excessive price-scanning errors.

Inspectors found price-scanner errors during two separate inspections at the store, the department said in a statement. An initial inspection in February found an error rate of 7 percent based on seven overcharges from an inspection lot of 100 randomly selected items.

A follow-up inspection in April found eight errors from 300 items, an error rate of 2.7 percent. If a store has more than a 2 percent error rate on overcharges, inspectors discuss the findings with the store manager and conduct a more intensive follow-up inspection, the statement said.

Link Here>>