Bug devices track officials at summit
Published: 18 Dec 2004 (Washington Times Article, Audrey Hudson (Washington Times))
Badges assigned to attendees of the World Summit on the Information Society were affixed with radio-frequency identification chips (RFIDs), said Alberto Escudero-Pascual, Stephane Koch and George Danezis in a report issued after the conference ended Friday in Geneva. The badges were handed out to more than 50 prime ministers, presidents and other high-level officials from 174 countries, including the United States.
The trio's report said they were able to obtain the official badges with fraudulent identification only to be stunned when they found RFID chips â a contentious issue among privacy advocates in the United States and Europe â embedded in the tags.
Researchers questioned summit officials about the use of the chips and how long information would be stored but were not given answers.
The three-day WSIS forum focused on Internet governance and access, security, intellectual-property rights and privacy. The United States and other countries defeated an attempt to place the Internet under supervision of the United Nations.
RFID chips track a person's movement in "real time." U.S. groups have called for a voluntary moratorium on using the chips in consumer items until the technology and its effects on privacy and civil liberties are addressed.
Mr. Escudero-Pascual is a researcher in computer security and privacy at the Royal Institute of Technology in Stockholm. Miss Koch is the president of Internet Society Geneva, and Mr. Danezis studies privacy-enhancing technologies and computer security at Cambridge University.
"During the course of our investigation, we were able to register for the summit and obtain an official pass by just showing a fake plastic identity card and being photographed via a Web cam with no other document or registration number required to obtain the pass," the researchers said.
The researchers chose names for the fake identification cards from a list printed on the summit's Web site of attendees.
The hidden chips communicate information via radio frequency when close to sensors that can be placed anywhere "from vending machines to the entrance of a specific meeting room, allowing the remote identification and tracking of participants, or groups of participants, attending the event," the report said.
The photograph of the person and other personal details are not stored on the chip but in a centralized database that monitors the movement. Researchers said they are concerned that database will be used for future events, including the next summit to be hosted by Tunisian authorities.
The lack of security procedures violates the Swiss Federal Law on Data Protection of June 1992, the European Union Data Protection Directive, and United Nations' guidelines concerning computerized personal-data files adopted by the General Assembly in 1990, the researchers said.
"The big problem is that system also fails to guarantee the promised high levels of security while introducing the possibility of constant surveillance of the representatives of civil society, many of whom are critical of certain governments and regimes," the report said.
"Sharing this data with any third party would be putting civil-society participants at risk, but this threat is made concrete in the context of WSIS by considering the potential impact of sharing the data collected with the Tunisian government in charge of organizing the event in 2005," it said.
The organization Reporters Without Borders was banned from attending the summit and launched a pirate radio broadcast to protest the ban and detail press-freedom violations by some countries attending the meetings, including Tunisia.
"Our organization defends freedom of expression on the Internet on a daily basis. Our voice should therefore be heard during this event, despite this outrageous ban," said Robert Menard, secretary general of Reporters Without Borders.
Tunisia is among several countries Reporters Without Borders has accused of censoring the Internet, intercepting e-mails and jailing cyber-dissidents.