Summit group confirms use of ID chip
Published: 17 Dec 2004 (The Washington Times Article, Audrey Hudson and Betsy Pisik (The Washington Times))
However, a spokesman for the International Telecommunication Union (ITU), which was the host of the three-day event in Geneva last week, scoffed at concerns by privacy advocates that the technology could monitor an individual's movement or that the data it collects could be misused.
Three European researchers who discovered the chips in their badges, first reported by The Washington Times on Sunday, said participants were not told about the chips.
ITU spokesman Gary Fowlie confirmed during an interview from Geneva that radio frequency identification chips (RFIDs) were embedded in the passes and that data readers were in place to record information transmitted by the chip.
Mr. Fowlie disputed that RFIDs have long-range tracking capability, and called The Times story "really off base."
"Transmission distance is 1 to 2 centimeters. You have to put your badge right up to the screen," he said.
But U.S. and European privacy advocates and critics of RFID technology said the story was on target, and that the use of the chips at the summit has caused an uproar in the United States and Europe.
"It sent off a shot heard round the world," said Katherine Albrecht, director of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), a leading opponent of RFID technology.
"We're rolling in e-mails on this thing. It's confirmation this is real, it is here, and it's being abused already."
Last week's summit, which was partly organized by the United Nations, focused on Internet governance and access, security, intellectual-property rights and privacy. The badges were worn by more than 50 prime ministers, presidents and other high-level officials from 174 countries, including a representative from the United States, John Marburger, head of the White House Office of Science and Technology Policy.
In a lengthy statement to The Times yesterday, summit officials said participants were notified some personal information would appear on the Internet, but declined to say whether participants were told of the embedded technology.
The passes were intended "to facilitate identification by security at entry checkpoints," and participants had to swipe the badges across the readers to gain access to the summit and meeting rooms, the statement said.
"Readers were quite prominently displayed and were only placed at entry checkpoints," WSIS spokeswoman Francine Lambert said. "The data stored on our servers do not and cannot monitor movement."
U.S. companies use RFID chips to track inventory from the factory to stores. Manufactures also are testing a system that tracks products leaving the shelves and alerts employees to restock.
EZ Pass, used at toll booths, uses RFID technology. Authorities investigating the murder of federal prosecutor Jonathan P. Luna learned that he had made repeated trips to Philadelphia during the past six months by tracking electronic data gathered at toll booths in Pennsylvania and Delaware.
The Defense Department is requiring its top 100 suppliers to implement RFID technology by 2005 to track inventory. The remainder of its 43,000 suppliers must ship items RFID-ready by 2006.
But privacy advocates say the technology Mr. Fowlie described in use at the summit can be used on humans. "It's going to be used to track us," said Barry Steinhardt, director of the technology and liberty program for the American Civil Liberties Union in New York.
The ACLU said it has received complaints from Europeans concerned about how data collected at the summit will be used at the 2005 summit, where Tunisia plays host.
"There is a lot of concern this data will be transferred to Tunisia and used to punish citizens or residents, or to keep tabs on the participants who are coming there, perhaps deny entry," Mr. Steinhardt said. "There is a lot of concern that this data will be transferred to a less-than-democratic nation."
Ms. Lambert said the data was stored for one day on the readers and erased, but did not say how long data was stored on the database or if it was ever erased.
"The actual data submitted by participants was stored on ITU-secured servers that were not accessible by any other party than the [ITU, United Nations, and WSIS executive secretariat], and the data has not been communicated to any other party," she said.
The personal data was obtained from visa applications.
"This has tremendous value for intelligence gathering," said Alberto Escudero-Pascual, a researcher in computer security and privacy at the Royal Institute of Technology in Stockholm.
The chips were discovered by Mr. Escudero-Pascual, Stephane Koch, president of Internet Society Geneva, and George Danezis, a researcher of privacy-enhancing technologies and computer security at Cambridge University.
When the card containing an RFID chip is swiped onto the reader, the location information is sent via the chip's antenna to a database that contains information on the subject.
Mr. Escudero-Pascual said he witnessed the data collected by the summit when his information flashed on a computer screen at an entry point. The information included a picture of the participant, name, occupation, organization, a time stamp of all main entry points and each time the participant passed a line into a room.
The data is stored in chronological order, allowing readers to determine when, where and which participants are walking into the room.
"They might want to know, 'Who has Alberto been queuing with for the last few days?' and they can basically see who Alberto is working with or talking to by who he enters with," Mr. Escudero-Pascual said.
"This is not a conspiracy theory. We use these systems in our daily lives to open garages, but people are not aware" of other ways the technology can be used, he said.
RFID chips are embedded in many "smart card" systems used for access to military bases, airports, gated communities, hospitals, state parks and country clubs. RFID chips also can alert government agencies to a host of law-breaking activities, such as expired insurance policies or license plates.
But tagging participants in a political summit raises privacy and security issues, and privacy advocates think the summit's organizers might have broken laws by not disclosing the chips' presence.
At least one of the researchers said it violates the Swiss Federal Law on Data Protection of June 1992.
"They may be exempt from those laws, but they certainly violated the spirit of the law by collecting highly personal information without their knowledge or consent," Mr. Steinhardt said.