In Search of a Perfect Identifier: Identifiers and Privacy

Claire Vishik, David Hoffman and Karim Lesina

Introduction

RFID technology can present privacy and security issues. These issues must be understood and the risks must be mitigated. Press coverage of some of these issues has often used hyperbole instead of reasoned analysis to assess the risks. In this paper, we attempt to address one of these risk areas of today’s technology that is not limited to RFID: unique identifiers used in hardware and software. These identifiers are connected to the ease with which a transaction can be linked to an individual directly or indirectly. Therefore, these identifiers have been considered by researchers and regulators, but no one has yet formed a unified theory of analysis. In the past, the designers of various protocols, such as the ethernet protocol, did not consider the potential privacy impacts from embedded static identifiers. However, developers now must pay more attention to mitigating these issues by obfuscating those identifiers that are linkable to a platform or a user.

Concerns about privacy and security of RFID applications are not limited to the technology itself, but are primarily centered on issues of data collection, aggregation, and analysis. Security and privacy problems in RFID are broader than the core technologies, and therefore should be considered in broader terms that would address additional complexities of the specific application area. Therefore, talking about “RFID security” or “RFID privacy” is difficult without giving consideration to the data collection process used for the specific application.

In this paper, in order to initiate this broader discussion, we highlight general characteristics of identifiers that make them more privacy-friendly. We also analyze conflicting trends in designing new systems and protocols, and describe the Trusted Computing Group’s (TCG) key hierarchy as an example of building specifications using privacy-friendly systems of identifiers. Without providing specific suggestions for RFID because the technology is so diverse, we bring the issue of privacy-conscious identifiers to the attention of the technology community and regulators. We do this to highlight the approach to privacy and security that, without replacing current methods of security and privacy protection, can complement them to create a more robust environment that is applicable to multiple technologies, including RFID.

A Perfect Identifier

The first goal of a specification is to solve a business problem in a standard way. Although security and privacy are increasingly incorporated into the design stage, features supporting primary functionality in a system or protocol are given priority. As a result, security and privacy have to be adapted to the functional features in a specification. In this regard, ensuring that all the components provide the best possible privacy solutions while also ensuring optimal performance and efficiency for the primary tasks is not always possible.

The sections below describe features of privacy-friendly identifiers that are designed in a way that makes their links to objects and individuals they denote extremely hard to capture. Table 1 below illustrates some of them: an ideal identifier is dynamic, not linked to identifiable information, can be transferred to a different object and is controlled by the user.

Table 1. Some features of unique identifiers

| Feature | Description | Perfect Identifier |
|---|---|---|
| Ability to identify | Ability of the ID, or its easily obtainable combinations with other information, to reliably identify an individual or an object with sole ownership by an individual | Has no connection with the individual or easily attributable object in the identifier |
| Mutability | Frequency of change | Changes very frequently, sometimes used only once |
| Transferability | Extent to which the identifier can be transferred to a different object or can be applied to a large group of objects | Can be transferred from object to object with ease |
| Assignability | Ease of passing the object with identifier to other individuals | Can be easily transferred to other individuals or attributable objects |
| Accessibility | Ease with which the identifier can be accessed | User exercises control over who/what can access the identifier |

While incorporating all of these features into all new protocols cannot be expected due to intrinsic technology limitations, some of the characteristics described above have become common. For example, dynamic identifiers are ubiquitous, and many applications use random combinations of characters as account IDs or session IDs. But static identifiers, e.g. MAC addresses, continue to exist as foundations of commonly used protocols. In cases where new privacy-friendly identifiers cannot be designed, technology comes to the aid of developers to compensate for the limitations of identifiers used in everyday applications.

Figure 1. Characteristics of Identifiers

RFID: Security and Privacy

RFID is a family of diverse technologies, ranging from simple and inexpensive passive supply chain tags to sophisticated “systems on a chip” and smart cards.

Figure 2. RFID security and privacy

In applications as varied as e-passports, credit cards, patient tracking and inventory tags, the security and privacy vulnerabilities and means of remediation are also diverse. In addition, some applications, such as supply chain and inventory control systems, are not susceptible to negative privacy impacts if used as designed. Figure 2 above illustrates some of the security and privacy vulnerabilities in a simplified generic RFID system. Privacy vulnerabilities (enclosed in red frames in Figure 2) include potential for eavesdropping, unauthorized tracking, aggregation and dissemination of analytical information including data captured by RFID readers, and similar risks.

Some of the privacy vulnerabilities described above can be mitigated by designing identifiers and related protocols in a privacy-friendly fashion. The actual methods of increasing privacy-friendliness of identifiers in systems including RFID are dependent upon the design and nature of the applications. While advice relating to RFID identifiers is not provided in this paper, the next section is an illustration of the privacy-conscious approach to designing identifiers that is used by TCG and in Intel’s products based on this technology.

Trusted Computing and Intel® Trusted Execution Technology: Creating Privacy Conscious Identifiers

As the sophistication of software attacks increases ahead of detection techniques, can we continue to trust our own computers and other devices and ensure that an entity “will behave in a particular manner for a specific purpose” [1]? A series of open specifications developed by TCG is defining an environment that can increase the trust of users or service providers to establish a higher standard of safer computing. The immediate impact of these specifications is on client machines.

[1] https://www.trustedcomputinggroup.org/groups/glossary/

The core TCG specification is for the Trusted Platform Module (TPM). The TPM is a chip typically attached to the motherboard of a PC. The TPM enables important security features, such as secure nonvolatile storage for encryption keys, integrity reports, and secrets. TCG is also working on TPMs for other devices (e.g. mobile phones and PDAs) to achieve greater trust in multi-device mobile environments typical of modern computing. The result should provide stronger protection for information in all locations where it resides.

Intel® Trusted Execution Technology (TXT), formerly LaGrande Technology, extends capabilities of a TPM. Directed at business customers, Intel® TXT helps create a trusted computer, one that provides its users enough information to decide whether to trust the platform. In conjunction with Intel® Virtualization Technology (VT), Intel® TXT enables a protected partition where applications requiring greater confidentiality can be executed in isolation. Protected execution in isolated domains, together with memory protection that increases the likelihood that only the CPU in protected execution mode accesses protected memory pages, enhances security of confidential data and applications.

TCG specifications have developed procedures and architecture necessary to mitigate potential privacy concerns in a trusted platform without sacrificing the validity of the assurance a trusted platform is designed to provide. TPM-equipped PCs require the owner’s authorization to switch on the TPM and for activities supported by a TPM, such as attestation. Intel® TXT supports the privacy safeguards already present in a standard TPM, adding opt-in for Intel® TXT and Intel® VT to uphold the user’s choice in all the components of the trusted platform.

As a root of trust on the platform, a TPM needs to provide cryptographic support for such functions as platform attestation and authentication, but also ensure that the user’s choice and his/her need for privacy are preserved at all times. In order to uphold privacy, the TPM specification designs the (cryptographic) key hierarchy so that a static identifier (Endorsement Key or EK) is substituted with domain-oriented keys (Attestation Identity Keys or AIKs) to limit the exposure of a trusted platform in standard user protocols. With EK only, there would be some danger of tracking transactions associated with a particular device. To avoid even a possibility of tracking, the complex key hierarchy for a TPM (Figure 3 below) is implemented to eliminate cryptographic associations between the static Endorsement Key (EK) and domain-oriented AIKs used for attestation and authentication.

To supplement the privacy features contained in the key hierarchy, TCG specifications support architectures and protocols that further strengthen privacy. The architecture using a third party, a Privacy CA (Certification Authority), that can validate the TPM keys in transactions without revealing the identity of the device is one of these methods supported by TCG.

Figure 3. TPM Key Hierarchy

Since the use of a third party may be a source of weakness in some scenarios, TCG also endorsed the Direct Anonymous Attestation (DAA) protocol that can ensure complete anonymity of transactions directly while preserving the high level of assurance. DAA permits the user to convince a verifier that a trusted hardware module is used without revealing the user’s identity. If the same platform accesses the same verifier several times, the verifier will not be able to identify the transaction as originating from the same platform. DAA is based on the group signature scheme and Camenisch-Lysyanskaya anonymous credentials system and has the ability to detect rogue credentials, which thereby protects the trusted environment. As the TPM example illustrates, even in a complex system like a TPM focusing on authentication, it is possible to design privacy-friendly architectures and protocols.
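The linkability argument of this section, as an added example that is not code from the paper or from TCG: two verifiers pool their logs under the static-EK design and under the per-domain AIK design with a Privacy CA, and then again with the CA's own records included, which is the third-party weakness noted above. The class names are hypothetical, random byte strings stand in for EK and AIK public keys, an HMAC stands in for the CA's signature, and DAA itself is not modeled.

```python
import hashlib
import hmac
import secrets


class PrivacyCA:
    """Sees EK and AIK together; hands back a certificate for the AIK only."""

    def __init__(self, genuine_eks):
        self._key = secrets.token_bytes(32)   # stand-in for the CA signing key
        self._genuine = set(genuine_eks)
        self.records = {}                     # AIK -> EK, held only by the CA

    def certify(self, ek, aik):
        if ek not in self._genuine:
            raise ValueError("unknown endorsement key")
        self.records[aik] = ek
        return hmac.new(self._key, aik, hashlib.sha256).digest()

    def check(self, aik, cert):
        # Stand-in for verifying the CA's public-key signature over the AIK.
        expected = hmac.new(self._key, aik, hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert)


class Platform:
    def __init__(self):
        self.ek = secrets.token_bytes(32)     # static, one per device
        self._aiks = {}                       # verifier domain -> (AIK, cert)

    def identity_for(self, domain, ca):
        # Fresh random AIK per domain; nothing is derived from the EK.
        if domain not in self._aiks:
            aik = secrets.token_bytes(32)
            self._aiks[domain] = (aik, ca.certify(self.ek, aik))
        return self._aiks[domain]


def linked(log_a, log_b):
    """Identifiers two verifiers can join on after pooling their logs."""
    return set(log_a) & set(log_b)


def simulate(n_devices=5):
    devices = [Platform() for _ in range(n_devices)]
    ca = PrivacyCA([d.ek for d in devices])
    # Design 1: both verifiers are shown the static EK.
    eks = [d.ek for d in devices]
    # Design 2: each verifier is shown its own AIK and the CA certificate.
    shop = [d.identity_for("shop", ca) for d in devices]
    bank = [d.identity_for("bank", ca) for d in devices]
    certs_ok = all(ca.check(aik, cert) for aik, cert in shop + bank)
    shop_ids = [aik for aik, _ in shop]
    bank_ids = [aik for aik, _ in bank]
    # If the CA's records are pooled too, every AIK maps back to its EK.
    via_ca = linked([ca.records[a] for a in shop_ids],
                    [ca.records[a] for a in bank_ids])
    return {"certs_ok": certs_ok,
            "static_ek": len(linked(eks, eks)),
            "per_domain_aik": len(linked(shop_ids, bank_ids)),
            "aik_plus_ca_records": len(via_ca)}


if __name__ == "__main__":
    print(simulate())
```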

Obfuscation Technologies

In addition to “anonymization” and “brokering” approaches illustrated in the previous section, numerous technologies have been invented to obfuscate different types of unique identifiers, with the intent to make it harder to link the identifier to the full record or transaction and make interception more difficult. Some of these technologies are briefly described below.

1. Splitting. Splitting is a popular method to obfuscate objects, and it is used in a variety of applications. In medical information systems, records and identifiers are sometimes split and encrypted with different keys. Technologies exist where encrypted files or encryption keys are split to protect against unauthorized access. Credentials are “split” for strong/multi-factor authentication where password, PIN, or token is supplemented with biometrics or additional information. These technologies enhance security and have a beneficial effect on privacy.

2. Encrypting. Scrambling confidential information both at rest and during transmission is one of the most common ways of security/privacy protection. Encryption has to be coupled with other technologies and precautions: encryption keys should be protected, revoked, and renewed; access to data and keys needs to be strictly controlled. Encryption provides strong support for confidentiality of information, but does not have built-in capabilities to support the user’s choice; they need to be supplied by the application using encryption.

3. Changing components of data. This method is not very different from encryption, but can be applied more directly to identifiers, as is done in the RSA SecurID token. In this token, random number generation algorithms are synchronized on the server and the token and then are combined with other factors, such as a PIN or password. A similar method is used in “virtual” credit cards adapted for online use, where a new random number is generated every time the card is involved in online transactions. In other applications, components can be changed in images (e.g. in CCTV footage) to prevent re-identification of subjects.

4. Removing links. In order to protect the identifier and prevent re-identification, links to other components of a transaction may be removed, relocated or eliminated. For example, if only a list of dynamic IP addresses that accessed a Web site during the last 15 minutes is preserved, then in the absence of other information it will provide very little insight into the browsing patterns of individuals. Similarly, a list of record ID numbers is not very informative if other parts of the record have been removed from the logs or accessible servers.

Many other technologies and approaches are available to help protect privacy in a system, if protocols or system specifications used have limited privacy and security coverage. With the constant increase in computing power and available bandwidth, these technologies will become more common and provide additional privacy protection for everyday online activities.
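An added example for item 3 above, not code from the paper and not the algorithm of the token it names: the standardized time-based one-time password construction (RFC 6238, HMAC-SHA1) is used in its place to show a value that token and server compute in step from a shared seed, combined with a PIN and accepted only once. The seed, PIN and salt values are constructed for the example, and the `Server` class is hypothetical.

```python
import hashlib
import hmac
import struct


def time_code(seed, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code for the time step containing `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Server:
    """Holds the same seed as the token, a salted PIN hash, and a replay guard."""

    def __init__(self, seed, pin, step=30, drift_steps=1):
        self._seed = seed
        self._salt = b"constructed-salt"          # sample value for the example
        self._pin_hash = self._hash_pin(pin)
        self._step = step
        self._drift = drift_steps
        self._last_step = -1                      # highest time step accepted

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify(self, pin, code, now):
        if not hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            return False
        current = int(now) // self._step
        # Tolerate small clock drift, but never accept the same step twice.
        for s in range(current - self._drift, current + self._drift + 1):
            if s <= self._last_step:
                continue
            expected = time_code(self._seed, s * self._step, self._step)
            if hmac.compare_digest(expected, code):
                self._last_step = s
                return True
        return False
```

An observer who records one accepted code learns nothing reusable: the next time step yields a different value, and the server refuses a step it has already accepted.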

Identifiers, Interoperability, and Global Identities

RFID and TPM are only two examples of the use of unique identifiers in technology. RFID is also not unique in its ability to transmit potentially identifiable information without the users’ knowledge and consent. Although currently other technologies similar to RFID have not been widely deployed, it is reasonable to expect that in the near future many objects will be networked and will possess one or more unique identifiers; it will be the “Internet of Things.” Sensor networks of the near future are likely to span numerous environments, from healthcare and shopping to everyday household activities.

Today’s technologies include numerous identifiers that ensure communications between and among software and hardware components. These identifiers, while frequently not identifying an individual, can be coupled with other information to derive unique characteristics allowing those with sufficient knowledge and access to identify individual users, locations or groups. Future technologies and applications will include increasing numbers of linked identifiers. Future analytical applications will be able to better correlate these identifiers, leading to greater potential for re-identification under some circumstances.

As applications and protocols become increasingly interoperable, they have to exchange information identifying various components of a transaction. These components can represent a device or its element, a user, an application, a connection or a session, and many other “modules” that are part of end-to-end connectivity and comprehensive systems. End-to-end coverage is highly desirable because it improves the users’ experiences, but it also creates additional issues for security and privacy because more information has to be shared and disambiguated in order to ensure correct operations.

Recent technology trends emphasize the importance of interoperability, frequently through the use of open standards. When different systems interoperate, they need to mutually identify components and processes to be linked. This linking leads to a greater propagation of information and potentially greater security and privacy risks. Multiple access points may increase the number of vulnerabilities. Even the most secure protocols have unique identifiers that need to be used in order to implement core functionality. As electronic transactions and digital assets proliferate, efforts to enforce tracking of digital objects and access control will need to be undertaken together to ensure that such transactions could happen anonymously.

We witness co-existence of these seemingly opposing trends. They reveal themselves in technologies invented to support two conflicting goals: end-to-end auditability and support for anonymity. The use of identifiers is essential for success of RFID and sensor networks, for system integration, and for simplifying access to users’ accounts. It is always desirable to limit the number of identifiers that could be linked, directly or indirectly, among themselves and to personal information. It is always desirable to give the users control over identifiers in devices and applications they own or access, and, at the same time, it is also necessary to link identifiers among themselves and with their “global” representations, thus increasing the efficiency of networked applications, but also the probability that some information may be inadvertently released, transmitted without appropriate protection or notice, or become susceptible to new security threats.

Many RFID applications rely on new technologies, and can take advantage of the approaches to privacy developed during thirty years of personal computing and fifteen years of the commercial Internet. Designing privacy-friendly identifiers together with other methods of privacy protection can be part of the solution for some of the privacy problems associated with current and future uses of RFID technologies.

Existing member state implementing legislation of the 95/46 Data Protection Directive provides an adequate framework to understand the privacy issues of unique identifiers. This framework focuses on the processing of “personal data”, which will by necessity review each specific application and require minimization of processing, and the proportional collection of “personal data”. There will be many uses of RFID where the implementation will not process any “personal data”. For those areas that do use “personal data”, the European Data Protection Authorities are well situated to provide guidance on how to provide effective notice and choice to preserve individual privacy. Robust, harmonized and predictable enforcement of the current implementing legislation can work in concert with responsible product design to mitigate privacy risks.

Conclusions

Privacy is about individual control. If people have control over their personal information, they then have the authority to approve or reject various uses of such information. Ideally, users should be able to switch on and off the features that transmit personally identifiable information, and new technologies could ensure that the opportunity to exercise choice and control exists in a growing number of systems and that an adequate level of privacy protection is ensured. In this way, technology innovation can help mitigate privacy issues. Identifiers and related protocols can be designed in ways that support users’ choice and desire for privacy. In older established protocols, innovative technologies can be used to enhance privacy.

The general study of identifiers that is the main topic of this paper illustrates that modern computing technologies are too complex and too dynamic to be a direct subject of regulation. If legislation focuses on the use of the technology, then innovation can provide the tools to help entities collect and process personal information in compliance with the regulations.
