Use of RFID tags raises privacy concerns - Computerworld

"If ever there was a technology calling for public-policy assessment, it is RFID," said Beth Givens, director of the Privacy Rights Clearinghouse, an advocacy organization in San Diego. "RFID is essentially invisible and can result in both profiling and locational tracking of consumers without their knowledge or consent."

The EPC product identity network has been under development at the MIT AutoID Center for some time and will have its coming out party in Chicago Sept 15th at the EPC Symposium. EPC is the acronym for Electronic Product Code, and is the segment of RFID that is looking to replace bar codes on products with serialized RFID tags of a standardized design.

I find it significant that you have to read well into this article before you see the phrase RFID. Repositioning the EPC segment of the RFID market as "electronic bar codes" in this article is clearly not accidental, and is probably smart, given the poor PR and privacy issues that have been raised by recent RFID pilot projects.

I've written often in my weekly newsletter (you do subscribe right? If not go to the home page and put your email address in the box at the top center of the page) that digital identity projects must give thought to their positioning on levels beyond the technology to avoid creating political problems for themselves.

For RFID, this repositioning comes after failure to think about the socio-political impact of their technology has created legislative hearings on privacy around EPC technology, but it is early and the repositioning has a very good chance to be successful. This never had to happen, however, and other identity technology developers should learn from their experience.

Security firm aims to ease RFID concerns | CNET News.com

The technique, one of few RFID-blocking technologies being worked on by researchers, is still a concept in the labs. But the next step is to develop prototype chips and see if manufacturers are interested in making the processors, according to Ari Juels, a principal research scientist with RSA Laboratories. Blocker and RFID tags are about the size of a grain of sand and cost around 10 cents.

This article highlights the use of 802.11b and RFID in a german retailer. The uses are as you would suppose they would be, but its interesting to see this taking place in real-time with real customers.

Moreover, when stimulated by a radio signal, the chip transmits a unique code to identify the product to which the tag is fixed. This unique identifier carries not only the product's universal product code as bar codes currently do, but also gives that item its own unique identification. For example, instead of a bar code saying: "This is a box of Brand X detergent," the RFID chip says: "This is box No. 12345 of Brand X."

Talk about digital identity!

We've been having some conversations around Digital ID World as of late that digital identity breaks down into two essential categories: the identity of people and the identity of things. The identity of people gets of the attention, but the identity of things seems to be the larger of the categories.

FBI hunts down worm writers | CNET News.com

"It appears the account was created with a stolen credit card for the sole purpose of uploading the virus to the Usenet network," Michael Minor, chief technology officer of Easynews, said in the statement.

That's a new one for me -- identity theft facilitating a malicious hack. I guess that's why identity theft is called a "breeder offense" -- identity is never stolen *just* to steal it; the only use comes in committing another crime.

WebServices.Org - The Web Services Industry Portal - Waveset Offers Open Source Service Provisioning Markup Language Tool Kit

Waveset Technologies, Inc., a leading provider of innovative identity management solutions, today announced it has developed the industry's first SPML (Service Provisioning Markup Language) toolkit that allows third parties to SPML-enable their applications and management platforms. The toolkit offers an easy-to-use interface for configuring, issuing and interpreting standards-compliant provisioning requests across diverse identity infrastructures. It is based on SPML version 1.0 which was submitted earlier this month to OASIS (the Organization for the Advancement of Structured Information Standards) for review and acceptance as a worldwide standard. It is publicly available for download at no cost at www.openspml.org.

Portability near for wireless set

Interestingly, I've heard several tales of telecom companies turning to federated identity specifications (i.e., Liberty) for a possible solution for some of the problems associated with number portability.....and, of course, the entire impetus for number portability comes from Mark Foster, CTO of Neustar - Liberty Alliance member, and Industry Advisory Board member for Digital ID World (as well as a speaker at this year's conference)......you see, it really all does go back to identity.

Cutting-edge 'smart shelf' test ends | CNET News.com

The Tesco chain stopped using a high-tech shelf that it was testing in a Cambridge store, Greg Sage, a spokesman for the company, confirmed Friday. The shelf was designed to monitor stock and detect theft of Gillette razors, which are commonly stolen, by recording images of shoppers who removed razors from the shelf. The system also grabbed images at the cash register, when razors were rung up, according to reports. People taped at the shelf but not at the register could be suspected of shoplifting.

InfoWorld: Identity theft: It's not about you: August 22, 2003: By Tom Yager: Security

An interesting editorial from Tom Yager that talks about the need for a "single public standard for verifiable digital identity." Personally, I think that's a bit unreasonable to expect, although there are some things on the horizon at the goverment level that could *begin* to push toward standardizing the credentialing of individuals.

Coming soon: biometric passports

Indeed, a report written in January by the departments of State and Justice and the National Institute of Standards and Technology predicted that Congress will have to push back its biometric deadlines by at least one year because of the “size and intricacy of what needs to be implemented.”

A Meta Group Survey showed that 90% of companies are either already engaged in (65%) or planning in the near term (25%) Sarbanes-Oxley compliance programs.

Most of these projects are being initiated by CFOs. 29% of the companies surveyed, believe they can acheive compliance on their own, but Meta cautions this is a risky choice given the "relatively untested regulatory environment and the lack of experienced resources (actually none) internally."

SOX (the acronym for Sarbanes-Oxley) is driving more compliance projects than HIPAA or the USA PATRIOT act. The survey notes that 88% of companies indicate that the Sarbanes-Oxley compliance will be implemented globally (even though it is a US law.) The surevy author says ""Because of the required high level of preparation on a global scale, many firms will utilize SOX as a means of improving business efficiency, going beyond what is merely required to comply. We expect company leaders to initiate projects that deploy applications providing visibility/transparency, financial controls, and communications and fraud protection."

Can you say Digital Identity?

Treasure Coast is releasing "mail-lock", its email rights management software. It will integrate into Office 2003 and they claim it is easier to use than Microsoft's new rights management capability.

Rights Management has a bad name from its poorly thought out involvement in audio and video. But as it gains a Digital Identity focus it will become ever more common and important. It looks like already with the release of Microsoft Rights Management Server and Information Rights Mangement (IRM) technology in Office 2003, the concept is sinking in enough to prompt competition.

Spam may be a key here to driving deployment and acceptance, but the entire concept is to return control of data to its originator. This is a major concept at every level in a networked environment. Up to now it has sparked mostly controversy, but as it becomes understood it will garner fans as well - everyone likes to know they can make things work their way.

RFID Tunes Into Supply Chains - Computerworld

Everyone in the retail industry stopped and took notice when Wal-Mart Stores Inc. declared in June that it will urge its top 100 suppliers to deliver pallets and cases equipped with radio frequency identification (RFID) tags by 2005. Any directive issued by the world's largest retailer has the potential to drive sweeping adoption, and this particular one could spell major changes for supply chain management.

Several days ago, Eric alerted you to the plan for smart stamps. Now, as anticipated, the privacy issue debate begins.

This is one of many places where digital identity provides the capability to close holes in technology, and society needs to answer the question "should it do so?". Is there a right to mail a letter anonymously? Should there be? These are not simple questions, especially when you realize there really are bad people in the world who send letter bombs and things. The debate is needed, even if what prompts it isn't particularly well thought out...

Lawmakers are going to "probe" the implications of RFID technology:

Privacy activists worry, however, that the unchecked use of RFID could end up trampling consumer privacy by allowing retailers to gather unprecedented amounts of information about activity in their stores and link it to customer information databases. They also worry about the possibility of companies and would-be thieves being able to track people's personal belongings, embedded with tiny RFID microchips, after they are purchased.

RFID was out in front earlier this year in terms of adoption of identity technology, but the Wal-Mart debacle really stopped the industry in its tracks (at least, that's my sense). And now the politicians are getting involved.....

I knew there was a reason that digital identity is so interesting!

(sidenote: Phil Windley, ex CIO for the State of Utah, will be moderating a panel on identity at the state and federal levels....Do NOT miss this conference!)

Identity deploys on cell phones in europe:

MapAmobile locates users by tracing the unique identifier each cellphone transmits and triangulating between the network towers that transmit and receive signals to and from phones.

U.S. Postal Service eyeing technology for 'smarter' mail - Computerworld

In a final report released July 31, the President's Commission on the U.S. Postal Service said sender identification technologies such as "personalized stamps" that embed digital identification information would not only improve mail tracking and delivery operations but would also enhance the security of the entire mail system.

WebServices.Org - The Web Services Industry Portal - OASIS Call for Public Review of Extensible Resource Identifier Specification

Since the completion of the IETF URN work, a number of new technologies have appeared for modeling human semantics and data exchange relationships over the Internet, including the Semantic Web, Topic Maps, Web services, digital identity, and digital rights management. While many of these technologies require persistent identifiers, they have also generated a number of other new requirements for abstract identifiers that are not addressed by URNs. These requirements form the primary motivations for XRIs...

IBM gives nod to Wave security tools | CNET News.com

The recognition from Big Blue comes days after Wave announced another security software boost, from chip giant Intel. Last week, Intel announced it was working with Wave Systems to develop software that will enable a chip called the Trusted Platform Module (TPM) to handle security functions. The chip will be included on an Intel motherboard that's coming out in the fourth quarter of 2003.

News: Intel locks up deal for secure PCs

Under the pact, Portland, Ore.-based Wave Systems will supply software to enable a chip that handles security functions, called the Trusted Platform Module (TPM). The chip will be included on an Intel motherboard coming out in the fourth quarter, an Intel spokeswoman said.

With the TPM, users will be able to encrypt or decrypt documents as well as ensure that they get stored in secure areas on a PC's hard drive. The TPM specification was designed by the Trusted Computing Group, an industry consortium trying to establish standards for security. Members include Advanced Micro Devices, Hewlett-Packard, IBM, Intel and Microsoft.

WebServices.Org - The Web Services Industry Portal - Forum Systems Partners with Netegrity to Provide Solution for Web Services Security
Convergence of web services and identity begins in earnest:

Forum Systems, Inc., provider of the award-winning Forum Sentry™ 1500 series of XML Web services security gateways, today announced a partnership with Netegrity (Nasdaq: NETE), a leading provider of identity and access management solutions. Through this technology partnership, Forum Systems has integrated Forum Sentry with Netegrity TransactionMinder technology to deliver a centralized infrastructure for best-of-breed XML identity management, data privacy, digital signatures, and intrusion detection and prevention.

A 'Web service' you can use

Former Apple wiz Steve Wozniak thinks people would pay to be able to quickly locate those things they frequently misplace or otherwise lose track of. His Wheels of Zeus start-up hopes to combine the Global Positioning System (GPS) with a low-power, long-range wireless protocol that operates at about 1,200 baud. The company expects the combination GPS monitor and wireless radio to sell for less than $100. It is estimated that this can cover a range of 1 or 2 miles, but Wozniak believes it can be extended by using the Internet - by connecting one radio to another in a global peer-to-peer network you'd be able to search within a couple of miles of every attached wireless device.

End of the road for SMTP? | CNET News.com

The hard part, according to Hoffman and others, is establishing the "trust relationships" required to back up any computer-based authentication scheme--in other words, verifying that a person is who he or she claims to be.

The problem worsens, Hoffman said, when trying to design a system that authenticates mail servers, rather than individuals. In part, this is because a third party would have to determine whether an e-mail server is responsible for sending spam. That kind of responsibility--voluntarily assumed by operators of various spam blacklists--could be onerous and expensive, if applied to the Internet as a whole.

"Who is paying this third party for both the time and the legal risk in doing this?" Hoffman asked.