Results: RFID and Identity Management in everyday life - ITAS
Results: RFID and Identity Management in everyday life - ITAS
Results: RFID and Identity Management in everyday life - ITAS
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Results</strong>: <strong>RFID</strong> <strong>and</strong> <strong>Identity</strong> <strong>Management</strong> <strong>in</strong> <strong>everyday</strong> <strong>life</strong><br />
This could be any day <strong>in</strong> an ord<strong>in</strong>ary <strong>life</strong>: a person go<strong>in</strong>g to work by public transport, tak<strong>in</strong>g a car to<br />
go shopp<strong>in</strong>g <strong>and</strong> hav<strong>in</strong>g fun afterwards. In every sett<strong>in</strong>g, <strong>RFID</strong> displays an identity of this person to<br />
ga<strong>in</strong> access to services. In return the ma<strong>in</strong>ta<strong>in</strong>er of the <strong>RFID</strong> environment receives valuable<br />
<strong>in</strong>formation on this person. First of all on access: is this person allowed here? Once the systems are<br />
implemented <strong>and</strong> the databases start runn<strong>in</strong>g, they provide much <strong>in</strong>terest<strong>in</strong>g <strong>in</strong>formation, sometimes<br />
even more than anticipated. Profiles start to emerge on movements, spend<strong>in</strong>g, productivity,<br />
preferences, habits <strong>and</strong> so forth. These case studies demonstrate <strong>in</strong>novation takes place <strong>in</strong> practice,<br />
sometimes for better <strong>and</strong> sometimes for worse.<br />
Tak<strong>in</strong>g public transport: payments <strong>and</strong> profiles<br />
Many public transport organisations <strong>in</strong> Europe are currently replac<strong>in</strong>g paper based tickets <strong>in</strong> plastic<br />
public transport cards with <strong>RFID</strong> chip. These passive <strong>and</strong> partly rewritable chips are be<strong>in</strong>g read on<br />
enter<strong>in</strong>g a bus, metro, tra<strong>in</strong> or ferry. Most cards work as a debit card: money needs to be put on it<br />
before travell<strong>in</strong>g, either by putt<strong>in</strong>g cash <strong>in</strong>to a mach<strong>in</strong>e or a bank transaction. Some cards are more like<br />
credit cards: the costs of travell<strong>in</strong>g are purchased by the company after the trip took place. Debit cards<br />
can therefore, <strong>in</strong> pr<strong>in</strong>ciple, be anonymous as the traveller has already paid, while for credit cards full<br />
personal details are needed <strong>in</strong> order to secure payments are fulfilled.<br />
As long as the <strong>RFID</strong> system merely functions as a payment system, <strong>Identity</strong> <strong>Management</strong> is basically<br />
a matter of dist<strong>in</strong>guish<strong>in</strong>g between people who have paid or not, <strong>in</strong> some cases differentiat<strong>in</strong>g between<br />
one-off tickets, some forms of discount or seasonal tickets. For the user, it’s just like any other<br />
payment system. For the ma<strong>in</strong>ta<strong>in</strong>er however, many opportunities open up to monitor travell<strong>in</strong>g<br />
behaviour. With paper tickets, identities connected to it were cut off at the exit. With <strong>RFID</strong>, the l<strong>in</strong>k<br />
rema<strong>in</strong>s through the unique code which is scanned on every entry or exit. Sometimes this identity can<br />
be anonymous, for example “traveller X enter<strong>in</strong>g Bus 1 at 10.05, tak<strong>in</strong>g Bus 2 at 11.40.” This provides<br />
<strong>in</strong>formation for build<strong>in</strong>g profiles, such as: “people go<strong>in</strong>g from A to B, also travel frequently between C<br />
<strong>and</strong> D”. This can be valuable <strong>in</strong>formation for the market<strong>in</strong>g or the logistics department. In the<br />
follow<strong>in</strong>g cases, cards are also l<strong>in</strong>ked to a specific name, address <strong>and</strong> bank account – open<strong>in</strong>g up many<br />
opportunities for direct market<strong>in</strong>g or crime <strong>in</strong>vestigation.<br />
Remarkable enough, we found relatively few cases <strong>in</strong> which this use of <strong>RFID</strong> triggered any debate.<br />
One such example is the VRR/VRS Card [case #123] <strong>in</strong> North-Rh<strong>in</strong>e-Westphalia, Germany. The<br />
German Verkehrsverbund Rhe<strong>in</strong>-Ruhr (VRR) <strong>and</strong> Verkehrsverbund Rhe<strong>in</strong>-Sieg (VRS), was <strong>in</strong> 2003<br />
Europe’s biggest case <strong>in</strong> implement<strong>in</strong>g smart cards <strong>in</strong> tra<strong>in</strong>s <strong>and</strong> busses. The cooperation <strong>in</strong>volved 54<br />
different transport operators cover<strong>in</strong>g the whole region of North-Rh<strong>in</strong>e-Westphalia, with a total<br />
population of 10.6 million <strong>in</strong>habitants <strong>and</strong> h<strong>and</strong>l<strong>in</strong>g 1.1 billion passengers per year. The ma<strong>in</strong><br />
advantage of the e-Tickets is that travellers don’t have to buy a ticket anymore. A card reader which is<br />
placed <strong>in</strong> the bus or tra<strong>in</strong> registers where the cardholder gets on <strong>and</strong> off. At the end of the month the<br />
costumer gets the bill.<br />
Privacy watch group Foebud (Vere<strong>in</strong> zur Förderung des öffentlichen bewegten und unbewegten<br />
Datenverkehrs) did warn on its website the travel data could be used to monitor movements of people<br />
<strong>and</strong> make extensive use of personal data. Still, we found very few accounts of people or organisations<br />
who claim VRR/VRS actually uses the cards for other than mak<strong>in</strong>g transactions. VRS/VRS also<br />
explicitly claims only the relevant data necessary for the validity of the card are stored on the chip:<br />
name, validity-date <strong>and</strong> “zone-validity”. No travel details or more personal data are stored. Customers<br />
can even choose if they want to pay with a personalised credit card or an anonymous debit card.<br />
9