RFID

Date post: 31-Oct-2014
Upload: petersam67
RFID: Good or Evil? By J.A. Hitchcock, author of Net Crimes & Misdemeanors
Transcript
Page 1: RFID

RFID: Good or Evil?

By J.A. Hitchcock

Author of Net Crimes & Misdemeanors

Page 2: RFID

Pros of RFIDs

• Easy to use

• Libraries can set up automated or self-checkout stations
  • At the University of Connecticut, the library set up self-checkout stations. That has freed up staff members, whose salaries total about $120,000, for other tasks around the library.

• Makes inventory easier
  • The University of Nevada libraries found more than 500 lost items after they tagged 600,000 items in their collection, which saved the library $40,000 in replacement costs.

• Prevents theft

• You can see if books/media are out of order faster

• Wave at a shelf and find “lost” books/media or rarely checked out books/media that can be moved to remote storage or sold at book sales

Page 3: RFID

Some Facts

• RFID tags have been in use for decades
  • Over 60 years ago, the British used RFID to identify incoming planes during WWII

• EZ-Pass RFID tags have been used to pay tolls since 1993 (New England now has FastLane)

• Mobil began using SpeedPass for faster transactions in 1997

Page 4: RFID

• Over 300 libraries now use RFIDs

• Library RFID tags are not tracked by satellite

• Tags are read by “readers” located in the library’s exit
  • (All of the major readers currently in libraries use 13.56 MHz technology. At this frequency, the read range is fairly short, typically no more than a few feet)

• Books/media can’t be tracked after leaving the library

Page 5: RFID

These are actual quotes from privacy “experts”

• “What if a person is gay and the status isn't public. Someone could look at the books (they checked out) and wonder if they are gay based on their reading choices.”

• “I would hope that people wouldn't think that just because I was reading Ezra Pound that I wasn't a fascist or some kind of secret op.”

• “Here's a technologically-possible scenario for the future: The microchip in your butt could be engineered to keep track of the books you have checked out or handled.”

Page 6: RFID

Privacy Concerns

1. How much information is embedded on a tag?

2. What if someone goes to a building with a library book and the reader there transmits the tag information in the book/media?

3. RFID tags could be used to place a person at a certain location/time

4. The RFID database could be hacked into

5. Someone may bring a portable reader into the library to find out who has what books/media

Page 7: RFID

1. How much and what kind of information is embedded on a tag?

• The majority have a barcode (usually around 96 digits long) or unique identification number which is associated with that book/media

• Some systems have more, such as the title, author and publication date

• Others could possibly hold more information, including the patron's name and/or library card number (these are few and far between, though)

• But no matter how little information is on the tag, it all traces back to who checked the book/media out, when and where UNLESS the library de-links or deletes that information when the book/media is checked back in.

Page 8: RFID

2. What if someone carrying a library book/media goes to a building with RFID technology and the reader there transmits the tag information?

• Many government and other buildings have RFID readers at their entrance (usually for SmartBadge IDs)

• There is the possibility the book’s tag will be read
  • But this goes for any item the person has on them that may have RFID tags, such as a SmartCard, SpeedPass, etc.
  • But there is only a slight possibility, because of the 13 or so manufacturers of readers, none have a common system
  • This means the government or other entity would need a reader from each company, which is not cost-efficient or feasible
  • Even if the reader was the same as your library’s, the tag usually has just a bar code or unique identifying number
  • It will mean nothing to the reader at a building that is not your library

Page 9: RFID

3. RFID tags could be used to place a person at a certain location/time

• Possibly, but historically, every time a patron checks out a book/media through non-RFID means, there is a record of the date, time and library location on their account

• While it’s technically possible to store who borrowed the book/media on the RFID, it’s not practical because of the limited memory capacity of the tags (usually 128 MB)

• Currently, no library RFID system on the market records any customer information on the tag itself.

• And no library RFID system can track down an overdue book to a certain location
  • You’ll have to find it the old-fashioned way, mail an overdue notice or call the patron to remind them it’s overdue

Page 10: RFID

4. The RFID database could be hacked into

• Yes, it can

• Don’t freak out

• If all you have on the tag are a barcode or unique identifying number, then there shouldn’t be any worries

• Proper protection is available if you are still worried: Consider using an encryption method, such as FlashScan RFID Encryption Envelope (www.flashscan.net), making it harder for the database to be hacked into

Page 11: RFID

5. Someone may bring a portable reader into the library to find out who has what books/media

• Portable readers currently cost over $1500, not something the average person can afford

• Even if they could, why would they want to know what a patron is checking out or carrying around?

• Since there are so many different RFID systems, there’s no telling the handheld/portable reader would even be able to read the tags in your library

$1599.99

Page 12: RFID

What people should really worry about instead:

• SmartCards (with or without RFID technology)
  • Visa is combining smart cards and RFID chips so people can conduct transactions without having to use cash or coins. These smart cards can also be incorporated into cell phones and other devices. Thus, you could pay for parking, buy a newspaper, or grab a soda from a vending machine without opening your wallet. And a record is kept.

• EZ-Pass
  • Investigators in divorce cases and criminal investigations regularly subpoena E-Z Pass records to figure out where an individual's car was at a particular time.

• Reward Cards
  • When you sign up for a reward card at your favorite store(s), you fill out an application, right? So, every time you use your reward card, they can trace back what you bought and when to you

• Credit Cards
  • Stores already capture who bought what at the point of sale (POS) when credit cards are used. People think nothing of using their credit cards to buy all kinds of things - including memberships to online X-rated sites. Monthly statement ring a bell?

• Cell phones
  • Many cell phones now have SIM cards which can store phone numbers and personal settings, among other data; other cell phones have GPS capability, so that if you are lost, in an accident, etc, you can be tracked to your location

• Don’t get me started on GPS!

• And these are just the tip of the iceberg.

Page 13: RFID

What Can You Do?

• Make sure patrons know about the RFID system you have in place and what it does and doesn’t do

• Have an effective privacy policy in place

• Post prominent signs that your library uses RFID technology

• Create a flyer to hand out or put at the checkout station describing what type of RFID technology your library is using, why you use it (emphasize the efficiency for you and patrons) and how much information is stored on the tag

• Audit the use and security of RFID technology regularly to make sure it is being used properly and is justified

• Make sure the tags have just a barcode or unique identifying number

Page 14: RFID

If a patron is still worried about RFIDs and privacy concerns after you’ve explained everything to them and/or given them a flyer

You could recommend this:

Page 15: RFID

http://zapatopi.net/afdb.html

Page 16: RFID

My wife already has me tracked via cell phone, IM, GPS, email & webcam...

now she's considering RFID

Page 17: RFID

NET CRIMES & MISDEMEANORS:

Outmaneuvering the Spammers, Swindlers and Stalkers Who Are Targeting You Online

www.netcrimes.net

CyberAge Books
ISBN 0-910965-57-9

Copyright 2004 J.A. Hitchcock

Page 18: RFID

What is Spam?

Spam is electronic junk mail.

It is in e-mail inboxes; on newsgroups, message boards and forums; in chat rooms; via IM; and even on cell phones.

It’s spam if. . .

Page 19: RFID

The TO: line has many e-mail addresses besides yours:

Page 20: RFID

The TO: line has

or something similar, or no e-mail addresses listed

The TO: and FROM: lines both have your e-mail address in them

Page 21: RFID

The CC: line has many addresses in it:

Date: Tue, 03 Jun 2003 06:20:54 +0000
From: Lilia <[email protected]>
Subject: Love from abroad
To: "[email protected]" <[email protected]>
Cc: [email protected], [email protected], [email protected],
 [email protected], [email protected], [email protected],
 [email protected], [email protected], [email protected],
 [email protected], [email protected], [email protected], [email protected],
 [email protected], [email protected], [email protected],
 [email protected], [email protected], [email protected],
 [email protected], [email protected], [email protected], [email protected],
 [email protected], [email protected], [email protected]

Russian Mail Order Brides

Tired of Dating Spoiled American Women?

Russian Women are Unspoiled, Devoted and Grateful!
(Browse the FREE Pictures THEY Sent In!)

We'll Post Your FREE Ad on Our Russian Site.
Let Women Come To You For A Change.

Check it Out Here

Page 22: RFID

The subject line has an offer you didn’t request:

Page 23: RFID

The content of the message is pornographic, a plea for money/help or other “junk mail” such as:

Page 24: RFID

Page 25: RFID

Page 26: RFID

Page 27: RFID

Page 28: RFID

Then there are the Nigerian spam scams:

• They aren’t always from Nigeria

• They always have a lot of money outside the USA that they need to get into the USA and want you to help

• But. . .you need to fork over a “small” amount to get things started

• If you do, you’re promised hundreds of thousands of dollars, sometimes millions.

• Examples follow:

Page 29: RFID

Date: Sun, 18 May 2003 12:00:21 -0700 (PDT)
From: USA AMERICA <[email protected]>
Subject: HI
To: [email protected]

MY NAME IS CAPTAIN GIPSON NATHAN FOXES, A MEMBER OF THE AMERICAN 97 BATTALLION REINFORCE TO THE CAPITAL CITY OF IRAQ

DURING THE SURVEILLANCE TO CAPTURE SADDAM HUSSEIN THE THEN PRESIDENT OF IRAQ ALLEGED FOR MISCONDUCT, MISUSING OF POWER AND FULLY ENSLAVING THE ENTIRE CITIZEN OF IRAQ. IN THE PROCESS OF THIS SURVEILLANCE AT OUR DISEMBARKING TO BAGHDAD IN OUR ATTEMPT TO CAPTURE SADDAM HUSSEIN, MEMBER OF THE MARINE TROOPS INCLUDING ME WERE LUCKILY GAINED ASSESS TO THE PRESIDENTIAL VILLA AND IN ATTEMPT TO SEARCH FOR HIM THE CAPTURED SECURITY IN CHARGE OF THE VILLA DIRECTED US TO THE PRESIDENTIAL PRIVATE SAFE. AS WE GAINED ENTRANCE TO THIS PRIVATE SAFE OF THE PRESIDENT WE FOUND SOME BOXES CONTAINING ALL KINDS OF AMMUNITIONS, DIAMOND, GOLD, SADDAM HUSSEIN DOLLARS, AND AMERICAN DOLLARS, WE HAVE TO ABIDE BY THE INSTRUCTION BY DESTROYING EVERYTHING THEREIN, AS WE BEGIN FROM THE AMMUNITION AND SADDAM HUSSEIN DOLLARS,  AS THE TROOP BATTALION COMMANDANT, I ORDERED THE LOWER RANKED OFFICERS AMONG US TO LEAVE THE SPOT IN PRETENCE TO DO CERTAIN THINGS. IT IS FROM THIS END WE REMOVED SIX BOXES OF FULL AMERICAN DOLLARS EACH CONTAINING $15.8M USD AS INDICATED ON EACH BOX. WITH GOD ON OUR SIDE, WE SUCCEEDED IN MOVING THE BOXES TO NEGHBOURING COUNTRY OF IRAQ (KUWAIT) WHERE WE SHARE THE MONEY WITH EACH OFFICER HAVING $31.6M USD.I HAVE FURTHER SUCCEEDED IN LODGING THIS MONEY INTO TRUST AND FINANCE HOUSE.  I AM PRESENTLY IN MY COUNTRY (USA) AND NOW SEEKING FOR YOUR HELP AND ASSISTANCE FOR YOU TO COME TO MY AID I PROPOSED THAT YOU STAND AS MY PROXY PERSON TO CLAIM THIS BOXES THAT CONSTANT MONEY SINCE I HAVE RETURNED TO THE CAMP. MOREOVER, ANY MOMENT FROM NOW WE SHALL STILL BE DEPLOYED TO IRAQ SINCE THE DEATH OF SAD DAM HUSSEIN HAS NOT BEING CONFIRMED. AS TO GET THE METAL BOX OF THE MONEY OUT OF THE TRUST AND FINANCE HOUSE, TRANSFER IT TO YOUR ACCOUNT WHERE WE CAN MAKE USE OF IT IN A LUCRATIVE BUSINESS INVESTMENT.  THIS TRANSACTION IS NOW ONLY KNOWN BY YOU, AND MYSELF THE SECRECY AND CONFIDENTIALITY SHOULD BE MAINTAINED FOR THE SUCCESSFUL TRANSFER OF THIS FUND. 
THESE FUND WAS DEPOSITED WITH A SECRETE CODE THAT MEANS IT WILL BE MORE EASY FOR YOU TO RETRIEVE THE FUND AND I WITHHOLD THE SECRET CODE FOR SECURITY REASONS AS YOU SHOW INTEREST THE SECRET CODE OF DEPOSIT WILL BE GIVEN TO YOU AFTER SOLID ARRANGEMENT WITH BOTH OF US THEN YOU CAN NOW PROCEED TO THE FINANCE HOUSE TO RETRIEVE THE MONEY AND TRANSFER THE MONEY INTO YOUR ACCOUNT.  FOR SECURITY REASONS, WE WOULD BE COMMUNICATING THROUGH FAX OR E-MAIL BUT PREFERABLY FAX. PLEASE SEND ME YOUR PRIVATE FAX NUMBER FOR CONFIDENTIAL DISCUSSIONS.  I SHALL BE DELIGHTED TO RECEIVING YOUR RESPONSE TOWARDS ASSISTING ME. MY PRIVATE FAX LINE IS +1-419-844-0250  YOURS TRULY, CAPTAIN GIPSON NATHAN

Page 30: RFID

Date: Fri, 30 May 2003 01:05:57 +0100 (BST)
From: bode owomida <[email protected]>
Subject: HELP ME
To: [email protected]

Dear friend,   First,i must solicit your strictest confidence in this transaction.This is by viture of its nature as being utterly confidential.You have been  recomended by an associate who assured me in  confidence of your ability and reliability to prosecute a transaction involving a pending business transaction requireing maximum confidence.we are top officials of Federal Government Contract Review panel who are interested in the importation of goods into our country with funds which are presently trapped in Nigeria.  In order to commence this business,we solicit your assitance to enable us transfer into your account the said trapped funds.  The source of the funds is as follows:During the last Military Regime here in Nigeria,the Government officials set up companies and awarded themselves contracts which they grossly over invoiced in the various Government ministries.The present Civilian Government set up a contract Review panel of which we are the constitute members.We have identified alot of of inflated contract funds which are presently floating in the Central Bank Of Nigeria ready for payment.  How ever,by virtue of our position as civil servants and members of this panel,we cannot acquire this money in our names.I have therfore been mandated as a matter of trust by my colleagues of this panel to look for a foriegn partner into whose account we will transfer the sum of us$11.550,000.00(Eleven million five hundred and fifty thousand U.S Dollar.)Hence we are writing this letter,we have agreed to share the money thus:  1. 20% for the account holder (you).  2. 80% for us(the officials) and any foriegn expenses.It is from this 80% we wish to commence the importation business .please note that this transaction is 100% safe and we hope to commence this transfer latest 7(seven) Banking days from the date of receipt of the following information through my e-mail Box.  The information required are:   1. Your company Name,Address,telephone and fax numbers.  2.  
Bank name and Account number.  3.  Your private telephone and fax numbers where i can reach you.    The above information will enable us write a letter of claim and job description respectively.This way we will use your company`s name to reapply for payments and reaward contracts in your company`s name.We are looking forward to doing this business with you and we solicit your confidentiality in this transaction.i will bring you into the complete picture of this pending project when i have heard from you.    Subject to your satisfaction,all expenses will be taken care of by me and my partners and shall be sent to you on request.therefore,you are expected to calculate all expenses you will incure as well as telephone bills and all shall be sent to you immediately we commence this transaction.     Yours  Faithfully,    Dr.Bode I. Owomida.

Page 31: RFID

Advising People How To Get Rid of Spam

• Do NOT reply to the spam asking to be removed

• Do NOT click on “Remove me” or “No more advertisements” or something similar

• Do NOT do what this man did:

Page 32: RFID

Page 33: RFID

Instead, Do This

• Delete the spam

• Use spam filtering software such as Norton Antispam; Spamkiller; McAfee Antispam

• Pay for an anti-spam service such as Vanquish or Spamarrest

• Report it

Copyright 2003 J.A. Hitchcock

Page 34: RFID

Reporting Spam

This is what you usually see when you get spam:

Date: Fri, 21 Nov 2003 13:50:54 -0700
From: Mattie Kenny <[email protected]>
Subject: Re: %RND_UC_CHAR[2-8], annushka had spilled
To: [email protected]

No more spam. We can help you!

You need to show “full headers” to see where this really came from. . .how?

Page 35: RFID

How To Show Full Headers

• Yahoo! Mail
• Hotmail
• Compuserve
• Free Agent/Agent (newsgroup programs)
• MS Outlook 98 and Outlook 2000
• Pine
• Netscape Navigator/Communicator
• Microsoft Internet Explorer
• Microsoft Exchange
• UNIX
• Pegasus
• Newswatcher
• Eudora Pro
• MORE!

www.haltabuse.org/help/headers

Page 36: RFID

Full Headers

Return-path: <[email protected]>
Received: from ms-mta-01 (ms-mta-01-smtp [10.10.4.5])
 by ms-mss-04.nyroc.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <[email protected]> for awriter%maine.rr.com@ims-ms-daemon;
 Fri, 21 Nov 2003 15:48:29 -0500 (EST)
Received: from nymx03.mgw.rr.com (nymx03.mgw.rr.com [24.92.226.164])
 by ms-mta-01.nyroc.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <[email protected]> for [email protected] (ORCPT [email protected]);
 Fri, 21 Nov 2003 15:48:29 -0500 (EST)
Received: from plushie.suespammers.org (plushie.suespammers.org [207.126.97.64])
 by nymx03.mgw.rr.com (8.12.10/8.12.8) with ESMTP id hALKmGdv008455
 for <[email protected]>; Fri, 21 Nov 2003 15:48:28 -0500 (EST)
Received: from zorac.sf-bay.org (zorac.sf-bay.org [204.74.68.55])
 by plushie.suespammers.org (8.12.9-20030919/8.12.9) with ESMTP id hALKmGMT022123
 for <[email protected]>; Fri, 21 Nov 2003 12:48:16 -0800
Received: (from smap@localhost) by zorac.sf-bay.org (8.12.6p2/8.9.3) id hALKmFIx049229
 for <[email protected]>; Fri, 21 Nov 2003 12:48:15 -0800 (PST envelope-from [email protected])
Received: from cpe-66-189-88-24.ma.charter.com(66.189.88.24, HELO cpe-66-189-88-24.ma.charter.com)
 by zorac.sf-bay.org via smap (V1.3) id xma049193; Fri, 21 Nov 2003 12:48:03 -0800
Received: from 66.189.88.24; Fri, 21 Nov 2003 18:47:54 -0200
Date: Fri, 21 Nov 2003 13:50:54 -0700
From: Mattie Kenny <[email protected]>
Subject: Re: %RND_UC_CHAR[2-8], annushka had spilled
To: [email protected]: Mattie <[email protected]>
Message-id: <[email protected]>
MIME-version: 1.0
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-type: multipart/alternative; boundary=--10581131654388834374
X-Priority: 1
X-MSMail-priority: High

Page 37: RFID

Now that you have full headers:

Use a free spam reporting service such as Spamcop.net
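
Reading the Received chain from the full headers above by hand, as an added example that is not part of the original slides: each relay you trust records the address of whoever connected to it, so the first outside address recorded by a trusted relay is the source worth reporting, and every line below it was supplied by the sender. The `TRUSTED` list (which relays belong to the recipient's own mail path) and the function names are assumptions, and trusting a relay by name is a simplification.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Received lines from the slide's sample, with the id/for clauses trimmed.
SAMPLE = """\
Received: from ms-mta-01 (ms-mta-01-smtp [10.10.4.5])
 by ms-mss-04.nyroc.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12);
 Fri, 21 Nov 2003 15:48:29 -0500 (EST)
Received: from nymx03.mgw.rr.com (nymx03.mgw.rr.com [24.92.226.164])
 by ms-mta-01.nyroc.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12);
 Fri, 21 Nov 2003 15:48:29 -0500 (EST)
Received: from plushie.suespammers.org (plushie.suespammers.org [207.126.97.64])
 by nymx03.mgw.rr.com (8.12.10/8.12.8); Fri, 21 Nov 2003 15:48:28 -0500 (EST)
Received: from zorac.sf-bay.org (zorac.sf-bay.org [204.74.68.55])
 by plushie.suespammers.org (8.12.9-20030919/8.12.9);
 Fri, 21 Nov 2003 12:48:16 -0800
Received: (from smap@localhost) by zorac.sf-bay.org (8.12.6p2/8.9.3);
 Fri, 21 Nov 2003 12:48:15 -0800
Received: from cpe-66-189-88-24.ma.charter.com
 (66.189.88.24, HELO cpe-66-189-88-24.ma.charter.com)
 by zorac.sf-bay.org via smap (V1.3) id xma049193;
 Fri, 21 Nov 2003 12:48:03 -0800
Received: from 66.189.88.24; Fri, 21 Nov 2003 18:47:54 -0200
Subject: Re: %RND_UC_CHAR[2-8], annushka had spilled

No more spam. We can help you!
"""

# Assumption: these domains are the recipient's own provider and forwarders.
TRUSTED = ("rr.com", "suespammers.org", "sf-bay.org")

BY = re.compile(r"\bby\s+([\w.-]+)")
# "from NAME (RDNS [IP])" (sendmail style) or "from NAME (IP, HELO ...)" (smap style)
PEER = re.compile(r"from\s+([\w.-]+)\s*\((?:([\w.-]+)\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})")

def is_trusted(host, trusted):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def trace(raw, trusted=TRUSTED):
    """Walk Received lines newest-first; return the first outside sender
    recorded by a relay we trust, or None if the chain never reaches one."""
    received = message_from_string(raw).get_all("Received", [])
    hops = [" ".join(h.split()) for h in received]   # unfold continuation lines
    for i, hop in enumerate(hops):
        by = BY.search(hop)
        if not (by and is_trusted(by.group(1), trusted)):
            return None                  # written by a server we cannot vouch for
        peer = PEER.match(hop)
        if peer is None:
            continue                     # local hand-off, e.g. "(from smap@localhost)"
        name, rdns, ip = peer.groups()
        if is_trusted(rdns or name, trusted) or ip_address(ip).is_private:
            continue                     # our own relay passing the message along
        return {"origin_ip": ip, "claimed_name": name,
                "recorded_by": by.group(1),
                "unverified": hops[i + 1:]}  # sender-supplied, may be forged
    return None

if __name__ == "__main__":
    print(trace(SAMPLE))
```

The last `Received: from 66.189.88.24` line ends up under `unverified`: no trusted relay wrote it, so it carries no weight in a report.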

Page 38: RFID

Page 39: RFID

If it’s harassment or a scam, send them to WHO@

www.haltabuse.org

Click on “Need Help?”

Then follow the instructions

Page 40: RFID

Thank you!

