Difference between revisions of "MIT whitepaper"
Latest revision as of 00:00, 17 April 2007
Section 1 – History of the MBTA
Section 1.1 – Early Public Stagecoach Service
Section 1.2 – Passenger Comfort and Reliability
Section 1.3 – The First Subway in America
Section 2 – History of RFID
Section 2.1 – The Commercialization of RFID
Section 2.2 – Multi-Purpose RFID Cards
Section 3 – Benefits to the MBTA
Section 3.1 – Personnel Cost Savings
Section 3.2 – Maintenance Advantages
Section 3.3 – Financial Benefits
Section 3.4 – Law Enforcement Considerations
Section 4 – Technical Basics
Section 5 – Cautionary Anecdotes
5.1 – A Story Says 1,000 Images
5.2 – Trust Your Data to People Who Manage Data [Not Trains]
5.3 – Insider Abuse Has Major Risks
5.4 – Holey Matrimony
5.5 – Tracking Customers is Bad Business
Section 6 – Case Studies of RFID Smartcards in Transit
Section 6.1 – A Foreign Case – Transport for London (Oyster Card)
Section 6.1.1 – Opt-out Availability for the Oyster Card
Reduced Fares and Student Registration
Limiting Unregistered Card Use Geographically
Section 6.1.2 – Oyster Card Privacy Communications
An Alternative to a Privacy Policy – London’s Ticketing Data Protection Policy
Section 6.2 – Fully Implemented Domestic Cases – The CTA and WMATA
Section 6.2.1 – Chicago Transit Authority (Chicago Card and Chicago Card Plus)
Clearly Indicating the Differences between Cards with and without Registration
Maintaining Fare (Fair) Incentives
The CTA’s Need for Clearly Defined Privacy Measures
Releasing Information to Individuals – Security Protections for Registered Cards
Section 6.2.2 – Washington Metropolitan Area Transit Authority (SmarTrip)
Best Information Practices: Logging Employee Interactions with Data
The WMATA’s Need for Defined Privacy Measures
Section 6.3 – A Domestic Case in Development – Metro Transit (Minneapolis/St. Paul, MN)
A Blurry Line between Registered and Unregistered Cards
Integrating Use Incentives in an RFID System – The Ride to Rewards Program
Reduced Fares and Registration Requirements Revisited
Section 6.4 – Comparing RFID Smartcard Implementations
Section 6.5 – Other Implementations on the Horizon
Section 6.6 – General Reflections on Interviews and Case Studies
Section 6.7 – The MBTA’s Privacy Action Plan
Section 7 – Legal Considerations
Section 7.1 – Chapter 66A
Section 7.1.1 – Chapter 66A Requires Reasonably Minimal Data Collection
Section 7.1.2 – Chapter 66A Constrains the Feasibility of a Multi-Use CharlieCard
Section 7.1.3 – Chapter 66A Requires Advance Notice of a Subpoena
Section 7.1.4 – Chapter 66A Provides Customers a Right to Access Their Data
Section 7.2 – The Personal Information Protection Act
Section 7.3 – A Constitutional Right to Travel Anonymously
Section 7.4 – The Data Protection Act of 1998
Section 8 – Our Recommendations
Section 8.1 – Gaining Citizen Trust
Section 8.1.1 – Openness
Section 8.1.1.1 – Example Privacy Statements
Section 8.1.2 – Choice
Section 8.1.2.1 – Functionality Not Required for an Opt-out Program
Section 8.2 – Providing a Safe, Secure Service
Section 8.2.1 – Preventing Internal Abuse
Section 8.2.1.1 – Storing Reasonably Minimal Personal Data
Section 8.2.1.2 – Data Use Policies
Section 8.2.1.3 – Response to Government Requests for Data
Section 8.2.1.4 – Accountability
Section 8.2.2 – Preventing External Abuse
Section 8.2.2.1 – Encryption
Section 8.2.2.2 – Separation from Other Networks
Section 8.2.2.3 – Minimal Storage of Data
Section 8.2.2.4 – Evolving with Technology
Section 9 – Suggestions Not Included
Section 9.1 – Data Quality
Section 9.2 – Specifying Where and How Data is Stored in the Privacy Policy
Section 9.3 – Recommending a Particular Storage Architecture
Section 9.4 – Including Why Data Use is Acceptable in the Privacy Policy
Section 9.5 – Printing "RFID Inside" Whenever RFID Technology is Used
Appendix A – Technical Information
A.1 – Overview of RFID Systems
A.1.1 – What is RFID?
A.1.2 – What the DOD and Wal-Mart See in RFID
A.1.3 – Active or Passive
A.1.4 – What’s So Remarkable about This Stuff?
A.2.0 – Plunging One Level Deeper (Technically)
A.2.1 – Active vs. Passive Revisited
A.2.2 – Passive Cards – Inductive vs. RF Coupled
A.2. – How Cards are Fabricated
A.3 – Pushing the Technical Limits
A.4 – ###%20# hWo eNeds nEcryption? ####^%687#
A.4.1 – 128-bit vs. 3DES vs. Scrambling Letters
A.4.2 – What Manufacturers Want You to Believe
A.4.3 – What Encryption Experts Want You to Know
A.4.4 – What Should We Demand in the Future (Technically)
Appendix B – A Possible Design
Section B.1 – General Design
Section B.1.1 – Operation of the Databases
Section B.1.2 – Meeting the Specifications
Section B.2 – Variation 1: Shared Secret (Password)
Section B.3 – Variation 2: Personal Information
Section B.4 – A Combination
Appendix C – Modifying a Current System to Incorporate Our Recommendations
Appendix D – RFID and Transit Smartcard Glossary
Reference List