Difference between revisions of "ORCA whitepaper"

(New page: == Whitepaper == === Background === ==== RFID overview ==== ==== ORCA background ==== ==== ERG group ==== === Stakeholders / Concerns === * Why do we care? * Anonymity == Legal consi...)
 
(Questions)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Whitepaper ==
+
== Outline ==
 +
*Section 1 – Background/History of the ORCA
 +
** Where are we now, how did we get to be here?
 +
** Motivations
  
=== Background ===
+
*Section 2 – Background of RFID
 +
** Very high level, focus more on transit implications
  
==== RFID overview ====
+
*Section 3 - RFID in Transit Systems
 +
** Potential Benefits
 +
** Oyster, Octopus, Charlie, etc.
 +
** ERG Group
 +
** Personnel Cost Savings
 +
** Maintenance Advantages
 +
** Financial Benefits
 +
** Other Benefits (law enforcement, university, city, state, etc)
  
==== ORCA background ====
+
* Section 4 - ORCA Details
 +
** ERG Group
 +
** MiFare DESFire
 +
** Trip History
 +
** Data retention
  
==== ERG group ====
+
* Section 5 – Cautionary Anecdotes
 +
** A story says 1,000 images
 +
** Trust Your Data to People Who Manage Data [Not Trains]
 +
** Insider Abuse Has Major Risks
 +
** Holey Matrimony
 +
** Tracking Customers is Bad Business
  
=== Stakeholders / Concerns ===
+
* Section 6 - Stakeholder Analysis
* Why do we care?
+
** Why do we care?
* Anonymity
+
** Who else should care?
  
== Legal considerations ==
+
* Section 7 – Deployment Considerations
 
+
** Legal/Regulatory
== Technical ==
+
*** Audit trails (DC)
* What's encrypted? When? How? Where?  
+
*** Anonymity in warehousing?
* Who owns the keys?  
+
*** Data retention
* Who's writing the encryption code?
+
*** Rights to access? Across orgs?
* Access control?
+
*** Is information that is passed between parties anonymized/aggregated?
 
+
** Technical
== Regulatory ==
+
*** What's encrypted? When? How? Where?
* Audit trails (DC)
+
*** Who owns the keys?
* Anonymity in warehousing?
+
*** Who's writing the encryption code?
* Data retention
+
*** Access control?
* Rights to access? Across orgs?
+
*** Who makes cards?
* Is information that is passed between parties anonymized/aggregated?
+
** Informing the public/media
 +
* Section 8 - Our Recommendations
  
 
== Questions ==
 
== Questions ==
 
* Has ERG group had any kind of compromises?
 
* Has ERG group had any kind of compromises?
 +
* How is data shared? Is it aggregated or unique records?
 +
* How do the privacy policies extend across organizations? Who owns and who can sell the data (UW? KC Metro?)
  
 
== Action Items ==
 
== Action Items ==
 
* contact MIT people (Yaw)
 
* contact MIT people (Yaw)
 
* repurpose best practices from RFID clinic
 
* repurpose best practices from RFID clinic
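
Review bot: The rewritten Section 6 (Stakeholder Analysis) drops the standalone "Anonymity" item that the previous revision listed under Stakeholders / Concerns; in the new outline anonymity survives only as "Anonymity in warehousing?" under Section 7, Legal/Regulatory. If rider anonymity is still meant to be a stakeholder concern, restore it as a sub-item of Section 6. Separately, "ERG Group" is now listed under both Section 3 and Section 4, and "Data retention" under both Section 4 and Section 7; either merge each pair or note which aspect each section covers so the material is not written twice.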

Latest revision as of 00:43, 17 April 2007

Outline

  • Section 1 – Background/History of the ORCA
    • Where are we now, how did we get to be here?
    • Motivations
  • Section 2 – Background of RFID
    • Very high level, focus more on transit implications
  • Section 3 – RFID in Transit Systems
    • Potential Benefits
    • Oyster, Octopus, Charlie, etc.
    • ERG Group
    • Personnel Cost Savings
    • Maintenance Advantages
    • Financial Benefits
    • Other Benefits (law enforcement, university, city, state, etc.)
  • Section 4 – ORCA Details
    • ERG Group
    • MIFARE DESFire
    • Trip History
    • Data retention
  • Section 5 – Cautionary Anecdotes
    • A story says 1,000 images
    • Trust Your Data to People Who Manage Data [Not Trains]
    • Insider Abuse Has Major Risks
    • Holey Matrimony
    • Tracking Customers is Bad Business
  • Section 6 – Stakeholder Analysis
    • Why do we care?
    • Who else should care?
  • Section 7 – Deployment Considerations
    • Legal/Regulatory
      • Audit trails (DC)
      • Anonymity in warehousing?
      • Data retention
      • Rights to access? Across orgs?
      • Is information that is passed between parties anonymized/aggregated?
    • Technical
      • What's encrypted? When? How? Where?
      • Who owns the keys?
      • Who's writing the encryption code?
      • Access control?
      • Who makes cards?
    • Informing the public/media
  • Section 8 – Our Recommendations

Questions

  • Has ERG group had any kind of compromises?
  • How is data shared? Is it aggregated or unique records?
  • How do the privacy policies extend across organizations? Who owns and who can sell the data (UW? KC Metro?)

Action Items

  • Contact MIT people (Yaw)
  • Repurpose best practices from RFID clinic