Difference between revisions of "MIT whitepaper"

From PublicWiki

Latest revision as of 00:00, 17 April 2007

Section 1 – History of the MBTA....................................................................................6

Section 1.1 – Early Public Stagecoach Service............................................................6

Section 1.2 – Passenger Comfort and Reliability.........................................................7

Section 1.3 – The First Subway in America.................................................................8

Section 2 – History of RFID..........................................................................................10

Section 2.1 – The Commercialization of RFID..........................................................10

Section 2.2 – Multi-Purpose RFID Cards....................................................................11

Section 3 – Benefits to the MBTA.................................................................................12

Section 3.1 – Personnel Cost Savings........................................................................12

Section 3.2 – Maintenance Advantages......................................................................13

Section 3.3 – Financial Benefits................................................................................13

Section 3.4 – Law Enforcement Considerations.........................................................16

Section 4 - Technical Basics..........................................................................................19

Section 5 – Cautionary Anecdotes.................................................................................20

5.1 – A story says 1,000 images.................................................................................20

5.2 – Trust Your Data to People Who Manage Data [Not Trains]..............................20

5.3 – Insider Abuse Has Major Risks.........................................................................22

5.4 – Holey Matrimony.............................................................................................23

5.5 – Tracking Customers is Bad Business................................................................24

Section 6 - Case Studies of RFID Smartcards in Transit................................................25

Section 6.1 - A Foreign Case – Transport for London (Oyster Card)..........................26

Section 6.1.1 – Opt-out Availability for the Oyster Card........................................26

Reduced Fares and Student Registration................................................................27

Limiting Unregistered Card Use Geographically....................................................27

Section 6.1.2 – Oyster Card Privacy Communications...........................................28

An Alternative to a Privacy Policy – London’s Ticketing Data Protection Policy...29

Section 6.2 - Fully Implemented Domestic Cases – The CTA and WMATA.............30

Section 6.2.1 - Chicago Transit Authority (Chicago Card and Chicago Card Plus).30

Clearly Indicating the Differences between Cards with and without Registration...31

Maintaining Fare (Fair) Incentives.........................................................................32

The CTA’s Need for Clearly Defined Privacy Measures........................................33

Releasing Information to Individuals – Security Protections for Registered Cards.34

Section 6.2.2 - Washington Metropolitan Area Transit Authority (SmarTrip)........34

Best Information Practices: Logging Employee Interactions with Data..................35

The WMATA’s Need for Defined Privacy Measures.............................................35

Section 6.3 - A Domestic Case in Development – Metro Transit (Minneapolis/St. Paul, MN)..........36

A Blurry Line between Registered and Unregistered Cards....................................36

Integrating Use Incentives in an RFID System - The Ride to Rewards Program.....37

Reduced Fares and Registration Requirements Revisited.......................................38

Section 6.4 - Comparing RFID Smartcard Implementations.......................................39

Section 6.5 - Other Implementations on the Horizon.................................................39

Section 6.6 - General Reflections on Interviews and Case Studies.............................40

Section 6.7 - The MBTA’s Privacy Action Plan........................................................41

Section 7 – Legal Considerations..................................................................................42

Section 7.1 – Chapter 66A........................................................................................43

Section 7.1.1 - Chapter 66A Requires Reasonably Minimal Data Collection..........43

Section 7.1.2 - Chapter 66A Constrains the feasibility of a Multi-Use CharlieCard......44

Section 7.1.3 - Chapter 66A Requires Advance Notice of a Subpoena....................44

Section 7.1.4 - Chapter 66A Provides Customers a Right to Access Their Data.....45

Section 7.2 – The Personal Information Protection Act..............................................45

Section 7.3 – A Constitutional Right to Travel Anonymously....................................46

Section 7.4 – The Data Protection Act of 1998..........................................................47

Section 8 - Our Recommendations................................................................................48

Section 8.1 - Gaining Citizen Trust...........................................................................49

Section 8.1.1 - Openness........................................................................................50

Section 8.1.1.1 - Example Privacy Statements.......................................................51

Section 8.1.2 Choice...........................................................................................54

Section 8.1.2.1 Functionality not required for an Opt-out Program........................54

Section 8.2 - Providing a Safe, Secure Service...........................................................55

Section 8.2.1 Preventing Internal Abuse.............................................................56

Section 8.2.1.1 Storing Reasonably Minimal Personal Data...................................57

Section 8.2.1.2 - Data Use Policies........................................................................60

Section 8.2.1.3 Response to Government Request for Data.................................61

Section 8.2.1.4 Accountability............................................................................62

Section 8.2.2 - Preventing External Abuse.............................................................62

Section 8.2.2.1 - Encryption..................................................................................62

Section 8.2.2.2 - Separation from other Networks..................................................63

Section 8.2.2.3 Minimal Storage of Data............................................................64

Section 8.2.2.4 Evolving with Technology.........................................................65

Section 9 - Suggestions Not Included............................................................................66

Section 9.1 Data Quality............................................................................................66

Section 9.2 - Specifying Where Data is Stored and How in the Privacy Policy..........66

Section 9.3 - Recommending a Particular Storage Architecture.................................67

Section 9.4 - Including Why Data Use is Acceptable in the Privacy Policy................67

Section 9.5 - Printing "RFID Inside" Whenever RFID Technology is Used...............67

Appendix A - Technical Information.............................................................................69

A.1 - Overview of RFID System...............................................................................69

A.1.1 What is RFID?.............................................................................................69

A.1.2 What the DOD and Wal-Mart see in RFID...................................................69

A.1.3 Active or Passive........................................................................................70

A.1.4 What’s so remarkable about this stuff?.........................................................72

A.2.0 Plunging one level deeper (technically)............................................................73

A.2.1 Active vs. Passive revisited..........................................................................73

A.2.2 Passive Cards – Inductive vs. RF coupled....................................................73

A.2. How cards are fabricated....................................................................................75

A.3 Pushing the technical limits................................................................................76

A.4 ###%20# hWo eNeds nEcryption? ####^%687#..............................................77

A.4.1 128 bit vs. 3DES vs. scrambling letters.......................................................78

A.4.2 What manufacturers want you to believe.......................................................79

A.4.3 What Encryption experts want you to know.................................................80

A.4.4 What should we demand in the future (technically)......................................81

Appendix B - A Possible Design...................................................................................83

Section B.1 General Design.......................................................................................83

Section B.1.1 Operation of the Databases..............................................................84

Section B.1.2 Meeting the Specifications...............................................................85

Section B.2 Variation 1: Shared Secret (Password)....................................................86

Section B.3 Variation 2: Personal Information...........................................................86

Section B.4 A Combination.......................................................................................88

Appendix C - Modifying a Current System to Incorporate our Recommendations.........89

Appendix D - RFID and Transit Smartcard Glossary.....................................................91

Reference List...............................................................................................................94