WSIS: Security and privacy risks

manos | 10.12.2003 16:27 | WSIS 2003 | Technology | Cambridge

An international group of independent researchers attending the World Summit
on the Information Society (WSIS) has revealed important technical and legal
flaws, relating to data protection and privacy, in the security system used
to control access to the UN Summit.

A photo of the access control system


PRESS RELEASE, Immediate distribution
URL:  http://www.contra.info/wsis |  wsis@contra.info

World Summit on Information Society: The personal data collection practices
at the summit are a threat to the privacy of the participants.

PRESS CONFERENCE

GENEVA PRESSE CLUB - CLUB SUISSE DE LA PRESSE
Friday 12th December 2003 at 11.30 am
at « La Pastorale », Route de Ferney 106, Geneva
 http://www.pressclub.ch/menu/sub_menu/adresse_csp.html

GENEVA, 10th DEC 2003

An international group of independent researchers attending the World Summit
on the Information Society (WSIS) has revealed important technical and legal
flaws, relating to data protection and privacy, in the security system used
to control access to the UN Summit. The system not only fails to guarantee
the promised high levels of security but also introduces the very real
possibility of constant surveillance of the representatives of the civil
society.

During the course of our investigation we were able to register for the
Summit and obtain an official pass by “just” showing a fake plastic identity
card and being photographed (via a webcam), with no other document or
registration number required to obtain the pass. The limited personal data
required to produce the fake ID and thus register was easily obtained - a
name from the WSIS website of attendees.

However this is only half of the story.

The official Summit badges, which are plastic and the size of a credit card,
hide a “RF smart card” [1] - a hidden chip that can communicate its
information via radio frequency. It carries both a unique identifier
associated with the participant, and a radio frequency tag (RFID) that can
be "read" when close to a sensor. These sensors can be located anywhere,
from vending machines to the entrance of a specific meeting room allowing
the remote identification and tracking of participants, or groups of
participants, attending the event.

The data relating to the card holder (personal details, access
authorization, account information, photograph etc.) is not stored on the
smart card itself, but instead managed by a centralized relational database.
This solution enables the centralized system to monitor closely every
movement of the participants at the entrance of the conference center, or
using data mining techniques, the human interaction of the participants and
their relationship. The system can potentially be extended to track
participants' movements within the summit and detect their presence at
particular sessions.
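
The linkage described above, as an added illustration that is not part of the press release or of the deployed system: a reader log keyed by one badge identifier, joined to a central registry, yields per-person trails and co-presence pairs. All log entries, names and keys are constructed, and the per-reader pseudonym scheme is an assumed mitigation sketch, not something the release proposes.

```python
import hashlib
import hmac
from collections import defaultdict
from itertools import combinations

# Constructed sample reader log: (badge_uid, reader_location, minute_of_day).
EVENTS = [
    ("UID-A", "main-entrance", 540), ("UID-B", "main-entrance", 541),
    ("UID-A", "room-2", 600), ("UID-B", "room-2", 602),
    ("UID-C", "main-entrance", 610), ("UID-A", "vending-1", 660),
    ("UID-C", "room-5", 700),
]
# Constructed central registry: the badge holds only the UID, the database the person.
REGISTRY = {"UID-A": "Participant A", "UID-B": "Participant B", "UID-C": "Participant C"}

def movement_trails(events, registry):
    """Join reader events to the registry: one time-ordered trail per named person."""
    trails = defaultdict(list)
    for uid, reader, t in sorted(events, key=lambda e: e[2]):
        trails[registry[uid]].append((t, reader))
    return dict(trails)

def co_presence(events, window=5):
    """Count how often two identifiers hit the same reader within `window` minutes."""
    by_reader = defaultdict(list)
    for uid, reader, t in events:
        by_reader[reader].append((t, uid))
    pairs = defaultdict(int)
    for seen in by_reader.values():
        for (t1, u1), (t2, u2) in combinations(sorted(seen), 2):
            if u1 != u2 and abs(t1 - t2) <= window:
                pairs[tuple(sorted((u1, u2)))] += 1
    return dict(pairs)

def pseudonymise(events, reader_keys):
    """Assumed mitigation: each reader logs HMAC(reader_key, uid), never the UID."""
    return [(hmac.new(reader_keys[r], uid.encode(), hashlib.sha256).hexdigest()[:16], r, t)
            for uid, r, t in events]

def linkable_across_readers(events):
    """Number of logged identifiers that appear at more than one reader."""
    seen_at = defaultdict(set)
    for ident, reader, _ in events:
        seen_at[ident].add(reader)
    return sum(1 for readers in seen_at.values() if len(readers) > 1)

# Hypothetical per-reader secrets (constructed). Whoever holds all keys can re-link.
READER_KEYS = {r: ("key-for-" + r).encode() for _, r, _ in EVENTS}
```

With the raw identifier every badge in the sample is linkable across readers; with per-reader pseudonyms none is, although co-presence at a single reader remains visible in that reader's log.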

Because all of the personal data is stored in a centralized database, any
part of the database can be replicated locally, or transferred to future
events - for example the next WSIS Summit hosted by the Tunisian authorities
in 2005.

During the registration process we requested information about the future
use of the picture and other information that was taken, and the built-in
functionalities of the seemingly innocent plastic badge. No public
information or privacy policy was available upon our demands, that could
indicate the purpose, processing or retention periods for the data
collected. The registration personnel were obviously not properly informed
and trained.

Our main concern is not only that the Summit participants lack information
about the functionalities of this physical access system implemented, or
that no one was able to answer questions of how the personal data would be
treated after the Summit. The big problem is that the system also fails to
guarantee the promised high levels of security while introducing the
possibility of constant surveillance of the representatives of civil
society, many of whom are critical of certain governments and regimes.
Sharing this data with any third party would be putting civil society
participants at risk, but this threat is made concrete in the context of
WSIS by considering the potential impact of sharing the data collected with
the Tunisian government in charge of organizing the event in 2005.

That a system like this gets implemented without a transparent and open
discussion amounts to a real threat for the participants themselves, and for
our Information Society as a whole.

More information is available at:
---------------------------------
 http://www.contra.info/wsis
email:  wsis@contra.info

================
Contact persons:
================
>>Ass. Prof. Dr. Alberto Escudero-Pascual, Researcher in Computer Security
and Privacy, Royal Institute of Technology, Stockholm, Sweden (EN, SP) Tel:
+ 41786677843 , +46 702867989

>>George Danezis, Researcher in Privacy Enhancing Technologies and Computer
Security, Cambridge University, UK. (FR, EN, GR)

>>Stephane Koch, President Internet Society Geneva, Executive Master of
Economic Crime Investigations, Geneva, Switzerland. (FR, EN) Tel: +41 79 607
57 33

-----------------
NOTES TO EDITORS
-----------------
>>The World Summit of Information Society has contracted SportAccess, a
Company of Kudelski Group, as the main party responsible for an integrated
physical access control solution during the United Nations Summit of
Information Society. The MultiSAK system has already been deployed in other
meetings such as the World Economic Forum in previous years and was globally
designed and developed by NagraCard and NagraID.

>>The procedures of how personal data is being handled during WSIS break the
principles of the Swiss Federal Law on Data Protection of June 1992 [2], the
European Union Data Protection Directive 95/46/EC [3] and the United Nations
guidelines concerning Computerized personal data files adopted by the
General Assembly on December 1990 [4].

>>The Electronic Privacy Information Center [1] has an extensive news
archive and background material on the subject of privacy threats and
RFtags. Usage of RFtags in supermarkets, to tag products for purposes of
stock management and security, has already attracted opposition on privacy
grounds by CASPIAN (Consumers Against Supermarket Privacy Invasion and
Numbering) [5] and has led to campaigns for customer boycott of tagged
products [6].

REFERENCES

[1] Electronic Privacy Information Center Website about RFID Identification
 http://www.epic.org/privacy/rfid/

[2] Swiss Federal Law on Data Protection,
 http://www.edsb.ch/e/gesetz/schweiz/index.htm

[3] European Union Data Protection Directive,
 http://europa.eu.int/comm/internal_market/privacy/index_en.htm

[4] Guidelines for the Regulation of Computerized Personal Data Files,
 http://www.unhchr.ch/html/menu3/b/71.htm

[5] CASPIAN,
 http://www.nocards.org/AutoID/overview.shtml

[6] The Boycott Gillette Campaign,
 http://www.boycottgillette.org/

manos
- Homepage: http://www.contra.info/wsis
