We are working on a new release of materials that includes the audio files of the press conference. Thanks to all the people interested in following up the case, we will keep you informed.

We are translating the report to different languages, we have translated already to english, spanish and swedish. Mail us if you can translate the information presented in this website. Thanks!


 

 

THE PHYSICAL ACCESS SECURITY TO WSIS:                

A PRIVACY THREAT FOR THE PARTICIPANTS.

 

[IN PICTURES]

PRESS RELEASE,  Immediate distribution

            URL: http://www.contra.info/wsis | wsis@contra.info

 

PRESS CONFERENCE

Friday 12th December 2003 at 11.30 am

                                    à « La Pastorale », Route de Ferney 106  à  Genève

http://www.pressclub.ch/menu/sub_menu/adresse_csp.html

[Press Release English PDF] - [Nota Prensa en Castellano]

 

- Ass. Prof. Dr. Alberto Escudero-Pascual, Researcher in Computer Security and Privacy, Royal Institute of Technology, Stockholm, Sweden (EN, SP) Tel: + 41786677843 , +46 702867989 - Stephane Koch, President Internet Society Geneva, Executive Master of Economic Crime Investigations, Geneva, Switzerland. (FR, EN) Tel: +41 79 607 57 33 - George Danezis, Researcher in Privacy Enhancing Technologies and Computer Security, Cambridge University, UK. (FR, EN, GR)

 

GENEVA, 10th DEC 2003

 

An international group of independent researchers attending the Word Summit on the Information Society (WSIS) has revealed important technical and legal flaws, relating to data protection and privacy, in the security system used to control access to the UN Summit. The system not only fails to guarantee the promised high levels of security but also introduces the very real possibility of constant surveillance of the representatives of the civil society.

 

During the course of our investigation we were able to register for the Summit and obtain an official pass by “just” showing a fake plastic identity card and being photographed (via a webcam), with no other document or registration number required to obtain the pass. The limited personal data required to produce the fake ID and thus register was easily obtained - a name from the WSIS website of attendees.

 

However this is only half of the story.



More photos of the WSIS Access Control

 

The official Summit badges, which are plastic and the size of a credit card, hide a “RF smart card” [1] - a hidden chip that can communicate its information via radio frequency. It carries both a unique identifier associated with the participant, and a radio frequency tag (RFID) that can be "read" when close to a sensor. These sensors can be located anywhere, from vending machines to the entrance of a specific meeting room allowing the remote identification and tracking of participants, or groups of participants, attending the event.

 

The data relating to the card holder (personal details, access authorization, account information, photograph etc.) is not stored on the smart card itself, but instead managed by a centralized relational database. This solution enables the centralized system to monitor closely every movement of the participants at the entrance of the conference center, or using data mining techniques, the human interaction of the participants and their relationship. The system can potentially be extended to track participants' movements within the summit and detect their presence at particular session.

 

Because all of the personal data is stored in a centralized database, any part of the database can be replicated locally, or transferred to future events - for example the next WSIS Summit hosted by the Tunisian authorities in 2005.

 

During the registration process we requested information about the future use of the picture and other information that was taken, and the built-in functionalities of the seemingly innocent plastic badge. No public information or privacy policy was available upon our demands, that could indicate the purpose, processing or retention periods for the data collected. The registration personnel were obviously not properly informed and trained.

 

Our main concern is not only that the Summit participants lack information about the functionalities of this physical access system implemented, or that no one was able to answer questions of how the personal data would be treated after the Summit. The big problem is that system also fails to guarantee the promised high levels of security while introducing the possibility of constant surveillance of the representatives of civil society, many of whom are critical of certain governments and regimes. Sharing this data with any third party would be putting civil society participants at risk, but this threat is made concrete in the context of WSIS by considering the potential impact of sharing the data collected with the Tunisian government in charge of organizing the event in 2005.

 

That a system like this gets implemented without a transparent and open discussion amounts to a real threat for the participants themselves, and for our Information Society as a whole.

 

More information is available at:

http://www.contra.info/wsis

wsis@contra.info

 

NOTES TO EDITORS

 

· The World Summit of Information Society has contracted SportAccess, a Company of Kudelski Group, as the main responsible of an integrated solution for physical access control solution during the United Nations Summit of Information Society. The MultiSAK system has already been deployed in other meetings as the World Economic Forum in previous years and was globally designed and developed by NagraCard and NagraID.

· The procedures of how personal data is being handled during WSIS break the principles of the Swiss Federal Law on Data Protection of June 1992 [2], the European Union Data Protection Directive 95/46/EC [3] and the United Nation guidelines concerning Computerized personal data files adopted by the General Assembly on December 1990.

· The Electronic Privacy Information Center [1] has an extensive news archive and background material on the subject of privacy threats and RFtags. Usage of RFtags in supermarkets, to tag products for purposes of stock management and security, has already attracted oppositions on privacy grounds by CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) [5] and has lead to campaigns for customer boycott of tagged products [6].

REFERENCES

[1] Electronic Privacy Information Center Website about RFID Identification http://www.epic.org/privacy/rfid/

[2] Swiss Federal Law on Data Protection, http://www.edsb.ch/e/gesetz/schweiz/index.htm

[3] European Union Data Protection Directive, http://europa.eu.int/comm/internal_market/privacy/index_en.htm

[4] Guidelines for the Regulation of Computerized Personal Data Files, http://www.unhchr.ch/html/menu3/b/71.htm

[5] - http://www.nocards.org/AutoID/overview.shtml

[6]The Boycott Gillette Campaign - http://www.boycottgillette.org/

RELATED NEWS

News in the following languages: Spanish, English, French, Dutch, German, Portuguese, Catalan, Galego...

More related articles