R adio frequency identification technology has become popular as an effective, low-cost solution for tagging and wireless identification. Although early RFID deployments focused primarily on industrial settings, successes have led to a boom in more personal, pervasive applications such as reminders 1 and eldercare. 2 RFID promises to enhance many everyday activities but also raises great challenges-in particular, with respect to security and privacy.At the University of Washington, we've deployed the RFID Ecosystem, a pervasive computing system based on a building-wide RFID infrastructure with 80 RFID readers, 300 antennas, tens of tagged people, and thousands of tagged objects. 3 The RFID Ecosystem is a capture-and-access system that streams all data from the readers into a central database, where applications can access it. Our goal is to provide a laboratory for longterm research in security and privacy, as well as applications, data management, and systems issues for RFID-based, community-oriented pervasive computing.RFID security is a vibrant research area, with many protection mechanisms against unauthorized RFID cloning and reading attacks emerging. 4 However, little work has yet addressed the complementary issue of protecting the privacy of RFID data after an authorized system has captured and stored it. We've investigated peer-topeer privacy for personal RFID data through an access-control policy called Physical Access Control. PAC protects privacy by constraining the data a user can obtain from the system to those events that occurred when and where that user was physically present. While strictly limiting information disclosure, PAC also affords a database view that augments users' memory of places, objects, and people. PAC is appropriate as a default level of access control because it models the physical boundaries in everyday life. Here, we focus on the privacy, utility, and security issues raised by its implementation in the RFID Ecosystem.
Privacy and utility in pervasive architecturesThe 18th-century legal philosopher Jeremy Bentham first described the perfect architecture for surveillance: the panopticon, a prison that arranges its cells about a central tower from which a guard can monitor every cell while remaining invisible to the inmates. The architecture's innovation is that the guard's presence becomes unnecessary except for occasional public demonstrations of power. Many privacy concerns in pervasive computing stem from a similar potential for an unseen observer to access and act on data about someone else. Under these conditions, the "state of conscious and permanent visibility [assures] the automatic functioning of power" 5 because individuals must constantly conform to the code of conduct their peers or superiors hold them to.Just as surveillance can be built into an architecture, so can privacy assurances. Our fundaTo protect the privacy of RFID data after an authorized system captures it, this policy-based approach constrains the data users can access to system events that occurred whe...
