There’s a sense of déjà vu about this week’s Black Hat Conference, with yet another revealing presentation pulled at the last minute. Two years ago it was Cisco attempting to quash Mike Lynn’s presentation. This week it’s HID Global threatening legal action to stop Chris Paget, a security researcher, from demonstrating weaknesses in contactless RFID cards.
Like most people, I’ve always believed that such interventions are counter-productive. It’s healthier to come clean about security issues than to keep them hidden away. And, ironically, such action can serve to attract even more publicity and potential reputation damage. But for me, the real issue is whether society and industry are ready for RFID. Any new identification technology will present security challenges. RFID is no different. But there are some deeper issues with RFID.
Several years ago I served as a subject matter expert for the Royal Society’s excellent Science in Society Programme, during which I sat with citizen focus groups debating issues associated with emerging technologies and their impact on privacy and security. I was highly impressed with how quickly they grasped the implications of these technologies and formed decisive views. Generally they were willing to accept some loss of privacy in the interests of greater benefits. Most of them favoured technologies such as Identity Cards provided that the costs were not excessive. The one exception was RFID. Many felt that it was intrusive and did not offer them clear benefits. Some found it “scary”. I must admit I was surprised. But I came away with a clear learning point: that we should not introduce such technology without full understanding of the implications and a proper consultation with all stakeholders.