Posts belonging to Category Privacy



RFID tags

I’ve been meaning to write about RFID tags since I got an email on Monday about a security hole on the Auto-ID center’s website that allowed anyone to access their confidential documents.  These documents related to market studies on RFID tags and how they would “pacify” consumers with regards to their “emotional” privacy fears.  CASPIAN’s email might be a bit breathless and overblown concerning the issue, but the documents are still somewhat damning to the industry.  They have since pulled the documents (or fixed the hole), but not before Cryptome mirrored them.

For those that haven’t been following the issue, an RFID tag is a small (imagine a grain of rice or smaller) passive (non-powered) microchip that emits a radio signal with a unique identifier when it is hit by a radio transmission in a certain frequency range (it varies for each device).  The signal is of very low power and can only be read (at present) within a few feet (once again, this varies by device from approximately 3 to 15 feet).  The idea is that these tags can be used to track inventory in stores and warehouses.  If you had a case of razors, simply moving the box by an RFID scanner would tell you how many you had in the case.  Stores are interested in this technology as a replacement to barcodes (both for automated checkout and for “smart shelves” that could manage inventory).

At this point you may be wondering what the big deal about all this is.  After all, it’s just a way of tracking products.  And at present the trials are just in warehouses (with tags attached to pallets and boxes).  However, the industry direction is to push the price of these tags down to less than one cent per tag so that the tags can be embedded in the product (or in its packaging).  This level of tracking would be required to realize the goals of automated checkout and smart shelves.

It’s at this point that people like me who worry about privacy get concerned.  If the tag is not deactivated (in a way that we can trust is permanent) at the point of sale, it leads to the possibility of tracking on a scale that boggles the mind.  The RFID tag is different from a bar code in that each and every RFID tag emits a unique identifier.  This means that not only does the RFID tag identify the type of an object, it identifies the specific instance of that object (like a serial number).  If this is linked to purchase records, it means that anyone with a scanner and access to the records could identify you and everything you have on or about your person.

Of course, the RFID people claim that they would never do this.  And I think they may actually mean it.  However, I don’t trust that the businesses that get their hands on this technology won’t abuse it in the future.  Also, the RFID people claim that the tags can only be read from a short distance, so it’s unlikely that you could be easily scanned.  Once again, I find this unpersuasive.  Most stores these days have scanners at their entrances and exits that work with the existing inventory control system.  In some cases, they force you to walk through a choke-point where the scanner is only a few feet from you.  It wouldn’t take much to convert one of these to an RFID scanner.

Can you imagine a business that wouldn’t drool over the ability to know who you are and what you’re carrying when you walk into a store?  While some would say that this is good, I don’t agree.  The potential for misuse is far too high.

Another concern is that criminals could obtain scanners and could instantly know what you’re carrying if they got near you.  Also, there is concern that new technology could be developed that increased the range of the scanners.  The RFID industry tries to downplay this angle by saying that the power of the chips is so low that they can’t be read at a distance.  And it’s true that the chips rely on the EM from the scanner to be activated.  However, advances in technology of the receiver might someday allow for greater ranges (or even for the signal to be read through a wall).  If that ever happens, and you have a houseful of RFID equipped stuff (provided they aren’t permanently deactivated), a criminal could scan your house and know what you had without having to come in.

Or even if the privacy issue is ignored, the potential for wrongful harassment by “loss prevention” types is still there.  Imagine if the system wasn’t coded correctly (or lost data) and thought that the pair of pants you bought there last week weren’t actually sold.  You’d be detained by security on the way out and have to prove that you bought the pants you’re wearing.  If you don’t think it can happen, I experienced something similar when I was in college concerning the library’s security system and a textbook that I legally owned.

At this point, though, it appears that the technology is still too immature to use on store shelves.  Wal-Mart, which championed bar codes in the 80’s, was hot to use RFID tags, but they’ve cancelled a trial in one of their stores.  They will now focus on warehouse operations.  But this doesn’t mean that they’ve given up.  It just means that it has been delayed.  And I suspect that we’ll see a public relations campaign to “pacify” the public’s privacy fears in the meantime.

What I find interesting is that while the industry had paid lip service to privacy concerns, they don’t seem really interested in killing the RFID tag at the point of sale.  They’re adding a “kill” feature to some of the new chips, but they want to make you “opt-out” of using the tag, rather than having you opt-in to leaving it active.  For me, I want them all dead when I leave the store, and this will be yet another hassle to deal with at checkout.  They keep talking about a “smart house” concept where your pantry keeps track of the food and your washer knows the right settings for the clothes, but their own market research (which they conveniently left open for us to read) shows that people think that the concept is ridiculous.  If I was prone to conspiracy theories, I’d think that they are looking for a way to spin the technology so that we’ll accept keeping the tags alive.  Then they would be able to implement the other tracking features that worry people like me.  But that’s only if I were to buy into conspiracy theories.  :)

In the meantime, I’m going to keep watching this issue.  If it comes to market, and I don’t trust their implementation of it, I’ll have to examine how to disable them myself (they say that microwaving works, but that it could set the object on fire, which would be a definite drawback).  I suspect that there will come a day when we won’t be able to buy an object without an RFID tag in it.  We need to be vigilant to make sure that the RFID tags are handled on our terms.

The Empire Strikes Back

It appears that the telemarketers aren’t getting the message.

Companies that are major users of telemarketing calls are preparing to shift efforts to e-mail and direct mail once a new federal “do-not-call” list takes effect in October, according to a published report.

As of Tuesday morning about 12.5 million Americans have signed up to block phone solicitations in the first four days of the program, according to the Federal Trade Commission. Solicitors who call homes on the list after Oct. 1 face fines of up to $11,000 per call. Another 14 million homes are being transferred from state do-not-call registries, and 60 million homes are eventually expected to sign up to block calls by calling the FTC or signing up on its Web site.

The Wall Street Journal said Wednesday that companies such as AT&T and Allstate Insurance are looking to shift some of their sales efforts away from the phone solicitations that have been central to their business plans in the past.

“We plan to shift into other communication mediums, and rely more heavily on traditional TV advertising and e-mail marketing,” Allstate acting Chief Marketing Officer Todd DeYoung told the paper. “We also plan to stimulate inbound call volume by doing more directed advertising and more direct mail.”

It should be clear from the backlash against telemarketers that a large number of people are not receptive to their message.  Why would they think the message would be better received if sent via another medium?

I closely guard my email addresses, and I’m careful to make up a new address for each company I deal with.  That way, I can find out who sold my address to spammers, or I can tell which company is ignoring its promises to me.  I come down hard on companies that contact me via email without my permission (to the point of redirecting the email to the company’s marketing address in one case).

Oh, and this won’t be very helpful, either:

The paper said that in addition to seeing more e-mail or junk mail, consumers who call companies on other business may now have to listen to sales pitches while negotiating voice mail messages.

If they incorporate this into their VRUs, I’ll be more likely to drop out to an operator rather than sit around listening to their crap.  This will ultimately increase their costs and decrease customer satisfaction.

On the other hand, a few companies are seeing an opportunity in all this:

But the companies won’t drop their phone banks altogether. They believe that those who do not sign up for the do-not-call list will be more open to telephone pitches and that could help their phone solicitation efforts.

I don’t know if that will exactly be the case, but at least they won’t be bothering people who obviously don’t want to be bothered.

Link via Slashdot.

Allah Will Roast Their Servers In Hell

I tried to sign up for the National Do Not Call list this morning, but it took me about an hour of waiting and retries to get through.  Now I’m waiting for the email confirmation so that I can complete the process.  I don’t envy the system admins for this thing.  I bet their mail server is coughing up a huge hairball about now.

Legislating Morality

Texas Penal Code,  Chapter 21:

§ 21.01. Definitions

In this chapter:

(1) “Deviate sexual intercourse” means:

(A) any contact between any part of the genitals of one person and the mouth or anus of another person; or

(B) the penetration of the genitals or the anus of another person with an object.

(2) “Sexual contact” means, except as provided by Section 21.11, any touching of the anus, breast, or any part of the genitals of another person with intent to arouse or gratify the sexual desire of any person.

(3) “Sexual intercourse” means any penetration of the female sex organ by the male sex organ.

Acts 1973, 63rd Leg., p. 883, ch. 399, § 1, eff. Jan. 1, 1974. Amended by Acts 1979, 66th Leg., p. 373, ch. 168, § 1, eff. Aug. 27, 1979; Acts 1981, 67th Leg., p. 203, ch. 96, § 3, eff. Sept. 1, 1981; Acts 1993, 73rd Leg., ch. 900, § 1.01, eff. Sept. 1, 1994.

Amended by Acts 2001, 77th Leg., ch. 739, § 1, eff. Sept. 1, 2001.

§ 21.06. Homosexual Conduct

(a) A person commits an offense if he engages in deviate sexual intercourse with another individual of the same sex.

(b) An offense under this section is a Class C misdemeanor.

Acts 1973, 63rd Leg., p. 883, ch. 399, § 1, eff. Jan. 1, 1974. Amended by Acts 1993, 73rd Leg., ch. 900, § 1.01, eff. Sept. 1, 1994.

Deviate.  Sexual.  Intercourse.  The very phrase drips with moral opprobrium.  I thought it would be informative to see exactly what the Texas statute said, and I find this very interesting.  I think this is a case where they just weren’t devious enough for their own good.  While the law prohibits anal and oral sex between two men or two women (and also appears to prohibit the use of dildos or other “objects”), I think there just might be a little loophole in the law.  I don’t think they classify the human hand as an object, so it would seem that it wouldn’t prohibit fisting.  I hope that someone, somewhere pointed this out to the bill’s author so that he died of shock at the thought…

Anyway, that wasn’t what I really set out to write about.  The old “Morality can’t be legislated” saying came up in the comments to this post at The Bitch Girls.  One poster thought it was dumb “bumper-sticker philosophy”.  I think the commenter misses the point, or at least misses the way I’ve always interpreted it.  To me, it simply means that any law that attempts to legislate something on moral grounds will fail.  I was amused several years ago by a television interview with some politician whose response to this was, “Just watch me.”  He obviously didn’t get it.

As we’ve seen with morally-based laws on sodomy, alcohol (prohibition, anyone?), drugs (history repeats itself with tragic consequences), prostitution, or just about any other victimless crime, a large number of people will simply ignore the law.  Why?  To these people these aren’t areas where the state has any business if their actions don’t have a direct, non-consensual effect on other people.  In a way, this is an intuitive natural rights view (at least from my viewpoint).  Some people try to argue that if we don’t enshrine moral judgements into the law then we’ll have to rip the murder and rape statutes from the books.  However, if one starts from a natural rights foundation of the person as self-owner, one can build a case for laws against murder and rape (and a whole host of other acts).  I understand that some people dispute the natural rights concept, but that leaves them with the nasty dilemma of trying to decide whose morals to use.  And what if the democratic majority’s morals say it’s OK to do something horrific (like killing homosexuals)?  This is why I think there are areas that are not subject to legislation or intrusion by the state and that there must be limits to what the state tries to do (i.e. any area where acts between consensual adults take place that do not harm any nonconsenting party should be out of bounds for the state).

Of course, I’m a bit radical in my thoughts on this matter.  And I fully understand that my beliefs would open the door to removal of laws against bigamy and prostitution and a whole bunch of other stuff.  But these things don’t scare me like they seem to do the moralists who would like to control us every minute of our lives.  Some days I’m not sure who’s worse, the moralists or the socialists.  Both of them want to control us; they only differ slightly on the areas they would interfere in (and it won’t be long until they’ve converged).

National Do Not Call Registry

The National Do Not Call Registry has opened for online registrations at donotcall.gov.  If you’re already on a state do not call list, there is a possibility that your number will be automatically added to the national registry.  This is decided on a state-by-state basis.  The list of states and their decision on this can be found here.  I discovered that Texas will not be automatically adding people to the national registry.

Of course, the registry was mentioned on Slashdot this morning, so the server is being pounded into a pulp right now (i.e. it’s experiencing a thorough “slashdotting”, which is kind of like an Instalanche to the third power).

A Raw Nerve

Mrs. du Toit wrote a post today that struck a nerve with me.  I have a special loathing deep within for telemarketers.  They’re a plague of bottom feeding scum as far as I’m concerned.  Is that harsh?  Not really.  They invade my space and take up my time for their intrusive scripted crap. 

My phone exists for my personal use.  I give out the number to people whom I wish to have contact me.  It is not an open invitation for any dumbass with an autodialer to try to part me from my money. 

I have made it a policy that I will not buy anything from a telemarketer and I will not give money to any charity that calls me on the phone.  I make no exceptions, because I’ve learned from hard experience that once you do you’ll end up on a list of suckers which they pass around among the different groups.  Because of this unscrupulous behavior I don’t even accept calls from the NRA or other groups I’m sympathetic to.

But the lowest of these scum are the ones who call you up with prerecorded marketing messages.  It’s the telephonic equivalent of a drive-by.  And one company stands out for me as the worst offender and has earned my eternal enmity—Dish Network.  They called me with a prerecorded message that I could not hang up on (despite repeated attempts).  After trying to hang up and being unable to, I finally listened to what they were saying.  After a bit they gave me the option to “press 1 for more information about this offer” or to “press 2 to end this call.”  I pressed ‘2’ only to be informed that this “was an invalid option.”  At this point I hit ‘2’ about 35 more times, which kind of jammed the system for a while.  I was spitting mad by this point so I hit ‘1’ so I could chew on a person.  Unfortunately, these bastards must have anticipated this reaction, because it dumped me into a voicemail box where I had to leave a message.  I left them a very nasty message and I included my name and number and told them never to call me again or I’d get the FCC involved, since I was under the impression that the use of recorded messages is illegal.

Calls using artificial or prerecorded voice messages – including those that do not use autodialers – may not be made to residential telephone numbers except in the following cases:

  • emergency calls needed to ensure the consumer’s health and safety;
  • calls for which you have given prior consent;
  • non-commercial calls;
  • calls which don’t include any unsolicited advertisements;
  • calls by, or on behalf of, tax-exempt non-profit organizations; or
  • calls from entities with which you have an established business relationship.

Calls using autodialers or artificial or prerecorded voice messages may be placed to businesses, although the FCC’s rules prohibit the use of autodialers in a way that ties up two or more lines of a multi-line business at the same time.

If an autodialer is used to deliver an artificial or prerecorded voice message, that message must state, at the beginning, the identity of the business, individual, or other entity initiating the call. During or after the message, the caller must give the telephone number (other than that of the autodialer or prerecorded message player that placed the call) or address of the business, other entity, or individual that made the call. It may not be a 900 number or any other number for which charges exceed local or long distance transmission charges.

Autodialers that deliver a recorded message must release the called party’s telephone line within 5 seconds of the time that the calling system receives notification that the called party’s line has hung up. In certain areas there might be a delay before you can get a dial tone again. Your local telephone company can tell you if there is a delay in your area.

Since then, I’ve used caller ID to screen all of my calls.  If I don’t recognize the name or number I will not answer.  I’m also on the Texas do-not-call list which has helped quite a bit.  But Dish Network can still kiss my ass.  I’ll never do business with them.  Ever.  (Which is why I’m glad their deal to buy DirecTV failed.)

Privacy Breach

Last year about this time I bought a pair of Oakley sunglasses from the Sunglass Hut in the mall.  Yesterday I received the Sunglass Hut Oakley summer catalog.  I was suspicious because it was addressed directly to me (rather than resident), and it was for Oakleys (smells like customer profiling…).

But here’s what upsets me:

  • I never registered the sunglasses with anyone.
  • I never gave Sunglass Hut my personal information.
  • Because I’m a privacy “nut” I almost never give businesses my personal information.
  • In those rare cases that I do, I withhold permission for them to send me stuff.

This can only mean that Sunglass Hut used my credit card information to obtain my address.  I consider this a serious breach of my privacy (and I would hope that it violates the credit card company’s acceptable use policy for merchants, although I need to do some more research on this). 

I’ve included the text of the email that I sent to Sunglass Hut customer service in the extended entry.

What’s sad (for them) is that I was about to buy a new pair to replace my last pair and I was probably going to go there this weekend.  Now, I’ll be looking elsewhere because I don’t trust them.

Maybe I just need to start paying cash everywhere…

My email to Sunglass Hut:

Last year at about this time I purchased a pair of Oakley sunglasses from the Sunglass Hut store/kiosk in the Golden Triangle Mall in Denton, TX. Yesterday, I was surprised to receive a catalog in the mail from Sunglass Hut with the summer Oakley collection. This catalog was addressed directly to me.

I find this unacceptable because I never gave my personal information to Sunglass Hut. And even if I were to have done such a thing, I would *never* have given you permission to send me anything. I guard my privacy quite zealously. The only way that your company could have gotten my mailing address was through the credit card that I used to purchase the sunglasses.

If this is how poorly Sunglass Hut regards a customer’s private information, I won’t be doing business with you any more. Please let me know how my address was obtained and remove me from any of your mailing lists.

My address is:
    < street address >
    Denton, TX <zip>

They’re Back…

It looks like Doubleclick and the others of their ilk can’t resist the lure of knowing everything about you.

Condé Nast owner Advance Publications, for one, recently began testing a product from Tacoda Systems that promises to compile detailed information about the Web site visitors of its Advance Internet news network.

And it’s got company. Tacoda, launched by the executives behind Internet ad network Real Media, said it has so far signed up at least 10 other publishing customers, including Weather.com, USAToday.com, Tribune Interactive and Scripps Networks.

Tacoda’s technology is designed to give Web publishers more insight into their visitors so that they can better target their ads. At its full potential, Tacoda’s Audience Management System can create profiles that include a person’s age, gender, location, billing address, e-mail address, Web surfing habits and subscription information to offline publications. To do this, it draws from data-mining technology, tracking software such as cookies and Web site registration information.

Just last week, the company signed a deal with ad technology provider DoubleClick that could further boost the two-year-old company’s profile among Web publishers that want to court advertisers with better audience-targeting tools. The deal essentially makes it easier for companies that employ DoubleClick’s widely used ad-serving system to also use Tacoda’s profiling software.

There’s a reason that these kinds of tracking systems were met with such an outcry when they first came out.  And frankly, I don’t give a rat’s ass how many so-called “safeguards” they add to it, I don’t trust them with my data.  A company has to have a lot of trust and goodwill built-up before I will knowingly allow them to have this amount of data about me.

But more importantly, where might this data turn up in the future?  The government would love to get its cloven hooves on this data through TIA if it could, which is brought up by a privacy advocate in the article.

Smith said he had little concern about the practices of Web publishers collecting data on consenting individuals in order to send targeted advertisements to them. But the nut of the privacy issue, he said, is that anytime profiles are amassed, there runs the risk that they could fall into other hands.

“If you’re just going to show ads with them, that’s no big deal, but what else is going to happen with them? Will law enforcement get their hands on them some day?” he questioned.

No, I don’t trust these bastards with this data and I don’t trust that it won’t end up somewhere it doesn’t belong.

A pox on all of these wankers and their apologists.

Wanker Update

The Department of Homeland (in)Security has chosen the former privacy officer of DoubleClick as its first privacy “czar”.  DoubleClick is one of the worst offenders with regards to disregard for privacy.  Their goal, before getting a huge public black eye at the time, was to link all of your online activity to your personal profile information (which they acquired through the purchase of another company).  They were planning to do this through the use of cookies and web bugs that would be used to identify you at any site where you browsed or (of most interest to them) purchased.  This earned them an FTC investigation and forced them to change their plans.

Of course, this woman was hired after that fiasco, but I still don’t trust anyone who works in the data collection industry to look out for our interests (nor do I expect them to give a damn about the constitution for that matter).

My initial impression:
   Hello, fox.  Would you like the keys to the henhouse?

But then I’m just a hysterical luddite wanker who wants to get us all killed because I have something to hide.  :)

Link via Slashdot

That Tears It

Now I’m pissed.  Check out this article from Wired about the comments of some lawyer from the Manhattan Institute about those of us who oppose government spying on innocent citizens.

If you don’t want the government to do what it must to protect you from terrorists, you should butt out, said Heather MacDonald, a lawyer at the Manhattan Institute, a conservative think tank. She made her remarks Wednesday at the 13th annual Computers, Freedom and Privacy conference.

And, she urged, stop all the panic-stricken screaming, because it’s endangering human lives.

Al-Qaida and other terrorist groups wield technology as a weapon with no worries about privacy rights, MacDonald said. But fear and distrust of anti-terrorism and surveillance technology hampers the U.S. government’s ability to shore up defenses and stop attacks before they happen.

MacDonald said the “hysterical cries” from those who see dark plots behind every government antiterrorist plan just proves that privacy advocates have a “luddite mentality.”

Luddite?!  Anti-technology?!  I’ve forgotten more about technology than this constipated harpy will ever know.  In fact, it’s because of my occupation that I know just how insidious these kinds of technologies are.

It isn’t hysterical or luddite to demand that the government follow the damn constitution.  We have a right to be free from government searches and seizures unless they have a specific and demonstrable reason.  What part of that does she not understand?

I will not sit idly by while government hacks and control-freak politicians destroy what little privacy we have left.  I will not be bought off by false promises of “safeguards” and outright lies that the information won’t be abused (Quis custodiet ipsos Custodes?).  I will continue to stand up and tell them to their faces that they are misguided, wrong, and in danger of destroying our constitution.

Damn wankers.