Ask the Experts: Ross Stapleton-Gray, the Sorting Door Project
22 August, 2005
category: Contactless, Financial, Library, RFID
Ross Stapleton-Gray is Stapleton-Gray & Associates’ principal analyst and the founder of the Sorting Door Project.
What are the goals of the Sorting Door Project?
It is intended to examine RFID, surveillance and privacy issues. In a nutshell, while the read ranges of passive RFID tags are fairly short, they might be readily scanned in constrained spaces, like doorways; doorways are also natural places to want to monitor individuals, e.g., to welcome a friend (or valued customer), or bar access to a threat. The project proposes to link numerous and independent Sorting Doors (the name derives from the Sorting Hat, of the Harry Potter series, which could mystically look into the character of the wizardry student on whose head it was placed) to back end resources used to aggregate and analyze RFID-derived data, and to make inferences about the nature of those passing through the Doors.
Where did this start?
One of the features of the Information Age: you never have to delete all that old e-mail, and the means to dredge through it improves every year! – According to the e-mail, I first put the name “Sorting Door” to the idea of collecting and analyzing RFID “in the wild,” to study issues of surveillance and privacy, in December 2003. Checking IMDB, that falls somewhere in between two “Harry Potter” movie releases… maybe one of the books had just come out, to prompt the idea for the name. That was also a few months before the Computers, Freedom and Privacy conference, to be held that year in Berkeley, at which I was part of a workshop session on RFID and privacy issues, and shortly after the initial workshop on RFID and privacy convened at MIT. (That workshop was the catalyst for a book, “RFID Applications, Security and Privacy,” just published by Addison Wesley.
Why is the Sorting Door an open research project?
There are a number of reasons to do it, the best probably being that someone else will certainly do it, but won’t publish. That is to say, various parties have needs and interests to conduct surveillance, and if RFID turns out to be useful for that, they’ll use it. But if all the research stays locked in a corporate R&D lab, all of the rest of us won’t be aware of how we might be surveilled. I would describe this as trying to put all the information out on the table, to inform public debate. Two bad outcomes I’d like to avoid: we’re underinformed on RFID, and suffer from some of the negative potential (e.g., surveillance) for lack of tools, or just the knowledge, to mitigate it; and we’re underinformed, and cripple the technology through bad public policy choices arising from paranoia.
Isn’t the creation of such a system privacy advocates’ worst case scenario?
This question comes up a lot… isn’t this just helping people who might want to use RFID for surveillance to figure out all of the worst things they might do? I don’t think so. I’m a big believer in “sunlight as disinfectant,” and I’d much rather have a good idea of what’s possible, to have the chance to either (1) develop tools and techniques to compensate; or (2) push for laws or policies to lessen the negative consequences.
What should participants expect?
One of the original ideas, way back in 2003, was that one of the applications of the Sorting Door would be a very public one: set up a Door in a public space–a plaza, in a library, etc.–and invite people to walk through it, displaying information on any RFID they had on their person, along with any inferences that might be drawn from that. This is the educational, public policy-oriented purpose: help people to better understand what’s going on, increasingly pervasively, in a slice of spectrum (radio frequencies) they can’t see or feel. Many of us may have been carrying RF-responsive devices for years, e.g., building access badges, or contactless payment devices like the Mobil Speedpass… are we aware that we’re lugging around little radio beacons? And that if someone’s looking for them, they might be found?
The plan for the project, though, is that there will eventually be a great many Doors, created and used for a variety of purposes; some would be educational, as described above, while others might be used as experimental testbeds to see what sorts of RFID devices are out there (imagine a Sorting Door in any high-traffic area… how many RFID devices or tags might one encounter in a day? What types? What might they imply?), or even for “technologies of privacy,” e.g., to test the so-called “blocker tag” developed by RSA.
Any and all of the Doors would have access to some shared resources, such as databases to help map between RFID tag values, and information about tagged things. Given the enormous weight of legacy bar codes (many tens of millions of unique types of products, and a standard now 30+ years old), Electronic Product Code (EPC) tags will almost certainly reflect (or, really, contain) those older codes… tell me an EPC, and I can give you the product’s UPC, and, through the help of a number of commercial companies who do this for a living, a set of facts about the product: its manufacturer, weight, color, etc., etc. Some of those facts may be useful in making inferences about the person who’s just carried or worn that tagged object through the Door… in the example I often give, if you detect a tag that maps to the product code for a size 4 Donna Karan dress, you can make a reasonable guess that you’ve either detected a petite woman, or someone with a nice gift for one.
The area I find most interesting in all of this is the back end: if RFID is creating the “Internet of Things,” all those things have characteristics, and one can draw all sorts of inferences from knowing things are present, and what those things are made of, used for, found with, etc.