[Infowarrior] - Patently Bad Move Gags Critics

Richard Forno rforno at infowarrior.org
Wed Feb 28 19:21:13 EST 2007


Patently Bad Move Gags Critics

By Jennifer Granick
02:00 AM Feb. 28, 2007
http://www.wired.com/news/columns/0,72819-0.html

Guess what? Radio frequency identification tags are insecure. But don't
demonstrate the technology's problems at a security conference. If you do,
HID Global, a manufacturer of access-control devices, might sue you for
patent infringement.

That's the threat the company leveled against Chris Paget of IOActive
Monday, forcing him to pull the presentation he planned for the Black Hat DC
2007 conference taking place this week in Washington.

Paget had planned to discuss and demonstrate a technique for cloning RFID
proximity cards -- the kind that are used to control access to buildings and
offices. He performed a similar demonstration at the RSA Conference
recently, using a home-brew RFID reader/writer.

I haven't seen the cease-and-desist letter, but from reports, HID Global
seems to be claiming that cloning an RFID security card violates one or more
of the company's patents on RFID reading technology. If true, this would
make any third-party research into the security of the company's products
illegal, as well as any public demonstration.

I'm sure burglars, identity thieves and others who misuse insecure RFIDs for
personal gain will be deterred by the years of messy patent litigation
they'll face if they start hacking RFIDs. It seems to have scared legitimate
researchers pretty well.

I'm glad we didn't worry about whether hacking RFID infringes upon patents
back in January, because at a symposium about new technology and the Fourth
Amendment put on by Stanford Technology Law Review students, University of
California at Berkeley computer science student David Molnar demonstrated
for the audience a cheap little device cobbled together from Radio
Shack parts that was able to read and clone radio frequency tags contained
in our university ID cards.

On that same panel, Nicole Ozer, technology and civil liberties policy
director for the ACLU of Northern California, told us that most people carry
some sort of card that someone can read through a pants pocket, and thereby
identify, track or impersonate them.

But it makes a much bigger impression when you see it happen before your
very eyes, which is why a company might want to block a demonstration.

HID Global reportedly pointed to two of its patents for card readers -- No.
5,041,826 and No. 5,166,676. The important parts of a patent are the claims.
To infringe a patent, one must make, use, sell or offer for sale an
invention described by the patent's claims without the patent owner's
authorization.

Paget doesn't sell his reader, which you can see him demonstrate here. But
he did make it. So if it operates identically to the card readers described
in HID's patents, then the company's legal threat actually makes some
theoretical sense. That should scare everyone reading this.

Patents have been issued for the most trivial of inventions -- there are
multiple patents like No. 7,111,753, which grants rights with regard to a
piece of paper that goes around a hot cup to stop your hand from getting
burned. Combine excessive grants of patent rights with a company's narrow
corporate self-interest in maintaining an image, and we have a free speech
and security nightmare.

Imagine if, in the 1970s, the tobacco companies had patented devices to
measure the health effects of smoking, then threatened lawsuits against
anyone who researched their products.

The use of patent law to prevent vulnerability discovery and discussion is
bitter irony, because a fundamental purpose of patent law is disclosure: In
exchange for the right to exclude others from using, making or selling a
novel invention, an inventor agrees to make public all the details. Once
issued, patents are a searchable public record, and expire after 20 years.

This isn't a case about keeping dangerous information out of the hands of
attackers. There's nothing new about RFID vulnerabilities: Everyone knows
about them and has for years. Nor is this a case about properly rewarding
HID for its innovative creativity. Paget isn't building and selling his own,
competing devices.

This is a case about misusing intellectual property laws to silence critics
who want to inform customers and consumers alike that the RFID emperor has
no clothes.

- - -
Jennifer Granick is executive director of the Stanford Law School Center for
Internet and Society, and teaches the Cyberlaw Clinic. 



