RFID Issues Revisited
October 17, 2013
Logs
Readers of Fordham’s campus newspapers may have noticed a discrepancy in information regarding the implementation of the new radio-frequency identification (RFID) technology.
When asked, “Are there logs of who is in the building and when they sign-in? Are those saved somewhere?” during an interview with The Observer, John Carroll, associate vice president of safety and security, responded “No. No, no, no. Absolutely not. This is not a Big Brother thing at all,” a quote that was printed as part of the article “RFIDs Set a New Standard for Security” in the Sept. 9 issue of The Observer.
The Ram, the Rose Hill-based student publication, reported in their Sept. 25 article “With ‘Apple Picking’ on the Rise, Security Moves Towards Campus-Wide Digital System,” that “As part of the system, Fordham’s security staff is able to keep a digital log of timestamps when students enter residence halls, and soon, when they step onto campus.”
The conflicting pieces of information were brought to the attention of Observer staffers by Jeff Lockhart, Graduate School of Arts and Sciences ’14, who previously emailed Carroll asking for a clarification on the logging process as well as other security measures taken by the university to minimize the potential risk of stolen or copied RFID credentials.
In a follow-up interview with The Observer, Carroll said that these two quotes do not necessarily negate each other.
“I think if you look at the statement I made to The Ram and the statement I made to [The Observer], you will see they are exactly the same,” Carroll said.
“I know they sound incongruous,” Carroll said of his two statements, “but the fact is we will never be using those logs for any Big Brother purpose, and that’s what I meant. But there is a log kept.”
“We need to keep the log data for a minimum of a year in order to use for diagnostics and to run the system,” Carroll said, however the Fordham safety and safety website states that this data is only “retained for several months.”
The data retention policy of Fordham safety and security also specifies that logs “are not fed into any other University data systems,” that the “logs are protected, physically and electronically,” that “Fordham personnel do not have routine access to log data,” and that, ultimately, “log data may be made available to Fordham officials and/or civil authorities,” under extraordinary circumstances.
“The University reserves its right to do an investigation. And that is the same thing as this,” Carroll said. “You can look at any student handbook you want, it will always say that the university, regardless of what anybody wants, retains its right to do an investigation.”
“I’m not talking about bringing beer in a dorm or anything,” Carroll said of the conditions for accessing logs. “I’m talking about a serious felony.”
While the data retention policy states that log data can be made available to Fordham officials or civil authorities in “extraordinary circumstances, such as criminal investigation, emergency or disaster recovery,” these categories seem too broad for Lockhart, who expressed his concerns to The Observer over email regarding the policy: “There is no accountability or oversight whatsoever, or transparency. Who makes sure they’re only looking at it in the ‘right’ circumstances? Who do they go to for approval?”
Lockhart also expressed worry regarding the safety of data logs.
“The first and most frequent lesson in any class on computer security is to keep no data you don’t absolutely need, so that there’s no risk of abuse or theft later.”
Lowenstein Scanners
Another notable issue on the Lincoln Center campus is the “Out of Order Please Show ID Card” signs covering the RFID scanners at the 60th Street and Columbus Avenue entrance of Lowenstein and plaza level entrance; just weeks after its implementation the system appears to be having some technical difficulties.
“They are not out of order. The problem was [that] I was kind of running ahead of myself. The supporting back part of the system was not fully engaged, so you could show your ID card and it would light up green, which just meant that it had read your card. It did not mean it was fully processed,” which ensures you are a current employee or student, Carroll said.
In the meantime, Carroll has instructed guards at this entrance to continue manually checking ID cards and is waiting for the system to be fully implemented.
“I’m hoping all of the software and programming stuff gets into place by January [2014], I know for sure it will be in place by June 2014,” Carroll said.