<
>

RFID use raises on-slope privacy concerns

11/16/2010
Courtesy Alpine Meadows

Radio frequency identity has revolutionized the ski industry. Instead of fumbling with frozen fingers, skiers and snowboarders can now move through scanners, letting RFID chips embedded in lift passes open gates before them.

But are there consequences to this convenience? Ski instructor, identity theft expert and former Vail Resorts employee Jon Lawson says yes, and he has invented a product called Ski Pass Defender to protect snow riders' privacy.

Off the hill, RFID has dozens of uses, from tracking inventory and livestock to linking debit accounts with chips injected under the skin of nightclub frequenters. But from Jay Peak to Verbier, ski resorts worldwide are increasingly using RFID for more than just lift access. This season, Aspen Skiing Co. will allow guests to attach a credit card to season passes, and Vail Resorts is using RFID to power its new social media application, EpicMix, which tracks vertical feet and terrain skied by users via the lifts they ride. A user who chooses to create an online account will be able to view this information. EpicMix also allows users to opt in to share this information with Facebook friends.

To Lawson, this is cause for concern. "RFID is an open structure. It was never meant to be encrypted or to have safe data on it. I realized as chips became less expensive and more robust, companies could put more information on them. I saw more of a need, so I wanted to get in front of that wave," he told ESPN.

Lawson has found a ready customer base for his product, which launched in June. He has sold 700 Ski Pass Defenders since September, with a surge of sales since Keystone and Breckenridge opened (Nov. 5 and 12, respectively). He has also received multiple requests from local ski shops to stock his product. "Some are anti-corporate," Lawson said of his customers. "Others -- like me -- say, 'I choose not to give that information, I choose not to be tracked.'"

The SPD, which sells for $15.95, is comprised of two aluminum-backed sheaths attached to a lanyard. The aluminum prevents the RFID chip from being read. To board a lift, an alligator-style clip is squeezed, activating patented "squeeze to read" technology, allowing passholders to control when and how the information on their RFID chip can be shared.

Other entrepreneurs are breaking into the RFID protection market -- sleeves, wallets and bags are being made to prevent RFID-chipped passports and credit cards from being read, and portable devices such as the RFID Guardian alert users when their chips are scanned.

But Hal Charych, CEO of Mountain Pass Systems LLC, whose company helps ski resorts implement RFID technology for lift ticket verification, calls RFID protection products a "waste of money."

RFID chips contain a multidigit ID number. Vail Resorts stores these ID numbers in a secure database separated from another secure database that contains customers' personal information. According to Charych, this is standard practice in the industry.

"When you actually read what is on that ticket, you just get an ID number," Charych said. "Without having the database behind it, the number is meaningless."

Lawson's conscientious approach stems from his own experience with identity theft. During his freshman year of college, Lawson was a victim of utility fraud. Since 2005, he has worked as a consultant on mitigating identity theft. His experiences have made him cautious about how his personal information is shared.

In the May 2006 issue of Wired, an article titled "The RFID Hacking Underground" reported that hackers used homemade USB devices to pickpocket access codes to an office building from a smartcard badge, lifting a medical ID number from an implanted tag. Devices such as these are readily available on eBay and using them is a YouTube click away.

Lawson is concerned that ski resorts will use data stored in RFID chips in workers' comp proceedings or in cases of guest liability. If an employee is injured on the job, will lifts ridden and terrain skied during time off be used to prove personal liability? He has the same concern for guests.

Vail Resorts contends there's no need for concern. "We go to great lengths to protect the privacy of our guests," said Kelly Ladyga, VP of corporate communications for Vail Resorts. "Which is why the only thing on the RF chip is a unique ID number and our guests' personal and credit card information is kept in a separate customer database with all of the appropriate safeguards. For those who do not want us to track their lift rides, the RF chip can be easily disabled."

EpicMix was launched Aug. 30. Soon after, Lawson was called in to meet with upper management at Breckenridge, where he had worked for 17 years as a ski instructor. According to Lawson, he was told his product was inhibiting the EpicMix initiative and that he would be able to continue working at Breckenridge only if he shut down Ski Pass Defender and signed a code of conduct.

"We cannot comment on any personnel matters," Ladyga said. "But Vail Resorts will not permit its employees from purposefully [and] publicly spreading inaccurate, false information on the company or its products or activities."

Lawson now works at Loveland Ski Area. He continues to operate Ski Pass Defender.