This article appeared in MIT's Faculty Newsletter, Vol VIII. No. 1, October 1995, p. 18.

MIT Card Holds Promise and Pitfalls: Questions of Privacy and Security

by Amy Bruckman

The social implications of new technologies are not always obvious. Consider MIT's installation of key-card operated gates in parking lots. This greatly increases security for parking lots, reduces individual privacy by creating a record of people's comings and goings, and makes it awkward to loan your car to a friend during the work day.

Parking gates are in place in the Albany Garage and West, Westgate, and Pacific Annex parking lots, and will be installed in the West Garage this winter. To enter or leave these lots, you need to swipe your MIT Card through a card reader. To date, the security benefits of the new system have far exceeded expectations. Chief of Police Anne Glavin reports that only four cars have been stolen from those lots since the gate system was first installed in 1994 (and in that case the gate arm was mis-adjusted, something which can be prevented in the future). Previously, one car was stolen per month from Westgate lot alone.

This increase in security comes at the price of decreased privacy. Most areas of MIT using the MIT Card have chosen to record little data about people's comings and goings. However, if the parking lots are to prevent people from parking multiple cars on the same card, all comings and goings must be recorded. Regardless of Chief Glavin's good intentions for the use of that data, it must be remembered that if the data exists, it is vulnerable to a court subpoena, and could be used in court proceedings. Further, even more potential issues are raised with the announced plan to outsource the parking.

There are also other, logistical problems. Suppose you want to loan your car to a friend.
If the friend is a member of the MIT community and uses his or her ID to get out of the lot, to the lot management program it may look like you are trying to park multiple cars on one card. (Glavin plans to confront only repeat offenders with a pattern of abuse.) If the friend is not a member of the MIT community, then you will need to loan them your card--which becomes problematic if you now need it to open doors, take books out of the library, and buy things around campus. The problem has been somewhat ameliorated since Campus Police started issuing additional cards for spouses of authorized parkers.

Difficulty loaning cars may well be a fair price to pay for a dramatic decrease in car thefts. Is decreased individual privacy a fair price to pay for more effective parking lot management? There are a variety of trade-offs to consider.

Similar problems arise when dormitories want to take people's MIT Cards as collateral for the loan of equipment like vacuum cleaners. You might have trouble stepping outside, buying a soda, or doing laundry while you've borrowed a vacuum cleaner. If the MIT Card is now to be used for financial transactions, there is the added problem of whether cards could potentially be stolen--what happens when a dormitory desk attendant wanders away for a few moments? Are cards to be kept under lock and key? The Committee on Athletics is to be commended for switching to a separate athletic card for exactly these reasons.

A number of these difficulties could be avoided by having separate cards for each function. The MIT Card Office has advocated combining many functions on one card for reasons of administrative efficiency. However, this overloading of functions gives the card conflicting requirements. It is impossible to make it fill all these requirements well.

The MIT Card began as a project of Housing and Food Services. Enthusiastic about the initiative they were taking, they convinced many other parts of MIT's administration to adopt it.
When it became clear that the card had broader social implications for people on campus, there was no one charged with the task of seeing this broader picture--it's certainly not the job of Housing and Food Services to tell the Campus Police how much data it's reasonable to collect on when people come and go from parking lots. Unfortunately, right now it's no one's job.

Privacy-related issues fall under the purview of The Privacy Committee, but that committee has not met since May of 1994, because it has had no chair. Fortunately, Professor Joseph Ferreira of Urban Studies and Planning has now agreed to chair the committee. However, even when the committee has met in the past, it had no authority or resources, and its recommendations were often ignored or laxly enforced.

Furthermore, the issues the MIT Card raises for the MIT community go well beyond privacy concerns. Consider, for example, trade-offs between security and openness. This is particularly well illustrated by the issue of whether to lock doors with keys, combinations, or key cards.

The Medical Center door is one example. If a friend who is not part of the MIT community would like to meet me at my office in the evening or over the weekend, I can tell him or her the combination to the medical building atrium door, and to the Media Lab elevator. If the door and elevator were operated by keys, I might make copies for a regular visitor and I could loan a copy to a visiting colleague in town for a few days, but I'd be unlikely to give direct access to someone who visits only occasionally. If the door and elevator were controlled by key cards, I'd need permission from an official authority to give my friend access (which I'd be unlikely to seek).

Combinations slowly spread to a wider segment of the population, but that access can be periodically revoked by resetting the combination--you have to know someone currently at MIT to know the combination.
Key access is more tightly controlled--I might tell the medical center combo to a stranger trying to get through, but I wouldn't give a stranger a key. However, because key locks are harder to change than combination locks, the group of people with access grows over time and is not easy to reset. Key cards are tightly controlled by a central authority, and access can be easily revoked to all who are not official, current members of the community. However, ironically, controlling access too tightly may sometimes result in decreased security--doors that are too frustrating to get through often simply get propped open.

The medical center door has long operated on a combination lock. Plans are in place to change it to the MIT Card in the fall. Signs protesting this change recently appeared around campus:

    MIT Card Access
    coming soon
    A joint surveillance project brought to you by
    The MIT Card Office
    Big Brother
    SPODSA
    and the Committee to Keep Alumni Off Campus

("SPODSA" evidently stands for "Secret Police of the Office of the Dean for Student Affairs.")

MIT makes an effort to include members of the broader community in a number of its activities--bridge, folk dancing, and community league softball are just a few examples. These take place in the evenings after the medical center door is locked, and many participants arrive by T. These participants are generally told the medical center combo to make it easier for them to reach campus. There are currently no plans to allow members of the broader community to get MIT Cards. While it's true they can still walk around the long way, anyone who has watched visitors stare at that locked door in frustration on a cold, rainy day knows that this will have an impact on how people feel about MIT. The efforts made by some parts of MIT to embrace the broader community will be somewhat undermined as a result. Of course it's also important to acknowledge the very real security concerns of the people who work in that building.
There is a trade-off here between openness and security. These details are not mere matters of convenience: they affect the openness of the MIT community. Key card locks generally provide increased security at the expense of decreased openness, the potential for decreased privacy, and decreased flexibility. Is this what is most desirable for the MIT community? There are multiple legitimate answers to that question. My primary concern is that no one at MIT is currently even asking these sorts of questions.

In the Spring of 1994, Professor Jerry Saltzer assigned his Computer System Engineering (6.033) class to design a new plan for the MIT Card to better respect individual privacy, using "smart card" technology. Saltzer tells the story of a student who came to him seeking additional information--she wanted to know where she could get a copy of the master plan for implementation of the card at MIT. When she was told there was no such plan, she was flabbergasted.

Graduate student Andre Dehon has pointed out that the security of the MIT Card is inadequate. While the same system is in use at a number of other universities, other universities are not MIT. MIT has a long-standing tradition of "hacking" technologies and the physical plant of the university. Dehon was easily able to decode the card's data structure, and show how it could be hacked. He presents a number of possible scenarios. For example, he describes how for $500, a fraternity could easily make a set of cards to give its members access to any building on campus accessed by The Card. (See http://www.ai.mit.edu/people/andre/mit_card/). The administration is reportedly trying to remedy these shortcomings. I believe the hacker community is up in arms against The MIT Card for aesthetic as well as practical reasons--it's perceived as so low-tech and poorly engineered that it seems an insult to an MIT sensibility.

There are a myriad of small and large issues that arise.
The broader problem is one of administrative structure: no one was initially charged with overseeing the MIT Card and the broader social and practical implications of its uses on campus. Fortunately, Dean Art Smith recognized this problem, and before retirement set into motion the process of appointing a new committee to take on this task. If the committee is given adequate resources and authority, it should be possible to resolve these issues.