John Gilmore's proposal: Test hotel card keys for personal info [priv]

[Declan McCullagh <declan () well com>]

---

To: cryptography () toad com, gnu () toad com
cc: declan () well com
Subject: [Politech] Hoax debunked: Hotel card keys store sensitive personal
 info
Date: Wed, 29 Oct 2003 23:21:33 -0800
From: John Gilmore <gnu () toad com>

I think Declan missed the story here, by calling this an urban legend.
We now have denials that "sensitive" personal information is stored in
hotel card-keys.  The question is what "non-sensitive" personal
information is stored in them, and why.  The stories referenced below
quote one hotel chain that "only" your name, room number, arrival and
departure dates are on their cards.  Oh, and that there are other
fields that might have contained home addresses and/or credit card
numbers "in years past", but now clerks are instructed not to fill
them in on the screen any more.  Surely this factoid makes us feel
much more comfortable.

Hmm.  If I rewrote a card with someone else's room number, or a later
departure date, would the door open for me when it's supposed to lock?

And what, if any, records are kept whenever you enter or exit your
hotel room?  E.g. is every coming and going recorded on a PC somewhere
in the hotel?  Or stored in flash memory in the door itself, and
periodically dumped to somewhere?  Can the hotel tell my key from my
roommate's key?  What happens to these records?  Are any of them on
the Internet?  Can the police look at them without a warrant, the way
they look over hotel checkin/out registers (and hotel-xeroxed copies
of their guests's ID cards)?  When, if ever, are they destroyed?  Or
are they kept forever for market research (e.g. "12% of hotel guests
never left the room except to check out, and 37% of those guests
phoned their home area code from the room")?

If there's central validation of the cards, then there's no need to
put anything but a random number on the card.  The PC that decides
whether to open the door would only need to know which card number had
been issued to the current guest in that room, and whether that guest
has already checked out.  Putting names and dates on the card *is* a
useless privacy leak, and would be particularly egregious if that info
gets logged with each use.  And putting room numbers (with or without
departure dates) on the card means that someone who finds a card can
easily know which door to try it in.  This is particularly bad if you
dropped the card somewhere, and your luggage is still in the room --
or if you yourself are in the room when your attacker returns
and comes in using your lost card.  The only supposed advantage
FOR GUESTS of card-keys over ordinary keys is that lost keys don't
lead the finder to your vulnerable room.

(I am presuming that any "encryption" on these cards (mentioned in the
web pages referenced below) is snake oil -- but that would be useful
to verify as well.)

Cypherpunks/cryptography-ers must visit a fair number of hotels over time;
anybody got a good cheap source for USB barcode readers and free
interface software?  Do we have a volunteer to read a few hundred such
cards from various people who'd stayed in various hotels?  That would
put the cat of facts among the pigeons of rumor and spin.

        John

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)