Tracking tag firm exposes confidential data online

No hacking knowledge needed - simply type "confidential" into the search engine and away you go…

By Andy McCue, 8 July 2003 11:00

An organisation that plans to tag and track all manufactured goods over the internet has suffered an embarrassing security breach that exposed confidential documents on its website.

The Auto-ID Centre is a body of 100 companies and five leading research universities, including the Massachusetts Institute of Technology, which is committed to developing a global internet infrastructure that will track all objects tagged with radio frequency ID (RFID) chips.

But privacy body Consumers Against Supermarket Privacy Invasion and Numbering (Caspian) discovered a hole on the firm's web site that allows visitors to access confidential plans. These are now being taken down as the company works to fix the hole, but visitors typing "confidential" into the site's search engine were presented with 68 sensitive documents.

PowerPoint presentations accessed by Caspian discuss the need to "pacify" opposition to the tagging of every item manufactured, while confidential survey results showed 78 per cent of people are worried about the privacy implications of RFID tags and 61 per cent are concerned about health implications of the chips.

In another document, the Auto-ID Centre's public relations company Fleischman-Hillard also suggests a change of name to a more consumer-friendly "green tags" in an attempt to reassure shoppers. Board meeting minutes and contact details of senior executives were also accessible.

Katherine Albrecht, founder and director of Caspian, said in a statement that the privacy organisation first stumbled across the hole in March.

She said: "How can we trust these people with securing sensitive consumer information if they can't even secure their own website?"

Phil Cracknell, an independent security consultant working in the government and finance sectors, told silicon.com it is a problem that is occurring more often as organisations move to store all data in central repositories.

He said: "It is a clear example of one of the dangers when organisations centralise their data for both public and private access. It is an example of failure to apply proper security policies that look at the source requesting that data and say 'is it internal or is it external'."

The Auto-ID Centre is currently unavailable for comment.
