Zum deutschen Text gehts hier lang.

Fans are to be spied upon

How will RFID be used at the World Cup?

How are RFIDs in the tickets being justified?

What data are being collected?

A Special Case: Passport Numbers

Who will get access to the data collected?

How will it go on after the World Cup?

Who is paying for all this?

What can I do against being spied out through RFID in the world championship tickets?

Our demands

Since 1 February 2005 fans can order the RFID-bugged tickets for the FIFA World Cup. Far too much data is being collected – processing ID-card numbers for example isn't even legal. Quite notably, even the question of who will get the data afterwards is not clearly answered, even on request. Scandalous behaviour, properly speaking, but since fans eagerly want to get at the tickets, the German Federal Football Association (DFB) and FIFA can more or less do whatever they want. Only after a widely recognised press release from the FoeBuD did the relevant authority, the Regional Presidency of Darmstadt, publicise a handful of details. On these pages we collect everything we can find out. What you can do yourself can be read further down. More details about the radio and reading technology employed can be found in our FAQ.

Especially for RFID technology, the world championship will serve as the flying lane. It hasn’t been really possible to convince the German citizens of how they would personally be profiting from the spychips, as yet. For the time being, scepticism and concerns prevail. This makes the World Cup an ideal platform: One can take advantage of the fear of hooligans to sell RFID as “security technology”. And fans’ wishes to be there "live" will almost surely be greater than concerns about being spied out.

Fans are to be spied upon

And spying out the fans is what this technology is all about. This is what Helmut Baeumler, former Data Protection Officer of the federal state of Schleswig-Holstein, said already some months ago in an interview with German TV network ARD: “It isn’t about who has the ticket so much, the ticket itself is not important. It is which person is in the stadium what one wants to find out. And as much as I understand that one wants to recognise and ward off hooligans in time, here one can see what this technology leads to, namely, surveillance of people.”

The danger of this: If the fans don’t defend themselves against this, the RFID lobby in the future will advertise with the slogan: “Football fans have nothing against RFID.”

How will RFID be used at the World Cup?

Every entrance ticket will contain an RFID chip. These chips will contain, according to what the speaker of the German Federal Data Protection Officer, Peter Buettgen, said towards news agency ddp, only "serial and customer’s number, but no information on personal data." However, in the same article he is reported by press agency ddp as saying: "To have the last four digits [of the applicant’s passport number] would be totally sufficient." So the last word on this has not yet been spoken. The radio transmission of the data would be encrypted, anyway, he added.

It is to be expected that RFID chips with the common standard ISO 14443 will be used. From what range these chips can be read out depends on the strength of the antenna in the reading device. Officials still do go on saying that the reading range is only three to five inches (ten to fifteen centimetres), in order to play down the dangers of being spied upon. This is wrong! With chips of ISO 14443 experts speak of maximum reading ranges of about five feet, or 1.7 metres (in 2004) – how else would theft protection be expected to work efficiently?

So is it ignorance or cover-up tactics when it is said time and again that fans would have to hold their tickets “against a reading device” at the entrance? They are also readable through buttoned-up coats… In any case it was once said that one wanted to speed up entrance procedures with this. But since there will still have to be passport controls – if only spot checks – the time saving factor, which once was one of the top arguments for the introduction of RFID, will be rather limited. For some time now this argument has not been uttered any more.

How are RFIDs in the tickets being justified?

Supposedly RFID tagged tickets are forgery proof. – No, they’re not, forging them will only be a little more expensive.

Supposedly one wants to "personalise" the tickets through them, i.e. trace back every ticket to a specific person. (In former times one would simply have printed the name of the owner on them. Why isn’t that sufficient any more nowadays?) For this the fans have to fill out a rather detailed questionnaire on the internet that asks personal data – and more of them than would seem necessary at first sight (see below).

Supposedly "personalising" the tickets is to prevent black marketing. Also, one wants to keep hooligans and other kinds of blackguards and rioters out of the stadiums, said head of the ticket-division of the organising committee, Juergen Domscheidt, at a meeting of the security tickets industry (according to German daily newspaper “tageszeitung”, also known as “taz”). How exactly this is going to go has not yet been made known.

No spychip can prevent brawls, scuffles, or fights.

Instead it will be so, as the Regional Presidency of Darmstadt comfirmed, that the ticket data will be compared with the stadiums’ databases of banned individuals. We assume that also the police’s database "Gewalttater Sport" will be attached. So, in the simplest case the RFID chip in the ticket of such a suspicious person will stop the turnstile, but according to the RP of Darmstadt (the DFB does not mention this passage in its otherwise partially word-identical data protection statements) the reading devices can also be tuned in such a way "that the personnel employed by the DFB (or their servicers [i.e. private security firms]) can at the same time read the personal data of the respective person and compare them with the passport presented." For reasons of simplicity the ticket could also set off an alert when it is being scanned, along the lines of "Caution, person XY is entering the stadium."

During the World Cup, Darmstadt confirms, this data base will be infinitely supplemented, e.g. through registration of fans who "make themselves suspicious of violence during the World Cup matches." The more reading devices will be installed, the more detailed this information will be. Also information like "Person XY has been standing in the same block as person ZA, who fired a flare at the field" etc. will become thinkable, dependent on the number of reading devices placed in the stadiums. And all this without person XY noticing at all that he has been scanned by an antenna, or getting information about this, or being able to take any influence when being denied access to a game.

What data are being collected?

Data will presumably be collected in at least two places: For one, through the questionnaire for application for a ticket (see above), secondly, directly in the stadiums. As yet, there is only talk of “entrance controls”, where the ticket-spychips will be read out. If there will be reading devices also in other places (e.g. at every block), or whether even the security services and personnel will be equipped with mobile (handheld) reading devices is at the moment probably only known to the organising committee. The more readers there are, the more detailed the personal profiles will be.

The questionnaire at beginning of sales on 1 Feb. requires the following data:

• First and last name
• Postal address: Street, number, place and country (postal code is optional)
• Date of birth
• Nationality
• Number of ID-card or passport (for our criticism of this see below)
• Telephone number (optional)
• Fan of which national team (here one can state "neutral")
• E-mail address (should be optional, according to RP Darmstadt, but turned out to be a requirement!)
• Matche(s) applied for, price-category of ticket(s)
• Bank- or credit card data
• Additional applications in the name of other people
• Contrary to former information a fax number is no longer required.

We wonder. For what does one need the date of birth in an application for a football ticket? For what does one need the number of an ID card or a passport? Why telephone number and favourite team? All of this are data which are of considerable value for the advertising industry, but we can’t see their use for the issue of the entrance tickets.Again: If one wants to "personalise" tickets, why not simply print a name on them?

Also: If one applies for (additional) tickets for other people, the last question asks for the personal data of them – which requires an explicit consent of the people concerned for passing on their personal data. How this will be checked and made feasible through the internet without opening doors to misuse has yet to be found out.

A Special Case: Passport Numbers

Persistently one hears rumours that the chips probably will contain the passport number of the ticket-owner, i.e. not just any old encrypted sign code which would make sense only with a data base behind it. The relevant data protection authorities have by now disclaimed this. The speaker of the Federal Data Protection Officer, Peter Buettgen, said towards ddp that "the last four digits [of the passport number] will be absolutely sufficient" – so there is still talk of storing of passport numbers. Heightened scepticism in this point is in order, because:

Already about asking the passport number through the internet there has been a shower of criticism. Renate Hillenbrand-Beck from the Regional Presidency of Darmstadt wrote about this on 25 January 2005: "The gathering of complete passport numbers as requested by security authorities is yet accompanied by a question mark. About this the Federal Data Protection Officer will seek consultations with the Federal Ministry of the Interior." But in the questionnaire that was launched on February 1 the passport number is not at all indicated with a question mark but with an *asterisk* for "required information." Maliciously speaking: The authorities are still consulting, but the industry can meanwhile go ahead…??

Who will get access to the data collected?

Good question.

We don’t know. Who is it, actually, that runs this so-called security technology? The individual stadiums? From the letter from the Regional Presidency of Darmstadt we assume that at least the DFB (German Football Association) and FIFA will have access to the data. Who else? Presumably the private security service(s) that have been commissioned. "FIFA is the chief organiser of the World Cup but the ticket sales will be organised by the DFB (through the Organising Committee). So it is the DFB who is the contract partner responsible," writes the Regional Presidency of Darmstadt. What contracts on sharing of data have been made with FIFA or others is not known to us. Among the members of the Board of Directors of said Organisation Committee, incidentally, was also the former German Minister of the Interior, Otto Schily, who of course had to step down to make way for the new Minister, Wolfgang Schäuble. So, could it be that also the police or the Ministry will get access to the data? – Asking maliciously: The data will be available to everyone who would like to take a peep?

German newspaper “Tageszeitung” (also known as “taz”) cites minister Schily in connection with the World Cup tickets in an article from January 21: “We will set up … a national office where all information and analyses of the relevant national and international security authorities will come together and be coordinated. From this information arise images of the national situation which will be made accessible to all involved.”

All.

The data will thus be shared first of all with all participating "countries" – what ever this may mean: Security services? Governments? Apart from this perhaps also at least with the sponsors (if one has ticked one’s consent in the relevant place in the application form). The press spokesman of the organising committee, Gerd Graus, is cited by silicon.de as saying: "Data will only be shared with state institutions, and only if they have sufficient legal provisions. Further sharing will, of course, only take place with the consent of the ticket-buyer."

But according to data protection laws one has to prove one’s legitimate interest in gaining insight into the data bases. And which interests are deemed “legitimate” is laid down in the “Terms and Conditions” (Allgemeine Geschaeftsbedingungen / AGB), which have been made public only at the start of ticket-sales – and which no one will read, anyway, if he wants to be the first to apply…

How will it go on after the World Cup?

Here also we have to say: We don’t know.

But what is clear is that it will go on. Already now a number of stadiums, among them the “Arena Auf Schalke” in Gelsenkirchen, the "Gottlieb-Daimler-Stadion" in Stuttgart and the "Fritz-Walter-Stadion" in Kaiserslautern, are using RFID in their entrance tickets. (Source: FIFA) And of course, so says the DFB, the technology in the stadiums will not be dismantled but extended afterwards.

As yet there is no official statement about whether the ticket- and spectator-databases will be deleted after the World Cup!

In the middle or long run there will be no RFID-less soccer games at all anymore.

World Cup matches, and that also means “RFID first equipments”, will be in the following stadiums:

• Munich
• Nuremberg
• Stuttgart
• Berlin (the "Olympiastadion", according to information of the Netzzeitung were to be equipped with the necessary turnstiles and reading devices already for the 2005 season. Security personnel was supposed to go through the stands with handheld readers, Ingo Schiller, director of Berlin club Hertha BSC, is reported as saying. But they would be used "only to a limited extent" for surveillance purposes, he added. Whether this plans have been carried trough in time, we don't know.)
• Hamburg
• Hanover
• Kaiserslauten
• Gelsenkirchen (where RFIDs are already used in the tickets. In the "terms and conditions" of ticket vendor "Ticket und Secure (T&S)" it says: "T&S reserves the right share data with third parties, who have been commissioned by T&S to carry out the ticket sales, insofar as this measure is prerequisite to fulfilling the contract. T&S furthermore reserves the right, as long as there is no objection of the customer, to collect, use and process the data collected from the customer for advertising, market research on behalf of T&S and the design of the services of T&S.")
• Dortmund
• Cologne
• Leipzig
• Frankfurt/M.

The organising committee has announced that it will hand over the ticketing system to the "Deutscher Fussballbund (DFB)", the German Federal Football Association, after the Championships. However, the speaker of the Federal Data Protection Officer, Peter Buettgen, in newspaper "Rheinische Post" voices doubts about the appropriateness of RFID-enabled tickets for normal first league (Bundesliga) matches. "Considering the importance of the World Cup, they may well be in order there. But they should not be used in regular Bundesliga matches." Nonetheless:

According to Netzeitung also the “Volkwagen-Arena” in Wolfsburg, which isn’t taking part in the World Cup, is installing RFID based entrance controls. Uwe Kaempfe, head of the ticket department at football club VFL Wolfsburg, is in raptures, according to this article, about "total control from point of sale to entering the stadium": The stadium owners could see exactly who is passing which turnstile when. Plans are, apart from this, that fans could pay without cash through the RFID tickets, the amount would then simply be withdrawn from their bank accounts. Curiously enough, advocates of RFID tickets at the same time try to soothe critics by saying that a see-through fan were impossible because the tickets (especially those for the World Cup) would be thrown away directly by the fans. Our advice: take good care of where you dispose of it, so as not to give someone else an opportunity to stand the whole stadium a round at your expense…

Who is paying for all this?

The RFID-equipped tickets will probably cost 20 to 30 Euro-Cents more than without (in the autumn of 2004 the cost of one RFID was at ca. 50 ct. per piece, but prices are dropping continuously). But since they don’t have to be posted as insured mail any more, as they can quickly be blocked when they get lost or stolen, the individual cost of the chips will very soon get levelled. Said press spokesman Gerd Gaus from the organisation committee towards silicon.de. Installing the technology, according to him, will have to be paid for by the individual stadiums.

It is not yet known who will be manufacturing the chips for the tickets. But: Philips is one of the sponsors of the World Cup...

What can I do against being spied out through RFID in the world championship tickets?

If you don’t want your personal data to be collected, you shouldn’t have yourself be registered. ... But of course this is no real alternative, for the simple formula is: "No data – no ticket!" Millions of people have applied for tickets. Most of them have been left empty-handed. But anyway their data are still at large.

Now the first issue is to keep the potential of surveillance through RFID as low as at all possible.

As long as the FIFA cannot explain that and why security in the stadiums can’t be kept up without RFID, there is no reason for employment of spychips!

Reading devices must – if at all – only be placed at the entrances to the stadiums. All others (for example those installed to track fans within the stadium) have to be shut down! Fans have to get information after the match about the data they left behind and need to be empowered to demand deletion of them. They must be able to rely even on sponsors not to further process the data obtained.

Is it written anywhere that one will only be let into the stadiums with the RFID chip intact? You might protect your ticket against unwanted readings by keeping it in your pocket in a metal box. Thus no antenna would have a chance and you would regain control about being registered only when you consent to be. And anyway: Should your chip be defect when you want to enter the stadium, demand to be let in anyway. You have paid for your ticket, after all!

Write to the data protection officials of the German Federal States and the Federal Government to take care of the use of RFID at the World Cup!

It is a little complicated at times to find out the exact competencies and areas of jurisdiction, but in general the individual offices will forward your letters and requests to the appropriate stations. An example: The DFB, the German Federal Football Association, is located in Frankfurt. That is in the state of Hessen. The Hessen data protection officer, Prof Michael Ronellenfitsch (contact see below), told a reader of STOPRFID that he himself is concerned only with data protection questions that have to do with the public administration, and that he therefore has passed on this reader's request to the appropriate body, i.e. in this case the Regional Presidency of Darmstadt. This letter, then, has reached its destination and therefore has been worth while! The authorities have to be notified that the fans do not want to be spied upon!

The stadiums, however, are located also in other states than Hessen, that means that the respective authorities of those states are the first addresses – if not for the distribution of the tickets then perhaps for the authorisation of deployment of antennas at the stadiums? These authorities are:

• Berlin: Dr Alexander Dix
• Hamburg: Hartmut Lubomierski
• Baden-Wuerttemberg: Peter Zimmermann
• Bayern: Reinhard Vetter is in retirement as of November 12 2005, and as yet there is no successor named. But somebody is going to read the mails...
• Niedersachsen: Burckhard Nedden
• Rheinland-Pfalz: Prof Dr Walter Rudolf
• Sachsen: Andreas Schurig
• Nordrhein-Westfalen: Bettina Sokol
• Hessen: Prof Dr Michael Ronellenfitsch, but he points to the Darmstadt data protection authority: Aufsichtsbehoerde für den Datenschutz, Regierungspraesidium, Luisenplatz 2, D-64278 Darmstadt. The contact person there is Renate Hillenbrand-Beck.

Our demands:

• Football-tickets without RFID-spychips!
• No collection of unnecessary data (e.g. date of birth) of stadium visitors, not through questionnaires and not via an antenna!
• No storage and sharing of the data collected with other countries and the sponsors! The application data must only be used for working out the applications and have to be destroyed directly after issue of the tickets!
• Even if the World Cup will not yet afford the technical structures for complete surveillance we, as before, demand that the RFID chips, which can be read out from a distance, must not be integrated in the tickets!
• The questions in the application form must be reduced to the absolute minimum (see above)!
• Passport data must not be collected or used in any place!
• The data must not be shared beyond the absolutely necessary processing!
• With scoring of the final World Cup goal the 40 million sets of data must be irretrievably deleted!

Links:

Homepage of the organisation “Aktive Fussball-Fans (BAFF)”