Risk Analysis of Tracking Adults at Trade Shows Report

The trade exhibition industry market has experienced drastic changes in the last decades. Firms are now using advanced data management systems to improve the visibility of events during trade fairs to boost their growth rate and profitability. RFID allows marketers to track attendees’ movement and purchasing behaviors, consequently improving the fairs’ visibility. However, these systems pose significant data privacy and security risks. This paper presents a comprehensive risk analysis report of an event management system that uses RFID technology to improve user experiences.

Trade Shows

Trade shows provide platforms where companies and businesses within the same industry present or showcase their products to consumers. Organizations can use trade fairs to communicate with actual or potential customers and establish business relationships. Attendees visit the designated location to view the expositions or exhibits made by multiple exhibitors. Some trade shows limit the attendees to industry professionals, while others allow the general public to attend.

Type of Private Information Collected during the Expo

Marketers can use RFID to collect information on:

• Attendees’ movements and interactions
• Credit card information
• Attendees’ motives
• Social media profile/ID cards
• Event information

Maintaining tangible return on investments (ROI) is extremely challenging due to the invisibility of what is happening during the event. Hundreds of attendees can walk in and out of the booths at any given time, making it difficult to determine the event’s actual market value. However, data management tools such as RFID have helped businesses accurately identify the total number of attendees during the trade show (“RFID At trade shows,” n.d.). RFID collects data such as the volume of traffic on each floor, which activities attendees participated in, and the type of event activities conducted during each event. The information increases event visibility or establishes trends used to evaluate the trade show’s marketing value and accurately measure and improve their ROI.

Attendees Movements and Interactions

Recent technological advances currently facilitate the use of overhead readers to capture attendees’ movement, generating data on floor traffic patterns. These readers promote accurate data collection of more than 150 people per minute in each aisle. The overhead readers eliminate the need for physical scanning of attendees’ badges or tags. They use ultrahigh-frequency signals to read the serial number of the RFID tag worn by an attendee (Kasiri, 2021). Other event organizers install RFID devices on session/booth doors, generating real-time data. The data collected from the booths include the number of people who attended an event or visited a booth, the type of booths/sessions each attendee went to, and the period spent in these sessions.

This attendance data can help organizers determine which events were popular during the trade show.

Attendees’ Motives

RFID, embedded with tags, electronic identifiers, and reader devices, generates spatial and temporal data to create customer profiles and understand their nature through studying purchasing behaviors. Attendees come to trade shows with different motives, some with buying intentions, while others with non-buying intentions (Beqqal & Azizi, 2017). Attendees with buying objectives will place orders or request product information from suppliers. Those with non-buying intentions collect competitive intelligence, conduct professional networking, and browse. RFID can help marketers isolate and cluster these attendees to identify lead customers.

Credit Card Information

Lead capture refers to collecting information about attendees who could potentially become actual customers. Purchasing behaviors related to serious intent include the amount of time spend at a booth, purchase or inquiry for product information, interaction types, type of booths visited, and the total number of booths visited during the show (Beqqal & Azizi, 2017). Credit card information is stored when the consumer makes an actual purchase. The RFID collects this data every time an attendee swipes the tag, makes a purchase, or when they enter or leave a floor/booth. Marketers can align these characteristics to identify customers they might target or attract.

Social Media Profile/ID Cards

The RFID is also used to collect data that can predict macro trends within the market, such as a spike in a new product’s demand. It can also be used for social networking. Attendees can be prompted to swipe the RFID badges to like the organizer’s session on Facebook. The RFID will save the users’ profiles once they log in. Organizers sometimes also use the RFID badges to offer giveaways- attendees can swipe their tags, and then random badges are awarded gifts. The attendees will then be prompted to collect the gift from the sponsoring firm’s booth, which will require ID submission.

Compliance Issues

The first compliance issue refers to tracking a customer’s location without their consent. When customers own the RFID bands or own products with RFID tags, their location and addresses can be identified and recorded without their knowledge (Afolabi et al., 2015). Data privacy provides consumers with the right not to be observed without consent. Therefore, tracking consumer movement across the floor without their knowledge is a violation. The second compliance issue relates to exposing a person’s credit card information or transaction history without their knowledge (Khan et al., 2017). The law requires all entities to protect the financial information of their consumers. However, when a consumer owns an RFID tag, an active transceiver can activate a signal that will communicate with the card’s payment terminal.

Another compliance issue relates to causing injury to a consumer due to a weak data security system. “Credit Card Not Present” (CCNP) is a form of impersonation involving using a consumers’ credit card without actually using the physical card (Khan et al., 2017). The law mandates businesses that collect and use consumer data to protect their customers from such incidences (Darcy et al., 2016). However, when a firm’s security system is weak, attackers can hack the system, steal or duplicate users’ data, and use the data to commit fraud.

Thirdly, the law prohibits unfair business practices, including benefiting from consumers’ data without their consent. RFID collects information about customers’ preferences, hobbies, personal financial information, interests, and brand preferences without their knowledge. This information can be sold to third parties, such as online advertisers who later use the data to improve their advertisement targeting techniques.

Another compliance issue relates to informing consumers on the presence of RFID on purchased products. The law requires all consumers to be notified when an RFID tag is present on a product and when the tag collects user information. Failure to inform consumers of these issues can result in legal in-compliance ‌(Ahson & Ilyas, 2017). The last compliance issue is related to data custodianship or data disclosure practices. Given the nature of trade shows, it is inevitable for data to be shared among different partners or collaborators. However, the data-sharing practices pose significant data security risks, especially when one affiliate’s security system is weak. The law mandates organizations to protect consumers’ data during storage and transfer.

Privacy and Security Issues

An RFID system uses tags to collect user data, transmits the information to the backend server, and finally, a network canal that manages communication. The common RFID attacks include Denial of Service (DoS), eavesdropping, cloning, tracking, and injection. A firm’s infrastructure that depends on RFID becomes vulnerable to denial-of-service risks through radio frequency signal jamming. Attackers can destroy tags or attack backend infrastructure.

Denial of Service (DoS): Attackers can remove equipment from the RFID system, block radio signal waves, or jam the system so that a rendered service is impossible. When these interruptions occur, the communication between the reader tag and backend servers is disrupted, making service provision impossible (Beqqal & Azizi, 2017). For example, the attackers can spam a legitimate tag reader with several requests, rendering the tag out of service.

An injection attack: It happens when a malicious tag, destructive code, virus, and buffer are introduced into the company’s backend system. Injection attacks can lead to severe data shrinkage and loss of data and data integrity (Beqqal & Azizi, 2017). Loss of data and data integrity will disable the prospects of trade shows coordinators estimating the real marketing value of the trade show.

Electro-Magnetic Pulses typically renders the RFID tags vulnerable to destruction. A mere discharge from a disposable camera discharge can destroy the RFID tag. If the attackers are present at the trade show, service provision will be disrupted, affecting the exhibitor’s prospect of reaching the goals.

Eavesdropping: Attackers can use RFID chips or spy chips to eavesdrop or read information by intercepting communication between a tag reader and the backend server (Zhao et al., 2020). The interception allows the attacker to record any exchanges between a tag reader and servers.

Cloning and ID theft: Some tags can be duplicated at a distance without the tag owner’s knowledge. This issue is significant considering that attendees link their credit cards to the RFID tag (Wei et al., 2015). Other information that can be stolen includes ID cards and RFID passports, presenting serious impersonation risks (Beqqal & Azizi, 2017). This attack is made possible by reverse engineering techniques that retrieve, modify, and duplicate cart properties such as secret keys.

Privacy Risks

Illicit tracking: It occurs when a tag owner’s location and address are accessed by unauthorized persons. Attackers can also use RFID chips or spy chips to listen to user conversations without their knowledge (Wei et al., 2015). It is also possible to collect private financial data, including the social security number, if a tagged product was paid for with a credit card or loyalty card. As long as the attacker’s tag reader is in range, information on an individual’s movement and presence will be available to the attacker.

Legislations

The U.S. Federal Trade Commission (FTC) requires all firms to deliver their promises to safeguard consumer data privacy and security. Section 5 prohibits any unfair and deceptive acts in the business, including using consumers’ data to make profits without their consent (“Privacy and security enforcement,” n.d.). The legislation can induce legal action against any organization that violates the privacy of its consumers. Title III of the Electronic Communications Privacy Act prohibits any intentional interception of oral or electronic communication. It states that “anyone who intercepts electronic communication will be held in violation of it as if proper consent has not been obtained.” It also covers civil penalties for disclosing a consumer’s private information (Edgar & Manz, 2017). The Organization for Economic Co-operation and Development (OECD) privacy guidelines mandate all businesses to disclose technical specifications and use of RFID tags (Phillips, 2018). The legislation requires all consumers to be informed of any product containing an RFID tag reader or when their information is being tracked. The business can inform the public of their intent of use through their policies and practices.

Recommendations/Best Practices

People

Marketers and event organizers need to have a unified view on how to deal with consumer data before any lead capture is acquired. Staff should be trained on data privacy to improve compliance. Disclosing to consumers’ data collection practices will increase their trust in a firm and willingness to share private and sensitive information (Martin & Murphy, 2016). Therefore, all event attendees should be notified of products with RFID tags and data collection intent.

Technology

If the company chooses to procure the system from third parties, it should ensure that the contract/alliance/collaboration upholds data safety practices. The following techniques can be adopted to improve the internal security system (Beqqal & Azizi, 2017):

• Protocol Added Schemes- This technique involves integrating a new coding scheme inside the RFID tag to create specific communication protocols. This way, attackers cannot intercept communication or access network tags.
• Tag Killing- This method involves destroying or detaching a tag’s content immediately after a product leaves the store. This technique will reduce privacy risks by eliminating the likelihood of attackers tracking consumers illicitly.
• The XOR encryption- This technique counters skimming and eavesdropping using a randomized protocol method and algorithms to encrypt communication operations.
• Blocker Tag- This technique creates an inductive field that blocks suspicious tag readers from entering the RFID system. Many tag IDs are generated to hide and shield the actual tag, making it difficult for attackers to capture the accurate tag’s signal.
• Firewalls- Firewalls can protect the organization’s database and RFID database, preventing data integrity loss.

Processes

The company should analyze its business operations to weigh the systems’ benefits and harms before implementation. The business analysis should also include documentation, policy, and best practice analysis. The company should consider access controls, surface controls (the surface where the RFID device will be attached), maintenance costs, data storage types to ensure the selected RFID tag is appropriate for the company.

Policies

It should establish and enforce data protection policies throughout the lifecycle of collected data; this includes data collection, processing, analysis, storage, and destruction. The policy should cover unlawful disclosure, data losses, storage, and sharing (Martin & Murphy, 2016). The guidelines should be periodically reviewed and updated to ensure that their practices accurately align with legal regulations.

Conclusion/Summary

RFID systems can be used for numerous reasons in trade shows, including lead capture, increasing event visibility to capture actual event’s marketing value. The data captured during the trade show include attendees’ movements and interactions, credit card information, attendees’ motives, social media profile/ID cards, and event information. However, these systems pose compliance issues regarding data sharing practices, failure to inform attendees on RFID tag presence, and tracking and collecting user data without their knowledge. The privacy and security risks include eavesdropping, cloning/id theft, injection (hacking), and DoS. These issues can be resolved by ramping the internal infrastructure and protocol security and aligning business practices and compliance with regulatory requirements.

References

Afolabi, A., Atayero, A. A., Ajayi, P., & Wogu, I. A. P. (2015). Implementation of biometric RFID identification system: A case study of Covenant University.2nd Covenant University Conference on African Development Issues (CU-ICADI), Africa Leadership Development Center – Covenant University, Ota, Nigeria, 11–13 May. Ogun: Covenant University publishing. Web.

Ahson, S. A., & Ilyas, M. (2017). RFID handbook: Applications, technology, security, and privacy. Taylor & Francis Group.

Beqqal, M. E., & Azizi, M. (2017). Review on security issues in RFID systems. Advances in Science, Technology and Engineering Systems Journal,2(6), 194–202. Web.

Darcy, P., Pupunwiwat, P. & Stantic, B. (2016). The challenges and issues facing the deployment of RFID technology. In Falk, E. (Ed.), Deploying RFID (pp. 1–26). Scitus Academics LLC.

Edgar, T. W., & Manz, D. O. (2017). Research methods for cyber security (1^st ed.). Elsevier.

Freiwald, S. (2018). At the privacy vanguard: California’s Electronic Communications Privacy Act (CalECPA).Berkeley Technology Law Journal, 33, 131–176. Web.

Khan, M. A. A., Qureshi, A. A. S., & Farooqui, M. (2017). Double security of RFID credit cards.International Journal of Computer Sciences and Engineering, 5(5), 42–46. Web.

Kasiri, N. (2021). RFID applications in retail. IntechOpen. Web.

Martin, K. D., & Murphy, P. E. (2016). The role of data privacy in marketing. Journal of the Academy of Marketing Science, 45(2), 135–155. Web.

Phillips, M. (2018). International data-sharing norms: From the OECD to the General Data Protection Regulation (GDPR).Human genetics, 137, 575–582. Web.

Privacy and security enforcement. Federal Trade Commission. n.d. Web.

RFID At trade shows. (n.d.). Universal RFID. Web.

Tafesse, W., & Skallerud, K. (2017). A systematic review of the trade show marketing literature: 1980–2014. Industrial Marketing Management, 63, 18–30. Web.

Wei, C. H., Hwang, M. S., & Chin, A. Y. H. (2015). Security analysis of an enhanced mobile agent device for RFID privacy protection. IETE Technical Review, 32(3), 183–187. Web.

Zhao, B. Q., Wang, H. M., & Liu, P. (2020). Safeguarding RFID wireless communication against proactive eavesdropping.IEEE Internet of Things Journal, 7(12), 11587-11600. Web.