Tracking people at railway stations and ultrasonic concert tickets (2)
This three-part post highlights two (new) technologies that may have an invisible impact on (y)our privacy. The first part was about Wifi and Bluetooth tracking at railway stations in The Netherlands. This second part shows a new technique to perform (concert) ticket registration using ultrasonic sound. In the final part, I will give my insights on these techniques, potential impact on personal privacy, and measures to prevent or minimise that impact.
Ultrasonic concert tickets
In July 2017, technology website Tweakers.net published a news article about Ticketmaster introducing a new method of verifying (concert) tickets through ultrasonic sound. This is an addition to the various methods for admitting visitors to concert venues, theatres, etc., such as Near Field Communication (NFC; the same technology that is used in, e.g., Dutch payment cards) or Radio Frequency IDentification (RFID; think of building access cards). Whereas NFC and RFID work in a similar way to an FM radio, this Smart Tone technology works within the theoretical audible range of the human ear (20 Hz – 20 000 Hz): between 18 750 Hz and 19 200 Hz.
The exact implementation of these ‘ultrasonic’ tones is (of course) proprietary technology; in this case of LISNR. They claim that NFC “has stopped gaining traction worldwide” due to various reasons (“hardware costs, fragmentation, and security issues”) and that their technology is a “more secure data transferring platform”. Whether or not these claims are valid, the notion of transferring data without the need of device pairing or a data infrastructure, such as Wifi or internet connectivity, does open up new forms of ‘local communication’.
One potential use case of local communication, as mentioned by VentureBeat, could be a way to track visitors throughout a venue, perhaps offer them a personalised experience at different places. Although Ticketmaster stated that they do not have plans to introduce such systems, one can imagine that the existence of such technology automatically means that, at some point, it will be introduced.
Nevertheless, a potential threat for this platform is its key communication channel: the air. Wireless communication protocols are far easier to eavesdrop on than their wired equivalents. With a directional microphone and a recording device (or even an off-the-shelf smartphone), communication between two devices using the LISNR protocol can be intercepted and saved for later analysis.
LISNR says the following about their “Smart Tone Ticketing”: “Offline authentication: With Smart Tones, encoding and decoding happens locally – no traditional connectivity or device pairing needed. And because LISNR is a closed communication protocol capable of wrapping standard encryption standards of other protocols, it results in the most secure mobile ticketing authentication possible.”
Kerckhoffs’s principle states that “[A cryptosystem] should not require secrecy, and it should not be a problem if it falls into enemy hands.” The closed communication protocol that LISNR uses is probably a bad idea. The frequency range they use is easily accessible[1] and they may not have thought of verifying the security of their closed protocol.
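How accessible that range is can be shown with a few lines of Python: an ordinary 44.1 kHz recording already covers it, and a Goertzel filter can report whether a recording carries energy between 18 750 Hz and 19 200 Hz. This is an added example, not code from LISNR, Ticketmaster or the original post; the reference band, the threshold and the sample signal are assumptions constructed for the illustration, and it detects presence only without decoding anything.

```python
import math

SAMPLE_RATE = 44_100          # common recording rate; its Nyquist limit is 22 050 Hz
FRAME = 882                   # 20 ms per frame, so probe bins are 50 Hz apart
BAND = (18_750, 19_200)       # frequency range quoted in the article
REFERENCE = (16_000, 16_450)  # assumption: equally wide band used as noise floor


def goertzel_power(frame, freq):
    """Power of one Hann-windowed frame at a single frequency (Goertzel)."""
    n = len(frame)
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for i, x in enumerate(frame):
        w = 0.5 - 0.5 * math.cos(2.0 * math.pi * i / (n - 1))  # Hann window
        s1, s2 = w * x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def band_power(samples, band):
    """Mean per-frame power summed over 50 Hz probes across `band`."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    probes = range(band[0], band[1] + 1, 50)
    total = sum(goertzel_power(f, hz) for f in frames for hz in probes)
    return total / max(len(frames), 1)


def band_ratio_db(samples):
    """Power in BAND relative to REFERENCE, in dB."""
    eps = 1e-12  # floor so that silence gives 0 dB instead of log(0)
    return 10.0 * math.log10((band_power(samples, BAND) + eps)
                             / (band_power(samples, REFERENCE) + eps))


def has_near_ultrasonic_signal(samples, threshold_db=15.0):
    """True when BAND exceeds the reference band by at least threshold_db."""
    return band_ratio_db(samples) >= threshold_db


def constructed_recording(tone_hz=None, millis=200):
    """Constructed sample input: a 440 Hz note plus an optional faint high tone."""
    out = []
    for i in range(SAMPLE_RATE * millis // 1000):
        v = 0.5 * math.sin(2.0 * math.pi * 440 * i / SAMPLE_RATE)
        if tone_hz:
            v += 0.05 * math.sin(2.0 * math.pi * tone_hz * i / SAMPLE_RATE)
        out.append(v)
    return out
```

On the constructed input, a tone ten times fainter than the 440 Hz note still stands far above the reference band, while the note alone leaves both bands at the floor.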
In the following video that was used as a pitch for the Cannes Lions festival in 2017, LISNR states that their protocol can embed practically any data. This aspect, I think, can be a recipe for disaster when an “evil attendee” can broadcast messages that look legitimate.
*
In the next and final part of this series, I will reflect on these ‘audible’ tickets and Wifi tracking on train stations. I will give pros and cons regarding these new technologies in terms of (personal) privacy and try to find a (reasonable) balance between protecting privacy on the one hand, and comfort offered on the other hand.
-
[1] The device needed for interception is practically in everyone’s pocket: a smartphone. By comparison, intercepting another wireless communication protocol such as GSM requires more specialised devices (although Software Defined Radios, which can be tuned to an arbitrary frequency through software, have become rather cheap as well; I just found out that you can buy such a device that plugs into your smartphone for less than €15).