Update: Justin Reese from Abstractions writes, "policy changes were implemented last night and additional changes were made this morning."
He adds, "The article was also inaccurate from the start by calling the wristbands surveillance devices in the title. They are only used to control access and don't track where users are or have been except in the case where the attendee has given explicit permission in their profiles to share with sponsors and completed a double opt-in by scanning their ID at the sponsor table (the read range is about 2"). Unless we receive a double opt-in, the ids on the wristband are never associated with a user. It is no more a surveillance device than any other conference badge. I'd appreciate a retraction of this inaccuracy and an update regarding our policies."
Reese is correct that the manufacturers design RFID chips to be read from inches; however, that doesn't mean that they can't be read from longer distances (for example, distant, directional antennas can read them at longer distances while they are being energized by a nearby reader). Likewise, the idea that users can't be identified from persistent, anonymous identifiers is incorrect.
It's a pretty good example of how a thin understanding of privacy issues in wireless technologies and statistical analysis can result in selecting authentication systems that expose users to privacy risks.
Sumana Harihareswara (previously) writes, "The Abstractions tech conference (Aug 21-23, in Pittsburgh) doesn't tell attendees this before they buy a ticket, but attendance requires you wear their wristband with an embedded tracking chip -- and that you don't take it off at night or in the shower till the conference ends. Read the rest