On behalf of the "Unpicking PLAID" research team, I would like to point out that our response to this report is available from:
This response expresses our viewpoint on that report, rectifying some misrepresented facts and countering false allegations. In particular (but not limited to):
1) The author(s) of the report seem to consistently confuse the mere lack of known attacks with a proof of security.
2) They argue about a lack of a formal definition of privacy in our work and digress into musing about an Oxford dictionary definition of privacy. Our paper, however, allows the reader to easily infer what our attacks against the ISO standard achieve: tracing cards across executions, and identifying the supported key set of a card. None of these attacks should be possible according to PLAID's own claims of privacy.
3) They try to minimise the impact of our attacks, based on the availability of CPLC data, implying that CPLC data is anyway always available even in privacy-sensitive scenarios - which is incorrect. Furthermore, they completely ignore our fingerprinting attack on key sets, and focus only on the RSA fingerprinting attack.
4) They credit us for claims which we never made, and misrepresent the timeline and references in our paper.
Finally, we wish to remark that the personal email correspondence with Professors Fischlin and Paterson, linked to in Annex A of the project editor's report, was published without their consent.
We consider the situation to be self-explanatory, and encourage readers to draw their own conclusions.
The "Unpicking PLAID" team.