Imagine a future in which your every belonging is marked with a unique number identifiable with the swipe of a scanner, where the location of your car is always pinpoint-able and where signal-emitting microchips storing personal information are implanted beneath your skin or embedded in your inner organs.

This is the possible future of radio frequency identification (RFID), a technology whose application has so far been limited largely to supply-chain management (enabling companies, for example, to keep track of the quantity of a given product they have in stock) but is now being experimented with for passport tracking, among other things. RFID is set to be applied in a whole range of consumer settings. Already being tested in products as innocuous as shampoo, lip balm, razor blades, clothing and cream cheese, RFID-enabled items are promoted by retailers and marketers as the next revolution in customer convenience. Consumer advocates say this is paving the way for a nightmarish future where personal privacy is a quaint throwback.

How RFID works

There are two types of RFID tags: active and passive. When most people talk about RFID, they talk about passive tags, in which a radio frequency is sent from a transmitter to a chip or card which has no power cell per se, but uses the transmitted signal to power itself long enough to respond with a coded identifier. This numeric identifier really carries no information other than a unique number, but keyed against a database that associates that number with other data, the RFID tag's identifier can evoke all information in the database keyed to that number.

An active tag has its own internal power source and can store as well as send even more detailed information.

The RFID value chain involves three parts: the tags, the readers and the application software that powers these systems. From there, the data generated by the application software can interface with other systems used in an enterprise, or, if they obtain the information or collect it themselves, conceivably by governments or more nefarious organizations.

Where it's used today

Global companies such as Gillette, Philips, Procter & Gamble, Wal-Mart and others see huge savings to be made from the use of RFID, and there are numerous pilot projects underway which are indicating savings in supply chains as well as the ability to add value to product owner, product reseller and customer alike.

But they're just pilots, mostly. RFID is a long way from being everywhere, so far. Pharmaceutical tracking has long been held out as one of the flagship applications of RFID in the short term, yet just some 10 medications are expected to be tagged using RFID technology on a large scale in the U.S. during 2006, analysts predict. Slow roll-outs are contrasting sharply with the optimism of a year ago, when evidence suggested tripling or even quadrupling of RFID for consumer goods tracking. Why? Uncertainty over pending legislation. There is a complex mixture of federal and new state laws (in particular Florida and California) intended to combat drug theft and counterfeiting that have implications for RFID. The details are still being worked out.

Where it's likely to be used tomorrow

Depending on which analysts you believe, the market for RFID technology will represent between 1.5 and 30 billion USD by the year 2010. Analyst firm IDTechEx, which tracks the RFID industry, believes more than 585 billion tags will be delivered by 2016. Among the largest growth sectors, IDTechEx foresees the tagging of food, books, drugs, tires, tickets, secure documents (passports and visas), livestock, baggage and more.

Buses and subways in some parts of the world are being equipped with RFID readers, ready for multi-application e-tickets. These are expected to make things easier for the commuter, and help stem the fraud from the current paper-ticket system. However, the biggest problem facing rollouts of RFID for commercial micropayment tracking is apparently not technical, but involves agreeing on the fees charged by the clearing house and how credit from lost and discarded tickets will be divided.

Passport tracking

One of the highest profile uses of RFID will be passport tracking. Since the terrorist attacks of 2001, the U.S. Department of Homeland Security has wanted the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their non-visa status.

American and other passports are being developed that include RFID-based chips which allow the storage of considerable amounts of data such as fingerprints and digitized photographs. In the U.S., these passports are due to start being issued in October of 2006. Early in the development of these passports there were gaping security holes, such as the capability of being read by any reader, not just the ones at passport control (the upshot of this was that travelers carrying around RFID passports would have been openly broadcasting their identity, making it easy for wrongdoers to surreptitiously pick Americans or nationals of other participating countries out of a crowd).

Those security blunders were initially corrected by adding metal shielding to the passport cover to minimize its readability when closed, dialing back the range of the electronics and adding a special electronic protocol called Basic Access Control (or BAC). This scheme required the passport to be opened and scanned before its data could be properly interpreted by an RFID receiver. Unfortunately, in early February 2006, Dutch security experts managed to "listen in" on the communications between a prototype BAC-protected passport and a receiver and cracked the protocol. This means the international authority developing this new global passport standard may need to go back to the drawing board as of this writing, because 'bad guys' could clearly stand in line at passport control and capture passport information. Details of the Dutch hack here.

Implications for privacy seekers

RFID has clear implications for those who are worried about their privacy and safety. Some of them are obvious, and some of them are not.

- Can be read without your knowledge - Since the tags can be read without being swiped or obviously scanned (as is the case with magnetic strips or barcodes), anyone with an RFID tag reader can read the tags embedded in your clothes and other consumer products without your knowledge. For example, you could be scanned before you enter the store, just to see what you are carrying. You might then be approached by a clerk who knows what you have in your backpack or purse, and can suggest accessories or other items.

- Can be read at greater distances with a high-gain antenna - For various technical reasons, RFID reader/tag systems are designed so that distance between the tag and the reader is kept to a minimum. However, a high-gain antenna can actually read tags from much further away, leading to privacy problems. Governments or others could punch through privacy screens and keep tabs on people.

- Difficult to remove - RFID tags are hard for consumers to remove; some are very small (less than a half-millimeter square, and as thin as a sheet of paper); others may be hidden or embedded inside a product where consumers cannot see them. New technologies allow RFID tags to be printed right on a product, and these may not be removable at all.

- Disruptions if maliciously jammed - RF signals can be jammed, which could complicate everyday life if RFID tags became essential. Imagine a central bus or train station, maybe an airport, where suddenly everyone could neither be ID'd nor access their cash accounts. A single hour of jamming during morning rush over a large area could cost a large city untold millions of dollars in delayed commerce and transport. It would be worse than a mass-transit strike, and easier to repeat.

- Could be linked to a credit card number - The Universal Product Code (UPC) implemented with barcodes allows each product sold in a store to have a unique number that identifies that product. Work is proceeding on a global system of product identification that would allow each individual item to have its own number. When the item is scanned for purchase and is paid for, the RFID tag number for a particular item can be associated with the credit card number it was purchased with.

- Potential for counterfeit - If an RFID tag is being used to authenticate someone, anyone with access to an RFID reader can easily capture and fake someone else's unique numeric identifier, and therefore, in essence, their electronic 'signature'. If an RFID-tagged smartcard is used for shopping, for instance, anyone who intercepted and reverse-engineered your number, and programmed another card with it, could make charges on your account.

- Marking for crime - Even after you leave a store, any RFID devices in things you buy are still active. A thief could walk past you in the mall and know exactly what you have in your bags, marking you as a potential victim. Someone could even circle your house with an RFID scanner and pull up data on what you have in your house before robbing it. As a result, there are now discussions of "zombie" RFID tags that expire upon leaving the store and reanimate if the product is ever returned to the store and returned to the supply chain.

- Marking for violence - Military hardware and even clothing are beginning to make use of RFID tags to help track these items through supply chains. RFID is being used today by the U.S. military to track materials in Iraq and Afghanistan. Some analysts are concerned about particular items being associated with high-level officers that could trigger roadside bombs via an RFID scan of cars going by. (Thankfully, RFID tags retained close to the body can rarely be scanned. For instance, UHF tags, the kind being most widely deployed, are virtually unreadable near the body because of its high water content.)

Some have suggested that mobile phones are already as great a threat to privacy as RFID. In the case of mobile phones, information about your whereabouts and calling patterns is regularly available to your service provider, a centralized and highly regulated source of information gathering. An adversary with special-purpose equipment would also have the capability of tracking your mobile phone, but this would require significant expertise and investment. See our separate article "Cell phone hazards".

What makes RFID a more significant privacy threat than mobile phones is the fact that readers will be readily available and ubiquitously deployed. In other words, RFID readers will soon be an accepted element of everyday life, while eavesdropping equipment for mobile phones is unlikely to be.

How to thwart RFID technology

There are a few approaches you can take to thwart RFID tags ... but before you take proactive steps, note that sometimes the very absence of a tag or its signal in places it's expected could arouse suspicion. For instance, if you're carrying what is expected to be an RFID-tagged passport and your tag isn't working, say, you may invite unwanted scrutiny. Be careful which tags you choose to disrupt.

The simplest, most permanent approach to disable RFID tags is to destroy them. If you can detect them and wish to permanently render them useless, remove them and smash the small chip component with a hammer. If you're not sure whether a product you own contains a tag, consider putting it in a microwave to destroy the tag if the object is otherwise safe to be microwaved. Be careful with some plastics. Note there have been reports of RFID materials catching fire in microwaves.

If removing the tag is not practical, there are four general ways to disrupt RFID tag detection.

- Blocking - Construct a conductive foil box (even tin foil is good) around the tag. If you are concerned about RFID emissions from work badges, school IDs, new-generation driver's licenses, credit cards, and even cash in the future containing RFID tags, buy or make an RFID-proof wallet. RFID wallet project details are easy to find on the Internet.

- Jamming - Since RFID systems make use of the electromagnetic spectrum like wireless networks or cellphones, they are relatively easy to jam using a strong radio signal at the same frequency the tag operates. Although this would only be an inconvenience for consumers in stores (longer waits at the checkout), it could be disastrous in other environments where RFID is increasingly being used, like hospitals, or in military combat situations. Such jamming devices, however, would in most cases violate government regulations on radio emissions. A group of researchers in Amsterdam have theorized that a personal RFID jammer is possible (their paper is linked to from the version of this article that lives at our web site), but the device seems only theoretical at this time.

- Repeated interrogation - Active RFID tags that use a battery to increase the range of the system can be repeatedly interrogated to wear the battery down, disrupting the system.

- Popping - Generating a very strong pulse of radiation at the right frequency can cause RFID tags to resonate and break.

What strategy you should pursue depends on what RFID privacy threats you are trying to thwart and your technical expertise.
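
The "Potential for counterfeit" item above, as an added example that is not part of the original article: a simulated reader that trusts a fixed identifier accepts a replayed copy of it, while a reader that checks a keyed response to a fresh random challenge rejects the same replay. The class names, the constructed identifier `CARD-0001` and the HMAC-SHA256 scheme are assumptions chosen for illustration, not a description of any particular RFID product.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Tag that always answers with the same identifier, as the article describes."""
    def __init__(self, tag_id):
        self.tag_id = tag_id
    def respond(self, challenge):
        return self.tag_id  # the challenge plays no part in the answer

class ChallengeResponseTag:
    """Tag holding a secret key; its answer depends on the reader's challenge."""
    def __init__(self, tag_id, key):
        self.tag_id, self.key = tag_id, key
    def respond(self, challenge):
        return self.tag_id + hmac.new(self.key, challenge, hashlib.sha256).digest()

class ReplayedCapture:
    """Stands in for a copied card: it can only repeat bytes heard earlier."""
    def __init__(self, captured):
        self.captured = captured
    def respond(self, challenge):
        return self.captured

def static_reader_accepts(tag, known_ids):
    """Weak check: any device that sends a known identifier is trusted."""
    return tag.respond(secrets.token_bytes(16)) in known_ids

def cr_reader_accepts(tag, keys):
    """Hardened check: the MAC must match a challenge chosen for this read."""
    challenge = secrets.token_bytes(16)
    reply = tag.respond(challenge)
    tag_id, mac = reply[:-32], reply[-32:]
    key = keys.get(tag_id)
    if key is None:  # unknown tag or malformed (too short) reply
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

def demo():
    tag_id = b"CARD-0001"  # constructed sample identifier
    key = secrets.token_bytes(32)
    static, cr = StaticTag(tag_id), ChallengeResponseTag(tag_id, key)
    heard_static = static.respond(secrets.token_bytes(16))  # one overheard read
    heard_cr = cr.respond(secrets.token_bytes(16))           # one overheard read
    return {
        "static_genuine": static_reader_accepts(static, {tag_id}),
        "static_replay": static_reader_accepts(ReplayedCapture(heard_static), {tag_id}),
        "cr_genuine": cr_reader_accepts(cr, {tag_id: key}),
        "cr_replay": cr_reader_accepts(ReplayedCapture(heard_cr), {tag_id: key}),
    }
```

Challenge-response addresses counterfeiting only: a tag that still sends a fixed identifier in the clear, as this one does, remains trackable in the ways the other list items describe.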