aubreyturner.org

July 09, 2003

RFID tags

I've been meaning to write about RFID tags since I got an email on Monday about a security hole on the Auto-ID center's website that allowed anyone to access their confidential documents. These documents related to market studies on RFID tags and how they would "pacify" consumers with regards to their "emotional" privacy fears. CASPIAN's email might be a bit breathless and overblown concerning the issue, but the documents are still somewhat damning to the industry. They have since pulled the documents (or fixed the hole), but not before Cryptome mirrored them.

For those that haven't been following the issue, an RFID tag is a small (imagine a grain of rice or smaller) passive (non-powered) microchip that emits a radio signal with a unique identifier when it is hit by a radio transmission in a certain frequency range (it varies for each device). The signal is of very low power and can only be read (at present) within a few feet (once again, this varies by device from approximately 3 to 15 feet). The idea is that these tags can be used to track inventory in stores and warehouses. If you had a case of razors, simply moving the box by an RFID scanner would tell you how many you had in the case. Stores are interested in this technology as a replacement to barcodes (both for automated checkout and for "smart shelves" that could manage inventory).

At this point you may be wondering what the big deal about all this is. After all, it's just a way of tracking products. And at present the trials are just in warehouses (with tags attached to pallets and boxes). However, the industry direction is to push the price of these tags down to less than one cent per tag so that the tags can be embedded in the product (or in its packaging). This level of tracking would be required to realize the goals of automated checkout and smart shelves.

It's at this point that people like me who worry about privacy get concerned. If the tag is not deactivated (in a way that we can trust is permanent) at the point of sale, it leads to the possibility of tracking on a scale that boggles the mind. The RFID tag is different from a bar code in that each and every RFID tag emits a unique identifier. This means that not only does the RFID tag identify the type of an object, it identifies the specific instance of that object (like a serial number). If this is linked to purchase records, it means that anyone with a scanner and access to the records could identify you and everything you have on or about your person.

Of course, the RFID people claim that they would never do this. And I think they may actually mean it. However, I don't trust that the businesses that get their hands on this technology won't abuse it in the future. Also, the RFID people claim that the tags can only be read from a short distance, so it's unlikely that you could be easily scanned. Once again, I find this unpersuasive. Most stores these days have scanners at their entrances and exits that work with the existing inventory control system. In some cases, they force you to walk though a choke-point where the scanner is only a few feet from you. It wouldn't take much to convert one of these to an RFID scanner.

Can you imagine a business that wouldn't drool over the ability to know who you are and what you're carrying when you walk into a store? While some would say that this is good, I don't agree. The potential for misuse is far too high.

Another concern is that criminals could obtain scanners and could instantly know what you're carrying if they got near you. Also, there is concern that new technology could be developed that increased the range of the scanners. The RFID industry tries to downplay this angle by saying that the power of the chips is so low that they can't be read at a distance. And it's true that the chips rely on the EM from the scanner to be activated. However, advances in technology of the receiver might someday allow for greater ranges (or even for the signal to be read through a wall). If that ever happens, and you have a houseful of RFID equipped stuff (provided they aren't premanently deactivated), a criminal could scan your house and know what you had without having to come in.

Or even if the privacy issue is ignored, the potential for wrongful harassment by "loss prevention" types is still there. Imagine if the system wasn't coded correctly (or lost data) and thought that the pair of pants you bought there last week weren't actually sold. You'd be detained by security on the way out and have to prove that you bought the pants you're wearing. If you don't think it can happen, I experienced something similar when I was in college concerning the library's security system and a textbook that I legally owned.

At this point, though, it appears that the technology is still too immature to use on store shelves. Wal-Mart, which championed bar codes in the 80's, was hot to use RFID tags, but they've cancelled a trial in one of their stores. They will now focus on warehouse operations. But this doesn't mean that they've given up. It just means that it has been delayed. And I suspect that we'll see a public relations campaign to "pacify" the public's privacy fears in the meantime.

What I find interesting is that while the industry had paid lip service to privacy concerns, they don't seem really interested in killing the RFID tag at the point of sale. They're adding a "kill" feature to some of the new chips, but they want to make you "opt-out" of using the tag, rather than having you opt-in to leaving it active. For me, I want them all dead when I leave the store, and this will be yet another hassle to deal with at checkout. They keep talking about a "smart house" concept where your pantry keeps track of the food and your washer knows the right settings for the clothes, but their own market research (which they conveniently left open for us to read) shows that people think that the concept is ridiculous. If I was prone to conspiracy theories, I'd think that they are looking for a way to spin the technology so that we'll accept keeping the tags alive. Then they would be able to implement the other tracking features that worry people like me. But that's only if I were to buy into conspiracy theories. :)

In the meantime, I'm going to keep watching this issue. If it comes to market, and I don't trust their implementation of it, I'll have to examine how to disable them myself (they say that microwaving works, but that it could set the object on fire, which would be a definite drawback). I suspect that there will come a day when we won't be able to buy an object without an RFID tag in it. We need to be vigilant to make sure that the RFID tags are handled on our terms.

Posted by Aubrey at July 9, 2003 11:56 AM | TrackBack
Comments

First time commenter, several months reader... oh wrong show...:) anyway, it is a concept that could be made to work at greater ranges. Examples are radios in the 1 watt or less range that are transmitting back from Jupiter on spacecraft. What about the Soviet built microphone in the U.S. Embassy seal - it was a hollow cavity that had microwaves bounced off it to get vibrations nearby? So turning up the broadcast signal to make the low power transmitter work at greater ranges isn't a problem. It will require picking the best frequency to work through the air, at some selected range. What is good, a mile? Last point, the amount of information transmitted could take a while depending on the wavelength used, the ELF system uses very long radio waves and so takes a long time to transmit messages - but it sends those signals through air, ground and water!

Posted by: Outlaw3 at July 10, 2003 07:25 AM

There are a number of different types of tags on the market, with some of the older tags running in the 30KHz-500KHz range and some of the newer ones in the 850MHz-950MHz and 2.4GHz-2.5GHz ranges. The amount of data contained within one is typically small (less than 2KB). In the case of these product identifier RFID tags, the tag will simply transmit a 128bit identifier when hit with RF energy.

The biggest problem with extending the range will be the sensitivity of the scanner, since these emitters don't have very effective antennas. Even so, as you mentioned, the idea that the range of the reader could be extended isn't something that can be easily dismissed (as the RFID folks would like us to do). Future advances in technology might enable longer distance reading. It wouldn't take a mile range to make this dangerous. Simply increasing the range to 30 or 40 feet could make a big difference (that'd be enough to read a tag from across a street or to make an unobtrusive reader work at a large store entrance).

Those in the RFID industry who claim that it will never be possible should be careful of making that claim. After all, would the inventors of the CRT ever have dreamed of van Eck Phreaking?

Posted by: Aubrey Turner at July 10, 2003 08:49 AM

Aubrey,

A quick question: would the RFID be disabled by placing a powerful magnet against the product for a couple of minutes?

You can respond via email, if you want.

Posted by: Kim du Toit at July 22, 2003 04:14 PM

Kim,

I sent this to you in email, but I thought I'd put it here as well, in case others have the same question.

No, it takes something that induces a high current in the tag to burn it out. According to what I've read, a magnet won't work. However, a rapidly pulsing powerful electromagnet might do the trick (it's the fluctuation in the magnetic field that induces the current). I don't think, though, that anyone has tried this EMP trick, since it would be hard to control (i.e. it might destroy other electronic equipment in the vicinity).

Posted by: Aubrey Turner at July 22, 2003 09:30 PM

Aubrey,my son is doing a science fair project on RFID tags.CAn you please give us an explanation on how the mecanism works.And if he should cover the tag by paper or foil would it still work?please answer quickly he has a time limit. Thank you .

Posted by: Audrey at October 22, 2003 05:20 PM
Site Meter