Is RFID tracking you?
July 10, 2006
By Daniel Sieberg CNN
Radio frequency identification has been heralded as a breakthrough in tracking technology, and denounced as the next Big Brother surveillance tool.
RFID sounds futuristic: A transmitter smaller than a dime embedded in everything from a T-shirt to human skin, communicating data over a short distance to a reading device.
The technology has been around for decades -- the British used it to identify aircraft as friend or foe during World War II, and factory warehouses have used it more recently to make shipping more efficient.
So why is it getting so much attention now? The short answer is that RFID has moved into more common corners of society.
Today, it can be used to identify missing pets, monitor vehicle traffic, track livestock to help prevent disease outbreaks, and follow pharmaceuticals to fight counterfeit drugs. Many of us start our cars using RFID chips embedded in the ignition key.
RFID chips, injected under the skin, can store a medical history or be used to control access to secure areas. The next generation of passports and credit cards are hotbeds for RFID. It could make bar codes obsolete.
However, hackers and analysts are exposing potentially serious problems. Hackers could disable a car's RFID anti-theft feature, swap a product's price for a lower one, or copy medical information from an RFID chip.
"The dark side of RFID is surreptitious access," said Bruce Schneier, a security expert with Counterpane Internet Security Inc.
"When RFID chips are embedded in your ID cards, your clothes, your possessions, you are effectively broadcasting who you are to anyone within range," he said. "The level of surveillance possible, not only by the government but by corporations and criminals as well, will be unprecedented. There simply will be no place to hide."
But Mark Roberti, editor of RFID Journal, a trade publication that claims independence from the RFID industry, said the long-term convenience and cost-savings outweighs the potential pitfalls.
"Technology is neither good nor evil," Roberti wrote in an e-mail responding to questions from CNN. "Technology is a tool. All technologies can be used in positive or negative ways.
"The Internet is a great boon to businesses and consumers, but some use it [unscrupulously]. RFID is no different. It will be bring tremendous benefits to consumers and businesses. The key is to find ways to maximize the benefits and try to limit any potential abuses."
Most RFID chips or tags are passive, meaning they contain no battery power and can transmit data only when zapped with a reader. Active tags, which are more expensive, can carry some battery power.
Prices for the chips can range from several cents to a couple of dollars apiece, depending on the application and whether they are ordered in bulk. The cost has limited RFID's appeal. To compete with barcodes, RFID chips need to be priced at under a penny each. The cost is gradually coming down, though.
The storage space is extremely small, typically about 2KB, and the data on the tags can be read by equipment from a few inches to several feet away -- and sometimes a bit farther.
A group of hackers at the 2005 DefCon technology convention in Las Vegas, Nevada, used an antenna attached to an RFID reader to scan the information on a tag nearly 70 feet away. RFID proponents downplayed the demonstration, saying the apparatus was impractical and wouldn't work if the information on the RFID tag were encrypted, which is more often the case.
"The kind of RFID that is becoming widely used has no power source, and can send information over tens of feet. Compared to, say, a cell phone, which transmits personal identity and location information for miles, RFID's potential for misuse and abuse is quite trivial," Kevin Ashton, vice president at ThingMagic LLC, a manufacturer of RFID readers, wrote in an e-mail responding to CNN's questions.
"That said, companies that make and use RFID have a responsibility to make sure the technology is developed and adopted in ways that make it secure and useful."
That responsibility was recently addressed by a best-practices manifesto composed by the RFID industry. Participating companies included Microsoft, IBM, Intel, Visa U.S.A. and Proctor & Gamble.
The manifesto is meant to assuage consumer fears about how data could be collected, shared and stored. Key parts of the document include an agreement to notify consumers about RFID data collection and give them a choice when it comes to gathering personal information. But the manifesto doesn't suggest any penalties for not complying, and the onus would likely fall to the Federal Trade Commission to investigate any claims of harm or wrongdoing.
"Credit card companies have huge incentives to secure the transaction: They need to avoid customer complaints, counterfeiting and billing disputes, so it seems reasonable to assume high levels of security will have to be built in before such a system would be widely accepted," wrote ThingMagic's Ashton.
A company in Cincinnati, Ohio, recently delved into new territory with RFID tags by chipping its employees.
CityWatcher.com provides video surveillance for clients and police. The information it collects is the company's biggest asset and needs to be kept in a room that has more security than a lock and key, CEO Sean Darks said. The answer was an electronic lock, and the company has given its handful of employees the option of using an electronic key or getting an RFID chip implanted in their arm.
"It can't be read, it can't be tracked, it doesn't have GPS," Darks said. "It doesn't emit a signal, I do not know where my employees are unless I call them on a cell phone -- your cell phone has more GPS capability than an RFID chip does."
VeriChip Corp. is a Florida-based company that makes the government-approved, human-implantable RFID chips. A certified doctor injects the chip, which is about the size of a grain of rice.
If done for medical reasons, the RFID chip would contain a random 16-character string of numbers or letters connected to that person's medical chart. That way, in an emergency, doctors could access a patient's history even if the patient was incapable of communicating. But the technology is not available at all hospitals, and not every doctor knows to look for the implanted chips.
A few CityWatcher.com employees opted not to have the procedure done, saying the whole idea makes them nervous. They were given a key chain that contained an RFID chip. Regardless, Darks says the idea helps maintain security in the building -- and he sees some humor in the situation.
"What we like to say at CityWatcher is it helps with employee retention, because employees don't like to leave their arm if they leave the company," he said.
But this human-implant trend worries privacy advocates like Marc Rotenberg with the Electronic Privacy Information Center.
"A lot of these technologies have very useful applications," he said. "They can help large companies keep track of products, which is why companies such as Wal-Mart use RFID chips in their inventory management system. A lot of pet owners are using chips to keep track of their animals if they're lost.
"But it really seems to cross a line when technology that's used for inventory management or keeping track of pets is then placed in human beings," Rotenberg added. "And that raises ethical issues and privacy issues and probably some legal issues. I think people are going to be concerned about who uses the chip and who has access to it."
Despite these concerns, others say there are huge benefits to using RFID.
"At least 30 million people carry an RFID tag on them every day in their car keys or in their access control card to get into their office building or to buy gas or to pay a toll," wrote RFID Journal's Roberti. "Everywhere RFID has been rolled out in the consumer environment, consumers have overwhelmingly embraced it."
One new consumer application is in credit cards. Consumers could simply wave a credit card containing a passive chip at an RFID reader to pay for their purchases.
While there is concern that hackers could remotely read the card information, supporters argue it would be easier for merchants, and the speed of the processing time could shave off more than a dozen seconds per transaction, which would add up. They also say transactions would be no more or less secure than they are today.
"That is, if you buy stuff today with a credit card, that information is stored in a database," Roberti wrote. "When or if RFID is used to record sales, data will go in a database, the same one in fact. If the government wants access to the RFID data or the bar code data, it's essentially the same thing."
The controversy and discussion about RFID technology will not end anytime soon. But both sides agree that a sizable dose of debate is needed to hammer out the kinks. Meanwhile, the technology is appearing in an increasing number of places -- though even if you look around, you still might miss it.
i spy