Monday, August 25, 2008

How RFID Tags Could Be Used to Track Unsuspecting People

Questions and concerns surrounding RFID technology, and what degree it could undermine the individuals right to privacy are complicated and largely "yet to be determined". At CFC, we believe that before we jump head first into the full fledged implementation of any technology that raises the kinds of questions this article will examine we should take a step back and do the kind of thorough review of the pros and cons first.

Then, based on what we find, put in place common sense regulations and safeguards...using the Constitution and our right to privacy as the most important factors in formulating public policy...rather than factors like so called "consumer convenience" and corporate profit.

With that said, this article in Scientific American by Katherine Albrecht is about as thorough an examination of RFID technology and the variety of possible ways in which it can be used for purposes that would literally put an end to the right to privacy as we know it today as you'll find anywhere.

Put it this way, do you think big business, the military industrial complex, and the government, with literally billions of dollars at stake, and an unimagined ability to monitor and control the public at large, will feel an obligation to protect your privacy? Of course not.

This leaves us only one recourse, establish rules and regulations NOW, before it's too late.

Albrecht writes:

The new licenses come equipped with radio-frequency identification (RFID) tags that can be read right through a wallet, pocket or purse from as far away as 30 feet. Each tag incorporates a tiny microchip encoded with a unique identification number. As the bearer approaches a border station, radio energy broadcast by a reader device is picked up by an antenna connected to the chip, causing it to emit the ID number. By the time the license holder reaches the border agent, the number has already been fed into a Homeland Security database, and the traveler’s photograph and other details are displayed on the agent’s screen.


In 2007 British security consultant Adam Laurie cracked the encryption code on a U.K. passport and “skimmed,” or remotely read, its personal information—while it was still sealed in its mailing envelope. Around the same time, German security consultant Lukas Grunwald copied the data from a German passport’s embedded chip and encoded it into a different RFID tag to create a forged document that could fool an electronic passport reader. Investigators at Charles University in Prague, finding similar vulnerabilities in Czech e-passports, wrote that it was “a bit surprising to meet an implementation that actually encourages rather than eliminates [security] attacks.”

Yet these demonstrated security problems have not slowed the adoption of RFID. On the contrary, the technology is being deployed for domestic ID cards around the world. Malaysia has issued some 25 million contactless national identity cards. Qatar is issuing one that stores the cardholder’s fingerprint in addition to personal information. And in what industry observers are calling the single largest RFID project in the world, the Chinese government is spending $6 billion to roll out RFID-based national IDs to nearly one billion citizens and residents.

There is an important difference, however, between other nations’ RFID-based ID cards and Homeland Security’s new driver’s licenses. Most countries’ contactless national IDs and e-passports have adopted an RFID tag that meets an industry standard known as ISO 14443, which was developed specifically for identification and payment cards and has a degree of security and privacy protection built in. In contrast, U.S. border cards use an RFID standard known as EPCglobal Gen 2, a technology that was designed to track products in warehouses, where the goal is not security but maximum ease of readability.


If the idea that corporations might want to use RFID tags to spy on individuals sounds far-fetched, it is worth considering an IBM patent filed in 2001 and granted in 2006. The patent describes exactly how the cards can be used for tracking and profiling even if access to official databases is unavailable or strictly limited. Entitled “Identification and Tracking of Persons Using RFID-Tagged Items in Store Environments,” it chillingly details RFID’s potential for surveillance in a world where networked RFID readers called “person tracking units” would be incorporated virtually everywhere people go—in “shopping malls, airports, train stations, bus stations, elevators, trains, airplanes, restrooms, sports arenas, libraries, theaters, [and] mu­­se­­ums”—to closely monitor people’s movements.

According to the patent, here is how it would work in a retail environment: an “RFID tag scanner located [in the desired tracking location]... scans the RFID tags on [a] person.... As that person moves around the store, different RFID tag scanners located throughout the store can pick up radio signals from the RFID tags carried on that person and the movement of that person is tracked based on these detections....The person tracking unit may keep records of different locations where the person has visited, as well as the visitation times.”

The fact that no personal data are stored in the RFID tag does not present a problem, IBM explains, because “the personal information will be obtained when the person uses his or her credit card, bank card, shopper card or the like.” The link between the unique RFID number of the tag and a person’s identity needs to be made only once for the card to serve as a proxy for the person thereafter. Although IBM envisioned tracking people via miniature tags in consumer goods, with today’s RFID border cards there is no need to wait for such individual product tags to become widespread. Washington’s new driver’s licenses would be ideally suited to the in-store tracking application, because they can already be read by Gen 2 inventory scanners in use today at stores such as Wal-Mart, Dillard’s and American Apparel.


If RFID tags can enable an amusement park to capture detailed, personalized videos of thousands of people a day, imagine what a determined government could do—not to mention marketers or criminals. That is why my colleagues in the privacy community and I have so firmly opposed the use of RFID in government-issued identity documents or individual consumer items. As far back as 2003, my organization, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)—along with the Privacy Rights Clearinghouse, the Electronic Privacy Information Center, the Electronic Frontier Foundation, the American Civil Liberties Union, and 40 other leading privacy and civil liberties advocates and organizations—recognized this threat and issued a position paper that condemned the tracking of human beings with RFID as inappropriate.

In response to these concerns, dozens of U.S. states have introduced RFID consumer-protection bills—which have all been either killed or gutted by heavy opposition from lobbyists for the RFID industry. When the New Hampshire Senate voted on a bill that would have imposed tough regulations on RFID in 2006, a last-minute floor amendment replaced it with a two-year study instead. (I was appointed by the governor to serve on the resulting commission.) That same year a California bill that would have prohibited the use of RFID in government-issued documents passed both houses of the legislature, only to be vetoed by Governor Arnold Schwarzenegger.

On the federal level, no high-profile consumer-protection bills related to RFID have been passed. Instead, in 2005, the Senate Republican High Tech Task Force praised RFID applications as “exciting new technologies” with “tremendous promise for our economy” and vowed to protect RFID from regulation or legislation.

CFC has been actively supporting a host of California bills designed to regulate the use of RFID technology. As Ms. Albrecht points out, the most far reaching of these was vetoed two years ago by the Governor, and in an effort to appease him this year, some of the bills have been greatly watered down or abandoned altogether.

Nonetheless, progress is being made on this issue in the golden state, with the help of legislators like Senator Joe Simitian, and organizations like the ACLU, the Privacy Rights Clearinghouse, and many others. I posted on the latest news coming from the Legislature on the RFID regulation bills still alive in the legislature last week (One update to that post to mention: SB 29 has passed the Senate by a vote of 27 to 8, and now moves on to the Governor's desk).

Click here to read the rest of article in Scientific American.

1 comment:

Anonymous said...

More information about RFID uses in the videos here: