On RFID Tags & Privacy

For one of the first times in my college education, I have the option of writing a term paper on a topic that actually interests me. It's for a required computer science course about computing, society and professionalism. I will be writing a lengthy paper delving into the privacy implications of RFID tags. One of the prerequisites for the paper is that we must initially be undecided about the issue, which is where I stand right now.

What are RFID tags?

RFID tags are tiny electronic modules used to uniquely identify tagged objects or people over a wireless protocol. At the moment, they cost around 5 cents apiece when mass-produced and, in their most basic form, consist of a chip and an antenna. RFID tags are available in a variety of formats, from paper-based units to plastic-encased ones, while some are even ingestible or implantable.
Two forms of RFID tags.

Tag uses are extremely diverse. Wal-Mart uses them to track pallets and was able to get its suppliers to use RFID tags to make their supply chain more cost efficient. In that case, RFID tags are used to store proprietary tracking numbers, product codes, serial numbers and the like. The wireless characteristic of RFID tags makes them easier and faster to work with than bar codes. Unlike bar code scanners, modern RFID readers (although I believe RFID interrogators is the preferred term, with some RFID tags having read/write abilities instead of just ROM) are also able to interact with multiple tags at once. RFID tags also hold up to 128KB of memory currently, much more data than any bar code can hold.

Pharmaceutical companies are beginning to embed RFID tags into medicine containers, many countries have RFID-tagged passports, universities have begun issuing RFID-tagged student ID cards, Exxon Mobil and Visa have point-of-sale RFID tags to help consumers purchase items conveniently, and an FDA-approved company has developed an implantable RFID tag to access one's medical records, with plans to expand to GPS-capable tags. You have no doubt come into contact with RFID tags in your daily life, whether you're aware of it or not.

What's the problem?

RFID tags have incredibly handy uses embodying the spirit of doing things faster, cheaper and more conveniently. But do those boons of RFID tags outweigh the risks associated with having a ubiquitous RFID-tagged society? First off, you need to understand the technical aspects of interacting with RFID tags. There are low-frequency passive tags, which receive their power wirelessly from RFID readers and typically have a range of under 3 feet. Then there are active tags (generally high-frequency) with batteries to sustain the microchip and transmit RF signals to a range of up to 30 feet, but usually around 10 feet. Most consumer-oriented tags, like Exxon Mobil's SpeedPass, are passive and cheaper to manufacture. However, at the Defcon hacking convention in 2005, hackers were able to successfully read a passive RFID tag from close to 70 feet. Big Brother, anyone?

While tags that deal with personally-identifying information employ encryption and authentication safety measures, they're not foolproof. Remember when the WEP encryption technology for Wi-Fi was secure? Neither do I. There will always be ways to circumvent these safety measures. For example, when using a point-of-sale RFID tag, the tag usually gives the reader a unique key code that it throws into an algorithm to see if it is legit. That's all kittens and daisies, but what about when our Defcon friend intercepts the key code from 70 feet away with a man-in-the-middle attack and is then able to buy anything he wants? Granted, it is more involved than this in reality with various encryption schemes, but there is definitely potential for malicious activity; activity that can't be carried out wirelessly against magnetic stripe credit cards.
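The difference between a tag that always sends the same key code and one that answers a fresh challenge, as an added example that is not part of the original post. The class names, the key code and the HMAC-based challenge-response are illustrative assumptions, not the protocol of any real point-of-sale tag.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from any real tag or payment system.
TAG_KEY_CODE = "4F2A-91C7"            # static code a naive tag always sends
TAG_SECRET = secrets.token_bytes(16)  # per-tag secret shared with the back end


class StaticReader:
    """Accepts any transmission that carries a known key code."""
    def __init__(self, known_codes):
        self.known_codes = set(known_codes)

    def accept(self, transmitted_code):
        return transmitted_code in self.known_codes


class ChallengeReader:
    """Issues a fresh nonce per transaction and checks an HMAC over it."""
    def __init__(self, tag_secret):
        self.tag_secret = tag_secret
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_bytes(16)
        return self.pending

    def accept(self, response):
        if self.pending is None:
            return False
        expected = hmac.new(self.tag_secret, self.pending, hashlib.sha256).digest()
        self.pending = None  # a nonce is good for one attempt only
        return hmac.compare_digest(expected, response)


def tag_respond(tag_secret, nonce):
    """What a tag holding the secret computes for a given challenge."""
    return hmac.new(tag_secret, nonce, hashlib.sha256).digest()


def replay_outcomes():
    """Return (static replay accepted, genuine accepted, replayed response accepted)."""
    static_replay = StaticReader([TAG_KEY_CODE]).accept(TAG_KEY_CODE)  # overheard code
    reader = ChallengeReader(TAG_SECRET)
    overheard = tag_respond(TAG_SECRET, reader.challenge())
    genuine = reader.accept(overheard)     # the legitimate transaction
    reader.challenge()                     # next transaction, new nonce
    replayed = reader.accept(overheard)    # old response no longer matches
    return static_replay, genuine, replayed
```

A recorded static code stays valid forever, while a recorded challenge-response answer is only valid for the nonce it was computed over.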

One aspect of RFID tag privacy deals with taking personal information as described above, and another angle to RFID privacy deals with tracking people. Imagine that it is 10 years in the future; there are no bar codes, magnetic stripe usage has been overcome by RFID tags and everything is pretty much wireless. In a nutshell, everyone has an RFID tag somewhere on them. As such, stores, restaurants, banks, malls and cities in general will be massively outfitted with RFID readers. Take the opt-in IBM project codenamed Margaret for example:

As they pass through the doors, the card would alert a customer information system. Bank staff could personally greet high-net-wealth customers, or customers could be greeted by name by tellers, who would already have their account information on-screen when they arrive at the counter.

Projects like that are lending RFID tags to uses based around identifying people, likely making it easier for others to maliciously do the same. Brick-and-mortar (B&M) stores could discover when you walk in with your tagged buyer rewards card and immediately see that you've spent 15,000 in plasma TVs in the last two months, making it all the easier for a salesman to bug you throughout your stay. I'd rather the store just consider me visitor #349 instead of Paul Stamatiou, tech guru likely to help customers and tell them to buy their electronics for cheaper online. If stores had the capability to recognize frequent customers, they could fill in detailed information about that person's history and preferences in a database.

That brings me to the next RFID privacy issue. MIT Professor Jerry Saltzer once said that privacy is a database correlation issue and he was entirely correct. What that means is that you give out little bits of personal information about yourself to various entities, but one entity never has all of your information. For example, Entity A might have a database listing your DOB and favorite color. Entity B's database has your SSN, address and last 10 DVDs rented. Entity C's database knows your mother's maiden name, the name of the high school you attended, your height and hair color. This goes on with numerous entities. All it takes for someone to know everything about you is access to the databases and a simple matching by your name or other personally-identifying parameter.

With RFIDs, this process is made much easier as logging your data evolves from a manual task to an automatic, wireless one. Companies would be able to create a detailed profile about you and your habits without your knowledge.
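The correlation described above, with a tag's static ID acting as the join key across unrelated reader logs, as an added example that is not part of the original post. The logs, tag IDs and seeds are constructed, and the rotating hash-chain pseudonym is one mitigation from the RFID privacy literature that the post itself does not discuss.

```python
import hashlib
from collections import defaultdict

def build_logs(emit):
    """Constructed logs of three unrelated entities; emit(tag) is what a reader hears."""
    return {
        "electronics_store": [(emit("A"), "bought plasma TV"), (emit("B"), "browsed")],
        "bank": [(emit("A"), "entered branch 09:14")],
        "pharmacy": [(emit("A"), "prescription pickup"), (emit("B"), "bought aspirin")],
    }

def largest_profile(logs):
    """Join all logs on the broadcast identifier; return the biggest linked profile."""
    profiles = defaultdict(list)
    for entity, rows in logs.items():
        for ident, observation in rows:
            profiles[ident].append((entity, observation))
    return max(len(rows) for rows in profiles.values())

class RotatingTag:
    """Emits a one-way pseudonym per read, then advances its internal state."""
    def __init__(self, seed):
        self.state = seed

    def emit(self):
        pseudonym = hashlib.sha256(b"out" + self.state).hexdigest()[:16]
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return pseudonym

def issuer_recognises(seed, pseudonym, max_reads=100):
    """The issuer knows the seed, so it can walk the chain to find its own tag."""
    tag = RotatingTag(seed)
    return any(tag.emit() == pseudonym for _ in range(max_reads))

def compare():
    """Return (static profile size, rotating profile size, issuer match)."""
    static_ids = {"A": "E200-0001", "B": "E200-0002"}      # constructed tag IDs
    static_logs = build_logs(lambda tag: static_ids[tag])

    seeds = {"A": b"constructed-seed-A", "B": b"constructed-seed-B"}
    tags = {name: RotatingTag(seed) for name, seed in seeds.items()}
    rotating_logs = build_logs(lambda tag: tags[tag].emit())

    heard_at_pharmacy = rotating_logs["pharmacy"][0][0]
    return (largest_profile(static_logs), largest_profile(rotating_logs),
            issuer_recognises(seeds["A"], heard_at_pharmacy))
```

With static IDs, three observations from three entities collapse into one profile. With rotating pseudonyms, only the party holding the seed can link reads, so the issuer can still track its own tags.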

Overall

The things I have discussed regarding potential problems with RFID tags and privacy involved loose hypothetical situations. It is likely much harder to crack the encryption of a modern RFID tag than I made it appear. My main point is that the potential for an issue exists, and with the current RFID tag trend predicting a surge of tag adoption in the near future, privacy issues need to be addressed now. Detailed personal information will always be encrypted and secured (although doing that costs more, so there is a monetary incentive for smaller companies to ignore encryption), but the RFID tag's unique key code and things of that sort can be picked off by any RFID reader without authentication (or at least that's the impression I have), thus turning the key code into an identifier for making sense of logged aggregate data.

Remember the time AOL accidentally released search query logs? The logs did not contain any users' names, but instead contained random ID numbers. With those ID numbers, it was easy for people to draw connections between queries and figure out who was who.

Now for the point of this article - where do you stand? Do you prefer the utter convenience that RFID tags bring to consumers or loathe RFID tags for allowing others to potentially track you? I'm not one to get paranoid over security measures, but after doing considerable RFID research, the future of RFID uses makes me wonder what companies or tech-savvy RFID hackers will know about me and my activities.

Society needs to find a middle ground for the uses of RFID tags. They are great for supply chain inventory management and other industry uses, but I question how far we need to go with using RFID tags for personal and consumer needs.

For those interested in reading about RFID tags in more depth, I recommend taking a look at this book and this one.