RFID Chips Are Here - Your privacy is at stake

By Scott Granneman, June 2003

Bar codes are something most of us never think about. We go to the grocery store to buy dog food, the checkout person runs our selection over the scanner, there's an audible beep or boop, and then we're told how much money we owe. Bar codes in that sense are an invisible technology that we see all the time, but without thinking about what's in front of our eyes.

Bar codes have been with us so long, and they're so ubiquitous, that its hard to remember that they're a relatively new technology that took a while to catch on. The patent for bar codes was issued in 1952. It took twenty years before a standard for bar codes was approved, but they still didn't catch on. Ten years later, only 15,000 suppliers were using bar codes. That changed in 1984. By 1987 - only three years later! - 75,000 suppliers were using bar codes. That's one heck of a growth curve.

So what changed in 1984? Who, or what, caused the change?

Wal-Mart.

When Wal-Mart talks, suppliers listen. So when Wal-Mart said that it wanted to use bar codes as a better way to manage inventory, bar codes became de rigeur. If you didn't use bar codes, you lost Wal-Mart's business. That's a death knell for most of their suppliers.

The same thing is happening today. I'm here to tell you that the bar code's days are numbered. There's a new technology in town, one that at first blush might seem insignificant to security professionals, but it's a technology that is going to be a big part of our future. And how do I know this? Pin it on Wal-Mart again; they're the big push behind this new technology.

So what is it? RFID tags.

RFID 101

Invented in 1969 and patented in 1973, but only now becoming commercially and technologically viable, RFID tags are essentially microchips, the tinier the better. Some are only 1/3 of a millimeter across. These chips act as transponders (transmitters/responders), always listening for a radio signal sent by transceivers, or RFID readers. When a transponder receives a certain radio query, it responds by transmitting its unique ID code, perhaps a 128-bit number, back to the transceiver. Most RFID tags don't have batteries (How could they? They're 1/3 of a millimeter!). Instead, they are powered by the radio signal that wakes them up and requests an answer.

Most of these "broadcasts" are designed to be read between a few inches and several feet away, depending on the size of the antenna and the power driving the RFID tags (some are in fact powered by batteries, but due to the increased size and cost, they are not as common as the passive, non-battery-powered models). However, it is possible to increase that distance if you build a more sensitive RFID receiver.

RFID chips cost up to 50 cents, but prices are dropping. Once they get to 5 cents each, it will be cost-efficient to put RFID tags in almost anything that costs more than a dollar.

Who's using RFID?

RFID is already in use all around us. Ever chipped your pet dog or cat with an ID tag? Or used an EZPass through a toll booth? Or paid for gas using ExxonMobils' SpeedPass? Then you've used RFID.

Some uses, especially those related to security, seem like a great idea. For instance, Delta is testing RFID on some flights, tagging 40,000 customer bags in order to reduce baggage loss and make it easier to route bags if customers change their flight plans.

Three seaport operators - who account for 70% of the world's port operations - agreed to deploy RFID tags to track the 17,000 containers that arrive each day at US ports. Currently, less than 2% are inspected. RFID tags will be used to track the containers and the employees handling them.

The United States Department of Defense is moving into RFID in order to trace military supply shipments. During the first Gulf War, the DOD made mistakes in its supply allocation. To streamline operations, the U.S. military has placed RFID tags on 270,000 cargo containers and tracks those shipments throughout 40 countries.

On a smaller level, but one that will instantly resonate with security pros, Star City Casino in Sydney, Australia placed RFID tags in 80,000 employee uniforms in order to put a stop to theft. The same idea would work well in corporate PCs, networking equipment, and handhelds.

In all of these cases, RFID use seems reasonable. It is non-intrusive, and it seems to balance security and privacy. Other uses for RFID, however, may be troublesome.

Visa is combining smart cards and RFID chips so people can conduct transactions without having to use cash or coins. These smart cards can also be incorporated into cell phones and other devices. Thus, you could pay for parking, buy a newspaper, or grab a soda from a vending machine without opening your wallet. This is wonderfully convenient, but the specter of targeted personal ads popping up as I walk through the mall, a la Minority Report, does not thrill me.

Michelin, which manufactures 800,000 tires a day, is going to insert RFID tags into its tires. The tag will store a unique number for each tire, a number that will be associated with the car's VIN (Vehicle Identification Number). Good for Michelin, and car manufacturers, and fighting crime. Potentially bad for you. Who will assure your privacy? Do you really want your car's tires broadcasting your every move?

The European Central Bank may embed RFID chips in the euro note. Ostensibly to combat counterfeiters and money-launderers, it would also enable banks to count large amounts of cash in seconds. Unfortunately, such a move would also makes it possible for governments to track the passage of cash from individual to individual. Cash is the last truly anonymous way to buy and sell. With RFID tags, that anonymity would be gone. In addition, banks would not be the only ones who could in an instant divine how much cash you were carrying; criminals can also obtain power transceivers.

Several major manufacturers and retailers expect RFID tags to aid in managing the supply chain, from manufacturing to shipping to stocking store shelves, including Gillette (which purchased 500 million RFID tags for its razors), Home Depot, The Gap, Proctor & Gamble, Prada, Target, Tesco (a United Kingdom chain), and Wal-Mart. Especially Wal-Mart.

The retail giant, the largest employer in America, is working with Gillette to create "smart shelves" that can alert managers and stockboys to replenish the supply of razors. More significantly, Wal-Mart intends for its top 100 suppliers to fully support RFID for inventory tracking by 2005. Wal-Mart would love to be able to point an RFID reader at any of the 1 billion sealed boxes of widgets it receives every year and instantly know exactly how many widgets it has. No unpacking, no unnecessary handling, no barcode scanners required.
RFID Issues

Right now, you can buy a hammer, a pair of jeans, or a razor blade with anonymity. With RFID tags, that may be a thing of the past. Some manufacturers are planning to tag just the packaging, but others will also tag their products. There is no law requiring a label indicating that an RFID chip is in a product. Once you buy your RFID-tagged jeans at The Gap with RFID-tagged money, walk out of the store wearing RFID-tagged shoes, and get into your car with its RFID-tagged tires, you could be tracked anywhere you travel. Bar codes are usually scanned at the store, but not after purchase. But RFID transponders are, in many cases, forever part of the product, and designed to respond when they receive a signal. Imagine everything you own is "numbered, identified, catalogued, and tracked." Anonymity and privacy? Gone in a hailstorm of invisible communication, betrayed by your very property.

But let's not stop there. Others are talking about placing RFID tags into all sensitive or important documents: "it will be practical to put them not only in paper money, but in drivers' licenses, passports, stock certificates, manuscripts, university diplomas, medical degrees and licenses, birth certificates, and any other sort of document you can think of where authenticity is paramount." In other words, those documents you're required to have, that you can't live without, will be forever tagged.

Consider the human body as well. Applied Digital Solutions has designed an RFID tag - called the VeriChip - for people. Only 11 mm long, it is designed to go under the skin, where it can be read from four feet away. They sell it as a great way to keep track of children, Alzheimer's patients in danger of wandering, and anyone else with a medical disability, but it gives me the creeps. The possibilities are scary. In May, delegates to the Chinese Communist Party Congress were required to wear an RFID-equipped badge at all times so their movements could be tracked and recorded. Is there any doubt that, in a few years, those badges will be replaced by VeriChip-like devices?

Surveillance is getting easier, cheaper, smaller, and ubiquitous. Sure, it's possible to destroy an RFID tag. You can crush it, puncture it, or microwave it (but be careful of fires!). You can't drown it, however, and you can't demagnetize it. And washing RFID-tagged clothes won't remove the chips, since they're specifically designed to withstand years of wearing, washing, and drying. You could remove the chip from your jeans, but you'd have to find it first.

That's why Congress should require that consumers be notified about products with embedded RFID tags. We should know when we're being tagged. We should also be able to disable the chips in our own property. If it's the property of the company we work for, that's a different matter. But if it's ours, we should be able to control whether tracking is enabled.

Security professionals need to realize that RFID tags are dumb devices. They listen, and they respond. Currently, they don't care who sends the signal. Anything your companies' transceiver can detect, the bad guy's transceiver can detect. So don't be lulled into a false sense of security.

With RFID about to arrive in full force, don't be lulled at all. Major changes are coming, and not all of them will be positive. The law of unintended consequences is about to encounter surveillance devices smaller than the period at the end of this sentence.