RFID (Radio Frequency ID) has hit the news with the technology being introduced into U.S. passports. Because of this, I decided to research the controversy and did so in a previous post: RFID, A Necessary Evil; or an Invasion of Privacy?
This second post is meant to focus on the privacy issues (controversies) that surround this product. While this technology has definite security and supply chain potential, the potential for abuse is also great.
I suppose the use of these tags is inevitable; however, we need to be proactive in developing legislation (laws) designed to prevent their abuse. Legislation rarely keeps up with technology, and from a historical perspective there has been substantial abuse of other technologies, such as adware/spyware and keyloggers, which have been used for illegal purposes and legally (because of a lack of legislation) to invade personal privacy.
Simson L. Garfinkel wrote an article about this in "The Nation." Here are some excerpts:
So why did the American Civil Liberties Union, the Electronic Frontier Foundation, The World Privacy Forum and a dozen other organizations ask for a voluntary moratorium on RFID technology in consumer goods? Because this use of RFID could enable an omnipresent police surveillance state, it could erode further what's left of consumer privacy and it could make identity theft even easier than it has already become.
RFID is such a potentially dangerous technology because RFID chips can be embedded into products and clothing and covertly read without our knowledge. A small tag embedded into the heel of a shoe or the inseam of a leather jacket for inventory control could be activated every time the customer entered or left the store where the item was bought; that tag could also be read by any other business or government agency that has installed a compatible reader. Unlike today's antitheft tags, every RFID chip has a unique serial number. This means that stores could track each customer's comings and goings. Those readers could also register the RFID tags that we're already carrying in our car keys and the "prox cards" that some office buildings use instead of keys.
Mr. Garfinkel's conclusion, which seems very sound, was:
Companies that are pushing RFID tags into our lives should adopt rules of conduct: There should be an absolute ban on hidden tags and covert readers. Tags should be "killed" when products are sold to consumers. And this technology should never be used to secretly unmask the identity of people who wish to remain anonymous.
For the complete article by Mr. Garfinkel, go to: The Nation: The Trouble with RFID.
Again, I used my friends at "Wikipedia" to find some examples of potential abuse that have already occurred:
The potential for privacy violations with RFID was demonstrated by its use in a pilot program by the Gillette Company, which conducted a "smart shelf" test at a Tesco in Cambridge. They automatically photographed shoppers taking RFID-tagged safety razors off the shelf, to see if the technology could be used to deter shoplifting.
In another study, uncovered by the Chicago Sun-Times, shelves in a Wal-Mart in Broken Arrow, Oklahoma, were equipped with readers to track the Max Factor Lipfinity lipstick containers stacked on them. Webcam images of the shelves were viewed 750 miles (1200 km) away by Procter & Gamble researchers in Cincinnati, Ohio, who could tell when lipsticks were removed from the shelves and observe the shoppers in action.
In January 2004 a group of privacy advocates was invited to METRO Future Store in Germany, where an RFID pilot project was implemented. It was uncovered by accident that METRO "Payback" customer loyalty cards contained RFID tags with customer IDs, a fact that was disclosed neither to customers receiving the cards, nor to this group of privacy advocates. This happened despite assurances by METRO that no customer identification data was tracked and all RFID usage was clearly disclosed.
The controversy was furthered by the accidental exposure of a proposed Auto-ID consortium public relations campaign that was designed to "neutralize opposition" and get consumers to "resign themselves to the inevitability of it" whilst merely pretending to address their concerns.
The standard proposed by EPC global includes privacy related guidelines for the use of RFID-based EPC. These guidelines include the requirement to give consumers clear notice of the presence of EPC and to inform them of the choice that they have to discard, disable or remove EPC tags. These guidelines are non-binding, and only partly comply with the joint statement of 46 multinational consumer rights and privacy groups.
If readers are easily accessible, or not protected properly from theft, there is also the potential that identity thieves could scan personal information. Whether or not this is feasible is a matter of great debate, but as with all technology, even if it isn't feasible now, how long will it take for someone to create a way to do it?