Sunday, October 30, 2005

RFID, Abuse in the Private Sector?

"How would you like it if, for instance, one day you realized your underwear was reporting on your whereabouts?" California State Senator Debra Bowen (pictured on right).

RFID (Radio Frequency ID) has hit the news with the technology being introduced into U.S. passports. Because of this, I decided to research the controversy and did so in a previous post: RFID, A Necessary Evil; or an Invasion of Privacy?

This second post is meant to focus on the privacy issues (controversies) that surround this product. While this technology has definite security and supply chain potential, the potential for abuse is also great.

I suppose the use of these tags is inevitable; however, we need to be proactive in developing legislation (laws) designed to prevent their abuse. Legislation rarely keeps up with technology, and from a historical perspective there has been substantial abuse of other technologies, such as adware/spyware and keyloggers, which have been used both for illegal purposes and legally (because of a lack of legislation) to invade personal privacy.

Simson L. Garfinkel wrote an article about this in "The Nation." Here are some excerpts:

So why did the American Civil Liberties Union, the Electronic Frontier Foundation, The World Privacy Forum and a dozen other organizations ask for a voluntary moratorium on RFID technology in consumer goods? Because this use of RFID could enable an omnipresent police surveillance state, it could erode further what's left of consumer privacy and it could make identity theft even easier than it has already become.

RFID is such a potentially dangerous technology because RFID chips can be embedded into products and clothing and covertly read without our knowledge. A small tag embedded into the heel of a shoe or the inseam of a leather jacket for inventory control could be activated every time the customer entered or left the store where the item was bought; that tag could also be read by any other business or government agency that has installed a compatible reader. Unlike today's antitheft tags, every RFID chip has a unique serial number. This means that stores could track each customer's comings and goings. Those readers could also register the RFID tags that we're already carrying in our car keys and the "prox cards" that some office buildings use instead of keys.

Mr. Garfinkel's conclusion, which seems very sound, was:

Companies that are pushing RFID tags into our lives should adopt rules of conduct: There should be an absolute ban on hidden tags and covert readers. Tags should be "killed" when products are sold to consumers. And this technology should never be used to secretly unmask the identity of people who wish to remain anonymous.

For the complete article by Mr. Garfinkel, go to: The Nation: The Trouble with RFID.

Again, I used my friends at "Wikipedia" to find some examples of potential abuse that have already occurred:

The potential for privacy violations with RFID was demonstrated by its use in a pilot program by the Gillette Company, which conducted a "smart shelf" test at a Tesco in Cambridge. They automatically photographed shoppers taking RFID-tagged safety razors off the shelf, to see if the technology could be used to deter shoplifting.

In another study, uncovered by the Chicago Sun-Times, shelves in a Wal-Mart in Broken Arrow, Oklahoma, were equipped with readers to track the Max Factor Lipfinity lipstick containers stacked on them. Webcam images of the shelves were viewed 750 miles (1200 km) away by Procter & Gamble researchers in Cincinnati, Ohio, who could tell when lipsticks were removed from the shelves and observe the shoppers in action.

In January 2004 a group of privacy advocates was invited to METRO Future Store in Germany, where an RFID pilot project was implemented. It was uncovered by accident that METRO "Payback" customer loyalty cards contained RFID tags with customer IDs, a fact that was disclosed neither to customers receiving the cards, nor to this group of privacy advocates. This happened despite assurances by METRO that no customer identification data was tracked and all RFID usage was clearly disclosed.

The controversy was furthered by the accidental exposure of a proposed Auto-ID consortium public relations campaign that was designed to "neutralize opposition" and get consumers to "resign themselves to the inevitability of it" whilst merely pretending to address their concerns.

The standard proposed by EPC global includes privacy related guidelines for the use of RFID-based EPC. These guidelines include the requirement to give consumers clear notice of the presence of EPC and to inform them of the choice that they have to discard, disable or remove EPC tags. These guidelines are non-binding, and only partly comply with the joint statement of 46 multinational consumer rights and privacy groups.

If readers are easily accessible, or not protected properly from theft, there is also the potential that identity thieves could scan personal information. Whether or not this is feasible is a matter of great debate, but as with all technology, even if it isn't feasible now, how long will it take for someone to create a way to do it?


Anonymous said...

Spyware is not only a major nuisance but, as you said in your post, a threat to privacy. This is far more threatening to users and it should not be treated as harmless. Looking forward to your follow up article.

DeRad said...

In my Networkworld Security Chief blog, I too ranted against the lack of security in RFID tags which are not only being installed on goods, but in people. Last October, the Federal government quietly approved RFID chip implants in humans which are being used experimentally for purposes of medical information and entertainment preferences. No encryption, and anyone with an RFID reader could gather the information off these chips they need to steal identities. The same would happen with our passport information - name and address and birthdate are enough information to become us. And what happens when they want to put even more info on said chips on passports, identity cards, and in human implants? Scary, scary, scary!

stormingamerican said...

I truly hope others are investigating this RFID usage. I have started to research it myself and have done a blog on the information I have found, and I will continue to post on this subject in the future. I am glad to see others are taking the notice and helping to get the information out about these chips.


RFID Tracking said...

I think it depends on the application; one should be warned about any RFID-embedded feature before proceeding with any action of trying or buying things with RFID.



Credit Card Protection said...

Electronic Pickpocketing Scam

Millions of new credit cards and passports contain tiny two-way radios called RFID chips. This makes it easy for thieves to employ electronic pickpocketing and scan your credit card numbers and other info without touching you.

Our RFID blocking products sold here will help prevent this from happening to you.

About 100 million credit cards now have this contactless technology embedded into them. However, over the next 2-3 years, it is expected that credit card issuers will replace every single magnetic stripe credit and debit card with new contactless smart cards. Why shouldn't they? These cards seem to make it all easier. So much easier that some folks are reading your credit cards before you even take them out of your wallet. For more Information Visit