Log In

Reset Password
BERMUDA | RSS PODCAST

RFID has potential to invade privacy

Radio frequency identification (RFID), which I have previously described as a transformational technology (along with nanotechnology) has the potential to also be a means of tracking us to levels unfrequented before.

That is why many security experts have called for strict controls and legislation on the use of the technology before companies and governments roll it out fully. That is why consumer protests led supermarkets in the US and the UK to stop using the technology at the retail level.

Faced by this blockage the RFID industry is just now getting around to drawing up voluntary ethical guidelines on the use of the technology. But until voluntary measures are made mandatory, I'm not going to rely on the good will of companies.

Such rules include requiring companies to inform consumers when an RFID device is attached to a good, or giving people the ability to disable or remove RFID tags when they don't want to be tracked.

RFID is an automatic identification method using radio frequencies. The technology relies on RFID tags, small objects that can be attached to or incorporated into a product, animal or person. The tags contain tiny antennas to enable them to receive and respond to radio-frequency queries from an RFID transceiver. Tags can be passive, which do not require a power source, or active, which do. The active tags have a longer range and larger memories than passive tags and hence have more privacy implications. Governments, of course, are highly interested. The latest is the Bush administration, which last week announced that all US passports would be implanted with the chips starting in October, 2006.

The RFID tags will hold personal information including the name, nationality, sex, date of birth, place of birth and digitised photograph of the passport holder.

Eventually, the government wants to add additional digitised data such as "fingerprints or iris scans".

The Bush administration claims the RFID chips will not harm privacy and will not be open to abuse by companies or nefarious others wanting to pick up on who we are.

Among democratic nations, the UK and Germany have announced similar plans.

It's interesting to see how the US government says it has addressed privacy concerns.

"It will only permit governmental authorities to know that an individual has arrived at a port of entry ? which governmental authorities already know from presentation of non-electronic passports ? with greater assurance that the person who presents the passport is the legitimate holder of the passport."

ID theft will be prevented through "antiskimming material" put in the front cover of the passport to lessen the threat of the information being surreptitiously scanned.

However technology has a way of catching up with so-called security measures. In fact it already has.

In my job as a food industry editor, I reported about a South African company, Trolley Scan, which claims it has invented a scanner that can read multiple RFID tags at a distance of 100 metres. What's more, the scanner was able to pick a single transponder out from a crowd of about 1,000 at a time, allowing users to accurately locate objects among multiple targets.

While this is great for warehouse logistics, it's bad news for "antiskimming material" that is built for less powerful scanners.

More promising is the inclusion of cryptographic keys inside the chip. The RFID chip will only release its contents only after a reader authenticates itself as being authorised to receive the information.

CNet notes that RSA Laboratories' Ari Juels, and University of California's David Molnar and David Wagner have warned that the design of the encryption keys is insufficiently secure. They said that the use of a "single fixed key" for the lifetime of the e-passport creates a vulnerability.

You be the judge. Their paper, Security and Privacy Issues in E-passports, is available as a PDF at: http://www.cs.berkeley.edu/~daw/papers/.