Information tags along everywhere you go

Critics worry about the security of RFID

By Liz F. Kay | Sun Reporter

May 11, 2008

Don't take a hammer to your new U.S. passport. And don't drill a hole in that credit card or zap it in the microwave.

Experts say these measures - recommended on some extreme Web sites as ways to safeguard privacy and security - are unnecessary for people concerned about the growing prevalence of Radio Frequency Identification tags.

The tiny silicon chips are embedded in credit cards, passports and other everyday items and can transmit data on where you go, what you buy and even who you are.

The devices include "smart" car keys, the no-swipe credit card on your key ring, the E-ZPass transponder on your windshield, the prescription bottle in your medicine cabinet, the blouse you buy at the mall and even the soles of your shoes.

The technology - originally designed to track cattle - now speeds up retail transactions, helps authorities confiscate pirated merchandise, identifies company employees, opens electronic locks and tracks shipments of goods through warehouses and stores.

Analysts estimate that RFID tag sales will reach more than $2.36 billion this year - mostly in automotive, security and financial applications.

But as RFID technology spreads and grows cheaper, critics say the tags and the signals they emit are increasingly likely to be abused: by those who would spy on your movements, steal your identity or even target you in a terrorist attack.

The concern has led to some paranoia - and Web sites full of bizarre advice on avoiding RFID snoops. But authorities are beginning to listen to RFID's serious critics.

The U.S. State Department, for example, incorporated metal shielding into the covers of new passports after critics demonstrated how information from the RFID tags embedded in the documents could be read clandestinely from a distance.

Last year, California legislators enacted a law prohibiting employers from forcing their employees to implant RFID tags in their bodies.

They and lawmakers in Wisconsin and other states were spurred into action by an Ohio company that tagged employees who worked with confidential documents - voluntarily, according to news reports.

But the real problem, critics say, is that RFID tracking is virtually invisible and undetectable by its subjects.

"A lot of this is done not only without the consumer's knowledge - it's beyond the grasp of most consumers how it works. Nontechnical people don't know what the risks are. They just want to buy things and have their privacy and credit card numbers protected," said Avi Rubin, a Johns Hopkins University computer science professor who worked with Massachusetts researchers to crack the encryption scheme of the ExxonMobil Speedpass in 2005.

Although he and many other computer security specialists say they don't believe the tags pose a serious threat today, they are concerned about the future.

"You can look at this at two different levels: whether it's worthwhile for you as an individual to fuss with wrapping your cards in some sort of sleeve, or looking at the systemic issue: how we got to a point where these cards do make this information available remotely," said Edward W. Felton, a professor of computer science and public affairs at Princeton University, whose graduate students became famous for penetrating the security of electronic voting machines.

RFID chips are encoded with digital information - which could be the inventory number for a pair of jeans, or a credit card number, an employee ID, or driver's license data, medical records or passport information.

When an RFID reader sends out an electromagnetic query, the RFID chip transmits the information. While the industry is selling RFID applications as diverse as radio dog-collars and fitness monitors, the technology has also spawned a tiny counter-industry of firms that produce metal-lined wallets, passport sleeves and other devices to shield RFID-enabled documents and credit cards.

Activist Web sites hawk anti-RFID T-shirts and other paraphernalia.

Even vocal RFID critics say the problem hasn't reached a crisis level - which makes it hard to argue their case.

Lee Tien, senior staff attorney for the San Francisco-based Electronic Frontier Foundation, said those who raise the alarm realize how it would have felt to warn the public about air pollution the day the Model T was introduced.