[ Features Index | Silicon Valley | Metroactive Home | Archives ]

Techsploits You're Wearing It By Annalee Newitz WHENEVER YOU TALK to somebody about radio frequency identification (fondly known as RFID), they always start by saying, "This is actually a really old technology." Invented about three decades ago, the time for RFID has come. RFID tech consists of two parts: a tag and a reader. The tag is a microchip with a teensy antenna on it that talks to the reader, which is a small device that takes whatever data the tag sends it and passes it along to a computer. If your RFID tag is in a piece of hospital equipment, for example, the reader might "talk" to it and tell a database, "The machine that goes 'ping' is in room No. 7." Then any hospital staff who query the database would know exactly where to get the machine that goes "ping." You may actually already be using RFID in your car if you have one of those devices that sends out a signal and debits your bank account when you drive through a toll booth. Cities like Boston, San Francisco and New York are making their toll booths compatible with RFID systems like E-ZPass and FasTrack. But the most promising applications are in retail. And this is what groups like the Auto-ID Center at the Massachusetts Institute of Technology are banking on. Auto-ID hopes stores will adopt RFID as the ultimate inventory tool and a safeguard against theft. With readers on every shelf, you could know every time someone removed a box of Wheaties from aisle 10. Potentially, every object in a store could have its own RFID the same way they all have bar codes now. But unlike bar codes, RFIDs can be read at a distance, and each tag has a unique identifier. For privacy advocates, the idea of having a "unique identifier" on everything they buy is a nightmare. If RFID readers become ubiquitous, this could mean that every time you pass by a reader, it could "talk" to your sweater and shoes. Match up credit card records with your sweater's ID, and presto, it's a system for monitoring your every move. Harvard psychology graduate student Katherine Albrecht has formed Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN, at www.nocards.org), devoted to fighting companies that want to put RFID tags in their products. Her latest target was Benetton, the clothing manufacturer, whose executives announced that they would be putting RFID tags in their clothes. After threatening a "Boycott Benetton" campaign, CASPIAN supporters were elated to hear that Benetton had withdrawn its promise to use RFID--at least for now. Meanwhile, Prada already uses RFID for merchandise in its New York store. The question is, are RFIDs all nastiness with no killer app? Simson Garfinkel, a computer security expert and consultant with Auto-ID, says that RFID will serve a useful purpose. He argues that the chips can be programmed with "kill code," or a single command to die. Sanjay Sarma, a professor of mechanical engineering at MIT and co-founder of Auto-ID, suggests that stores might send RFID tags these kill codes at the point of purchase, so that the devices would not be used for tracking. Garfinkel adds that one could be even more clever and just kill the RFID's unique identifier. Keeping other identifiers in the chip, such as what the item is, could be useful for people who are blind and want to use a reader to identify medicines in their cabinets. RFID tags could also aid robots sorting recycled materials, or people who want to ping their refrigerators to find out if they need to pick up some milk. Both Garfinkel and Sarma are quick to point out that Auto-ID has a committee of advisers researching the potential abuses of RFID, as well as exploring ways of getting the industry to deploy RFID in a manner that preserves privacy rights. Sarma recently published a paper (www.rsasecurity.com/rsalabs/cryptobytes/CryptoBytes_March_2003_lowres.pdf) in which he and his co-authors detail all the ways RFID could lead to privacy and security violations. Of course, not all RFID developers may be quite as concerned with civil liberties as the researchers at Auto-ID are. Intermec, the company whose IntelliTag RFID system was slated for Benetton shirts everywhere, makes no mention of privacy concerns in any of its four white papers on RFID and related technologies. "There's a huge privacy issue that's being ignored here," concludes Garfinkel, "and that's the RFIDs in [cars that use] E-ZPass. Those can already be used to track your movements everywhere." In fact, transit authorities in several cities use E-ZPass tags as a way to measure traffic flow. In other words, people are reading the RFID in your car without your knowledge. I'm just worried that flashy campaigns like CASPIAN's proto-Benetton boycott will distract us from the real issue: RFID is out there now. The cat is out of the bag. When are we going to start regulating it? Annalee Newitz ([email protected]) is a surly media nerd whose kill code seems to work best on trackball mice, television remotes and cell phones. Send a letter to the editor about this story to letters@metronews.com. [ Silicon Valley | Metroactive Home | Archives ]