As of the middle of last year, at least 17 states were considering legislation to limit the use of radio frequency identification (RFID) technology, up from 12 in 2005, according to an article “Rage Against RFID” in Washington Technology.
“People have this Hollywood view of RFID as being a chip implanted in a person, like in the movie ‘Mission Impossible III,’ and that person can be tracked by a helicopter five miles away,” Patrick Sweeney, CEO of Odin Technologies Inc. of Wilton, Connecticut, told reporter Ethan Butterfield. “That tends to scare people, and it gives them the wrong image.”
RFID chips are tiny microprocessors that, when activated by a nearby scanner, transmit previously embedded information. Despite all fears, no one has yet succeeded in forcibly implanting RFID chips in people, not even prison inmates or convicted child predators, two groups most often mentioned as candidates.
Tracks Things, Not People
At the same time, RFID technology is very much with us, especially in the product supply chain, and the sky has not fallen on privacy. That’s because RFID is predominantly used to track items, not people, a distinction those quick to call for bans and limits fail to see.
The Department of Defense, for example, now requires contractors to tag all parts with an RFID chip. This reduces waste, forces greater supplier accountability, and ensures correct parts are shipped to the correct places at precise times they are needed.
On the retail side, Wal-Mart pioneered the use of RFID-embedded pallets to track shipments from factory to store shelf, a process since adopted by Target and other competitors. RFID has proved especially useful in authenticating pharmaceutical products, keeping counterfeit drugs out of hospitals and clinics.
Yet fears persist that somehow RFID presents an unprecedented threat to individual privacy. I don’t wish to dismiss these concerns lightly, especially when it comes to government use of technology, but before legislatures rush to place limits, or an outright ban, on technology that has already proven itself extremely useful, a little understanding of RFID scope and capabilities is in order.
The ‘Flavors’ of RFID
RFID is not one-size-fits-all. The chips on a pallet at Wal-Mart are far different in cost and sophistication than the chips used in employee ID badges and access cards, point-of-sale fobs like Exxon’s SpeedPass, and the chips the U.S. government wants to place in passports and driver’s licenses.
Here are some of the variables:
The range at which they can be read. Different RFID chips are designed to be read at different distances. The chip in a tollway pass needs to have a range of about 15 to 20 feet, the distance between windshield and reader mounted in the toll lane. By contrast, RFID chips embedded in pallets or documents can be designed to radiate a signal that can travel to a reader only a few inches away.
The equipment that can activate them. RFID chips can be designed to activate and transmit only in response to a special code or signal from a scanner. This prohibits unauthorized scanners from accessing the information on the chip.
The type of information it contains. Most RFID chips contain a sequence of numbers that identify the item to a machine reader, as opposed to a human. This is why much of the concern over RFID chips in packaging is misplaced. Let’s say at some future date, you neglect to take an RFID tag off a pair of Levi’s jeans you just purchased. Let’s assume someone is prowling around with an RFID scanner. You walk by and the scanner picks up the digits off the tag. Assuming our information thief possesses the knowledge necessary to decode the meaning of those digits, all the tag will tell him is that you are wearing a pair Levi’s jeans–something he can discern with his own eyes–and maybe the date and location of their manufacture–information that has nothing to do with you.
Redundancy and encryption. Legitimate privacy concerns have prompted the government and private industry to use encryption algorithms in chips that carry personal ID information, as is being done on debit cards and Internet-based transactions today. Fears of identity theft through RFID use in passports and driver’s licenses are reflected in such essays as “The ID Chip You Don’t Want in Your Passport” by Bruce Schneier in the September 15, 2006 edition of the Washington Post.
Schneier frets that an RFID chip in a passport could be read by an ID thief with a home-made scanner. But he forgets the chip on the passport contains the same information as is printed on the passport. The chip, digital picture, and encrypted data make the document much more secure and counterfeit-proof. And besides, a thief hell-bent on getting personal data off your passport or driver’s license would find it easier and cheaper to pick your pocket or snatch your purse.
Threats Lie Elsewhere
That brings me to what I believe is the biggest problem about the policy response to electronic identity theft: the emphasis on regulating, or even banning, electronic transmission technologies like RFID when actual threats lie elsewhere.
For example, a law proposed in New Hampshire and Washington state–which would make retailers legally liable if they do not explain to consumers that a cellular phone, GPS receiver, or WiFi card emits a radio signal that can be received and tracked by another radio device and label the product accordingly–is patently absurd. That signal is the inherent reason the consumer is buying the radio product! The proposed law is an example of the “we-gotta-do-something” hysteria that surrounds RFID.
To date, more personal ID information has been compromised by lost laptops; lost and stolen disks, tapes, and flash drives; and stolen passwords. All of this is preventable through education and internal security policies that deter true threats. Consumers and businesses are much better served through reinforcement of common-sense methods of protecting personal and corporate property. For now, legislators need to give RFID the space to develop.
Steven Titch ([email protected]) is senior fellow for IT and telecom policy at The Heartland Institute and managing editor of IT&T News.