IBM is currently running a TV commercial where two guys are driving a delivery truck full of cargo to Fresno, Calif. The problem is, they’re lost. They’re actually on the road to Albuquerque, N.M. They don’t know that, but the boxes they’re transporting do, because they’re equipped with RFID tags. The tags notified IBM’s help desk that they’re headed in the wrong direction. “Maybe the boxes should drive,” says one driver to the other.
In this case, RFID was used to improve supply chain efficiency, but a technology that can not only tell what goods you’re carrying but also where you’re headed has some people worried. If it can be used to scan cargo, can it also be used to scan an individual? To determine his whereabouts, his blood type, his bank account number or what he had for breakfast?
The Electronic Frontier Foundation has spent several years investigating the potentially damaging impact a technology like RFID could have on society. Because RFID tags do not require line-of-site scanning technology, as barcodes do, they can be read from a distance. Tags also contain a great deal more information than barcodes.
The worry may not immediately be identity theft, says Seth Schoen, staff technologist for the EFF, but could be a problem in the future if RFID is used to store personal data as part of a passport or other form of ID.
Threats
RFID tags can be copied, claims Schoen, and cost pressures may cause businesses to cut corners when they’re rolling out RFID for various business applications.
“You might say that these threats derive from the fact that the RFID industry wants things to be as cheap as possible,” says Schoen. “And people haven’t necessarily thought through the implications of deploying a lot of tags without any security measures for a particular application.”
Several libraries are rolling out RFID for tracking books, he says, but they haven’t considered the possibility that the people carrying the books could also be tracked.
Bartek Muszynski, the president of Vancouver-based RFID consulting firm NJE Consulting Inc., says that most of the concerns about the technology are “significantly overblown.” But that isn’t to say that they don’t exist.
The level of detail that can be applied to an RFID chip is far beyond conventional barcoding means.
“When you buy a can of Coke with a barcode on there, all that will tell is that it’s a can of Coke. With an RFID tag, if you bought a sweater, it would not just tell that it’s a certain kind of sweater, it will tell you it’s sweater No. 2,000,456,” he says.
GS1, the international standards body that governs RFID requirements, has considered the potential for abuse and built in safeguards to prevent such abuse, according to GS1 Canada CEO Arthur Smith.
There is a “kill switch” built into an RFID tag that would render it virtually useless after it leaves a store, for example. Data on the tag is also encrypted. A more pressing concern for Smith right now is how different businesses will exchange data as they use RFID to track goods through a supply chain.
“People who are interested in the supply chain are worried about information ownership, information rights, access rights – part of the benefit that people talk about is transparency along the supply chain,” says Smith.
“‘Where are the goods? Where are my goods? Are they sitting in the manufacturing warehouse? Are they sitting on a truck?’ Right now we’re just going through some of those issues with the industry. Who has what access rights and how are we going to protect it?”
Manufacturers may be more concerned if Wal-Mart, or anyone else along the supply chain, has the ability to view their inventory levels rather than RFID hacks from the outside, he says. “Some of those issues are now just coming into place.”
Last year, IBM Canada opened the first RFID centre in Canada with the co-operation of GS1 Canada and several interested groups like the Canadian Council of Grocery Distributors. The centre was designed to showcase RFID as a means to supply chain efficiency, initially for agricultural products.
The leaders
In many respects, RFID is just like any other wireless technology, says Shai Verma, IBM Canada’s RFID practice leader.
“Any digital information that is transmitted over secure or unsecure wireless protocols and networks, there is always a chance that can be penetrated or hacked into. The challenge is, every system that’s developed has to have unique protocols to protect it. I think RFID is just the same,” he says.
“We have to stay active with this, because if we do get passive . . . there could be some negative impact.”
A kill switch is just one way in which a tag can be made more secure, he says. Other tags have a tear-off strip that would render them unreadable from anything more than a few inches.
The fallacy is that tags can be read from great distances, he adds, but in reality their maximum range is on the order of 20 or 30 feet. It is unlikely, he says, that a person could drive by your house and discover information about you by reading RFID tags.
“You can’t be driving down the street and pick up that this guy has a large screen TV or this guy uses Viagra because he has a bottle of Viagra sitting on his bedside table. It’s not possible,” he says, “or rather, it’s not probable.”
Bartek agrees that this kind of scenario is unlikely. “It’s not something someone with limited resources could do, like a hacker with a reader sitting somewhere in the corner. That is not, in my opinion, something to be concerned about,” he says.