How RFID Tags Could Be Used to Track Unsuspecting People

[Eugen Leitl]

http://www.sciam.com/article.cfm?id=how-rfid-tags-could-be-used&print=true

How RFID Tags Could Be Used to Track Unsuspecting People

A privacy activist argues that the devices pose new security risks to those
who carry them, often unwittingly

By Katherine Albrecht

If you live in a state bordering Canada or Mexico, you may soon be given an
opportunity to carry a very high tech item: a remotely readable driverbs
license. Designed to identify U.S. citizens as they approach the nationbs
borders, the cards are being promoted by the Department of Homeland Security
as a way to save time and simplify border crossings. But if you care about
your safety and privacy as much as convenience, you might want to think twice
before signing up.

The new licenses come equipped with radio-frequency identification (RFID)
tags that can be read right through a wallet, pocket or purse from as far
away as 30 feet. Each tag incorporates a tiny microchip encoded with a unique
identification number. As the bearer approaches a border station, radio
energy broadcast by a reader device is picked up by an antenna connected to
the chip, causing it to emit the ID number. By the time the license holder
reaches the border agent, the number has already been fed into a Homeland
Security database, and the travelerbs photograph and other details are
displayed on the agentbs screen.

Although such benhancedb driverbs licenses remain voluntary in the states
that offer them, privacy and security experts are concerned that those who
sign up for the cards are unaware of the risk: anyone with a readily
available reader devicebunscrupulous marketers, government agents, stalkers,
thieves and just plain snoopsbcan also access the data on the licenses to
remotely track people without their knowledge or consent. What is more, once
the tagbs ID number is associated with an individualbs identitybfor example,
when the person carrying the license makes a credit-card transactionbthe
radio tag becomes a proxy for that individual. And the driverbs licenses are
just the latest addition to a growing array of btaggedb items that consumers
might be wearing or carrying around, such as transit and toll passes, office
key cards, school IDs, bcontactlessb credit cards, clothing, phones and even
groceries.

RFID tags have been likened to barcodes that broadcast their information, and
the comparison is apt in the sense that the tiny devices have been used
mainly for identifying parts and inventory, including cattle, as they make
their way through supply chains. Instead of having to scan every individual
itembs Universal Product Code (UPC), a warehouse worker can register the
contents of an entire pallet of, say, paper towels by scanning the unique
serial number encoded in the attached RFID tag. That number is associated in
a central database with a detailed list of the palletbs contents. But people
are not paper products. During the past decade a shift toward embedding chips
in individual consumer goods and, now, official identity documents has
created a new set of privacy and security problems precisely because RFID is
such a powerful tracking technology. Very little security is built into the
tags themselves, and existing laws offer people scant protection from being
surreptitiously tracked and profiled while living an increasingly tagged
life.

Beyond Barcodes

The first radio tags identified military aircraft as friend or foe during
World War II, but it was not until the late 1980s that similar tags became
the basis of electronic toll-collection systems, such as E-ZPass along the
East Coast. And in 1999 corporations began considering the tagsb potential
for tracking millions of individual objects. In that year Procter & Gamble
and Gillette (which have since merged to become the worldbs largest
consumer-product manufacturing company) formed a consortium with
Massachusetts Institute of Technology engineers, called the Auto-ID Center,
to develop RFID tags that would be small, efficient and cheap enough to
eventually replace the UPC barcode on everyday consumer products.

By 2003 the group had developed a working version of the technology and
attracted inB-B-vestB-ment from more than 100 companies and government agencies.
The tagsb promoters promised the tiny chips would revolutionize inventory
management and counterfeiting prevention [see bRFID: A Key to Automating
Everything,b by Roy Want; Scientific American, January 2004].

To kick-start government adoption of the technology, the General Services
Administration (GSA), a federal bureau that manages purchasing for other
government institutions, issued a memo in 2004 urging the heads of all
federal agencies bto consider action that can be taken to advance the [RFID]
industry.b Suddenly, virtually every agency, from the Social Security
Administration to the Food and Drug Administration, began announcing RFID
trials. 

During the same period, similar initiatives were under way around the world.
In 2003 the International Civil Aviation Organization (ICAO), a United
Nations agency that sets global passport standards, endorsed the use of RFID
tags in passports. ICAO now calls for their use in all scannable
be-passports.b Today dozens of countries, including the U.S., issue
e-passports with RFID tags embedded in their covers.

Since their debut, the new passports have been controversial on both privacy
and security grounds. In a 2006 report one ICAO official promised that
encryption measures would provide a blevel of protection [that] should
reassure the most anxious passport holder that his personal data cannot be
read without his knowledge.b

Security experts quickly proved otherwise. In 2007 British security
consultant Adam Laurie cracked the encryption code on a U.K. passport and
bskimmed,b or remotely read, its personal informationbwhile it was still
sealed in its mailing envelope. Around the same time, German security
consultant Lukas Grunwald copied the data from a German passportbs embedded
chip and encoded it into a different RFID tag to create a forged document
that could fool an electronic passport reader. Investigators at Charles
University in Prague, finding similar vulnerabilities in Czech e-passports,
wrote that it was ba bit surprising to meet an implementation that actually
encourages rather than eliminates [security] attacks.b

Yet these demonstrated security problems have not slowed the adoption of
RFID. On the contrary, the technology is being deployed for domestic ID cards
around the world. Malaysia has issued some 25 million contactless national
identity cards. Qatar is issuing one that stores the cardholderbs fingerprint
in addition to personal information. And in what industry observers are
calling the single largest RFID project in the world, the Chinese government
is spending $6 billion to roll out RFID-based national IDs to nearly one
billion citizens and residents.

There is an important difference, however, between other nationsb RFID-based
ID cards and Homeland Securitybs new driverbs licenses. Most countriesb
contactless national IDs and e-passports have adopted an RFID tag that meets
an industry standard known as ISO 14443, which was developed specifically for
identification and payment cards and has a degree of security and privacy
protection built in. In contrast, U.S. border cards use an RFID standard
known as EPCglobal Gen 2, a technology that was designed to track products in
warehouses, where the goal is not security but maximum ease of readability.

Whereas the ISO 14443 standard includes rudimentary encryption and requires
tags to be close to a scanner to be read (a distance measured in inches
rather than feet), Gen 2 tags typically have no encryption and only minimal
data safeguards. To skim the data from an encrypted ISO 14443 chip, you have
to crack the encryption code, but no special skills are required to skim a
Gen 2 tag; all you need is any Gen 2 reader. Such readers can be purchased
readily and are in common use in warehouses worldwide. A hacker or crimB-inal
armed with one could skim a border card through a purse, across a room, even
through a wall.

As of this past April, more than 35,000 Washingtonsecurity of such cards
could be compromised is just one reason for concern. Even if tighter
data-protection measures could someday prevent unauthorized access to
RFID-card data, many privacy advocates worry that remotely readable identity
documents could be abused by governments that wish to tightly monitor and
control their citizens.

Chinabs national ID cards, for instance, are encoded with what most people
would consider a shocking amount of personal information, including health
and reproductive history, employment status, religion, ethnicity and even the
name and phone number of each cardholderbs landlord. More ominous still, the
cards are part of a larger project to blanket Chinese cities with
state-of-the-art surveillance technologies. Michael Lin, a vice president for
China Public Security Technology, a private company providing the RFID cards
for the program, unflinchingly described them to the New York Times as ba way
for the government to control the population in the future.b And even if
other governments do not take advantage of the surveillance potential
inherent in the new ID cards, ample evidence suggests that data-hungry
corporations will.

Living a Tagged Life

If the idea that corporations might want to use RFID tags to spy on
individuals sounds far-fetched, it is worth considering an IBM patent filed
in 2001 and granted in 2006. The patent describes exactly how the cards can
be used for tracking and profiling even if access to official databases is
unavailable or strictly limited. Entitled bIdentification and Tracking of
Persons Using RFID-Tagged Items in Store Environments,b it chillingly details
RFIDbs potential for surveillance in a world where networked RFID readers
called bperson tracking unitsb would be incorporated virtually everywhere
people gobin bshopping malls, airports, train stations, bus stations,
elevators, trains, airplanes, restrooms, sports arenas, libraries, theaters,
[and] muB-B-seB-B-umsbbto closely monitor peoplebs movements.

According to the patent, here is how it would work in a retail environment:
this sector can take off.b

Unfortunately, industry self-regulation has little force when it comes to
protecting the public from RFID risks. EPCglobal, the industry body that now
sets technical standards for RFID tags, also produced a set of guidelines for
the use of the chips in retail. The organizationbs recommendations require,
among other things, notice to consumers whenever products contain RFID
tagsbfor instance, in the form of a recognizable RFID logo. Yet when
Checkpoint Systems, a member company of EPCglobal, designed RFID tags to be
hidden in the soles of shoesbin clear violation of the organizationbs own
provisionsbMike Meranda, then president of EPCglobal, told me that since the
guidelines were voluntary, there was nothing he or his organization could do
about it.

The Washington State Department of Licensing reassures citizens that their
personal information is safe because the RFID tag in an enhanced driverbs
license bdoesnbt have a power sourceb and bdoesnbt contain any personal
identifying informB-ationbbeven though those facts have no bearing on whether
the card can be used for tracking. For some people, a false sense of
assurance provided by such official mollifications could be dangerous. The
National Network to End Domestic Violence, a group that vocally opposes the
use of RFID in identity documents and consumer products, has submitted
legislative testimony describing how abusers could use the technology to
stalk and monitor their victims.

Meanwhile the RFID train is barreling forward. Gigi Zenk, a spokesperson at
Washingtonbs licensing agency, recently confirmed that there are 10,000
enhanced licenses bon the street nowbthat people are actually carrying.b
Thatbs a lot of potential for abuse, and it will only grow. The state
recently mustered a halfhearted response, passing a law that designates the
unauthorized reading of a tag bfor the purpose of fraud, identity theft, or
for any other illegal purposeb as a class C felony, subject to five years in
prisone. Nowhere in the law does it say, however, that scanning for other
purposes such as marketingbor perhaps bto control the populationbbis
prohibited. We ignore these risks at our peril.

Note: This article was originally published with the title, "RFID Tag--You're
It".