One of the advantages of teaching in a good university is the opportunity to hear smart students talk to each other about complicated topics. This semester I’m teaching a graduate seminar in technology and privacy, to a group of about ten computer science and electrical engineering students. On Monday the class discussed the future of RFID technology.
The standard scenario for RFID involves affixing a small RFID “tag” to a consumer product, such as an item of clothing sold at WalMart. (I’m using WalMart as a handy example here; anyone can use RFID.) Each tag has a unique ID number. An RFID “reader” can use radio signals to determine the ID numbers of any tags that are nearby. WalMart might use an RFID reader to take an inventory of which items are in their store, or which items are in the shopping cart of a customer. This has obvious advantages in streamlining inventory control, which helps WalMart operate more efficiently and sell products at lower prices.
This sounds fine so far, but there is a well-known problem with this scheme. When a customer buys the item and takes it home, the RFID tag is still there, so people may be able to track the customer or learn what he is carrying in his backpack, by scanning him and his possessions for RFID tags. This scares many people.
The risk of post-sale misuse of RFID tags can be mitigated by having WalMart deactivate or “kill” the tags when the customer buys the tag-containing item. This could be done by sending a special radio code to the tag. On receiving the kill code, the tag would stop operating. (Any practical kill feature would allow a special scanner to detect that a dead tag was present, but not to learn the dead tag’s ID number.)
Killing tags is a fine idea, but perhaps the consumer wants to use the tag for his own purposes. It would be cool if my laundry hamper knew which clothes were in it and could warn me of an impending clean-sock crisis, or if my fridge knew whether it contained any milk and how long that milk had been present. These things are possible if my clothing and food containers have working RFID tags.
One way to get what we want is to have smarter tags that use cryptography to avoid leaking information to outsiders. A smart tag would know the cryptographic key of its owner, and would only respond to requests properly authenticated with that key (a signature, or a keyed MAC); and it would reveal its ID number in a form that changes from one read to the next, so that only its owner could recover it and an outsider could not even tell whether two reads came from the same tag. At the checkout stand, WalMart would transfer cryptographic ownership of a tag to the buyer, rather than killing the tag. Any good cryptographer can figure out how to make this work.
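To make the comparison concrete, here is a small simulation of the two designs, written for this discussion rather than taken from any real tag or reader protocol. It contrasts a "dumb" tag that answers everyone with a fixed ID against a hypothetical owner-keyed tag that stays silent to strangers, encrypts its ID under fresh nonces so successive reads are unlinkable, and accepts a re-keying command at checkout that only the current owner can issue. The tag IDs, key sizes, message layout and the use of HMAC-SHA256 as both authenticator and keystream are all assumptions made for the example; a real tag cheap enough for a shirt could not run anything like this today, which is exactly the post's point.

```python
import os
import hmac
import hashlib

ID_LEN = 32   # assumed fixed-width ID field, so ciphertext length leaks nothing


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a labelled message; used as authenticator and keystream."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DumbTag:
    """Today's tag: answers any reader with its fixed ID number."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, reader_nonce: bytes) -> bytes:
        return self.tag_id   # identical bytes on every read, for every reader


class SmartTag:
    """Hypothetical crypto-capable tag: replies only to its owner, never linkably."""
    def __init__(self, tag_id: bytes, owner_key: bytes):
        assert len(tag_id) == ID_LEN and len(owner_key) == 32
        self.tag_id = tag_id
        self.owner_key = owner_key

    def respond(self, reader_nonce: bytes, request_mac: bytes):
        # The reader must prove it holds the owner key; strangers get no reply at all.
        if not hmac.compare_digest(_mac(self.owner_key, b"query", reader_nonce), request_mac):
            return None
        tag_nonce = os.urandom(16)
        # Encrypt the ID under a pad bound to both nonces: each read looks different.
        ct = _xor(self.tag_id, _mac(self.owner_key, b"pad", reader_nonce, tag_nonce))
        auth = _mac(self.owner_key, b"resp", reader_nonce, tag_nonce, ct)[:16]
        return tag_nonce + ct + auth

    def transfer(self, reader_nonce: bytes, wrapped_key: bytes, request_mac: bytes) -> bool:
        # Checkout: only the current owner can hand over a new key, and the new key
        # travels wrapped under the old one so an eavesdropper cannot learn it.
        expected = _mac(self.owner_key, b"rekey", reader_nonce, wrapped_key)
        if not hmac.compare_digest(expected, request_mac):
            return False
        self.owner_key = _xor(wrapped_key, _mac(self.owner_key, b"wrap", reader_nonce))
        return True


def read_smart_tag(tag: SmartTag, key: bytes):
    """Owner-side reader: authenticated query, then verify and decrypt the reply.
    Returns (tag_id_or_None, raw_reply_or_None)."""
    nonce = os.urandom(16)
    reply = tag.respond(nonce, _mac(key, b"query", nonce))
    if reply is None:
        return None, None
    tag_nonce, ct, auth = reply[:16], reply[16:16 + ID_LEN], reply[16 + ID_LEN:]
    if not hmac.compare_digest(_mac(key, b"resp", nonce, tag_nonce, ct)[:16], auth):
        return None, reply   # forged reply, or a tag keyed to someone else
    return _xor(ct, _mac(key, b"pad", nonce, tag_nonce)), reply


def transfer_ownership(tag: SmartTag, old_key: bytes, new_key: bytes) -> bool:
    """Checkout-stand handover from seller (old_key) to buyer (new_key)."""
    nonce = os.urandom(16)
    wrapped = _xor(new_key, _mac(old_key, b"wrap", nonce))
    return tag.transfer(nonce, wrapped, _mac(old_key, b"rekey", nonce, wrapped))


def demo() -> dict:
    """Walk a constructed item through the store, a snoop, and a sale."""
    item_id = b"SHIRT-BLUE-L-000042".ljust(ID_LEN, b"\0")   # constructed sample ID
    store_key, buyer_key, snoop_key = os.urandom(32), os.urandom(32), os.urandom(32)

    dumb = DumbTag(item_id)
    dumb_wire = {dumb.respond(os.urandom(16)) for _ in range(3)}   # what a snoop sees

    smart = SmartTag(item_id, store_key)
    id1, wire1 = read_smart_tag(smart, store_key)
    id2, wire2 = read_smart_tag(smart, store_key)
    snoop_id, snoop_wire = read_smart_tag(smart, snoop_key)

    sold = transfer_ownership(smart, store_key, buyer_key)
    store_after, _ = read_smart_tag(smart, store_key)
    buyer_after, _ = read_smart_tag(smart, buyer_key)
    hijack = transfer_ownership(smart, store_key, snoop_key)   # stale key, must fail

    return {
        "dumb_linkable": len(dumb_wire) == 1,
        "smart_ids_match": id1 == id2 == item_id,
        "smart_wire_differs": wire1 != wire2,
        "snoop_gets_nothing": snoop_id is None and snoop_wire is None,
        "sold": sold,
        "store_locked_out_after_sale": store_after is None,
        "buyer_reads_after_sale": buyer_after == item_id,
        "hijack_rejected": not hijack,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32s} {'ok' if ok else 'FAIL'}")
```

The point of the eavesdropper lines is the one the post makes: the dumb tag's three replies are byte-identical, so anyone with a reader can follow that shirt from day to day, while the smart tag's replies to its owner differ on every read and it says nothing at all to a reader that cannot authenticate. After the checkout handover the store's own key no longer works, which is the "transfer of cryptographic ownership" rather than a kill.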
The problem at present is that garden-variety RFID tags can’t do fancy crypto. Tags don’t have their own power source but get their power parasitically from an electromagnetic “carrier wave” broadcast by the reader. This means that the tag has a very limited power budget and very limited time – not nearly enough of either to do serious crypto. Some people argue that the RFID privacy problem is an artifact of these limitations of today’s RFID tags.
If so, that’s good news, because Moore’s Law is increasing the amount of computing we can do with a fixed power or time budget. If Moore’s Law applies to RFID circuits – and it seems that it should – then the time will come in a few years when dirt-cheap RFID tags can do fancy crypto, and therefore can be more privacy-friendly than they are today. The price difference between simple tags and smart tags will be driven toward zero by Moore’s Law, so there won’t be a cost justification for using simpler but less privacy-friendly tags.
But here’s the interesting question: when nicer RFID tags become possible, will people switch over to using them, or will they keep using today’s readable-by-everybody tags? If there’s no real cost difference, there are only two reasons we might not switch. The first is that we are somehow locked in by backward compatibility, so that any switch to a new technology incurs costs that nobody wants to be the first to pay. The second is a kind of social inertia, in which people are so accustomed to accepting the privacy risks of dumber RFID technologies that they don’t insist on improvement. Either of these scenarios could develop, and if they do, we may be locked out from a better technology for quite a while.
Our best hope, perhaps, is that WalMart can benefit from a stronger technology. Current systems are subject to various uses that WalMart may not like. For example, a competitor might use RFID to learn how many of each product WalMart is stocking, or to learn where WalMart customers live. Or a malicious customer might try to kill or impersonate a WalMart tag. Smarter RFID tags can prevent these attacks. Perhaps that will be enough to get WalMart to switch.
Looking further into the future, the privacy implications of small, communicating devices will only get more serious. The seminar read a paper on “smart dust”, a more futuristic technology involving tiny, computationally sophisticated motes that might some day be scattered across an area, then picked up by passersby, as any dust mote might be. This is a really scary technology, if it’s used for evil.
Today, inventory control and remote tracking come in a single technology called RFID. Tomorrow, they can be separated, so that we can have the benefits of inventory control (for businesses and individuals) without having to subject ourselves to tracking. Tracking will be more possible than ever before, but at least we won’t have to accept tracking as a side-effect of shopping.
Erica,
I’m afraid that you are the one misinformed here. When you throw away your rights to privacy everything is acceptable, I guess. I suggest you start reading some security weblogs where all the “nerds” dream up what will happen in the far-far future; like a year from now.
The timelines are loose; does it really matter if it happens today or in a year for the sake of this argument?
Tracking people by scanning the products they buy after they’ve bought them is deplorable. There is no benefit to the person whatsoever, imagined self-refilling refrigerators aside. But what about the effort to implant RFID chips into things other than consumer products? VeriChip is already implanting these into people to tag them directly, with the pretense that it makes medical emergency information available. Presumably this will morph into allowing cardless credit purchases. (Apparently similar systems don’t work so well in implanted pets, because there are two incompatible chip systems that may not read on the other company’s scanner – so that lost pets have been euthanized rather than identified.) Eventually such tags will find their way into currency as well, allowing tracking of even non-credit purchases. I can foresee a day when individuals will have their own burners to destroy the unwanted tags they bring home every day, scanners to be sure the job was done, and jamming devices to foil hidden scanners. Please assign these as class projects. 😉
But they won’t know what it means? I call bull here. What prevents me from going around with a reader and getting the serial numbers while I’m in the store, and noting what the items are? I wouldn’t even have to do this and look suspicious. If I’m malicious, let’s say I want to track people who buy TVs. Yeah, I could follow them home, because it’s hard to hide them, or I could read the tags off of the TV, note the serial number down on a notepad that, shock, I have to make it look like I’m comparison shopping, and then just sit back and wait. Remember, people thought Bluetooth was really secure and short-range, and then someone went around and made the Bluetooth sniper rifle. I see a bunch of possible great uses for RFID, especially in warehouse-like stores where buying one thing may necessitate buying another on the opposite side of the store, but that doesn’t mean we should implement technology willy-nilly just because it’s there.
Erica (and others),
A simple Google search will show that EZPass records can be subpoenaed in court. That should make people think twice about using them. Here is an example:
http://www.law.com/jsp/nlj/PubArticleFriendlyNLJ.jsp?id=1090180335850
John
Erica,
Note that I discussed item-level tagging as the “standard scenario” in discussions of the technology. Everybody expects item-level tagging to happen, once the price gets low enough. The step from pallet-level or case-level tagging to item-level tagging seems inevitable, doesn’t it?
Tagging an item with “just” an ID number (as I described in the original post) is better than nothing but it certainly doesn’t solve the privacy problem. It still allows an individual tag to be tracked from one location to another or one day to another. And if the ID numbers encode information about the store, or the product category, or something else, that will convey more information. See the paper by Molnar et al about library RFID systems for details of how even randomish ID numbers can enable inappropriate tracking. Analogizing the RFID tag to a bar-code doesn’t help — nobody can read the barcode on my shirt surreptitiously while I’m wearing the shirt.
Are you really asserting that RFID readers are so unreliable that they don’t work reliably at more than a few inches’ range, or that they don’t work on humid days? I assume that bad guys will get readers as good as the ones WalMart has. If anything, the bad guys might be able to use bigger antennas.
The availability of larger, battery-powered, crypto-capable tags doesn’t much matter here, because those tags are too big and too expensive to be practical for tagging consumer items. Some day highly capable tags will be small and cheap enough to use for item-level tagging — hence the Moore’s Law discussion.
Your assertion that nobody has complained about SpeedPass, EZPass, PayPass, or similar systems is not correct. People like the convenience of these systems, but there is certainly concern about their privacy implications.
It’s distressing that people in the RFID industry assert that there isn’t a real privacy issue. There is an issue, and we should be talking about it.
@Erica:
People complain about EZPass and SpeedPass all the time. On the technical weaknesses of the latter, look @ rfidanalysis.org, for example.
The tinfoil hat crew may assume the worst, but to blandly assume that Walmart won’t do evil is naive. They will do precisely as much evil as is in their long-term interest, I would say. You assert that that quantity is zero. Why?
In any case, Ed’s larger point is more interesting. With current-generation el cheapo RFID tags, we may wind up “stuck”. Maybe the tinfoil hat folks should lobby for a tax on non-crypto capable rfid tags to help the Walmart of the future make the socially optimal deployment decision. :^)
I use Walmart as a shorthand for profit-maximizing actors, as did Ed.
Many of the hypothetical scenarios proposed in this article are based on inaccurate assumptions and have no basis in fact. We are years away from goods at Wal-Mart being tagged at the item level. It has been 3 years in the making for Wal-Mart to simply get their pallets and master cases outfitted with RFID tags, and that initiative is still not complete, and won’t be for at least another 2-5 years.
Furthermore, if one day retailers such as Wal-Mart do ever begin to implement item-level tagging, the information on the tag would simply be a serial number, similar to the number that is represented by a barcode. Should someone even be able to “read” this number, it would be meaningless, only a number, unless he had access to Wal-Mart’s databases. A tag on a shirt will not contain and transmit information such as, “Hanes T-shirt, Blue, Size L,” or any information about the purchaser or anything other than a simple serial number.
Going further with the assumption that item-level tagging will one day be a reality, tags and readers must be precisely configured to communicate with one another, and must operate in an environment that is conducive to the radio signals being transmitted. Something as simple as a high-humidity environment can make capturing a read impossible. Also, readers generally have a read range of a few inches to about 15 feet. To obtain greater read ranges using RFID technology requires more specialized and high-end tags and readers, which aren’t being used or even considered by retailers today. This severely limits the risk that any old regular Joe is going to be able to purchase an RFID reader and walk around scanning and reading things and getting private information. This fear, as far as I can see, is rather completely unfounded.
If I am to go on to point out further inaccuracies, it should be noted that there are currently RFID tags available that do carry their own power supply, so that tags do not require the power supplied by a reader to send out a signal. These tags also already have encryption capabilities and, although more expensive, are currently in use in very specialized, security-sensitive applications.
It is distressing that there has been so much controversy caused over such a promising technology. Most of the fears people have are based on inaccurate and untrue information, such as this, that is being dispersed about RFID technology. There are actually laws being passed in states, such as California, to inhibit the adoption of RFID technology in certain industries. RFID has been around and has been in use for decades, without incident, and is only now gaining the attention of the masses because of more prolific implementations, such as Wal-Mart. Nobody has seemed to raise any complaints or have any problems with services such as the Mobil SpeedPass, the EZ Pass toll collection system, or the new MasterCard PayPass now becoming available at smaller retail outlets and McDonald’s drive-through windows. All of these services, which offer consumers increased convenience and security, are based on RFID technology.
‘I hear it said that people who have nothing to hide need not fear this strangulation by technology of surveillance. And where are they, these people with nothing to hide?’
– Russell Baker, NYT columnist, 1998
Anonymous,
I know about the more current expensive, crypto-capable tags. The problem is that they’re not economically viable in the WalMart setting. Given enough time, cheap, crypto-capable tags will become available — hence the Moore’s Law argument.
(I made a conscious choice not to mention the contactless smartcard technologies in the original post. It seemed like a digression that would complicate the presentation without affecting the basic analysis.)
The reverse scenario is also happening: Nokia has already introduced two cell phone products which can read RFID tags (or to be precise, NFC tags; the 13.56 MHz variety). So instead of tagging the person and embedding the readers in the world, you give the readers to the person, and tag the world.
That should have some interesting consequences, and certainly makes it more sense to have universally readable tags (since those will be in public places).
Dr. Felten,
Interesting thoughts, but I find myself desperately wishing it will be true.
I personally don’t think most people care. Anyone else have the frustration of trying to get all their friends to use PGP, especially when they all use webmail and there’s no good interface for it? How about trying to explain why closed IM networks like MSN and AIM are bad, and why Jabber is better?
Near-zero uptake. I think most folks who’ve tried to do similar things have gotten similar results. As always, security is a trade-off. Most people seem to prefer simple, cheap, convenient.
Just some casual observations.
It seems there are two possible added reasons that readable-by-everyone tags might persist indefinitely. Firstly, there may be interests that actually appreciate and grow to use universally readable tags – police organizations, for instance, or data brokers like ChoicePoint. Secondly, there might be inertia on the side of sellers rather than consumers, in which businesses that have become accustomed to doing things a certain way don’t want to spend even a minimal number of man-hours in examining better solutions, and as long as ALL businesses use readable-by-everyone tags, nobody will lose sales because of them.
Finally, keep international considerations in mind. Some governments might require personally identifying chips be widely used with their IDs reported back to the government (China, say) while others may create privacy laws that restrict the use of personally identifying tags.
Oh, in contrast, 190 kHz tags are a few pennies each. It will be a very long time before contactless cards are in that range, and you’d have to swap out all the readers again. Magstripe terminal replacement cost is what keeps smart cards from being widely deployed; there’s no way retailers will foot the bill for new RFID readers for privacy (no revenue).
Ed, I’m sorry, but you always seem to be behind in your understanding of what technology is actually in use today. There are two types of RFID, a 190 kHz and a 13 MHz version. Both are powered from the field generated by the reader. Both have chips.
The 190 kHz version is much simpler and responds with an AM version of its ID. This is the one you are describing. The 13 MHz version (also called a “contactless smart card”) is commonly used in public transit (Paris Metro, Tokyo Suica) and is a full microcontroller that can perform public key operations. The reason a secure microcontroller is used (despite the high cost: $2-4 per card) is to protect the revenue of the transit agency or bank.
No one will pay for privacy. Example, Zero Knowledge Systems. Loss of privacy only causes annoyance if you have nothing to hide (wife finds porn or you need to spend a few hours cleaning your credit report). People reinstall Windows all the time after getting tons of spyware and just accept it as part of having a computer. The only people really hurt by loss of privacy are those on the fringe (dissidents, whistleblowers) but it’s easy if you disagree with them to think their loss of privacy is a good thing.
http://www.homeport.org/~adam/shostack-bh-ams-privacy-final.pdf
Tags are just beginning to be cheap enough to put into every item. Wal-Mart (specifically) waited a few years to have them as cheap. Deadlines for mass deployment of RFID technology have been extended for 3 years now.
If you put _any_ extra features (like crypto) in a tag, they will have to wait 3 more years to deploy. They are not going to wait. The downsides you list seem to not be that significant compared to the benefits they get. Sure, the privacy of their customers is compromised, but do they care? And frankly, do the customers themselves care? After all, they got a good deal on those jeans… right?
Imagine the logistical hassle of syncing up your fridge/drier/etc to the same key as the cash register. Unless of course RFIDs could be reprogrammed dynamically, then the key could probably be held in some way on frequent buyer cards.
What about people maliciously walking through a store reprogramming the products? It would be nice to convince the checkout machine that the plasma tv is actually a t-shirt. Then companies would have a reason to upgrade to the better RFIDs (when available).
Fun topic though, must be a good class.