
The Next Big Privacy Concern: RFID “Spychips”

With RFID, we are closer to cradle-to-grave surveillance than most people realize.

By Ms. Smith on Tue, 07/27/10 - 9:11am.

Radio-frequency I.D. (RFID) tags are a convenient way to track items and cut costs for companies. But this technology is increasingly being used to track other things, like security badges — or even people — giving it the potential to cause a horrific erosion of privacy. Tracking people with smart tags, their shopping preferences, their activities, and their personal belongings sounds like something from a sci-fi thriller. But if you got your panties in a twist over Walmart's decision to track your undies via RFID smart tags, then you'll be doubly concerned at how close we are to cradle-to-grave surveillance.

RFID tags reached a tipping point with Walmart's announcement that, starting next month, the retailer will place removable "smart tags" on consumer goods. The RFID tags can be read by hand-held scanners to track inventory levels and keep a better eye on loss prevention. Recent drops in the cost per RFID tag have encouraged adoption of this technology. With Walmart publicly embracing RFID, you'll see other retailers quickly fall in line.

If your trash is filled with RFID tags, your trash could be exploited by cybercriminals (driving by with an RFID reader). Perhaps consumers should be advised to trash the offending tag before they leave the Walmart parking lot? I’m honestly less concerned that cybercriminals will be cataloging an individual’s purchases via their trash than I am about RFID becoming "spychips" — using the RFID technology to track the whereabouts of citizens who have no idea they are being tracked. RFID chips are already embedded into passports and other everyday items. These potential-privacy-decimating spychips can be the size of a dust speck.

I’m not railing against all creative uses for RFID tracking. There are uses for it that aren’t intended to be violations of your privacy (though in the wrong hands, who knows?). A project called "RememberMe" was started earlier this year as a way of recording memories by tracking clothes and other objects by tagging them with an RFID tag and Quick Response (QR) codes. When the owners of the objects donate them to the shop, a research assistant would record brief stories about the donated objects into a microphone: where they acquired it, the memories attached and any associated stories. Everyone that participates volunteers to do so — so no one’s privacy is violated in this case.

Food is tracked with RFID for freshness and any possible contamination. A company came out with the world's smartest coffee mug that was embedded with RFID to store the owner's account information, purchase habits, and preferences. Perhaps your business has utilized RFID tracking with products such as Microsoft's BizTalk RFID Mobile? Many companies now use RFID tracking, be it in employee badges or for product tracing.

When it comes to using RFID to track humans and our whereabouts, that's when my hackles get raised. Not that this is new either. In 2007, after newspapers reported on a controversial program designed to compile massive dossiers of data on most every American, the website for Total Information Awareness was taken down. People naturally freaked out at the privacy invasion.

But the idea is far from dead. How about if governments started using RFID to issue automated ticket violations? As part of a project called ASSET-Road, VTT Technical Research Center in Finland has developed RFID license plate tracking. The project began in 2008 and will wrap in June, 2011. VTT attempts to detect traffic congestion but it also achieved the goal of “traffic violations detected in a flash.” And then Arizona-based camera vendor American Traffic Solutions (ATS) expanded upon that RFID technology by developing automated tailgating tickets as a feature that can soon be added to existing speed camera programs. Now add in this bit of info: There are also driver's licenses that "come equipped with radio-frequency identification (RFID) tags that can be read right through a wallet, pocket or purse from as far away as 30 feet."

Along similar lines is a company using RFID to track employees. An Indian company, Unity Infraprojects, uses RFID employee tags to keep track of so-called "ghost workers." The only way an employee gets paid is by a combination of RFID evidence and physical presence to collect daily payment.

And there are those taking this idea of tracking people a step further. RFID transponders can be embedded as a subdermal implant, similar to a microchip. Microchips for tracking our beloved pets are now common. Microsoft has HealthVault and Google has Google Health for e-health record management services and both are pushing for RFID medical bracelets. Between 2007 and 2009, RFID, in the guise of VeriChip implants, was given to hundreds of Alzheimer’s patients to help identify them and notify caregivers in case of an emergency. Since 2008, RFID infant protection systems have been placed on some infants at birth to prevent them from being abducted from the hospital or from being given to the wrong mother. A new RFID product "guarantees that RFID will follow you straight to your grave." The palm-size stone tablet has an RFID tag that talks with mobile phones to direct users to an Internet memorial archive. And such uses for RFID are only the tip of the iceberg. Thing Magic, a company that builds embedded RFID readers, recently launched 100 Uses of RFID.

In themselves, most of these are "valid uses" of RFID technology. Indeed, RFID chips are often an embraced technology due to the good they could do for loss prevention. Then again, RFID technology can be the cause of security vulnerabilities. For instance, security badges with RFID chips can broadcast to criminals where those badges are located. In an article about Fort Gordon stolen military IDs, embedded with RFID, the Pentagon’s Counterintelligence Field Activity released a report stating, “The mere possession of a stolen card could, in fact, pose a security risk.”

Former NSA employee James Atkinson, still immersed in the world of intelligence and counterintelligence, said his business and government clients "often fail to recognize security holes that to him seem big enough to steer a tank through." In regard to the missing RFID-enabled military badges, Atkinson stated, “If a spy can get within 300 feet of where classified material is handled, he owns it. I mean, he owns it big time.”

At this year's HOPE hacker conference, the hackers showed both the good and the bad that comes when a person is attached to an RFID badge. “This badge knows what talks you go to. It knows who you talk to. It knows what places in the conference you go. It knows when you were there,” says Rob Zinkov, of the HOPE badge team. If you use that data to enhance your own conference experience, RFID is good. If someone else uses that data, unbeknownst to you, not good.

Extreme-range RFID tracking (hundreds of meters) will be explored and exploited during DEFCON. Also, this year's DEFCON Badge was described as "a full-fledged, active electronic system. Pushing fabrication techniques to the limit and using some components that are so new they barely exist, the design of this year's badge took some serious risks." At last year's DEFCON, some hackers were able to temporarily steal other hackers' and a fed's identity. According to ThreatLevel, when an RFID "reader caught an RFID chip in its sights — embedded in a company or government agency access card, for example — it grabbed data from the card, and the camera snapped the card holder’s picture."

Location-aware apps are scary enough, based on GPS with the broad range they offer. But for the most part you still have to sign up for those. RFID is being implemented all around you. It has slowly been moving to mainstream. It can track infants to senior citizens with Alzheimer’s. In between it can track your clothes, your purchases, your car — even you. RFID is on the verge of tracking us all, cradle to the grave.
