Monday, August 25, 2008

RFID and Privacy: A Spy In Your Pants?

A few days ago, I found out that my university ID card has an RFID chip in it. A new floor of our building has labs equipped with RFID locks on the doors: little black boxes that light up red or green when you pass the right card next to them. I figured I'd have to go get some special new key fob or other to use the locks, but I was told, "Just hold your ID card near it." I did, and open sesame! I didn't even have to take the card out of my wallet. Some guys, like technicians with an armload of equipment, will just do the "butt-pass"—twist around so their back pocket gets close enough, and they're in.

This discovery aroused mixed emotions. I'm glad I don't have to go get any special new card, but on the other hand, why didn't anybody tell me that chip was in there? And what else could it be used for?

Turns out that these are not idle questions. In a special issue on privacy, this month's Scientific American carries an article by Katherine Albrecht, who heads an organization called Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN, for short). We are entering an era in which RFID chips—little inexpensive transponders that spit out data-bearing radio waves to a properly equipped interrogation unit—are spreading like fleas on a dog. Think of RFIDs as a kind of wireless barcode on steroids. Barcodes have to be out in the open to be scanned, and the data they convey is limited to the few numbers of the bar code. But you can attach an RFID chip to an entire pallet of goods in a warehouse, and as a forklift carries the pallet past an interrogator in the doorway, the inventory control system learns that everything on the pallet has gone out the door—no manual scanning.

The financial and logistical advantages of this sort of thing are obvious to shippers, warehousemen, and supermarkets, in fact retailers of almost anything. So RFID chips are popping up in a lot of places.

So where's the beef? One of the places they're showing up is in identification documents such as passports, private and institutional ID cards (such as my university card), and even driver's licenses. Several states, including Washington, Arizona, Michigan, and Vermont, are making such "enhanced" driver's license cards available. Is there any potential drawback to this? It turns out that the type of technology most states are adopting is the same basic kind that is used in warehouses. So anybody with the right equipment can read the data off the chip—according to Albrecht, there is no encryption involved, unlike a different RFID standard prevalent in Europe which includes encryption.

Well, engineers like to think of worst-case scenarios, so here goes my attempt. Say I have an enhanced driver's license with an RFID chip in it. Driver's license numbers are no big secret anymore—you're asked for them any time you write a check, typically. So here I am, wandering around the hardware store, and without speaking to a soul, without picking up a single item, an RFID sensor can figure out who I am, what aisle I'm in, call up my complete purchase record at that store (and maybe other kinds of stores too, for all I know), and figure out exactly what kind of stuff they ought to try to sell to me. I don't know about you, but I'm not sure I like this idea.

Now the way you react may say something about how old you are. Younger people, to whom YouTube, MySpace, and Flickr are just another part of life, tend to have different notions about privacy than older people do. You might feel pleased or special if a salesperson comes up and offers you stuff that is specially tailored to your past purchases. My main encounter with this kind of thing so far is on Amazon.com, which is constantly making wild guesses as to what kind of books I'd like to read, based on the books I've bought in the past. Most of the time its offers are either laughable or annoying, but every once in a while they hit on something good. All in all, though, I would not miss this feature a bit.

We are talking about what some would term an invasion of privacy. Privacy is a right without much of a historical pedigree, it turns out. The Wikipedia article on it says that the first serious consideration of a legal right to privacy was published in the U. S. only in 1890. Before then, it was so hard to duplicate and spread information that the question of personal privacy rarely arose. But now with the tap of a keystroke, you can spread intensely private information to millions of people worldwide. And with an unencrypted RFID chip on your person that has data such as your social security number, driver's license number, or (as an RFID card that China is reportedly trying to implement has), your religion, ethnicity, employment record, and how many kids you have, why, you've turned into one of those pathological bean-spillers that late-night bus-riders fear to encounter—the kind of person who will dump their most intimate secrets onto the first stranger who won't get up and run away. I don't know about you, but I don't want to be that kind of person, either by word of mouth or electronically.

What is the alternative? Effective regulation is one, either direct regulation of the kind and amount of data that can be put on RFID cards, requiring the data to be encrypted somehow, or even simpler things such as labels telling consumers that products have RFID tags on them. Trouble is, the public awareness of this technology is so low that labels would probably just arouse confusion or fear. A little fear can be a good thing. But knowledge is even better. Consider whether you should inform yourself more about RFID technology, and make up your own mind about what kind of information you want to be giving away without ever knowing about it.

Sources: Katherine Albrecht's article "RFID Tag—You're It" appears in the September 2008 issue of Scientific American. CASPIAN operates websites www.spychips.com and www.nocards.org. Also see my blog "I Spend, Therefore I'm Spied Upon?" for Jan. 11, 2007.

2 comments:

  1. These chips are both passive and unencrypted, meaning they will "talk" to any reader that attempts to "talk" to it, and you would never even know it. Some feel comfortable because the "readers" they are used to using their cards with may require you to put the card right next to it. That is a limitation of THAT reader, not the readable range of the chip. With the right reader, they can be scanned at 50 feet and more away (in theory, limited only by the readers power source). As readers become more ubiqitous (put at every road intersection, around every businesses door) all of that won't matter much anymore. Widespread use of these is a disaster waiting to happen.

    ReplyDelete
  2. I'm a TSU student also, and I think your article is great. Have you watched the documentary film zeitgeist? It talks about the possibility of RFID chips in humans and the manipulation that could possibly be aiming toward a one world government... the film starts out slow and addresses religion, but I recommend watching all of it. Knowledge is power!
    http://www.zeitgeistmovie.com/

    ReplyDelete