2007 Symposium/Symposium Articles/Working Papers
Rights Chipped Away: RFID and Identification Documents
The ACLU of Northern California has been a leader in generating public and legislative
attention to the privacy, personal safety, and financial security risks associated with the
use of Radio Frequency Identification (RFID) technology in government-issued
identification documents, such as drivers' licenses and student ID cards.
This policy paper will discuss RFID technology, its vulnerabilities, and its impact on civil
liberties and consumer privacy. It will also discuss the development and current status of
RFID legislation that is moving through the California legislature and serving as a model
for other state action.
Audio from Nicole Ozer's presentation of this paper at the 2007 STLR Symposium can be accessed here

Comments
As an initial comment, I would just mention that RFID technology has plenty of useful applications that do not affect privacy. My dad, for example, has worked on RFID tags for security purposes in safeguarding nuclear materials. This is an easy case, of course, since no privacy interests are at stake. But RFID definitely seems like a case where it's the use, not the inherent technology, that matters.
Posted by: Henry Huang | January 10, 2007 4:19 AM
The thing I think this paper does well is highlighting the real risks to privacy that RFID presents -- tracking, profiling, identity theft, and so on. It sounds like attempts at RFID implementation so far have been curiously casual, as if governments and others have not completely thought out the ramifications of what could happen if something goes wrong and the wrong people start using RFID readers. It almost seems like they are simply too distracted by RFID’s “cool” factor.
I do have to admit, though, that RFID is pretty cool (I’m surprised to learn that it’s actually been around for a while.) Sure, it’s silly, but I kind of want to see how Mini USA’s “Motorby” program will play out – the one in which special billboards will display personal messages for Mini owners who participate in the program and receive an RFID dongle. That’s harmless enough, right?
While Ozer is not entirely clear on the point, it seems that she would rely on alternative ID technologies until all the kinks and safety risks of RFID have been worked out. Of course, implicit in her paper also seems to be the contention that the risk will never be eliminated, no matter how elaborate the security layers are (as she notes, the more layers, the more opportunities for something to fail). Does this mean we should never give RFID a try?
I agree that there will always be some risk. The issue is whether it’s something we can live with. Wi-Fi might be a good analogy. Many people routinely use encrypted wireless networks to transmit personal data, including credit card numbers and e-mails, over Wi-Fi, despite the fact that any home wireless network can be cracked easily with the right tools. However, encrypting Wi-Fi is enough to deter most casual intrusions, and this satisfies most people. (I know-- the analogy is not perfect because the data you send over Wi-Fi is voluntary.) But what if all implementations of RFID take the best precautions available (and so far they haven't), and we manage (by legislation or otherwise) to increase the “visibility” of RFID chips and awareness of when data is being sent and received? Can RFID be made reasonably safe to use, and usher in a new era where marketing is tailored to the individual consumer?
As a final point, I’m also curious about the “shield” technologies alluded to on page 46 of the manuscript in the part about tiers of protection. What are they, can they be made to work, and would they provide a solution to any of RFID’s shortcomings?
Posted by: Eric Chan | January 17, 2007 8:35 AM
Eric:
As a final point, I’m also curious about the “shield” technologies alluded to on page 46 of the manuscript in the part about tiers of protection. What are they, can they be made to work, and would they provide a solution to any of RFID’s shortcomings?
My understanding is that passage refers to physical methods of blocking RF signals from reaching the RFID tag. The simplest such method is literally wrapping the tag in aluminum foil. Slightly more sophisticated approaches use pieces of metal or foil tailored to the size of the tag to be shielded. This forms what's called a Faraday cage around the tag, which prevents the tag from being read by any reader.
Real-world examples here include Skim Black, which is aimed at RFID in a credit card form factor:
http://www.akihabaranews.com/en/news-13075-Skim+Black+I+protects+your+electronic+money.html
Another example is the mylar bag that comes with FasTrak transponders in the Bay Area, which was introduced to address driver concerns over CalTrans' expansion of FasTrak to include broad traffic monitoring:
http://grouper.ieee.org/groups/scc32/dsrc/news/index.html
(see reprinted NY Times article of August 23, 2002)
Finally, there is also the metal lining in the new U.S. e-passports.
Can these be made to work? In principle yes, but there are several practical problems that have shown up in real deployments. Generally, these methods work if the entire tag can be covered by metal. In entirely unscientific experiments with a bag of potato chips and a Prius RFID key fob, I've observed that failing to cover the entire chip sometimes leads to the reader still reading the device.
More interestingly, the people down at Flexilis Security in LA found that the US e-passport shielding fails to stop reading if the passport is even partway open, because the passport is shielded only on one side:
http://www.youtube.com/watch?v=-XXaqraF7pI
In the case of the FasTrak bags, the practical problem is that the standard way to use FasTrak is to mount it via velcro strip on your dashboard. Using the mylar bag requires detaching the transponder, putting it in the bag, and then remembering to take it out of the bag when you reach a toll plaza. This is inconvenient (not to mention a bit dangerous to do while driving).
A second issue that is common to FasTrak, Skim Black, and other detachable shield devices is that they can be lost. Finally, there is the issue that a shield device leaves the default as the RFID tag being readable by anyone -- this is somewhat similar to the difference between "opt-in" and "opt-out" in marketing.
Still, let's say that we have a practically workable shield device. The main advantage of these devices is that they prevent surreptitious reading of the RFID tag while the shield is active. This is important, because it reduces the incentive to build a tracking infrastructure for that class of RFID tags.
Shield devices, however, do not prevent unauthorized reads of the tag when the shield is not active. This is a problem because the shield must be deactivated for the intended use of the tag. At that point, someone can read the tag or eavesdrop on the conversation between the reader and tag. This is of special concern when the tag contains high-value information, such as an e-passport.
Shield devices also do not ensure that the RFID tag is genuine. Without proper safeguards, RFID tags can be cloned, i.e. one can create devices that impersonate the RFID tag to the legitimate reader. Here's an ABC News video of a demonstration that happened in Sacramento last year connected with the efforts described in the paper:
http://www.youtube.com/watch?v=4jpRFgDPWVA
with more information here:
http://cq.cx/prox.pl
While a shield device would prevent someone from reading the RFID card, in many cases it takes only one read to perform a successful cloning. That means relying on a shield device alone to prevent cloning is a high risk, since a single person forgetting to use the shield can lead to a cloned card. This point is important because one of the selling points for RFID in the ID card space is that it will "add security." Depending on the specific type of RFID technology used, this may or may not be true -- it's important to drill down and find out exactly what is done to prevent cloning, and what is meant by "security" in such claims.
Posted by: David Molnar | January 24, 2007 6:19 AM
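An added illustration of the cloning point in the comment above (not code from the paper or from any commenter): a toy model showing why one overheard read is enough to clone a tag that always returns the same identifier, while a tag that must answer a fresh reader challenge is not cloned by replay. The HMAC challenge-response scheme, the class names and the sample identifier and key are assumptions chosen for illustration; the page does not say which safeguards any real card uses.

```python
import hashlib
import hmac
import os

class StaticTag:
    """Tag that answers every reader with the same fixed identifier."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the challenge is ignored

class ChallengeResponseTag:
    """Tag holding a secret key; answers tag_id + HMAC(key, challenge)."""
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self.key = tag_id, key
    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return self.tag_id + mac

class Replayer:
    """Stand-in for a clone built from one recorded response; it has no key."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded
    def respond(self, challenge: bytes) -> bytes:
        return self.recorded

class StaticReader:
    """Reader that trusts any device presenting an enrolled identifier."""
    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)
    def accepts(self, device) -> bool:
        return device.respond(os.urandom(16)) in self.enrolled

class ChallengeReader:
    """Reader that sends a fresh random challenge and verifies the MAC."""
    def __init__(self, keys: dict):
        self.keys = keys  # tag_id (4 bytes) -> secret key
    def accepts(self, device) -> bool:
        challenge = os.urandom(16)
        answer = device.respond(challenge)
        tag_id, mac = answer[:4], answer[4:]
        key = self.keys.get(tag_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)

def single_read_clone_accepted(tag, reader) -> bool:
    """Record one unshielded read, then replay it to the legitimate reader."""
    recorded = tag.respond(os.urandom(16))
    return reader.accepts(Replayer(recorded))

if __name__ == "__main__":
    tag_id, key = b"\x00\x00\x00\x01", b"k" * 32  # constructed sample values
    print(single_read_clone_accepted(StaticTag(tag_id), StaticReader({tag_id})))
    print(single_read_clone_accepted(ChallengeResponseTag(tag_id, key),
                                     ChallengeReader({tag_id: key})))
```

The model covers replay of a recorded read only; it says nothing about eavesdropping on the data itself or about how keys are stored on a real tag.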
Eric:
Sure, it’s silly, but I kind of want to see how Mini USA’s “Motorby” program will play out – the one in which special billboards will display personal messages for Mini owners who participate in the program and receive an RFID dongle. That’s harmless enough, right?
Maybe. If the RFID dongle can be read only by Mini USA, then yes, it seems like a straightforward exchange between a customer and a company. We could certainly ask what Mini will do with that record of where its customers have been, but as long as there's enough transparency, OK.
What is interesting about RFID is that without proper safeguards, other people will be able to read that dongle as well. You or I or any third party can buy an RFID reader to determine if someone is carrying a Mini dongle or not, and obtain a unique identifier specific to that person. The range of such reading will most likely be at least the range Mini USA obtains for its billboards.
This kind of third-party read makes possible new applications based on tracking Mini customers in ways that were not envisioned by Mini USA or its customers when they entered into the exchange. The third party doesn't even have to tell the holder that his or her RFID has been read; it can just decide to give discounts, target ads, or whatever without giving notice.
Is that harmless? Probably depends on the application. We can speculate on such applications in a separate sub-thread if you like. :)
Is it actually possible to track Mini dongle holders this way? I don't know, because the details of the RFID used by Mini in this program aren't publicly known. Someone with the right technical knowledge can figure it out given enough time examining the Mini dongle, but the answer isn't readily apparent to most Mini customers. It may not even be known to executives at Mini, depending on how their development process works.
Still, I think there is a difference between the following two propositions:
A) "I agree to let Mini USA track my movements for the sole purpose of displaying targeted advertising and personal messages."
and
B) "I agree to let Mini USA track my movements for the sole purpose of displaying targeted advertising and personal messages AND let any third party track my movements and discover I am a Mini USA customer, without notice, and with or without my consent or the consent of Mini USA."
Right now, I can't tell whether this is proposition A) or proposition B). There are technical methods that can make it closer to proposition A), but we don't know if Mini is using them.
Posted by: David Molnar | January 24, 2007 6:39 AM
Eric:
As a final point, I’m also curious about the “shield” technologies alluded to on page 46 of the manuscript in the part about tiers of protection. What are they, can they be made to work, and would they provide a solution to any of RFID’s shortcomings?
I tried to post a response to this earlier, but it is being held by the moderator. Here's a shorter response until that one is approved.
I think this part of the paper is referring to something that encloses the rfid device and creates a Faraday cage blocking the transmission of radio waves. The simplest example is to literally wrap the tag in tin foil. (Potato chip bags work, too.)
Real-world deployments here include the mylar bag provided with FasTrak transponders, the protective metal "sleeve" proposed by DHS for use in the northern border PASS card, and the metal insert in the front cover of the U.S. e-passport. Of these examples, the FasTrak bag and PASS sleeve are "detachable," i.e. they are separate from the rfid tag itself. The e-passport shield device in contrast is not supposed to be removed from the RFID tag - you deactivate the shield by opening the passport.
The main benefit of such a shield device is that, while it is active, it prevents the tag from being read surreptitiously. For example, if you use a shield on your RFID credit card, it becomes difficult to impossible for me to steal your credit card number just by sitting next to you.
The main drawback of a shield device is that it provides no protection when the shield is down -- and you need to drop the shield for the intended use of the RFID tag. The kind of devices under discussion here can't make a distinction between "good" RFID readers and "bad" RFID readers. Therefore, it doesn't address the threat of eavesdropping and only marginally addresses cloning.
This is of most concern when the tag contains particularly sensitive data (e-passport, credit card) or will be used for access control (PASS card, building access, student ID).
There are also practical issues with shield devices. First, detachable shields may be lost; the AEA letter to DHS and the State Department specifically mentions this issue. Second, dropping the shield may be unwieldy -- for example, consider fumbling with a mylar FasTrak bag on the freeway. This tends to lead to the shield being down by default. Finally, the shield itself may be defective; the people at Flexilis Security down in LA found that the e-passport shield fails if the passport is open even a tiny amount.
A more philosophical issue is that a shield device is an "opt-out" approach. The default for the RFID tag is to be readable at all times, and the shield prevents this reading. Such an approach places the privacy protection burden on the person holding the RFID.
Posted by: David Molnar | January 25, 2007 12:11 PM
Eric:
First of all, thanks for your comments. I know I'm a bit late in making mine, so it's really great to have you raise these good points. (I meant to say that earlier but it slipped my mind.)
In response to
But what if all implementations of RFID take the best precautions available (and so far they haven't), and we manage (by legislation or otherwise) to increase the “visibility” of RFID chips and awareness of when data is being sent and received? Can RFID be made reasonably safe to use, and usher in a new era where marketing is tailored to the individual consumer?
First, the Identity Information Protection Act, as vetoed in 2006, takes exactly this approach. The Act did not put any kind of ban or moratorium on the use of RFID. Instead, we (I was involved in the negotiations) worked with industry representatives to write a bill that would encourage the use of secure RFID technologies, provide appropriate notice, establish a process where the Legislature could obtain expert advice, and do all this in a tech-neutral way.
Second, while there are fascinating things that can be done with RFID-tailored marketing, the main focus of this paper and the discussion it sprang from are different. Namely, should the government employ RFID in ID cards that people are forced to carry?
In this context, ushering in a new era of personalized marketing is less important. That may or may not be a good thing, but it's not the government's job. The justifications I've seen for RFID in ID cards, instead, often come down to two broad classes:
1) Increased security. There is a claim that using an RFID device makes the ID document more difficult to counterfeit or copy than the ID document without RFID. For example, the RFID in the e-passport is supposed to make copying a passport difficult.
2) Increased convenience. There is a claim that using RFID will speed up the process of checking IDs. For example, the PASS card uses an RFID technology readable at 20 feet because DHS wants to read the card and "pre-position" the holder's image at an inspection gate.
What makes things complicated here is that many different specific technologies go under the name "RFID." When evaluating claims like the ones above, therefore, it becomes important to get specific about the technology involved and the specific threats or benefits it will address. Just talking about "increased security" may not be useful. For example, as the article points out, many basic forms of RFID actually don't provide any protection against cloning. Then we can do a cost-benefit analysis.
Posted by: David Molnar | January 25, 2007 12:45 PM
There are many benefits to RFID cards. Such as readers being able to be located in areas where magnetic strip readers cannot. Such as salt spray affected port locations or out in the rain. I think they are around to stay. That being said my company manufactures a simple sleeve or badgeholder to at least prevent your card from being read while it is in your wallet, purse, or pocket. http://www.idstronghold.com for more details.
Posted by: Walt Augustinowicz | April 20, 2007 7:41 PM