RFID Arena

License to kill: RFID and privacy

Gravatar of Mirva Saarijärvi
26 September 2011

Researchers recently found that Apple’s smart phones and tablets record and store device owners’ movements for up to a year. A lot of people find that disturbing—so much so that the discovery made it to the top of U.S. talk shows’ agendas.

Researchers recently found that Apple's smart phones and tablets record and store device owners' movements for up to a year. A lot of people find that disturbing-so much so that the discovery made it to the top of U.S. talk shows' agendas. Does the idea of a big U.S. company tracking your every move bother you?

Privacy's a personal thing

Many people don't like it, and who can blame them? The information may only be used on an aggregate basis, but it's still a breach of privacy. Other people, however, couldn't care less. Many use social media applications like Foursquare to voluntarily report their location wherever they are. People treat privacy differently-and not just different people, but the same person in different contexts. Someone who locks away Facebook profile data to all but their closest contacts might very well leave every aspect of their professional history, personal details and other information open for all to see on LinkedIn.

Everyone's version of privacy is a little different. Unfortunately, less privacy is almost always tied to heightened security risk, and security is the battleground upon which this privacy reckoning is being fought. As with geo-location technology, privacy and security issues are also coming to the fore in the RFID sphere, where business-focused applications are beginning to bleed over into the consumer world.

RFID and privacy

Radio frequency identification is not a new technology, but it has only really begun to blossom in the last five years, as the science has matured and tag prices have dropped. "RFID tags can store tremendous amounts of information," says Jorma Lalla, CEO of RFID handset manufacturer Nordic ID. "You can also add data to tags as they travel, which is what makes them truly valuable. The information captured on tags during manufacturing or logistics processes is data that can be mined on an aggregate basis to see where efficiencies lie," he explains.Some tags are the size of seeds, while others are as big as books. Some are rugged enough to be immersed and dropped; others can take the form of an adhesive sticker. Tag costs vary tremendously depending on specifications-from a few cents to many Euros. Another advantage of RFID technology is that read/write tags allow some levels of information to be erased and new information written in.

Sniffing, eavesdropping and security

Several European and other nations have embedded RFID tags in passports. With a read/write RFID chip in place, governments can keep precise digital records of citizens' movements. That's all well and good for record keeping, but encrypted RFID information has, in a few cases, been clandestinely intercepted from several metres away. When customs officials scan passports, data is being decrypted and read-presenting an opportunity for signal eavesdropping.

The likelihood of passport data getting stolen is low, since a rogue reader can only pick up secured information when it's being read with an official device. But the same kinds of concerns are also being raised about more pedestrian uses of RFID. A second-hand RFID reader, bought online for as little as five dollars, can be outfitted with a high-power, clandestine antenna hidden in clothing or a backpack that will allow it to pick up nearby RFID information, for example on a credit card. Open source software can enable hackers to de-encrypt that information and use it in various nefarious ways.

Security playing catch-up to RFID implementation

But even if this RFID 'sniffing' isn't used to steal funds or identity, who wants the medications and other contents of their purse to be scanned? Or the size of their undergarments? Heikki Seppä, a professor with the VTT Technical Research Centre of Finland and known in European circles as 'Mr. RFID', believes that encryption and security are playing catch-up to RFID implementation.  "If you look at one kind of RFID use - that of nearfield communication (NFC) in mobile phones, security and consequently privacy work very well," says Seppä. "That's because encryption is not only built in, but there's also a chain of IDs that work together to form protection-mobile serial number, security pass code, SIM card serial number and NFC serial number. Together, this all forms a unique chain of identity," he states. "If you lose the phone, you can deactivate the SIM card via the Internet and it becomes unusable. Other applications don't have the same chain of IDs, and encryption is either nonexistent or easily cracked."

Encryption and security has not been a concern for traditional RFID processes. Many of Nordic ID's clients, for example, use RFID to track consumer items from point of production through to point of sale. "We have fashion retail clients who use RFID end-to-end throughout the supply chain," says Lalla. "They send manufacturers RFID-equipped care tags to sew into clothing, ensuring that all items are trackable at the item level." With total RFID integration, a worker can scan a carton or a pallet in a shop storeroom or in a warehouse and get an instant count of precisely what's in the order, right down to colour and size of garment. That helps guard against shrinkage, incomplete or erroneous orders, stock-outs and product counterfeiting.

Consumers benefit from RFID

That's all beneficial to manufacturers, but what about consumers? Those same RFID tags are designed to become unreadable after a couple washes, so there's no privacy problem there-but nor is there any consumer benefit. "RFID is only just starting to become useful to consumers," says Seppä. "But the Internet of Things is just around the corner. Imagine scanning a toaster with your cell phone to read receipt and warranty information. Or scanning your car to find out when maintenance is recommended. There are hundreds of possible uses."

Along with the increase in information comes privacy risk. If Stan the Stalker buys an RFID reader, can he scan the trash of the girl next door to see what she's eating and if there are condom wrappers in the bin? The short answer is…probably. But Stan could find that out now; he just needs to sort through the garbage. "The bigger problem is with things like scanning credit cards through a purse or a wallet," maintains Seppä. "The same thing can happen there as with passport eavesdropping. Except that it's much easier to do. Credit cards are everywhere."

The Internet of Things is coming, but security issues are not entirely resolved. Like in the early days of wireless large area networking and many other technologies that have matured, we still need to achieve a sufficiently hardened set of standards and protocols for the safe use of RFID in all applications.

This entry was written by Mirva Saarijärvi, posted on 26 September 2011 Bookmark the permalink. You can post a comment.

10 comments on “License to kill: RFID and privacy”

  1. Gravatar of AKAK
    Posted 26 September 2011 at 14:00:11

    The privacy issues are high when you think about the first layer of capture and storage of smart data, however the real dangers lurk in the problems of data proliferation. Particularly, through state and legislative data sharing frameworks, the profit motivation behind using legitimate data access for purposes other than intended and the dark arts of by-passing data protection legislation via data offshoring.

    Privacy issues need to be addressed, because when trust is completely destroyed, valid benefits cannot be realized.

  2. Gravatar of Mirva SaarijärviMirva Saarijärvi
    Posted 26 September 2011 at 16:01:17

    I agree with this totally. This is the reason why we wanted to bring this issue to the wider audience here and open the floor to discussion.

    The benefits of RFID are extensive but we need to remore the voodoo-label of the technolocy as well as address these privacy concerns.

    Floor is open! Give us your comments, opinions, views and we can together work through the uncertainties people might have!

  3. Gravatar of John JohnsonJohn Johnson
    Posted 26 September 2011 at 18:35:33

    Great summary of the privacy issues that still concern the industry. The RFID industry has made great strides in privacy issues- much less "noise" around privacy here in the U.S. I attribute this in part to the "cool" social media use case apps that have developed around Facebook, etc. These apps are appealing to a younger crowd, one that normally might question privacy concerns related to RFID. However, I believe the coolness factor of the technology is helping it to get past privacy issues. Still, more education must take place. For more information on our privacy articles, click here: http://rfid24-7.com/category/other-applications/privacy-legislation/

  4. Gravatar of TrevorTrevor
    Posted 27 September 2011 at 09:27:04

    There are many things that can be achieved in the design of an RFID application which can offer greater protections in terms of privacy, security and also health. Many of the steps to reducing the risks are easy to implement but are sadly often overlooked. Frustratingly many consider security as something super complex, and do not "close the front door" before "looking to lock the door, or fit a house alarm".
    A good application design must look beyond the immediate uses of RFID and make suitable provisions for security, privacy and health. Applications designed and implemented correctly need not be any more of a risk than a good lunch.
    The EC Recommendation works toward highlighting some of the key aspects of privacy and security that should be considered in the design ("privacy by design"), implementation and maintenance of an RFID application. The "common European sign" exists to support "privacy by design". Both of these are good references but there can be significant benefits to going further, sometimes with the resulting efficiency gains too.
    Credibility and confidence are two factors which affect RFID application adoption. Therefore privacy and security must remain an area of focus today and on into the future.

  5. Gravatar of Jessica SäiläJessica Säilä
    Posted 27 September 2011 at 12:16:03

    Some of us also view privacy a bit "uptight", if I may say so. I find this view: http://thenextweb.com/facebook/2011/09/26/why-i-am-not-paranoid-about-privacy-on-facebook-and-google/ refreshing.

  6. Gravatar of Mirva SaarijärviMirva Saarijärvi
    Posted 27 September 2011 at 14:52:10

    I also found an interesting article on mobility and privacy: http://www.mobilemarketer.com/cms/news/legal-privacy/11063.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+homepage-news+%28Mobile+Marketer++Homepage+Feed%29

  7. Gravatar of Tero RantaruikkaTero Rantaruikka
    Posted 04 October 2011 at 11:43:01

    As a consumer of both private and public services and products I would gladly take an RFID chip under my skin if it meant getting rid of cards and passwords. RFID technology would make my everyday life a lot easier and if that means releasing some information to companies or risking some mundane information leaking, so be it.

    I think privacy paranoia is a form of narcisim where the person thinks there private information is more valuable than it really is.

  8. Gravatar of Hanna ÖstmanHanna Östman
    Posted 05 October 2011 at 09:13:35

    I agree with you, Tero. Besides, if somebody really wants to follow your every movement, the everyday technology we are using today already allows this. So in fact, RFID doesn't really change our level of privacy, it just offers companies and governments a new way to retrieve the same information?

  9. Gravatar of George LukerGeorge Luker
    Posted 15 April 2012 at 19:14:47

    Very interesting article and topic on RFID and privacy concerns.

    Funny thing is, as you state in your article Apple iPhones and tablets, actually store information, up to a year, and its actually very sensitive information that is stored...

    RFID by all means is an identification technology, that can store information, but limited. In the case of the chipped passports, it is extremely low probability to actually read encrypted data.

    This is basically propaganda spread by the "Conspiracy Groups" and spreading fear about RFID and this technology, along with the identification theft.

    Just my two cents I needed to add, to a wonderful article.

    One last thing to leave on a funny note, the same people spreading the fear and propaganda on RFID and identity theft, use Apple iPhones, and iPAD's to post and communicate the important message.

  10. Gravatar of Mirva SaarijärviMirva Saarijärvi
    Posted 29 June 2012 at 11:13:34

    Hello George,

    You are right on the money there. :)

    Thanks for your comments!

    We prepared a video to share our thoughts some more, you can check it out here:
    http://www.youtube.com/watch?v=BKb6jzFcshY&feature=g-all-lik

    BR,
    Mirva

Post a comment

Keep in touch

Send me more info!
Send me a Newsletter!
Send me a Magazine!
Contact info