RFID and privacy: The delicate balance

Researchers recently found that Apple's smart phones and tablets record and store customers' movements for up to a year. A lot of people find that disturbing, so much so that the discovery made it to the top of U.S. talk shows' agendas. Does that kind of thing bother you?

Privacy's a personal thing
Many people don't like the idea of a big U.S. company tracking their every movement, and who can blame them? The information may only be used on an aggregate basis, but it's still a breach of privacy. Others, however, use social media applications like Foursquare to report on their location wherever they are. People treat privacy differently, and not just different people, but the same person in different contexts. Someone who locks away Facebook profile data to all but their closest contacts will leave every aspect of their professional history, personal details and other information open for all to see on LinkedIn.

Everyone's version of privacy is a little different. Unfortunately, less privacy is almost always tied to heightened security risk, and security is the battleground upon which this privacy reckoning is being fought. As with geo-location technology, privacy and security issues are also coming to the fore in the RFID sphere, where business-focused applications are beginning to bleed over into the consumer world. 

RFID and privacy
Radio frequency identification is not a new technology, but it has only really begun to blossom in the last five years, as the science has matured and tag prices have dropped. "RFID tags can store tremendous amounts of information," says Jorma Lalla, CEO of RFID handheld computer manufacturer Nordic ID. "You can also add data to tags as they travel, which is what makes them truly valuable. The information captured on tags during manufacturing or logistics processes is data that can be mined on an aggregate basis to see where efficiencies lie," he explains.

Some tags are the size of seeds, while others are as big as books. Some can be immersed and dropped; others can take the form of an adhesive sticker. Tag costs vary tremendously depending on specifications, from a few cents to many Euros. Another advantage of RFID technology is that read/write tags allow some levels of information to be erased and new information written in.

Sniffing, eavesdropping and security
This is the kind of tag that several European and other nations have embedded in passports. With a read/write RFID chip in place, governments can keep precise digital records of citizens' movements. That's all well and good for record keeping, but encrypted RFID information has, in a few cases, been clandestinely intercepted from several metres away. When customs officials scan passports, data is being decrypted and read, presenting an opportunity for signal eavesdropping.

The likelihood of passport data getting stolen is low, since a rogue reader can only pick up secured information when it's being read with an official device. But the same kinds of concerns are also being raised about more pedestrian uses of RFID. A second-hand RFID reader, bought online for as little as five dollars, can be outfitted with a high-power, clandestine antenna that will allow it to pick up nearby RFID information, for example on a credit card. Open source software can enable hackers to decrypt that information and use it in nefarious ways.

But even if this RFID 'sniffing' isn't used to steal funds or identity, who wants the medications and other contents of their purse to be scanned? Or the size of their undergarments? Heikki Sepp, a professor with the VTT Technical Research Centre of Finland and known in European circles as 'Mr. RFID', believes that encryption and security are playing catch-up to RFID implementation.

A security solution?
"If you look at one kind of RFID use, that of nearfield communication (NFC) in mobile phones, security and consequently privacy work very well," says Sepp. "That's because encryption is not only built in, but there's also a chain of IDs that work together to form protection: mobile serial number, security passcode, SIM card serial number and NFC serial number. Together, this all forms a unique chain of identity," he states. "If you lose the phone, you can deactivate the SIM card via the Internet and it becomes unusable. Other applications don't have the same chain of IDs, and encryption is either nonexistent or easily cracked."

Encryption and security have not been a concern for traditional RFID processes. Many of Nordic ID's clients, for example, use RFID to track consumer items from point of production through to point of sale. "We have fashion retail clients who use RFID end-to-end throughout the supply chain," says Lalla. "They send manufacturers RFID-equipped care tags to sew in, ensuring that all items are trackable at the item level." With total RFID integration, a worker can scan a carton or a pallet in a shop storeroom or in a warehouse halfway around the world and get an instant count of precisely what's in the order. That helps guard against shrinkage, incomplete or erroneous orders, stock-outs and product counterfeiting.

Consumers benefit from RFID
That's all beneficial to manufacturers, but what about consumers? Those same RFID tags are designed to become unreadable after a couple of washes, so there's no privacy problem there, but nor is there any consumer benefit. "RFID is only just starting to become useful to consumers," says Sepp. "But the Internet of Things is just around the corner. Imagine scanning a toaster with your cell phone to read receipt and warranty information. Or scanning your car to find out when maintenance is recommended. There are hundreds of possible uses."

Along with the increase in information comes privacy risk. If Stan the Stalker buys an RFID reader, can he scan the girl next door's trash to see what she's eating and if there are condom wrappers in the bin? The short answer is: probably. But Stan could do that now; he just needs to sort through the garbage. "The bigger problem is with things like scanning credit cards through a purse or a wallet," maintains Sepp. "The same thing can happen there as with passport eavesdropping. Except that it's much easier to do. Credit cards are everywhere." While there is no doubt that the Internet of Things is coming, we still need to work out the parts that deal with privacy and security.

