RFID

Through various channels, I have followed the development and deployment of Radio Frequency Identification (RFID) technology for a couple of years now and finally decided to write something about it. Let me start by stating that my position is one of passionate opposition to the use of this technology in specific applications.

RFID technology consists of tags (a chip, antenna and possibly a power source), and readers (handheld, mobile or stationary). Read range depends primarily on whether or not the tag is powered, and on the radio frequency used. Unpowered (passive) tags receive power from the radio signal of the reader. Their read ranges vary from 2 millimeters to several meters. Powered (semi-passive or active) tags currently have a maximum read range measuring tens of meters. When a tag comes into proximity of a reader, it transmits a unique identifier. The current EPCglobal standard for RFID uses a 96-bit identifier, which is a large enough number to identify uniquely every consumer object in the world for the next 1,000 years.

That’s all most RFID tags do – transmit a number. What makes RFID technology so powerful are the databases that store information related to that number.

The PR line coming out of most corporations engaged in RFID projects enthusiastically extols heretofore unrealized efficiencies in the supply chain. The implication is that businesses will have a better, cheaper handle on their stuff as it moves from manufacturer to distributor to retail destination. This will result in the products you want being in stock, and cost savings that companies will no doubt pass on to consumers. Another frequently touted consumer advantage is automated checkouts – you won’t even need to take your purchases out of the cart.

The only cost to the consumer is the total elimination of privacy, and a ready-made infrastructure for a global surveillance society.

I am not exaggerating.

Privacy

Once tags become cheap enough (the target is 5 or fewer cents per tag) the goal of corporations is to tag merchandise at the item level. Every needle, no. Every package of needles, yes. Today’s bar codes uniquely identify classes of products. A bar code can identify a box of Cheerios as such, but cannot distinguish one specific box of Cheerios from another. RFID can, because of the size of the number used. In addition, a bar code requires unobstructed line of sight. Radio waves can be read through shopping bags, shelves, walls and floors.
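The class-versus-item distinction is visible in the bit layout of the identifier itself. As an added example (not part of the original post), the Python below packs and unpacks SGTIN-96, one 96-bit scheme from the EPC tag data standard, assumed here as the encoding in use; the field values are constructed samples.

```python
# Added example (not from the original post): SGTIN-96 field layout.
# All sample values below are constructed for illustration.
SGTIN96_HEADER = 0x30
SERIAL_BITS = 38
# partition -> (company-prefix bits, prefix digits, item-ref bits, item-ref digits)
PARTITIONS = {0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3),
              3: (30, 9, 14, 4), 4: (27, 8, 17, 5), 5: (24, 7, 20, 6),
              6: (20, 6, 24, 7)}

def gs1_check_digit(body: str) -> str:
    """Check digit for the first 13 digits of a GTIN-14 (weights 3,1,3,...)."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(body))
    return str((10 - total % 10) % 10)

def encode_sgtin96(filter_value, partition, company_prefix, item_ref, serial):
    """Pack the fields into a 96-bit EPC, returned as 24 hex digits."""
    cp_bits, _, ir_bits, _ = PARTITIONS[partition]
    value = SGTIN96_HEADER
    for field, width in ((filter_value, 3), (partition, 3),
                         (int(company_prefix), cp_bits),
                         (int(item_ref), ir_bits), (serial, SERIAL_BITS)):
        if field < 0 or field >> width:
            raise ValueError(f"value {field} does not fit in {width} bits")
        value = (value << width) | field
    return f"{value:024X}"

def decode_sgtin96(epc_hex):
    """Split a 96-bit EPC into product class (GTIN-14) and item serial."""
    if len(epc_hex) != 24:
        raise ValueError("expected 24 hex digits (96 bits)")
    value = int(epc_hex, 16)
    if value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 tag")
    partition = (value >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    prefix = str((value >> (SERIAL_BITS + ir_bits)) & ((1 << cp_bits) - 1)).zfill(cp_digits)
    item = str((value >> SERIAL_BITS) & ((1 << ir_bits) - 1)).zfill(ir_digits)
    body = item[0] + prefix + item[1:]  # the indicator digit leads the GTIN-14
    return {"filter": (value >> 85) & 0x7,
            "gtin14": body + gs1_check_digit(body),
            "serial": value & ((1 << SERIAL_BITS) - 1)}

if __name__ == "__main__":
    # Two boxes of one product: same GTIN (all a bar code carries), different serials.
    for serial in (6789, 6790):
        tag = encode_sgtin96(3, 5, "0614141", "812345", serial)
        print(tag, decode_sgtin96(tag))
```

The GTIN-14 is the part a bar code already carries; the 38-bit serial is what lets a reader tell one box from the next.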

The greatest benefit that item-level RFID tags offer businesses is the pinpoint insight they give into the lives of consumers.

Try this on for size:

Sandra Soccermom (38 years old, divorced, 2 children, income bracket 40K to 50K) entered SuperMegaMart #1418 (the SuperMegaMart location she frequents 95% of the time, 2.5 miles from her residence) at 5:42pm EST 1/4/2006. At 5:44pm she removed a 20-pack box of Tampax Super Absorbent tampons from the shelf for 11.2 seconds, replaced it and picked up a 20-pack box of Tampax Super Plus Absorbent tampons and placed them in her cart. At 5:46pm she removed a pint of Haagen-Dazs mocha almond fudge ice cream and placed it in her cart. Prior transactions show a high correlation between Sandra Soccermom’s purchase of feminine sanitary products and ice cream. Recommend marking up ice cream in 5% increments when feminine sanitary products are detected in cart, until price tolerance threshold for this consumer is determined. At 5:49pm she checked out, paid cash and used her SuperMegaMart Savings Club Card. The Tampax box was identified during a streetside garbage scan on 1/10/2006, suggesting use by an additional member of the household.

– A Brief Glimpse into MrPikes’ Fevered Imagination

This scenario is 100% realistic when one combines RFID with demographic information readily available from companies like Acxiom, ChoicePoint and LexisNexis, who are in the business of aggregating data from a variety of sources, then reselling it to businesses and the United States Government.

The garbage scanning part of the scenario is where most people end up backing away from me with nervous smiles. Please to note, the Supremes ruled that individuals have no reasonable expectation of privacy when it comes to garbage they have placed out for collection, and that police can search it without a warrant (see California v. Greenwood). Data collected from searching trash is something that marketers already pay for. RFID just makes it easy to hire some schmuck with a car-mounted reader to drive slowly through neighborhoods on garbage day for $6.00 an hour.

In the United States, data collected about you does not belong to you, it belongs to the entity that collected it. It can be purchased by anyone to whom the collector chooses to sell it. That includes your employer, or potential employer.

Several companies have successfully banned their employees from smoking, on or off company property. The reason cited most is the cost of health insurance. Imagine if the company for whom you work banned not only smoking, but eating certain foods or drinking alcohol (all legal activities, incidentally), using the same argument. The data collection that RFID enables makes it that much easier to enforce such policies. As for the argument that an employee is free to work someplace else, it only works if there are companies out there that do not have such bans today and will not decide to implement them tomorrow.

RFID’s appeal to marketers is huge, the increase to the corporate bottom line is significant, and the benefit to consumers is entirely negotiable.

Of course, if Renfields like RFID Journal are to be believed, RFID not only offers big benefits to the consumer, it’s also necessary to preserve National Security. The following comes from their FAQ:

Are there any consumer benefits to RFID? Or do all the benefits go to the companies that use it?

There are many consumer benefits. Greater efficiency in the supply chain will reduce costs and improve efficiencies. Companies will pass some of these savings on to consumers to try to gain market share from less efficient competitors. RFID could be used by retailers to expedite returns and by manufacturers to manage warranty claims and improve after-sales support of items such as computers and DVD players. RFID could also reduce the counterfeiting of pharmaceutical drugs and insure the integrity of products purchased by consumers. And RFID could be used to secure the food supply and prevent terrorists from sneaking weapons of mass destruction into a country through shipping containers.

Is it just me, or does playing the terrorist card this early in the game just stink of desperation?

The only attempt made to pacify privacy concerns (besides the empty promises of corporate shills) is a component of the RFID standard itself. The current protocol calls for readers to be able to issue tags a “kill” command. Once a tag is told to “die” it will no longer respond to interrogation from subsequent readers. This technological solution to the privacy issue is problematic for several reasons. Even stipulating that a killed tag can never be brought back from the dead, killing a tag runs counter to the interests of business. It is therefore reasonable to expect that businesses will offer incentives to consumers to leave tags alive, or make it highly inconvenient to do otherwise (like inextricably linking tags to returns and warranties). In addition, killing tags at the point of sale does not address the data collected prior to checkout. Last, once RFID is deployed globally, any government at any time could make it illegal to kill tags (more on this in the Surveillance section).

Just as you can tell a lot about a given consumer from hus garbage, you can tell a lot about a corporation by examining its patent applications. IBM’s “Identification and Tracking of Persons Using RFID-Tagged Items” (USPTO patent pending 20020165758) says a lot about the less-publicized intentions for RFID. BellSouth’s “Radio-Frequency Tags for Sorting Post-Consumption Items” (USPTO patent pending 20040133484) deals with, that’s right, scanning your trash.

Surveillance

Ubiquitous RFID will effectively eliminate anonymity once and for all.

The data trail that people leave behind as they go about their lives grows as technology becomes more pervasive. It is already possible to track an individual’s movements via hus credit cards, transit cards (such as New York’s MetroCard or RFID-based automatic toll collection devices), cell phone, access control card (swipe or proximity cards that open doors), and publicly placed cameras.

There is a long list of criminal investigations that have effectively used evidence from all of these sources. An interesting example can be found here. I take no issue with accessing personal data, with a warrant, to prove a suspect’s whereabouts at the time a crime was committed.

Imagine that you have RFID tags embedded in the soles of your shoes. I’ll even stipulate that they were put there by a business strictly for the supply chain benefits. However, you paid for the shoes with a credit card, or you used a valued customer card, or you subsequently walked into a store wearing those shoes, and then purchased something in a way that identifies you. There is now a record in a database connecting your identity with those shoes. Now imagine an RFID reader at every highway onramp/offramp, tollbooth, subway entrance/exit and connected to every stoplight camera.

The hard part of putting any new technology infrastructure in place is running power and communications. With the exception of onramps and offramps, the power and communications for this is already there.

Federal agencies, per the 1974 Privacy Act, cannot legally collect or share data on individuals who are not suspected of a crime, or connected to an investigation, except to provide services like Social Security. However, there is nothing in the current law stopping them from hoovering up personal data from aggregators like Acxiom, ChoicePoint and LexisNexis (as mentioned in the Privacy section) by the terabyte.

When RFID is implemented in passports, driver’s licenses and state-issued identity cards, the whole public sector/private sector data collection loophole will be moot anyway. Backing away from me with a nervous smile? Save it for the homeless guy waving the broken bottle and go here.

The availability of this kind of data will chill Freedom of Assembly. This is a good right to have when meeting with friends to organize things like overthrowing your government because they’re a bunch of assholes.

So? Show up to your government overthrow meeting without any ID. That works fine until carrying identification is legally mandated. Okay, break the law. Well, you had better scan everything you wear to the meeting with a tag reader, lest your necktie rat you out. Did you buy that necktie with cash? Assuming that RFID hasn’t already been put into cash by the time that you bought the necktie, the FBI or whoever can still identify the necktie as being present at a subversive (i.e., terrorist) meeting. So the FBI starts a file on the necktie or, more likely, beret. It shows up the next time you walk through the door of your local 7-11 at 3am on a burrito run. The only transaction logged 15 minutes before or after the initial scan is from your debit card.

We enjoy some fantastic freedoms in this great nation that we, perhaps, take for granted because we’ve never known it any other way. Imagine having to go through a federal checkpoint when crossing from one state to another. Now, imagine being denied passage.

Conclusion

The fundamental argument against RFID is this:

Data that does not exist cannot be abused. Data that exists will eventually be abused. Any other discussion is about scope, and RFID’s scope is terrifying.

I encourage you to write to your government representatives about the RFID Right To Know Act. It calls for all RFID-chipped goods to be identified as such, which is about all we can hope to get out of a government that has a vested interest in seeing RFID deployed.

Katherine Albrecht and Liz McIntyre have written a fantastic book on RFID called Spychips : How Major Corporations and Government Plan to Track Your Every Move with RFID. This important book has caught some flak for using allegedly sensational, alarmist language. In fact, such criticism kept me from reading it for several months. All I can say is that I found the subject matter plenty alarming and the writers’ style engaging and witty. Keep up-to-date on www.spychips.com. Katherine and Liz sure are.

3 thoughts on “RFID”

  1. A good companion book for Spychips would be No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society, by Robert O’Harrow. This latter book focuses on the massive databases that RFID tags are feeding, as well as the sophisticated correlation techniques applied to this information by the likes of Acxiom, CheckPoint, the NSA, and your local supermarket.

    MrPikes reply on January 15th, 2006 6:45 am:

    I’ve read No Place to Hide and recommend it highly. In addition to the information it provides about private sector data collection, it explores the information interchange between the private and public sectors. Public records are hoovered up by companies like Acxiom, enhanced with data correlated from other sources (your supermarket club card data, for example) and resold to federal agencies. This is what got Total Information Awareness, CAPPS2 and SecureFlight in trouble. There may be nothing in the law stopping federal agencies from buying data, but the Government Accountability Office (GAO) and Congress can specifically forbid agencies from using that data in funded programs, which is what they did in all three cases.
