Capital Gazette wins special Pulitzer Prize citation for coverage of newsroom shooting that killed five

Information tags along everywhere you go

The Baltimore Sun

Don't take a hammer to your new U.S. passport. And don't drill a hole in that credit card or zap it in the microwave.

Experts say these measures - recommended on some extreme Web sites as ways to safeguard privacy and security - are unecessary for people concerned about the growing prevelance of Radio Frequency Identification tags.

The tiny silicon chips are embedded in credit cards, passports and other everyday items and can transmit data on where you go, what you buy and even who you are.

The devices include "smart" car keys, the no-swipe credit card on your key ring, the E-ZPass transponder on your windshield, the prescription bottle in your medicine cabinet, the blouse you buy at the mall and even the soles of your shoes.

The technology - originally designed to track cattle - now speeds up retail transactions, helps authorities confiscate pirated merchandise, identifies company employees, opens electronic locks and tracks shipments of goods through warehouses and stores.

Analysts estimate that RFID tag sales will reach more than $2.36 billion this year - mostly in automotive, security and financial applications.

But as RFID technology spreads and grows cheaper, critics say the tags and the signals they emit are increasingly likely to be abused: by those who would spy on your movements, steal your identity or even target you in a terrorist attack.

The concern has led to some paranoia - and Web sites full of bizarre advice on avoiding RFID snoops. But authorities are beginning to listen to RFID's serious critics.

The U.S. State Department, for example, incorporated metal shielding into the covers of new passports after critics demonstrated how information from the RFID tags embedded in the documents could be read clandestinely from a distance.

Last year, California legislators enacted a law prohibiting employers from forcing their employees to implant RFID tags in their bodies.

They and lawmakers in Wisconsin and other states were spurred into action by an Ohio company that tagged employees who worked with confidential documents - voluntarily, according to news reports.

But the real problem, critics say, is that RFID tracking is virtually invisible and undetectable by its subjects.

"A lot of this is done not only without the consumer's knowledge - it's beyond the grasp of most consumers how it works. Nontechnical people don't know what the risks are. They just want to buy things and have their privacy and credit card numbers protected," said Avi Rubin, a Johns Hopkins University computer science professor who worked with Massachusetts researchers to crack the encryption scheme of the ExxonMobil Speedpass in 2005.

Although he and many other computer security specialists say they don't believe the tags pose a serious threat today, they are concerned about the future.

"You can look at this at two different levels: whether it's worthwhile for you as an individual to fuss with wrapping your cards in some sort of sleeve, or looking at the systemic issue: how we got to a point where these cards do make this information available remotely," said Edward W. Felton, a professor of computer science and public affairs at Princeton University, whose graduate students became famous for penetrating the security of electronic voting machines.

RFID chips are encoded with digital information - which could be the inventory number for a pair of jeans, or a credit card number, an employee ID, or driver's license data, medical records or passport information.

When an RFID reader sends out an electromagnetic query, the RFID chip transmits the information. While the industry is selling RFID applications as diverse as radio dog-collars and fitness monitors, the technology has also spawned a tiny counter-industry of firms that produce metal-lined wallets, passport sleeves and other devices to shield RFID-enabled documents and credit cards.

Activist Web sites hawk anti-RFID T-shirts and other paraphernalia.

Even vocal RFID critics say the problem hasn't reached a crisis level - which makes it hard to argue their case.

Lee Tien, senior staff attorney for the San Francisco-based Electronic Frontier Foundation, said those who raise the alarm realize how it would have felt to warn the public about air pollution the day the Model T was introduced.

The EFF has opposed use of the technology on several fronts. And as a parent, Tien spoke against a proposal for an enhanced California driver's license that could broadcast the name, address, height and weight of drivers - such as his 16-year-old daughter.

But he doesn't oppose the technology itself. "I would honestly have no problem using RFID devices if I knew I could control who was going to read them," Tien said.

Dan Mullen, president of AIM Global, a trade association representing RFID and other data collection technology manufacturers, argues that most RFID tags don't contain personal information in the first place.

Even if they do, he said, personal data may be safer there than on a retailer's computer systems - given highly publicized breaches of those servers during the past few years.

"If somebody is looking to steal personal information, there are probably richer sources" than RFID tags, he said.

Mullen argued that RFID tags can enhance security, too. For example, they make it more difficult to forge documents - such as tickets to the 2008 Olympics. He also noted that critics voiced similar complaints when the bar code was first deployed.

But RFID skeptics note several key differences between the two technologies. The most important: Unlike a bar code, an RFID tag doesn't have to be visible for a sensor to detect it.

"You're making available over the airwaves something that's previously available only through line of sight," said Hopkins' Avi Rubin.

"The threat model changes. It's a lot more important to get the security right."

The distance at which an RFID tag can be read varies - from mere centimeters on no-swipe credit cards to hundreds of feet for tollbooth tags.

For many applications, Tien said, all you have to do is "follow somebody into an elevator. You're close enough."

Most RFID tags are passive - they don't carry their own power source but use the energy from the signal emitted by the reader to function. That eliminates the use of encryption to protect their data, Felton said.

"Encryption is a computation that requires more power and more time," he said. "Sometimes it can't be done at all, and other times it drives up the cost significantly."

Retailers often use RFID to manage inventory and prevent theft. But critics say the tags aren't required after consumers leave the store with their merchandise - often unaware that the tags are still functional. The tags can be disabled, but most stores don't bother.

On one hand, promoters say, retailers could keep RFID tags on clothing they've sold previously to identify regular customers as they enter a store and offer personalized service. On the other, critics say, an RFID tag embedded in a book might tell a snoop that a reader is carrying The Communist Manifesto or Catcher in the Rye in his backpack.

"You're no longer in control of who can know what it is you have," Tien said. "We're all for the retail industry being able to more efficiently manage their inventory.

"The problem is, once you buy this item, the RFID tagging is of relatively little value - other than these kinds of after-marketing, more invasive situations. You should be able to just have that tag be deactivated."

Critics note that it's relatively easy to conceal inexpensive readers - hand-held or smaller - that can pick up an RFID tag a foot or two away. They could create a trail of your movements - an almost Orwellian capability.

"We spend our lives going through doorways. We are constantly channeled through, well, channels," Tien said. "That's where you can be easily tracked."

Although credit card companies boast of their security and encryption, spokesmen for several major suppliers said there's no need to drill or microwave an RFID-enabled card.

MasterCard spokesman Chris Monteiro said customers can ask the issuer for a card that doesn't have an RFID chip - or a referral to a card program that doesn't use them. "It's the consumer's choice, depending on their interest and concerns," he said.

American Express spokeswoman Molly Faust said her company's RFID card chips use a different number than the credit card itself. "Someone could read the chip, but they can't read the number. It's a unique code number," she said.

If consumers are still worried, AmEx can deactivate the chip in cards that use them, such as its Blue or Clear cards.

It's one thing to attack a credit card - but messing around with a U.S. passport can earn you a fine or a prison term.

"If you mutilate it or alter it, you're violating a federal statute," said Cy Ferenchak, a spokesman for the U.S Bureau of Consular Affairs.

He said the passport's RFID chip is encrypted and can only be read when the book is open. "The information that's on the chip is printed on the front page of the passport book itself," he added. "If you lose your passport entirely, you're probably more vulnerable than walking around with a passport with a chip in it."

Prison aside, dodging RFID may cost some convenience. The EFF's Tien does not carry any contactless credit cards, nor does he have a FasTrak pass, the West Coast equivalent of Maryland's E-ZPass.

Hopkins' Rubin, on the other hand, has owned an E-ZPass in the past but doesn't need one for his current commute. He doesn't have a wave-by credit card, either.

"I'm actually much more concerned about security than I am about privacy," he said.

"While the first generation of RFID tags had a lot of security problems ... eventually lessons are learned and the importance of security is appreciated - and later generations will get it right."

liz.kay@baltsun.com

Copyright © 2019, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad
64°