Gillette Buys Half a Billion RFID Tags

prostoalex writes "Gillette announced its intent to purchase 500,000,000 RFID tags from startup Alien Technology. The company expects to introduce RFID tags into its pallets and cases, according to the article. Alien Technology was the first company to introduce an RFID tag with price lower than 10 cents, even though some people claimed it could not be done."

Cleanse me of my ignorance

[ArizonaBay]

The article read like a company press release and doesn't really cater to the uninitiated so, to those of you in the "know":

What exactly is an RFID tag and why would Gillette want so many of them?

Re:Cleanse me of my ignorance

[Dyolf+Knip]

Think of an RFID (Radio Frequency ID) as the next generation bar code. Ever seen that commercial with a rather shifty looking guy who walks around a grocery store, grabbing stuff off the shelves and sticking them into his overcoat and, obviously without paying for anything, is stopped by security guard on his way out who says, "You forgot your receipt". Essentially that. Stick an RFID tag onto the items in a store or warehouse, and it becomes simplicity itself to track them.

Another big difference is that there is a much larger address space available, one not limited by physical space on the object. They can track each and every item uniquely, not just the type.

I'm worried

[femto]

Reading the Auto-ID Centre website, they show a soda can with an RF tag attached. It seems the ultimate plan is to track individual items. Presumably everyday items such a clothes will be carrying RFID tags, which will be so small the consumer may not be aware of their presence? Does this leave the possibility open for tracking individuals without their knowledge? Surely a large antenna array, with high performance receivers, could track an RFID tag from much further away that its designed distance? Perhaps as far away as low earth orbit?

Re:RFID Security Is Problematic (At Least For Badg

[Hast]

I don't think identification of eg persons are the intended goal of RFID. But the vulnerabilities are interesting none the less.

If it replaces bar codes in stores then attacks could be "useful" if you want to shoplift. (I.e. just hide the item from the scanner.) Or if you want to see who bought a porno mag. But barcodes have zero security, and they seem to work quite fine.

Everything doesn't have to be cryptographic as long as you don't try to use one tech for all applications.

Re:RFID Security Is Problematic (At Least For Badg

[Effugas]

Hast--

As the rule goes, "Bad security is worse than no security, because with bad security, you think you're secure -- with no security, you know you're not."

It's not entirely true, of course, since there is no perfect security and thus everything posesses some degree of badness. But in the barcode case, people have responded to the triviality of shoplifting by attacking hard-to-remove ink and radio attachments to devices before sale. RFID systems are being sold as a replacement for this; everything will have a tag -- even after you buy it -- so the door will be able to sense you walking out of it with anything you might try to shoplift.

And yes, you yourself will have an RFID tag on your "Safeway Club Card" or whatnot; they'll cross reference who you are vs. what you purchased and alert if there's something expensive extra. Turns out it doesn't even need to be the club card from that store -- any ol' one will do, as they can silently interrogate your wallet while you're standing in line. (This is yet another reason for the squeeze tech.)

What's funny is that there's a decent cost to throwing on these security measures that'll be removed anyway, better to just make the authenticators ship with the goods and disposable. But you see, once it's convenient to keep after purchase, look what suddenly gets much more powerful...

Your statement about cryptography is quite accurate. But barcodes do have some major security to them, compared to radio systes -- line of sight.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:Target and Walmart within 5 years

[chrysrobyn]

You put your loot in the cart. You walk up to the scanner. You swipe your credit card. You leave. No cashier to deal with. No lines. No need to even remove the items from the cart.

Great geek value, no question about that! Then, when you get to your car, you get to put all your stuff in the trunk, and don't have to worry about those meddling plastic bags. And when that soccer mom cuts you off in the Expedition and you have to take evasive manuvers, you get the really fun part when you get home! Collecting all your stuff from wherever it was!

Once nice thing about the system as it stands right now is that it's tuned for a major convenience, bagging, at the time of payment. No payment, no bags. This, I believe, will have an impact on the non-geek-value customer. Even the most convenient package to carry, the two liter bottle, is difficult to carry more than three at a time for 100 yards (any apartment people want to say how far it is up 3 flights of stairs?). Now my local store is only offering coke bottles in 3 liter -- heavier and bigger than my wifes hands can wrap around. (Also, incidentally, more expensive per liter than 2 liter if you do the math.)

Bags make groceries go 'round. That's why the store throws them in for free, and usually tries to put someone there who can supply the service of stuffing them. In the RFID method, I suppose, you could be handed a wad of bags as you walk in and just stuff as you go, but that involves planning and rework -- if you pick up bread or eggs first, now you have to shuffle to get those to end up on top.

Re:Badges: an example of pseudo-security

[Dog+and+Pony]

Now, we were required to wave the card *and* enter a 5-digit number -- which we all immediately wrote on the card. A message came down from data (in)security: "Don't write your number on your card!" The message was universally ignored.

Then you sir, are the problem. No system can be completely secured against the authorized users.

I've worked in a place where we had those cards too, only we could not just wave them, we had to put them in a slot. Out of say 30-40 people, noone wrote the number on the card. Noone stored the number next to the card, like in the same wallet.

If security gives you a rule to follow, you follow it even if you don't agree. Security may have reasons you don't grasp (and you don't seem too bright, more like a troublemaker).

You didn't follow the guidelines, and consequently, *you* made it possible for someone unathorized ot enter your workplace if they got a hold of your card. You and noone else. You.

Security to blame? I don't think so. They told you what to do. You chose to be stubborn and stupid about it.

Wise up, shape up, grow up. Thank you.

*Laughs* Silly.

[Effugas]

You need to get a bit more cynical, Mr. Pony. Ever actually *deployed* a security system?

Broken policies create noncompliance. Only two ways to define a broken policy -- a) the trusted refuse to participate, or b) the untrusted don't need to. You have to understand, it's not the job of your authorized users to spend all their time dealing with your security system. Since that's not their job, don't be surprised if they're not particularly willing to go along with arbitrary rules.

All security creates a cost for the legitimate user; the goal is to keep the cost heavily asymmetrical. In other words, those you trust are hurt a little, whereas those you distrust are utterly wiped out. A locked door still requires the legitimate user to wait while he pulls out a key, after all. Lock or not, that guy should be able to walk on in.

Turns out the best way to get people to use a security system is to install a new door -- some new functionality they've never seen -- but, oh yeah, it has this security limitation, but look! New door! New functionality!

I enjoyed your comment about security having reasons you don't grasp -- you don't seem to grasp how quantifiable noncompliance really is with various degrees of onerousness. Don't believe the hype :-)

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:who are these people...?

[error0x100]

Wow, good thing society has intelligent people like you in it, who are willing to analyze situations.

Come on, think about it logically for just two seconds: RFID needs a standard. The company that makes such a standard will make a LOT of money. Thus, there are groups investing heavily to try become *that* one company. Now, pretend you are one of those investors: do you think you are NOT going to want to heavily market and push your standard in any way possible in order to succeed?

If you really think about it, its actually highly unlikely that world DOESN'T "work like that". Its just logic. Its what anyone, you or me, would do in the same situation.

But oh yeah, 'the world is really this rosy place that nothing bad is ever going to happen to so all the freaks who think that bad things could happen are just paranoid'. Sure. Every human civilisation, and there have been hundreds, in the whole of history has collapsed or been destroyed by something (except perhaps for the Chinese). But oh yeah, 'ours is an exception, you can safely put tens of millions of people out of jobs and magically new jobs will re-appear, because things don't change in OUR civilisation, they're stable'.

Would you like to debunk any particular parts of my post, or rather just take a general "I don't want to think about anything" stance? Come on, if you don't agree with something I said, lets have some civilised debate: give me your *reason* to disagree.

Re:RFID is...

[OldMiner]

"Low-cost, passive chips like this have a range of only about 10 ft, however, so don't go too 1984."

Actually, they just have a range of 10 feet with the power supplied by, and with a receiver the sensitivity of, the default reader.
-----8

This crosses into an area beyond my knowledge, but I question how far you can do this. First of all, there is the issue with background radiation. You can only increase your sensitivity until the signal starts to equal the noise. And with the potential for a few thousand of these operating about at the same time, that's a lot of noise even neglecting that generated by other sources. Secondly, there is the question of how much power these devices can handle while still functioning properly. I imagine, if they don't want some vandal to easily destroy these devices by putting out a strong probing signal, there is a limit to the amount of power they will take in at a time. And even if they don't, the hardware itself will fail at a certain point. Therefore, you can only push the power you're throwing at these things to a certain point before it doesn't make a difference.

Given these two factors, I imagine there's a practical distance limit at which these devices will function. And considering this is the company that's found the cheapest way to make these things yet which Gillette is buying from, I'm guessing the practical limit isn't going to be terribly beyond the normal operating range.

Re:You have got to be kidding?

[dattaway]

Its more invasive than that. I work in a grocery wharehouse. There are electronic tags to monitor temperature, vibration and shock, humidity, air quality, time of travel, GPS, and all sorts of violations of privacy. What does this mean to you as a consumer? Your food is guaranteed to be fresh and not subject to conditions that would make it unsafe.

These sensors are everywhere. They help improve failures in distribution that costs shippers and consumers alike money.

Just be afraid when a bill is passed to push that national ID card as an injectable tag behind your neck. That's when you will find FAQ's on the internet how to build tin foil hats.

Re:What else will be tagged?

[TheShadow]

Yeah... because criminals will run right out to tag their handguns. Oh, and when someone steals my tagged handgun and kills someone, I'll get blamed. But, hey at least someone gets the electric chair right?

Re:Badges: an example of pseudo-security

Security to blame? I don't think so.

If it is easier to comply with security, than not comply, people will comply. If non-compliance is easier, non-compliance will be the norm.

The fault and blame for non-compliance belongs squarely to security, not those who do the non-compliance thing.

They told you what to do.

Well designed security policies do not rely on the end user being told what to do. They should rely on the end user automatically doing that which complies with the security policy. If it makes it harder to install the security equipment, so be it. If it costs a bit more, consider it a good investment.

You chose to be stubborn and stupid about it.

Security implemented a broken policy. Security is the one that is both stubborn and stupid.

Re:who are these people...?

[joib]

... What this is probably going to mean, 10 or 20 years from now, is that HUGE numbers of people in retail and distributing are going to lose their jobs to these little tags. ...

This technology is probably inevitable though. As technology improves, more and more people can have their jobs replaced by computers. I know somebody is going to reply by saying "but it just shifts the jobs to somewhere else, e.g. the people who create these tags and create and maintain the software". Sure, to a degree, but if you follow the trends to their logical conclusion, you get to a point where millions of low-paying jobs are getting lost and being replaced by maybe a couple thousand higher paying jobs. At some point, something will have to give .. all those people who end up losing their jobs will be the retailers customers themselves, so their business drops.


Social progress (measured as GDP increase, or something like that) has largely been driven by technological innovations. RFID, if (or when) deployed large-scale, will decrease the workforce needed in retail and distribution. Of course, as you say, all those same people will not get jobs developing RFID hardware & software. If that were the case, there would be no point in RFID, since there would be no net efficiency gain! What will happen is that workforce will be freed to do new tasks, which noone has come up with yet. Look at things from a longer time scale, and to think of the economy has a whole rather than just the retail part.

As an example, say about 200 years ago a significant fraction of the population (about 80%) were directly involved in agriculture (i.e. they were farmers). Today, thanks to technological innovations farming productivity has increased about 100-fold, and as a consequence a quite small part of the population are farmers (4-5% in western europe and presumably smaller in the USA as farms are bigger there). This has allowed a lot of people to do other things than plowing the ground. We don't have a ~70% unemployment rate (i.e. 80%-5%-overhead of producing and developing farming machinery), as your line of reasoning suggests.

The same goes for RFID tags (or say, the introduction of automation, robots and such, in industry). So yes, in the short term and on a personal level, it might be unpleasant. I.e. aunt Tilly working as a cashier gets the boot and as she has little education she has a hard time getting a new job. But for society as a whole on a slightly longer timescale, the efficiency improvement made possible by RFID will be beneficial.