Slashdot Mirror
RFID Industry Confidential Memos
An anonymous reader writes "Cryptome has learned www.autoidcenter.org (RFID flak) has made internal memos available for perusal at their site. Those RFID people sure have some interesting plans for the future. Who needs conspiracy theories, when you can hear it from the horses mouth? Weeeeee!"
FOR IMMEDIATE RELEASE
o verseers.pdf
July 7, 2003
RFID Site Security Gaffe Uncovered by Consumer Group
CASPIAN asks, "How can we trust these people with our personal data?"
CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) says anyone can download revealing documents labeled "confidential" from the home page of the MIT Auto-ID Center web site in two mouse clicks.
The Auto-ID Center is the organization entrusted with developing a global Internet infrastructure for radio frequency identification (RFID). Their plans are to tag all the objects manufactured on the planet with RFID chips and track them via the Internet.
Privacy advocates are alarmed about the Center's plans because RFID technology could enable businesses to collect an unprecedented amount of information about consumers' possessions and physical movements. They point out that consumers might not even know they're being surveilled since tiny RFID chips can be embedded in plastic, sewn into the seams of garments, or otherwise hidden.
"How can we trust these people with securing sensitive consumer information if they can't even secure their own web site?" asks CASPIAN Founder and Director Katherine Albrecht.
"It's ironic that the same people who assure us that our private data will be safe because 'Internet security is very good, and it offers a strong layer of protection'
http://cryptome.org/rfid/questions_answers.pdf
would provide such a compelling demonstration to the contrary," she added.
Among the "confidential" documents available on the web site are slide shows discussing the need to "pacify" citizens who might question the wisdom of the Center's stated goal to tag and track every item on the planet,
http://cryptome.org/rfid/communications.pdf
along with findings that 78% of surveyed consumers feel RFID is negative for privacy and 61% fear its health consequences.
http://cryptome.org/rfid/pk-fh.pdf
PR firm Fleischman-Hillard's confidential "Managing External Communications" suggests a variety of strategies to help the Auto-ID Center "drive adoption" and "neutralize opposition," including the possibility of renaming the tracking devices "green tags." It also lists by name several key lawmakers, privacy advocates, and others whom it hopes to "bring into the Center's 'inner circle'".
http://cryptome.org/rfid/external_comm.pdf
Despite the overwhelming evidence of negative consumer attitudes toward RFID technology revealed in its internal documents, the Auto-ID Center hopes that consumers will be "apathetic" and "resign themselves to the inevitability of it" instead of acting on their concerns.
http://cryptome.org/rfid/cam-autoid-eb002.pdf
Consumer citizens who are not feeling apathetic will be pleased to learn that the site provides names and contact information for the corporate executives who oversee the Center's efforts. Since the phone list isn't labeled "confidential," we're assuming that Auto-ID Center Board members are open to calls and mail that might help them better understand public opinion on this important subject.
Anyone interested in speaking with Dick Cantwell, the Gillette VP who heads the Center's Board of Overseers, for example, can find his direct office number listed on the Auto-ID Center's website here:
http://cryptome.org/rfid/226691160-list_board_of_
To experience the Auto-ID Center's security holes firsthand, simply visit the web site at http://www.autoidcenter.org and type "confidential" in the site search box. The Center encourages such site exploration: "Our website has Research Papers and other information that anyone can download for free. There is also a Sponsors Only area of the site, which includes information and materials not available to the public at large. We encourage you to visit our site frequently to stay up to date with the Center's many activities."
That's what my new cloths will be after I microwave them to ensure that no RFID devices remain functional.
Don't forget to put a cup of water in there too, to prevent mucking up the magnatron.
Damn, cryptome doesn't seem to be responding. The www.autoidcenter.org is an RFID promotion site and their web site search engine had a scope that included documents marked "confidential".
If you want to see them, go to www.autoidcenter.org
and type "confidential" into their site search engine.
Not sure if they're still up but that's the condensed version of the cryptome story.
Try a microwave oven. That will induce enough current in the device to melt/short its circuits.
Hopefully the thing the device is embedded in won't be harmed by the microwave.
Using your sig line to advertise for friends is lame.
I was able to grab the html only. None of the PDFs or PPTs linked to it:- docs.htm
The mirror is here:
http://krypton.mnsu.edu/~workmj/cryptome.org/rfid
RFID tags are read by a signal transmitted over the UHF band(400-930MHz). These signals are limited by the FCC to 500mW. At this power the RFID tags can not be read from a distance greater than 0.25 meters.
I picked a PDF at semi-random, and found a fairly damning one (not that thats hard to do on their site).
...)
:-)
Try http://www.autoidcenter.org/media/sarma.pdf
Look at page 21 (its a slide presentation).
The slide says:
---------
For privacy:One word
* Annihilate
* (obliterate, destroy, auto-destruct, kill
---------
I guess that neatly sums up their feelings on the privacy matter.
The rest of the presentation similarly outlines more of their evil plans for "World Domination".
Take it easy.
From the website search engine:
(Bold emphasis mine...)
Notice that this sample says "Confidential until September 2002". Now, unless you know for a fact that they were available for reading prior to September of last year, then there's really no problem unless they're talking about some sort of big-brother-esque system.
Now, this isn't saying that they're not. But, as seeing that Cryptome's
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
RFID Chips Are Here
RFID chips are being embedded in everything from jeans to paper money, and your privacy is at stake.
By Scott Granneman Jun 26 2003 09:15AM PT
Bar codes are something most of us never think about. We go to the grocery store to buy dog food, the checkout person runs our selection over the scanner, there's an audible beep or boop, and then we're told how much money we owe. Bar codes in that sense are an invisible technology that we see all the time, but without thinking about what's in front of our eyes.
Bar codes have been with us so long, and they're so ubiquitous, that its hard to remember that they're a relatively new technology that took a while to catch on. The patent for bar codes was issued in 1952. It took twenty years before a standard for bar codes was approved, but they still didn't catch on. Ten years later, only 15,000 suppliers were using bar codes. That changed in 1984. By 1987 - only three years later! - 75,000 suppliers were using bar codes. That's one heck of a growth curve.
So what changed in 1984? Who, or what, caused the change?
Wal-Mart.
When Wal-Mart talks, suppliers listen. So when Wal-Mart said that it wanted to use bar codes as a better way to manage inventory, bar codes became de rigeur. If you didn't use bar codes, you lost Wal-Mart's business. That's a death knell for most of their suppliers.
The same thing is happening today. I'm here to tell you that the bar code's days are numbered. There's a new technology in town, one that at first blush might seem insignificant to security professionals, but it's a technology that is going to be a big part of our future. And how do I know this? Pin it on Wal-Mart again; they're the big push behind this new technology.
Right now, you can buy a hammer, a pair of jeans, or a razor blade with anonymity. With RFID tags, that may be a thing of the past.
So what is it? RFID tags.
RFID 101
Invented in 1969 and patented in 1973, but only now becoming commercially and technologically viable, RFID tags are essentially microchips, the tinier the better. Some are only 1/3 of a millimeter across. These chips act as transponders (transmitters/responders), always listening for a radio signal sent by transceivers, or RFID readers. When a transponder receives a certain radio query, it responds by transmitting its unique ID code, perhaps a 128-bit number, back to the transceiver. Most RFID tags don't have batteries (How could they? They're 1/3 of a millimeter!). Instead, they are powered by the radio signal that wakes them up and requests an answer.
Most of these "broadcasts" are designed to be read between a few inches and several feet away, depending on the size of the antenna and the power driving the RFID tags (some are in fact powered by batteries, but due to the increased size and cost, they are not as common as the passive, non-battery-powered models). However, it is possible to increase that distance if you build a more sensitive RFID receiver.
RFID chips cost up to 50 cents, but prices are dropping. Once they get to 5 cents each, it will be cost-efficient to put RFID tags in almost anything that costs more than a dollar.
Who's using RFID?
RFID is already in use all around us. Ever chipped your pet dog or cat with an ID tag? Or used an EZPass through a toll booth? Or paid for gas using ExxonMobils' SpeedPass? Then you've used RFID.
Some uses, especially those related to security, seem like a great idea. For instance, Delta is testing RFID on some flights, tagging 40,000 customer bags in order to reduce baggage loss and make it easier to route bags if customers change their flight plans.
Three seaport operators - who account for 70% of the world's port operations - agreed to deploy RFID tags to track the 17,000 containers that arrive each day at US ports. Currently, less than 2% are inspected. RFID tags will be used to track the cont
Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
but the CONFIDENTIAL documents are all marked "CONFIDENTIAL until xxx 2002" or "CONFIDENTIAL until xxx 2001." Not such a gaping security hole, it seems.
Yes, the potential implications of RFID are creepy, but their planning for a marketing campaign sounds pretty much par for the course.
You'd have to catch and broadcast each style of RFID tag radio signal.
Inductive
Pulsed
Backscatter
Rebroadcast (differing frequencies for transmit and recieve...)
Etc.
Each one's completely different from the other in it's operation. And that just covers the RADIO portion of the systems. It doesn't cover the modulation or the encoding. There's a bazillion of those out there.
Yes, you could come up with a system that could jam/confuse each and every RFID reader nearby. But, it'd end up being something like the military's signal intelligence systems in size and complexity.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
A typical cordless phone is about 1/2 watt.(500mW).
/WORLD/ they can communicate with only a watt or less of power to work with.
With your logic, a 2 watt cellphone would have a range of about 4 feet.
Just to put things into further perspective, radio enthusiasts have contests to see how far around the
You've fallen victim to some of the strategies outlined in the articles this whole story is about. You've been pacified into believing radio waves are severely limited in range. And you believed it. Even going so far as to try to convince other people that a half watt of power is insignificant for distances greater than a meter, which is completely absurd.
You're repeating a meme. You have been "pacified" according to the gameplan set forth in the memos.
Let's see...who's got more lobbying money/access? Us (as individuals), or Walmart/Sears/Kmart/Target/Asda/Tesco?
Who do you think will win?
I guess you haven't heard of the ACLU, NRA, NAACP, AARP, or the various other special interest groups in this country. Special interest groups represent a group of people gathering their resources to fight for a particular cause. They can wield power as great or greater than any corporation. I'm not aware of any single organization that can completely turn an election like the NRA or AARP can. Corporations can only give money, but special interests can directly give VOTES.
You personally will not stop Walmart or Sears from implementing the tags directly in items but the EFF may! So donate and get involved!
Brian Ellenberger
There is a difference. With that cellphone the entire 2W is being used BY THE CELLPHONE. With an RFID reader a 0.5W signal is being transmitted FROM ANOTHER SOURCE and REFLECTED by the tag. Big difference there.
Read some of the documents on the site. They talk about scanning ranges of several meters.
http://www.rfidjournal.com/article/articleview/494 /1/1/
You really have to wonder about a group that claims to be fighting for consumer privacy but thinks its okay to breach someone else's privacy. Caspian's excuse is that the ease with which it obtained the material shows the center can't be trusted with sensitive information. You'd think that Katherine Albrecht, the group's founder, could come up with something better than that. The real conclusion one should draw is that the center is not the Machiavellian organization Caspian makes it out to be. If it were, it would spend a lot more on security.
1) Scanners are not too expensive (as long as you know which standard... small cheap tags == small cheap scanners). So you can scan and then sanitize your own goods
2) Scanners only work at personal-space encroaching range unless the RFID has a power source (which becomes easy to find). So at most you can be scanned in situations where you might find a metal detector.
3) Won't work from the outside of your car reliably, so toll booths are probably safe. ("Smart Tag" uses a battery and is on your windshield... exception)
While most people won't notice or care, motivated people are not without recourse. The big brother fear-factor may be overstated. I am not worried.
In fact, I'm excited. I can start using scanners to tag all my stuff and keep track of it without having to buy the tags. (me === scatterbrained) Wheee!
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
To make these things small enough to fit into clothes, you have to make the antenna size pretty small, which means range drops dramatically. I can't really see the privacy concern when you can only read these things from a couple of inches away.
You're not going to walking out the door with these things and be scanned. Currently the top of the range tags (which are very pricey) can be read with several other tags in the vicinity. There hasn't really been a way around this limit, so the tags that are being talked about by Walmart and Benetton are small tags with a read range of a couple on inches, not miles as some posters seem to think. And they won't be able to read if there is any tag in the read range. So to disable them, just stick another tag onto your clothing, and they won't read. No need for microwaves.
There were 68 documents available under a "confidential" search of the Auto-ID Center's website this morning. They did NOT say "confidential until [fill in date]" like they do now. The Auto-ID Center's first response this morning was to pull nearly all the documents with "confidential" in their descriptions off the site, then slowly replace them one by one, with new "confidential until" designations tacked on. Many other documents vanished and have not yet reappeared (nor are they likely to, considering their content). We have not yet had a chance to verify if the documents have changed in other ways than the new "sell by" dates they now carry. Cryptome has listed the original 68 "confidential" search results, as they appeared this weekend. As soon as the Cryptome site recovers, you can verify that there were few or no expiration dates on any confidential documents until well after the story broke today. You've got to hand it to the Auto-ID Center, though, for working overtime on damage control. The "confidential until" thing was a nice touch. p.s. Until it crashed, Cryptome had all 68 original documents available for downloading on its website.
There is nothing tiny about 100 watts, dolt. That's a lot of power.
;))
Granted that in realtive comparison to a regular FM station (anything from 5k up to 50k Max ERP, usually) it may not seem like a lot; but in fact, 100 watts is quite a bit of juice to be throwing around. Besides, the FCC watches the broadcast band more closely than any other.
The amount of energy emitted by RFID tags is in the milliwatts, if that. Depending on what band they are in, they could easily go unregulated. For example, most 900MHz cordless telephones operate in the middle of the amateur 900 MHz band. The amateur 900 MHz band is not regulated below 2 watts, therefore this is perfectly legal. (If I recall all this correctly.) For another example, most of those remote temperature sensors operate dead smack in the center of the amateur UHF band (~450MHz), also unregulated below a certain wattage. Hell, some of them dive straight in the middle of the UHF broadcast band without worries. (Don't quote me on any of this - it's been a while since I've studied my rules
There were 68 documents available under a "confidential" search of the Auto-ID Center's website this morning.
They did NOT say "confidential until [fill in date]" like they do now.
The Auto-ID Center's first response this morning was to pull nearly all the documents with "confidential" in their descriptions off the site, then slowly replace them one by one, with new "confidential until" designations tacked on. We have not yet had a chance to verify if the documents have changed in other ways than the new "sell by" dates they now carry.
Many other documents vanished and have not yet reappeared (nor are they likely to, considering their content).
Cryptome has listed the original 68 "confidential" search results, as they appeared this weekend. As soon as the Cryptome site recovers, you can verify that there were few or no expiration dates on any confidential documents until well after the story broke today.
You've got to hand it to the Auto-ID Center for working overtime on damage control. The "confidential until" thing was a nice touch.
p.s. Until it crashed, Cryptome had all 68 original documents available for downloading on its website.
I have seen RFID chips in the course of my previous employment, so I think I have some right to comment. The ones we settled on were a small package about 20 * 8 * 3mm., and had a working range of c.100mm. depending on the antenna. They were basically a few bits of non-volatile memory, with commands for read and write; some bits were read-only and {presumed} unique to any one device.
It's well known that RF can travel a long way, but what gives RFID devices their short working range is inherent in the design of passive transponders.
The RFID chip is entirely powered by the interrogating field. It "transmits" back to the interrogator by switching on and off a FET with just a resistor for a load, effectively altering its impedance. This will cause more or less current to flow in the transmitter {if the first law of thermodynamics holds}. There is a resistor in series with the TX oscillator power supply. The more current going out of the transmitter, the higher the voltage drop across that resistor.
At large separations, less power can be got into the RFID device anyway, and the difference between the "ON" and "OFF" states becomes less and less noticeable. The only way to improve matters is to add a bigger antenna to the RFID chip. According to well-understood and published theories, such an antenna would have to be big enough to be obvious in order to work.
What we really need is a law that makes it an offence for a store not to remove or disable any inventory-control devices in lawfully-purchased merchandise before it leaves the store. Add to that a requirement that a disposable product should never be sold at a lower price than its reusable analogue unless a recycling programme exists {meant for batteries, diapers and plastic cutlery but would catch anti-theft tags as a bonus}, just for good measure.
Je fume. Tu fumes. Nous fûmes!
Here is the index of all the research papers on their site. If you click the PDF links, it will ask you to log in first. The trick is to click on the "View Abstract" link and then there you click on the PDF link and voila, there you go!
This is a temporary mirror of the complete set of documents. Hopefully, this will seed the material to other permanent mirrors.
Two zip files, 11.6MB and 8.2MB:
RFID Confidential Documents
a RFID tag is a technological measure that effectively controls access to a work
No it's not. "Work" in the copyright sense means a literary work. This applies to household objects. Read up on the law. Really.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
Any operation that takes place with RFID tags takes place under Part 15 of the FCC rules and regs. That is the same part that gives us permission to use 802.11${version} wireless networking, but requires that the general public take a back seat on these frequencies to ham radio operators (because we have licenses for these frequencies, and the general public doesn't)
Part 15 comes with two provisions:
In other words, by using the unlicensed section of the spectrum, the users of these devices are setting themselves up for interference from other users of the spectrum.
What I personally would like to do then is construct a set of 13MHz walkie talkies. Not really very practical devices on the whole, but they should work well enough at short range. You and a friend go shopping and just happen to key up the radio each time you pass through the door. You have the legal privilidge to do this, as long as you don't mind the interference to your signal from theirs. They must accept the interference to their signal from yours.
Technical note: The modulation on your walkie talkies should be something that is guaranteed to take up the entire 14 kHz width of the band specified under Part 15. Perhaps some form of digital voice. You need to occupy 13.560MHz +/-0.007MHz inclusive.
www.wavefront-av.com
Post links with HTML tags. It's easier for us all.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
penguinal.net/crankcase/
Since cryptome is slashdotted, it might be better to go back to the source:
As someone who has actually done some work with RFID tags, perhaps I can offer some insight to the uneducated masses at slashdot (though their ignorance causes these uneducated fools to cling to their beliefs and disregard fact, here goes...)
First of all, your lack of knowledge of the subject is apparent immediately. The effective range of the 915 MHz tags is barely 1.5 m in a laboratory setting. Once you introduce interference from several other sources, reflection from many surfaces, and several other real world factors, the range is significantly reduced. If that weren't enough, 915 MHz (the frequency of choice for industry at the moment) does not propagate very well through dense matter. Your credit card in your wallet is safe basically, unless you sit on an antenna (and i'm not sure that even that would work!). Your body actually acts as an antenna when you come in contact with the tags, so you in effect change the resonant frequency of the tags. Good job already!
Secondally, all these solutions to "fry" or "burn" the tags is are absurd. The tags are actually fairly delicate. The microchip embedded in the antenna label is often broken just in the handling of the tags. The tags that are being implemented by Walmart and the like are only made of an antenna made into a sticky label with a silicon chip embedded therein that holds the ePC (the RFID version of the UPC, also developed at MIT by the way). These tags are not powered so that the price is reasonable for the application. (this is another factor in the range. the gentleman who responded with the relationship between distance and power is also right on the money)
Thirdly, anyone worried about RFID doing anything that isn't already done in some form or another is fooling themselves. I am not paranoid or very well versed in conspiracy theories, but it seems that the video cameras in your local Sears (perhaps using some kind of face recognition software) could easily figure out that you are in their store looking at refridgerators several times. Or perhaps the people that work there? Also, radio waves are everywhere in today's society. Any health risk would only be posed by the RFID readers themselves (not the tags), but this risk is no higher than cell phones or other radio technology.
A note about security: The chips in the tags are WORM (write once, read many) and the information stored on the internet is XML based for a family of tags, so no actual personal information about the consumer is stored online. Believe it or not, companies are probably not interested in you personally or what you do. They can get what they need out of sales patterns and trends without affixing any kind of face to the purchase.
Anyway, what I've just said will probably do nothing to change the minds of those against the technology, as reasoning with unreasonable people is futile. I hope those of you that are open-minded have learned something as I have tried to only offer facts.