Slashdot Mirror
RFID Industry Confidential Memos
An anonymous reader writes "Cryptome has learned www.autoidcenter.org (RFID flak) has made internal memos available for perusal at their site. Those RFID people sure have some interesting plans for the future. Who needs conspiracy theories, when you can hear it from the horses mouth? Weeeeee!"
Will the clerk know what you aready are wearing down to your jocks size. I can see lots of good things with these tags but I can see lots of missuses too.
I wonder if govts will legislate to make it possible for us to op-out with these tags? Some tags maybe built into the products that it would be impossible for us to remove them. I think we need protection too.
FOR IMMEDIATE RELEASE
o verseers.pdf
July 7, 2003
RFID Site Security Gaffe Uncovered by Consumer Group
CASPIAN asks, "How can we trust these people with our personal data?"
CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) says anyone can download revealing documents labeled "confidential" from the home page of the MIT Auto-ID Center web site in two mouse clicks.
The Auto-ID Center is the organization entrusted with developing a global Internet infrastructure for radio frequency identification (RFID). Their plans are to tag all the objects manufactured on the planet with RFID chips and track them via the Internet.
Privacy advocates are alarmed about the Center's plans because RFID technology could enable businesses to collect an unprecedented amount of information about consumers' possessions and physical movements. They point out that consumers might not even know they're being surveilled since tiny RFID chips can be embedded in plastic, sewn into the seams of garments, or otherwise hidden.
"How can we trust these people with securing sensitive consumer information if they can't even secure their own web site?" asks CASPIAN Founder and Director Katherine Albrecht.
"It's ironic that the same people who assure us that our private data will be safe because 'Internet security is very good, and it offers a strong layer of protection'
http://cryptome.org/rfid/questions_answers.pdf
would provide such a compelling demonstration to the contrary," she added.
Among the "confidential" documents available on the web site are slide shows discussing the need to "pacify" citizens who might question the wisdom of the Center's stated goal to tag and track every item on the planet,
http://cryptome.org/rfid/communications.pdf
along with findings that 78% of surveyed consumers feel RFID is negative for privacy and 61% fear its health consequences.
http://cryptome.org/rfid/pk-fh.pdf
PR firm Fleischman-Hillard's confidential "Managing External Communications" suggests a variety of strategies to help the Auto-ID Center "drive adoption" and "neutralize opposition," including the possibility of renaming the tracking devices "green tags." It also lists by name several key lawmakers, privacy advocates, and others whom it hopes to "bring into the Center's 'inner circle'".
http://cryptome.org/rfid/external_comm.pdf
Despite the overwhelming evidence of negative consumer attitudes toward RFID technology revealed in its internal documents, the Auto-ID Center hopes that consumers will be "apathetic" and "resign themselves to the inevitability of it" instead of acting on their concerns.
http://cryptome.org/rfid/cam-autoid-eb002.pdf
Consumer citizens who are not feeling apathetic will be pleased to learn that the site provides names and contact information for the corporate executives who oversee the Center's efforts. Since the phone list isn't labeled "confidential," we're assuming that Auto-ID Center Board members are open to calls and mail that might help them better understand public opinion on this important subject.
Anyone interested in speaking with Dick Cantwell, the Gillette VP who heads the Center's Board of Overseers, for example, can find his direct office number listed on the Auto-ID Center's website here:
http://cryptome.org/rfid/226691160-list_board_of_
To experience the Auto-ID Center's security holes firsthand, simply visit the web site at http://www.autoidcenter.org and type "confidential" in the site search box. The Center encourages such site exploration: "Our website has Research Papers and other information that anyone can download for free. There is also a Sponsors Only area of the site, which includes information and materials not available to the public at large. We encourage you to visit our site frequently to stay up to date with the Center's many activities."
"Who needs conspiracy theories, when you can hear it from the horses mouth?" :)
Well, I can't now, thanks to Slashdot. Good job Slashdot, covering up RFID tag conspiracies.
Who needs conspiracy theories when we have conspiracy facts!
Things you think are in the Constitution, but are not.
From communications.pdf:
- Identify potential consumer road blocks/fears.
- Construct a proactive framework to minimise negatives arising.
- Assess consumer reaction if press develop scare stories and develop best messages to pacify.
Sounds like they forgot one step: PROFIT!
Karma: Meh (Mostly from meh.)
Other than some lingo, these memos (judging by the highlites) don't seem particularly bad. People are afraid of the health risks of RFID tags? Well, people are stupid. They're bombarded by radio waves every second of every day.
Some people will happily ignore reasonable explanations and cling desperately to their paranoid delusion. These people cannot be convinced otherwise. Rather they need to be brain-washed to get that stupid idea out of their head.
The "green tag" idea sounds like genius.
But an RFID conspiracy seems a little far to jump. The technology is in its infancy. It's not in everything, the opposite is true. But rest assured that an RFID Tag Canceler is in the works to milk money from the privacy obsessed.
I may get one myself...
I wonder if there's a patent.
-tom
It breaks my pluginses, my precious!
Well I went a-exploring:
Search for "1.Earn Trust 2. Collect Info 3.??? 4. Profit"
1 to 5 of 100 results for: "1.Earn Trust 2. Collect Info 3.??? 4. Profit"
Search for "We think we absolutely rock"
1 to 5 of 92 results for: "We think we absolutely rock"
Search for "You can't trust us with your personal data"
1 to 5 of 100 results for: "You can't trust us with your personal data"
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
The problem with microwaving clothing would be the shorts I have on right now, for example. They have a metal zipper. We all know what happens to AOL cd's when microwaved (if you don't know, try it. 5 seconds does wonders).
Be careful what you nuke.
----
Squirrel
Disabling an RFID will be tantamount to tampering with a product in a way it was not meant to be. Whether using the DCMA or some future bill it will become illegal to disable the RFID. You think I'm kidding, but I would not be surprised at all to hear this in the future.
Maybe though, the courts will recognize how utterly detremental the DCMA (and the like) are to this free society. Yes we give up a certain amount of privacy living in a free society(apologies for the American-Centric) but this does not mean that corporations have the right to track us or our products.
Bite me to any business that thinks I'll buy RFID products, I'll make my clothes out of hemp and be the nut in uncomfortable clothes if I have to be.
-- taking over the world, we are.
When I searched (minutes ago), and skimmed through the first half of the results, none of the documents was still confidential (newest one to expire ran through May 2003).
Admittedly, I'm too lazy to explore further, but it certainly appears that, at present, the "confidential" documents to be found aren't considered confidential any more.
That said, as I noted, I got 59 results; does anyone who hit it earlier recall more?
R David Francis
How hard would it be to build a RFID spoofing tool that emits gazillions of random RFID numbers whenever it is polled?
Oh well, what the hell...
RFID Chips Are Here
RFID chips are being embedded in everything from jeans to paper money, and your privacy is at stake.
By Scott Granneman Jun 26 2003 09:15AM PT
Bar codes are something most of us never think about. We go to the grocery store to buy dog food, the checkout person runs our selection over the scanner, there's an audible beep or boop, and then we're told how much money we owe. Bar codes in that sense are an invisible technology that we see all the time, but without thinking about what's in front of our eyes.
Bar codes have been with us so long, and they're so ubiquitous, that its hard to remember that they're a relatively new technology that took a while to catch on. The patent for bar codes was issued in 1952. It took twenty years before a standard for bar codes was approved, but they still didn't catch on. Ten years later, only 15,000 suppliers were using bar codes. That changed in 1984. By 1987 - only three years later! - 75,000 suppliers were using bar codes. That's one heck of a growth curve.
So what changed in 1984? Who, or what, caused the change?
Wal-Mart.
When Wal-Mart talks, suppliers listen. So when Wal-Mart said that it wanted to use bar codes as a better way to manage inventory, bar codes became de rigeur. If you didn't use bar codes, you lost Wal-Mart's business. That's a death knell for most of their suppliers.
The same thing is happening today. I'm here to tell you that the bar code's days are numbered. There's a new technology in town, one that at first blush might seem insignificant to security professionals, but it's a technology that is going to be a big part of our future. And how do I know this? Pin it on Wal-Mart again; they're the big push behind this new technology.
Right now, you can buy a hammer, a pair of jeans, or a razor blade with anonymity. With RFID tags, that may be a thing of the past.
So what is it? RFID tags.
RFID 101
Invented in 1969 and patented in 1973, but only now becoming commercially and technologically viable, RFID tags are essentially microchips, the tinier the better. Some are only 1/3 of a millimeter across. These chips act as transponders (transmitters/responders), always listening for a radio signal sent by transceivers, or RFID readers. When a transponder receives a certain radio query, it responds by transmitting its unique ID code, perhaps a 128-bit number, back to the transceiver. Most RFID tags don't have batteries (How could they? They're 1/3 of a millimeter!). Instead, they are powered by the radio signal that wakes them up and requests an answer.
Most of these "broadcasts" are designed to be read between a few inches and several feet away, depending on the size of the antenna and the power driving the RFID tags (some are in fact powered by batteries, but due to the increased size and cost, they are not as common as the passive, non-battery-powered models). However, it is possible to increase that distance if you build a more sensitive RFID receiver.
RFID chips cost up to 50 cents, but prices are dropping. Once they get to 5 cents each, it will be cost-efficient to put RFID tags in almost anything that costs more than a dollar.
Who's using RFID?
RFID is already in use all around us. Ever chipped your pet dog or cat with an ID tag? Or used an EZPass through a toll booth? Or paid for gas using ExxonMobils' SpeedPass? Then you've used RFID.
Some uses, especially those related to security, seem like a great idea. For instance, Delta is testing RFID on some flights, tagging 40,000 customer bags in order to reduce baggage loss and make it easier to route bags if customers change their flight plans.
Three seaport operators - who account for 70% of the world's port operations - agreed to deploy RFID tags to track the 17,000 containers that arrive each day at US ports. Currently, less than 2% are inspected. RFID tags will be used to track the cont
Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
With Walmart backing it -- it appears unstoppable.
Whoo hoo! Now I'll have an easy means to do my thesis!
My topic: Tracking the migratory patterns of trailer-park-dwelling white trash with radio signals.
The meteorology people are probably thrilled as well... no more trying to put instrument packages in a tornado's path, just zero in on the RFID tag in Cletus S. Yokel's sneaker, and track it when the tornado sucks him out of his double-wide.
The problem with microwaving clothing would be the shorts I have on right now, for example. They have a metal zipper.
WARNING: Do NOT microwave shorts before removing them from body. Side effects could include actually reading those spams that offer to help you grow larger body parts.
A typical cordless phone is about 1/2 watt.(500mW).
/WORLD/ they can communicate with only a watt or less of power to work with.
With your logic, a 2 watt cellphone would have a range of about 4 feet.
Just to put things into further perspective, radio enthusiasts have contests to see how far around the
You've fallen victim to some of the strategies outlined in the articles this whole story is about. You've been pacified into believing radio waves are severely limited in range. And you believed it. Even going so far as to try to convince other people that a half watt of power is insignificant for distances greater than a meter, which is completely absurd.
You're repeating a meme. You have been "pacified" according to the gameplan set forth in the memos.
That renaming bit works wonders. A (major) company I used to work for renamed a component of their data mining technology from "key" to "link", because what they were doing was illegal if the unique identifier for multisource consumer data was used as a key into a database table. Call it a "link", though, and you've bypassed the problem altogether.
The corporate legalists knew full well that anyone opposing a "key" would only know to refer to it by that particular name. If you change the name, the problem vanishes because now no one knows to object to it.
As we say at work, "You know you're doing something right when both sides are mad at you."
This technology has so much potential. I want to be able to remotely pay and walk right out of the store without waiting 15 minutes to check out two items; but I know that they're just going to use my purchases to send me more advertisements. RFIDs can give us information on our environment and we give it to them.
And that's the problem, exchange of information. After reading that article, these RFID manufacturers are already showing their lack of concern and ignorance how to secure their networks -- it's like a company that installs IIS and never patches, they're that clueless. And this technology needs to be secured right the first time; the last thing I need is yet another report of a bungling tech company leaking credit cards. It's not an MMORPG, where you get 8 months to fix, rollback and patch. This time it's worse, because a crack will not only expose financial data, but expose your personal location.
Now I don't do much to attract the ire of governments or corporations; I pay my bills, buy my music, and live my life in security. I don't worry about the gov collecting my info, because the government isn't coordinated enough to figure out what to do with it even if they had it. As a small potato, I worry more about the honesty of my fellow citizens. Store employees get caught scamming credit cards, and now, do we get to look forward to the future criminal "warscanning" around the neighborhood with his radio sensor, instantly detecting what valuables you have inside your house...
Somehow, we the community need to express our concern that the proper precautions are taken. This technology is coming, and the market potential is great. As end users, we need to demand an open access system, so that we might provide the checks and balances to keep the system honest. What else can I say, but whether we need to demand the government regulates an open system, or we use market forces to drive it into oblivion, the public can't let this slide.
A corporation has no power but that which a government has given it.
This is not the fault of corporations, but of governments, which have decided to offer up portions of their power to the highest bidder. One way they have done this is to charter corporations. This allows the ownership of companies to be diluted to the point of meaninglessness, so that the owners' accountability for their companies' actions are zero.
p.s. This is not a US problem, but a world problem. The two richest women in the world are European heads of state with nationalized petroleum corporations.
A Government Is a Body of People, Usually Notably Ungoverned
Disable?
Nah... too easy.
What I want to do is reprogram the suckers so when they scan my clothing I will be wearing a alarm clock on my head, have a 12 pack of Gillete Razors hidden in my shoes, answer to the name of Rover, have my shots for distemper, but due for a booster on rabies.
~Z
"I know what the capabilities of the RFID systems are these days and there's not currently anything that could do what the alarmists keep saying is possible"
According to this article the 500million tags that Gillette purchased "Alien Technology says its RFID tags can be read up to 15 feet away". And that is with the LEGAL readers the store is using. How far away can they be read with my illegal jiggawatt reader and directional antenna? How long will it take people to decode the 64-bit codes to determine which bits are brand/model/size/etc. and read the codes from great distances?
They do not plan on disabling the tags when you leave the store either since one of Wal-Mart's listed benefits for RFID tags is "hassle-free returns".
How long until I can point a directional antenna at your home and fire up my jiggawatt reader to determine if you have anything worth taking?
Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
There were 68 documents available under a "confidential" search of the Auto-ID Center's website this morning. They did NOT say "confidential until [fill in date]" like they do now. The Auto-ID Center's first response this morning was to pull nearly all the documents with "confidential" in their descriptions off the site, then slowly replace them one by one, with new "confidential until" designations tacked on. Many other documents vanished and have not yet reappeared (nor are they likely to, considering their content). We have not yet had a chance to verify if the documents have changed in other ways than the new "sell by" dates they now carry. Cryptome has listed the original 68 "confidential" search results, as they appeared this weekend. As soon as the Cryptome site recovers, you can verify that there were few or no expiration dates on any confidential documents until well after the story broke today. You've got to hand it to the Auto-ID Center, though, for working overtime on damage control. The "confidential until" thing was a nice touch. p.s. Until it crashed, Cryptome had all 68 original documents available for downloading on its website.
Do we have any engineers in the house??
Three standard frequency bands (approx. 13MHz appears to be the longest range band) and a physically accessible antenna.
This sounds like a perfect opportunity for any engineers out there to create a tri-band transceiver with a "snort" function to cycle through the used bands, detect the feedback/absorbtion from the RFID antenna and then give it a very localised, high powered pulse or thousand at the appropriate frequency.
If you don't manage to fry the tiny componentry in a tag, it ain't turned on.
Any and all defensive mechanisms (micro-faraday cages, zener diodes, gas chambers, etc.) should either prohibitively raise the price per RFID or be easily overcome with a minor modification (slow ramp up times, gaussian (white noise) frequency distributions).
A far more interesting concept is surely the use of "throw-away" RF interference devices that could interfere with the use of RFID tags to such an extent that it is not viable for it's users (Walmart, I'm looking at you).
Perhaps you could even use their electrical wiring as your antenna (c.f. electronic vermin repellers).
Time to break out the soldering iron.
Quinkin.
Insert Signature Here
Any operation that takes place with RFID tags takes place under Part 15 of the FCC rules and regs. That is the same part that gives us permission to use 802.11${version} wireless networking, but requires that the general public take a back seat on these frequencies to ham radio operators (because we have licenses for these frequencies, and the general public doesn't)
Part 15 comes with two provisions:
In other words, by using the unlicensed section of the spectrum, the users of these devices are setting themselves up for interference from other users of the spectrum.
What I personally would like to do then is construct a set of 13MHz walkie talkies. Not really very practical devices on the whole, but they should work well enough at short range. You and a friend go shopping and just happen to key up the radio each time you pass through the door. You have the legal privilidge to do this, as long as you don't mind the interference to your signal from theirs. They must accept the interference to their signal from yours.
Technical note: The modulation on your walkie talkies should be something that is guaranteed to take up the entire 14 kHz width of the band specified under Part 15. Perhaps some form of digital voice. You need to occupy 13.560MHz +/-0.007MHz inclusive.
www.wavefront-av.com