Errant E-Mail Shames RFID Backer
An anonymous reader writes "An article appearing in Wired today describes how the Grocery Manufacturers of America inadvertently sent an embarrassing internal email to anti-RFID consumer group CASPIAN."
Don't overreact. These are not the Diebold memos, it is just some woman who sent a non-funny joke back to the victim of the joke by accident. I don't see what the hubbub is about. Granted, getting RFID awareness is good, but this story was a waste of time save for some of the info about RFID technology.
I hate sigs.
This story was covered in the Australian press a few days ago. Other sources report that the GMA has apologised, describing the action as a "youthful indiscretion".
a world in progress...
Batteries? Have you ever even read anything about RFID technology? They don't have batteries, which is the only reason for their limited range. They get power directly from the radio waves.
RFID tags in the packaging? They are now weaving them into clothing, they are inside your tires, and in the handle of your razor.
Disable them? Try microwaving your tire...
The concern is that they don't deactivate themselves. And almost any RFID tag can be read by almost any RFID reader. So your boss can start checking how often you change your underwear, and indirectly can track you around the building by the tags in your clothing. Your car could be tracked at every intersection.
It's not that there is an inherent problem, it's just ripe for abuse, and a big step towards slipping into a police state.
Most of us just don't want to get anywhere near there. There is most definitely a need for concern.
Reinard
Your sentence:
These aren't much useful after you purchase the product...
Should correctly read as:
Currently these aren't much useful after you purchase the product...
If all your garments have built in RFID tags, it is just a question of installing RFID sensors all over the place, and have an uber-company evaluate all of the data, and your location can be tracked to a minute detail. Would that worry you? (Then again almost everyone is toting a cellphone around - but at least that can be switched off)
See what happened to tolltags, remember that lawyer murdered about a month ago? His movements were tracked post-mortem through the tolltag...
Code poet, espresso fiend, starter upper.
Yes, that's true...I know a good bit of RFID tags use radio waves to operate, but if I remember correctly some of these actually power themselves...
Anyhow exactly does my boss know it's MY underwear? For instance, if you use a badge reader, what keeps me from going in behind a co-worker? What about the tire thing...it would be much easier to simply track you with a <gasp> license plate...
The truth is, you can already be tracked, it's just that most of us are so boring it isn't worth the effort.
Imagine this scenario.
You buy a gift for someone from a store. The RFID scanner at the register identifies you by your previous purchases (that you're wearing/are on you/etc) while you slide your debit card in the reader. Then you give that gift to someone else.
That person goes shopping anywhere (because RFID data would surely be shared through some clearinghouse) and they use their debit card to make a purchase. If they're wearing your gift, the clearinghouse has now identified a relationship between you two.
They could develop a very comprehensive database of who is associated with who. Then the government gets their hands on the database, and finds out that you bought something for the future wife of some terrorist, and now you're in jail indefinitely without charges.
The connection between what is yours and what belongs to others is easily made when you pay for it with your credit card, or use your club card and pay cash. Sure some items like ties and underwear may be presents, but how often do you buy tires for someone else? Or conversely, this enables the interested parties, without effort to establish connections between people. Customer A bought item I1 that is now being worn by Customer B. And suddenly people you have no relation to whatsoever know who bought you a tie as a present around Valentine's day.
Granted, your boss may not easily get access to this data if you are some small company, but the bigger that company is, the farther they can reach. And if you don't already know - you'd be surprised how willing large companies are to sell access to their customer databases.
The problem is that tracking license plates, cell phones etc, is - as you say - a huge effort that isn't worth it, not even for the government, unless you are a suspected murderer etc.
RFID tags make this much much easier - so much, that tracking the general public as a side effect is technically and financially plausible.
Reinard
A previously anonymous item of clothing, with a sewn-in RFID tag, has a potentially traceable history- where it was made, where shipped, warehoused at, retailed, who it was sold to, when, how much.
I imagine this would delight both law enforcement and attorneys alike. DEA too.
You almost have to wonder if, despite our best efforts, in twenty years time when RFID is presumably more prevalent, that there will be developed a system which generates a snapshot profile of a person based on what the RFIDs in their possession. Perhaps not as accurate as a fingerprint, but enough variability that it could assist law enforcement in finding a person better than facial recognition, for example.
Watch out racial profiling, here comes consumer profiling!
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
Anyhow exactly does my boss know it's MY underwear?
Assuming your company set up an RFID reader at the entrance for any of a number of reasons, every RFID tag on your body would activate and broadcast its serial number. That code would most likely contain a manufacturer code, a product code, and potentially a unique serial number.
At the end of the day you walk back up through the scanner. Maybe they are checking to make sure you aren't trying to sneak out with tagged company property. Routine procedure would be to subtract the list of IDs you entered with from the list of IDs you are trying to leave with.
So, one day the computer alerts the security guard that you are trying to leave with an ID code that you didn't have when you came in. The code number pops up and an automatic search is done on it. The computer comes back with two hits on the search. The first hit is a match on its internal database - that ID came in this morning with Sue from accounting. The external database hit reveals that manufacturer code is for Victoria's Secret, product code Lowrise V-string panties, black, size 5.
Security Guard shouts out in front of everyone: "Hey Bob! Whatchya doing with Sue's panties? Are they in your pocket or are you wearing them?"
He could quite easily pull up your history of ID tags for the year and see what brand(s) of underwear you wear, how many different pair you have worn, and yes, he could easily see how often you wear the exact same pair two or more days in a row.
RFID tags are already being embedded in the fabric of some pieces of clothing. As RFID becomes common situations like I described above can become quite common. That daily RFID scan can be analyzed for any number of reasons, and the data can be extensive and invasive.
Every single store you walk into could perform such a scan. Obviously the "intended" purpose is to make sure that you don't walk out with unpaid merchandise, but once they've done that then all of the data is already in the computer and it can trivially be used for any purpose at all.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
These aren't much useful after you purchase the product.
Oh, I dunno about that. I'm imagining that I'm in charge of the software that collects the RFID data. What I do is have the software note not only the articles that are placed on the counter at checkout, but also the tag number in the clothing that you're wearing as you leave the store. If any of those "extra" tags agree with articles that the store sells, with some low probability (1% or 5% maybe), the software adds it to your bill.
What I'm betting on is that you wouldn't even notice this. Even if you get a detailed statement that shows all your purchases, the fact is that you did buy that particular article. So it doesn't register, you skip over it, and I've just extracted a small amount of cash from your account. If you happen to notice it, our people are instructed to be very apologetic, and remove the charge without arguing.
Over a year, this could add a lot of money to the store's coffers.
It doesn't even matter if such charges are discovered and publicised. The news stories would just add to your image of the unreliability of all things computerish, while the store's cheerfully helpful staff would reassure you that all you have to do is bring it to their attention to get it fixed.
Unless you could get the source code subpoenaed, there's little chance you could ever fight this sort of larceny.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Granted the statement was an exaggeration, but so is yours. "The protocols used are generally not published"... there are several ISO standards (ISO 14443 A/B, ISO 15693, ISO 18000, EPC) that just about everybody uses, same with the frequencies. (125KHz (new), 148KHz (old), 13.56 MHz (probably most common for short range, the one I was referring to), 315 MHz (long range, expensive))
Check these out. They read just about any standard on 13.56MHz (and really, almost everybody uses that frequency).
If I had some more time I'd google around a bit, but I'd bet most of what you'll find (95%+) will be a variation of one of the above.
I bet you, if they don't already exist, it will be a short time until someone makes a universal RFID tag reader. It's not hard to scan a few frequencies and try a few different protocols. Especially for ReadOnly tags (again, the large majority) because the protocol will be a simple ping-pong.
Reinard
You obviously know a lot about this issue. I never did or even tried to dispute that.
I never claimed I knew all the ins and outs of this technology either. And as far as the technical aspects go, I don't have a problem admitting that I'm in a little over my head.
I've done my share of reading on it however, more so the social implications than the technical implementations. I'm not an electrical engineer, and didn't claim to be one. The statements I made seemed plausible conclusions to me, given what I see is available right now - from what I've read.
Now to your questions:
"""What makes you so sure "it's not so hard to scan a few frequencies and try a few protocols"?"""
If there are individual readers for each one, build a device that incorporates all of them and try one at a time until you get an expected result. I'm not saying that's quickly done, or with little resources, but I bet you'd agree it's likely possible, and a large entity (corporation/government etc) could bring up the resources. I'm saying it's not hard because it doesn't require inventing anything or depends on unproven technology. It's just a matter of combining existing technology.
"""Have you ever implemented an anti-collision search for any of those standards you mention?"""
No (although you already knew that). But what makes you think anti-collision is even necessary for my argument? Your examples ("Mobil Speedpass", keyless entry pass, garage entry pass) are probably all systems that would not function under collision situations, nor do they need to. There is a collision and you get bad data? Ignore it. Fully acceptable for those situations. The same would be true for RFID tags in tires. You get two in the reader area? - Ignore it, you'll get a good read at the next intersection.
"""Do you have any idea what the hardware and software requirements of doing a multi-protocol reader are?"""
No. Neither does anybody that doesn't have the resources to seriously consider and spec out such a project. And it's not really relevant to this discussion anyway. However, I doubt that they would be much larger than the combined requirements for each individual device - since at least some software and hardware parts will be usable for several of the individual readers.
"""The protocol is nothing like a simple 'ping-pong', whatever that is."""
With ping-pong I only meant transmit request (ping) and receive response (pong). I've never actually looked at the protocols in detail.
"""The tough part is the "anti-collision" part. What happens when there are two tags in the field? How do you ensure that only one tag responds so you can read it without RF interference?"""
Again, I'm no electrical engineer, but I would imagine something like a signal that causes random short delays in sending the response, and then repeat until you get a clear response from each tag. Or maybe each tag can be on one of X number of channels, that get scanned sequentially, greatly reducing the potential of collisions etc... Anyways, I know several devices on the market can do this, so this problem has already been solved, i.e. is technically feasible, so the argument about it is moot - it can be (and has been) done.
"""You're talking out of your ass. Admit it and either accept that you're scared of technology you don't understand, or learn about it then comment."""
Well I'll respond to that with a quote "Obscenity is the last refuge of the inarticulate motherfucker."
You're trying to say that I can't argue/discuss these things unless I'm an expert in the field and know every little technical implementation detail. If you don't see a flaw in that, please don't respond. I know you read this anyway.
This discussion was originally about the social effects of RFID tags, and whether concern about widespread implementation was justified. You picked up on a line that may have been technically a bit of a stretch (or even plain incorrect), but rea
Reinard
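The random-delay retry idea from the comment above, as a small simulation; this is an added example, not part of the original thread. It is a simplified framed slotted-ALOHA style model, and the tag IDs, slot counts and function names are constructed for illustration.

```python
import random

def inventory_round(pending, slots, rng):
    """Each unread tag answers in a random slot; only slots holding
    exactly one tag give the reader a clean (collision-free) read."""
    by_slot = {}
    for tag in pending:
        by_slot.setdefault(rng.randrange(slots), []).append(tag)
    read = {tags[0] for tags in by_slot.values() if len(tags) == 1}
    collided = sum(1 for tags in by_slot.values() if len(tags) > 1)
    return read, collided

def read_all(tag_ids, slots=8, seed=0, max_rounds=1000):
    """Repeat rounds until every tag has been read once or max_rounds is hit.
    Tags already read stay silent in later rounds."""
    rng = random.Random(seed)  # seeded so runs are repeatable
    pending = set(tag_ids)
    identified, rounds, collided_slots = [], 0, 0
    while pending and rounds < max_rounds:
        read, collided = inventory_round(sorted(pending), slots, rng)
        identified.extend(sorted(read))
        pending -= read
        collided_slots += collided
        rounds += 1
    return {"identified": identified, "rounds": rounds,
            "collided_slots": collided_slots, "unread": sorted(pending)}

# Constructed sample population: 20 tags with made-up IDs.
SAMPLE_TAGS = [f"TAG-{n:02d}" for n in range(20)]

if __name__ == "__main__":
    print(read_all(SAMPLE_TAGS))
    # Failure mode: with a single slot, two tags always answer together,
    # so the reader never gets a clean read from either of them.
    print(read_all(["TAG-A", "TAG-B"], slots=1, max_rounds=50))
```

With 20 tags and 8 slots the reader needs several rounds because at most 7 tags can land alone in a slot while others are still colliding; the single-slot case shows why some spread of response times is required at all.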
Which leads me to believe this (dumb) kid may have been acting on his own. Or his boss is REALLY fucking stupid.
Thanks for the links, but I still disagree on them. First of all, they're not exactly impartial sources -- hell, you even referenced the mothership of RFID fearmongers. The clothing tags they talk about in all the articles are attached to the clothing, but not inconspicuously weaved into them: "an antenna-bearing chip smaller than a grain of rice that's attached to the clothes' labels". It's pretty easy to rip off a label, I do it for comfort pretty often. That's a longshot from one hidden by being weaved into the cloth.
As for the tires -- GREAT! Being able to track tires like that should do wonders for safety. I have doubts that the tags will be readable at any great distance though. Besides, tracking cars is already pretty easy due to things called license plates. All kinds of red light cameras all over the world currently snap pictures of people running red lights, and use the license plate to ID them.
Now Gillette -- they ordered a few hundred million tags -- what makes you think they actually want to put them on the handle, as you claimed? Wouldn't it make more sense to put them on the packaging, so they're easier to track? Besides, Gillette doesn't care about razors -- they sell razor blades. In my informed opinion, there's no way they'll fit an RFID tag on the individual blades, the read range would be tiny, and it would be impractical. On the other hand, they might put one on the blade package -- is that really so bad?
Finally, there's the "significant distances" part. Under ideal conditions, you'll be lucky to get a read at more than 8 metres. With a wall in the way, or anything metal, or even metal too nearby, you'll get interference. I'm not saying it's impossible -- heck, there are devices that can see what's on your computer screen through a wall. On the other hand, the ability to do that is a long way off.
Year by year, privacy is changing. In the 1500s most people lived in small towns, where everybody knew everybody's business. On the other hand, you could be pretty sure that if you were inside your house with the doors closed, nobody could see inside. These days, most people enjoy relative anonymity inside their cities, and can buy things over the Internet without anybody knowing what they're doing. But, at the same time, credit cards can track purchases, and lots of electronic surveillance is now possible.
Sometimes when you gain convenience, you lose privacy. If I could get RFID-enabled tires, I'd love it. I could use an RFID reader to make sure that the tires were new from the factory, not refurbished ones from a car that had been in a wreck. Sure, there's some chance that someone might then track my car, but these days it's pretty remote. If it ever became a concern, I'd either change tires often, or buy RFID-tagless tires. When something threatens your privacy, you generally have an alternative. Phone taps? Get encrypted phones. Email snooping? Use PGP/GPG. People reading your computer screen over your shoulder? Get a privacy screen. HTTP cookies bother you? Use Privoxy. I'm sure the same will be true for RFID.
The fight shouldn't be about the availability of RFID tags, and RFID-tagged products, it should be about keeping your options open. It shouldn't be illegal to remove your underwear tags -- if they ever show up. It shouldn't be illegal to get non-RFID-tagged tires.
Anyhow, this is the type of debate I think is useful, where both people are informed, and backing up what they say. (Btw, if you doubt any of the engineering stuff I'm saying I can try to find a way to back it up, but it's out of first-hand knowledge, so I don't have references on hand). I just hate it when people say "RFID is eeeevil because it lets the Government track your Cornflakes!!!"