The Trouble with RFID
wintermute42 writes "Simson Garfinkel, author of Practical Unix & Internet Security along with Gene Spafford and Alan Schwartz, has an article in The Nation on RFID tags. They're not just for tracking stuff. They can track you too."
No kidding. Life takes on a similarity to the chessboard. There are no surprises in chess, just players not quite working out all of the move combinations.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
And what if "your" too stupid not to spot the one they hid in the button of the shirt, or the sole of your shoes?
Sorry, but my karma just ran over your dogma.
You're thinking about this all wrong. Take off your tin-foil hats, nobody really wants to 'track' you.
Now, what companies will really be salivating over is the opportunity to market to you. If they can track all of the RFID tags on and around you, they can know so much about you that they can tailor advertising to you specifically. Just like Minority Report, only not so cool.
Just think of it as value adding. You're adding so much value to the coffers of manufacturers and advertisers!
Who didn't figure that RFID tags will be used to track us- the consumers? Hell, that may be even a better use for them than inventory tracking... They get about the perfect picture of what products we use, when and to an extent how. The marketer's wet dream. And of course the definition of propriety will be stretched, bent and broken during the courtship of RFID tags.
:)
Now, I on the other hand, have a want for them. I think they could be fun to hack around with. That is, I want my PDA to be able to read tags, and then I'll get a bunch of them. I'll tag my house up, so that I can get location-based alerts. The kind of thing GPS would be too big and clunky- and not accurate enough- to do. I can come up with all sorts of fun things to use RFID tags for in my own life that have nothing to do with being "targeted" better.
Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
What is that quote? Man is born free yet everywhere he is in chains
I do not like the idea of having every last bit of privacy removed. Between the new cameras my state is installing on highways, with radar guns, that send you a ticket in the mail, to having banks sell personal information to third parties so they can call me at dinner to offer me a great price on a satellite dish, this is getting out of control.
While some may say that government will never, ever use any technology in an illegal way, I would just say they have done it in the past. Nixon broke into the dem's headquarters. Other presidents have bugged the phones of political groups like the black panthers. And this current president has the "Patriot Act".
It scares me to think what government could do. 1984 is looking less like fiction and more like a prediction.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Right, but nobody can track thousands of people simultaneously and find patterns and "alleged links with so-and-so" with a computer.
tasks(723) drafts(105) languages(484) examples(29106)
Happy Trails,
Erick
http://www.busyweather.com/
RFID on slashdot many times. Solution to this problem is simple. Avoid holding actual personal details on a central database. Yes, let's track what people buy and where they go, but only as an alias. IE, last month, 1287 people visited XYZ store in New York and purchased ABC jacket and then 376 of those people left the state. No need to log WHO they were. Simple really!
O'WONDERWe're working on it.
If you gents keep screeching about the profound dangers of RFID for every single article, interview or news tidbit that comes out, folks are going to start ignoring your input.
Hell, I look forward to the day I can just load up my cart with groceries and head out of the store without bothering to stop at a cash register. My purchases are already matched to my credit card account in their internal inventory anyhow, and I'm openly 'opting in' by using the system.
I wonder what Slashdot would have been like if it had started on an FTP site and not port 80:
"Coming dangers of the World Wide Web! Cookies! Server Logs! URLs! Protest now while there's still time!!!!!!!"
The problem is (as always was and always will be) how people use a technology.
RFID (or any other technology) is not necessary for a police state as demonstrated by many examples in the past.
Your privacy can be (or most probably: was) violated without RFID too.
To protect your privacy you need a society that values privacy and has laws that express this. If you do not have that then you are swimming against the flow and you are doomed to failure, no matter if RFID is used or not.
I would like to point out Europe: there are privacy laws that basically say the following:
If you have such laws (and have them enforced) then there is no need to fear RFIDs - but if you don't have them, RFIDs should be the least of your worries.
Real life is overrated.
It would seem to me that all of the "take off your tin-foil hat" crowd are missing the obvious. Yes, I understand (and if you rtfa you'd see that the author does too) that the planned uses of these tags are for very legitimate reasons, but hasn't anyone learned through history that abuse occurs? If some technology has the potential to be abused, then sooner or later, the government, spammers, advertisers or even Wal-Mart WILL abuse it and our privacy will be invaded. This isn't to say that laws governing the use of RFID tags will prevent abuse entirely, but let's at least TRY to prevent what we can before simply allowing these things to go into widespread use and abuse.
Just throw everything you buy from Wal-Mart in the microwave for a few seconds. I'm sure the RF static from the microwave should be enough to fry any circuits in your clothes.
If you can read this then I forgot to check "Post Anonymously"
Oh, come now. You really haven't read up on RFID, have you?
The RFID tags that we're talking about DON'T have batteries. Only active RFID tags do, and those are an extremely small percentage. Do you really think they would place an expensive battery powered RFID tag in every shoe?
-------
technomad
Who says the RFID tags are in the tags of the clothing? They could just as easily be woven along the seam.
What about how computers make media piracy much easier and convenient? Doesn't the point that RFIDs make tracking too easy because it becomes automatic through electronics also lead one to the conclusion that computers and more specifically ripping and sharing programs make it too easy to make copies of copyrighted material?
If RFIDs are not acceptable, how can the use of P2P networks for 'sharing' music be acceptable?
Can you justify it because in the first case it is specifically *you* who is losing freedom and in the second case it is *someone else* who is being affected adversely by your actions?
All I usually get is "Stores will build a database, and then Homeland Security will do, um, something." Followed by handwaving and dubious slippery slope arguments that usually imply a continent spanning sensor net that sounds like a cross between Tom Clancy and Vernor Vinge.
Someone connect the dots here. The article didn't do a very good job.
Or is this just modern mythology, like people hiding in their homes worrying about werewolves and vampires and witches in centuries past?
--- Ban humanity.
Here's an idea for a new community project: Mega RFID Vest Library
Go to the dump where multiple people are throwing away RFID-laden products. Snag the lil suckers off discarded food products, garments, appliances, liquor bottles, baby food.
Sew them onto a vest.
Lots of `em.
When you walk through the scanner you'll be ...... 246 different people.
Then, trade vests with others in other cities, other countries!
"Provided by the management for your protection."
I apologize for, maybe, missing the point but after looking at a few portions of the article, I am beginning to wonder why. For instance:
RFID isn't a household word today, but within the next few years manufacturers hope to put it into many household products.
Why would these be needed in 'household products'? I understand they want to track merchandise, but this could be accomplished by putting an RFID sticker on the bottom of the product. That way, you take it home and tear the sticker off when you take it out of the box.
Perhaps, for clothing, just put an RFID on the main tag. I've worked for a clothing store who used the locking pin security devices found in most stores. They work wonderfully, as you have to destroy the garment to steal it and it only costs a couple of thousand to buy enough of those things to last a lifetime. I do not see the flaw that needs a new product, not in regards to clothing.
Both Wal-Mart and the US military have already told their hundred largest suppliers that cartons and pallets must be equipped with unique RFID tags by January 2005.
This is what I would like to see RFID used for. This will really speed things up at distribution centers, as a forklift coming off a trailer will simply have to drive through the dock doors (assuming the sensor would be there) to put an entry in the company's database saying "this pallet entered the building", meanwhile the operator keys into the computer on his forklift the actual product count.
For people who will "bite" and say something about computers on forklifts, they have been around for over a decade. I know, I fabricated a prototype mounting platform for a small, wireless computer back in 92. They had blueish LED displays, and were shaped similar to an old RS Model 100 portable, but housed in a sturdy black metal case. I made a nice adapter for Crowne forklifts that allowed the operator to swivel, tilt, and adjust it to his/her most comfortable viewing position. Too bad I didn't know anything about patents back then. They started using this design at all their distribution centers, which equates to thousands of lift trucks.
I do not miss working for Kraft foods. We had weekly 'rallies' where the managers would have a guest speaker. The most memorable one was Penske (wealthy bastard) came to tell us what a great job we were doing, then proceeded to talk about efficiency for the next 45 minutes. More often than not, everyone left with a broken sense of pride due to wealthy investors talking to us like we were children. It seemed that after every meeting, new poop would appear on the bathroom walls.
As for government oppression...I dunno. If the CIA/NSA/FBI say they won't try to abuse the technology, I won't believe them for a second. But at the end of the day, they don't have a financial incentive to make our lives miserable, and I think what they'll end up with is Terabytes upon Terabytes of almost entirely useless information. I suppose blackmail opportunities are a real threat (So, senator...in light of our recent discovery that you do in fact frequent adult book stores, do you still want to cut our funding?) but even those kinds of activities would have to be tempered by the consequences. Yes Nixon sent his boyz to break into Watergate...and look how it turned out.
Ah, but where do you buy the tin foil?
"If being a geek means being passionate about something, then I pity those who aren't geeks." - Pike65
There are some great new product opportunities in the new RFID-enabled world.
RFID Super Scanner - Scan your surroundings and your stuff for RFID tags. Pinpoints the location exactly.
RFID Mega Zapper - A high energy directed radio energy impulse designed to fry the electronics in your RFID tags. Great fun for vandals in stores! Smack your enemy's wallet!
RFID Spoofer - A programmable device that returns the RFID code of your choice. Great for making a copy of your luxury car key! Or your neighbour's. Have fun in stores after Zapping (TM) a RFID tag and replacing it with a Spoof(TM)!
RFID Data Miner - Build your own database of RFID tags. Now you can do your own surveillance and track people. Also good in parking lots when you want to know what RFID code to feed into your spoofer for easy access to that nice car.
RFID Jammer - A fun little DOS device that emits radio frequencies to blind RFID readers.
RFID Database Feeder - This device emits thousands of new random RFID codes every second. Great for filling the databases of those eager RFID code collectors.
I think most of these tools can be built easily and are not science fiction. If they can be built, they will.
Seriously, do you think RFID techniques make society more or less vulnerable to attacks?
Some are quick to say that the US Constitution guarantees no right to privacy.
But IMHO, the US Constitution embodies the 1793 State-of-the-Art of distrust of Government and other concentrations of power. That's the whole reason that there are three branches with checks and balances - mistrust of the institution of government. No matter how trustworthy those in power may be today, there's no guarantee that the next batch will be so. Checks and balances were put in place to provide trust - through mistrust.
Had the Founding Fathers been able to foresee the capabilities of electronic surveillance, they would have codified Privacy into the Bill of Rights. Instead, they did what they could, focusing on late-18th century concerns.
Had the Founding Fathers known of the potential concentrations of power known as multinational corporations, they would have codified some sort of separation of Business and State. Instead, they focused on what they knew, separation of Church and State.
The living have better things to do than to continue hating the dead.
Okay, when it's in the store, which the company owns, I can only say so much about it.
Moronic criminals? Not as much as you would think. They figured out very quickly that a shopping bag lined with duct tape would foil at least the early RFID readers. Car thieves in my area can break in & steal a car in a tenth the time a skilled mechanic can. Hell, they'll be the *ONLY* ones getting around this.
Long lines at checkout: Okay, throw away some more jobs. While we're at it, I see a pricing discrepancy at least every other time I'm at a grocery store...if you're just shoving a cart through the door, it's pretty hard to tell that you accidentally paid $22.47 for the Black cherry kool-aid (one of 39 packs in your cart).
Privacy is somewhat of an illusion, but that doesn't mean it's not worth TRYING to hang on to little bits here & there.
And think about just how far this can go. Eventually, there could be embedded RFID in every food we eat. As you're driving along, a roadside detector finds that the Big Mac & large fries have moved from the stomach to the small intestine, and changes a billboard ahead of you to advertise Wendy's, while activating a 1/4 watt FM transmitter to transmit ONLY to your car 'Getting hungry, Jim Farnagle? Wendy's is just half a mile ahead on the left! Make it in the next five minutes, get a free apple pie!'
The issue is WHERE the line should be drawn. RFID is here to stay, and has some excellent uses. Pallets & tracking inventory - great use of 'em. But once I've purchased a product, the company that made the item, the company that distributed the item, the company that retailed the item, all of their 'business partners', and anyone else can (should) bugger off & mind their own business...go buy a congressman or something.
Whereas a UPC is a common identifier among like items I believe RFID contains globally unique identifiers that are de-registered at the store upon sale, so they shouldn't trigger anything. Maybe someone else can shed more light on this, but I think they probably considered this scenario.
-- Solaris Central - http://w
The problem with this article is the simple fact that they start out by talking about passive RFIDs and then switch to ways they can be abused that would only work on ACTIVE RFIDs. The big difference? One has a battery and broadcasts its number over a significant range.
-- botsex is {grep;touch;strip;unzip;head;mount}
Also of note, one of the leading critics of RFID, Katherine Albrecht, issued this press release today:
February 5, 2004
German RFID Scandal: Hidden devices, unkillable tags found in Metro Future Store
Germans say, "Nein! We won't be your versuchskaninchen"
"We won't be your versuchskaninchen." That's the message German privacy advocates are sending to executives at the Metro Future Store in Rheinberg, Germany after discovering RFID devices hidden in the store's loyalty cards. They also found that RFID tags on products sold at the store cannot be completely deactivated after purchase, despite Metro's claims.
"Versuchskaninchen" is the German word for guinea pig, which is how German consumers feel Metro and its partners have treated them since opening the Future Store last year to test experimental RFID applications on live shoppers.
The revelations came just one day after Katherine Albrecht, founder and director of CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) toured the Future Store with a delegation of privacy experts from German advocacy group FoeBuD, who sponsored her visit.
"We were shocked to find RFID tags in Metro's 'Payback' loyalty card," said Albrecht, after FoeBuD tested the cards with an RFID reader and discovered the tag. "The card application form, brochures, and signage at the store made no mention of the embedded technology and Metro executives spent several hours showing us the store without telling us about it."
"In retrospect, it's no wonder store employees appeared nervous when we asked to take a few of the cards with us," she added.
Vendors of RFID-enabled loyalty cards promote them as a way for supermarkets to identify shoppers remotely as they enter the store, using details of their identity and purchase history to pitch products to them and to track their movements and activities within the store. Prior to the Metro discovery, no major retailer had publicly admitted to using such cards.
In addition to the cards, Albrecht discovered that Metro cannot deactivate the unique identification number contained in RFID tags in products it sells. The use of unique, item-level ID numbers is one of the key privacy concerns surrounding the use of RFID tags on consumer goods.
"Customers are misled into believing that the tags can be killed at a special deactivation kiosk, but the kiosk only rewrites a portion of the tag, while leaving the unique ID number intact," she said.
Outraged German citizens are calling on Metro to put an immediate end to the trials.
"We are deeply disappointed at the Metro executives. They talked of an open dialog while hiding important facts from us," said Rena Tangens of FoeBuD. "We are calling for an immediate moratorium on further RFID testing as it is clear that Metro is not handling the technology responsibly."
Evidence of the RFID tag in Metro's "Payback" loyalty card, along with evidence of the incomplete deactivation of product tags, can be found on FoeBuD's website at http://www.foebud.org/rfid/.
Excellent idea. Make your RFID spoofer broadcast randomized data to fill their databases with crap and poison the well.
I have a question: how long before this system becomes unwieldy? If we're going to track every product sold worldwide, how big will the string have to be? Furthermore, at what point will a database of said strings become unwieldy, and at what point will it become worthless to maintain all that data?
The retail RFID plans I've seen don't have a unique serial number for every item. They have a unique serial number for every type of item, kind of like a barcode. Granted, that may pose some minor privacy issues of its own. But those problems are minor, and no worse than paying with a credit card.
More to the point, RFIDs have the potential to save businesses billions -- kind of like barcodes did. And, like with barcodes, those savings will most probably be passed to the consumer.
Statistically speaking, there's a 99.998% chance that my IQ is higher than yours. Get over it.
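Added example, not part of the thread: the comments above ask how long a tag identifier must be and disagree on whether it names a product type or a single item. Assuming the GS1 EPC SGTIN-96 layout (a 96-bit encoding the thread itself does not name), this Python decoder separates the barcode-like product class from the 38-bit per-item serial and classifies what two tag reads have in common; the tag values are constructed samples.

```python
# Added example: SGTIN-96 field layout is an assumption; the thread names no encoding.

HEADER_SGTIN96 = 0x30
SERIAL_BITS = 38
# partition -> (company-prefix bits, prefix digits, item-ref bits, item-ref digits)
PARTITIONS = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}

def encode_sgtin96(filter_value, partition, company_prefix, item_ref, serial):
    """Pack the fields into 12 bytes; used here only to build sample tags."""
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    if not 0 <= filter_value < 8:
        raise ValueError("filter is a 3-bit field")
    if not 0 <= company_prefix < 10 ** cp_digits:
        raise ValueError("company prefix too long for this partition")
    if not 0 <= item_ref < 10 ** ir_digits:
        raise ValueError("item reference too long for this partition")
    if not 0 <= serial < 1 << SERIAL_BITS:
        raise ValueError("serial is a 38-bit field")
    value = HEADER_SGTIN96
    for width, field in ((3, filter_value), (3, partition),
                         (cp_bits, company_prefix), (ir_bits, item_ref),
                         (SERIAL_BITS, serial)):
        value = (value << width) | field
    return value.to_bytes(12, "big")

def decode_sgtin96(raw):
    """Return the product class (barcode-like) and the per-item serial."""
    if len(raw) != 12:
        raise ValueError("SGTIN-96 is exactly 96 bits (12 bytes)")
    value = int.from_bytes(raw, "big")
    if value >> 88 != HEADER_SGTIN96:
        raise ValueError("not an SGTIN-96 header")
    partition = (value >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    serial = value & ((1 << SERIAL_BITS) - 1)
    item_ref = (value >> SERIAL_BITS) & ((1 << ir_bits) - 1)
    company_prefix = (value >> (SERIAL_BITS + ir_bits)) & ((1 << cp_bits) - 1)
    if company_prefix >= 10 ** cp_digits or item_ref >= 10 ** ir_digits:
        raise ValueError("field exceeds its decimal digit limit")
    return {
        "filter": (value >> 85) & 0x7,
        "product_class": f"{company_prefix:0{cp_digits}d}.{item_ref:0{ir_digits}d}",
        "serial": serial,
    }

def linkable(raw_a, raw_b):
    """Classify what two reads reveal: same item, same product type, or neither."""
    a, b = decode_sgtin96(raw_a), decode_sgtin96(raw_b)
    if a["product_class"] != b["product_class"]:
        return "different products"
    return "same item" if a["serial"] == b["serial"] else "same product type"

if __name__ == "__main__":
    # Constructed sample tags: two jackets of one product type, different serials.
    jacket_1 = encode_sgtin96(3, 5, 614141, 812345, 6789)
    jacket_2 = encode_sgtin96(3, 5, 614141, 812345, 6790)
    print(jacket_1.hex().upper(), decode_sgtin96(jacket_1))
    print(linkable(jacket_1, jacket_2), "| serials per type:", 1 << SERIAL_BITS)
```

Under this layout the product-class part carries the same information as a barcode, while the serial is what allows two reads of one physical item to be linked.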
Sales Pressure ...
...
... and you know that if they can, eventually they will. You only have to look at the ridiculous state of airline checks to see knee-jerk security at work (same name as known terrorist (even with different initial) - you ain't flying buddy). There are documented cases of this.
I don't have a problem saying no to sales people. I do take exception to being harangued, by name, from the moment I enter a store. My shopping day will be a lot more stressful if I have to say "Get the f*** away from me, I'm just looking" in every store I walk into. And if that sales person has been picked based on the type of salesperson you are most receptive to, it gets harder - I'm not talking the high schooler at radio shack here, but a well chosen personable salesperson, based on your previous buying habits (e.g. last sales were only with X, blew off salesmen Y, Z).
And it's the data sale that's not nice either. Bulk mail, UCE, will become more invasive, personalised to you, so you won't know off hand if it is spam.
Security
airline profiling - general purchase patterns (look, he bought fertiliser and gasoline), purchase locational patterns (look, he was in the area when these demonstrations took place). Don't accept luggage as gifts (traveller has bag that he didn't buy) -- I'm sure the Feds can come up with a few more.
Security reasons - bought "anti-american books" (anything by Michael Moore, Al Franken, etc), don't let into particular areas if the president is in town (such as his entire travel route for the day) - all they have to do is match you with any known RFID tags, and pull up a "book list" check (note that may include library books - thanks patriot act).
The list is endless
And it probably won't be intentional. The trouble is, these are generic patterns that a good agent will use to guide them. But you won't be dealing with a good agent. You will be arguing this with the minimum wage security guard who will follow directives blindly. You know it doesn't matter what you say or do, or whether it's obvious that the computer is wrong - they do what the computer says or lose their job, so you lose.