Meta-Blog

SEARCH QandO

Email:
Jon Henke
Bruce "McQ" McQuain
Dale Franks
Bryan Pick
Billy Hollis
Lance Paddock
MichaelW

BLOGROLL QandO

 
 
Recent Posts
The Ayers Resurrection Tour
Special Friends Get Special Breaks
One Hour
The Hope and Change Express - stalled in the slow lane
Michael Steele New RNC Chairman
Things that make you go "hmmmm"...
Oh yeah, that "rule of law" thing ...
Putting Dollar Signs in Front Of The AGW Hoax
Moving toward a 60 vote majority?
Do As I Say ....
 
 
QandO Newsroom

Newsroom Home Page

US News

US National News
Politics
Business
Science
Technology
Health
Entertainment
Sports
Opinion/Editorial

International News

Top World New
Iraq News
Mideast Conflict

Blogging

Blogpulse Daily Highlights
Daypop Top 40 Links

Regional

Regional News

Publications

News Publications

 
RFID: Your privacy at risk?
Posted by: McQ on Tuesday, January 01, 2008

One of the complaints of many civil libertarians, to include many of us on QandO, is that today's technology and the concerns about terrorism have combined to present an opportunity, through government, to seriously compromise your privacy. For instance, Arizona, Michigan, Vermont, and Washington have added RFID chips to their driver's licenses. If you have a US Passport, you probably already know they're tagged with these chips.

So what does that mean? Well, for the holders of those licenses, it means that someone withing a 30 foot range with the proper monitoring equipment is privy to the information contained therein.
Information contained will include name, DOB, physical characteristics, and a private identity number that will allow access to further information stored in the state's DMV database.
Now the semi-good news is that at the moment, in those four states, it's a voluntary situation. You have to volunteer to allow the state to include the chip. And the way it is being sold is that travelers with those chips will be able to cross the border without a passport per Homeland Security.

So, anyone else noticed the flaw in this plan? Let's say I'm a bad guy. And I have the proper monitoring equipment. And while you make a run to TJ for the day to grab some cheap whatever, I monitor and record your data? Yeah, you can figure out the rest. If the state can make these things so can the bad guys, and then, well, easy stuff to use it to penetrate border security without having to sprint across the Rio. Now you have a way of selling easy access to the US at a nice profit. And, given the info available on the chip, there's the possibility financial mayhem available to monitoring criminals as well.

Then, of course there's the opportunity for the government, should it decide to do so, to monitor you at places other than airports and borders. And no, I don't like that idea.

Are there legitimate uses for these chips. You bet:
Some uses, especially those related to security, seem like a great idea. For instance, Delta is testing RFID on some flights, tagging 40,000 customer bags in order to reduce baggage loss and make it easier to route bags if customers change their flight plans.

Three seaport operators - who account for 70% of the world's port operations - agreed to deploy RFID tags to track the 17,000 containers that arrive each day at US ports. Currently, less than 2% are inspected. RFID tags will be used to track the containers and the employees handling them.

The United States Department of Defense is moving into RFID in order to trace military supply shipments. During the first Gulf War, the DOD made mistakes in its supply allocation. To streamline operations, the U.S. military has placed RFID tags on 270,000 cargo containers and tracks those shipments throughout 40 countries.

On a smaller level, but one that will instantly resonate with security pros, Star City Casino in Sydney, Australia placed RFID tags in 80,000 employee uniforms in order to put a stop to theft. The same idea would work well in corporate PCs, networking equipment, and handhelds.
I have no problem with any of those applications to include the last, as long as the tags are disclosed and employees are aware they are there and understand their acceptance of such tagging is a condition of their employment.

And, if you've ever heard of tagging pets, well it is probably an RFID chip they're talking about (they're only 1/3 of a millimeter in size). I could even see tagging children's clothing so in the case of an emergency they'd be easier to locate.

However there are certainly some gray areas that need to be explored as well:
Michelin, which manufactures 800,000 tires a day, is going to insert RFID tags into its tires. The tag will store a unique number for each tire, a number that will be associated with the car's VIN (Vehicle Identification Number). Good for Michelin, and car manufacturers, and fighting crime. Potentially bad for you. Who will assure your privacy? Do you really want your car's tires broadcasting your every move?

The European Central Bank may embed RFID chips in the euro note. Ostensibly to combat counterfeiters and money-launderers, it would also enable banks to count large amounts of cash in seconds. Unfortunately, such a move would also makes it possible for governments to track the passage of cash from individual to individual. Cash is the last truly anonymous way to buy and sell. With RFID tags, that anonymity would be gone. In addition, banks would not be the only ones who could in an instant divine how much cash you were carrying; criminals can also obtain power transceivers.
Exactly what I want to do, make criminals more 'efficient' or letting government (especially with the "drug war" and civil forfeiture) knowing how much money I'm carrying.

I balk at tagging adults or "citizens" as well. Just too damn "Big Brother" for me. And yes, for those driver's licenses I mentioned, it is voluntary for now, at least among the states. You have to wonder, however, how long it will remain that way. And But isn't voluntary if you want a passport.

Of course there are ways to thwart the random monitoring of such chips such as those found in a passport or driver's license. But that's not really the point. Big Brother and assorted criminals will find this sort of ability too difficult to pass up. And it will be you who suffer the consequences. RFID use needs to be thoroughly considered before using and in any case where it carries a risk to an individual's privacy, it should be rejected. The government, nor any other entity has the right to broadcast my private information in a way anyone can monitor it (and possibly use it to my detriment) for their convenience.
 
TrackBacks
Return to Main Blog Page
 
 

Previous Comments to this Post 

Comments
RFID has been a thorn in the side of the computer security world for quite a long time. It’s far too easy to read the chips at distance... for instance, proof of concept has been shown on RFID chips in an airport check in lounge where someone with a briefcase containing the proper equipment was able to read everyone’s passport info.

Also, if you get a passport with a chip and the chip gets "broken" - well that’s okay then. So, the issue becomes - what’s the point? The bad guys will just break the chip and since the passport is still valid with a broken chip there’s no real protection at all - just the government making motions about keeping us safe.

Personally I bought a passport holder that shields my passport from RFID readers (since I got an updated PP after the RFID’s started being inserted) It may work, or it may not, but I figured if I could make it a bit harder for someone to steal my info - I’m all for it. *sigh*
 
Written By: Teresa
URL: http://technicalities.mu.nu
Remember when everyone was worried that people would be able to get your credit card information when you bought things on the internet?

(My Mom recently crossed over from fearing that to shopping on-line like crazy.)

In reality, a whole lot of people get their identity stolen when making a purchase at a physical store, or through their garbage.

Heck, in Taiwan, thieves put cameras around an ATM to take a photo of your card as you inserted it, and then videotaped your secret code entry.

It doesn’t take a guy with a lap-top and RFID tags to steal your data.

Yeah, I’d prefer my privacy, but if RFID tags let me go through a robotic customs scanner much faster than standing in a long, long line, I think I’ll live with some weirdo knowing my name and passport number.
 
Written By: Harun
URL: http://
Plus the market can pretty much solve this by making RFID resistant cloth to use in purses, passport holders, jackets, etc. Which sounds like its already happening. Same thing with Phishing - my spam filter blocks it mostly.
 
Written By: Harun
URL: http://
Yeah, I’d prefer my privacy, but if RFID tags let me go through a robotic customs scanner much faster than standing in a long, long line, I think I’ll live with some weirdo knowing my name and passport number.
Yup. And I have no problem with that if you choose to do it instead of the "choice" being made for you.
 
Written By: McQ
URL: http://www.qando.net/blog
Things like this are why I own a degaussing coil...
 
Written By: Scott Jacobs
URL: http://
So my cardkey at work has had an RFID chip in it for years (10+), but our card readers only work if you actually get the card next to it (< 3"). 30’? Is that more a function of the card chip or the reader antenna?

And isn’t this something that if done correctly (I know, government) with some public / private key system could be made secure? I’m not sure how you’d equip that many readers in a distrubuted system and get key management to work correctly, but I suspect it could be done. Of course I think we should look at that system anyways and deploy smart cards to make conterfitting impossible.
 
Written By: Ryan
URL: http://
"Of course there are ways to thwart the random monitoring of such chips."

Of course. We can just encrypt the information, just like the internet. That is why the internet and wireless networks are so safe.

Those shield thingees sound just dandy, and I am sure they will work just fine. As long as you never use your credit card to actually purchase anything. The next time you are in a Starbucks, for example, watch and see how many people use their credit cards for a purchase of $5.00 or so. Then look around and see how many people have their laptops open and are using Starbucks convenient wireless access point. That is where I would set up shop, were I a bad guy. Someone whips out their credit card to pay for a couple of lattes, and by the time they get home I have already run up a few thousand dollars on their credit card, sold their personal data to another crook, and moved on to another location.

 
Written By: timactual
URL: http://
Couple thoughts here related to what I think are accuracy concerns with this post:

1. Where did you get that 30’ number? As I understood it Passports and Driver Licenses use ’Passive’ RFID - in other words the RFID chip has no power supply and the response is generated by recieving a scan which then ’powers’ the reply to the scanner. So to retrieve such information you have to A. Scan a passport and B. be within about 4 inches of it to get a response... rogue readers claim to be able to reach 30cm or about 1 foot... here is a page talking about the chip (no battery...): http://travel.state.gov/passport/eppt/eppt_2498.html

2. The following is from Aug 2006, describing the encryption etc. on the assocatiate passporst: http://www.state.gov/r/pa/prs/ps/2006/70433.htm

3. You are way behind on having the government track you location and let’s face it RFID - especially passive - is a lame choice. All cell phones include GPS, in fact I’m pretty sure efforts are in the works to automatically use this information to call people in areas where there is an emergency evactuation needed (ex. wildfire) similar to a reverse 911, not only that but the infrastructure is already in place to track where you phone is - why create a less reliable system?

You seem to be reaching heavily and spreading rumors in this post, but perhaps I’m missing something?
 
Written By: BillS
URL: http://bills-opinions.blogspot.com/
I am (sadly) the RFID-guy for our 7 billion dollar company. For us, it’s still a solution in search of the right problem. So far nothing RFID does — reliably — can’t be done with optical scan of bar-codes. Also, both our barcode and potential RFID data capture tools vastly overwhelm our data analysis tools. That is, we’d have data on where EVERYTHING is, but we can’t KNOW where the 0/01% of our problems are, or what’s wrong, by queries against that data.

But even so I do training once a year and subscribe to much of the industry literature, and I’m here to say that the "30 foot" claim is a mistake. Comments above citing 30 inches and 30 centimeters are much closer the mark. It depends on whether we’re talking "active" chips (with big batteries) or "passive" chips (that draw power from the RF pulse that queries them. Panic if you want to, but panic based on the facts. A pickpocket that can get close enough will be able to scan your ID card. Otherwise, keeping inside a pocket with your own body between the scanner and the RF tag is pretty good security. (And, it turns out, why the US passport implementation was a failure. Design and experiment intstructed travelers to take out passports and "wave" at the scanner. Worked fine. But actual implementation did NOT put up the required instruction signs and management expected the scanner to essentially ’x-ray’ the travelers looking for the tag. HA! Read rates fell to single digits...)

Over zealous "Security" and tracking against your cell phone is a much greater ssue, if you want to panic for legitimate reasons. Read up on it.

All that said, it appears to mean the RFID industry now is right where Steve Wozniak and Jack Trammel were in the early 1980s. Home tinkers might want to get a hobby set up from "THING MAGIC" or similar provider. Sooner or later somebody will trip over the so-called killer-ap. The VisiCalc of RFID. It’ll probably be an Iraqi veteran. (Troops in Iraq are — er — "liberating" the active RFID off international sea-containers used by TRANSCOM and are applying to technology in ways that WalMart and Proctor and Gamble haven’t even imagined yet. When the troops come home, look for an economic boom...)







 
Written By: pouncer
URL: http://
Comments above citing 30 inches and 30 centimeters are much closer the mark.
A couple of points, the 30 foot requirement is a government requirement which grew out of the "Real ID" law (2005).

Secondly, the "SmartCard" commuters use, pasted on the windshield and used to debit tolls, use RFID technology and have a range well in excess of ’30 inches’.

Heck, back in 2003, RFIDs were being read at a distance of 5 feet.
Philips, on its part, has reassured consumers that the clothing can’t be tracked beyond Benetton stores and warehouses, as its chips have an operating distance of about 5 feet.
It is all a matter of the power of the monitoring device. And it isn’t hard to imagine if we were able to do 5 feet 5 years ago, that 30 feet isn’t possible now.
Over zealous "Security" and tracking against your cell phone is a much greater ssue, if you want to panic for legitimate reasons. Read up on it.
I’ve already "written up" about it.
 
Written By: McQ
URL: http://www.qando.net/blog
The state of Oregon already has a pilot program to install GPS in your car to track mileage and the location of those miles. This is to suppliment gas taxes. They will tax for total miles and surcharge for miles in congested areas.
The government will know when and where your car is going.
And then there is the effort to make us a cashless society.
We’ll have no privacy.
 
Written By: Rick
URL: http://
McQ,
You are correct, the Active RFID systems such as the ones used at toll roads do have a range of about 30’ that identifies your vehicle (in theory... in actuality you can move it from one vehicle to another and the toll roads in Orange county actually compare the id value with your license plate - which is why they flag it when someone else uses your id).

However your post implies that Passive RFID, such as those used in driver licenses and passporst has a 30’ range. It doesn’t and the reality is it won’t ever because of the limitations of the power involved.
 
Written By: BIllS
URL: http://bills-opinions.blogspot.com
BiLLS: I’ve been out of the electronic security game for some time now, but we used to employ NLJDs to power up passive devices giving them a "boost" that was more readily detectable. Don’t know if a similar tactic would be feasible for passive RFID but I’ll continue to shield my passport until I know that it wouldn’t.
 
Written By: Uncle Pinky
URL: http://
However your post implies that Passive RFID, such as those used in driver licenses and passporst has a 30’ range. It doesn’t and the reality is it won’t ever because of the limitations of the power involved.
Indeed it does and, in fact, they can be read up to 30’ away.
Not all radio frequency tags are created equal. Some have been designed for storage and encryption of data. Ultra high frequency (UHF) or vicinity tags, such as those DHS has selected for use in EDL/ID cards were intended for use in tracking packages, not people, according to Vanderhoff.

The chips can be read as far away as 30 feet, are not encrypted, and will transmit only an ID number, creating the need for a centralized database to store each individual’s actual data.

High frequency (HF) tags, referred to as smart cards within the industry, have a much shorter range, but can be encrypted. HF tags are already in use in ePassports.

RFID’s critics include DHS’s own Data Privacy and Integrity Advisory Committee. The committee issued a report on Dec. 6, 2006 listing a number of privacy concerns including:

- unauthorized access of information being transmitted

- potential use of collected information concerning an individual’s movements for purposes other than those stated by DHS

- potential “widespread surveillance of individuals, including U.S. citizens, without their knowledge or consent.”
And, of course, then there’s this:
At a briefing on Capitol Hill in July, Tres Wiley of Texas Instruments, demonstrated for lawmakers and staffers how easy it is to clone a UHF tag with just a few hundred dollars worth of commercially available equipment.
I’d again remind you the 30’ requirement is a DHS requirement from the RealID Law passed in 2005 and comes with all the inherent problems I’ve listed. Note too that the DHS’s own Data Privacy and Integrity Advisory Committee has a problem with it as well.
 
Written By: McQ
URL: http://www.qando.net/blog
I expect the most realistic mehtod to overcome these technologies will be to mimic the explosives industry.

After Oklahoma City, there was a push to put special microscopic plastic solor tags into any thing that could explode or could be made to explode. The explosive industry experts replied that putting such tags into fertilizer would spread this tags far and wide and contaminate the entire environment with these tags, rendering them useless.

I expect that there will be a RFID jammer that will transmit enough energy on enough frequencies to make it look like interference from other tags, rendering the RFID useless.
 
Written By: Neo
URL: http://
Thanks for the continued response and I agree there are technologies that can be read from 30’. However, when I read the text you quoated in your last response this is the sentence which stands out:
High frequency (HF) tags, referred to as smart cards within the industry, have a much shorter range, but can be encrypted. HF tags are already in use in ePassports.
Current passports and driver licenses are to the best of my knowledge, NOT readable from 30’, and your information seems to confirm this.

Yes the Dept. of Homeland security wants a national ID card with this characteristic but to the best of my knowledge that’s not currently in use in any of the aforementioned. Not only do Passports not contain or ship with this technology the states you list are only considering/approving plans, the technology is still not in place.

Of note the chips do NOT store the data you reference, again reading your last:
The chips can be read as far away as 30 feet, are not encrypted, and will transmit only an ID number
I still maintain there seems to be a significant difference in your post’s claims and the real-world limitations. To wit I agree with the first portion of your post that it would be easy to mimic or falsify such data on a per person basis but the issue is more of a random number then an actual retrieval of privacy data from the chip.
 
Written By: BIllS
URL: http://bills-opinions.blogspot.com

 
Add Your Comment
  NOTICE: While we don't wish to censor your thoughts, we do blacklist certain terms of profanity or obscenity. This is not to muzzle you, but to ensure that the blog remains work-safe for our readers. If you wish to use profanity, simply insert asterisks (*) where the vowels usually go. Your meaning will still be clear, but our readers will be able to view the blog without worrying that content monitoring will get them in trouble when reading it.
Comments for this entry are closed.
Name:
Email:
URL:
HTML Tools:
Bold Italic Blockquote Hyperlink
Comment:
   
 
Vicious Capitalism

Divider

Buy Dale's Book!
Slackernomics by Dale Franks

Divider

Divider