December 12, 2006, 1:50 PM — What bloggers are saying about the latest in information technology
RFID technology is here to stay, and in its most benign form, brings a lot of advantages. It's often used to great advantage in warehousing and inventory applications, for example. But it's when RFID technology transcends out of the factory floor and into our personal lives that we start to take issue, and rightly so. RFID isn't inherently evil. It's just a technology used to keep track of things. It's a great way for a manufacturer to keep track of how many pallets of which items they have in the warehouse. Before RFID, companies used other techniques and processes to keep tabs on their stock, RFID just made it a little easier and let the manufacturers save a little money. That's all well and good.
But there are two things to make clear: First, despite industry claims to the contrary, RFID is not a secure technology, and it should never be used to track anything sensitive. Second, it should never be used on people, or in personal identification of any type.
But regrettably, our government is moving away from being one which values the privacy of its citizenry, and seems bound to push this technology into places where it has no business being. An article in Wired points out just how easy it is to hack these things -- even the intrusive VeriChip that some people want to put into everybody's arms.
The Hacktivismo blog clues us in to something very alarming. An advisory committee to the Department of Homeland Security had drafted a report that said the government should not use chips for purposes of identification. The report said "RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity." Unfortunately, the government had a different conclusion in mind, and the report remains in draft mode and has been deep-sixed.
One potentially very dangerous application is RFID-enabled credit and debit cards. These are the cards that you don't have to swipe through the machine, you just wave it near a point-of-sale terminal. Sure, the commercials make it sound like it's a wonderful convenience, but are you really that lazy that you can't take your debit card out of your wallet and slide it through the terminal? The RFID Consortium for Security and Privacy Blog reveals the dangerous flip side to this so-called convenience. And it's painfully obvious. If those RFID-enabled terminals can read that little card, then it's certainly within the realm of possibility that a malicious scanner could be nearby, also taking in your personal information without your knowledge or consent. The most alarming scenario is one where a data thief armed with a handheld scanner enters a crowd. The thief only needs to pass the scanner near the victim's pocket to harvest the information. It's a high-tech form of pick-pocketing, where the thief doesn't even have to physically touch the victim.
It is possible to impose stricter security on RFID, but the industry's not interested. Similarly, government initiatives to protect your privacy from RFID-based invasions have been shot down. The latest update of California's SB 768, the "Identity Information Protection Action of 2006", as reported in the PrivSecBlog notes that after the bill was passed, governor Schwarzenegger vetoed it. The Spychips RFID Blog goes into a little more detail, quoting the Governor from a 1990 US News interview, stating "People need somebody to watch over them. Ninety-five percent of the people in the world need to be told what to do and how to behave." It's frightening that the governor of California would believe such a thing. The bill, had it passed, would have provided protection to Californians against abusive people-tracking through RFID tags.
