An Unscientific Article on RFID and Privacy

By Mark Roberti

A renowned U.S. magazine has published an article by a well-known opponent of RFID that presents a one-sided view of the privacy and security issues associated with RFID.


Scientific American, the oldest publication in the United States, boasts about all the Nobel laureates it has published since 1845 (more than 120), but it lowered itself by publishing a six-page opinion piece—dressed as factual journalism—by Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN). The article, included in an issue of the magazine entitled “The Future of Privacy,” raises some legitimate issues. It also ignores many issues and conflates unrelated facts in an effort to make RFID seem like a bigger threat to privacy than it is.

In her article, “How RFID Tags Could Be Used to Track Unsuspecting People”, Albrecht points to the security holes in some RFID tags and says that encryption used on U.K. and Czech passports has been hacked. But the story doesn’t explore the potential benefits of RFID-enabled passports, which include the ability to secure biometric data that confirms the holder is the same person the passport was issued to, or whether they are easier or more difficult to forge than passports without RFID.

Instead, the story focuses on the claim that consumers who receive government documents with RFID tags or knowingly or unknowingly purchase products with embedded RFID tags will be vulnerable to surveillance and “skimming”—surreptitiously reading data stored in an RFID tag without a person’s knowledge.

Albrecht’s main argument is that the serial number contained in an RFID tag—whether it is random or not—can be associated with the person carrying the tag and therefore used to track a person. An overzealous policeman could, for instance, ask to see your license and then the police could associate your name with the random serial number in a tag he read in your shirt. This could be stored in a database so that any time that random number in your shirt is read, the police would know it’s you (or someone wearing your shirt). Similarly, an unscrupulous marketer could read a tag in your shoes (if there were one) and associate it with your credit card when you check out at the front of the store. Next time the tag is read, you could be identified.

These are concerns that should not be dismissed. But what the article fails to point out is that they can be easily addressed and are being addressed (in no small part due to pressure from Albrecht). U.S. passports have a foil liner in the cover that prevents them from being skimmed, and companies have produced credit card-size shields that would prevent a tag in your license from being read.

As for reading tags embedded in clothing, that’s not going to happen because no one is embedding tags in clothes. They are putting the tag on the packaging or within the hang tag that gets cut off when you get the garment home. In fact, at our recent RFID in Fashion conference in New York City, someone in the audience asked about using RFID as an anti-theft device. One retailer speaking at the event said: “For it to be effective as an anti-theft device, it needs to be embedded in the item, [so it can’t be removed before it’s stolen] and that raises some privacy concerns, so we are not looking at that application.”

The article does not point out that the retailers that have deployed RFID in their stores are not associating RFID tags with personally identifiable information. Instead, Albrecht trots out the IBM patent filed in 2001 that describes a method of using RFID to track customer behavior without their knowledge as proof that companies want to track people without their consent. The result is that readers of Scientific American are told to use a seven-year-old patent application by a technology company as a sign of what retailers want to do, rather than judging retailers’ intentions by what retailers are actually doing.

Albrecht has always talked about what is possible and the “potential” for abuse. It’s true, RFID can be abused—just as fire, electricity, the Internet and computers can be abused. But what is the likelihood it will be abused? Albrecht apparently believes it is great. The facts would indicate otherwise.

In the article, Albrecht points out that “tens of millions of contactless credit cards and ATM cards containing RFID tags are in circulation, along with millions of employee access badges.” You could add to that tens of millions of car keys, 7 million Mobile Speedpass key fobs, and perhaps 20 million toll collection tags in cars. I estimate that at least 25 percent of the adult population in the United States already carries an RFID tag every day or has one on the windshield of their car, and there hasn’t been a single documented example of privacy invasion that I’m aware of (Albrecht’s 300-page book lacks a single example). At what point do the government and marketers start abusing the technology? When 50 percent of the population is using RFID? Ninety percent?

Albrecht and other consumer advocates deserve credit for raising privacy concerns and making retailers more aware of the potential backlash from customers if they use RFID to monitor customer behavior without customer consent. But for RFID to be dangerous in the way she suggests, all of the following must be true:

  • Only companies and government agencies can purchase standards-based RFID readers (thereby preventing consumers from detecting tags hidden in their clothing and boycotting companies using RFID)
  • Only companies and government agencies can purchase electronics to detect RF energy (otherwise privacy advocates, journalists and even consumers would be able to expose hidden readers used to spy on people)
  • No one can figure out a way to jam or confuse RFID readers
  • No one who works for a company or government agency ever obtains evidence of spying with RFID (say, by snapping a digital photo of a reader used for spying) and e-mails it to the press or CASPIAN
  • Companies are willing to risk millions in sales, their relationship with their customers, and the prestige of their brand by spying on consumers

In fact, all of these are already untrue. (Although I haven’t seen any documented evidence of spying with RFID, CASPIAN was tipped off to early pilots that were not public even though no one’s privacy was infringed.) Scientific American would do well to let its readers know the facts, but I doubt it will.

There are certainly some serious issues related to privacy in what Scientific American calls “an age of terabytes and terror,” but RFID doesn’t actually have a lot to do with profiling or even tracking. RFID rarely provides any information relevant to consumer behavior that isn’t already collected, and an FBI agent who wanted to track terrorists would be far better off using either the GPS in their cell phones or placing GPS tracking devices in their cars. Trying to read an RFID tag in their drivers’ licenses—even with a standards-based UHF tag that can be read from 30 feet—is not going to work very well. RFID is a short-range technology, and unless you have RFID interrogators absolutely everywhere, you can’t track people. In fact, tailing the person, a decidedly un-technical solution, would be more effective.

There’s also a place for Albrecht to warn consumers against the possibility of companies embedding RFID in products without their knowledge, but Scientific American isn’t it. Science is about positing a theory and then investigating evidence from the real world to prove or disprove the theory. If Albrecht applied the scientific method to her theory that the use of RFID in the things consumers carry or wear would lead to privacy invasion, she’d find the evidence from the real world indicates, so far, that that theory is false. It seems to me that if Scientific American wanted to write about RFID and privacy, that’s what it should have told its audience.

Mark Roberti is the founder and editor of RFID Journal.