I recently posted a blog criticizing PBS NewsHour for misinforming its audience regarding radio frequency identification. The report was about cyber-security and only touched on RFID, but it quoted hacker Chris Paget making sweeping generalizations that left viewers with the notion that they could be tracked and have financial information stolen from them without their knowledge, by someone using off-the-shelf radio equipment (see PBS NewsHour Misinforms Viewers on RFID).
We sent a copy of my blog to the station, and a producer contacted me for a follow-up interview. Producers admitted they really hadn’t looked deeply into the issues Paget raised, and said they would like to at least address some of my concerns in a post on their Web site. I give them credit for this—in the past, I’ve pointed out numerous factual errors in articles run by Canada’s Globe and Mail, the Los Angeles Times and Scientific American, but none of those publications have bothered to correct the public record.
NewsHour presented the gist of what I told them—which is that RFID is not a good long-range tracking technology, and that it will have myriad benefits for consumers as well as businesses (see Radio Frequency Identification Tags: Identity Theft Danger or Modern Aid?). Unfortunately, NewsHour didn’t bother to check the information Paget supplied, and his response to my criticism only compounds the erroneous view presented in the original broadcast.
The article on NewsHour’s Web site says: “[Paget] says that since RFID usually works at only a few inches, the fact that he can read transponders from 200 feet is, in his estimation, ‘long distance.’” This is in response to my claim that the term “long distance” is hopelessly vague. But either Paget does not know that high-frequency (HF) “proximity” tags are designed to be read from only a few inches and ultrahigh-frequency (UHF) tags are intended to be read from 30 feet or more, or he is deliberately misleading the NewsHour team.
In a video filmed from a balcony in Las Vegas, Paget clearly indicates he is talking about UHF tags used by Wal-Mart and in PASS cards (see Chris Paget talks about long-range RFID tag reading), not proximity cards. What’s more, we reported two years ago that Mojix could read UHF transponders from a distance of 600 feet (see Mojix Takes Passive UHF RFID to a New Level).
The NewsHour article says: “[Paget] thinks with better technology, they can be read at several miles, eventually. He also says that radar principles are used, and that radar is designed to give direction and range, so that tracking of a person is completely possible—an allegation that Roberti disputes.”
So, if you are NewsHour, what you have told people is this: Be concerned, because one hacker believes that one day, tags will be read from miles away and provide directionality. This is very different from the original report, which said that the tags can be used to track people today.
Of course, all of this is really irrelevant. Reading tags from 200 feet instead of 20 feet doesn’t fundamentally constitute a threat. If you can read tags from only inches away and gain some useful information, that’s a bigger threat to privacy than reading useless information from miles away. And here is where NewsHour should have pressed Paget for more detail.
The story says, in response to my claim that nothing useful can be gleaned from the UHF tags he is reading, “Paget says that information on an RFID tag can be useful; the numbers that can be deciphered give away the state where the tag was issued, what type of card (credit card, Social Security, phone, etc.) it is. He claims that it is a start to build a database on a person.”
Let’s examine those claims. The numbers can determine what type of card it is? Really? He is reading a UHF tag. The transponders in credit cards are HF and cannot be read from 200 feet. Furthermore, there are no tags I know of that have Social Security numbers or phone numbers on them. How is he getting this information? And how, exactly, would someone start to assemble a database on a consumer? I invite Paget to write an article or agree to an interview to explain this claim, because if this is really possible, it is something the industry must address immediately.
The only legitimate issue here that I can see has to do with PASS cards and RFID-enabled driver’s licenses, which use UHF tags that were designed with minimal security because they were supposed to be utilized for tracking goods in the supply chain. You could read a tag from as much as 600 feet away with the proper equipment and potentially identify people at, say, a political rally. RFID Journal has made the point that government agencies need to take steps to ensure that individuals cannot be tracked with government-issued identity documents. The agencies have not always complied, however, so I would agree that there are privacy issues involving PASS cards and RFID-enabled documents that need to be addressed. (A little tinfoil around a license or PASS Card solves the problem.)
Lastly, the article says: “Paget says he’s not anti-RFID, as Roberti claims. Rather, he is against abuses where RFID is used in identification documents. He says the trade group that the RFID Journal represents has taken issue with his work before.”
First, RFID Journal does not represent any trade group, and second, the idea that he is not an opponent of RFID is absurd. He claims to be against abuses, but there have been no abuses. He’s making unsubstantiated—and, in some cases, clearly false—claims (such as that the technology can be used to gain credit-card data from a distance of 200 feet). That hardly makes him an objective observer.
If Paget were objective, and if PBS NewsHour had done its homework, both would realize that the RFID industry has already addressed the problem that Paget claims could happen “eventually.” This year, tags will be on the market that will allow retailers to mask a tag’s serial number, so if you were walking around with tagged items and Paget were up on his balcony, all he would be able to read would be random serial numbers or a string of zeros.
The RFID industry is also hard at work on a standard for employing encryption on UHF tags. Once this happens, you won’t be able to eavesdrop on UHF transponders in PASS cards or driver’s licenses (I’m assuming government agencies will use these new, secure transponders). Those tags are at least two years away. I can’t wait for them to arrive, but I know that even then, it will not be the end of this nonsense.
Mark Roberti is the founder and editor of RFID Journal.