RFID tags? Sinister chip or harmless piece of plastic and wire?
I’ve been on the side of the former for some time, but in the face of some objection from readers. A listener to a piece I did on the BBC World Service a few weeks back about the danger that RFID tags would give up too much information to anyone interested — shops, sleazeballs, governments, terrorists — wrote in to say:
Your correspondent seemed in danger of propagating the fiction that RFID tags can be read from a distance.
A RFID tag contains no power source. The read head, the device that interrogates the tag, actually transmits power to it to enable it in turn to transmit the information it contains. With most tags the range over which this will work is much less than a metre – in general the smaller the tag the smaller the range.
In other words when I am walking down the street it will not be possible for MI5 to determine where or when I bought the tagged pack of tomatoes I am carrying…
This prompted me to do a bit more digging, and I concluded thus in a reply I prepared at the time:
First off, distance is not really the issue. The reader, the machine that reads the RFID tag, could be placed anywhere — at entrances to shops, buildings, carparks, subways — to pick up information on those tags. The reader, therefore would simply pick up the information as a person passes it. In short, it’s not necessarily a question of whether MI5 is remotely trying to figure out the origin of your tomatoes from a rooftop, but that sensors placed around cities, installed for commercial, retail or government use, could easily gather this information without your knowledge.
Secondly, while it’s true that until recently RFID tags may only be readable by a normal reader within a few feet, many tags now can be read from further away. Others are already being developed that would be read over longer distances: Japanese manufacturer Toppan, for example, has just created an RFID chip that can be read 5 metres away. That’s across the room or street.
Thirdly, while it’s true that most RFID tags are passive (without a battery) some are active (with a battery inside) meaning that they can be read over much longer distances — between 100 and 300 ft (up to 100 metres) at present, I believe.
Fourthly, it’s quite possible to incorporate a reader with a high-gain antenna, in which case tags can be read at much greater distances; in some extreme cases, according to the online encyclopedia Wikipedia, up to several kilometres away.
Some of these items may not be commercially available yet, but it’s shortsighted to suggest that RFID technology is not improving so quickly that it will not reach the point where it becomes an important social issue, including MI5’s ability to gain access to your tomatoes.
Still, there’s clearly a lot of debate about this, and I was speaking to some RFID folk in Australia who say the security concerns are too far down the track to worry about, since RFID is still too young a technology to be really deployable. Reading a tag is still too tricky, apparently, for it to work properly in a commercial setting.
With all this in mind, it’s interesting to read Bruce Schneier in today’s IHT warning in no uncertain terms of the dangers inherent in the U.S. demand that countries issue passports with RFID tags in them. He points out the absurdity of arguing that RFID tags can only be read from a few centimetres away:
Proponents of the system claim that the chips can be read only from within a distance of a few centimeters, so there is no potential for abuse. This is a spectacularly naïve claim. All wireless protocols can work at much longer ranges than specified. In tests, RFID chips have been read by receivers 20 meters away. Improvements in technology are inevitable.
Bruce’s point is that this means the passports can be read by anyone who gets even vaguely close, leaving the holder vulnerable to anyone with an interest: “It means that pickpockets, kidnappers and terrorists can easily – and surreptitiously – pick Americans or nationals of other participating countries out of a crowd.”
His conclusion is unusually forthright:
The [Bush] administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can’t be done.
Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it.
I have no idea whether that bit about the Bush administration is true or not. It’s scary if it is, because it indicates that RFID is just the kind of technology we should be worried about. But for present purposes it doesn’t matter much: What matters is that we establish whether or not it’s possible to ‘snarf’ data from RFID tags in the same way Bluetooth experts have successfully showed the inherent dangers in Bluetooth-enabled phones. If someone can show that grabbing data from RFID tags at a reasonable distance is not just an academic exercise, maybe voices like Bruce’s will be heard in time to do something about it, whether it’s someone knowing my shoe size or my nationality.