RFID: Your privacy is up for grabs

Katherine Albrecht, co-author of “Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID”, has written an article for Scientific American explaining how we inadvertently consent to lose our privacy and what’s being done about it on a federal level in the US and EU.

If you live in a state bordering Canada or Mexico, you may soon be given an opportunity to carry a very high tech item: a remotely readable driver’s license. Designed to identify U.S. citizens as they approach the nation’s borders, the cards are being promoted by the Department of Homeland Security as a way to save time and simplify border crossings. But if you care about your safety and privacy as much as convenience, you might want to think twice before signing up.

The new licenses come equipped with radio-frequency identification (RFID) tags that can be read right through a wallet, pocket or purse from as far away as 30 feet. Each tag incorporates a tiny microchip encoded with a unique identification number. As the bearer approaches a border station, radio energy broadcast by a reader device is picked up by an antenna connected to the chip, causing it to emit the ID number. By the time the license holder reaches the border agent, the number has already been fed into a Homeland Security database, and the traveler’s photograph and other details are displayed on the agent’s screen.

Although such “enhanced” driver’s licenses remain voluntary in the states that offer them, privacy and security experts are concerned that those who sign up for the cards are unaware of the risk: anyone with a readily available reader device—unscrupulous marketers, government agents, stalkers, thieves and just plain snoops—can also access the data on the licenses to remotely track people without their knowledge or consent. What is more, once the tag’s ID number is associated with an individual’s identity—for example, when the person carrying the license makes a credit-card transaction—the radio tag becomes a proxy for that individual. And the driver’s licenses are just the latest addition to a growing array of “tagged” items that consumers might be wearing or carrying around, such as transit and toll passes, office key cards, school IDs, “contactless” credit cards, clothing, phones and even groceries.

Speaking of “contactless” credit cards, the Discovery cable TV channel recently scuttled an episode of “Mythbusters” (where a team of scientists explores the veracity of stories sent in by viewers) which exposes how insecure RFID tags are. Boing Boing describes the clip thusly: “Mythbusters’ Adam Savage told the folks at the HOPE hackercon about how the Discovery Channel was bullied by big credit-card companies out of airing a program about how crappy the security in RFID tags is.”

Years ago, a university research team exposed the same story, showing that by merely sitting in close proximity to someone with a Mobil SpeedPass gas keychain fob, you can copy the information encoded on that device through the air (the “R” in “RFID” stands for radio) and replay that information at a Mobil gas station to get gas by posing as the SpeedPass owner. It would appear that credit card companies’ lawyers are more sensitive to bad public perception than Mobil is.

Update (2008 September 8): Adam Savage now says that Discovery Channel didn’t kill the RFID episode of “Mythbusters”, the show’s production company did. CNet news quotes a statement from Savage:

“There’s been a lot of talk about this RFID thing, and I have to admit that I got some of my facts wrong, as I wasn’t on that story, and as I said on the video, I wasn’t actually in on the call,” Savage said in the statement. “Texas Instruments’ account of their call with Grant and our producer is factually correct. If I went into the detail of exactly why this story didn’t get filmed, it’s so bizarre and convoluted that no one would believe me, but suffice to say…the decision not to continue on with the RFID story was made by our production company, Beyond Productions, and had nothing to do with Discovery, or their ad sales department.”

But this doesn’t really change the story in a significant way; no matter what group of people decided to kill the RFID Mythbusters episode, it appears that the episode won’t air. Trying to keep the lid on bad decisions about how to deploy RFID technology is futile and in no way benefits the public. The public is no more secure for the silence from Mythbusters, and RFID “contactless” credit cards are out there, with more on the way. So ask yourself: who does benefit?