Surpriv: RFID Surveillance and Privacy

Project Jumpstart, discussed in this article, is an effort by major pharmaceutical manufacturers to test item-level RFID tagging of drugs as an anti-counterfeiting/theft strategy.

In considering the surveillance issues, drugs are certainly a sensitive issue; on the other hand, it would be easy to “shed” the tags, as an end consumer. My question would be more toward the claims for anti-counterfeiting. Given that the means of detecting counterfeits won’t be through detecting a counterfeit tag–tags are easily copied–but in assessing the object’s claimed pedigree, it just seems too complex to work all that well. Any number of insiders could probably compromise such schemes fairly easily, for example; until and unless RFID reading throughout supply chains becomes highly pervasive, a great many products will sport pretty sparse pedigrees as it is.

As RFID becomes more pervasive, and if and when concerns re surreptitious monitoring arise, we should expect to see countermeasures emerge. Thus far we’ve got (1) shielding; and (2) spoofing. The former would include any means to block RF, from something as trivial as a Mylar bag, to as “trendy” as products from mobileCloak. The latter would include such technology as RSA’s “blocker tag.”

Clearly shielding will work, though it may raise some pain-in-the-neck issues, e.g., while CalTrans issued its customers Mylar bags to shield their toll payment transponders when not needed for paying tolls (and avoid being data points for later-installed traffic monitoring sensors), I’m sure they’re anticipating that most customers will just toss said bags into the drawer rather than juggle with bagging and unbagging the transponder while driving. (An interesting question for RFID and surveillance is whether or not one can easily detect the presence of shields, doing, for RFID, what X-ray screeners do in flagging X-ray shielded objects for hand searching.)

The concept of blocker tags is more interesting: the blocker tag, in the words of its creators, “spams” readers with a surfeit of signals, creating a blizzard of false reads. Blocker tags should be easily detected, then… not a stealthy countermeasure.

An interesting article, very much related to RFID, with a little analytical fleshing out:
http://story.news.yahoo.com/news?tmpl=story&cid=519&ncid=519&e=8&u=/ap/20040719/ap_on_re_us/theme_park_lines

The idea here is that the people hate waiting in lines at theme parks, so they can rent devices to inform them when it’s their turn to go on the rides. A lot like taking a ticket at the deli counter, and meandering nearby aisles if the wait is sufficiently long (and if the “Next Served” indicator is visible).

But a park operator (or the service operator, providing the devices on behalf of the park) would be crazy not to include geo-tracking in such devices: you’ve got a free vehicle (in the form of the park patron) for collection of behavioral data.

Not mentioned in the article is another upside of turning people into tagged objects which can be managed like “just-in-time” inventory: the ability to better disperse them in the park, for safety/security reasons. If you were looking to cause panic in America, sneak a bomb into a thick crowd queued up for the latest craze in theme park rides… if the crowd can be scattered out to other activities while they wait for rides, they’re less of a target (and more accessible to your refreshment stands).

A few years hence, we won’t be forking over $10 for a day’s rental of a scheduling device, we’ll just be authenticating our own [cellphone/PDA/e-wallet/etc.] device to the theme park’s management network, which will then handle all the notifications, alerts and alarms, and take our orders for any ancillary services happily and quickly for the duration of our visit…

“An Internet of Less-Than-Solid Things” is an essay on RFID News, considering how the EPC, when without physical RFID tags, and the Object Naming Service (ONS), may facilitate new applications and uses, e.g., assigning unique identifiers to intangible goods, or even services.

The article was picked up by Slashdot.

RFID users say no privacy law needed? http://www.net-security.org/news.php?id=5618

Well, in this case, RFID users in the sense of, “companies that intend to make use of RFID to monitor things,” and not Joe Citizen encountering and using RFID-enabled things.

Discussion of hearings in the U.S. Congress on RFID and privacy.

A bill by Sen. Debra Bowen that passed in the California State Senate dies in the other legislative chamber: http://www.rfidjournal.com/article/articleview/1015/1/1/

According to RFID Journal, “Opponents convinced the majority of the committee members that the timing for the bill (SB1834) was wrong and that the bill should not precede the actual installation of RFID in businesses and libraries. Opponents indicated in a letter to assembly members that it was inappropriate to pass legislation regarding a technology before it had been determined how RFID tags would actually be used.”

The FTC held a workshop on RFID, applications and implications for consumers, on June 21, 2004: http://www.ftc.gov/bcp/workshops/rfid/index.htm

As of today, there were 38 comments filed, including one from us: http://www.ftc.gov/os/comments/rfid-workshop/index.html

I’ll be actively posting to the Surpriv blog in the coming days; for various reasons we’ve been on hiatus.

At present new postings here are not open for comment, due to pernicious blog spam. If you’d like to be granted access to post or comment, drop me note at ross@stapleton-gray.com