Tune in to RFID – all secrets all the time!

Radio Frequency Identification tags, or RFID, is a burgeoning new technology about to find applications in many sectors. RFID is a tiny chip that broadcasts data into the open air around it, much like a miniature radio station. The widest early-adopter, Walmart, will print stickers with RFID chips embedded, affix the stickers to all merchandise, and will be able to catalog inventory simply by walking down each aisle with a RFID receiver. This will substantially reduce costs in inventory tracking, shipping, receiving, and service. Truly a fascinating and powerful technology.

In fact, the technology is so powerful that various governments are preparing to incorporate RFID into passports, drivers licenses, travel visas, and other forms of citizen identification. This is very bad news for said citizens.

The positive side of RFID in identification is that many assets, material or human, can be tracked without physical contact. This allows for more efficient handling of long lines of irate travelers. It also means that receivers require less servicing as there are no moving parts or points of physical contact.

This is where the good points end. The other ramifications point to catastrophes of liberty and security – the very points argued in favour of this technology.

Historically, Walmart employees had to enumerate inventory by hand, removing items from shelves in many cases to get an accurate count. RFID enables them to do so without any contact whatsoever; tagged stock not yet unloaded from trucks could potentially be counted without even opening shipping crates. It will also be possible to determine precisely what products customers are carrying, what aisles they browse and for how long, and what Walmart products they are wearing. Couple this with an RFID Walmart card (this is speculation but with valid potential) and individual customer profiling is just a scan away.

This is the fundamental problem with RFID applications in tracking people – it can be done without their knowledge or assent. Governments, airport security, and police can forgo the unpleasantness of a “papers please” customs booth by simply eliminating the vocal request (and your accompanying response). Your “papers” on your RFID-enabled passport will be broadcast 10 metres around you at all times, readable by anyone with the proper receiver.

This is the biggest problem with the plan. Anyone who owns a Microsoft operating system knows how frequently security vulnerabilities are exploited. These exploits are usually followed up by patches to close the vulnerability. This is possible because computers are variable entities, designed to allow functionality to be modified as is needed over time. RFID tags are one-way, static chips that cannot be changed at all. As soon as the encryption is broken, your ciphered data is open to anyone with a compatible reader.

This is the crux of my alleged catastrophe. This fundamental flaw enables identity thieves and terrorists to become more powerful, flexible, and fast than ever before.

Instead of pre-establishing fake identities, terrorists could capture the identity of someone who just bought a ticket on a desired flight and immediately assume that identity. If something goes awry and the identity is flagged, another identity could be procured momentarily. Walking from one side of an airport to the other would yield thousands of valid IDs ripe for plucking.

Instead of digging through garbage for VISA slips, identity thieves could stand behind a shopper in the checkout line, scan their RFID identity, and take note of the shopper’s purchases. The thief could then use these combined data to convince a higher-up at the store to surrender even more private information about the victim, which in turn could be used to flesh out this borrowed persona for all kinds of nefarious uses – to take out a loan in the victim’s name, apply for credit cards, sell the identity to other criminals, and much more.

If you’re American you’ll likely have an RFID-enabled passport by the end of the year. You won’t be able to fly without one, unlike recent years where Americans were not obliged to identify themselves at all in order to travel. Though you can’t fly without proving your identity, you may want to ensure your identity stays safe until you allow it.

Though the technology will be applicable to countless industries and private uses, it will be up to governments to understand and limit the technology to its intended task – transmitting innocuous data that is meaningless out of context; RFID was designed for use in closed systems such as companies or warehouses.


Many thanks to those who replied to my comment on the related article on Slashdot. You gave me some great ideas and I credit you for them. Especially slavemowgli who had particularly poignant thoughts.

By brian

About Brian Damage:

Who is Brian really?
I live in Toronto, Canada, and work for an IT firm. That's about as much real-world info I'm comfortable divulging here. What you read on my blog is the real Brian, but, for the sake of freedom of speech, I feel most comfortable leaving a gulf between my cyberspace and meatspace personae.

Who is Brian at work?
My ridiculous job title is "Marketing Specialist" since I wear so many hats at work. I'm a technical writer, a specialist in enterprise search technologies, an electronic forms designer, a newsletter author, system administrator... but I'm in the Marketing department so for the time being I'm stuck with this inauspicious title.

Who is Brian at play?

Who is Brian