This blog entry is a work in progress. Please give me feedback.
November 15th, 2003 marked the first RFID Privacy workshop. It was held at the MIT Media Lab and organized by Simson Garfinkel (Ph.D. student and author of Database Nation). Initial impressions were that it was larger than we expected, and it appears larger than the organizers expected too. The room for the very important events of breakfast and lunch could hardly contain the people. This was the first indication that it is a hotter topic than most people, including the organizers, thought.
There were two morning keynotes, from two opposite ends of the spectrum. Mario Rivas, executive vice president of Philips Semiconductors, gave the first talk about some of the business aspect of RFID. Most of this information wasn’t new to anyone who has followed RFID. Namely the facts that RFID can greatly improve the efficiency of supply chains and would be a boon to any retail store that has to occasionally do inventory. What was a little disturbing is how he glossed over security quite a bit. The comment was made that they have the best cryptologists working for them and are able to stay two steps ahead of the bad guys, but for many in the audience with a knowledge of cryptology, this did not calm our nerves. I’d much rather know how the data is encrypted between the reader and tag than to just know it is encrypted. A final good point that was made was the deployment of RFID devices. Many organizations have RFID cards that are used for entry, MIT does and so did IIT when I went there (both under the brand name of “Prox” cards). Also, many transportation agencies are deploying RFID passes, such as the London Transport and the Chicago Transit Authority. These are nice for the consumer because the cards don’t expire and value can be replaced if lost. They’re nice for the provider because they can track wherever you get on a train or bus.
Next up was Katherine Albrecht from CASPIAN, a consumer rights organization that seeks more assurances about the safety and privacy of RFID devices. A great amount of points were discussed about how manufacturers are relying on the complete apathy of consumers to push this technology through. Some of the largest threats are problems arising from hidden tags and the possibility of data aggregation. She also spent some time showing off some of the tags and showing how various companies like Wal-Mart have been using them in tests without telling people (this is yet another reason why you should boycott Wal-Mart, that and they only sell crap).
Matt Reynolds from ThingMagic was the next person up to talk, this was probably one of the most helpful talks and made me happy that I spent time getting my electrical engineering degree even though I’ll probably never use it. For complete details, please check out his slides. Basically the issue is this, with a 1W transmitter you will not be able to read any RFID chip from more than 20 meters away, the laws of physics just don’t allow it as you’ll get too much noise over such a distance. This is because for 915MHz tags (the most common) the power decreases with square of distance. For 13.56MHz it decreases with the distance to the sixth power. Furthermore, because we’re still sending radio waves they should be fairly easy to block by things like metal or big bags of water salt water (humans). Thus ramming an RFID tag in your armpit will effectively kill it. I’ll stress again, read the slides, they’ll make you feel better about how RFID is not this solution to/cause of all the worlds woes that one might think it is.
The initial session concluded with a panel discussion by the first three presenters. There wasn’t anything really new that was brought up at this point, just some clarifications and a nice slide form Katherine that showed the distances that various manufacturers claimed their tags could be read from.