FAQ on RFID and RFID privacy
A RFID (Radio-Frequency IDentification) tag consists of a small silicon microchip attached to an antenna. The chip itself can be as small as half a millimeter square – roughly the size of a tiny seed. Some RFID tags are thin enough to be embedded in paper. An RFID tag is capable of transmitting a unique serial number a distance of up several meters in response to a query from a reading device.
RFID tags are already quite common in everyday life. Examples include proximity cards used as replacements for metal door keys, SpeedPass® payment devices, and the small dashboard plaques for automated toll payment. Tens of millions of pets around the world have surgically embedded RFID tags that made it easier to identify them should they become lost.
RFID stands for Radio Frequency IDentification. An RFID tag transmits a unique identifier to a nearby reader via radio waves.
At present, basic RFID tags in small quantities can cost as much as $1.50. This cost is expected to drop very rapidly in the next few years, to $0.10 or less in quantity. Readers, likewise, are expensive at present, costing as much as several thousand dollars each. As they become a commodity item, their cost will also drop considerably.
An RFID tag may be read at a range of up to several meters (over ten feet). The read range of an RFID tag, however, depends greatly on its operational frequency and environment.
There are two key differences:
(1) An RFID tag can be read via radio. This means that it may be scanned through other objects, and often does not need to be specially oriented with respect to a reading device. RFID tags can sometimes be read at greater distances than barcodes as well.
(2) RFID tags transmit unique identifiers. A barcode indicates the type of item it is printed on, e.g., a package of razor blades. An RFID tag indicates not only the type of object it is attached to, but also a unique serial number.Thus an RFID tag can distinguish a given package of razor blades from every other one in the world.
Inexpensive RFID tags are passive, meaning that they lack batteries and obtain their power from the query signal of a reading device itself. More expensive active tags contain batteries. They are less robust than passive tags, but have greater read ranges and transmission power.
An inexpensive RFID tag can store very little information – only on the order of a few hundred bits. EPC tags (see below) will in many cases have no writeable memory at all. On the other hand, the unique identifiers contained in an RFID tag can act as a pointer to a database entry for the tag, much like a URL. This database entry can contain a great deal of information about the read history of the tag. Thus, in a sense, in a networked environment, a tag may be regarded as having a considerable amount of associated storage. This is very useful in recording, for example, the lifecycle of a product – its manufacturing location, way points and dates of shipping, and so forth.
In a limited sense, the answer is yes. An RFID tag will only emit a serial number in proximity to a nearby reader. Your identity is revealed by this process only if the owner of the reader knows that the serial number in question is in a tag that belongs to you. In principle, large databases that associate identities with tag serial numbers could make this possible. On the other hand, amassing such databases is a challenge in and of itself, and someday privacy-protection legislation might impede the ability of organizations to compile (and/or share) such databases.
It’s also important to keep in mind that RFID tags don’t always work. For instance, UHF tags (the kind likely to be most widely used) are virtually unreadable near the human body because of its high water content. Scanning RFID-tagged clothing is not necessarily an easy matter!
A UPC (Universal Product Code) is the sequence of numbers in a U.S.-standard barcode today. An EPC (Electronic Product Code) is a standard for data formats in RFID tags that is meant to replace that for barcodes. For example, an EPC-96 code has four components:
(1) A version number, indicating the tag type (e.g., 96-bit EPC Class 1);
(2) A domain manager, i.e., a number specifying the entity that administers the tag code, e.g., "ABC Sneaker Co".;
(3) An object class, i.e., a number specifying the type of product the RFID tag is attached to, e.g., "Model L high-top sneaker"
(4) A unique identifier, a number that, in combination with the other EPC components, uniquely specifies the tag (and object).
In addition, a tag contains two non-readable data elements: A 16-bit checksum (cyclic redundancy code) used to identify transmission errors, and a PIN, used for such operations as "killing," i.e., permanent disablement of the tag for privacy enforcement.
One company offers a surgically implantable LF RFID tag. It is about the size of a grain of rice. Proposed uses include storage of medical data, kidnapping deterrence, building access, and even implantable payment technology. This device transmits a unique identifier at a distance of up to several feet. It has provoked grave concern among privacy advocates.
There are many protocols for HF RFID tags, but the most prevalent at present is ISO/IEC 15693, a global standard compliant with the regulations of most nations. UHF tags are supported most notably by EPCglobal and also the emerging ISO 18000-6 standard. There is as yet, however, no truly international standard for such tags, as governmental regulations vary in this range of the radio spectrum.
Yes. A metal or foil-lined container that is impenetrable to radio-frequency waves is known as a Faraday cage. An RFID tag in a Faraday cage is effectively unreadable. It is also possible to jam the reading of RFID tags with devices that broadcast powerful, disruptive radio signals. Such jamming devices, however, will in most cases violate government regulations on radio emissions.
Yes. This is an effective approach, but a dangerous one. RFID tags can purportedly catch fire in microwave ovens.
Various media reports have suggested that there were plans in Europe to embed RFID tags in currency by 2005. It is the position of RSA Laboratories at this time that such a plan is highly unlikely in the next several years. Indeed, RFID tags do not seem likely to serve as a cost effective anti-counterfeiting measure at present. RFID tags might be used to help track currency. As explained in a scientific paper by RSA Laboratories, however, it is very difficult to provide tracking capabilities to law enforcement authorities without making those capabilities more generally available and thus jeopardizing privacy.
RFID is just one technology among a host of wireless devices. Different devices, however, pose different types of threats. In the case of mobile phones, information about your whereabouts (and calling patterns) is regularly available only to your service provider, a centralized and highly regulated source of information gathering. An adversary with special-purpose equipment would also have the capability of tracking your mobile phone, but this would require significant expertise and investment.
What makes RFID a more significant privacy threat in many ways than mobile phones is the fact that readers will be readily available and ubiquitously deployed. In other words, RFID readers will soon be an accepted element of everyday life (while eavesdropping equipment for mobile phones is unlikely to be).
RFID tags can help combat counterfeiting by providing a clearer and more detailed picture of the flow of goods. RFID tags, however, are themselves subject to cloning. This is particularly true of inexpensive RFID tags. Attaching an RFID tag to a valuable object may help establish its whereabouts in a supply chain, but may not serve as a reliable mark of authenticity.
Basic RFID tags only transmit identifiers in fairly close proximity to reading devices, and have no awareness of their geographical location in a global sense. More sophisticated and expensive devices, particularly those equipped with GPS (global positioning system) technology, are capable of providing continuous and fairly precise geographical data. RFID is a rudimentary wireless device; that is what makes it inexpensive and easy to deploy on a widespread basis.
Absolutely not. It is important to remember that technology can be not only a cause of erosion of privacy, but also a remedy for the problem. A well conceived and deployed technology can address the needs of different stakeholders in a balanced way. Scientists are working not only on making RFID more reliable and pervasive, but also on ways to make RFID privacy-friendly.