Edward Felten, known for his research on how public technology policy affects computer security and privacy, was the technology speaker at the U.S. 1 Showcase in 2003 (U.S. 1, August 20, 2003). Recently he wrote about the potential problems with RFID on his blog (www.freedom-to-tinker.com). His thoughts are reprinted here by permission:
One of the advantages of teaching in a good university is the opportunity to hear smart students talk to each other about complicated topics. This semester I’m teaching a graduate seminar in technology and privacy, to a group of about ten computer science and electrical engineering students. On Monday the class discussed the future of RFID technology.
The standard scenario for RFID involves affixing a small RFID "tag" to a consumer product, such as an item of clothing sold at Wal-Mart. (I’m using Wal-Mart as a handy example here; anyone can use RFID.) Each tag has a unique ID number. An RFID "reader" can use radio signals to determine the ID numbers of any tags that are nearby. Wal-Mart might use an RFID reader to take an inventory of which items are in their store, or which items are in the shopping cart of a customer. This has obvious advantages in streamlining inventory control, which helps Wal-Mart operate more efficiently and sell products at lower prices.
This sounds fine so far, but there is a well-known problem with this scheme. When a customer buys the item and takes it home, the RFID tag is still there, so people may be able to track the customer or learn what he is carrying in his backpack, by scanning him and his possessions for RFID tags. This scares many people.
The risk of post-sale misuse of RFID tags can be mitigated by having Wal-Mart deactivate or "kill" the tags when the customer buys the tag-containing item. This could be done by sending a special radio code to the tag. On receiving the kill code, the tag would stop operating. (Any practical kill feature would allow a special scanner to detect that a dead tag was present, but not to learn the dead tag’s ID number.)
Killing tags is a fine idea, but perhaps the consumer wants to use the tag for his own purposes. It would be cool if my laundry hamper knew which clothes were in it and could warn me of an impending clean-sock crisis, or if my fridge knew whether it contained any milk and how long that milk had been present. These things are possible if my clothing and food containers have working RFID tags.
One way to get what we want is to have smarter tags that use cryptography to avoid leaking information to outsiders. A smart tag would know the cryptographic key of its owner, and would only respond to requests properly signed by that key; and it would reveal its ID number in such a way that only its owner could understand it. At the checkout stand, Wal-Mart would transfer cryptographic ownership of a tag to the buyer, rather than killing the tag. Any good cryptographer can figure out how to make this work.
The problem at present is that garden-variety RFID tags can’t do fancy crypto. Tags don’t have their own power source but get their power parasitically from an electromagnetic "carrier wave" broadcast by the reader. This means that the tag has a very limited power budget and very limited time – not nearly enough of either to do serious crypto. Some people argue that the RFID privacy problem is an artifact of these limitations of today’s RFID tags.
If so, that’s good news, because Moore’s Law is increasing the amount of computing we can do with a fixed power or time budget. If Moore’s Law applies to RFID circuits – and it seems that it should – then the time will come in a few years when dirt-cheap RFID tags can do fancy crypto, and therefore can be more privacy-friendly than they are today. The price difference between simple tags and smart tags will be driven toward zero by Moore’s Law, so there won’t be a cost justification for using simpler but less privacy-friendly tags.
But here’s the interesting question: when nicer RFID tags become possible, will people switch over to using them, or will they keep using today’s readable-by-everybody tags? If there’s no real cost difference, there are only two reasons we might not switch. The first is that we are somehow locked in by backward compatibility, so that any switch to a new technology incurs costs that nobody wants to be the first to pay. The second is a kind of social inertia, in which people are so accustomed to accepting the privacy risks of dumber RFID technologies that they don’t insist on improvement. Either of these scenarios could develop, and if they do, we may be locked out from a better technology for quite a while.
Our best hope, perhaps, is that Wal-Mart can benefit from a stronger technology. Current systems are subject to various uses that Wal-Mart may not like. For example, a competitor might use RFID to learn how many of each product Wal-Mart is stocking, or to learn where Wal-Mart customers live. Or a malicious customer might try to kill or impersonate a Wal-Mart tag. Smarter RFID tags can prevent these attacks. Perhaps that will be enough to get Wal-Mart to switch.
Looking further into the future, the privacy implications of small, communicating devices will only get more serious. The seminar read a paper on "smart dust," a more futuristic technology involving tiny, computationally sophisticated motes of dust that might some day be scattered across an area, then picked up by passersby, as any dust mote might be. This is a really scary technology, if it’s used for evil.
Today inventory control and remote tracking come in a single technology called RFID. Tomorrow they can be separated, so that we can have the benefits of inventory control (for businesses and individuals) without having to subject ourselves to tracking. Tracking will be more possible than ever before, but at least we won’t have to accept tracking as a side-effect of shopping.
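The owner-keyed "smart tag" scheme sketched above (a tag that answers only requests authenticated under its owner's key, reveals its ID only to that owner, has ownership transferred at the checkout stand instead of being killed, and, if killed, is detectable but unreadable) can be simulated on a PC to show what it buys and what it does not. The following is an added example written for this reprint, not code from Felten's post or from any RFID vendor. It is a hypothetical protocol built only from HMAC-SHA256: the post's "properly signed" requests are modelled as symmetric MACs under a shared owner key, the tag ID is hidden by XOR with a per-read PRF pad so successive replies are unlinkable, and the tag ID, key sizes, field labels (`query`, `id`, `xfer`, `kill`, `resp`) and `ForgedTag` attacker are all constructed for illustration. It deliberately ignores the power and time budget of a real passive tag, which is the very constraint the post says today's tags cannot meet.

```python
import hashlib
import hmac
import secrets

# Hypothetical owner-keyed tag protocol built only from HMAC-SHA256; constructed for
# illustration (assumption), not an RFID standard, and far heavier than a passive
# tag could afford. "Signed" requests are modelled as symmetric MACs.

def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF (HMAC-SHA256) over length-prefixed parts, so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def xor(a: bytes, b: bytes) -> bytes:
    """XOR data with a PRF-derived pad (result is as long as the shorter input)."""
    return bytes(x ^ y for x, y in zip(a, b))

class SmartTag:
    """Tag that answers only MAC-authenticated queries and never emits its ID in the clear."""
    def __init__(self, tag_id: bytes, owner_key: bytes):
        assert 0 < len(tag_id) <= 32 and len(owner_key) == 32
        self.tag_id, self.key, self.alive = tag_id, owner_key, True

    def respond(self, challenge: bytes, mac: bytes):
        if not self.alive or not hmac.compare_digest(mac, prf(self.key, b"query", challenge)):
            return None                      # unauthorized reader: stay silent, leak nothing
        nonce = secrets.token_bytes(16)      # fresh pad per read, so replies are unlinkable
        ct = xor(self.tag_id, prf(self.key, b"id", challenge, nonce))
        return nonce, ct, prf(self.key, b"resp", challenge, nonce, ct)

    def transfer(self, challenge: bytes, enc_new_key: bytes, mac: bytes) -> bool:
        """Checkout: the current owner hands the tag to a new owner key instead of killing it."""
        if not self.alive or not hmac.compare_digest(mac, prf(self.key, b"xfer", challenge, enc_new_key)):
            return False
        self.key = xor(enc_new_key, prf(self.key, b"keypad", challenge))
        return True

    def kill(self, challenge: bytes, mac: bytes) -> bool:
        if not self.alive or not hmac.compare_digest(mac, prf(self.key, b"kill", challenge)):
            return False
        self.alive = False
        return True

    def ping(self) -> bool:
        """Unauthenticated presence check: a dead tag is detectable but its ID is not."""
        return True

class ForgedTag(SmartTag):
    """Attacker's device that answers every query without knowing the owner key."""
    def respond(self, challenge: bytes, mac: bytes):
        return secrets.token_bytes(16), secrets.token_bytes(len(self.tag_id)), secrets.token_bytes(32)

class Reader:
    def __init__(self, key: bytes):
        self.key = key

    def read_id(self, tag: SmartTag):
        c = secrets.token_bytes(16)
        reply = tag.respond(c, prf(self.key, b"query", c))
        if reply is None:
            return None
        nonce, ct, mac = reply
        if not hmac.compare_digest(mac, prf(self.key, b"resp", c, nonce, ct)):
            return None                      # impersonated or tampered tag is rejected
        return xor(ct, prf(self.key, b"id", c, nonce))

    def hand_over(self, tag: SmartTag, new_key: bytes) -> bool:
        c = secrets.token_bytes(16)
        enc = xor(new_key, prf(self.key, b"keypad", c))
        return tag.transfer(c, enc, prf(self.key, b"xfer", c, enc))

    def kill(self, tag: SmartTag) -> bool:
        c = secrets.token_bytes(16)
        return tag.kill(c, prf(self.key, b"kill", c))

def checkout_demo() -> dict:
    """Walk a constructed tag through sale, home use, a forgery attempt, and a kill."""
    store, customer, outsider = (Reader(secrets.token_bytes(32)) for _ in range(3))
    tag = SmartTag(b"SKU-4711-unit-0042", store.key)   # constructed sample ID
    r = {}
    r["store_reads"] = store.read_id(tag)               # in-store inventory works
    r["outsider_reads"] = outsider.read_id(tag)         # competitor's reader gets nothing
    r["transferred"] = store.hand_over(tag, customer.key)
    r["store_reads_after"] = store.read_id(tag)         # store is locked out after the sale
    r["customer_reads"] = customer.read_id(tag)         # laundry hamper / fridge can read it
    r["forgery_accepted"] = store.read_id(ForgedTag(b"X" * 18, outsider.key)) is not None
    r["killed"] = customer.kill(tag)
    r["customer_reads_after_kill"] = customer.read_id(tag)
    r["present_after_kill"] = tag.ping()
    return r

if __name__ == "__main__":
    for k, v in checkout_demo().items():
        print(f"{k:28} {v!r}")
```

Running `checkout_demo()` shows the store reading the tag before the sale, an outsider's reader getting no reply at all, the store losing access once ownership is handed to the customer's key, the customer's own readers working afterwards, a forged tag being rejected because it cannot produce a valid response MAC, and a killed tag answering a presence ping without ever disclosing its ID. The one thing the simulation cannot show is the cost: every reply here requires three HMAC computations on the tag, which is exactly the budget the post says a parasitically powered tag does not have.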