RFID? Theyre Already Following You

European wireless editor Guy Kewney has a strange feeling that he's being watched. He's probably right.

It isnt very often that Europeans suspect Americans of being pioneers in anything to do with wireless, but the growth of "contactless" credit cards could mean that the New World will leapfrog the Old World in mobile payments.

What isnt clear, is whether society--business society and private society--has calculated the "social control" implications of the resulting data explosion.

Of course, you only have to say, "RFID," and even quite techno-innocent people will blench, turn pale, and start chanting mantras about privacy. They are afraid of ghosts. They have this fearful vision of a future in which your clothes contain RFID chips and as you walk down the street sensors pick them up and report your location back to Big Brother.

Reality, naturally, is less exciting. For the few who have got all their information about RFID from strident activists with wide mouths and closed ears, these things only have a range of about three inches. And yet...reality may, after all, turn out to be even more exciting because these mobile payment gizmos look like theyre going to betray far more about their owners than you could possibly believe (unless you were working in the field, of course).

The background to RFID in mobile payments can be found in a hundred pilot projects around the world, according to Dave Birch of Consult Hyperion. "At a contactless card convention in London, Canadian security consultant Stefan Brands pointed out a few stark facts about the sort of data that was being collected, and asked some even more stark questions about "who is managing it?"

"The technology is already widely used in transportation: mass transit and road tolls," Birch observes. "Drivers put a vicinity tag on their dashboard to be read by roadside gantries, for example. But the use of these tags for other purposes is snowballing."

In particular, mobile payments, Birch emphasizes, are becoming the way forward for RFID.

What Americans perhaps dont realize, as they start to become aware of pilots like the Exxon-Mobil SpeedPass tags, is that such projects are far more advanced than in other countries, and are attracting financiers attention.

"In the UK and other countries were doing the chip and PIN migration; were catching up with France," Birch says. "All the boring old bank magnetic stripe credit and debit cards are being replaced by super new chip cards where push your card into a reader, and you punch in your PIN instead of signing. Millions are being rolled out, but its actually old technology."

In the US, says Birch, they still havent gone down that route. They may not ever do so. "Whats sitting behind this, is that the US may decide to skip over that generation because their online fraud levels are so much lower," he says. "Its because they have far more online point-of-sale terminals, They may go directly to contactless."

The trend now is to build these contactless cards into a wider and wider variety of devices. Mobile phones are an obvious example. At this stage, they arent used in phones; the fact that they have a radio in them which could link back to a credit agency isnt being used. But the phone networks--all of them--are swiftly becoming aware of the potential for taking their slice of the payment salami.

What users dont realize is just how powerful this data is. The intrusion level is just terrifying. One consultant who recently reported a stolen credit card told me this week about how he was summoned by his bank to go through the transactions and verify which were his, and which were the thiefs transactions.

"What was really, really scary," he said, "was the way they could track me through the town, with visits to the ATM, purchases at PoS terminals, and other data collected by other sensors. I was able to say which shops I visited, when I discovered the card was missing, and which shops I didnt visit, which must have been the thief. But the route was astonishingly detailed."

Amalgamate the data from the bank with the data from Exxon with the data from a transit system. Then add a loyalty card system, a mobile phone payment network, and a Government ID card system. The result: the State can track every citizen with far, far more detail than a simple RFID tracker could ever manage.

Were on the way--but we arent there yet.

In most mass transit rail systems, for example, contactless cards are having their teething troubles. Oyster, in London, is in the news for over-charging Tube travelers who dont wave their cards at the sensor if the gates are open. Octopus, in Hong Kong phones, started as a transit payment scheme, but already is being used in cake shops.

"The real pioneers are now stuck with the old technology," comments Birch. "For example, in South Korea they were way ahead, but they used infra-red and are now obsolete." The newer developments are proving very popular with consumers, but the privacy issues are invisible to them.

"Its probably quite right to worry about the intrusion effect," said Birch, "but the really important feature of this development is the way the payment authorization is being taken out of the hands of banks. Legal issues will change how things evolve in different territories. For example, the law in the European Community means you dont have to be bank to offer electronic money."

"Many players (including, crucially, retailers) are beginning to realize that contactless cards are more than a convenience for consumers," concludes Birch. "[They are also] a vehicle for finally realizing the long-touted benefits of the smart card revolution."

And, of course, for also realizing the long-feared risks of centralized data. Except that nobody seems to be looking that way.