Security Getting Trampled in the Rush to RFID

Opinion: In the push to put RFID everywhere, the risks are high and the rewards seem minimal.

One of my favorite pastimes is sitting in a busy public square on a beautiful day and doing a little people watching. And Im thinking that in a couple of years, people watching in busy areas will be even more informative and entertaining.

I can picture it now: There I am, sitting at a table at an outdoor cafe, my laptop—equipped with the latest wireless technologies—sitting open next to my drink.

Hey, look at that family of tourists, I would say to myself, wondering where theyre from. No need to wonder, I think ... just a second. ... Ah, yes, theyre from Italy—Milan, to be specific. Giuseppe, the father, is 48 and has recently traveled to France and Morocco.

Hmm, that group of kids seems kind of young to be out and about in the middle of a school day. Turns out theyre from the Winston Smith Middle School in the town of Oceania, and they should be sitting in math class in Room 101 right about now.

Wow, now theres an attractive woman. And it looks like shes been doing a bit of shopping. I wonder what she bought? Let me just run this decryption program I recently downloaded. Yowza! She sure has been shopping. I wouldnt want to have to pay that credit card bill.

Some of you may wonder how I could know all this any time in the near future. But, basically, I only need things to go the way they are going now—with businesses, governments and schools pushing for a world where RFID tags are everywhere, all the time, with no stopping to think about security or privacy issues.

Recently, a grade school in California tested a program in which students were required to wear badges during the day. What school administrators neglected to tell parents was that the badges contained RFID tags and were tracking students comings and goings throughout the school. After parents expressed their outrage, the school discontinued the test.

/zimages/2/28571.gifClick here to find out why the CIO of Harvard Medical School had an RFID chip embedded in his arm.

And the examples of the rush to RFID dont stop there.

The United States is moving full steam ahead to implement next-generation passports that will store passport holders personal identification information on an unencrypted RFID chip. The United States is also requiring all countries whose citizens dont need visas to enter the United States to have similarly equipped passports by this fall.

And now Visa is planning to use RFID in its next-generation credit cards—so that people can just wave their cards at a machine to make a $25-or-less purchase—although, unlike the U.S. government, Visa plans to include several layers of security and encryption.

For the record, Im not against the implementation of RFID tags. In some business areas—especially retail and supply chain—such tags can provide much value. But, as Ive stated in an earlier column, I do think this young technology is being rushed to market. Readers of my columns know that Im a big proponent of weighing potential risks versus potential rewards. So this push for RFID in so many sensitive areas of peoples lives confuses me because the risks are so high and the rewards seem so minimal.

For example, the U.S. government claims that RFID-enabled passports will speed processing and reduce fraud. Now Ive traveled abroad many times, and, in my experience, the process of showing a border officer my passport and getting it stamped takes about 10 seconds. Im not sure how—or if—RFID can speed that up. As for the fraud argument, digitally enabling something—especially without encryption—makes duplication even easier. I have little doubt that industrious fraudsters will have an easier time copying virtual passports than they do physical passports.

As for RFID on credit cards, remotely hacking credit cards will be tough, no doubt, but I wouldnt bet money on it being impossible. At any rate, Im sure that crooks will appreciate the ability to walk through a crowd with a small device and ring up a bunch of small charges.

Putting RFID in these and other areas where it just doesnt make sense is (almost) enough to make me believe the conspiracy theorists who see Big Brother behind the concept of the technology.

All I know is that I dont think we want to make it as easy to track people and steal information in the physical world as it is in the virtual world.

Labs Director Jim Rapoza can be reached at [email protected].

To read more Jim Rapoza, subscribe to eWEEK magazine.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest news, reviews and analysis on mobile and wireless computing.