. . . .
The Humanist Online A Magazine of Critical Inquiry and Social Concern .
Subscribe  |  Archive  |  Advertise  |  Write for Us  |  About Us .
. .
.
.
Essay Contest
Our annual contest is open to those ages 13 to 25. Enter your essay and win cash prizes!
Published by the:
American Humanist Association

Technology and Society

RFID Report

by Lisa Smith

Published in the Humanist, May/June 2005

Radio Frequency Identification (RFID) tags and some of the concerns regarding their uses were discussed in "Technology and Tomorrow: A Challenge to Liberty" by Brian Trent in the November/December 2004 Humanist. RFID is the generic term for technologies using radio waves to automatically identify people or objects. It is used like barcodes but considered superior because it doesn't need a direct line of vision to complete a scan. E-Z Pass toll collection on highways is an example of RFID. Key rings with buttons that release car locks are another good use of this technology. Newer cars that won't start unless the key fob is hanging from or at least being near the steering column is also RFID at work. These represent positive uses that provide benefits such as convenience and greater security.

In October 2004 the Food and Drug Administration approved an RFID tag for medical implants. Applied Digital Solutions (ADS) had previously been marketing its subcutaneous tags for nonmedical purposes, such as the implanted chips used for building security by Mexico's Attorney General and eighteen members of his staff.

People also use RFIDs for the novelty of being accepted into a trendy club or to complete very sensitive financial transactions. In March 2005 Hackensack University Medical Center in New Jersey began a clinical evaluation program of the ADS VeriChip System in its emergency department. The facility will implant in patients chips that contain a VeriChip ID number. The chip is to be used much like a medical alert bracelet and, having only the ID number stored on it, will link back to a VeriChip database that contains the patient's name, allergies, medical history, and insurance information. The FDA spent a year studying the chip-not just the health and safety issues but privacy concerns as well-before approving it.

My objection to the VeriChip, however, is that I don't see what is gained by placing the chip in my arm as opposed to giving me a bracelet with an RFID tag, like a medical alert bracelet. I understand that I might forget to wear it, but I'm disinclined to give up my dignity. And while the tags currently can only be read from a few inches, it doesn't mean that an unauthorized person won't find a way to get past that problem. And even though ADS appears to be doing things right, I don't trust that thieves won't find a way around the system and invade my privacy. I also want a way to control who can and can't scan me.

RFID tags were recently in the news when Brittan Elementary School District in California agreed to the idea of testing the InClass RFID system with students. InCom, the company that markets it, offered the school district "a couple thousand dollars" as compensation for the inconveniences of the testing. Furthermore, the district could likely earn royalties on future sales of the system. In its enthusiasm for the plan, the district failed to adequately explain to parents that the mandatory "ID badges" were actually tracking devices and perhaps went too far when, instead of having scanners only over classrooms doors to assist teachers with attendance (the stated purpose), they installed scanners over some bathroom doors as well. Some students and parents were understandably upset and, after receiving much negative attention, the program was scrapped when InCom pulled out.

Another planned installment for RFID tags is in passports and possibly driver's licenses. The tags that are planned for passports are supposedly readable only at two or three inches, but in fact they have been successfully read at up to thirty feet. This has caused some experts to wonder why the passports weren't designed to need contact with an examiner in order to be read, since this would make "skimming" impossible and wouldn't slow down the reading process. (Skimming is when someone other than the intended party reads a RFID tag, usually without the owner's knowledge.) The State Department's response is that the passport holders will have a shielding mechanism, like a foil case or something woven into the case, and someone skimming at a border station would be fairly noticeable. But this doesn't address other instances in which a traveler has to show his or her passport, such as when checking into a hotel, where someone skimming information may not be as easy to spot. We must also remember that technology is continually improving. Just because the scanner is awkward or expensive today doesn't mean it will be so in two years. We can't wait for better technology before we change the laws, lest we play into the hands of the identity thieves, as we have in the past

The same will be true if we have RFID driver's licenses. House Resolution 418-the "Real ID" bill that passed in the House-would require driver's licenses and ID cards to include a digital photograph, "anti-counterfeiting features," with a defined minimum set of data elements that the secretary of homeland security can redefine at his or her discretion, and undefined "machine-readable technology" that could be magnetic strips or RFID tags. The Department of Homeland Security would be charged with drafting the details of the regulation. Another piece of the bill would require states to link their Department of Motor Vehicles databases if they wish to receive federal funds. States would have to share all data fields printed on driver's licenses or ID cards along with complete drivers' histories. In short, we'd be creating a de facto national ID if this were to pass both houses and be signed by the president. And if your state didn't comply with the standards, you wouldn't be able to use your driver's license as ID for air travel within the United States.

The main problems with all of these uses are what little consumer education is made available and how offhand the implementations seem to be-especially given experience with the fast pace of technology and how quickly thieves adapt to such changes. A team of students at Johns Hopkins University has already "cracked" the Exxon SpeedPass. They can skim the SpeedPass and get the encrypted or encoded number. They then use software that decodes the number and hook up a device that tricks the gas pump into thinking it is reading the SpeedPass. The student team has also tricked an SUV with an anti-theft RFID device into starting up by using their skimmed and faked RFID tag. Their academic paper is available online at rfid-analysis.org/DSTbreak.pdf.

It took money, time, and expertise to break a system using encryption or code. But the proposed passport and driver's license systems don't include encryption because it would slow down scanning, make code sharing with other countries too difficult, and be more expensive. (As far as I know, the VeriChip is the only system that uses encryption. Stricter guidelines are necessary because medical information is involved.) So, for real passport security, one would have to wrap one's passport in aluminum foil and then be careful when showing it. What is always going to be of paramount concern is the security of the databases behind these systems--especially given the recent breaches of ChoicePoint and LexisNexis, two of the largest data information brokers. Both systems were hacked into and the personal records of about 450,000 people were exposed to identity theft. Such breaches have cost innocent people employment and housing, caused them to spend months trying to prove they aren't criminals, disenfranchised thousands of voters, and caused a many travelers great distress and delay. So the consequences of errors in any national data system must be considered and ways to address them need to be built into the system. Finally, we must also be aware of how long the data stays in the system, when the data is purged, and whether the government and private industry are maintaining these databases.

If schools track when students arrive and depart, that information has to be carefully guarded. The knowledge that student A always arrives alone at 7:50 a.m. and student B always stays late on a Tuesday night could be valuable to dangerous people. Also, the desire to track students beyond what is necessary for accurate attendance and safety must be strongly discouraged. It may be interesting to administrators to know when and how often students are using the restrooms, but is it worth the invasion of students' civil liberties? Similarly, if driver's licenses have RFID tags, do we scan protestors to track their activities and survey their political positions?

We're moving toward a surveillance society. The "Real ID" and the database it creates is a disturbing way of slipping a national identity card past the public (while insisting it is just a part of immigration law). The new passports are also a slick way of getting Americans used to an added level of surveillance for the tradeoff of an easier time getting through the airport and "homeland security." We must be aware that there is a database behind everything that monitors us. And it doesn't forget a thing.

Lisa Smith is information technology specialist for the American Humanist Association.
.
Copyright © 2002, the American Humanist Association