RFID privacy and security

RFID News has a straightforward, clear explanation of the issues with RFID security and privacy, presenting possible solutions.

One primary issue is that RFID readers and tags generally communicate using unencrypted messages. This means scanners can read them plaintext. However, adding encryption to the tag would increase its size, complexity, and cost.

Encryption would also mean that all readers would have to be able to decrypt (unless you specifically did not want this, like for passports) else the tag would be useless.

The State Department added several new levels of security to passports after getting huge flack.

1. Encryption: The information would be encrypted in the RFID chip.
2. Access Control: The key to decrypt the data would be encoded in the passport and could only be obtained by scanning the passport with an optical reader. The passport reader would then decrypt the information using that key.
3. The passport covers would contain a metallic mesh that would create a Faraday Cage, essentially rendering unreadable the RFID chip when the passport covers were closed.

BTW, some envision RFID in everything, like on clothes. Thus, your RFID-enabled washing machine would be able to determine how best to wash your clothes. (Would it refuse to operate, issuing stern warnings if you mixed white and colored clothes? Would there be an override button to tell the machine to shut and just wash the clothest?)

The conspiracy theory

The most aggressive privacy concern groups claim that governments could potentially gain access to all commercially controlled RFID databases and, therefore, have full access to the consumer, travel, and general habits of its population. Or governments could achieve this by deploying wide-area RFID infrastructures where all the activities of its citizens could be tracked, from what they buy, to what they read, to where they travel, to what they watch on videos.

Paranoid? Maybe… But privacy advocates need to keep the pressure on governments to insure that this never happens.

Another problem is compatibility across all systems. Wal-Mart requires vendors to put RFID tags on pallets shipped to them. Not all vendors have, at least in part because doing so means buying the same equipment Wal-Mart uses. But maybe CostCo uses a completely different system. Sounds like the early days of BBSing when modems from different vendors had competing standards and didn’t always talk to each other.