For just $20, you can be Big Brother, too!

And so can hackers, stalkers, private marketers, and terrorists! All of these potential predators may target radio chip identification technology, the kind used to charge road tolls, track your shopping habits, or validate your driver's license.

An RFID chip embedded in the page of a passport. (IndyMedia.org)

Washington state, like the rest of the nation, is barreling along full-speed into the world of radio frequency identity (RFID) chips, which will soon be used in the new state "enhanced" driver's licenses and are being used to collect tolls on the new Tacoma Narrows Bridge. They are, in fact, being used in many products, from new U.S. passports to highway E-Z Passes to medical ID cards to store price tags. But concerns are being raised about the security of the technology and whether it could enable invasions of privacy by government, hackers, private companies, terrorists, stalkers, and pranksters.

Some recent, sobering articles suggest that Washington policy-makers should take these concerns very seriously, and consumers should be wary until security and privacy concerns are addressed. The rush to create radio-chipped driver's licenses – approved by the Legislature and signed into law by Gov. Chris Gregoire this year as part of a federal pilot project – is of particular concern.

An article in Wired gives an overview of the rapid expansion of RFID:

RFID chips are everywhere – companies and labs use them as access keys, Prius owners use them to start their cars, and retail giants like Wal-Mart have deployed them as inventory tracking devices. Drug manufacturers like Pfizer rely on chips to track pharmaceuticals. The tags are also about to get a lot more personal: Next-gen U.S. passports and credit cards will contain RFIDs, and the medical industry is exploring the use of implantable chips to manage patients. According to the RFID market analysis firm IDTechEx, the push for digital inventory tracking and personal ID systems will expand the current annual market for RFIDs from $2.7 billion to as much as $26 billion by 2016.

The problem is that the risks are considerable. According to eWeek.com:

As if RFID chips in driver's licenses and passports weren't scary enough already, London's Royal Academy of Engineering is suggesting that someday a terrorist will be able to read personal details from a distance and, given the right antennas and amplification, set a bomb to go off when a particular person gets within range. It's already widely acknowledged that unencrypted data stored on an RFID chip in a passport can be read covertly by anybody with a pass-by reader. As the [American Civil Liberties Union] pointed out at Black Hat earlier in March, you can buy parts on the Internet to make a reader for as little as $20.

Wired offers a look at the ease with which RFID technology is hackable. Not only can data be read, stolen, and manipulated, but cookies can also be placed on the chips to allow private parties to track you. Wired follows several people who show just how easy it all is.

Aside from pranks, vandalism, and thievery, Grunwald has recently discovered another use for RFID chips: espionage. He programmed RFDump with the ability to place cookies on RFID tags the same way Web sites put cookies on browsers to track returning customers. With this, a stalker could, say, place a cookie on his target's E-Z Pass, then return to it a few days later to see which toll plazas the car had crossed (and when). Private citizens and the government could likewise place cookies on library books to monitor who's checking them out.

With current proposals to expand road tolls throughout the Seattle area in the name of congestion pricing – meaning every vehicle would be carrying a trackable RFID transponder – that revelation is particularly scary.

If Washington officials and policy-makers aren't scared yet, perhaps they should talk to their colleagues in California. There, a bill is working its way through the Legislature to limit the use of RFID. Kim Zetter of Wired reports:

The bill, which California lawmakers believe is the first of its kind in the nation, would prohibit the use of radio-frequency identification, or RFID, chips in state identity documents such as student badges, driver's licenses, medical cards and state employee cards.

The bill does make some exceptions, for example for devices used to collect bridge and road tolls and to track prison or mental health facility inmates. But it would limit abuses by the government or unauthorized hackers:

Concerns about RFID center around surreptitious scanning and tracking, since data on the chips can be picked up by either an authorized or an unauthorized reader without the knowledge of the person carrying the chip. For example, a student participating in a protest on a state university campus could be scanned by a campus policeman carrying a reader to track his political activities. Or, depending on the kind of data stored on the card, someone could read the data on a chip in order to clone it and create false documents.

One of the incidents that sparked concern in California involved real students. Not hypothetical college protesters, but elementary school kids being used as RFID guinea pigs:

In January, Brittan Elementary School in Sutter, Calif., began requiring students to wear photo ID cards embedded with an RFID chip containing a 15-digit number assigned to each student to track attendance. The school cut a deal with a local maker of the technology to test the tracking system and receive a percentage of profits if the company succeeded in selling the system to other school districts. But after a group of outraged parents protested the plan, the school dropped it.

The federal government is also looking at RFID standards and pitfalls. According to eWeek.com, the "National Institute of Standards and Technology, a nonregulatory agency of the U.S. Department of Commerce, has published its guidelines for deploying radio-frequency identification."

The agency also lays out concerns that are specific to the growth in use of the technology. The more widespread RFID is, the greater the potential for privacy abuses:

"As people possess more tagged items and networked RFID readers become ever more prevalent, organizations may have the ability to combine and correlate data across applications to infer personal identity and location, and build personal profiles in ways that increase the privacy risk," wrote the report's author.

In other words, RFID dramatically expands our capability to create and mine databases of personal information, travel records, shopping patterns, health records, and more.

RFID is not the only problem. A report in USA Today on May 3 indicates that Homeland Security is studying the feasibility of equipping all cell phones with a radiation, biological, and chemical detector tied to a national GPS system that would allow each phone to be tracked and located. And it isn't only ordinary citizens who are concerned about being tracked: even U.S. Defense Department contractors are getting jumpy, as with the recent Canadian coin surveillance scare.

In short, we have not only Big Brother to worry about but potentially millions of his Little Brothers, as well.

   

About the Authors & Contributors

Knute Berger

Knute “Mossback” Berger is Crosscut's Editor-at-Large.