Right now, you can buy a hammer, a pair of jeans, or a razor blade with anonymity. With RFID tags, that may be a thing of the past. Some manufacturers are planning to tag just the packaging, but others will also tag their products. There is no law requiring a label indicating that an RFID chip is in a product. Once you buy your RFID-tagged jeans at The Gap with RFID-tagged money, walk out of the store wearing RFID-tagged shoes, and get into your car with its RFID-tagged tires, you could be tracked anywhere you travel. Bar codes are usually scanned at the store, but not after purchase. But RFID transponders are, in many cases, forever part of the product, and designed to respond when they receive a signal. Imagine everything you own is "numbered, identified, catalogued, and tracked." Anonymity and privacy? Gone in a hailstorm of invisible communication, betrayed by your very property.
But let's not stop there. Others are talking about placing RFID tags into all sensitive or important documents: "it will be practical to put them not only in paper money, but in drivers' licenses, passports, stock certificates, manuscripts, university diplomas, medical degrees and licenses, birth certificates, and any other sort of document you can think of where authenticity is paramount." In other words, those documents you're required to have, that you can't live without, will be forever tagged.
Consider the human body as well. Applied Digital Solutions has designed an RFID tag - called the VeriChip - for people. Only 11 mm long, it is designed to go under the skin, where it can be read from four feet away. They sell it as a great way to keep track of children, Alzheimer's patients in danger of wandering, and anyone else with a medical disability, but it gives me the creeps. The possibilities are scary. In May, delegates to the Chinese Communist Party Congress were required to wear an RFID-equipped badge at all times so their movements could be tracked and recorded. Is there any doubt that, in a few years, those badges will be replaced by VeriChip-like devices?
Surveillance is getting easier, cheaper, smaller, and ubiquitous. Sure, it's possible to destroy an RFID tag. You can crush it, puncture it, or microwave it (but be careful of fires!). You can't drown it, however, and you can't demagnetize it. And washing RFID-tagged clothes won't remove the chips, since they're specifically designed to withstand years of wearing, washing, and drying. You could remove the chip from your jeans, but you'd have to find it first.
That's why Congress should require that consumers be notified about products with embedded RFID tags. We should know when we're being tagged. We should also be able to disable the chips in our own property. If it's the property of the company we work for, that's a different matter. But if it's ours, we should be able to control whether tracking is enabled.
Security professionals need to realize that RFID tags are dumb devices. They listen, and they respond. Currently, they don't care who sends the signal. Anything your companies' transceiver can detect, the bad guy's transceiver can detect. So don't be lulled into a false sense of security.
With RFID about to arrive in full force, don't be lulled at all. Major changes are coming, and not all of them will be positive. The law of unintended consequences is about to encounter surveillance devices smaller than the period at the end of this sentence.
No comments:
Post a Comment