February 20, 2004

A note from Katherine Albrecht

From: Katherine Albrecht
Date: Fri, 20 Feb 2004 09:02:22 -0500

Dear Henry:

Thank you for posting a link to AIM Global's latest
anti-privacy-advocate piece, "The ROI of Privacy Invasion," on the
RFIDPrivacy.org website, as I would have probably missed it otherwise.

You might have scratched your head when you got to the end of the
article to read that "C.A.S.P.I.A.N. is trying to get legislation
introduced into Congress to outlaw RFID tagging," especially after
hearing my libertarian views against such legislation at the MIT privacy
workshop you helped host in November (available via streaming video
online at your website). I know I certainly did a double take at this
statement, because I have never called for such a thing.

As I said publicly at your event, I oppose legislative solutions to the
RFID privacy problem, preferring instead to apply market pressures to
encourage businesses to behave responsibly.

I have written to AIM Global to clarify our position and have requested
a public correction to their article. If you are interested, you can
read a copy of my letter to AIM President Dan Mullen at
http://www.spychips.com/aimletter.html.

Unfortunately, this is just one incident in what appears to be an
escalating trend of misrepresentation and carelessness when RFID
industry proponents discuss the efforts of the privacy community. It is
not the first time an industry representative has claimed I said
something I did not, or claimed that CASPIAN advanced a position it did
not. In fact, just last month Cap Gemini Ernst & Young even publicly
claimed that CASPIAN conducted research that we had not done!

It may be too early to tell whether this is an intentional
misinformation campaign by RFID campaigners or simply reflects the
shoddy research that has characterized other aspects of the RFID
industry. But until we get to the bottom of what is happening, I would
suggest taking third-hand accounts of my statements or positions with a
grain of salt.

With best wishes for continued freedom,

Katherine Albrecht
Founder and Director, CASPIAN
Consumers Against Supermarket Privacy Invasion and Numbering
http://www.spychips.com
http://www.nocards.org

p.s. Feel free to post this to the RFIDprivacy.org blog if you think it
appropriate.

Posted by holtzman at February 20, 2004 08:41 PM
Comments

The AIM "RFID FAQs, not Fiction" produced by the so-called "AIM RFID Privacy Work Group"

http://www.aimglobal.org/technologies/rfid/rfid_faqs.asp

is also full of errors or misrepresentations:

e.g. they mistakenly claim radio frequency hopping as a security measure, when, in fact, just as with GSM mobile phones, the feature is more to deal with interference and reflected signals. An attacker does not have to build their own frequency hopping radio, they just need to buy or steal an EPC compliant reader.

The longer range UHF tags are not restricted to pallets, they have already been trialled on individual level consumer items.

They claim correctly that passive RFID tags do not emit much Radio Frequency energy and so are not a health risk, but they neglect to think about the effect on, say, shop staff, exposed to dozens or hundreds of Readers on Smart Shelves or at every checkout till, day in, day out.

"Currently, a court subpoena is required to use private information such as cell phone records and credit card purchases. This information is strictly for use in criminal activities investigations" - no such court order is required in the UK, and in many other countries. The UK tax authorities have already asked for and have been given supermarket loyalty card data.

They neglect the "third party cookie" type RFID tag profiling possibilities, by claiming that other retailers will not be able to read any RFID tags that you are carrying or which are in your clothing.

They claim that RFID tags cannot be duplicated - it is probably not cost effective to do so, but their responses to readers can be faked or simulated as shown by the RSA Labs "blocker tag":

http://www.spy.org.uk/spyblog/archives/000206.html

Posted by: Watching Them, Watching Us at February 23, 2004 02:07 PM

How wouldn't it be cost-effective to duplicate tags? At worst the cost is a reprogrammable tag, and access to a reader to load in the new EPC value.

The anti-counterfeiting use of EPC RFIDs seems to rely primarily on examining the tag's (off-tag) recorded history... if you scan a tag in Berkeley, CA, and the databases tell you that the same tag was on an item sold in Tokyo an hour ago, you may have a counterfeit. Wonderful. But this does nothing for, say, uncovering a scam where I buy an expensive power tool, transfer its tag to some cheaper one, then take the cheap one back to Home Depot as a return (kind of the inverse of slapping bar codes for cheap products onto expensive ones and underpaying at checkout).

And such anti-counterfeiting strategies will be worthless if the person you're trying to scam has no access to the EPC system to perform a real-time lookup. I doubt this is going to cut down on the trade in fake malaria drugs in Africa.

Posted by: Ross Stapleton-Gray at February 24, 2004 12:18 AM
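
The off-tag history check described in the comment above, sketched as an added example that is not part of the original thread or any EPC system's own code. The EPC values, coordinates, read log and the 900 km/h plausibility threshold are constructed assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed

@dataclass(frozen=True)
class Read:
    epc: str     # tag identifier as reported by the reader
    ts: float    # hours since an arbitrary epoch
    lat: float
    lon: float
    site: str

def km_between(a: Read, b: Read) -> float:
    """Great-circle distance between two read locations (haversine)."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def implausible_reads(reads, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag EPCs seen at two sites sooner than the tag could have travelled."""
    last, flagged = {}, []
    for r in sorted(reads, key=lambda r: r.ts):
        prev = last.get(r.epc)
        if prev is not None:
            hours, dist = r.ts - prev.ts, km_between(prev, r)
            # Same EPC, different place, not enough time: possible duplicate tag.
            if dist > 1.0 and (hours <= 0 or dist / hours > max_kmh):
                flagged.append((r.epc, prev.site, r.site))
        last[r.epc] = r
    return flagged

# Constructed read log. EPC-A appears in Tokyo and Berkeley an hour apart.
# EPC-B is the tag-transfer case: sold and "returned" at the same store two
# days apart. The history is consistent, and the lookup keys only on the tag,
# so it cannot tell that the tag now sits on a different item.
SAMPLE_READS = [
    Read("EPC-A", 0.0, 35.68, 139.69, "Tokyo"),
    Read("EPC-A", 1.0, 37.87, -122.27, "Berkeley"),
    Read("EPC-B", 0.0, 37.87, -122.27, "Berkeley"),
    Read("EPC-B", 48.0, 37.87, -122.27, "Berkeley"),
]

if __name__ == "__main__":
    for epc, first, second in implausible_reads(SAMPLE_READS):
        print(f"{epc}: read at {first}, then {second}: check for a duplicate")
```
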

"How wouldn't it be cost-effective to duplicate tags? At worst the cost is a reprogrammable tag, and access to a reader to load in the new EPC value."

Point taken.

Technically replacing a "5 cent" tag which is not reprogrammable (like most of the ones which have been trialled in supermarkets so far) with a more expensive "25 cent" reprogrammable tag is not cost effective. If the cost of either type of tag is only a small fraction of the value of the goods which are being tagged, the cost effectiveness of tag duplication is irrelevant.

If a global EPC "internet of things" does emerge, is it not more likely that instead of detecting counterfeits (which in the case of pharmaceuticals often has very high standard fake packaging) it will be used to enforce differential pricing policies for legitimate goods being traded in different markets i.e. to crack down on "grey imports" ?

Ironically, the very supermarkets which are keen on RFID tagging such as Tesco or WalMart have been involved in "grey import" battles over branded goods such as jeans or perfumes or pharmaceuticals, by using their bulk buying power in one country to supply their customers with cheaper genuine goods than the brand owners would wish in a particular market.

Posted by: Watching Them, Watching Us at February 25, 2004 01:18 PM