杏吧原创

Who’s keeping tabs on your tags?

Almost every item you buy will soon have a trackable radio tag, and anyone could be listening in...

AT FIRST they were little more than a wireless version of a barcode, mostly used for stocktaking. But from these mundane beginnings radio-frequency identification (RFID) tags are spreading, and they could soon be keeping tabs on every one of us. This has privacy advocates worried, and they are campaigning for safeguards to be built into the still-to-be-finalised standards for RFID.

Most RFID tags are nothing more than a simple combination of a chip and antenna, and act as a passive transponder. When prompted by a signal from a reading device, the tag sends back a digital code stored in its memory. The power the tag needs comes from the reader鈥檚 radio signal.

Unlike barcodes, which are the same for every item in a particular product line, every RFID tag is unique. This allows companies to keep track of individual items as they move down the supply chain. What鈥檚 more, because the readers use radio, they can read the chips from tens of metres away, and an entire shipment can be scanned in one go.

This instant stock-control technology is very attractive. The US Department of Defense wants its suppliers to adopt it by October, and the supermarket chain Wal-Mart wants its 100 largest suppliers to tag their goods by January 2005.

But the use of tags doesn鈥檛 stop in the warehouse. Last year Wal-Mart rigged one of its stores with a trial system that allowed researchers at Proctor & Gamble, which owns the Max Factor brand, to monitor people buying lipstick. Concealed readers triggered a CCTV camera whenever someone took a tagged lipstick off the shelf. And tags are beginning to find many other applications.

They are being used to automate the collection of tolls from motorists, for tracking luggage in airports, and one Spanish nightclub is even using tags implanted under the skin as membership passes.

It is applications like these that are ringing alarm bells with privacy advocates. They are concerned that anyone with a tagged item could be tracked wherever they go. Markus Kuhn of the University of Cambridge, who has been following RFID technology, speculates that the police might in future ask for logs from RFID readers when a crime has been committed, just as they now look at CCTV footage and seize mobile phone records.

Privacy campaigners are calling for new laws to protect people from excessive intrusion. The Electronic Privacy Information Center in Washington DC, for example, wants retailers to be forced to label products that are tagged, and for the tags to be deactivated at the checkout unless the purchaser explicitly consents to keeping it active. This would be done by building a 鈥渒ill鈥 command into the RFID standard, which could disable the tag.

Elizabeth Board of EPC Global in New Jersey, the organisation leading the development of standards for RFID, argues that it is too early to consider new laws, as many of the surveillance techniques people are worried about don鈥檛 even exist yet. 鈥淟egislation would also stifle innovation,鈥 she says.

An active RFID tag would provide proof of purchase, Broad adds, so if a consumer needed to return a faulty item but had lost the receipt the tag could be used instead. Similarly, tags could help to trace lost or stolen items, allowing a recovered stolen laptop be returned to its rightful owner. Board also plays down the idea that people鈥檚 movements could be tracked: just placing a tag near one鈥檚 body makes it very difficult to read, she says, because the water in the human body affects the signal.

Kill commands are also not necessarily a workable solution, according to Burt Kaliski, chief scientist of RSA Security in Boston, Massachusetts. Unless they are set up with some sort of PIN, then it would be possible for malicious individuals to kill all the tags in a company鈥檚 stock, possibly without even entering the building, he says.

Kaliski also points out that privacy is as much an issue for the companies supporting this technology as for consumers. RFIDs could make it possible for rival companies to monitor each other鈥檚 shipments. 鈥淎ll parties benefit from addressing these issues,鈥 he says.

One option would be to add what is being called a 鈥減rivacy bit鈥 to RFID tags, which would be activated when a product is purchased. This would prevent the tag giving its unique ID code to normal readers. Special readers, which might typically be used by the customer service desk, would still be able to read the tag, allowing it to be used as proof of purchase. However, use of these special readers would have to be strictly audited to prevent abuse.

Who's keeping tabs on your tags?