Backlash against RFID is growing

States lead the way as technology researchers express concern about security, privacy issues.

By Chris Zappone, staff writer

NEW YORK ( -- Civil rights and privacy rights groups have opposed radio frequency identification, or RFID, for years. But now, researchers in the field and some lawmakers are beginning to voice concerns about the security of the technology.

In the past year, twenty-two states have introduced legislation regarding RFID technology, which uses tiny radio transmitter chips, or "tags," that can be inserted in a pallet full of goods, a pair of jeans, or a passport.


The technology boosts companies' ability to keep track of inventory and equipment - a prospect that's been embraced by the likes of Wal-Mart (Charts, Fortune 500), Best Buy (Charts, Fortune 500), Kimberly-Clark (Charts, Fortune 500), maker of Scott tissues and Huggies diapers, and others. A host of tech companies are behind it as well.

However, a small but growing number of tech security experts and some state lawmakers fear RFID's unchecked deployment will lead not only to eavesdropping, forgery and hacking but also to a society in which an individual's privacy is compromised at every turn by the remotely readable objects they carry.

For these reasons, the California state Senate is mulling legislation that would prevent the use of RFID in drivers' licenses and public schools, and tighten security standards on state-issued documents that carry RFID, as well as outlawing surreptitious access.

"There is a backlash," said California State Sen. Joe Simitian, a Democrat and sponsor of some of the legislation. "Public concern will grow until there is a sensible set of privacy protections."

Simitian, who represents a Silicon Valley district and calls himself an avowed "booster of tech innovation," called RFID technology "great." But he readily admits to concerns about its uses. Simitian said he has pressed the issue with RFID industry leaders, telling them it's "in the industry's long-term interest" to address security concerns.

RFID's boosters are backing a $650 million industry that's expected to grow to $2.1 billion within four years, according to ABI Research. The industry has already seen ongoing consumer boycotts of companies such as Tesco and Procter & Gamble (Charts, Fortune 500)-owned Gillette over the use of RFID-chips in packaging, but so far adoption of the technology has been growing steadily and the industry is keen to nurture it.

"We're definitely aware of consumer and privacy concerns," said Jennifer Kerber of the Information Technology Association of America, a trade group. But Kerber said the industry is opposed to any "mandate" that would slow deployment of new generations of RFID. "Technology evolves so quickly these days," she said.

In fact, it's the gap between RFID security and would-be hackers' tools and methods that has Craig Schmugar, a threat researcher at security and anti-virus firm McAfee, so concerned.

"In general, the impression the companies have is slightly skewed to things being more secure than they've been proven to be," said Schmugar. "The emphasis is first on getting the technology widely deployed, and then security is secondary."

Ari Juels, research scientist at business security firm RSA, agreed.

"I don't think that RFID deployers are really coming to grips with the privacy concerns in a practical way, largely because barcode-type RFID tags probably won't reach the hands of consumers in a major way for some time," Juels said.

The technology can reveal what a person is carrying, Juels said, noting the devices are so small that some bearers may be unaware of them. Controlling who has access to RFID information is hard to manage without the right security protections; data can even be accessed by inexpensive readers bought at retail electronics stores, he added.

And it's not just the chips but the information they could contain that can be pulled into huge databases that's causing concern. Consumers already generate reams of such information that ends up in marketing databases.

The implementation of RFID-technology in government documents like passports, which started last August, or in driver's licenses in the future, has fueled calls for better privacy protections.

People in some parts of the country, meanwhile, seem to expect the worst from widespread RFID use. In April, North Dakota outlawed the "required" implantation of RFID chips in humans after Wisconsin passed a similar law in 2006.

RFID industry representatives say such fears, as well as worries about identity theft and fraud, are largely overblown.

There have been no reports of identity theft or fraud associated with the estimated 30 million RFID devices used for car theft prevention, road toll collection or corporate IDs in the United States, according to Mark Roberti of trade publication RFID Journal.

But there were few cases of viruses damaging computers until personal computers had become much more widespread, some experts noted. For this reason, privacy advocates would like to see something done before the technology - and its vulnerabilities - are in everyone's hands.

Bruce Schneier, security expert and author of "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," would like to see the sale of information gleaned from RFID tags outlawed, along with collection of data for any purpose other than its intended use, unless the tag holder gives permission.

The industry continues to oppose legislation.

Dan Mullen of the Association of Automatic Identification and Mobility said, "It's fairly premature to legislate against RFID. Many laws already translate to applications of RFID."

At the federal level, Congress has no legislation addressing RFID privacy and security issues, although an RFID Caucus was formed last July by Sen. Byron Dorgan (D-N.D.) and Sen. John Cornyn (R-Texas).

The caucus is "more educational than anything at this point" according to Dorgan's office, but it supports the use of RFID technology to help "strengthen homeland security and improve supply chains."

New laws or changes calling for privacy and security improvements in the deployed technology would probably bring higher costs as well.

Allowing users to permanently disable an RFID tag after purchasing a product or requiring consumers to activate an RFID tag before it functions, both ideas Schneier suggests, would likely add to a system's expense.

"Security affects price points of the technology," McAfee's Schmugar said. And security for RFID means not just the chips but the readers, and the databases processing and storing the information.

Simitian, the California lawmaker, predicts that it's only a matter of time before people become more knowledgeable about the privacy and security issues of RFID.

"I understand there's a certain amount of hand wringing when breaking new ground," said Simitian. "But I believe there's a long-term advantage to the industry in providing privacy protections." Top of page