4. Social Implications
The Internet of Things
The early evolution of RFID was not driven by any overriding vision, but by the specific requirements of specific applications, and the ingenuity of entrepreneurs and inventors attempting to meet those requirements. As noted above, different protocols were developed for different uses; most were incompatible and very little interoperability existed even at the higher protocol levels: that is, even the identifying information itself differed in format and content from one application to another.
In the late 1990s, a team of researchers at the Massachusetts Institute of Technology, led by Sanjay Sarma, Sonny Siu, and Eric Nygren, conceived the idea of an Internet of Things to complement the computer Internet. The Internet is a network of networks that enables any computer to communicate with any other computer using a globally unique Internet address. The Internet of Things was conceived as a globally unique identifying number for every manufactured item, combined with one or more sensing technologies, chiefly RFID, to provide a window into the configuration of the physical world.
Underlying the Internet of Things is the concept of a single, globally unique Electronic Product Code or EPC. The EPC is the plausible successor of a variety of numbering systems in commercial use, including the ubiquitous Universal Product Code used to create bar codes for retail products. The EPC is intended to contain just enough information to uniquely identify an object and allow queries about that object to be directed to the appropriate target (typically an Internet server that contains information about the object, or knows which server has such information). The EPC is hierarchical, in the sense that the allocating organization (EPCglobal Inc.) grants unique identifiers to a subscribing organization, and that organization is then responsible for allocating model identifiers and serial numbers to ensure that every compliant EPC is globally unique (Figure 21). To administer the allocation of EPCs, the organizations that managed the Universal Product Code and its European counterpart (the Uniform Code Council and EAN International, since merged into GS1) formed EPCglobal Inc. in partnership with the Auto-ID Labs that grew out of the early work at MIT.
Figure 21: An example of an Electronic Product Code (EPC), showing partition into a header portion describing the type of EPC and the allocation of bits to the various parts, an organization identifier, a class or model number, and a serial number.
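As an added example (not from the original text), here is an encoder and decoder for the 96-bit SGTIN scheme, which has the layout Figure 21 describes: an 8-bit header identifying the EPC type, a 3-bit partition value recording how the next 44 bits are split between the organization's company prefix and its item (model) reference, and a 38-bit serial number. The 3-bit filter value between header and partition, the header value 0x30 and the partition table are taken from the EPC Tag Data Standard's SGTIN-96 definition; the company prefix, item reference and serial values used are constructed for illustration.

```python
"""Encode/decode a 96-bit SGTIN EPC: header | filter | partition | company prefix | item ref | serial."""

SGTIN96_HEADER = 0x30   # EPC Tag Data Standard header value for SGTIN-96
SERIAL_BITS = 38

# partition value -> (company prefix bits, company prefix digits,
#                     item reference bits, item reference digits)
# Company prefix + item reference always total 44 bits (and 13 digits).
PARTITIONS = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}


def encode_sgtin96(filter_value, company_prefix, item_reference, serial):
    """Pack the fields into a 96-bit integer.

    company_prefix and item_reference are decimal digit strings: leading zeros
    are significant, and the prefix length selects the partition value.
    """
    if not 0 <= filter_value < 8:
        raise ValueError("filter value must fit in 3 bits")
    if not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("serial number must fit in 38 bits")
    try:
        partition = next(p for p, (_, digits, _, _) in PARTITIONS.items()
                         if digits == len(company_prefix))
    except StopIteration:
        raise ValueError("company prefix must be 6 to 12 digits") from None
    cp_bits, _, ir_bits, ir_digits = PARTITIONS[partition]
    if len(item_reference) != ir_digits:
        raise ValueError(f"item reference must be {ir_digits} digits for this prefix")
    cp, ir = int(company_prefix), int(item_reference)
    if cp >= (1 << cp_bits) or ir >= (1 << ir_bits):
        raise ValueError("field value does not fit in its bit allocation")
    epc = SGTIN96_HEADER
    epc = (epc << 3) | filter_value
    epc = (epc << 3) | partition
    epc = (epc << cp_bits) | cp
    epc = (epc << ir_bits) | ir
    epc = (epc << SERIAL_BITS) | serial
    return epc


def decode_sgtin96(epc):
    """Unpack a 96-bit integer into its fields; rejects anything that is not SGTIN-96."""
    if epc.bit_length() > 96 or epc >> 88 != SGTIN96_HEADER:
        raise ValueError("not a 96-bit SGTIN EPC")
    filter_value = (epc >> 85) & 0x7
    partition = (epc >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError(f"invalid partition value {partition}")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    serial = epc & ((1 << SERIAL_BITS) - 1)
    rest = epc >> SERIAL_BITS
    ir = rest & ((1 << ir_bits) - 1)
    cp = (rest >> ir_bits) & ((1 << cp_bits) - 1)
    return {
        "filter": filter_value,
        "company_prefix": str(cp).zfill(cp_digits),   # restore significant leading zeros
        "item_reference": str(ir).zfill(ir_digits),
        "serial": serial,
    }


def sgtin96_to_uri(epc):
    """Render the pure-identity URI form that network lookups about the object would key on."""
    f = decode_sgtin96(epc)
    return f"urn:epc:id:sgtin:{f['company_prefix']}.{f['item_reference']}.{f['serial']}"


if __name__ == "__main__":
    # Constructed values: 7-digit company prefix, 6-digit item reference, serial 6789.
    epc = encode_sgtin96(3, "0614141", "812345", 6789)
    print(f"{epc:024X}")
    print(sgtin96_to_uri(epc))
```

Because the company prefix and item reference share a fixed 44-bit budget, a longer prefix (a smaller organization) leaves fewer item references per organization; the partition value is what lets a reader recover the split, and a decoder that ignores it will misattribute items to the wrong organization.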
Merely obtaining an EPC from an RFID tag (or a bar code or human-readable serial number) is not terribly useful if the EPC conveys no information about the object or its history. To complete the link between the physical and virtual world, EPCglobal has proposed a data architecture, in which Internet-based services enable organizations to locate and obtain data relevant to a specific EPC (Figure 22).
Figure 22: A simplified view of the EPCglobal Data Architecture. Subscriber organizations provide the infrastructure to encode and read tags as objects that are exchanged between the organizations; Internet-based services allow information about those tagged objects to be located and obtained through the network.
At the present time, the vision of ubiquitous networked identification of objects is being pursued by EPCglobal mainly in the retail global supply chain. To the extent that the vision is realized, the largest effects will be on the efficiency and adaptability of manufacturers and sellers of high-volume goods: improved visibility means reduced inventories and lower costs. At the time of this writing it is unclear to what extent networked awareness of physical objects will proceed beyond its current commercial focus and become, like the Internet, an expected part of our everyday lives.
Privacy and Security
Tags carry data. If an organization is relying on that data to guide its actions, it needs to ensure that the data is reliable and not subject to modification by unauthorized people. If the data reveals aspects of an organization's operations that it might prefer to keep private, it needs to be able to limit access to that data. Individuals with tagged objects also face risks. The toll transponders that we knowingly place on our windshields to zip across bridges can also be used to track individual automobiles from one waypoint to another, whether to drive traffic display signs giving drivers real-time routing information or to send a citation if the average speed of transit exceeds the legal limit. Retail objects that retain their tags could allow a shop owner to survey your preferences as you enter, or a thief to identify likely targets before striking. For both individuals and organizations to benefit from automated identification and RFID, tagged data needs to be reliable, secure, and controllable.
Tagged data faces various threats. Information can be skimmed from a tag which is read without the permission of the owner, or a legitimate exchange between a tag and reader can be subject to eavesdropping. Skimmed information can be used to extract a profile of a person carrying tagged items, even if that person's identity is not revealed. Unauthorized parties can potentially write false or misleading data into a tag. How are such threats dealt with?
The most reliable means of securing tag data is physical security: preventing tags from being read except when and where the owner of the object wishes them to be. Since the read range of passive tags is quite limited, skimming can be prevented by keeping unauthorized people far from the tags to be secured, but this is not always practical. Passive LF and HF tags are generally more resistant to skimming because of their short read range: an attacker must be within a few centimeters to skim such a tag. UHF tags may be readable, and therefore skimmable, from 10-20 meters (30-60 feet) away, so physical security is harder to achieve by controlling access to the facility alone. It is also important to note that the range at which a reader signal is detectable may greatly exceed the range at which a passive tag can be read. For example, an HF reader may read an HF tag only out to 10 or 20 centimeters, but the signal from the reader can readily be detected (with appropriate equipment) from 5 meters away. Similarly, a UHF tag may be readable only out to 5 or 10 meters, but the reader signal could be detected from several kilometers away if the path to the attacker's antenna is unobstructed. That is, eavesdropping on a reader is much easier than skimming a passive tag. For best security, a protocol should avoid placing sensitive data on the reader's signal.
Shielding can also be used to prevent skimming. HF and UHF devices can be shielded by enclosing them in an electrically-conductive box or bag, or by placing a conductive shield very close to the antenna (within a millimeter or two). The current US ePassport includes a conductive cover to make the tag unreadable when the passport is firmly closed, although if the cover is partially open shielding effectiveness is reduced.
Alternatively, a tag can include a manual switch to limit access to the tag data except when the holder chooses to make it available (Figure 23). A tag that is no longer useful can be physically disabled by removing the antenna or breaking the IC, or rendered irrelevant by detaching it from the object it marked.
Figure 23: An RFID-enabled "smart" credit card can prevent skimming by ensuring that the tag is only active when the user presses the switch.
If physical security is inconvenient or impractical, one can also employ protocol security. The tag can require passwords or other authentication before returning its identification or other information. Password protection can also be used to prevent unauthorized changes in tag data. Communications between the tag and reader can be encrypted. Provisions can be made for rendering a tag non-functional using a KILL command.
Protocol-based approaches are always less reliable than physical security, because they are much more difficult to verify. A consumer can pass a tag by a "Kill" station on exiting a retailer, but how is the consumer to verify that the tag is dead? Data protected by 128-bit encryption can be insecure if the key exchange mechanism is compromised or the key is easily guessed. Users have no easy way of knowing what security is provided; for example, in a recent survey, researchers found that many of the commercial RFID-enabled credit cards they tested provided the cardholder name, account number, and expiration date in the clear (without encryption).
Protocol security also requires computational power, and thus extra power for the integrated circuit, in proportion to the complexity of the steps involved. UHF tags, which must use minimal power to maintain their long read range and low cost, generally provide only simple security provisions. For example, the ISO 18000-6C standard (EPCglobal Class 1 Generation 2) specifies password protection for locking memory locations and killing tags, and uses a simple coding arrangement for writing data to tags that makes it hard to eavesdrop on a tag write. This cover coding scheme is summarized in Figure 24. The reader requests a random number from the tag (a 16-bit value, RN16) to use as a key, and encrypts one 16-bit word of data by adding the key to the data in bitwise modulo-2 fashion (exclusive OR). The coded word is then transmitted to the tag. The tag simply adds the coded word to the key it just sent to recover the data; since bitwise addition is trivial to implement, this costs almost no additional power. Each RN16 covers a single word, so a 32-bit access or kill password is written as two separately covered halves. Cover coding rests on the assumption that an attacker can hear the reader but not the tag, and is therefore reasonably secure against distant eavesdroppers; an attacker close enough to capture the tag's reply recovers the data with the same single XOR the tag uses, and a tag whose random number generator repeats values leaks the XOR of any two words covered with the same key even to a distant listener. The 18000-6C standard as originally published provides no authentication of tags or readers: any reader that can issue the right commands can read the tag's EPC and other unlocked data. (Later revisions of the EPC Gen2 specification added optional cryptographic authentication commands, but tags implementing only the original profile remain open in this way.) Researchers have suggested approaches for very low-power secure protocols, but these have so far not seen wide implementation.
Figure 24: schematic depiction of the cover coding scheme used to secure 18000-6C data against interception.
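The cover-coded write of Figure 24, as an added simulation that is not part of the original text or of any Gen2 reader or tag implementation. It models the exchange at the word level (Req_RN, the tag's 16-bit RN16, the reader's word XOR RN16, the tag's second XOR), the two eavesdropper positions the text contrasts, and the failure mode the scheme does not cover: a tag whose random number generator repeats. The memory addresses, the password value and the channel model are constructed for illustration.

```python
"""Simulation of ISO 18000-6C / EPC Gen2 cover coding for a Write command."""
import secrets

WORD_MASK = 0xFFFF   # Gen2 memory is organised as 16-bit words; one RN16 covers one word


class Channel:
    """Records what an eavesdropper could capture on each direction of the link."""

    def __init__(self):
        self.reader_to_tag = []   # strong signal: audible from far away
        self.tag_to_reader = []   # weak backscatter: audible only close to the tag


class Gen2Tag:
    """Tag side of the exchange: answers Req_RN and removes the cover on Write."""

    def __init__(self, rng=lambda: secrets.randbits(16)):
        self._rng = rng             # injectable so a weak/repeating RNG can be modelled
        self._pending_rn16 = None
        self.memory = {}

    def req_rn(self):
        """Answer Req_RN with a fresh RN16 that will cover exactly one word."""
        self._pending_rn16 = self._rng() & WORD_MASK
        return self._pending_rn16

    def write(self, address, cover_coded):
        if self._pending_rn16 is None:
            raise RuntimeError("Write without a preceding Req_RN")
        word = cover_coded ^ self._pending_rn16   # XOR with the same RN16 removes the cover
        self._pending_rn16 = None                  # never reuse a handle for a second word
        self.memory[address] = word
        return word


def reader_write_word(tag, channel, address, word):
    """Reader side: obtain a fresh RN16, XOR it onto the word, send the result."""
    rn16 = tag.req_rn()
    channel.tag_to_reader.append(rn16)
    coded = (word & WORD_MASK) ^ rn16
    channel.reader_to_tag.append(coded)
    tag.write(address, coded)
    return coded


def reader_write_password(tag, channel, base_address, password32):
    """A 32-bit access or kill password is written as two separately covered 16-bit words."""
    reader_write_word(tag, channel, base_address, (password32 >> 16) & WORD_MASK)
    reader_write_word(tag, channel, base_address + 1, password32 & WORD_MASK)


def eavesdrop_reader_only(channel):
    """A distant attacker sees only RN16-masked words: a one-time pad if RN16 is fresh."""
    return list(channel.reader_to_tag)


def eavesdrop_both_sides(channel):
    """An attacker close enough to hear the tag recovers every word with one XOR."""
    return [c ^ r for c, r in zip(channel.reader_to_tag, channel.tag_to_reader)]


def xor_of_first_two_words(channel):
    """With a repeated RN16, c1 ^ c2 == w1 ^ w2: the reader-only eavesdropper learns
    the XOR of two plaintext words without ever hearing the tag."""
    c1, c2 = channel.reader_to_tag[:2]
    return c1 ^ c2


if __name__ == "__main__":
    tag, ch = Gen2Tag(), Channel()
    reader_write_password(tag, ch, 0x2, 0xDEADBEEF)   # access password lives at words 2-3
    print("tag memory:", {a: f"{w:04X}" for a, w in tag.memory.items()})
    print("reader-only eavesdropper sees:", [f"{c:04X}" for c in eavesdrop_reader_only(ch)])
    print("both-sides eavesdropper recovers:", [f"{w:04X}" for w in eavesdrop_both_sides(ch)])
```

Note what the simulation does not do: nothing in the exchange lets the tag tell a legitimate reader from one that simply issues the commands, which is the authentication gap the text describes.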
Because the range of HF tags is short in any case, and within their range ample power is available, HF tags can implement more sophisticated schemes. Some HF tag integrated circuits support full authentication and sophisticated (and power-hungry) algorithms like the Advanced Encryption Standard (AES). Sophisticated security of this type results in substantial increases in tag cost and reductions in read range, but may be justified for critical applications such as establishing the pedigree of vital medications.
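As an added example, not from the original text: the shape of the mutual challenge-response exchange that keyed HF tag ICs implement and that the Gen2 profile above lacks. HMAC-SHA256 from the Python standard library stands in for the AES-based computation those ICs perform, so the block runs offline; the per-tag key diversification, the message labels, the UID and the protected data are assumptions made for illustration. The reader must prove knowledge of the tag's key before the tag releases protected data (which defeats skimming by an unauthorized reader), and the tag's own proof is bound to a fresh reader nonce (which defeats a clone that replays a recorded answer).

```python
"""Mutual challenge-response between a keyed tag and a reader (HMAC stands in for AES)."""
import hashlib
import hmac
import secrets


def derive_tag_key(master_key, uid):
    """Key diversification (assumed scheme): each tag gets its own key from a
    reader-side master key and the tag's public UID, so one extracted tag key
    does not compromise the whole population."""
    return hmac.new(master_key, b"tag-key:" + uid, hashlib.sha256).digest()


def mac(key, *parts):
    """HMAC-SHA256 over the concatenated parts; stands in for the AES MAC of a real tag IC."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class SecureTag:
    """Tag side: releases protected data only to a reader that proves key knowledge."""

    def __init__(self, uid, key, protected_data):
        self.uid = uid                 # public, readable by anyone
        self._key = key                # shared secret, never transmitted
        self._protected = protected_data
        self._nonce = None

    def get_challenge(self):
        """Step 1: the tag issues a fresh nonce the reader must answer."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def respond(self, reader_nonce, reader_proof):
        """Step 2: verify the reader, then answer the reader's nonce with the tag's proof."""
        nonce, self._nonce = self._nonce, None     # each tag nonce is single use
        if nonce is None:
            return None
        expected = mac(self._key, b"reader", self.uid, nonce)
        if not hmac.compare_digest(reader_proof, expected):
            return None                             # unauthorized reader: nothing is released
        return mac(self._key, b"tag", self.uid, reader_nonce), self._protected


class Reader:
    def __init__(self, master_key):
        self._master = master_key

    def authenticate_and_read(self, tag):
        """Return the protected data if the tag proves itself genuine, else None."""
        key = derive_tag_key(self._master, tag.uid)
        tag_nonce = tag.get_challenge()
        reader_nonce = secrets.token_bytes(16)      # fresh per session, defeats replay
        result = tag.respond(reader_nonce, mac(key, b"reader", tag.uid, tag_nonce))
        if result is None:
            return None
        tag_proof, data = result
        if not hmac.compare_digest(tag_proof, mac(key, b"tag", tag.uid, reader_nonce)):
            return None                             # clone or replayed transcript
        return data


class CloneTag:
    """Attacker's clone: has the UID and one recorded (proof, data) answer, but not the key."""

    def __init__(self, uid, recorded_proof, recorded_data):
        self.uid = uid
        self._recorded = (recorded_proof, recorded_data)

    def get_challenge(self):
        return secrets.token_bytes(16)

    def respond(self, reader_nonce, reader_proof):
        return self._recorded       # cannot check the reader, can only replay


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    uid = bytes.fromhex("04a1b2c3d4e5f6")          # constructed 7-byte UID
    tag = SecureTag(uid, derive_tag_key(master, uid), b"lot=42;exp=2031-01")
    print("genuine reader, genuine tag:", Reader(master).authenticate_and_read(tag))
    print("rogue reader without the key:", Reader(secrets.token_bytes(32)).authenticate_and_read(tag))
```

Two nonces are needed because each side has something to protect: the tag's nonce stops a rogue reader from replaying a captured reader proof to skim the data, and the reader's nonce stops a cloned tag from replaying a captured tag proof. Both checks use a constant-time comparison; on a real IC the corresponding cost is the AES computation and the power it draws, which is why this class of protocol is found on HF rather than long-range UHF tags.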
Protection of consumer privacy involves procedures and operational standards as well as technology. For example, EPCglobal has recommended guidelines for the use of RFID technologies in consumer products, including:
- Consumers should be notified when EPC technology is in use; tags should be clearly labeled as such;
- Consumers should have the option of killing or removing tags on items they have purchased;
- Consumers should have control over information about them that might be obtained from the EPC.
Existing laws may cover the use of RFID technology and related data. In the United States, a number of legal restrictions, particularly on the actions of government agencies, exist, including:
- The Privacy Act of 1974
- The e-Government Act of 2002, section 208
- The Federal Information Security Management Act
- The Health Insurance Portability and Accountability Act of 1996
Additional legislation regulating the use of RFID and protecting personal privacy is under consideration in many states in the United States, and in the EU and Japan.