SAN FRANCISCO -- Adoption of radio frequency identification (RFID) technology could stall if lawmakers overreact to security and privacy concerns by legislating the technology, according to a group of experts who discussed the issue Tuesday at RSA Conference 2007.
While legislation could eventually protect consumers from overambitious enterprises using the technology to glean insight on consumer habits, the speakers said, it could also make RFID too costly, hindering adoption by retailers and manufacturers. In addition, researchers are still unclear how to address security issues while keeping down the price of the tags used to label pallets and items.
"We see that people are comfortable with the technologies that they know," said Daniel Caprio Jr., president of the Progress and Freedom Foundation, a Washington think tank. "Our challenge is to present this technology in a way that we talk about it in real terms with the challenges and opportunities related to privacy and security, but also by educating the public to raise their comfort level."
RFID, the use of tiny computer chips containing unique identifiers to track goods in the supply chain, has been adopted by a number of manufacturers and distributors who do business with retail giant Wal-Mart Stores Inc. and some agencies within the federal government. While to date the technology has been used mostly for benign purposes on the consumer level -- in animal identification, highway toll speed pass systems, U.S. passports and auto anti-theft devices -- privacy experts insist that the technology is ripe for abuse.
The most widely used tags are supported by EPCglobal, an organization set up to boost adoption and standardization of Electronic Product Code (EPC) technology. The EPC tags are currently the most cost-effective, at about 13 cents each, but they have no ability to contain the cryptography that's essential for access control and data confidentiality, said Juels, who is researching RFID security for RSA Laboratories. While researchers develop ways to boost data security in tags, he said legislators shouldn't take action.
"Technologically prescriptive legislation is inappropriate and likely to be ineffective and likely to hamper technology with enormous promise," Juels said. "Scientists at this point don't know the right solutions to privacy and security problems in RFID infrastructure and it's equally or more difficult for legislators to anticipate them, so legislation that includes specific prescriptive technological provisions is likely to be self-defeating."
To address privacy and security concerns, scientists are developing a blocker tag that would spam an unauthorized tag reader. Researchers are developing ways to calibrate power in RFID chips to enable a kill switch for the tiny tags. Juels said scientists are also working on a way to shoehorn layers of security functionality onto the standard EPC tag.
Even without encryption and other security features, RFID use is rising, led by the federal government, which has been using it for years. The technology was first used by World War II bombers to identify friendlies; today the Department of Defense uses it to track shipments of supplies in war-torn areas. The Department of Homeland Security also uses the technology within the Federal Emergency Management Agency to track shipments during a crisis.
Officials from China have approached the U.S. federal government seeking standards for RFID chip production, said Cresanti, who serves as chief privacy officer for the Department of Commerce and chief co-chairman for the intergovernmental agency working to coordinate and understand RFID use in the federal government.
"I'm not sure we're ready to act," said Cresanti of the Chinese request. "The United States government generally doesn't set standards. We're one of those few places in the world where a myriad of standards evolve through industry working groups. … Often the deciding factor in that process is consumer adaptation and consumer interest in moving ahead."
Some groups worry that future uses of RFID could include ways to tag people, or to embed tags in a person's body, to track individuals. Delray Beach, Fla.-based VeriChip Corp. is currently planning to sell a technique to embed a tiny implant to help hospitals identify critical patient information or keep the elderly from wandering off. That company plans an IPO this month. Some retailers in Europe are also testing the technology to track customers throughout their stores and understand their buying habits, said Stevens, who heads an organization made up of a number of organizations, including private companies and government departments, that collaborate on the development of solutions for their privacy, identity, data protection and freedom of information concerns.
"As long as that's authorized and consensual, we don't have an issue here," Stevens said. "It's when we start achieving unauthorized nonconsensual information we get into trouble."
He said RFID vendors, which create the software and hardware that collect RFID data, should put in place codes of conduct and other standards to monitor and self-regulate the use of the technology.
"Governments are steering towards a legislative approach to this because they want the tech and they want to control it and they want to be seen to be doing something," Stevens said.
"It's up to industry now to work with the government and actually kick back against this gently," he added. "If we could get effective self-regulation mechanisms to police ourselves, we will avoid some counterproductive legislation."