It looks like RFID panic is percolating a bit again. Wired has an article in the current issue about how easy it will be to hack RFID tags, and Gizmodo recently reported ominously hat Levi’s will be tagging its jeans. Most of the privacy concerns are the same as those I’ve refuted in the past; RFID is not GPS and it won’t let you pinpoint someone’s position. However, I’m curious about one new claim the Wired article raises:
Grunwald has recently discovered another use for RFID chips: espionage. He programmed RFDump with the ability to place cookies on RFID tags the same way Web sites put cookies on browsers to track returning customers. With this, a stalker could, say, place a cookie on his target’s E-ZPass, then return to it a few days later to see which toll plazas the car had crossed (and when). Private citizens and the government could likewise place cookies on library books to monitor who’s checking them out.
I’m curious for more information on how this is done. To my knowledge, cookies are just static strings of text that can be used to uniquely identify a browser each time it comes back to a site. In that sense, an RFID chip is itself a cookie. An HTTP cookie isn’t written to and doesn’t contain a list of all the sites you’ve visited, so how can an RFID cookie tell a stalker all the toll plazas you’ve been to? Also, can all RFID tags take cookies? Beyond those questions, I’m not sure how a stalker is helped by knowing where his target has been. He would only know which toll plazas were crossed, not what a target’s ultimate destination was, and certainly not their current location. With the library book example, the same questions apply. But assuming that the RFID chip is written to, is the patron’s name inserted into the surreptitious cookie whenever the book is checked out? Why would the library’s software do this? Why would it insert a name and not an ID number? If it’s an ID number, then wouldn’t the stalker need access to the library database to cross-reference the patron’s name? If the stalker has access to that database, why not just look up the check out information there?
At least I’m glad to see that both the Gizmodo and Wired stories acknowledge a privacy threat from government and not just from retailers and other private companies. Privacy activists have concentrated on the perceived threat of commercial RFID use when the real threat is their use in government-mandated IDs.
Comments on this entry are closed.