Radio frequency identification tags emit a radio signal that contains the information stored on the chip. When used inappropriately, they risk consumer privacy, allow hackers to access sensitive personal information, and track innocent individuals’ movements.
What is it used for?
Companies and government agencies use RFID to track people and inventory as they move. Many types of consumer products, from computers and mp3 players to clothing and pharmaceuticals, contain tiny RFID tags that allow companies to track them through the supply chain. Similarly, tags embedded in passports allow the government to track how those things move. Moreover, many agencies require employees and visitors to carry RFID-enabled identification cards, which contain a person’s name, employment number, address, or telephone number. Many transit agencies now use RFID-enabled payment cards. A few school districts have even proposed outfitting students with RFID chips in their clothing or school IDs to take attendance and track student movements.
How It Works
Many companies began using RFID in the 1980s to track items through lines of production. Governments quickly recognized the law enforcement potential of the technology.
- An RFID system has two parts: the tag and the reader. The tag is attached to an object or person and contains a chip with some piece of relevant information. The reader activates the tag in order to read and display the information contained on the chip.
- Most RFID tags are “passive.” They contain no independent power source and emit a signal only when activated by an RFID reader. These signals can travel upwards to a 150 feet, and easily pass through walls and doors.
The chips in these tags may contain sensitive information unique to the individuals carrying them. Companies and agencies often write names, social security numbers, home or work addresses, or contact information into the chips.
Civil Liberties Concerns
Skilled hackers can covertly activate and read RFID scanners from a distance. The potential for abusive tracking of individual movements is significant. If a hacker manages to link a person with a unique RFID tag number, he could track that person without their knowledge or consent. Even generic item tags could associate the people carrying or wearing them with events like political rallies or worship meetings. Without significant precautions, RFID could make children more vulnerable to stalking, tracing, and even kidnapping. As the ACLU of Northern California has pointed out, “[s]omeone who wants to do children harm could potentially sit in a car across the street and scan” the students’ RFID signatures without teachers, parents, or students ever knowing.
Hackers have stealthily “cracked and copied” (that is, hacked and stolen) information. Known targets include RFID chips in commercial building security access cards, U.S. passports, and Dutch and British e-passports. Hackers famously cracked California state legislature ID cards, allowing them access to certain rooms restricted to legislators and staff. Hackers have even breached chips implanted in humans.
How Prevalent Is It?
RFID is gaining prevalence within the government. Tags are present in all new U.S. passports, contained in our Washington state enhanced driver’s license, often used in access cards for government buildings and frequently used in public transit payment cards A few school officials have proposed the idea of tracking students with RFID chips. RFID tracking of students would enable teachers and administrators to watch students in their peer groups, visiting the school nurse or counselor, or even making a trip to the restroom.
Examples Of Use
Location: Interstate 5 US-Canadian Border Crossing, WA
Hacking the Enhanced Driver’s License
In 2008, Washington became one of the first states in the country to begin issuing the Enhanced Driver’s License, which streamlines U.S. citizens’ passage across national land borders without a passport. The state implants the EDL with a small RFID tag whose signal contains a number unique to its owner. At U.S.-Canadian and U.S.-Mexican crossings, border guards compare the name and face on the EDL against the name and face linked to the number. In 2009, researchers at the University of Washington proved the card’s vulnerability. The team hacked and cloned EDL tags using an RFID “sniffer” built at home for about $250. Although the EDL tag itself contains only a number (no names, addresses, etc.), law enforcement and private companies can use it to track your movements. If a hacker does link the number to your identity, he could find a great deal of sensitive information by watching your movements.
“The right of the people to privacy is recognized and shall not be infringed. The legislature shall implement this section.”
Article 1, Section 22 of the Alaska Constitution.