University of Arkansas engineering researchers have discovered how to digitally “fingerprint” radio frequency identification (RFID) chips or tags. (RFID technology transmits data wirelessly from a chip or tag to a reader.)
Dale R. Thompson and Jia Di “refer to the system as a fingerprint because they discovered that individual tags are unique, not because of the data or memory they contain, but because of radio-frequency and manufacturing differences.” Thompson says that the digital fingerprints are necessary because, “it is easy to clone an RFID tag by copying the contents of its memory and applying them to a new, counterfeit tag, which can then be attached to a counterfeit product – or person, in the case of these new e-passports.” RFID fingerprints would prevent such RFID tag-counterfeiting.
There have been substantial problems with the security of RFID tags (see below). However, as security expert Bruce Schneier points out in his post on the research, it is more likely that RFID fingerprint technology would be used as a surveillance mechanism. “Even if the communications is fully encrypted, this technology could be used to uniquely identify the chip,” he says. And, depending on the data on the RFID tag, it is possible to identify the individual carrying the tag.
Earlier this year, Chris Paget, a hacker, released a video showing how he was able to remotely scan, gather ID information, and clone “passport cards” and “enhanced driver’s licenses.” Paget used cheap, off-the-shelf technology, “a Matrics antenna and a Motorola reader he’d bought on eBay for $190,” in order to “read the identity cards of strangers, wirelessly, without ever leaving his car,” the Associated Press reported. “Within an hour, he’d ‘skimmed’ the identifiers of four more of the new, microchipped PASS cards from a distance of 20 feet.”
Paget’s experiment comes as governments are increasingly using wireless RFID technology in identification documents. Academic researchers have detailed (pdf) security and privacy vulnerabilities in the federal government’s “passport cards” and “enhanced driver’s licenses,” which the federal government deploys in conjunction with some state motor vehicle departments.
In May, the European Union issued a recommendation and set out principles for privacy and data protection in the use of RFID technology, which include:
- Consumers should be in control whether products they buy in shops use smart chips or not. When consumers buy products with smart chips, these should be deactivated automatically, immediately and free-of-charge at the point of sale, unless the consumer explicitly opts-in by asking to keep the chip operational. Exceptions can be granted to avoid unnecessary burden on retailers, for example, but only after an assessment of the chip’s impact on privacy.
- Companies or public authorities using smart chips should give consumers clear and simple information so that they understand if their personal data will be used, the type of collected data (such as name, address or date of birth) and for what purpose. They should also provide clear labelling to identify the devices that ‘read’ the information stored in smart chips, and provide a contact point for citizens to obtain more information.
- Companies and public authorities should conduct privacy and data protection impact assessments before using smart chips. These assessments, reviewed by national data protection authorities, should ensure that personal data is secure and well protected.