RFIDAPPLICATIONS, SECURITY, AND PRIVACY

Edited by

Simson GarfinkelBeth Rosenberg

VV Addison-Wesley

Upper Saddle River, NJ • Boston • San FranciscoNew York • Toronto • Montreal • London • Munich • Paris • MadridCapetown • Sydney • Tokyo • Singapore • Mexico City

CONTENTS

Foreword xxiPreface xxvAcknowledgments xlvii

Part I Principles l

Chapter 1 Automatic Identification and Data Collection:What the Future Holds 3Dan Müllen, Bert Moore

Introduction 3A Brief History of AIDC 4

Bar Codes 4Magnetic Stripes and MICR 5Radio Frequency Identification 5

The "Industry" That Isn't 6The Interconnected World 7Clear and Present Benefits 8

Manufacturing 8Distribution and Inventory 8Retail 9Document Tracking 9Security 9Food Supplies 10Healthcare 10

vi CONTENTS

Future Applications 11Sensor-Enabled RFID 11Pharmaceutical Authenticity 11Product Authenticity 12Intelligent Items 12Data Exchange 12

Conclusions 13

Chapter 2 Understanding RFID Technology 15Simson Garfinkel, Henry Holtzman

Introduction 15RFID Technology 15

The Elements of an RFID System 16Coupling, Range, and Penetration 23

RFID Applications 27Supply Chain Visibility and Inventory Management 27Implants 29VeriChip and Mark of the Beast 35

Conclusions 35

Chapter 3 A History of the EPC 37Sanjay Sarma

Introduction 37The Beginning 37

The Distributed Intelligent Systems Center 38Meanwhile, at Procter & Gamble 39

A Mini-Lecture: The Supply Chain 40The Auto-ID Center 41

The Cheap Tag 43"Low-Cost" RFID Protocols 44"Low-Cost" Manufacturing 46The Software and the Network 47Privacy 48Summary: The Ultimate Systems Problem 50

Harnessing the Juggernaut 50The Six Auto-ID Labs 51The Evolution of the Industry 52The Creation of EPCglobal 53

Conclusions 54

CONTENTS vii

Chapter 4 RFID and Global Privacy Policy 57Stephanie Perrin

Introduction 57Definitions of Privacy 58

Definitions of Personal Information 58History of Current Privacy Paradigm 59

Mapping the RFID Discovery Process 62Functions and Responsibilities for Chips, Readers, and Owners . . . . 64

Privacy as a Fundamental Human Right 65Constitutional Rights 68

Privacy Through Data Protection Law and Fair Information Practices... 69A Brief History of FIPS 69Accountability 71

Responsibility in Individual RFID Scenarios 71

Identifying Purposes 73Consent 74Limiting Collection 75Limiting Use, Disclosure, and Retention 75

Accuracy 76Safeguards 77Challenging Compliance 80

Conclusions 80

Chapter 5 RFID, Privacy, and Regulation 83Jonathan Weinberg

Introduction 83Some Current and Proposed RFID Applications 84Whither Item-Level Tagging? 86Understanding RFID's Privacy Threats 88Conclusions 92

Chapter 6 RFID and the United States Regulatory Landscape 99Doug Campbell

Introduction 99Current State of RFID Policy 101

Individuais 103Business 103Government 104Miscellaneous 104

viii CONTENTS

RFID Policy Issues 105Privacy 105Integrity and Security of the System 108Government Access 108Health Impact 109Labor Impact 109Spectrum Conflicts 110Use of RFID Technology to Limit Product Functionality 110

Government Versus Individual Context 111Business Versus Individual Context 114

Policy Dialogue Dynamic 116Industry Leadership 119Options for Government Leadership 120

Congress 120Federal Trade Commission 122

Snapshot of Current Status 124Policy Prescriptions 126The Case for, and Limits of, EPCglobal Leadership 130

Other Industry Alternatives? 131Current EPCglobal Policy 132

Conclusions 133

Chapter 7 RFID and Authenticity of Goods 137Marlena Erdos

Introduction 137A Few Important Concepts in Authentication 138

Authentication Involves Secret Data 138The "Key Distribution" Problem 139Stolen Keys and Revocation 139Comment on Authentication Costs 139

Authenticity of Tags and Authenticity of Goods 140Authenticity of Goods and Anticounterfeiting Measures 141

Injection of Counterfeit Goods into the Supply Chain:Two Scenarios 141

How Authenticatable Tags Could Help 143Switching the Security Bürden 143

Authentication of Readers 144Authenticating Readers to Tags 144

CONTENTS IX

Authenticating Readers Within an Enterprise 145Authentication of Users Across the Supply Chain (Federation) 145

Bürden on System Administrators 146Bürden on Users 146The Answer Is Federation 147

Conclusions 147

Chapter 8 Location and Identity: A Brief History 149Michael Curry

Introduction 149Place and Identity in a World of Habits and Symbols 150Locational Technologies 152

Ptolemy and the Development of Classified Space 152Getting Addressed 154

Rethinking Identity: Beyond Traits and Names 157On RFID 160Conclusions 161

Chapter 9 Interaction Design for Visible Wireless 163Chris Noessel, Simona Brusa Pasque, Jason Tester

Introduction 163The Role of Interaction Design 164A Common Vocabulary 164Designing and Modifying WID Systems 166

Disclosure at Read 166Disclosure of Use 170Read Range 171Identifiable Readers 172Permissions-Based Tags 174Physical Remedies to Opt Out 175

Conclusions 176

Part II Applications 177

Chapter 10 RFID Payments at ExxonMobil 179Simson Garfinkel

Introduction 179Interview with Joe Giordano, ExxonMobil Corporation 182

CONTENTS

Chapter 11 Transforming the Battlefield with RFID 189Nicholas Tsougas

Introduction 189Logistics and the Military 190Conclusions 198

Chapter 12 RFID in the Pharmacy: Q&A with CVS 201Simson Garfinkel, Jack DeAlmo, Stephen Leng,Paul McAfee, Jeffrey Puddington

Introduction 201CVS and Auto-ID 202Project Jump Start 203RFID in the Store 205Making RFID Work: The Back End 205

Chapter 13 RFID in Healthcare 211Kenneth Fishkin, Jay Lundell

Introduction 211The Hospital 212

Tracking People and Objects 212Safeguarding Equipment Use 213Assisting Medical Personnel 214

Home Eldercare 216Activity Monitoring and "OKness" Checking 217Criteria for Different Types of "OKness" Systems 219Applications for Assisting the Elderly 220

Challenges 221Radio Frequency Health Issues 221Standards 223Privacy, Security, and HIPAA 223

Conclusions 226

Chapter 14 Wireless Tracking in the Library: Benefits,Threats, and Responsibilities 229Lori Bowen Ayre

Introduction 229RFID System Components and Their Effects in Libraries 230

Tag 230Reader 231

CONTENTS XI

Application 232RFID Standards 233RFID in U.S. Libraries 234

Penetration 234Library Problems Addressed by RFID 234Cost of Implementing RFID System in Libraries 235Role of Librarians 236Privacy Protections for RFID by Industry and

the Government 237Best-Practices Guidelines for Library Use of RFID 239

Educating the Public 240Conclusions 241

Chapter 15 Tracking Livestock with RFID 245Clint Peck

Introduction 245RFID Has to Prove Itself 247Putting RFID to Work 248RFID and Livestock Marketing 249

Traceback and RFID Standardization with Livestock 250Auction Markets: A Critical Component 251

RFID World Livestock Roundup 253Australia 253Brazil 253Canada 254European Union 254France 255Japan 255New Zealand 256United Kingdom 256

Part III Threats 257

Chapter 16 RFID: The Doomsday Scenario 259Katherine Albrecht

Introduction 259RFID Tags and the EPC Code 260A Ubiquitous RFID Reader Network 263

xii CONTENTS

Watching Everything: RFID and the Four Databases It Will Spawn . . . 265

Database #1: The "Where-Did-This-Come-From?"Manufacturer's Database 266

Database #2: The "What-Is-This?" EPC Database 267Database #3: The "Who-Bought-It?" Point-of-Sale Database . . . 268Database #4: The "Where-Has-It-Been-Seen?" Post-Sale

Surveillance Database 270Corporate Abuse 271Government Abuse 272Conclusions 273

Chapter 17 Multiple Scenarios for Private-Sector Use of RFID 275Ari Schwartz, Paula Bruening

Introduction 275Scenario 1: "No One Wins" 277Scenario 2: "Shangri-La" 278Scenario 3: "The Wild West" 279Scenario4: "TrustbutVerify" 280Conclusions 281

Chapter 18 Would Macy's Scan Gimbels?: CompetitiveIntelligence and RFID 283Ross Stapleton-Gray

Introduction 283

In-Store Scenarios 283

Consumer Technology as a Means of Intelligence Gathering . . . . 284Other Sources of Competitive Intelligence 285

So, Who Wants to Know? 286The Value of Functional Tags on the Shelves 286Qui Bono? 288

Dead Tags Teil No Tales 289

A Recoding Strategy 289Conclusions 290

Chapter 19 Hacking the Prox Card 291Jonathan Westhues

Introduction 291Reverse-Engineering the Protocol 292

WhyltWasn'tVeryHard 294

CONTENTS XIII

Security Implications 295Protecting Against These Types of Attacks 297Conclusions 300

Chapter 20 Bluejacked! 303Pius Uzamere II, Simson Garfinkel, Ricardo Garcia

Introduction 303Bluetooth 303

Bluetooth's Background 306Bluetooth Profiles 309Untrusted Versus Trusted Pairing and Discoverability 312Current and Speculative Bluetooth Implementations 315

Bluetooth Security and Privacy Attacks 316Cracking Bluetooth 317Bluetapping 322Locational Surveillance 323

Conclusions 325

Part IV Technical Solutions 327

Chapter 21 Technological Approaches to the RFIDPrivacy Problem 329Ari Juels

Introduction 329The Technical Challenges of RFID Privacy 331Blocker Tags 332Soft Blocking 335Signal-to-Noise Measurement 336Tags with Pseudonyms 336Corporate Privacy 337Technology and Policy 338Conclusions 338

Chapter 22 Randomization: Another Approach to RobustRFID Security 341Michael Arneson, William Bandy

Introduction 341The Problems in RFID Security 341Conclusions 343

xiv CONTENTS

Chapter 23 Killing, Recoding, and Beyond 347David Molnar, Ross Stapleton-Gray, David Wagner

Introduction 347RFID Recoding and Infomediaries 349

Applications Prevented by Killing 349Recoding and Electronic Product Codes 350

Infrastructure Issues 352Protecting the Kill Switch 352Recoding, Rewritable Tags, and Vandalism 353The "Subthreshold" Retailer 354Who Pays? 354

Conclusions 355

Part V Stakeholder Perspectives 357

Chapter 24 Texas Instruments: Lessons from SuccessfulRFID Applications 359Bill Allen

Introduction 359Toll Tracking: Who Knows Where You Are Going? 360Contactless Payment: Are Safeguards Already in Place? 361RFID and Automotive Anti-Theft: Staying Ahead of the

Security Curve 363How and What We Communicate 364

Listen to the Consumer 365Protect Data 365Empower the Consumer 365

Conclusions 366

Chapter 25 Gemplus: Smart Cards and Wireless Cards 367Christophe Mourtel

Introduction 367What Is a Smart Card? 367Smart Card Communication and Command Format 370Card Life Cycle 371Smart Card Applications 372

PayTV 372Mobile Communications 372

CONTENTS xv

Electronic Cash 373OtherApplications 373

"Contactless" Cards 373Protocols and Secure Communication Schemes 374Constraints of Contactless Products 375

Speed and Working Distance 376Interoperability 376

Contactless Products and the Contact Interface 377Communication 377Physical Security 379Software Security 380

Conclusions 380

Chapter 26 NCR: RFID in Retail 381Dan White

Introduction 381PaymentApplications 381

Current Installations 382Food Ordering 382

Inventory Management Applications 383Out-of-Stocks 384Theft Prevention 384Electronic Shelf Labels 385Technical Limitations 385Cost and Installation Limitations 386Misplaced Inventory 386Product Locator 387Back Room 388Mobile Systems 388

Hybrid Scanners 389Traceability 389Perishable Products 390Recalls 390No More Receipts 390Technology Analysis 391

Privacy Concerns 392RFID Portal 393Conclusions 395

xvi CONTENTS

Chapter 27 P&G: RFID and Privacy in the Supply Chain 397Sandy Hughes

Introduction 397Procter & Gamble's Position 398RFID Technology and the Supply Chain 399

Internal P&G Protocols 406External P&G Protocols 406Supply Chain Dependencies 407

Global Guidelines for EPC Usage 408Consumer Notice 408Consumer Education 409Consumer Choice 410Record Use, Retention, and Security 411

Conclusions 412

Chapter 28 Citizens: Getting at Our Real Concerns 413Robert Ellis Smith, Mikhail Zolikoff

Introduction 413Prior to the Point of Säle 414After the Point of Säle: Nonconsumer Goods 414After the Point of Säle: Consumer Goods 415After the Point of Säle: Privacy Interests 416

Possible Scenarios 418Eliminating the RFID Threats to Privacy 419

Mitigating the Threats: "Continue Activation" as theDefault for Nonconsumer Goods 420

Mitigating the Threats: "Continue Activation" as theDefault for Certain Consumer Goods 421

Mitigating the Threats: "Deactivation" as the Defaultfor Sensitive Products 422

Hybrid Products 422Enforcing This Scheine by Law 42 3The CALEA Experience 423On the Other Hand: The Electronic-Funds Experience 425Mitigating the Threats: Different Frequencies 426An Additional Consideration: Chip Security 427

Conclusions 428

CONTENTS XVII

Chapter 29 Activists: Communicating with Consumers,Speaking Truth to Policy Makers 431Beth Givens

Introduction 431RFID Characteristics That Threaten Privacy 432

Proposed Technology-Based Solutions 43 3Is Consumer Education the Answer? 434

Calling for a Technology Assessment 434

Conclusions 437

Chapter 30 Experimenting on Humans Using AlienTechnology 439Peter de Jager

Introduction 439The Surveillance Society: It's Already Here 440A Trick to Overcome Resistance 440

Constituents to Change—and to Stasis 442Privacy Advocates Own This Story 444Privacy, Change, and Language 444How to Make Consumers Demand Change (and RFID) 447

Conclusions 448

Chapter 31 Asia: Billions Awaken to RFID 451Bimal Sareen

Introduction 451Factors Separating Western and Asian RFID Experience 451

Privacy: Western Luxury or Western Construct? 452RFID as the Lightning Rod of Privacy Activists 453The Indian Perspective on Personal Privacy 453Other Asian Countries' Views on Privacy 454

The Extant Paper Database and Electronic Credit Card Systems . . . . 45 5A Cultural Predisposition to Technology Adoption? 455Establishment of National Identities 455

A Complex Interplay of Social Systems and Technology 456

RFID in India 456Local Deployments of RFID in India 457A Positive Outlook for Retail and Industry 458E-Governance Applications 458

xviii CONTENTS

A Strategie Position 459Government Adoption, Not Regulation, for RFID 459India-Specific RFID Deployment Concerns 460RFID in India: Summary 461

RFID Across Asia 461China 461Hong Kong 462Japan 463South Korea 464Malaysia 464Singapore 464

Conclusions 465

Chapter 32 Latin America: Wireless Privacy, Corporations,and the Struggle for Development 467Jennifer Torres-Wernicke

Introduction 467An Overview of Wireless Services Penetration into

Central America 468Spread Spectrum 468WiFi 469RFID 469

Pervasiveness of Telecommunications in Central America 470Panama 470El Salvador 471Costa Rica 471Guatemala 471Honduras 472Nicaragua 472

Privacy Concerns 473Old Assumptions in a New World 473The Author's Experience Living in El Salvador 474

An Overview of Privacy Across Latin America 475A Word on the U.S.-Mexican Border 476What About the United States? 477

Conclusions: Privacy, Poverty, and the Future 477

CONTENTS xix

Appendixes 479

Appendix A Position Statement on the Use of RFID onConsumer Products 481

Appendix B RFID and the Construction of Privacy:Why Mandatory Kill Is Necessary 497

Appendix C Guidelines for Privacy Protection on ElectronicTags of Japan 507Takato Natsui

Appendix D Adapting Fair Information Practices toLow-Cost RFID Systems 515Simson Garfinkel

Appendix E Guidelines on EPC for Consumer Products 525EPCglobal, Inc.

Appendix F Realizing the Mandate: RFID at Wal-Mart 529Gus Whitcomb, interviewed by Simson Garfinkel

Index 535