8.6 Radio Frequency Identification (RFID) Technology
8.6.1 Defining RFID
RFID technology facilitates the identification of objects, animals and people by using radio waves. RFID is an electronic identification device and is classified as an automatic identification tool along with biometric systems (Schmidt, 2007: 249). RFID can be used to store information beyond what is simply needed to identify individuals, which has potentially profound implications. An RFID system is made up of three main components:
- the RFID tag, or transponder, which carries object-identifying data
- the RFID reader, or transceiver, which reads and writes tag data
- the back-end database, which associates records with tag data collected by readers
Every person or object that needs to be identified through an RFID system must have a tag physically attached. The tag reader gathers information from tags by sending out a radio frequency signal, and a tag responds to the signal by sending back identification information and/or other stored data. The reader converts data from the tag into digital data, which is sent through to appropriate agencies where either an automated identification process occurs or the data is processed by humans. RFID readers and tags must be tuned to the same frequency, and the range between the two devices depends on whether the tag is active (has an internal power supply) or passive (draws power from the field created by the reader).
There are obvious threats to RFID systems that stem from physical attacks on the tag or reader devices, but a number of other potential security and privacy threats have been identified, including (adapted from Rieback et al, 2006: 65-66):
Sniffing: RFID tags are indiscriminate and could potentially be read by any compliant reader, which creates the potential for unauthorised readers to scan tags. Unrestricted access could mean that personal information, such as a person's medical predispositions, could be extracted and used to inform insurance coverage.
Tracking: RFID technology could be used to track individuals' movements through the use of strategically placed readers, which provides the opportunity for governments to monitor the movement of individuals or groups.
Spoofing: Authentic RFID tags could be produced and attached to objects, and subsequently used to falsify the identity of goods or gain unauthorised access to services.
Replay attacks: Replay devices can intercept and retransmit RFID queries from readers or tags, which could be used to abuse various RFID applications.
Denial of service: Tags can be removed from items or people, or aluminium foil can be used to block RFID systems, disrupting them and subsequently causing them to record useless data and discrediting the technology.
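The following is an added example, not part of the original text or of Rieback et al., showing why a tag that always returns the same identifier is exposed to replay and how a fresh reader challenge checked by the back-end database changes the outcome. The tag ID, key, class and function names are hypothetical, and HMAC-SHA256 is an assumed stand-in for whatever keyed function a real tag could support.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: back-end database mapping tag IDs to per-tag keys.
BACKEND_KEYS = {"TAG-0001": b"constructed-demo-key-0001"}

class StaticTag:
    """Tag that answers every reader query with the same identifier."""
    def __init__(self, tag_id):
        self.tag_id = tag_id
    def respond(self, challenge):
        return (self.tag_id, b"")  # the reader's challenge is ignored

class ChallengeResponseTag:
    """Tag that binds its answer to the reader's challenge with a keyed MAC."""
    def __init__(self, tag_id, key):
        self.tag_id, self._key = tag_id, key
    def respond(self, challenge):
        mac = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return (self.tag_id, mac)

def backend_accepts_static(response):
    # The back end can only check that the identifier is a known one.
    tag_id, _ = response
    return tag_id in BACKEND_KEYS

def backend_accepts_cr(challenge, response):
    # The back end recomputes the MAC over the challenge the reader just sent.
    tag_id, mac = response
    key = BACKEND_KEYS.get(tag_id)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

def replay_outcomes():
    """Return (static_replay_ok, cr_replay_ok, cr_genuine_ok) for session 2."""
    static_tag = StaticTag("TAG-0001")
    cr_tag = ChallengeResponseTag("TAG-0001", BACKEND_KEYS["TAG-0001"])
    # Session 1: both responses are captured off the air.
    c1 = secrets.token_bytes(16)
    recorded_static = static_tag.respond(c1)
    recorded_cr = cr_tag.respond(c1)
    # Session 2: the reader issues a fresh challenge; recordings are replayed.
    c2 = secrets.token_bytes(16)
    return (backend_accepts_static(recorded_static),
            backend_accepts_cr(c2, recorded_cr),
            backend_accepts_cr(c2, cr_tag.respond(c2)))

if __name__ == "__main__":
    print(replay_outcomes())
```
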
The first widespread commercial usage of RFID began in 1987 for electronic toll collection in the United States, and the 1990s saw the widespread use of RFID to prevent shoplifting (Schmidt, 2007). RFID has been used across a number of security areas, including anti-counterfeiting (Tuyls and Batina, 2006), monitoring the movement of people into and out of buildings, preventing the unauthorised taking of goods (Bvoulard, 2005) and monitoring the movement of offenders through electronic tagging. These are considered in more detail below.