News

Zombie RFID tags may never die

May 17, 2004

SAN FRANCISCO--As retailers look at the potential of radio frequency ID (RFID) to track merchandise and consumer behavior, privacy campaigners want to make sure that hardcore data protection is implemented along with the new tagging technology, according to an article on ZDNet.

At the heart of the debate is exactly the tracking chips need to be turned off of killed. Since RFID tags can be read by a store or by an unrelated third party with the proper technology privacy proponents want them to be shut down after the point of purchase.

Kill commands for RFID tags do exist. The idea is that when a shopper passes a certain point, any active RFID chip essentially shuts itself down. The idea seems simple enough but is there a reason why retailers would want to keep the tags active once they've left the store?

Burk Kaliski, chief scientist and director of RSA Laboratories, believes there's a strong case for chips that never die. That doesn't mean always-on though. They would be more zombie than normal chip--alive but not capable of doing anything without being activated.

When the chips leave the store, they should be switched from non-private to private so they remain intact and in some select instances can be returned to readability, but otherwise are immune to shop-scanning, he said.

Introducing kill commands, Kaliski said, would "discourage innovation" and would be "counterproductive".

There are indeed uses being touted for zombie tags. Taking goods back to a shop, for example, would be easier; recalling faulty or dangerous goods would be simpler; and distributing pharmaceuticals could be made safer by using RFID to scan for potentially harmful combinations.

But according to Katherine Albrecht of privacy group Consumers Against Supermarket Privacy Invasion and Numbering (Caspian), the disadvantages far outweigh the benefits.

"Whoever made the tag is the entity that can reactivate it... that's even more dangerous [than kill-command chips]. If you believe a chip is dead, you don't take common-sense precautions to protect your privacy," she said.