A privacy activist argues that the devices pose new security risks to those who carry them, often unwittingly

By Katherine Albrecht

Scientific American Magazine -  August 21, 2008

If you live in a state bordering Canada or Mexico, you may soon be given an opportunity to carry a very high tech item: a remotely readable driver’s license. Designed to identify U.S. citizens as they approach the nation’s borders, the cards are being promoted by the Department of Homeland Security as a way to save time and simplify border crossings. But if you care about your safety and privacy as much as convenience, you might want to think twice before signing up.

The new licenses come equipped with radio-frequency identification (RFID) tags that can be read right through a wallet, pocket or purse from as far away as 30 feet. Each tag incorporates a tiny microchip encoded with a unique identification number. As the bearer approaches a border station, radio energy broadcast by a reader device is picked up by an antenna connected to the chip, causing it to emit the ID number. By the time the license holder reaches the border agent, the number has already been fed into a Homeland Security database, and the traveler’s photograph and other details are displayed on the agent’s screen.

Although such “enhanced” driver’s licenses remain voluntary in the states that offer them, privacy and security experts are concerned that those who sign up for the cards are unaware of the risk: anyone with a readily available reader device—unscrupulous marketers, government agents, stalkers, thieves and just plain snoops—can also access the data on the licenses to remotely track people without their knowledge or consent. What is more, onc　 e the tag’s ID number is associated with an individual’s identity—for example, when the person carrying the license makes a credit-card transaction—the radio tag becomes a proxy for that individual. And the driver’s licenses are just the latest addition to a growing array of “tagged” items that consumers might be wearing or carrying around, such as transit and toll passes, office key cards, school IDs, “contactless” credit cards, clothing, phones and even groceries.

RFID tags have been likened to barcodes that broadcast their information, and the comparison is apt in the sense that the tiny devices have been used mainly for identifying parts and inventory, including cattle, as they make their way through supply chains. Instead of having to scan every individual item’s Universal Product Code (UPC), a warehouse worker can register the contents of an entire pallet of, say, paper towels by scanning the unique serial number encoded in the attached RFID tag. That number is associated in a central database with a detailed list of the pallet’s contents. But people are not paper products. During the past decade a shift toward embedding chips in individual consumer goods and, now, official identity documents has created a new set of privacy and security problems precisely because RFID is such a powerful tracking technology. Very little security is built into the tags themselves, and existing laws offer people scant protection from being surreptitiously tracked and profiled while living an increasingly tagged life.

Beyond Barcodes
The first radio tags identified military aircraft as friend or foe during World War II, but it was not until the late 1980s that similar tags became the basis of electronic toll-collection systems, such as E-ZPass along the East Coast. And in 1999 corporations began considering the tags’ potential for tracking millions of individual objects. In that year Procter & Gamble and Gillette (which have since merged to become the world’s largest consumer-product manufacturing company) formed a consortium with Massachusetts Institute of Technology engineers, called the Auto-ID Center, to develop RFID tags that would be small, efficient and cheap enough to eventually replace the UPC barcode on everyday consumer products.

By 2003 the group had developed a working version of the technology and attracted in­­vest­ment from more than 100 companies and government agencies. The tags’ promoters promised the tiny chips would revolutionize inventory management and counterfeiting prevention [see “RFID: A Key to Automating Everything,” by Roy Want; Scientific American, January 2004].

To kick-start government adoption of the technology, the General Services Administration (GSA), a federal bureau that manages purchasing for other government institutions, issued a memo in 2004 urging the heads of all federal agencies “to consider action that can be taken to advance the [RFID] industry.” Suddenly, virtually every agency, from the Social Security Administration to the Food and Drug Administration, began announcing RFID trials. 

During the same period, similar initiatives were under way around the world. In 2003 the International Civil Aviation Organization (ICAO), a United Nations agency that sets global passport standards, endorsed the use of RFID tags in passports. ICAO now calls for their use in all scannable “e-passports.” Today dozens of countries, including the U.S., issue e-passports with RFID tags embedded in their covers.

Since their debut, the new passports have been controversial on both privacy and security grounds. In a 2006 report one　 ICAO official promised that encryption measures would provide a “level of protection [that] should reassure the most anxious passport holder that his personal data cannot be read without his knowledge.”

Security experts quickly proved otherwise. In 2007 British security consultant Adam Laurie cracked the encryption code on a U.K. passport and “skimmed,” or remotely read, its personal information—while it was still sealed in its mailing envelope. Around the same time, German security consultant Lukas Grunwald copied the data from a German passport’s embedded chip and encoded it into a different RFID tag to create a forged document that could fool an electronic passport reader. Investigators at Charles University in Prague, finding similar vulnerabilities in Czech e-passports, wrote that it was “a bit surprising to meet an implementation that actually encourages rather than eliminates [security] attacks.”

Yet these demonstrated security problems have not slowed the adoption of RFID. On the contrary, the technology is being deployed for domestic ID cards around the world. Malaysia has issued some 25 million contactless national identity cards. Qatar is issuing one　 that stores the cardholder’s fingerprint in addition to personal information. And in what industry observers are calling the single largest RFID project in the world, the Chinese government is spending $6 billion to roll out RFID-based national IDs to nearly one　 billion citizens and residents.

There is an important difference, however, between other nations’ RFID-based ID cards and Homeland Security’s new driver’s licenses. Most countries’ contactless national IDs and e-passports have adopted an RFID tag that meets an industry standard known as ISO 14443, which was developed specifically for identification and payment cards and has a degree of security and privacy protection built in. In contrast, U.S. border cards use an RFID standard known as EPCglobal Gen 2, a technology that was designed to track products in warehouses, where the goal is not security but maximum ease of readability.

Whereas the ISO 14443 standard includes rudimentary encryption and requires tags to be close to a scanner to be read (a distance measured in inches rather than feet), Gen 2 tags typically have no encryption and onl　 y minimal data safeguards. To skim the data from an encrypted ISO 14443 chip, you have to crack the encryption code, but no special skills are required to skim a Gen 2 tag; all you need is any Gen 2 reader. Such readers can be purchased readily and are in common use in warehouses worldwide. A hacker or crim­inal armed with one　 could skim a border card through a purse, across a room, even through a wall.

As of this past April, more than 35,000 Washington State motorists had signed up for en­­hanced driver’s licenses, and other border states, including Arizona, Michigan and Vermont, have agreed to participate in the program. New York State will begin making the new licenses available to its residents after Labor Day.

But the possibility that the security of such cards could be compromised is just one　 reason for concern. Even if tighter data-protection measures could someday prevent unauthorized access to RFID-card data, many privacy advocates worry that remotely readable identity documents could be abused by governments that wish to tightly monitor and control their citizens.

China’s national ID cards, for instance, are encoded with what most people would consider a shocking amount of personal information, including health and reproductive history, employment status, religion, ethnicity and even the name and phone number of each cardholder’s landlord. More ominous still, the cards are part of a larger project to blanket Chinese cities with state-of-the-art surveillance technologies. Michael Lin, a vice president for China Public Security Technology, a private company providing the RFID cards for the program, unflinchingly described them to the New York Times as “a way for the government to control the population in the future.” And even if other governments do not take advantage of the surveillance potential inherent in the new ID cards, ample evidence suggests that data-hungry corporations will.

Living a Tagged Life
If the idea that corporations might want to use RFID tags to spy on individuals sounds far-fetched, it is worth considering an IBM patent filed in 2001 and granted in 2006. The patent describes exactly how the cards can be used for tracking and profiling even if access to official databases is unavailable or strictly limited. Entitled “Identification and Tracking of Persons Using RFID-Tagged Items in Store Environments,” it chillingly details RFID’s potential for surveillance in a world where networked RFID readers called “person tracking units” would be incorporated virtually everywhere people go—in “shopping malls, airports, train stations, bus stations, elevators, trains, airplanes, restrooms, sports arenas, libraries, theaters, [and] mu­­se­­ums”—to closely monitor people’s movements.

According to the patent, here is how it would work in a retail environment: an “RFID tag scanner located [in the desired tracking location]... scans the RFID tags on [a] person.... As that person moves around the store, different RFID tag scanners located throughout the store can pick up radio signals from the RFID tags carried on that person and the movement of that person is tracked based on these detections.... The person tracking unit may keep records of different locations where the person has visited, as well as the visitation times.”

The fact that no personal data are stored in the RFID tag does not present a problem, IBM explains, because “the personal information will be obtained when the person uses his or her credit card, bank card, shopper card or the like.” The link between the unique RFID number of the tag and a person’s identity needs to be made onl　 y onc　 e for the card to serve as a proxy for the person thereafter. Although IBM envisioned tracking people via miniature tags in consumer goods, with today’s RFID border cards there is no need to wait for such individual product tags to become widespread. Washington’s new driver’s licenses would be ideally suited to the in-store tracking application, because they can already be read by Gen 2 inventory scanners in use today at stores such as Wal-Mart, Dillard’s and American Apparel.

A tracking infrastructure will become increasingly fruitful to marketers as more people begin carrying, and even wearing, RFID-tagged items. At present, tens of millions of contactless credit and ATM cards containing RFID tags are in circulation, along with millions of employee access badges. RFID-based public-transit passes, widely used in Europe and Japan, are also coming to U.S. cities. IBM’s person tracking unit is still onl　 y a patent, but an English amusement park called Alton Towers provides a living illustration of RFID’s tracking potential. On entering the park, each visitor is offered an RFID wristband encoded with a unique ID number. As people enjoy the attractions, a network of RFID readers placed strategically throughout the park detects each wristband as it comes within range and triggers nearby video cameras. Candid footage of each individual is stored in a file labeled with the wristband ID number, then made available to the customer on a keepsake DVD at the end of the day.

Protecting the Public
If RFID tags can enable an amusement park to capture detailed, personalized videos of thousands of people a day, imagine what a determined government could do—not to mention marketers or criminals. That is why my colleagues in the privacy community and I have so firmly opposed the use of RFID in government-issued identity documents or individual consumer items. As far back as 2003, my organization, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)—along with the Privacy Rights Clearinghouse, the Electronic Privacy Information Center, the Electronic Frontier Foundation, the American Civil Liberties Union, and 40 other leading privacy and civil liberties advocates and organizations—recognized this threat and issued a position paper that condemned the tracking of human beings with RFID as inappropriate.

In response to these concerns, dozens of U.S. states have introduced RFID consumer-protection bills—which have all been either killed or gutted by heavy opposition from lobbyists for the RFID industry. When the New Hampshire Senate voted on a bill that would have imposed tough regulations on RFID in 2006, a last-minute floor amendment replaced it with a two-year study instead. (I was appointed by the governor to serve on the resulting commission.) That same year a California bill that would have prohibited the use of RFID in government-issued documents passed both houses of the legislature, onl　 y to be vetoed by Governor Arnold Schwarzenegger.

On the federal level, no high-profile consumer-protection bills related to RFID have been passed. Instead, in 2005, the Senate Republican High Tech Task Force praised RFID applications as “exciting new technologies” with “tremendous promise for our economy” and vowed to protect RFID from regulation or legislation.

In the European Union, regulators are at least examining the situation. The European Commission—the executive arm of the E.U.—has acknowledged the potential for serious privacy problems with RFID and opened a public comment period earlier this year. As of July, when this issue went to press, recommendations stemming from the public comments were set to be released later in the summer, but expectations for any consumer-privacy regulations were low. In a March 2007 speech, E.U. commissioner for information society and media Viviane Reding announced that the commission would not regulate RFID but instead would allow businesses to regulate themselves. “I am here to tell you that on RFIDs, there is not going to be a regulation,” she said. “My view is that we should underregulate rather than overregulate so that this sector can take off.”

Unfortunately, industry self-regulation has little force when it comes to protecting the public from RFID risks. EPCglobal, the industry body that now sets technical standards for RFID tags, also produced a set of guidelines for the use of the chips in retail. The organization’s recommendations require, among other things, notice to consumers whenever products contain RFID tags—for instance, in the form of a recognizable RFID logo. Yet when Checkpoint Systems, a member company of EPCglobal, designed RFID tags to be hidden in the soles of shoes—in clear violation of the organization’s own provisions—Mike Meranda, then president of EPCglobal, told me that since the guidelines were voluntary, there was nothing he or his organization could do about it.

The Washington State Department of Licensing reassures citizens that their personal information is safe because the RFID tag in an enhanced driver’s license “doesn’t have a power source” and “doesn’t contain any personal identifying inform­ation”—even though those facts have no bearing on whether the card can be used for tracking. For some people, a false sense of assurance provided by such official mollifications could be dangerous. The National Network to End Domestic Violence, a group that vocally opposes the use of RFID in identity documents and consumer products, has submitted legislative testimony describing how abusers could use the technology to stalk and monitor their victims.

Meanwhile the RFID train is barreling forward. Gigi Zenk, a spokesperson at Washington’s licensing agency, recently confirmed that there are 10,000 enhanced licenses “on the street now—that people are actually carrying.” That’s a lot of potential for abuse, and it will onl　 y grow. The state recently mustered a halfhearted response, passing a law that designates the unauthorized reading of a tag “for the purpose of fraud, identity theft, or for any other illegal purpose” as a class C felony, subject to five years in prison and a $10,000 fine. Nowhere in the law does it say, however, that scanning for other purposes such as marketing—or perhaps “to control the population”—is prohibited. We ignore these risks at our peril.

Note: This article was originally published with the title, "RFID Tag--You're It".

By Kent Bernhard Jr.

August 25, 2008
Biofuel Research

It’s a blazing hot Columbia, S.C. afternoon, humid enough to drown an alligator. We’re out at a creek bank beside a city street, looking at grass.

It’s not just any grass. This stuff’s at least eight feet tall, and the guys I’m with are hoping this grass can make them a lot of money.

The grass is named “Arundo Donax,” and two of the men I’m with, University of South Carolina professor Laszlo Marton and his colleague Mihaly Czako, have come up with a way to grow lots of it in one　 place, something that onc　e was very difficult, if not impossible.

The other folks with us represent Biomass Gas & Electric of Atlanta. They’re wagering these grasses could be one　 of the next big things in energy.

Biomass has entered an exclusive deal to license the genetic-engineering technology Marton and Czako have developed. The company is spending more than $1 million to help fund research on micropropogation of Arundo and some fifty other perennial grasses, and has committed to funding five years of further research.

Already, the company is planning two electric plants in Florida using Arundo Donax as feedstock. And earlier this month Biomass Gas & Electric reached a technology-transfer agreement with ProSystem Group of Hungary. The Hungarian group will be able to use the grass propogation technique in Hungary and sell the grass for energy throughout the European Union. In return, Biomass Gas & Electric will be able to use PSG’s hardware in the grass micropropogation.

“We’ll be growing something that’s akin to a coal field,” says Michael Birch, the expat Brit who helped bring Biomass and the researchers together. The former World Bank official is now head of the Biomass Gas & Electric’s agricultural biotech side — contracting with agricultural companies in Florida that will plant 20,000 acres of Arundo.

Biomass Gas & Electric CEO Glenn Farris says the project will be, at the least, carbon neutral, since the plants will absorb as much carbon dioxide while growing as they will give off when they are used for fuel.

“It’s a wonderful management technique,” Farris says.

In Florida, Farris expects the contractors to start planting Arundo by the end of this year. It will take about two years to establish a crop of the grass, and after that, the Arundo can be harvested as often as twice a year in certain climactic zones, such as Florida and Texas.

About 20,000 acres of the grass can yield enough energy to fire a 75 megawatt power plant for a year.

While companies have known for years that grasses like Arundo can be used as feedstock for electricity generation, they haven’t been able to grow enough to make a large-scale operation practical. With the technology developed by the South Carolina team, though, mega plantations are possible.

Biomass Gas & Electric is building three biomass gas to electric plants in Florida and will sell electricity from those 75-megawatt power stations to the Florida Power & Light. Of the three, two will use Arundo as fuel. The other will use more traditional energy sources, mostly wood waste.

Long journey to a deal

Llaszlo Marton, 60, has been working with grass for a very long time. Since 1990, he’s done that work in a laboratory at the University of South Carolina.

“Since my student years I am working with plants,” says Marton, a Hungarian who grew up in the Romanian region of Transylvannia who jokes upon our meeting that he doesn’t drink blood. “I was basically working on basic scientific problems. When I got (to USC), I continued that but I started to look at more green projects.”

Through years of painstaking research, Marton, Czako and their colleagues developed the micropropogation technique. At the most basic level, the technique allows for millions of embryonic plants to be cultivated. Without the technology, it would be well-nigh impossible to transplant such a large field of the grasses.

“It is a cell culture like stem cells,” Marton says. “Plants don’t normally do that.”

Marton and his colleagues now have cultures of 50 different grasses, and some of the cultures are 12 years old.

Originally, Marton tells me, he’d thought the grasses could be used in wastewater treatment and soil remediation. But things changed as more companies like Biomass Gas & Electric started looking for new ways to generate energy.

Meanwhile, Birch, following a career with the World Bank, was living near Oak Ridge, Tenn., and observing the lay of the land for energy in the U.S. “I wanted to find a niche. I wasn’t quite sure what it was,” he says.

In 2004, he learned about Marton’s and Czako’s work and contacted the University of South Carolina Intellectual Property Office. “I then beat my way to their doors,” he says. “I was basically the first person who came to their front door.”

But Birch was not yet connected with Biomass Gas & Electric, and it would take years to bring the deal together so the grass would actually be grown for power. The reasons: Biomass Gas & Electric had to negotiate its contracts to supply electricity for a large utility; regulatory hurdles had to be jumped; and attitudes toward growing your own crops for energy had to change.

That change has taken place on a broad scale onl　y in the past couple of years, as energy prices have spiked and concern over global warming has grown.

“At least people are listening,” says Birch, “and up until a few years ago, people weren’t listening.”

A business takes shape

Companies are working on using everything from animal waste and grease to methane from landfills as fuel for electricity generation. They’ve long used wood waste.

But Glenn Farris believes the ability of his company to grow its own fuel could help differentiate it as the field gets more crowded. “In some markets where it warrants it, we would be able to more closely control our own feedstock, which gives more security to our company and … our investors,” he says. “We also believe we could become a provider of feedstock. We see the potential agricultural opportunity as being a very big difference.”

Biomass can be used to fire plants in much the same way as natural gas or coal, for baseload power. That means, unlike solar or wind farms, the plants can be used as fuel at any time. And, with the technology his company has licensed, Farris believes biomass can be scaled to the size of some nuclear or coal power stations.

“I believe the business is shaping as we speak,” Farris says. “We don’t know all the answers yet but there’s a business out there shaping up.”

Farris foresees a day when a 500,000-acre plantation could be growing fuel for a 2-gigawatt plant. And now is the time to be in the business, Farris says.

Despite recent tumbles in gas prices, the cost for a barrel of oil continues to hover well above $100, and that doesn’t begin to count the cost to the U.S. of policing the Middle East to protect the West’s oil supplies. The price of coal, still by far the cheapest fossil fuel has also been rising, as has that of natural gas.

And the cost of using coal is going to rise further. Concerns about global warming have already led to caps on greenhouse gasses in Europe and are likely to spark a similar system in the U.S. That means emitting carbon dioxide, now free, will have a cost in the future, and the financial world is already calculating that cost when it comes to loaning money for new coal plants.

Even without carbon costs in the equation, Farris says, the cost of energy generated in one　 of his company’s plants is on par with “clean” coal. And while he doesn’t necessarily expect the grasses his company uses dominate the market in the way that coal does, he does see plenty of opportunity.

After all, Farris says: “Biomass is ready today and we’re ready to go.”

Alcatel-Lucent, Cisco, Clearwire, Intel, Samsung, Sprint Ally to Form WiMAX Industry Patent Pool