News & Analysis

RFID 'kill' feature aims to soothe privacy fears

Junko Yoshida

4/28/2003 6:56 AM EDT

Paris - Concerned over public perceptions that radio-frequency identification chips are an invasion of privacy that could track an individual's buying habits, several chip makers are building a "kill" command into their upcoming RFID chips. Initial prototypes with the feature, which effectively removes a chip's ability to communicate, are expected to be available in June.

The kill feature arrives as Italian clothier Benetton Group has backpedaled from a plan to embed RFID labels, based on Philips Semiconductors' I.Code chips, in millions of its garments. After the plan was made public, a backlash ensued that led to the formation of Boycott Benetton, a group that opposed the clothier's and others' planned use of RFID tags to track products through the manufacturing and supply chains. Benetton now says it is reevaluating the plan's "potential implications relating to individual privacy."

Technology companies' responses to the Benetton flap range from protests that it's much ado about nothing to promises that consumers' privacy concerns are paramount. While acknowledging that privacy is a hot-button issue, many said they believe it won't be a showstopper for RFID tags, particularly in light of the development of protocols that can disarm the chips' communications capability once tagged merchandise is in consumers' hands.

It's highly unusual for chip companies to consider such "self-destructive technology because it's shooting yourself in the foot," said Kevin Ashton of the Massachusetts Institute of Technology. Ashton is executive director of the Auto-ID Center, which is designing an infrastructure for RFID technology that includes a kill command as part of the protocol specs. But when it comes to encouraging marketplace acceptance of RFID tags, the industry may have to be willing to kill its chips in order to save them.

Opponents of RFID tagging say the tags make it theoretically possible to "profile" a consumer remotely, by linking the data on a garment, for example, with the purchaser's credit card information via the retailer's database and then cross-referencing that to the credit card company's database to obtain a broader picture of buying habits. But that scenario is unlikely "unless you live in a totalitarian state with a perfect information architecture - or in a Hollywood movie," quipped Ashton.

Eye-opener: Boycott Benetton laid bare the RFID privacy controversy. Can self-destruct tags put it to rest?

Even so, Ashton acknowledged, "you have to take privacy and security concerns incredibly seriously. As scientists, engineers and industrialists, you can't leave holes [open] to possible attacks" - even impractical ones - because if privacy fears keep people from using a technology, "the technology fails."

Thus the Auto-ID Center research group, which involves three universities and scores of companies, has developed a kill-command feature for its Electronic Product Code (EPC) spec, which Ashton said is approaching recommended-standard status. Three Auto-ID Center sponsors - Alien Technology (Morgan Hill, Calif.), Matrics Inc. (Columbia, Md.) and Philips Semiconductors (Eindhoven, the Netherlands) - say they will have kill-command-equipped RFID chip prototypes ready by summer.

Dirk Morgenroth, segment marketing manager for RF tag and label ICs at Philips Semiconductors, said the company plans a late-second-half launch for a full-production version of a kill-command-equipped, EPC-compliant I.Code RFID chip.

Of course, it has always been possible to deactivate an RFID tag by brute force, for example by breaking an antenna or applying a high voltage to the tag. But under the Auto-ID spec, the kill-command feature is "not an afterthought - it is very much a part of the whole system," said Steve Hodges, acting director of Auto-ID Centre Europe, which is associated with the University of Cambridge, England.

The group's researchers developed a password-associated kill command as a part of its RFID protocol specs. Just as a read, write or be-silent command can be sent to any RFID tag from a reader, a command could be sent that would instruct the chip to self-destruct, said Daniel Engels, director of the Auto-ID Center in Cambridge, Mass. A chip so instructed would either blow a fuse or set its memory at a value that would render it permanently unable to communicate. While the Auto-ID Center's proposed spec issues a standard command to deactivate the chip, it's up to tag designers to decide how the physical deactivation will occur, Engels said.

Alien Technology has already developed a kill-command-equipped prototype chip compliant with the Auto-ID Center's UHF class 1 specification. Matrics, meanwhile, is working on a prototype based on the UHF class 0 spec, and Philips' prototype will be based on a 13.56-MHz spec.

It takes "only an order of tens of transistors to add a feature to decode a kill command and implement the code," said Engels.

Philips' Morgenroth said he doesn't expect a cost premium to accompany the kill feature.

Whether adding a self-destruct command to an RFID chip is enough to satisfy consumers' privacy concerns remains to be seen. Also yet to be worked out is whether the kill function should automatically be implemented at the point of sale or whether the burden should fall to the consumer - who may not even be aware that the item purchased bears an RF tracking tag or what the implications of that tracking capability are.

Product tracking: An electronic product code is embedded in 400-micron² RFID smart tags to track a soda can from the factory to the retailer. Privacy advocates worry that the tracking can continue well after the product has been purchased.

Worst-case fantasies

Bill Allen, marketing and communications manager at Texas Instruments Inc.'s RFID group, said he believes consumers should be able to opt out of RFID programs via mechanisms like the kill command, although he called the worst-case scenarios of privacy breaches "fantasy."

"Privacy is already challenged everywhere - with video surveillance cameras, mobile phones, GPS and credit cards," said Bodo Ischebeck, senior director for Identsystems in the Secure Mobile Solutions business group of Infineon Technologies AG. "This [RFID issue] will go away very quickly."

At the same time, Ischebeck cautioned, "Just because an engineer said he has just deactivated your RFID tag, would you believe him? I wouldn't trust an engineer, because there is no way to prove it." The surest way to respond to privacy worries is to "take a pair of scissors and cut off the RFID tag yourself. Trust no one," he said.

What's more, not all RFID chips on the market today are EPC-compliant. TI's Allen predicted that it would be at least one to two years before EPC is formally adopted by the International Standardization Organization.

In the meantime, said Philips' Morgenroth, "a quick fix can be achieved by making the kill command an optional command within the ISO standard."

Philips plans to suggest that the ISO make the kill command part of the mandatory command set that defines the communication protocols between RF chips and readers. But Morgenroth noted that other kill solutions could emerge and be embraced as part of other industry standards for certain applications. Erasing the chip's memory at the point of sale, for example, might be a simple way to go, he said.

Auto-ID Center's Ashton said that the center has created an independent policy council to explore the development of a privacy policy. At a minimum, he said the policy will give the customer the option to kill tags at checkout.

Despite differences in opinions, the industry does seem to agree that now is the time to explore all the privacy issues related to RFID. TI's Allen noted that AIM, a global trade association that addresses automatic identification, data collection and networking in mobile environments, is setting up a committee, which Allen has been asked to lead, "to look into privacy issues, make recommendations and build industry consensus."
