2007-03-15 RFID: "Et tu, Brute?" -- Killing Some RFID "Truths"

Comes out on the Ides of March, the date on which Julius Caesar was reportedly murdered in the Forum by the Senators of Rome "for the good of Rome," it seems appropriate to try to "kill" some widely held "truths" about RFID.  Since "RFID Connections" tends to explain the benefits of RFID, this may be seen as "traitorous" -- but it needs to be done "for the good of the industry."  Because telling the truth about RFID is the true purpose of this e-newsletter.

Myth 1: RFID has "matured."  Untrue.  Even bar code technology is still evolving more than 30 years after it was introduced in retail grocery.   In fact, AIM's Technical Symbology Committee is currently working on two new symbologies.   RFID is a technology that continues to improve and evolve.  Rather than "mature," it should be considered to be "stable" insofar as there are numerous international standards defining different RFID technologies.  But it will continue to grow and improve with greater potential and security features for the foreseeable future.

Myth 2: Data on RFID tags/cards is secure.  Untrue.  In fact, there is little today that is truly "secure."   Inherently, public domain RFID tags/cards that conform to international standards can be read by any conforming reader.  Many tags/cards can also be written to using the appropriate equipment.   But that's the whole idea behind the use of RFID in an open system.  However, RFID tags/cards can be made secure by the use of authentication, encryption and a growing list of other techniques or technologies.   There are at least two new encryption techniques that can be used for "basic" Gen2 UHF tags and that do not require on-board intelligence.  There is a card that requires the user to physically activate it by pressing a specific location on the card before it can be used.  And there are other techniques that range from relatively simple to extremely rigorous.  Further, assuming that the holder of an RFID card/tag is authorized to use it, for access control for example, does not provide security. Additional validation such as a PIN or biometric information is required for secure implementations that protect privacy or access.

Myth 3: RFID poses no threat to privacy.  Untrue.  Any technology can be misused or applied in an unthinking manner. Just as a hammer, for example, poses little risk to an individual, it can be used to intentionally or unintentionally harm or even kill someone.  Thus, it is not a technology or tool itself that is the problem but the way in which it is implemented that could pose privacy risks.  Deploying long-range or unsecured "open system" RFID tags/cards for applications that contain personally identifiable information (PII) could expose the holder to identity theft.  Measures to secure access to the data on the tag/card must be employed (see Myth 2).

Myth 4: RFID prevents counterfeiting.  Untrue.  RFID can be used to help prevent counterfeit, adulterated or "gray market" goods from entering the supply chain but unless there are systems in place to allow distributors, retailers or end users to verify the validity of the data on the RFID tag, data on the tag is meaningless.  Just as pharmaceutical manufacturers go to great lengths to include visible (e.g., holographic seals) and covert (e.g., UV or IR printing or seals) on their products, unless the distributor, retailer or end user is aware of them and knows what they should look like, these measures do nothing to ensure authenticity or product integrity.  The same is true for RFID.  RFID can be a valuable tool but it is not the whole solution.

Myth 5: RFID is non-line-of-sight readable.  Misleading.  Most people interpret the non-line-of-sight statement to mean that RFID can "read around corners."  While low frequency RFID can read tags on the inside of a pallet, for example, in general, the higher the frequency, the less capable RFID is of reading through obstructing materials.  And it's difficult to truly "read around corners." It's true that some higher energy signals can be reflected off surrounding materials so that signals from tags that are, in fact, "around the corner" can be received by the reader -- but this is typically an undesirable event and one that can not generally be exploited intentionally.  The most commonly used UHF tags must be oriented to the reader so that they're "visible" (to a transmitted radio wave) -- but they can be inside a corrugated container or behind a label.  While this statement is generally used to differentiate RFID from optically based codes, it causes confusion among consumers and may raise false expectations on the part of users.

Myth 6: RFID tags cannot be counterfeited.  Half truth.  Many RFID chips are programmed at the factory with a unique Tag ID that contains a code representing the manufacturer and manufacturer-assigned serial number.  This code is separate from any encoded header or user data.  If this unique Tag ID is read by the system, it can prove the authenticity for the tag -- as long as the Tag ID is recorded in the system.  (This does not validate the data however.  Data must be locked to provide security.)  However, some Gen2 UHF tags that conform to the EPCglobal standard contain only a manufacturer code and lot/batch number.   These tags can be used to duplicate a damaged or disabled tag but they can also be used to counterfeit valid tags. In addition, some chip manufacturers offer chips where the Tag ID is user-programmable -- removing any assurance against duplication.  While these are typically beneficial in a wide variety of applications, systems that need security should not employ tags/cards that use the same frequency and protocols as these "blank" chips.

While the Roman Senators managed to kill Julius Caesar on the Ides of March, his legacy -- and his myth -- lived on.  It is my hope that, with your help, we can "kill" these myths and ensure that they do not live on to haunt the successful RFID implementations that surely lie ahead.