RFID moves into new arenas, still raises privacy issues

On Boeing's 787, the next-generation jet the company is developing, thousands of parts will contain tiny tags that store and communicate their maintenance history.

As the plane sits on the tarmac between flights, Boeing envisions a worker with a handheld scanner walking down the aisle quickly assessing the number of life preservers on board, for example, or the expiration dates of oxygen bottles.

The data on the tags, stored on a microchip, is beamed wirelessly through radio signals.

The same radio-frequency identification, or RFID technology, is being added to millions of credit cards this year. Chase Bank's MasterCard and Visa cardholders can pay for prescriptions, hamburgers and movies by simply holding their cards within 2 inches of a payment terminal.

With no signature or password required, the "contactless" cards cut down on wait times. The bank says its new "blink" system is faster than paying by cash.

As RFID comes of age, the technology is transforming large tasks to small ones.

It is moving into a wide range of applications, including passports, visas, government-access badges, military supplies, prescription drugs and children's school ID cards. It can help route supplies around the world or keep track of vital medical information.

Promising as it is, however, the technology is relatively untested. Its ability to track individual items, or people, wherever they go has raised privacy and security issues.

"The technology is quite versatile — that's one of its strengths from an industry standpoint," said Lee Tien, senior staff attorney at the Electronic Frontier Foundation, a nonprofit civil-rights advocacy group.

"It's also one of the difficulties from a privacy standpoint. How do we do this right? Every application is different, so it's hard to use a generic, one-size-fits all approach."

While RFID technology has advanced quickly in the past year, critics say the response by governments and the RFID industry to privacy concerns has been sluggish.

"The industry really does care about looking good on the privacy issue, but it doesn't want to seriously... deal with privacy issues in a meaningful way if dealing with those issues means putting deployment on hold," said Simson Garfinkel, a computer-security expert who has written extensively on RFID.

Garfinkel and others back a voluntary moratorium on using RFID tags on individual consumer items until a full assessment of the technology can be done.

Calif. considers bill

In California, the state Senate is considering a bill to impose a three-year waiting period before any RFID tags can be put into widely used government-issued cards, such as driver's licenses.

The bill also requires technical protections to control surreptitious reading of personal information on the cards.

Here in Washington state, the House Committee on Technology, Energy and Communications is scheduled to hold a work session to study RFID on Dec. 2.

For Boeing, privacy isn't the issue, rather it's monitoring equipment and parts. The company collaborated with the Federal Aviation Administration (FAA) to certify the use of the new technology aboard planes.

RFID can help manage many of the parts that are routinely removed and replaced at the gate, such as flight-control computers, data recorders and other black boxes, said Kenneth Porad, program manager of the automated identification program at Boeing Commercial Airplanes.

Retrieving data

A 64-kilobyte chip on the RFID tag can be used to store and retrieve information on the part, such as its origin and service history, as well as any modifications and troubleshooting information.

Right now, finding that kind of information would require a search of several different databases, Porad said.

With RFID tags, "all of that stuff will be available to a line mechanic on the tarmac," he said.

The FAA said it has seen a sharp increase in requests by civil and military users to adopt RFID technology on aircraft for things such as inventory control and baggage monitoring.

"The FAA has concerns that RFID devices could fail in a manner that would interfere with equipment on the airplane necessary for continued safe flight and landing," the agency stated in a May policy memo.

After testing the devices, the FAA approved the use of so-called "passive" RFID tags, which have no power source of their own and emit data only when they are queried by a reader.

However, the FAA said further tests would be needed to determine whether active or battery-assisted tags could be used on board planes. It restricted the use of RFID to ground operations.

Boeing tested passive RFID tags aboard FedEx MD-80 planes in 2003 and again this year.

The tests showed that the tags did not interfere with any of the systems on the aircraft and they had no failures in reading the data correctly.

"We're done proving the concept," Porad said. "We're ready to deploy on the 787."

Porad predicts that the technology will save airlines money by cutting the time it takes for routine inspections from hours to minutes.

Boeing is holding a meeting with suppliers later this month to discuss requirements for putting RFID tags on parts, pushing for the tags to be developed in time for the first 787 deliveries in 2008.

Airbus is also planning to use RFID, and the two companies are cooperating on a common standard, Porad said.

The cost of the new aerospace-grade tag is unknown, but Boeing has a target price of $15 each.

While using RFID may make sense for aerospace parts, it doesn't make sense for everything, said Tien of the Electronic Frontier Foundation.

People should be asking whether the benefits of using RFID outweigh the risks of sending sensitive information through the air, he said.

Avoiding pitfalls

In the case of Chase's blink cards, the company took steps to avoid pitfalls of earlier wireless payment tags.

In January, a team of graduate students at Johns Hopkins University hacked into a popular RFID system to pay for gas and deter vehicle theft.

The technology employed by Chase uses a higher level of encryption — 128 bits — and a dynamic code that changes with every transaction, said Chase Senior Vice President Tom O'Donnell.

The card does not transmit personal information, only encoded data necessary for the transaction, he added.

"We know the solution was engineered to do two things: support a faster and easier way to pay and make sure that was a safe and secure process," he said.

After the cashier rings up a sale, the customer holds his card within 2 inches of a special reader device. The reader sends a radio signal to the card, which responds with encrypted data and a dynamic code.

The reader sends that information along to the credit-card company, which verifies the data and passes an OK back down the line. Only one card can be read at a time.

Chase is so convinced about the merits of contactless payments that it issued replacement credit cards with contactless payment capability to its 2 million customers in Georgia and Colorado.

The company plans to switch more of its 95 million customers over to the new cards this year.

Retailers join in

Several thousand retailers are accepting the cards, including 7-Eleven, KFC, Walgreens, CVS and Regal Cinemas.

If no password or signature is required, the cards could be more vulnerable if they're lost or stolen.

But Chase says its customers bear no liability for unauthorized purchases. And since the technology is designed to work best where speed and convenience matter, those tend to be low-priced transactions.

"There's really not a lot of fraud around people buying hamburgers, cups of coffee or shaving cream," O'Donnell said.

Kristi Heim: 206-464-2718 or kheim@seattletimes.com