Issue No.06 - November/December (2005 vol.3)
Published by the IEEE Computer Society
Martin Libicki, RAND Corporation
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2005.142
A review of the book, "RFID Applications, Security, and Privacy," edited by Simson Garfinkel and Beth Rosenberg.
For those concerned about security and privacy in radio frequency identification (RFID) technology, RFID Applications, Security, and Privacy is the book for you. It covers RFID technology from every conceivable angle, including privacy and security, application, technical solutions, and economics. It's an outgrowth of a workshop convened on 15 November 2003 to hear presentations from 15 technologists and privacy activists. From the fact that it now contains a preface, 32 chapters, and six appendices, we can infer that its creation didn't stop when the conference adjourned in favor of dinner.
As with any large compilation, the quality varies greatly. Whereas the preface and first two chapters are well-written and complete, the chapter on privacy and regulation is a bit tedious; although it does comprehensively examine the current legal climate surrounding RFID technology, it's too long. Some of the case studies are worthwhile because they present useful ideas, notably the description of the ExxonMobil Speedpass system, and the reports on pharmacies and hospitals using RFID for inventory control. The three essays on technical solutions, although somewhat dense, are worth reading for those interested in exactly how RFID works. Of particular note is the chapter on hijacking Bluetooth connections, which is a valuable reminder of how insecure the technology still is.
Somewhere in the book is a tight 100-page monograph that could've wrapped everything worth knowing about RFID into a succinct argument on the pros and cons of the technology. Were such a monograph to beep itself into recognition (after being scanned by an RFID tag reader), it would undoubtedly mention that the policy issues associated with RFID used for identification purposes differ greatly from those associated with inventory control. In the former case, consumers are usually aware of the RFID embedded in items such as security cards and implants. In the latter case, consumers might be unaware that their purchases are tagged with RFID. Security and privacy concerns, such as whether and when to kill the RFID, are important issues addressed in the chapter showing how easily most RFID tags can be cloned.
The book's greatest shortfall is the lack of attention paid to economic issues (beyond the oft-repeated refrain of how common RFID is becoming as production costs decrease). The cost of obtaining personal information is decreasing while the relative ease of accessing this information is increasing, leading to the public's justifiable fear over the erosion of privacy. However, stealing information from random people through RFID devices not only requires buying, installing, and maintaining RFID readers, but also requires the substantial and error-prone correlation of data in some fairly hefty databases. Security and privacy are measured values, and it would be helpful to see some back-of-the-envelope calculations that would suggest what the economic gains would be compared to the costs.
Martin Libicki is a senior management scientist at the RAND Corporation. His research interest is in the application of information technology to security issues. Libicki has a PhD in city and regional planning from the University of California, Berkeley. Contact him at firstname.lastname@example.org.