Radio frequency identification (RFID) is attracting the attention of a growing number of firms, particularly those in the retail sector. Many firms have announced trials and even implementation of the technology, while others have put projects on hold. Current concerns appear to centre around standards and whether or not the technology will deliver on its promises. Much like the early internet gold rush, security is something that is easily overlooked. Burt Kaliski, chief scientist at RSA Security, talks to Computing about some of the challenges facing firms.
There has been a lot of focus on companies neglecting to make wireless networks secure. Is the same thing happening with RFID?
Think about a typical deployment for RFID in, say, a warehouse. You'd have 100 readers that are scattered around the warehouse, in the loading docks, the shelves, in a forklift, and so on. Most likely, these readers are going to be connected via a wireless network. So to begin with, if you don't have a secure wireless network, then any eavesdropper that comes by can just listen in to the communication going on between the readers. You have a real-time feed of warehouse operations that is open to the outside.
Another challenge is around how to get the security set up in the first place. For instance, what happens when the forklift crashes into one of the readers? You've got to take it off the wall and replace it, because the whole assembly line will stop now that it's all RFID-enabled. In the time that it takes the technician to switch the reader, does he have any time to do anything about enabling security? Maybe if the replacement readers were preconfigured it'd be okay, but I don't think companies are thinking about that right now. And if there's not some provision for security, then how do we know that the right reader has been put up on the wall? If a competitor came in and put their own reader on the wall, it could effectively be a double agent, reporting data both into the company's database and out to a competitor's system.
It may not seem like a real threat at this point, but if we're going to build infrastructure that's going to last for ten or twenty years, then we ought to ensure that it's not corrupted before it's even started. A second issue is that some of the current readers actually tell the world all the tags that they happen to see, due to their technical design. But the problem with this technique is that even though tags can't be read over a long distance, readers can. So when you're looking for these tags, they're also telling the world what tag you're looking at. So the same protocol that makes it very convenient to read a lot of tags at once also becomes a substantial privacy flaw or opportunity for industrial espionage.
My understanding of tags is that most of them only hold a unique product code, and information about the product held on a corporate database. So, where does the risk come in for firms?
There's a couple ways to look at that. One way that the tags are labelled is much like barcodes. The full electronic product code would hold the manufacturer, product type and serial number. In that case, although information about the specific product is kept online, there's enough information on the code to say who the manufacturer is and what type of product it is. Let's say an employer is looking for what medication employees had with them, for whatever inappropriate reason, they would be able to see who had what type of product on them. Or perhaps if a retailer wanted to profile its customers, it could do associations based on, say, what kind of shoes you wear when you come in.
Those seem like relatively unfeasible examples right now.
Right, but the decisions we make today will influence what happens in the future. I don't think anyone in the privacy community is particularly concerned about being spied on right now, it's all about what's possible later on. Right now, the standards are being built and the infrastructure is being put in place, which means that it will be very hard to change these things in five to ten years. And right now in supply chain applications, when we're talking about scanning things being shipped and received, there's certainly some intelligence that could be gathered just by seeing that the identifier is the same at both ends of the supply chain. If I wanted to monitor my competitor's activities, in terms of who they're shipping to and receiving from, I only need to put enough readers at all the loading docks of their partners and so on. If the identifiers could change from start to finish, this wouldn't be a problem, but right now they don't. Readers are going to get much cheaper in the future, with companies already talking about putting them into mobile phones. If they get that cheap, it'll be very easy to put rogue readers into the operation. If the data can easily be collected and aggregated, then you could potentially be giving out a competitive advantage. If this is not a concern in the retail supply chain, then it really ought to be a concern in military operations and so on.
How do the large companies currently testing RFID feel about this? Are they thinking about this at all?
I think they're becoming increasingly aware of it. The privacy issues have made everyone nervous. That should have been anticipated, but in all the excitement it got overlooked. The primary focus for the industry right now is getting things to work, while the second issue is about driving down the cost. We hope to see privacy and security issues as number three, so that they can get built into the next generation of standards.
That focus is still to come, isn't it? It's certainly not a prevalent concern right now.
The security aspects tend to get overlooked in discussions right now. The main thinking is that it's just a privacy issue. This is mainly a retail deployment, but that's not where the rollout is happening right now, it's in the supply chain. And people think there's no privacy issue in the supply chain, so they don't worry about it. We're trying to draw more attention to the security issue right now. The key challenge is that security costs money, so it's got to be justified. However, it costs much more to add security later on than if you do it up front and build it in.
When it comes to privacy, today's solution is simply to deactivate the tag. Some proposals being considered suggest telling merchants to deactivate tags at the point of sale, but I think that that just eliminates the point of the technology. RFID enables a connection between the physical world and the virtual world, so deactivating the tag removes any potential benefits that could be gained outside the store. But that's really the only practical way right now to give the consumer confidence about their privacy right now. What's needed is a middle state, where a tag can be marked private so that it's not monitored outside the store, but if you returned the item to the store, it'd immediately be entered into the system. You could have it deactivated if you wanted to, but you wouldn't necessarily have to lose out on any benefits.









