From passports to supermarket shopping, RFID is making inroads into our daily lives. Mark Mayne looks behind the big brother myths.

Over the years, radio frequency identification (RFID) technology has inspired fear and expectation in almost equal measures. It has been said that the tiny chips are part of big brother's next tracking plan, will let the supermarkets know what is in our fridges, speed up your journey to work and let you into your office. That's the hype, but what is the reality?

The main area of RFID deployment is currently in supply-chain management. Chips are stuck on to the units - boxes, pallets, cars etc - allowing them to be tracked from origin to destination. This is an attractive concept for retailing giants such as Wal-Mart and Tesco, who have started to deploy RFID technology. Heathrow airport is set to run a pilot baggage-tracking programme using the tags, the largest rollout in Europe.

Why then doesn't every product in the world have a chip? "Adoption isn't as high as it could be, and the issue is no longer awareness," says Rob McGregor, business development manager at retail information systems supplier Toshiba Tec Europe. "The question we get asked now is how to implement RFID to solve business problems. Costs have been firmly established, and some read rates are as high as 99.9 per cent. There are also very few security issues in the retail market. Standard tags only contain a random number, just like a barcode, so there is little for consumers to fear."

Research by Gartner indicates that retailer uptake of RFID in Europe has actually slowed over the past year. The relatively high cost of tags, uncertainty over the evolution of tag standards and the need to improve data synchronisation are given as reasons for the slowdown.

Aside from the costs of the chips themselves, there are specific problems in the European RFID market. Even within the EU, radio frequency regulations are not synchronised, so a European retailer cannot yet deploy the same frequency tags for all jurisdictions. This fact raises the spectre of additional investment in resources and logistical effort that is not needed for barcodes. "US retailers didn't have these issues, as frequency bands in Europe are much more regulated," explains Andy McBain, RFID product manager for Motorola's enterprise mobility business. "RFID in the US uses the same frequency as UK mobile phones, which isn't ideal. And the space that should be available in Europe is sometimes used for military communications; places such as Italy and Turkey still demand notification of RFID deployments in case these clash."

Opponents of RFID use in the retail sector claim that tagging all items would allow businesses to track consumers' behaviour. McBain dismisses these concerns as "unfounded myths". "There's been an awful lot of hype on this topic, but it's really all down to data linkage. As long as companies continue to observe data protection and privacy laws, there isn't an issue, as you'd need to hack into the back-end databases to uncover any personal details, which an attacker would then get anyway," he says. "People also forget that if you have signed up for any loyalty cards, your personal shopping habits are already being tracked."

One of the UK's largest public RFID deployments is the Oyster card for London's buses, tubes and trains. The cards keep a limited record of all journeys made by each individual, but public outcry has been muted so far.

The passport debate
However, RFID is not just being used as a supply-chain technology and, as the complexities of the deployments increase, so do the security concerns. A particularly topical example is the biometric passport, which is now fitted with an RFID chip. Nearly seven million Britons have already been issued with the UK's new hi-tech passport, which was intended to be a precursor to the UK's ID card plans. Critics claim the RFID component of the new passports is not secure enough.

Researchers for The Guardian claimed in November 2006 that, although the data held on the chip was encrypted and secure, the key to decrypt the data could be easily guessed, and the chip could then be cloned. The problem was that the International Civil Aviation Organisation had publicly specified that the key needed to access the data on the chips should be comprised of the passport number, the holder's date of birth and the passport expiry date, in that order.
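How the key material described above is assembled, and how little entropy it carries, shown as an added Python example that is not part of the original article. The check-digit and SHA-1 steps follow ICAO Doc 9303 Basic Access Control; the field sizes passed to `entropy_bits` (nine-character number, 100 years of birth dates, 10 years of expiry dates) and the sample MRZ values are assumptions for illustration.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated along the field

def check_digit(field: str) -> int:
    """Check digit over an MRZ field: 0-9 -> 0-9, A-Z -> 10-35, '<' filler -> 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch in "0123456789":
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"character not allowed in an MRZ field: {ch!r}")
        total += value * WEIGHTS[i % 3]
    return total % 10

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Passport number, date of birth, expiry date (YYMMDD), in that order, each with its check digit."""
    doc_number = doc_number.upper().ljust(9, "<")
    if len(doc_number) != 9:
        raise ValueError("this sketch handles document numbers of up to 9 characters")
    for date in (birth, expiry):
        if len(date) != 6 or not date.isdigit():
            raise ValueError("dates must be six digits, YYMMDD")
    return "".join(f + str(check_digit(f)) for f in (doc_number, birth, expiry))

def key_seed(doc_number: str, birth: str, expiry: str) -> bytes:
    """128-bit seed for the access keys: first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    return hashlib.sha1(info).digest()[:16]

def entropy_bits(doc_number_space: int, birth_days: int, expiry_days: int) -> float:
    """Upper bound on key entropy: log2 of the number of possible field combinations."""
    return math.log2(doc_number_space * birth_days * expiry_days)

if __name__ == "__main__":
    # Specimen MRZ fields, not a real document.
    print(mrz_information("L898902C", "690806", "940623"))
    print(key_seed("L898902C", "690806", "940623").hex())
    # Assumed field sizes: 9-char alphanumeric vs 9-digit numeric document numbers.
    print(f"alphanumeric numbers: {entropy_bits(36**9, 36525, 3652):.1f} bits")
    print(f"numeric-only numbers: {entropy_bits(10**9, 36525, 3652):.1f} bits")
```

The seed is 128 bits long, but its entropy can never exceed that of the three printed fields it is hashed from, which is why key strength here depends on how unpredictable the document number is.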

US passports also contain RFID chips, and after campaigners revealed that the documents could be read from up to 30 metres away, "metallic anti-skimming material" was added to the back page to block radio emissions.

So does the legal framework need to be strengthened to protect us from this new technology? Chris Coulter, a partner at legal firm Morrison & Foerster, thinks not: "The existing law in this area has enough teeth to protect the individual. Data protection law is, in theory, pretty robust," he says. "However, with technology such as RFID, the real crunch is working out what constitutes compliance with the law in practice, concerning things such as read distances, encryption standards etc."

And RFID is not just finding its way into your passport. VeriChip Corporation has created an implantable RFID chip, the size of a grain of rice, for use in humans. The VeriChip has been approved by the US Food and Drug Administration and is currently deployed in commercial and medical environments, for example to control access to high-security areas or make medical records instantly available. However, studies from the 1990s recently unearthed by Associated Press suggest that implanted chips "induced" malignant tumours in some lab mice. Although the studies are inconclusive, they have reignited the debate about human implantation.

Attacks on readers
RFID certainly is not safe from viruses. White-hat hackers have already constructed a variety of proof-of-concept exploit code they claim would be easy to spread in the wild. "The real issue is not with the RFID chips themselves, but the readers," says John Pescatore, vice-president and senior analyst at Gartner. "Very few of these have been hardened to resist malicious attacks, and most RFID deployments have been so far in controlled environments, where the readers were physically fairly secure. However, as deployment widens to airports and more public spaces, malicious individuals will have more opportunity and reason to attack."

However, the release of the Generation-2 standard has increased the security options available. Individual tags can now be password-protected to prevent them from being copied, while humidity and temperature sensors will make it harder for anyone to tamper with a supply-chain RFID tag undetected.

To a great extent, the future of RFID security depends on the time and care taken with its implementation. As deployments become more complex and public-facing, the voices expressing privacy and security concerns will grow louder. Gartner sees the market recovering from its slowdown over the past two years to reach more than $3.4 billion (£1.7 billion) by 2011 - that's an awful lot of tiny chips ...

CASE STUDY - THE US DEPARTMENT OF DEFENSE

What do you do when you need to supply a huge attack force thousands of miles away in a hostile desert with equipment ranging from aircraft carriers to shovels and fencing? That was the problem faced by the US Department of Defense (DoD) when it was looking after the forces taking part in Operation Desert Storm in the Gulf in 1991.

In order to organise the deployment of such a range, variety and sheer volume of equipment, the DoD called in Unisys to build and maintain an RFID solution. Since 1991, the project has continued and now covers more than 1,500 nodes, or RFID read/write stations, worldwide - the largest RFID network anywhere. Known as In-Transit Visibility (ITV), the project uses active RFID technology to track as many as 125,000 shipments every week, featuring everything from ammunition to food rations and medical supplies to vehicles. Both fixed and handheld RFID readers are deployed, and the data on each active tag is replicated across five servers to provide decision-makers across the globe with the same information. The tracking spans all modes of military transportation, including lorry, air, ship and rail.

"We called the problem the 'iron mountain' - thousands of containers with unknown contents, it was a logistical nightmare," recalls Jeff Miller, practice leader for supply chain solutions at Unisys. "There was also no depot structure to rely on, as is the case in many supply-chain RFID deployments.

"RFID was the obvious choice here as it's possible to associate information with the actual item, such as destination, contents etc, thus eliminating paperwork to lose," he continued. "Also it allows more dynamic shipping, as tracking specific containers becomes feasible - often the DoD was finding that the final destination had changed by the time some items arrived."

Unisys chose active tags to identify each container, and passive tags for the individual items inside. The RFID tags contain information such as the location, identity of consignor and consignee address code.

The data written to the tags is replicated among the four servers, enabling users anywhere in the world to access the same information on the last known location, last write date, and consignee and consignor address code. Thus, decision makers at all levels of command and throughout the logistics pipeline can collaboratively plan, prioritise and redirect logistics operations.

As the US continues its deployment of troops in Iraq, the need for RFID technology is increasingly evident. "We've made significant progress since Desert Storm in terms of asset visibility and the need for a policy regarding technology," says Kevin Carroll, the army's program executive officer for enterprise information systems.

"We now realise that we must have an end-to-end business process on how to use information technology, and working with industry partners has really helped get the system working,"

HOW IT WORKS

Radio frequency identification technology (RFID) is a generic term describing a system that uses radio signals to transmit the identity of an object in the form of a unique serial number. Typically an RFID system will have three parts: tags, readers and the backend computer system.

The tags are basically tiny silicon chips attached to a small, flat aerial, which can then be enclosed in different materials, such as plastic, depending on their ultimate usage.

There are three general types of RFID tag: passive, active and semi-passive (also known as battery-assisted). Passive tags contain no power source and rely on the reader to power them; semi-passive and active tags require a power source, usually a small battery.

Passive tags can be read over distances of between 10cm and 2m, depending on antenna and environment. These have been widely deployed in retail and manufacturing environments, due to their small size - they can be embedded in a sticker - and low unit cost.

Active tags have their own internal power source, so they actively broadcast a signal to the reader. That means they are more reliable in longer-range applications and non-radio friendly environments such as metal shipping containers, cars or humans and animals. Active tags have a much greater range (around 500m) and larger memories than passive tags, as well as the ability to store information sent by the transceiver. However, due to the battery, their active life is shorter than that of a passive tag, and they are more expensive.

Semi-passive tags have their own power source, but they do not broadcast a signal. They have similar reliability results to active tags, with roughly the effective reading range of a passive tag. Semi-passive tags also last longer than active ones.