Don't kill the Internet of Things
"How do you hide from something you have found"
It's catching up, NoMeansNo.
There is a well-known mock-up image of a Google search result, where the query "my fucking keys" gets the answer "On the top of the fridge, right where you left them dipshit". This captures the essence of the Internet of Things beautifully: the virtual and the physical world get connected and collapse into one world, allowing us to search the Internet for our car keys, to see when the kids get home if we are doing overtime at work, or to get a message when the usual traffic jam back home is about to dissolve.
When presented like this, the Internet of Things seems a desirable future. Aren't we sick and tired of searching for our car keys all the time? Worried parents certainly want to be able to know where their kids are. On the other hand, this vision brings about serious privacy concerns. What if your car keys happen to lie under your neighbour's bed? Children may prefer to be invisible and out of parental reach from time to time...
What is the Internet of Things, anyway?
Our future with the Internet of Things is still quite unclear. But initial glimpses of it can be seen through applications of RFID technology. RFID tags are small computer chips with an antenna that allow the chip to communicate wirelessly with a so-called RFID reader. The normal communication range is a couple of centimetres, but it can be extended to several metres using special readers.
The most basic RFID chip simply contains a unique number that it broadcasts to any reader that asks for it. This type of RFID chip can be found attached to items in a supermarket, or in books you buy over the Internet. They are so small and flat you may not even notice them straight away. They are used in logistics and supply chain management, replacing the barcode.
More complex RFID chips are used in the new biometric passports, in access cards and for public transport ticketing systems. These contain quite a lot of data and, for that reason, also have several security features (which in practice have proven to be totally ineffective in certain cases, however). Not all readers have access to these chips, and a distinction is made between reading the data on the chip and modifying those data.
Some mobile phones, so-called NFC phones, can act as RFID readers. They can also behave as RFID chips themselves. All kinds of RFID chips can be 'virtually' embedded on such phones, allowing one to use such a phone as a transport card for the London Underground, as an electronic purse, or even as a credit card. Field trials for such applications are already being conducted.
Many other applications of RFID technology have been thought of, are being developed or are already in use. Modern car keys use RFID. Billboards may contain an RFID chip: if you move your smartphone in front of the billboard, it will automatically display the corresponding website. Similar systems have been tested in museums: the website will show additional information about the exhibited item, in the language of your choice. In an interactive setting, where visitors can experiment and interact with the items on display, the RFID chip in the visitor access card enables the museum to automatically record your scores in a visitor profile that you can view later through the museum website. RFID chips in banknotes could prevent counterfeiting. Japan developed a system for the visually impaired, where RFID chips embedded in the pavement report the exact location. The reader is embedded in the white walking cane. Paper archives are much easier to manage when all paper sheets contain an RFID chip. Sharing tools with the people in your neighbourhood becomes a possibility without the risk of losing track of all your tools. When a neighbour needs a certain piece of equipment a bit longer, or if he forgets to return it straight away... "Where is my fucking power drill?" Google is your friend.
Privacy risks
Many of these applications have been developed to support people. They extend the reach of current Internet tools to the real, physical world. These applications enrich our lives, or simply make our lives bearable. From that perspective, it would be nice to build these applications for real in the future. Other applications are designed to limit our abilities, as the example of RFID in banknotes to prevent counterfeits shows.
In any case, each of the applications discussed carries a certain threat to our civil liberties as well. They collect huge amounts of often personal information about their users, without the user knowing, and without any user control or oversight. Moreover, many of the RFID chips can be read by others over quite a long distance. If you wear a dress or a watch with an RFID chip that contains a unique number, you are always uniquely identifiable. Even if such a chip only contained a product number and not a unique serial number, a combination of 3 or 4 such products is usually unique anyway.
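The claim that three or four product numbers usually single someone out can be checked with a small simulation. This is an added example, not part of the original article; the catalogue size, the population size and the uniform popularity of products are assumptions, and the population is constructed data.

```python
import random
from collections import Counter

CATALOGUE_SIZE = 200   # assumed number of distinct tagged product types
POPULATION = 10000     # assumed number of people passing the same readers
ITEMS_CARRIED = 4      # tagged items each person carries


def build_population(seed=1):
    """Constructed data: each person carries ITEMS_CARRIED distinct product types.

    The tags hold product numbers only, never a per-item serial number.
    """
    rng = random.Random(seed)
    return [tuple(rng.sample(range(CATALOGUE_SIZE), ITEMS_CARRIED))
            for _ in range(POPULATION)]


def unique_fraction(people, k):
    """Fraction of people whose first k product numbers match nobody else's."""
    profiles = Counter(frozenset(p[:k]) for p in people)
    alone = sum(1 for p in people if profiles[frozenset(p[:k])] == 1)
    return alone / len(people)


def anonymity_report(people):
    """Map k -> fraction of people identifiable from k product numbers."""
    return {k: unique_fraction(people, k)
            for k in range(1, ITEMS_CARRIED + 1)}


if __name__ == "__main__":
    report = anonymity_report(build_population())
    for k, frac in report.items():
        print(f"{k} product number(s): {frac:.1%} uniquely identifiable")
```

Under these assumptions a single product number identifies practically nobody, while three or four together identify nearly everyone; a skewed popularity distribution shifts the numbers but not the effect.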
Is the 'kill-switch' a solution?
According to privacy advocates, this aspect of RFID is a curse, and one of the main arguments against the use of RFID. Indeed, without a proper solution to this problem, it is irresponsible to introduce RFID on a large scale. No wonder that EU commissioner Viviane Reding announced an EU recommendation last May, advising that RFID chips be de-activated (aka killed) at the point of sale. Such a kill command blows an internal fuse in the RFID chip, making it impossible for the chip to communicate with the outside world any longer. Most RFID chips support such a command.
This "right to silence" is only a solution for RFID chips that are used for supply chain management, however. In those systems, the RFID tag no longer serves a purpose after the product reaches the consumer. We saw earlier that there are many other types of applications that are using or will be using RFID technology. For those applications (e.g. passports, public transport) killing the RFID tag makes no sense at all. The application would simply stop working. Moreover, even for the goods you buy at the supermarket, the real privacy benefit of the kill switch remains to be seen. Many people will choose to keep their tags alive if offered a small financial benefit. To offer services, or to verify warranties, it is convenient for the shop to leave the RFID tag active. In that case, you may not have a choice but to keep the RFID chip alive (unless you want to void your warranty). The problem is that a kill switch is an 'all-or-nothing' solution: if you leave the chip active, everyone can access the chip. And if you kill it, no one can use it ever again.
Demanding a kill switch for RFID chips is like demanding that users of social networks like Facebook only have a choice between accepting no friends at all, and accepting absolutely everyone as a friend. In such a setting, social networks would have struggled to survive, and we would still be experiencing Web 0.1, so to speak...
A better solution
Another possibility that is so far not used (except on the more complex RFID chips) is to enforce some kind of access control to the chips. This access control should be implemented in such a way that the user herself can control, in a user-friendly way, who accesses her chips, when and where. Compare this to the way people deal with granting access to personal information on Facebook: some information is visible to all, some information is visible to friends only, and some information is completely invisible. (This example only serves to illustrate the possibilities and intentions: it is well known that there is a lot to be desired regarding the usability, control and security of the privacy settings in Facebook.) Such a system for access control to RFID chips is preferable, but requires changes to their current design.
Still, it is better to choose such a long-term solution than a short-term solution like the kill switch, which only applies to a small class of applications anyway. There is a serious risk that, by trying to take away privacy concerns in this manner, no real investments will be made to implement the proposed long-term solutions. If that is the case, we create an Internet of Things with RFID chips that can be killed, but that everyone keeps alive in order not to be left out of the Internet of Things. Such an Internet of Things is not a beautiful dream but a horrible nightmare.
Jaap-Henk Hoepman is senior scientist security and cryptography at TNO ICT and associate professor at the Radboud University Nijmegen.
Maintained by Jaap-Henk Hoepman
Email: jhh@cs.ru.nl