RFID: Legitimate fear or fear-mongering?

A Wall Street Journal article details the exploits of RFID-defeating privacy advocates and a few snake-oil solutions.

Say what you want about the future, but it is certain it will arrive faster than we expect and usually without a great deal of debate. Radio-frequency identification, or RFID, is finding its way into many credit cards and, soon, other artifacts we carry on our persons. It'sFor anyone who wants it, RFID is going to be widely available. Because your neighbor wants it, should you have to have it too? a mixed blessing at best. It may not be a blessing at all, making spending and  thievery so easy our virtual wallets could be emptied before we know it.

MIT has launched an excellent site on the topic of RFID and privacy, for those wanting to dig in to the details. 

The Wall Street Journal features the exploits of RFID-smashing privacy activists in a story today:

The PayPass card, which contains an embedded radio chip, had worked perfectly. Other companies have their own versions: Exxon (SpeedPass), American Express (ExpressPay) and Visa (Contactless and Blink). In each case, the cards use an embedded electronic chip with miniature antenna. When activated by a scanner, the chip transmits the user's account information via radio signals. In just the wave of a hand, the purchase amount is automatically drawn from an account.

But Mr. [Brendan] Walker, a 37-year-old software engineer in Canton, Ohio, is one of a growing number of computer and technology experts who are becoming anxious about possible abuses of the technology. Mr. Walker fears that thieves will be able to eavesdrop on the radio transmission and buy gas at his expense. He also figures that he himself could walk past the pump and accidentally pay for somebody else's gas, though the card companies say he would have to get within two inches of the scanner to accomplish that feat.

You actually don't need to be a computer or privacy expert to understand the privacy threats. It's unfortunate that the activists are portrayed as beyond-the-fringe paranoiacs who, as Mr. Walker, drawn in WSJ pointillism art with glasses, earrings and a kind of Ho Chi Mihn-goatee beard, is described as taking a hammer to a new credit card. We get it, this is a nerd concern.

I'm pretty sure the same guy has made a stink about some Libertarian issues. An Ohion from Canton named Brendan Walker has also been an activist on behalf of concealed weapons permits, arguing in a letter to the editor of the CantonRepository.com that police concerns that citizens carrying weapons present a hazard to themselves and officers is specious. He's got his issues, obviously.

Nevertheless, RFID privacy is a legitimate concern. Walker's worry that his location could be tracked or that someone with a reciever sitting nearby when he pays for a purchase with an RFID-enabled card could capture his payment information is not realistic, because the field of the receiver defines the transmission distance. In all likelihood, the best way to catch RFID data will be to place a receiver near the RFID transmitter that activates the card (as ATM thieves place a fake reader over the card slot on a cash machine), rather than someone sitting nearby grabbing the signal.

An RFID card is, by design, kind of permissive with its data, because the design problem is to ensure the customer gets her payment recorded quickly, with security an afterthought to that convenience.

The article goes on, however, to describe metal wallet inserts to protect cards from eavesdropping and the use of electromagnetic devices that destroy RFID chips and, as any degausser will, everything else within its range. These are outlandish solutions to the problem, adding nothing to the debate that should be taking place. Why? Because they assume that RFID is inevitable.

For anyone who wants it, RFID is going to be widely available. Because your neighbor wants it, should you have to have it too? In a post-mass market era, the answer is an unequivocal "no." Yet, since the WSJ is about business, not really about life, the story only looks at the business opportunity in defeating this technology, rather than the discussion about the pros and cons of RFID. A lot of us may not want to carry contactless credit cards for a variety of reasons, not the least being the threat to privacy from vendors we do business with, who may be getting much more data than our account numbers.

The real question is whether you or I want RFID. We should be talking more about this now, instead of looking at it as something that, if we find ourselves with it, we'll be stuck with it—unless we buy one of these stupid "solutions" to the problem in our pockets. The choice is ours, preserve your option to go without RFID. So, let's talk more about RFID, and all technologies, before they become inevitable, that is, when the choices have been made by someone else.