Monday, April 17, 2006

Epilogue on RFID tags and the Coming New Fascism

The man with grue hair raises some valid technological issues with regards to the RFID issue in my last post, and I was happy to read his analysis. Yet I find that there are three main points of misunderstanding on his part regarding my position that need correcting.

First, grue hair man improperly reads my analysis as a result of a fanatical attitude. I am not saying that the "black helicopters" are coming, nor am I saying that RFID is an evil technology which we should abandon or restrict at all costs. I merely point out that the political implications of a technology can sometimes be seen before the fact, and that the trend of RFID devices gives one pause as those devices mature.

Second, I disagree that the "comparison of UPC to RFID is erroneous" and that "RFID is another beast altogether," as grue hair man charges. This is an overstatement, since these technologies are both tracking mechanisms that can be databased and subsequently accessed.

Grue hair man is no fool, however, arguing that the bigger the database, the less likely said database will be centralized. Unfortunately, grue hair man, size does matter. Even a namespace with 7.92 * 10^28 bytes is not large. Today a fairly robust 500 GB drive is nice. But double this every 18 months for 40 years, and there is more than enough space to cover that many bytes. (And this assumes current trends in storage tech., which might change suddenly with quantum or holographic 3D advances.) Thus, I obviously don't find the probability of abuse having "high chances of it happening before 2008", as grue hair man charges; but, I just might be willing to say the probability of abuse IS worrisome by 2048, and I have every intention of being around that year.

Finally, grue hair man takes a position whereby RFID is no worse than social security numbers, so we should not grumble against RFID. He rhetorically asks, "how have social security numbers been abused in the last 7 decades?" However, I disagree that RFID is not worse; in fact, I think it has the potential to be FAR worse. Moreover, the spate of identity theft shows us that with even the use of social security numbers, one can easily ruin another's economic life in short order. Thus, how much the more cautionary should we be with RFID!

Grue Hair man is a Gentoo security professional of some note, and I appreciate his comments. If you, my reader, are still unsure which person holds the best argument, I suggest defaulting to his view.


At 9:30 AM, Anonymous Grue Hair Man said...

Fair enough, I guess I interpreted your post as more aggressive than it actually was. 2 things to note about this post.

1) UPC vs. RFID. While they are both tracking mechanisms the uses are disparate. Consider the difference between a hash and a cryptographic hash. A hash is designed to minimize the input to a small value that can be stored easily. By minimizing the input hashes are meant to collide when necessary (collide means that different inputs yield the same hash). This is analogous to UPC where the standard makes figuring out where a product came from and what it is very easy just by looking at it (one can get more specific details by going to the database). Cryptographic hashes, on the other hand, are meant to never collide. That is, the output namespace must be at least as large as the input namespace. While there is no perfect cryptographic hash where this is true they are pretty decent these days. RFID then, is supposed to never have the same value. With such an enormous namespace it will be much harder (not impossible) to figure out exactly what the value you are looking at corresponds to in the real world without looking at a database, which brings me to my second point.

2) It's clear that hard drives would have no problem storing all the data, hell, Google has most of the web stored on their servers. What I meant would be difficult is the logistics of getting every value and the corresponding information about the item into a central database. With so many of these things being made, and in use, and in so many countries, I have serious doubts that there *can* be a central database that has all RFID values in existence. When the government mandates that all RFID values and information be submitted to them I'll be right there with you though.

Good call on the identity theft thing, I was going purely from the government corruption stance but the civil one is just as important, both with SSNs and with RFID. I agree absolutely that having RFID widespread in such a way that criminals can walk down a crowded street with a scanner and harvest all sorts of personal information (seen those new RFID credit cards yet? neat...) is a very bad thing and some strong precautions must be taken to prevent this sort of thing.

At 11:27 AM, Anonymous Grue Hair Man said...

I was so wrong about this.

At the time I wrongly assumed that targeted surveillance was the norm, not the exception. Now that it is clear untargeted surveillance is the norm I accept that the logistics of cataloging all of X, where X is anything that can uniquely identify someone, are routinely tackled and successfully used.

So, now walking around with anything that emits a signal, or responds to a signal is pretty likely to end up in a database somewhere. Driving around, even without the aforementioned things ends up in a database thanks to automatic license plate readers.

Please accept my apologies. I was young and naive.


