Snake Oil Under the Skin


Microchip implants raise privacy concern – Yahoo! News

This is actually an excellent AP article discussing the risks and theoretical rewards of chipping people, à la RFID. VeriChip and others are already pushing for chipping the most vulnerable human populations — those with Alzheimer’s, inmates, and migrant workers (add kids to the list). The article goes into the issues fairly comprehensively, though without much technical information.

It starts with the story of two employees who were chipped as part of their job — they now use their embedded, non-removable chips as "magic keys" for accessing the inner vault of a security company. That company is, not surprisingly, busy installing security cameras in many public places, so of course they need extra security.

To those who say this new security benefit is worth the risk to privacy, the question you can answer for me is: do these chips even provide the benefit they claim? If not, then why bother? Why not just write a three-digit "secret code" on the forehead of each employee and call it a day?

Because RFID "spoofing" can steal the secret code from those chipped employees and allow a thief to impersonate them quite easily. Without other/better security in place to notice the deception, such a hack would actually make it easier for a thief to enter, not harder. The best possible security IMO would be a team of guards who know these two employees very well (names, kids' names, etc.) and can spot an impersonator, effectively blocking everyone but the Mission Impossible team.

Replace the guards with cheaper RFID scanners and anyone can be anyone and who’s to say otherwise? Who’s even checking anymore? That three-digit secret "pin" would probably work better than one of these chips, because at least you’d know it was useless for security.

Spoofing can actually be prevented to a significant degree with some good computer science, but the companies making the chips don’t often seem to bother, nor do they implement the one simple concept that would alleviate 90% of the security and privacy concerns:

Make the RFID cards only respond when they receive a proper [dynamic and encrypted] activation code — and otherwise remain silent and undetected.

Currently, these chips are extremely promiscuous, even if their output is occasionally [and usually ineffectively] encrypted. I still don’t understand why good computer science isn’t mandatory in something as important as our privacy, identity, and security.
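To make the contrast concrete, here is an added sketch (not from the AP article or any vendor's code) of a promiscuous tag next to one that stays silent unless it receives a fresh, keyed activation code. It assumes a pre-shared key and a monotonic counter on the tag, and it uses an HMAC rather than encryption to authenticate the activation; all class and method names are hypothetical.

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)  # constructed shared secret provisioned to tag and reader

def _mac(key: bytes, label: bytes, counter: bytes) -> bytes:
    return hmac.new(key, label + counter, hashlib.sha256).digest()

class PromiscuousTag:
    """Answers any query with a fixed ID; one captured read is enough to clone it."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def query(self, _request: bytes) -> bytes:
        return self.tag_id

class SilentTag:
    """Replies only to an activation code that is both authentic and fresh."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest activation counter accepted so far

    def query(self, request: bytes):
        if len(request) != 8 + 32:
            return None  # malformed request: stay silent
        counter, tag = request[:8], request[8:]
        if not hmac.compare_digest(_mac(self.key, b"activate", counter), tag):
            return None  # sender does not hold the key: stay silent
        if int.from_bytes(counter, "big") <= self.last_counter:
            return None  # replayed activation code: stay silent
        self.last_counter = int.from_bytes(counter, "big")
        # The reply is bound to this counter, so it is useless for a later session.
        return _mac(self.key, b"respond", counter)

class Reader:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def activation(self) -> bytes:
        self.counter += 1  # "dynamic": every activation code is used once
        c = self.counter.to_bytes(8, "big")
        return c + _mac(self.key, b"activate", c)

    def verify(self, activation: bytes, reply) -> bool:
        if reply is None:
            return False
        return hmac.compare_digest(_mac(self.key, b"respond", activation[:8]), reply)
```

A single counter only works as written for one reader per tag; several readers would need to share counter state or use a different freshness mechanism.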

Apparently, it’s much easier to make promises about vague benefits and deal with the failures down the road, if at all. It’s like electronic voting machines all over again. Don’t worry. It’s digital.

It’s pretty easy to see that the one promise that will always hold true is that RFID chipping will make it easy to identify 99% of chipped individuals, but only the ones who don’t care or don’t break the law. Anyone with a little bit of will or skill can subvert the system, leaving us to wonder what is the point, besides selling lots of snake oil to an unwitting public?

  1. #1 by Zim on July 21, 2007 - 9:28 pm

    I agree. And I suggest using, instead, a black permanent marker to label every person on the forehead.
