rfid library tags unlocked, vulnerable

RFID hacking in, among other places, libraries. More on RFID.

As he waves the reader over a book’s spine, ID numbers pop up on his monitor. “I can definitely overwrite these tags,” Molnar says. He finds an empty page in the RFID’s memory and types “AB.” When he scans the book again, we see the barcode with the letters “AB” next to it. (Molnar hastily erases the “AB,” saying that he despises library vandalism.) He fumes at the Oakland library’s failure to lock the writable area. “I could erase the barcodes and then lock the tags. The library would have to replace them all.”
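The unlocked writable area described above is something a library can check for from a reader's output. The following is an added example, not code from the article or from any library system: it assumes ISO 15693 tags (the page does not name the tag standard) and a reader that returns the "Get Multiple Block Security Status" reply with framing and CRC already stripped. The tag names and block contents are constructed.

```python
from dataclasses import dataclass, field

LOCK_FLAG = 0x01    # block security status byte, bit 0: 1 = block is locked
ERROR_FLAG = 0x01   # response flags byte, bit 0: 1 = tag returned an error

@dataclass
class TagReport:
    unlocked_data: list = field(default_factory=list)   # rewritable blocks holding data
    unlocked_empty: list = field(default_factory=list)  # writable blank blocks

def lock_bits(reply: bytes) -> list:
    """Decode a reply payload: one flags byte, then one status byte per block."""
    if len(reply) < 2:
        raise ValueError("reply too short")
    if reply[0] & ERROR_FLAG:
        raise ValueError(f"tag reported error code 0x{reply[1]:02x}")
    return [bool(b & LOCK_FLAG) for b in reply[1:]]

def audit_tag(reply: bytes, blocks: list) -> TagReport:
    """Flag every block that is not locked, split by whether it holds data."""
    locks = lock_bits(reply)
    if len(locks) != len(blocks):
        raise ValueError("status bytes do not match number of blocks read")
    report = TagReport()
    for index, (locked, data) in enumerate(zip(locks, blocks)):
        if not locked:
            target = report.unlocked_data if any(data) else report.unlocked_empty
            target.append(index)
    return report

# Constructed sample: three tags, four 4-byte blocks each, barcode in blocks 0-1.
BARCODE = [b"3109", b"4001", bytes(4), bytes(4)]
SAMPLE = {
    "TAG-A": (bytes([0x00, 1, 1, 1, 1]), BARCODE),  # everything locked
    "TAG-B": (bytes([0x00, 0, 0, 0, 0]), BARCODE),  # nothing locked
    "TAG-C": (bytes([0x00, 1, 1, 0, 0]), BARCODE),  # barcode locked, spare blocks open
}

def audit_all(sample: dict) -> dict:
    """Audit every tag in an inventory of (reply, blocks) pairs keyed by tag name."""
    return {uid: audit_tag(reply, blocks) for uid, (reply, blocks) in sample.items()}

if __name__ == "__main__":
    for uid, report in audit_all(SAMPLE).items():
        print(uid, "unlocked data:", report.unlocked_data,
              "unlocked empty:", report.unlocked_empty)
```

A tag like TAG-B matches the situation in the excerpt: the barcode blocks can be rewritten and the whole tag can then be locked by someone else.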

RFID best practices

The American Library Association was one of many companies and public interest groups that helped create a set of best practices for RFID. They include these three general principles about RFID, as it relates to privacy:

Technology Neutrality: RFID technology in and of itself does not impose threats to privacy. Rather, privacy breaches occur when RFID, like any technology, is deployed in a way that is not consistent with responsible information management practices that foster sound privacy protection.

Privacy and Security as Primary Design Requirements: Users of RFID technology should address the privacy and security issues as part of its initial design. Rather than retrofitting RFID systems to respond to privacy and security issues, it is much preferable that privacy and security should be designed in from the beginning.

Consumer Transparency: There should be no secret RFID tags or readers. Use of RFID technology should be as transparent as possible, and consumers should know about the implementation and use of any RFID technology (including tags, readers and storage of PII) as they engage in any transaction that utilizes an RFID system. At the same time, it is important to recognize that notice alone does not mitigate all concerns about privacy. Notice alone does not, for example, justify any inappropriate data collection or sharing, and/or the failure to deploy appropriate security measures. Notice must be supplemented by thoughtful, robust implementation of responsible information practices.

former Health and Human Services Secretary chips himself

I don’t care if Tommy Thompson is going to chip himself, I’m still not sold on RFID technology for libraries as it’s being marketed and implemented currently. Let’s get real here. There’s a difference between voluntarily tagging yourself and having tagging be a prerequisite for your school or library. Would TT’s tag have his social security number on it? What about his library reading record? This article looks to be nothing more than a cheap stunt hyping VeriChip’s system of linking information on your chip to a database that could contain your health information. Like many nifty technology tools, this one only becomes useful when it becomes ubiquitous, which seems to me to be a long ways off. Getting this sort of coverage would [or should] mean open standards to lower prices, encourage innovation, reduce vendor lock-in and encourage growth generally.

And, speaking of RFID, Laura Smart’s URL to her excellent Library RFID site has changed. You can find all her content here: http://libraryrfid.net/wordpress