WASHINGTON  – Amidst threats of a potential patent lawsuit by HID Global, computer security company IOActive has withdrawn its plans to deliver an important presentation today at the Black Hat Computer Security Conference on the  privacy and security vulnerabilities of Radio Frequency Identification (RFID) technology.  Nicole Ozer, Technology and Civil Liberties Policy Director for the ACLU of Northern California (ACLU-NC) will instead present at the conference.

RFID tags are tiny computer chips that can be encoded with any type of information, such as a name, address, or identifying number. Often used to track cattle and products in the manufacturing sector, they are now increasingly being embedded into identification cards, such as building access badges and passports. When an RFID reader emits a radio signal, the RFID tags in the vicinity respond by automatically transmitting their stored information to the reader.

IOActive’s presentation would have included a demonstration of a handheld RFID “cloner” developed by the company to illustrate just how easily the information encoded on RFID chips can be copied and used to gain access to the very buildings that the RFID chips are intended to protect from intruders.  The cloner showed how all this is possible with a device the size of a standard cell phone, costing $20 in parts. “It’s just like making a duplicate key,” said Ozer. 

In addition, as Ozer will explain at the conference, RFID tags can be  read at a distance by an unauthorized reader and then used for improper purposes.  Either the government or an identity thief equipped with an inexpensive reader can use it for tracking and monitoring people walking down the street or attending a political protest, or stealing someone’s personal information to use for identity theft.

“It is critically important that the public be aware of the risks to security and privacy posed by the use of RFID technology,” Ozer said.  With the roll-out of RFID-embedded passports and the technology being considered for use in other identification documents, like drivers’ licenses and student cards, it is particularly important that the government and the public understand the risks of insecure RFID technology.

HID Global, one of the largest producers of RFID tags in the country, threatened to sue IOActive for patent infringement if it moved forward with plans to present its work at the conference.  [Read the letter HID sent to IOActive here]

“The ACLU-NC supports the appropriate enforcement of intellectual property laws,” says Ozer, “but scientific analysis and discussion by security professionals must be allowed to continue.  Such work is integral to safeguarding the privacy, personal security, and public safety of millions of Americans.”

It is no secret that there are significant privacy and security risks associated with RFID technology.  In just the past two years, RFID credit cards, the Dutch and British RFID passports, the human implantable VeriChip, and the RFID entry cards to the California State Capitol, have all been compromised.  The Government Accountability Office (GAO) and the DHS Privacy and Integrity Committee have also released reports detailing privacy and security concerns with RFID technology.

Last year, the California legislature sent a strong bipartisan message to the Governor when it passed the Identity Information Protection Act, landmark legislation to ensure that no RFID tags would be used in state-issued ID’s without privacy and security protections. Vetoed in the final hours of the legislative session, the legislation has been reintroduced as SB 30 (Simitian- D Palo Alto) and is currently moving through the California legislature.

“Just like you put a lock on your door to keep your things from being stolen, RFID tags must have adequate protections to ensure that personal information is kept safe,” says Ozer.  Scientific research, public education, and legislative safeguards on the use of RFID in identification documents are important steps to protect privacy, financial security, and personal and public safety.