Why One Man Got a Guerrilla RFID Implant

Shannon writes "One of my writers just did an interview with Amal Graafstra, who just had an RFID implant put in his hand and has been building appliances for it to simplify and automate his life... "I guess I have my own Big Brother paranoia. Given the choice of Orwellian societies, I'd rather live in one based on RFID tags than fingerprints, DNA, or facial structure; an RFID tag system is easy to manage and opt out of, whereas DNA sampling or facial recognition, well, isn't.""

Opt-out, eh?

[The_REAL_DZA]

So I guess this guy just doesn't take his hand with him if he doesn't want to be tracked?

RFID tags can be faked

[Anonymous Coward]

So he has traded something unique and personal for something that can be read at a distance, copied and used freely by others. What is the advantage exactly?

Yeah right

[metlin]

an RFID tag system is easy to manage and opt out of

Hahaha! So you think - until it becomes absolutely mandatory and illegal for you to remove them.

Or -- imagine -- systems which would just not function without an RFID implant, or harm you if you do not have one.

What would you do then?

Get over it, you're slowly losing all the privacy you once had. It's one of the prices we are paying for certain advancements (and obvious advantages).

Whether or not you choose to have them - that would be your choice, at the moment. However, you really may not have the ability to make that choice a while from now.

What about jewelry instead?

[PxM]

Instead of going with a permanent implant, why not just get a stylish gold ring or watch or other thing with an RFID chip? I never take off my watch so it would give me almost the same functionality. Or maybe a false fingernail or something that is semipermament. This allows me to opt out without having to cut myself open.

--
Want a free Nintendo DS, GC, PS2, Xbox. [freegamingsystems.com] (you only need 4 referrals)
Wired article as proof [wired.com]

Lesser of two evils?

[ChaosCube]

Now, I didn't read the article, but it seems to me that using a lesser of two evils argument isn't always the answer. Sometimes the right answer is just "no".

Re:Opt-out, eh?

[nocomment]

I was wondering if he ever read revelations.

Ideal...

[Tribbin]

Ideal for people that rather have their hand cut off and being stolen instead of only being stolen.

Re:Yeah right

[slavemowgli]

It actually doesn't even have to be mandatory to be practically impossible to opt out of. Just try doing things like flying or booking a hotel room or similar things without photo ID today - it's hardly possible.

I'm a pretty tolerant guy

[hey!]

but I have to say it strikes as, well, stupid to think that you can "opt out" of having somebdoy read something that is implanted in your body and has absolutely no built in security measures at all.

Saying the read range is only two inches is to count on two things: (1) that the guys who might want to read your implant without your knowledge don't have access to better technology than you do and (2) they aren't clever enough to plant the reader where you will trigger it and won't notice.

The guy almost has the right idea though. An important quality of a system, if it is to have privacy, is the ability to know when you are being scanned and potentially tracked. This is why biometric face recognition systems, which are advocated by some people on the right, are actually much more dangerous than a national ID card, which is anethema.

Re:Opt-out, eh?

[qwijibo]

I keep seeing references to short distances. That distance is true for a typical receiver. But why would a bad guy limit himself to the off the shelf receiver? It's not even necessary to get the thing all at once since it's a static value. Much better radio equipment in the hands of the attacker seems like it would be all it would take.

Re:FAQ

[qwijibo]

I think someone with a knowledge of radio equipment, antennas, and motive to spend the money on those things would be able to extend the range. Even a range of 5-10 feet would be adequate for an attacker. Taking several attempts at reading the chip would make it pretty easy to reconstruct the number.

Re:I've always thought

[Anonymous Coward]

You have 5 pieces of information there, the longest being 12 characters. You think an identity thief can't spend 20 minutes memorizing that GUID?

Obviously you never had a Fake ID (handed down, not created). Because I memorized the SSN, Address (it was another state, so that's city and zip, too), and Date of Birth. It wasn't too tough.

But oh, poor Charles Farley of Galena, Illinois. Thank God I am a trustworthy protector of your valuable personal info. :)

Why...

[kevin_conaway]

Is that comment about "Orweillian" socities in the article summary? Seems like it was just flamebait to get everyone riled up about RFID.

Its just a neat project about a lazy man making life easier for himself.

Re:I wouldn't mind it if...

[StalinsNotDead]

it replaced the need for keys for your car

What happens if you need to loan somebody your vehicle?

Global identifiers make for poor identication

[Anonymous Coward]

So when the identity thief goes to the dealership to buy a car with your id, when they can't recite the GUID assigned to you, they are instantly arrested and displayed hanging from their toenails in the town square for all to see.

Have you ever mistyped your password? Would you like to be arrested if you did?

What if the buyer is sick the day he goes to make payment on your car? What he's hungover? What if he's getting old, and his memories are fading? What if she's got dislexia, and can't visualize numbers, let alone memorize them?

With it being globally unique (theoretically), it would be nearly impossible to memorize anyone's other than yourself

You define "nearly impossible" differently than I do. :-)

If you ask most people if they can memorize ten digit numbers, they say "no". If you ask them their best friends phone number, they rattle it off without thinking. People with a vested interest can write down and then memorize darn near anything. After all, you learned to memorize your number. Why can't someone else?

What's to stop, say, the car dealer from keeping a copy of your global identifier (say, he's got a tape recorder in his pocket when you say it out loud), and then buying a vacation to Cuba with your identity?

The answer is, of course, not much.
--
AC

Re:Opt-out, eh?

[JudgeFurious]

I'm sure he did. He just recognized it for the "Fiction" that it is.

Re:FAQ

[markana]

>Q: can't they track you?!
>A: no. the read range is only 2 inches max. even

*Your* read range is 2 inches - I'll bet a bit of tweaked hardware can extend it to multiple feet. If I pass near you with a reader in my coat pocket, I'll get your tag #. Then I can spoof it, and enjoy the same physical access you do.

>with a high powered reader, the chip itself does
>not have the capability to transmit farther than
>a couple inches tops. this makes it very
>difficult to scan my RFID chip without me
>noticing, and it's definitely not possible to scan
>it just by me walking by a sensor or something.
>It has to be pretty deliberate.

Wanna bet? *You* might not be a target right *now* (too obscure), but wait until lots of people are carrying RFID'd stuff. Then it's worth the effort. It'll be just like wardriving.

Then again, you've just raised your profile enough that it might tempt someone near you to try and hack your system. Just for the cred - are you sure you can engineer it securely enough?

>Q: what about the mark of the beast!?
>A: well, last time I checked, this chip wasn't
>required, I won't be killed for not having one, I

Not yet, anyway...

>don't need it to buy/sell things, and with

Ever try to travel without a credit card? You can't buy an airline ticket, reserve a hotel room, rent a car, or a number of other things without using a CC. Oh, it *might* be possible in some cases, but those are getting rarer and rarer.

>billions of unique ID codes (numbers and
>letters), I don't see how each unique code could
>be calculated in some way to 666. bottom line, if

They don't have to. In fact, you'd want the tag to be very unique to the person. But the very *act* of agreeing to such an implant could be used as a loyalty test.

>this ever becomes an oppressive technology,
>required by some government, I can simply take it
>out.

Really? You're applying today's legalities to tomorrow, which is always tricky.

A cashless economy based on implanted RFID tags has, on the surface, a lot of positives. Theft would be a lot harder. Not impossible, but harder (at least compared to stealing cash or credit cards). And convenient - no more forgetting your checkbook at the supermarket. Stores will love it - no robberies (no cash on hand), and complete tracking of individual purchases.

Governments will love it also. Buying patterns could be mined for potential anti-establishment patterns. Assuming a central authorization system(s) somewhere (needed to prevent fraud, you see), a dissident could become a non-person at the touch of a button. Put this in a global government, and there would be nowhere to run. Total control, on a scale impossible before computers and global networking.

The best part of all is that taking a tag doesn't have to be legally mandated. If you can't buy food without one, that'll be incentive enough to "volunteer". Use PR to associate the tags with some social or patriotic feeling ("All *good* citizens have the chip - why don't you?"). That way, peer pressure will take care of most of the casual resisters. The rest can be left to starve or try to survive on the fringes of society.

Re:Yeah right

[FrostyWheaton]

Just remember, the technology that lets you keep tabs on your kids, lets Joe Random Paedophile keep tabs on them as well.

I'm not too worried...

[tomarseneault]

Call me a cockeyed optimist but I'm not too worried, at least not about the Government enforcing RFID. Anything they field can easily be defeated, if history is any teacher. Here are my thoughs on some of the issues brought up: 1) "you can't opt out" - Yes you can, you can have the thing removed or destroyed. Even if the government said it's against the law to do so doesn't make it technicly imposible to do. And if enough people do it, it gets to be unenforceable. You can't opt out of DNA and while facial recognition software is easy to defeat it's way too costly to permently change your face. I'm more worried about the general economy addopting it, as some posters have alluded too. I don't think the Gov will mandate it, not sure they could anyway, our paper money say "legal tender for all depts public and private" so by law they probably have to supply it but there may be some businesses that will become "electronic transactions only" outlets but major stores will probably still take cash. Even in a worst case where you can't get by with out an RFID (which will only happen if better encryption can be implemented) it'll be business's that'll drive it and not the Gov. And I can only guess at the black/grey markets that'll popup with anonymous/fake RFIDs, it'll be a brave new world. 2)Why not wearable instead? - This has been covered pretty good by others but it boils down to if you wear it, it can be stolen/lost. Some folks, possibly as jokes, mention the cutting off of his hand to seal his ID; not an easy thing to do, most folks would easliy give up their watch/rings/wallets but would fight rather hard to keep their hand. 3) Its unencrypted - The author understands that, he even understans that the 40bit encrypted ones have been cracked already. He mentions some form of 2 factor authentication on some critical operations, such as open a door, but that's not needed when turning on a light. And I agree that even a 1 to 2 inch read limit is of little protection against theft, Credit cards require the target to remove them from their wallet and make physical contact with a reader (to get the info off the magnetic strip) but that's an easyenough crime to commt, scanning a hand should be no problem. Thougth we might see a surge in sales of wire mesh gloves for blocking this. 4) We already are being tracked by RFID in cloths and other products - Partly true, but it's a very iffy way of doing it. WalMart has hundreds of shirts in stock to be able to track my shirt and associate it with me would take the updating of possibly dozens of databases, not an easy thing to do (the IRS has been working for 20 years to try and get computerized and they still can't get it right and they only have one DB) In conclution: RFID, DNA, Facial Recongnition, federal ID cards all of these are useless for near 100% identification purposes (DNA comes nearest but is nowhere near realtime) so other than a token effort by the government I am not too worried. They'll pass it, it'll be a major headache for a few months/years then it'll go away (congress has a notorisly short attention span and when the next new birght shiny object comes into view they'll forget all about it). P.S. One poster mentioned everyone getting an GUID at birth, I go one further, I think we should all get a 48 bit Mac address at birth so that when the IPv6 enabled RFIDs come out we can jack in right away.

Re:What about jewelry instead?

[Prometheus+Bob]

Stickem up! Gimmie your cash! Now! Oh and I'll take that Nice RIGHT HAND too.