RFID Implants: Making the Body Electric
Posted: 04-02-2006 11:11 PM
Implanted RFID tags have been receiving a lot of attention lately. Originally used to provide unique identification for race horses and family pets, they are now being increasingly considered as a way to provide a "loss proof" identification device for people.
Since the US Food and Drug Administration (FDA) approved the tags for implantation in humans, primarily as a "license plate" key to access individual's medical records, there have been a number of other applications for which these tags have been proposed or even used, at least on a trial basis.
Are implanted RFID tags the wave of the future or a potential misuse of technology?
In order to assess the potential benefits -- and risks -- of implanted RFID tags, it's important to understand the design and original use of these tags.
Background
Since the initial use was to identify animals to either help make sure lost pets were reunited with their owners and to positively identify thoroughbred race horses, there was no need to be concerned about security. Tags contain a read-only 16 bit code that is programmed during manufacture. Tags are designed to be read by any appropriate reader and contain no security features.
The code is designed to serve as a key to a database and does not contain anything other than a unique number.
Tags contain a small capacitor that is charged up during the interrogation process. This charge is used to power the response. It is not possible to make the tag provide a higher power response no matter how much energy is sent to it since the capacitor has a fixed limit to what it can hold.
Because tags are injected into a body, animal or human, and human bodies are 70% water, this also limits the range of the tag.
Reading tags requires near contact with the tag, typically with the reader placed against the skin very close to the location of the tag.
Applications
Medical records:
The first human application is to provide access to a database of medical records. The idea is that the tag could replace other forms of identification, such as cards, that could be lost or not available when a patient is admitted to a medical facility. This could be critical in the event a patient is brought in unconscious and unattended.
The limitations are, first, hospitals have to be equipped to read the tag and, second, they know to look for it. The other consideration is that the medical records contained in the database must be accurate and up-to-date. There is a fee to maintain an individual's records. There is some concern among medical professionals that, until such record-keeping becomes universal and covered by medical insurance, the information may not be current. On the other hand, having basic information on a patient's history and previous treatments (and physicians' names) may be better than having none at all.
The concern among privacy advocates is that tags could be surreptitiously read and give access to unauthorized individuals to the individual's medical history.
Security access:
Some companies are also beginning to use these tags to provide access to secure areas within a facility. Several employees of one company voluntarily had the tags implanted (although it was not required). Other employees, including the manager, wear the tags.
Here, the concern is that there is no security built into the system and that tag data could be "spoofed" (copied and retransmitted using a hand-held device).
Financial Transactions:
It has been proposed that having an RFID tag implanted in the palm of a hand could be used in lieu of a smart card or traditional credit card for financial transactions. This presumes that there's a central database that relates all of a person's credit card accounts to the 16 bit ID number.
The concern is that, without some form of secondary authorization such as a PIN, the code could be surreptitiously read and used by unscrupulous merchants to make fraudulent charges.
Password Access:
It has been suggested that the tags could be used to replace passwords for computer applications. It was recently reported that a couple had tags implanted to give them access to each others' computer passwords as a demonstration of their commitment to each other.
In addition to the possibility the couple could break up (and either have to change all their passwords or somehow get the tag back from the other person), the same concern about copying and using the ID to gain access to the person's computer, e-mail accounts and other personal information stored on a computer.
Considerations
There is a potential concern that, if one tag is used for each application, an individual might need multiple tags implanted which may cause conflicts among various applications. Whether this becomes a significant concern or not depends on whether these applications become common.
There are, however, two current concerns about some of the uses of implanted RFID tags.
The first is the potential for the tag to be surreptitiously read, the second is the security of the database.
In the first instance, successfully reading a tag surreptitiously that's implanted in an arm is not as easy as it sounds. Because the range is so limited, it may take several seconds of contact with a reader to be successful -- significantly reducing the "surreptitious" nature of the read. Implanting a tag in a palm makes it much easier to perform an unauthorized read.
It has been proposed that implanting the tag in a tooth is the most appropriate location since "keeping your mouth shut" would definitely help protect data on the tag and would be very difficult to read without the individual's knowledge (except, say, in a hospital emergency room when the person's unconscious when you would want the information read).
Most of the applications require the development and maintenance of a centralized or interconnected database. This does not yet exist. There are currently multiple providers of companion animal ID systems, which require different readers and access to different databases.
However, this points to the other, more significant concern: the security of the database itself.
While it may be possible to "spoof" the data on the tag, the security of any system depends on having an authorization procedure between the source of the query, a hospital for example, and the data repository. Ensuring strong authorization procedures can help mitigate concerns about the ease with which personal information could be accessed by unauthorized people.
Analysis
Some applications, such as companion animal ID, can clearly benefit from RFID. Others might benefit from a more secure form of implanted RFID.
However, one of the key questions that needs to be asked is whether the implementation of an ID that can't be lost, misplaced or left behind can best be served by RFID or by some other technology such as biometrics.
http://www.aimglobal.org/members/news/t ... &zoneid=24
Since the US Food and Drug Administration (FDA) approved the tags for implantation in humans, primarily as a "license plate" key to access individual's medical records, there have been a number of other applications for which these tags have been proposed or even used, at least on a trial basis.
Are implanted RFID tags the wave of the future or a potential misuse of technology?
In order to assess the potential benefits -- and risks -- of implanted RFID tags, it's important to understand the design and original use of these tags.
Background
Since the initial use was to identify animals to either help make sure lost pets were reunited with their owners and to positively identify thoroughbred race horses, there was no need to be concerned about security. Tags contain a read-only 16 bit code that is programmed during manufacture. Tags are designed to be read by any appropriate reader and contain no security features.
The code is designed to serve as a key to a database and does not contain anything other than a unique number.
Tags contain a small capacitor that is charged up during the interrogation process. This charge is used to power the response. It is not possible to make the tag provide a higher power response no matter how much energy is sent to it since the capacitor has a fixed limit to what it can hold.
Because tags are injected into a body, animal or human, and human bodies are 70% water, this also limits the range of the tag.
Reading tags requires near contact with the tag, typically with the reader placed against the skin very close to the location of the tag.
Applications
Medical records:
The first human application is to provide access to a database of medical records. The idea is that the tag could replace other forms of identification, such as cards, that could be lost or not available when a patient is admitted to a medical facility. This could be critical in the event a patient is brought in unconscious and unattended.
The limitations are, first, hospitals have to be equipped to read the tag and, second, they know to look for it. The other consideration is that the medical records contained in the database must be accurate and up-to-date. There is a fee to maintain an individual's records. There is some concern among medical professionals that, until such record-keeping becomes universal and covered by medical insurance, the information may not be current. On the other hand, having basic information on a patient's history and previous treatments (and physicians' names) may be better than having none at all.
The concern among privacy advocates is that tags could be surreptitiously read and give access to unauthorized individuals to the individual's medical history.
Security access:
Some companies are also beginning to use these tags to provide access to secure areas within a facility. Several employees of one company voluntarily had the tags implanted (although it was not required). Other employees, including the manager, wear the tags.
Here, the concern is that there is no security built into the system and that tag data could be "spoofed" (copied and retransmitted using a hand-held device).
Financial Transactions:
It has been proposed that having an RFID tag implanted in the palm of a hand could be used in lieu of a smart card or traditional credit card for financial transactions. This presumes that there's a central database that relates all of a person's credit card accounts to the 16 bit ID number.
The concern is that, without some form of secondary authorization such as a PIN, the code could be surreptitiously read and used by unscrupulous merchants to make fraudulent charges.
Password Access:
It has been suggested that the tags could be used to replace passwords for computer applications. It was recently reported that a couple had tags implanted to give them access to each others' computer passwords as a demonstration of their commitment to each other.
In addition to the possibility the couple could break up (and either have to change all their passwords or somehow get the tag back from the other person), the same concern about copying and using the ID to gain access to the person's computer, e-mail accounts and other personal information stored on a computer.
Considerations
There is a potential concern that, if one tag is used for each application, an individual might need multiple tags implanted which may cause conflicts among various applications. Whether this becomes a significant concern or not depends on whether these applications become common.
There are, however, two current concerns about some of the uses of implanted RFID tags.
The first is the potential for the tag to be surreptitiously read, the second is the security of the database.
In the first instance, successfully reading a tag surreptitiously that's implanted in an arm is not as easy as it sounds. Because the range is so limited, it may take several seconds of contact with a reader to be successful -- significantly reducing the "surreptitious" nature of the read. Implanting a tag in a palm makes it much easier to perform an unauthorized read.
It has been proposed that implanting the tag in a tooth is the most appropriate location since "keeping your mouth shut" would definitely help protect data on the tag and would be very difficult to read without the individual's knowledge (except, say, in a hospital emergency room when the person's unconscious when you would want the information read).
Most of the applications require the development and maintenance of a centralized or interconnected database. This does not yet exist. There are currently multiple providers of companion animal ID systems, which require different readers and access to different databases.
However, this points to the other, more significant concern: the security of the database itself.
While it may be possible to "spoof" the data on the tag, the security of any system depends on having an authorization procedure between the source of the query, a hospital for example, and the data repository. Ensuring strong authorization procedures can help mitigate concerns about the ease with which personal information could be accessed by unauthorized people.
Analysis
Some applications, such as companion animal ID, can clearly benefit from RFID. Others might benefit from a more secure form of implanted RFID.
However, one of the key questions that needs to be asked is whether the implementation of an ID that can't be lost, misplaced or left behind can best be served by RFID or by some other technology such as biometrics.
http://www.aimglobal.org/members/news/t ... &zoneid=24