Team for Research in
Ubiquitous Secure Technology

Security and Privacy Risks of Embedded RFID in Everyday Things: the e-Passport and Beyond
Marci Meingast, Jennifer King, Deirdre Mulligan

Citation
Marci Meingast, Jennifer King, Deirdre Mulligan. "Security and Privacy Risks of Embedded RFID in Everyday Things: the e-Passport and Beyond". Journal of Communications, 2(7):36-48, December 2007.

Abstract
New applications for Radio Frequency Identification (RFID) technology include embedding transponders in everyday things used by individuals, such as library books, payment cards, and personal identification cards and documents. While RFID technology has existed for decades, these new applications carry with them substantial new privacy and security risks for individuals. These risks arise due to a combination of aspects involved in these applications: 1) The transponders are permanently embedded in objects individuals commonly carry with them 2) Static data linkable to an individual is stored on these transponders 3) The objects these transponders are embedded in are used in public places where individuals have limited control over who can access data on the transponder. In 2002, the U.S. Department of State proposed the adoption of an “electronic passport,” which embedded RFID transponders into U.S. passports for identification and document security purposes. In this paper, we use the U.S. Government’s adoption process for the electronic passport as a case study for identifying the privacy and security risks that arise by embedding RFID technology in everyday things. We discuss the reasons why the Department of State did not adequately identify and address these privacy and security risks, even after the government’s process mandated a privacy impact assessment. We present recommendations to assist government as well as industry in early identification and resolution of relevant risks posed by RFID technology embedded in everyday things. We show how these risks exists with many new and upcoming applications of embedded RFID in everyday things and how these applications can benefit from the recommendations for a more secure and privacy preserving design.

Electronic downloads

Citation formats  
  • HTML
    Marci Meingast, Jennifer King, Deirdre Mulligan. <a
    href="http://www.truststc.org/pubs/312.html"
    >Security and Privacy Risks of Embedded RFID in Everyday
    Things: the e-Passport and Beyond</a>,
    <i>Journal of Communications</i>, 2(7):36-48,
    December 2007.
  • Plain text
    Marci Meingast, Jennifer King, Deirdre Mulligan.
    "Security and Privacy Risks of Embedded RFID in
    Everyday Things: the e-Passport and Beyond".
    <i>Journal of Communications</i>, 2(7):36-48,
    December 2007.
  • BibTeX
    @article{MeingastKingMulligan07_SecurityPrivacyRisksOfEmbeddedRFIDInEverydayThingsEPassport,
        author = {Marci Meingast and Jennifer King and Deirdre
                  Mulligan},
        title = {Security and Privacy Risks of Embedded RFID in
                  Everyday Things: the e-Passport and Beyond},
        journal = {Journal of Communications},
        volume = {2},
        number = {7},
        pages = {36-48},
        month = {December},
        year = {2007},
        abstract = {New applications for Radio Frequency
                  Identification (RFID) technology include embedding
                  transponders in everyday things used by
                  individuals, such as library books, payment cards,
                  and personal identification cards and documents.
                  While RFID technology has existed for decades,
                  these new applications carry with them substantial
                  new privacy and security risks for individuals.
                  These risks arise due to a combination of aspects
                  involved in these applications: 1) The
                  transponders are permanently embedded in objects
                  individuals commonly carry with them 2) Static
                  data linkable to an individual is stored on these
                  transponders 3) The objects these transponders are
                  embedded in are used in public places where
                  individuals have limited control over who can
                  access data on the transponder. In 2002, the U.S.
                  Department of State proposed the adoption of an
                  âelectronic passport,â which embedded RFID
                  transponders into U.S. passports for
                  identification and document security purposes. In
                  this paper, we use the U.S. Governmentâs
                  adoption process for the electronic passport as a
                  case study for identifying the privacy and
                  security risks that arise by embedding RFID
                  technology in everyday things. We discuss the
                  reasons why the Department of State did not
                  adequately identify and address these privacy and
                  security risks, even after the governmentâs
                  process mandated a privacy impact assessment. We
                  present recommendations to assist government as
                  well as industry in early identification and
                  resolution of relevant risks posed by RFID
                  technology embedded in everyday things. We show
                  how these risks exists with many new and upcoming
                  applications of embedded RFID in everyday things
                  and how these applications can benefit from the
                  recommendations for a more secure and privacy
                  preserving design.},
        URL = {http://www.truststc.org/pubs/312.html}
    }
    

Posted by Marci Meingast on 29 Jan 2008.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.