FAST-FORWARD three or four years to a day when you walk up to
the checkout counter at your local drugstore and place your
shopping basket with its dozen items on the counter. Three
seconds later the total sales price is displayed without a
single item being pulled from the basket. You wave your debit
card, punch in your personal identification number, dump the
items into a plastic bag and leave, spending less than 30
seconds conducting the entire transaction. You have your products
but your products have a secret that can continue to
identify you even after you've left the store.
Science fiction? No. Efficient? Yes. Scary
to people concerned about privacy? You bet. And if the researchers
at RSA Laboratories, the renowned research arm of
RSA Security, have their way, the identification of
the miniature barcode-like devices called RFID tags that make
this scenario possible will be something over which you, the
consumer, will have some control.
Radio frequency identification (RFID) tags
are an advanced electronic version of those Uniform Product
Code (UPC) bar codes stuck on everything we purchase, from
razor blades to car tires. The tags, which require no batteries,
automatically activate when close to an RFID reader and then
transmit their identification information (typically a UPC
barcode-type number identifying the product to which it's
attached) to the reader. Over the next few years, manufacturers
and retailers plan to embed or attach RFID tags to all types
of products, theoretically reducing theft and making automated
checkout, product returns and inventory audits remarkably
fast.
Although faster checkouts sound good to
most people, it's the subtler and undefined areas of
RFID usage that have some consumers concerned about privacy.
What happens when you wear the expensive new sneakers with
the still-functioning RFID tag embedded in them (there is
a "kill" command that may or may not be employed
by stores) to the store where you purchased the sneakers?
Will the store read the tag again and correlate it with your
previous purchase? Will the store track what shelves or items
you look at while you're browsing? Who's to stop
the store (or anyone else) from reading the RFID tags on any
item you purchase, tracking your behavior, movements or associated
personal information from previous purchases?
You will stop it, if one of the RSA Laboratories
projects, called Blocker Tags, becomes a reality. RSA Laboratories
previously identified the importance of helping organizations
and individuals keep data secret (such as through the building
blocks for SSL security in standard Web browsers) and now
has identified privacy as an important and unsolved problem,
especially in the face of developments such as the upcoming
proliferation of RFID tags in consumer goods.
"Once you've been identified
by a store's scanner activating a previously purchased
RFID-embedded item, you've lost your privacy coming into
the store," says Dr. Burt
Kaliski, chief scientist at RSA Laboratories. Because the
tags are not smart enough to know who should be reading them,
they simply identify themselves to any RFID reader that activates
them, potentially opening up consumers to having their
privacy compromised anytime they carry or use an item with
an RFID tag.
So that you don't need to hide under
a cocoon of tinfoil to block potential RFID readers from scanning
your RFID tags, RSA Laboratories has come up with a way to
introduce better privacy through a new kind of tag, which
it calls a Blocker Tag.
Invented by RSA
Security co-founder Ron Rivest, in collaboration with
scientists Ari Juels and Mike Szydlo, "the Blocker
Tag gives consumers control over what's being scanned,"
says Dr. Kaliski.
"The Blocker Tag gives consumers control
over what's being scanned," says Kaliski.
Doing exactly what its name implies, the
Blocker Tag uses a sophisticated algorithm to provide an endless
series of responses to RFID readers, so they never have time
to read other nearby RFID tags. Technically speaking, the
Blocker Tag interferes with the singulation protocol of RFID
readers. The only thing consumers need to know is that when
they carry one into a store, the store's RFID reader will
not be able to read any of the other RFID tags that come in
with them, ensuring the privacy of shoppers through the elimination
of this electronic eavesdropping.
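The following simulation is an added example, not code from the article or from RSA Laboratories, showing why answering every query stalls a reader. It assumes a binary tree-walking singulation protocol; the 16-bit IDs, the query budget and the class names are constructed for illustration.

```python
# Added simulation (not from the article). Assumes tree-walking singulation.
ID_BITS = 16                               # constructed; real tag IDs are longer
SAMPLE_IDS = [0xA3F1, 0xC0DE, 0xF00D]      # constructed tag IDs


class Tag:
    def __init__(self, tag_id):
        self.bits = format(tag_id, f"0{ID_BITS}b")

    def reply(self, prefix):
        # An ordinary tag answers only if its ID starts with the queried
        # prefix, and then broadcasts the next bit of its ID.
        return {self.bits[len(prefix)]} if self.bits.startswith(prefix) else set()


class BlockerTag:
    def reply(self, prefix):
        # Answers both bit values to every query, so the reader sees a
        # collision at every node of the ID tree.
        return {"0", "1"}


def singulate(tags, budget=1000):
    """Reader side: depth-first walk of the ID tree.

    Returns (ids_read, queries_sent, completed). `budget` is a hypothetical
    cap on queries, standing in for the time a reader has available.
    """
    found, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == ID_BITS:         # full ID resolved
            found.append(int(prefix, 2))
            continue
        if queries >= budget:
            return found, queries, False   # ran out of time mid-walk
        queries += 1
        seen = set()
        for tag in tags:
            seen |= tag.reply(prefix)
        for bit in sorted(seen, reverse=True):   # explore the '0' branch first
            stack.append(prefix + bit)
    return found, queries, True


if __name__ == "__main__":
    shelf = [Tag(i) for i in SAMPLE_IDS]
    print("no blocker:  ", singulate(shelf)[1:])
    print("with blocker:", singulate(shelf + [BlockerTag()])[1:])
```

With the blocker present, every ID the reader records before the budget runs out is one the blocker simulated, and the three real tags are never reached.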
Although the first applications of Blocker
Tags are primarily consumer-oriented, enterprises also will
benefit from the technology. For example, enterprises that
use RFID tags should be concerned about
industrial espionage. Anyone with a tag
reader potentially could monitor all tagged
traffic (people and products) in and out of an enterprise,
or shipments of RFID goods to customers or business partners.
Blocker Tags also may help enterprises in selling RFID-enabled
products to security-conscious consumers, because there has
been so much public concern about privacy issues. By ensuring
that their customers have some control over their privacy
while using RFID tags, an enterprise could greatly reduce
the potential of bad publicity or consumer backlash.
The Blocker Tag privacy project is one of
RSA Laboratories' key research projects for 2003. RSA
Laboratories has been publishing technical papers on the topic
since May, and has been talking with standards bodies, manufacturers
and potential customers to refine the specifications, identify
applications and evaluate the market's needs. Even if
Blocker Tags do not become a commercial product, the issues
and research that have gone into them will give RSA Security
forward-looking experience in addressing critical privacy
issues for its customers and strategic partners.
RISING TO THE TOP
WHAT IT TAKES TO BE INVESTIGATED BY RSA LABORATORIES
Not every idea that pops into the heads of RSA
Laboratories researchers becomes a full-blown
project. Ideas are prioritized for further investment
and development based on the following four criteria:
PASSION
A researcher must have both a deep conviction that
his or her idea is important and enough passion
to see it carried all the way through to a product
or service for customers. "People really
have to believe in an idea in order for us to
consider investing in it," says Burt Kaliski,
chief scientist at RSA Laboratories.
COMPETENCE
A really good idea is a really good idea only
if it fits within RSA Security's areas of expertise.
For example, RSA Laboratories researchers might
have a great idea for an e-mail spam filter, but
such a concept would be a better fit for an e-mail
or filtering company.
STRATEGIC RELEVANCE
The proposed idea must fit within the strategic
direction of RSA Security and the general direction
of its customers. For example, an idea such as
RFID blocking fits into RSA Security's authentication
strategy.
UNIQUE VALUE
Research in this area would provide unique value
to customers of information security products.