Sites Inria

Version française

RFID

David Simplot-Ryl et Nathalie Mitton - 20/05/2011

Is RFID dangerous?

Despite the numerous services it provides, consumers find RFID worrying. The technology uses radio waves. Is it dangerous ? An RFID tag contains information that can be read remotely. Could this jeopardise privacy ?

What's RFID ?

RFID, or Radio Frequency Identification, is a technology which can be used to identify an object through a unique RFID tag. This tag consists of an antenna and an electronic chip. It does not contain an energy source and is totally passive. It can only emit information – its identifier, by default – if it is activated by the electromagnetic field of a reader. If so activated, it can be used to communicate remotely.

Each tag has a unique identifier, assigned by a single global organisation, GS1. Basic tags only store this identifier. The most advanced tags can store up to 1 kilobyte of data, which opens up possibilities for use in a number of fields. Every day, new applications of RFID emerge, in public transport (Brussels, Beijing, Shanghai, Paris, etc.), ski packages (the biggest Alpine ski resorts are already equipped with the technology), chips for animals, etc.

But the area in which RFID technology is really being adopted en masse  is in supermarket distribution. RFID’s remote reader and unique identifiers can bring about improvements in logistics. Inventories of objects can be obtained in real time, without any need to handle the objects. The technology also offers better traceability. A product can be monitored throughout its lifetime thanks to its unique identifier. For further details on this subject, see the document Communicating tags.

Radio frequency

The RFID tag is passive, insofar as it does not have an in-built energy source. A tag alone therefore emits no waves and poses absolutely no danger.

The tag communicates when it comes within the electromagnetic field of a reader. It is this reader which emits electromagnetic waves at a certain power. Depending on the RFID technology, these readers may emit waves in three frequency bands: 125 kHz for very low frequency (LF) readers, 13.56 MHz  for high-frequency (HF) readers and 900 MHz for ultra-high-frequency (UHF) readers. The impacts of these waves on the human body therefore depend on the frequency band used. The electromagnetic fields generated by the readers have been measured in laboratory conditions, as recounted in a report by AFSSET, the French agency for safety in the environment and at work, renamed Anses in 2010. The field emitted in the LF and HF bands quickly fades and is only significant in the immediate vicinity of a reader. In any case, this radiation remains lower than the threshold limit value for humans recommended by the ICNIRP, the International Commission on Non-Ionizing Radiation Protection (maximum permitted magnetic field = 400 nT for HF technology and 105 nT for UHF). Although, in UHF frequency bands, the magnetic fields span greater distances, measurements have shown that the radiation does not exceed the threshold limit values.

So for individuals who are only sporadically exposed to waves emitted by RFID readers, the risk is low. However, in the event of continued exposure, even if radiation levels are low, AFSSET recommends maintaining a minimum distance of around 20cm from the readers at all times.

Research is also being conducted into potential electromagnetic incompatibilities with medical devices such as pacemakers . Some risks of interference have been identified in the lab, but no real-life cases have been reported.

An RFID tag, as described above, consists only of an antenna and a chip. It does not have an in-built energy source and can only emit waves if it is powered by the field of a reader. If the tag is fitted with a battery, it becomes active, and can communicate even when outside of the field of a reader. Such tags are used for short-range communication and serve as relays to forward the data read to the remote reader. These active RFID tags tie in with the concept of sensor networks. They pose a different problem. The frequency band used ranges from 900 Mhz to 2.4 GHz and comes in addition to the WiFi spectrum. However, the waves from active RFID tags are emitted at very low power and have a short range. Their impact is therefore limited.

Privacy

The RFID tag is also accused of jeopardising people’s privacy. It is true that each RFID tag has a unique identifier. If this identifier is paired with the identity of a person, that person can be traced each time the tag tranPsmits its identifier.

This can happen, for instance, when several tags come within the field of a reader. If they all emit at the same time, the signal will be scrambled and none of them will be identified. Anti-collision protocols are implemented to mitigate this problem. Some of these protocols require the tag to send its identifier, while others do not, but do not guarantee that the identifier will not be sent.

When the tag is placed on a product sold in a shop, the CNIL and the European Commission recommend deactivating the RFID chip when the product leaves the store, unless the consumer explicitly requests otherwise. Most of the time, people don’t even know that the products they buy have RFID tags, which are generally theft prevention devices, and these tags are automatically destroyed at the cash desk, which deactivates the theft prevention device.

Furthermore, the information collected or stored on RFID tags is subject to the rules set out in the 1995 EU Directive on data protection. The basic principles are clear: the data collection must have a specific purpose and must only concern relevant information. The period for which the data is retained must then be justified in relation to this purpose. It is prohibited to couple an RFID identifier with a person’s identity, unless the person concerned explicitly so requests.

When RFID tags are used in badges for paying motorway tolls or in public transport passes, the owner of the card is associated with the card itself, as with a bank card. This person can therefore be traced. Such cases are accepted by the CNIL, as the card is created at the express request of the consumer. The limits of consent are always a subject of debate. The Commission recommends adapting the level of detail of the data to suit different uses. For example, for public transport, the CNIL has decided to issue a recommendation to ensure that the collection and processing of personal data by public transport companies as part of ticket applications comply with the principles of the law on ‘Information technology and freedoms’ of 6 January 1978. The CNIL recommends, among other things, that data concerning people’s journeys should not be used in a form that would enable the users to be identified, except for the purposes of fraud prevention, and then only for the time necessary to detect the fraud, which must not exceed two consecutive days.

RFID technology can pose a threat to privacy, which is why there are laws governing its use. Are these laws sufficient, and sufficiently adhered to, to protect individuals? The doubts surrounding this subject remain a barrier to the deployment of the technology. Indeed, in recent years, many big companies (Benetton , WalMart , Metro , etc.) have adopted RFID to improve their logistics, but then been forced to backtrack in the face of public opinion.

Implanted RFID chips

Like any new technology, RFID has erred at times. You probably heard about the night club in Barcelona which implanted RFID chips under the skin of its regular customers. The idea was as follows: when entering the club or buying a drink, customers would, instead of getting out their wallet, simply present their skin to an RFID reader. The tag would be read, the customer identified and their bank accounted debited. They could travel light and wouldn’t have to worry about anyone stealing their wallet or purse. This practice was legal, as only people who requested a chip had one implanted. The danger lay in the fact that the chip was not implanted by doctors. In some cases, customers suffered muscle damage.

To summarise, a passive RFID tag does not pose any health risk when carried on your person, as it does not emit any waves when outside of the field of a reader. Readers do emit waves, but they have only a short range. The same goes for active tags, which are relatively rare and similar to sensor networks. The question of privacy is more delicate. Abuses are certainly possible, but use of RFIDs is controlled by laws and regulations.

Source : Interstices

Keywords: RFID Inria Lille - Nord Europe Research Centre Dangerous Technology POPS research team

Top