Are Radio Waves Coming From My Wallet? The Privacy and Security Issues Involved With RFID Technology

April 3, 2017

Radio Frequency Identification (“RFID”) technology uses electromagnetic fields to transfer data. RFID systems typically operate by attaching tags to objects, devices, or cards. Some tags can be powered by a local power source, such as a battery (“active RFID”). Their local power source permits them to transmit a signal that may be registered hundreds of meters from an RFID reader. Other tags do not have a local power source and are instead powered by electromagnetic induction from the magnetic fields that are produced by a RFID reading device in close proximity (“passive RFID”).

RFID tags have been utilized in many industries. In the manufacturing sector they are used to track parts within a factory, or the location of a final product in a production line. In the agricultural sector they can be implanted in livestock to allow for the identification of animals. In the payments sector, some payment cards were embedded with RFID chips to permit consumers to process a payment by holding their payment card within close proximity of a point of sale device that was enabled with an RFID reader. As payment cards have shifted toward embedded microprocessors (“EMV”), and the financial technology community has embraced alternative wireless transmission protocols, such as Near Field Communication (“NFC”) utilized by ApplePay, the use of RFID technology has declined.

Privacy advocates have voiced concern that consumer products that contain personally identifiable information that is intended to be accessible using RFID technology may be susceptible to interception or eavesdropping. Specifically, the media has expressed concern that identity thieves could be able to use remote RFID readers to remotely steal information from RFID enabled payments cards or identification cards. To-date, however, there have been relatively few (if any) confirmed instances of identity theft from RFID eavesdropping.

$12.6 Billion

Size of the market for RFID technology.1

19

Number of states that have enacted privacy statutes focused on RFID technology.2

569

The number of wallets advertised by a prominent retailer as containing RFID blocking technology.3

 

If your organization is considering using RFID technology to track consumers, or to save personal information, you should consider the following:

  1. What, if any, personal information does your organization intend to embed in an RFID tag?
  2. If the personal information were accessed by an unauthorized party could it lead to identity theft?
  3. Will consumers be notified about the type of information contained in the RFID tag?
  4. Will consumers have any misconceptions concerning the security of their information?
  5. Will consumers be provided a choice to opt-out of having an embedded RFID tag?
  6. Can you assure consumers that the RFID tag cannot be eavesdropped?
  7. Do you have a process for periodically evaluating any changes concerning the security of RFID tags?
  8. Does your organization’s proposed use of RFID technology comport with state laws?

1. Source: Statista.com available at http://www.statista.com/statistics/299966/size-of-the-global-rfid-market/ (last checked Nov. 2016)

2. National Conference of State Legislatures Survey of RFID Privacy Laws available at http://www.ncsl.org/research/telecommunications-and-information-technology/radio-frequency-identification-rfid-privacy-laws.aspx (last viewed Nov. 2016).

3. Search of Walmart.com for “RFID Wallet” conducted in November 2016.