[Web4lib] [Publib] RFID and insecurity

Mark Ellis mark.ellis at yourlibrary.ca
Thu Sep 23 12:40:56 EDT 2010


While I agree with you that RFID is nearly useless for securing
collections for the reason you cite, I'm not convinced it's a privacy
problem unless you're putting data on the tags that can readily be used
to retrieve  bibliographic data.

OPACs don't usually provide search by barcode facilities--much less APIs
to allow programmatic lookups, so I'm thinking you'll have difficulty
telling me what 31290092415991 is in our collection. [NB: There's no
prize for the first person who does!]

This got me thinking about similar problems with commercial applications
of RFID, so I Googled "UPC Database" and found this:

I tried the first UPC barcode I could put my hands on and came up with:


Now I can imagine a display window full of TV sets displaying the
contents of my shopping bag as I walk by:  Preparation H, Viagra,


Mark Ellis
Manager, Information Technology
Richmond Public Library
Richmond, BC
(604) 231-6410

-----Original Message-----
From: publib-bounces at webjunction.org
[mailto:publib-bounces at webjunction.org] On Behalf Of Robert L. Balliot
Sent: Thursday, September 23, 2010 5:53 AM
To: publib at webjunction.org; web4lib at webjunction.org
Subject: [Publib] RFID and insecurity

I was asked by the president of a Library Friends group if I knew of any
comprehensive studies since 2005 addressing the relative benefits and
security of RFID with self-check.  To me, RFID represents some good
inventory control benefits. It does not, however, represent anything
resembling good security.  In fact, it represents a certain amount of
insecurity and here is why -

There are several problems with trying to find comprehensive studies -

1. Articles in the major library trade publications are essentially
sponsored by vendor advertising and many of their tech writers are
employed by vendors.
2. RFID is a big business with high profits, so vendors are unlikely to
be self-deprecating 3. Libraries that use RFID/ Self Check and invested
heavily in the technology are unlikely to point out problems because 
   - they would be publishing their security flaws
   - they don't have an alternative because they got rid of staff
   - they have not yet been targeted by theft

The proliferation RFID tags brought up a huge privacy issue.  They
transmit information.  I recall reading in 2005, that you could received
RFID tag signals from about 69 feet away.    In 2005, receivers were
expensive, large, and rare. Now they are not. 

So, the initial reaction from privacy advocates was to find a way to
turn off RFID if institutions chose to use them. You can put them in a
microwave, hit them with a hammer, cut the little antenna or otherwise
damage them so that they will not transmit. 

But, there is a very simple, inexpensive alternative to damaging the tag
- simply put the materials in a Faraday Bag. It blocks the transmission
and makes the item invisible to RFID receivers.  Faraday bags are
inexpensive, easy to manufacture, and easy to conceal. You could line
book bags and purses and even envelopes with faraday bags and render the
RFID 'security'
completely ineffective.

So, with self-check you have two issues.  If you are using barcodes for
patrons, they are not secure. If you are using RFID it is not secure.

There *are* many inventory control benefits from RFID but I believe
those same benefits and a substantially lower unit cost could be
accomplished with externally affixed GR tags. 

Robert L. Balliot
Skype: RBalliot
Bristol, Rhode Island

Publib mailing list
Publib at webjunction.org

More information about the Web4lib mailing list