Skeptic Sees M2M's Dark Side


The Internet of Things doesn't convey a pretty picture in the mind of Katherine Albrecht.

A longtime advocate for consumer privacy and the author of "Spychips: How Major Corporations And Government Plan To Track Your Every Move With RFID," Albrecht is one of the industry's biggest skeptics of the Internet of Things and machine-to-machine trends.

"When I think about the Internet of Things, I picture this thing that we are building, which you could call a web. And where there's a web, there's a spider," Albrecht said in an interview with CRN. "All of this connectivity and all of this sensor-awareness that's being built into the physical world is all going to be feeding its data back to some central location -- and lots of companies want to be the spider at the center of that."

RFID HORROR STORIES

In addition to writing the award-winning "Spychips," Albrecht is the founder of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), a grassroots advocacy for consumer privacy founded in 1999. During her career, Albrecht has uncovered a number of real-life use cases for RFID tags -- technology that leverages computer chips as small as a grain of sand to track items remotely -- that are nothing short of chilling.

Even a decade ago, the early use cases emerging around RFID tags were, in Albrecht's words, "horrifying." In making her point, Albrecht references a case involving a group of unknowing shoppers at a Broken Arrow, Okla.-based Walmart back in 2003.

Working alongside consumer goods giant Procter & Gamble, the Oklahoma Walmart equipped Procter & Gamble's Lipfinity lipstick with RFID tags, meaning shoppers who bought the product left the store, unknowingly, equipped with a personal tracking device. But that, Albrecht said, wasn't the worse of it: Those same Walmart shelves were equipped with a discrete surveillance technology that filmed shoppers as they perused the lipstick display. That footage was then transmitted back to a Procter & Gamble office in Cincinnati, where executives would tune in and watch, Albrecht explained.

"They were using this to do this kind of creepy, unpaid and unalerted consumer research on these women," said Albrecht, who, with the backing of CASPIAN, was among the first to call out Procter & Gamble on the issue. "They initially denied it and then we produced video to prove that they had been doing it, and then they quietly got rid of it."

Throughout her career, Albrecht has seen and fought back against other instances of RFID tags, including their use on Gillette razor blades. At one point, CASPIAN even exposed plans by worldwide clothing manufacturer Benetton to embed RFID chips into women's undergarments. Appalled by the idea of women's unmentionables being tracked from afar, CASPIAN launched its "I'd Rather Go Naked" campaign, which prompted an international outcry and ultimately halted Benetton's plans.

THE DHS AND RFID

RFID tags -- which are one of several technologies playing a role in the burgeoning Internet of Things and machine-to-machine trends -- were embraced by the retail industry as early as 1999 to track products as they move through the supply chain. But since then, RFID tags have been adopted by other industries, including the federal government.

In 2008, for instance, the U.S. Department of Homeland Security announced plans to roll out "Enhanced Driver's Licenses," or licenses that are remotely readable, thanks to a tiny microchip embedded inside. The initial aim of these high-tech licenses was to simplify border control; customs personnel equipped with RFID readers could extract information from the licenses up to 30 feet away, as carriers approached the border.

When it became necessary to use a passport to cross into Mexico and Canada from the U.S., states close to borders -- such as Washington, Arizona and Michigan -- were encouraged to adopt these enhanced IDs as an alternative, Albrecht said. And while the cards were positioned as being secure, transmitting only a unique ID number that links to information contained in a DHS database rather than personal information, Albrecht wasn't convinced.

The issue, she said, is that the RFID technology used in the licenses is identical to that used for tracking consumer products. It's called EPCglobal Gen 2, a technology, she said, optimized for readability, not security. Anybody equipped with an average RFID reader could tap into these licenses from afar.

"It takes literally nothing. All you have to do is have a little, pager-size device, you push a button, and if you are standing next to somebody with one of these cards, and then you began emitting those numbers," Albrecht said.

Albrecht noted that some Walmarts even have RFID readers embedded in their underwear shelves, meaning the shelves themselves could technically read one of these enhanced licenses right through a shopper's pocket.

"I try to not be a conspiracy theorist or anything, but I looked at that and said, 'The only reason you would choose that standard would be if you wanted ... readers placed in public spaces for product tracking to also serve a secondary function of tracking your citizens," Albrecht said.

Other states including Vermont and New York have since rolled out these enhanced ID cards.

Of course, the Internet of Things stretches beyond the world of RFID tags. But the basic principle -- and security concerns -- around the two technologies are the same. Government, marketing organizations and other industries, could (and in some cases already) leverage these technologies to track us more closely than ever. Combine this with the bread-crumb trail of personal data users scatter across the Web every day, and we're all in for a "world of hurt," Albrecht said.

"Essentially, we are building a kind of nervous system -- and this is not my phrasing, it's the phrasing of the industry itself -- for this centralized thing that's being created," she said.

PUBLISHED JUNE 10, 2013