Executive Briefings

RFID: Critiquing the Critics

To suggest that RFID is the perfect solution for every problem ignores the obvious: that there is no "perfect" solution for any problem. However, it's equally fallacious to suggest that limitations of an RFID technology mean it should not be deployed at all. Critics are often successful at pointing out what's "wrong" with RFID because they do so without providing either context or alternatives. So, here's a quick guide to uncovering the merit of RFID critiques that you might see.

There's an old saying in the theater that "Everyone's a critic." It's equally true with RFID today. Inventing objections to RFID is not a difficult chore (see below). Supporting those assertions is much more difficult--which is why most critics don't do it.

While there are some valid concerns about how RFID is implemented (and most result from ill-conceived applications) and there have been a few valid demonstrations of vulnerabilities of certain types of RFID under certain conditions, no problem exists in a vacuum. There are a number of details to consider before an honest evaluation of any solution can be made. This is why it's important to look at the context of the problem and solution. These are keys to understanding the merit of any critique of RFID. Here are some points to consider.

1. Are the perceived flaws real or hypothetical? Are scenarios based on realistic probabilities (as opposed to what "might be")? For example, do they assume a type of data sharing among retailers that does not, and will not, exist? Do perceived threats presuppose malevolence on the part of businesses or do they acknowledge that businesses do take their customers' concerns seriously? Are supposed dangers couched in real world terms or are they simply based on personal fears or beliefs?

2. Do performance claims exist in the real world or only under optimal (or even contrived) laboratory conditions? For example, one common demonstration you might see is how far away a tag could be read by someone with evil intent. In looking at this demonstration, one has to ask: was the test performed in the presence of multiple tags in a real-world setting, with all the ambient RF signals one would encounter in the hypothetical setting? Was the reader placed in a realistic way? Was the target moving or stationary? In short, was it carefully staged or did it represent a real situation?

3. In proof-of-concept attacks on RFID tags or systems, does the test set-up represent a "typical" system or was it constructed specifically to be susceptible to attack? Does the test include consideration of additional safeguards that might be built into the back end system? Does the scenario depend on some convoluted set-up and assume a lack of vigilance on the part of store clerks or security personnel?

4. Do perceived threats or proofs-of-concept include a consideration of the ROI? In other words, does it demonstrate what someone might actually get out of going to the trouble and expense of exploiting the perceived flaw? Is it economically feasible? Is there an easier or less expensive way for someone to accomplish the end goal?

5. Is the technology represented correctly? Does the criticism include all the facts? For example, does it cite limitations of RFID but neglect to mention significant benefits? Does it promote the benefits of a different technology but neglect to mention its own limitations?

6. Finally, and most importantly, does a critique put the question in perspective? Does it evaluate other available options? That is, if RFID is not 100% fool-proof, does the critique compare it with the equivalent strengths and limitations of the alternative(s)? Or does it simply point out negatives without offering a viable alternative?

Back to the earlier statement that it's easy to invent objections to RFID: it is, in fact, easy to invent objections to anything--as long as you don't have to prove they're real. In the November 2003 issue, RFID Connections published the following article to illustrate that point.
http://www.aimglobal.org
