Editor: Vince Stanford ! vince-stanford@users.sourceforge.net

Applications

1536-1268/03/$17.00 © 2003 IEEE ! Published by the IEEE CS and IEEE ComSoc PERVASIVEcomputing 9

W hat if networked computers wereas cheap as paper clips and could

be attached to things as easily as a yellowsticky? We are about to find out, becausesuch computers are being deployedacross the world as you read this. Theyare, of course, Radio Frequency Identifi-cation tags—low-power, short-rangecommunication devices that we canembed into everyday objects to tracklocation, monitor security, and record thestatus of events or even environmentalconditions. Conceptualizing them simplyas ID tags greatly underestimates theircapabilities, considering some have localcomputing power, persistent storage, andcommunication capabilities.

RFID APPLICATIONSThis industry is very active, with

numerous companies developing RFID

tags of varying capabilities (see the“RFID Resources and Companies”sidebar). Broadly speaking, the RFIDmarket is segmented into low-end andhigh-end tags. Low-end passive tagshave approximately 32 bytes of localstorage and are powered by the RF fieldgenerated by the readers. High-end tagscan have full-blown microcontrollersand multiple interfaces to the environ-ment, with local batteries to powerthem.

People often think of RFID tags assimply an updated replacement for thefamiliar bar code, but they differ in sev-eral important ways. Specifically, they

• Do not need line-of-sight access to beread

• Can be read simultaneously whenmany are present

• Carry more data, letting us identifyindividual items

• Can store new data from readers• Can interface with environmental

sensors and digital data sources

Make no mistake about it—at thehigh end, RFID tags are wireless, net-worked, pervasive computers, success-fully integrated into their environment.They are easily attached, often of negli-gible weight and bulk, and offer manybenefits for business, manufacturing,and tracking processes. Applicationsalso exist at the retail level for individ-ual consumers and shoppers, with manyalready deployed in real-world systems.

These systems’ benefits are best under-stood in a full-system context, becauseisolated tags—such as scanners at thedoors of retail stores—have limited usesuntil they connect to enterprise data-bases. Some currently used applicationsinclude

• Access control: RFID tags embeddedinto personal ID cards.

• Baggage ID: Passive tags embeddedin paper luggage tags.

• Automotive systems: Keyless entryand immobilization systems.

• Document tracking: Passive tagsaffixed to documents.

• Express-parcel tracking: FedEx tagsdrivers and packages for various pur-poses.

• Library checkout and check-in: Pas-sive tags in books.

Pervasive Computing Goesthe Last Hundred Feet withRFID Systems Vince Stanford

Previously, I have discussed pervasive computing’s business benefits and applications thatpay their own way. These applications transport the enterprise database’s benefits the “lasthundred feet” directly to the point of work, sale, or service. Many are PDA-based, offeringpoint-of-service terminals in clinical medicine, package delivery, and even restaurant ordering.

In this issue, I examine a different class of pervasive computers: Radio Frequency Identifica-tion tags. RFID tags turn everyday objects into network nodes that uplink IDs and status datato enterprise databases, storing new information as needed. They literally vanish intocommonplace objects such as library books, shipping containers, car keys, luggage tags,clothing, or even pets, offering efficiencies in handling, location, and condition tracking. How-ever, some people caution that we must implement privacy and security features from theground up to avoid covert reuse of the tags. —Vince Stanford

EDITOR’S INTRODUCTION

• Livestock or pet tracking: Tagsinjected into pets, aiding recoverywhen they are lost.

• Logistics and supply chain: Con-tainer and product tracking.

• Wireless commerce: Speedpass and

E-ZPass pay tolls and gasoline pur-chases.

Figure 1 illustrates three examples.Furthermore, there are many areas in

which we have not yet capitalized on

RFID capabilities. One example includesrecalling tainted food or medicine lots,perhaps even blocking them from sale inthe first place using the point-of-sale ter-minals used in most stores. This is becauseeven low-end RFID tags can identify theindividual item or lot on which it isinstalled—and not just classes. Also, theycan record the status of objects to whichthey are attached in important ways. Forexample, if a tagged hospital patient hasreceived the morning dose of antibiotic,the tag could later upload the informa-tion to the clinical documentation system.RFID tags can monitor tamper seals, ther-mometers, or accelerometers to auditheat, shock, and vibration levels encoun-tered by products in transit. They can alsolog accesses to shipping containers.

RFID MARKET SEGMENTSPassive tags, often used for retail theft

control or library checkout desks, receivepower through inductive coupling of low-frequency broadcasts by readers. Thesecan have indefinitely long life cyclesbecause they do not require batteries tomaintain the wake-and-query cycle that

10 PERVASIVEcomputing http://computer.org/pervasive

A large and vibrant RFID industry exists, offering Web sites that document, explain, and sellrelated product lines. The following list is only representative (space does not permit a com-prehensive listing):

• Alien Technology (www.alientechnology.com) is developing self-assembly techniques thatpromise to drive the cost per tag to a few cents.

• Phillips Semiconductors (www.philips.com) offers a fairly extensive Web site describing its I-Code product line.

• RFID Journal (www.rfidjournal.com) contains numerous articles on RFID technology. Youcan obtain premium reports for a price, but a lot of useful material is free.

• Texas Instruments (www.ti.com) has lines of RFID tag and reader technologies, at both low-frequency (134.2 kHz) and mid- frequency (13.56 MHz) ranges. Its Web site is a particularlycomprehensive resource with white papers, design notes, press releases, detailed productdescriptions, and even an image library.

• Radio-Frequency-Identification (www.rfid-handbook.com) provides a useful, and free,overview of a book by the same name. There are editions in German, English, Chinese, andJapanese.

RFID RESOURCES AND COMPANIES

Figure 1. Existing RFID tag applications: (a) keyless entry for a FedEx driver; (b) personal identification badges; and (c) a Speedpassused for gasoline purchases. (photos courtesy of Texas Instruments)

(b)

(a)

(c)

APPLICATIONS

A P P L I C A T I O N S

active tags use. However, they cannotobserve their environment independentlyof a reader’s power broadcast field.

High-end active tags, on the otherhand, are usually battery powered andhave a greater range than passive tagsbecause they are not limited to reflect-ing the energy from the reader, with aninverse fourth-power signal diminutionas a function of distance.

Passive tagsEarly passive RFID tags were limited

to simple fixed replies to an interrogat-ing reader through reflected energyfrom resonant circuits. However, evenpassive RFID tags now have limitedonboard read/write memory.

Figure 2 shows a variety of TexasInstruments passive mid-frequency,13.56-MHz tags, with a 256-bit read/write memory organized into eight 32-bit blocks. These tags are programma-ble and can be locked to protect datafrom further modification. Addition-ally, they have data transmission ratesin the range of 9 to 27 kBd, dependingon the security and error detection andcorrection protocols used. This class oftags, represented by the TI TagIt andPhilips I-Code tags, are designed to becompliant with the ISO-15693 RFIDtag standard (see the related sidebar).

Active tags I spoke with Peder Martin Evjen,

Director of Technical Support at Chip-con, a company specializing in low-power RF devices headquartered inOslo, Norway. The Chipcon RF tag linefocuses on active tags that have high-

end onboard capabilities and can inte-grate analog and digital interfaces to theoutside world. These go well beyond thebasic functions of passive tags, movinginto functions of small wireless net-worked nodes. Furthermore, they havegreater computing capability in anonboard 8051 8-bit microcontrollerthan first-generation desktop personalcomputers did in the early 1980’s.

The Chipcon CC1010 can be readand written from distances in excess of100 meters. This lets companies usethem in loading docks to track the loca-tion of trucks, or on large cargo shipswith many containers, which Evjen saidis a major application (see the “US Cus-toms Service Container Security Initia-tive” sidebar). Figure 3 shows a CC1010tag and a tag programmer, used todownload application programs.

Chipcon can integrate the CC1010tag with analog sensors and digital datasources, because it supports three ADC(analog-to-digital converter) channels, aUniversal Asynchronous Receiver Trans-mitter (UART), and several general I/Opins. These let the tag monitor sensorsthat are placed, for example, on or inshipping containers as required by theContainer Security Initiative (see therelated sidebar). Chipcon designed theCC1010 line mainly for frequency-shiftkeying systems in the ISM/SRD (Indus-trial, Scientific, and Medical/short-rangedevices) bands at 315, 433, 868, and915 MHz, but it can program the line tofrequencies between 300 and 1,000MHz. These interfaces let the tags mon-itor sensors such as accelerometers andthermometers that can record tempera-

ture, shock, and vibration levels. Also,Chipcon can digitize internal sensors torecord conditions inside containers toindicate if potentially toxic volatiles haveleaked from the individual packaging.

Chipcon can also equip the CC1010tag with an 8051 microcontroller tomanage 32K nonvolatile flash memorycontaining programs and data, and 2Kof static RAM for scratch purposes.

APPLICATIONS

APRIL–JUNE 2003 PERVASIVEcomputing 11

Figure 2. Texas Instruments TagIt passiveRFID tags have onboard read/write memories. These tags are delivered in apolymer substrate in reels for easyhandling. They are so cheap that they aredisposable and truly pervasive. (photocourtesy of Texas Instruments)

Appropriate standards allowing numerous companies to create inter-operable products are a key prerequisite to widespread use of RFID tags.ISO 15693, accepted in 2000, is one such standard (see www.iso.org). Itis titled “Identification Cards—Contactless Integrated Circuit(s) Cards—Vicinity Cards” and has three parts: physical characteristics, air interfaceand initialization, and anticollision and transmission protocol. It specifiesa 13.56-MHz RFID protocol, originally proposed by Texas Instruments

and Philips Semiconductors in 1998, defining data exchange betweenRF tags and readers, and collision mediation when multiple tags are in areader’s RF field. Compliance guarantees that RF tags and readers usingthe ISO 15693-2 protocol will be compatible across companies andgeographies. These are typically passive tags powered only by thereader’s RF field, making them easy to manufacture and free of batterylife limitations.

THE ISO 15693 STANDARD FOR INTEROPERABLE RFID TAGS

Onboard, the tag supports a serialperipheral interface, and for encryption,a hardware Data Encryption Standardchip for secure communication. The 32Kflash RAM is divided into 256 pageswith programmable protection flags thatcan prevent unauthorized downloadingof internal programs and data, such asencryption keys and sensor monitor rou-tines already loaded into the tags. Thetag can reload software from a readerthrough a duplex RF link using an RFboot loader, provided that the previous

version is erased before reprogramming.This prevents malicious downloadingand reprogramming with modified dataand code, which could circumvent thesecurity functions the tags are designedto provide.

In very large quantities, these high-endtags cost less than US$4 each, so deploy-ment to protect high-value cargos thatare subject to environmental hazardsmakes economic sense. These tags’ bat-tery life lets them operate for months, oreven years, with a typical life cycle

including many trips on reusable ship-ping containers before they are replaced.

Chipcon tags can be programmed ina variant of C with its own developmenttools such as an integrated developmentenvironment and a debugger. These toolsallow cross-development on PCs for themicrocontroller-based RFID tags. Thereis also a library of example programsthat can serve as design patterns. Addi-tionally, the development tools can runan open operating system called Tiny OSdesigned for processing real-time event-

APPLICATIONS

A P P L I C A T I O N S

12 PERVASIVEcomputing http://computer.org/pervasive

According to the US Coast Guard in its December 2002 report Mar-itime Strategy for Homeland Security (see www.uscg.mil), the maritimetransportation system handles more than 2 billion tons of freight, 3 bil-lion tons of oil, 134 million ferry passengers, and 7 million cruise shippassengers. On the order of 7,500 ships, manned by 200,000 sailors,enter US ports annually to off-load approximately 6 million truck-sizecargo containers onto US docks.

To deal with security threats posed by this volume of container ship-ping, the US Customs Service (www.customs.gov) is proposing the Con-tainer Security Initiative to identify high-risk containers and secure themwith tamper-detection systems. The initiative aims to expedite process-ing of containers prescreened at points of embarkation in overseasmegaports participating in the initiative. The CSI’s basic goal is to firstengage the ports that send the highest volumes of container traffic intothe US, as well as the governments in these locations, in a way that will

facilitate detection of potential problems at the earliest possible time. To meet this requirement, high-end RFID tags could periodically

monitor electronic seals on the containers during transit. This class ofapplication requires tags that can integrate sensor management elec-tronics, such as analog-to-digital converters, and digital data interfaces.Tampering can also be detected in real time, and the tags, as the lowestlevel of a multitier architecture, can relay data to alert the shippers orcustoms authorities of tampering as it occurs.

Similarly, Chipcon tags are used extensively to transport high-valuegoods in the US as well as worldwide. There is also great potential inEurope. For example, Norway is a major exporter of salmon, so theRFID tags record the temperature in the containers so that the buyercan verify product freshness. This can be especially important when theshipments are bound for southern locations such as Italy, Spain, orNorth Africa.

US CUSTOMS SERVICE CONTAINER SECURITY INITIATIVE

Figure 3. (a) A Chipcon CC1010 tag with (b) a programmer board. Like all embedded computers, these come with software andhardware development tools. (photo courtesy of Chipcon)

(b)(a)

driven programs in embedded systems(see http://today.cs.berkeley.edu/tos).The system provides a component-basedabstract hardware model, RF messagingprotocols, periodic timer events, asyn-chronous access to UART data transfer,and mechanisms for persistent storage.

WHITHER PRIVACY?As the cost of RFID tags drops from

several dollars to several cents, the tagswill almost certainly appear in anincreasing variety of retail items. TheMIT Auto-ID Center (www.autoidcen-ter.org) presents a heady vision: “By cre-ating an open global network that canidentify anything, anywhere, automat-ically, [the Auto-ID Center] seeks to givecompanies something that, until now,they have only dreamed of: near-perfectsupply chain visibility.” This will bebased on RFID tags of negligible indi-vidual cost, and the efficiencies madepossible by the tags in the supply chainare absolutely compelling to businesses.

However, unless these systems are prop-erly architected, they can cause massivecollateral damage to consumer privacy.

A cautionary story for retail mer-chants emerged when it was widelyreported that Italian clothing retailerBenetton planned to deploy RFID tagsfor some clothing lines. There was nomention in the press releases of the tagsupplier, Philips Electronics, on how todisable the tags after the sale. There wasa massive consumer reaction, which thepress came to refer to as the BenettonBrouhaha. Because the modern passiveRFID tag carries enough data bits toidentify the individual garment and notjust its type, consumers were concernedthat the garments would be associatedwith the purchaser at the point of saleand added to a database. Then the tagswould radiate identifying informationto any tag reader anywhere, trackingtheir every movement.

Consumers and privacy groups arealso concerned that live RFID tags in

clothing, automobile tires, and fooditems will allow undue surveillanceopportunities. This concern came to aboil when consumers called for a boy-cott against Benetton. The public out-cry generated by the deployment of anRFID tag system without proper pri-vacy architecture caused Benetton towithdraw from actually deploying theRFID system.

ARCHITECTURES FOR ETHICALPERVASIVE COMPUTING

I spoke with the MIT Laboratory forComputer Science’s longtime privacyadvocate, Simson Garfinkel, author ofPractical UNIX and Internet Securityand several other books on networksecurity and privacy. (See the “PrivacyResources for a Pervasively NetworkedWorld” sidebar for more information.)He has also recently authored a whitepaper titled Adopting Fair InformationPractices to Low Cost RFID Systems,which discusses approaches to ensure

APPLICATIONS

IEEE International Conference on Pervasive Computing and Communications Orlando, Florida, March 14-17, 2004

http://www.PerCom.org Co-sponsors: IEEE Computer Society and The University of Texas at Arlington

Original and unpublished papers and workshop proposals are solicited in all areas of pervasive computing and communications. Topics include but not limited to:

• Pervasive computing architectures and Systems

• Intelligent devices and smart environments

• Wearable computers and PANs

• Service discovery mechanisms

• Agent technologies

• Enabling technologies

• Mobile / wireless/sensor systems

• Context-aware and implicit computing

• User interfaces and interaction models

• Security, privacy and authentication issues

Authors should submit papers in electronic form (PS or PDF only) through the PerCom 2004 website. Page limit is 12 pages (single column, 11 pt fonts and 1.5 line spaced, excluding references, figures and tables). Submission guidelines will be available at: http://www.percom.org. Conference proceedings will be published by IEEE.

Important Dates:

Paper Submission: September 1, 2003

Workshop Proposals due : June 1, 2003

Acceptance Notification: November 15, 2003 Camera Ready Manuscripts: December 10, 2003

Organizing Committee General Chair: Sajal K. Das, UTArlington

General Vice Chair: Mohan Kumar, UTArllington

Program Committee Chair and Contact Person Anand Tripathi University of Minnesota, Twin Cities Email: tripathi@cs.umn.edu

Program Vice Chairs Liviu Iftode, University of Maryland, College Park Klara Nahrstedt, University of Illinois at Urbana Champaign Paddy Nixon, University of Strathclyde, UK

personal privacy and technologies toprevent abuse of the tags (available atwww.simson.net). The white paper alsodiscusses how people can abuse thistechnology by using covert tag readersto track items that are associated withindividuals.

Garfinkel said the Benetton Brouhahadid not surprise him, because bothBenetton and Philips Electronics “utterlyignored” privacy protocols that couldhave password-protected or even erasedthe tags’ data. He further said that Benet-ton could have avoided the problems byusing such password-protection tags,prohibiting promiscuous responses totag readers.

Furthermore, he pointed out that con-sumers are not the only stakeholderswith an interest in privacy protocols. Forexample, large retailers, such as Wal-Mart, would not want a competitor tobe able to walk the aisles of a store witha reader in his or her pocket and covertlyaccumulate a complete inventory thatcould be used for purposes disadvanta-geous to its inadvertent provider. This

would allow industrial espionage on anunprecedented scale.

When asked the ranges at which pas-sive tags can be read, Garfinkel said thatthe physics of passive tags will always belimited by the inverse fourth-power law,because reader field strength declines atan inverse square and the reflected energyreturn also declines at an inverse square.However, readers can be placed almostanywhere people move and work, andwith tags that respond promiscuously toany reader, it is a virtual certainty that theywill be abused. Moreover, privacy archi-tectures must be predicated on the sureknowledge that the tags and readers arerapidly declining to price levels approach-ing zero and will be truly pervasive in theenvironment. We are entering at thethreshold of a world in which you will beread if your RFID tags respond to queries.

Another example Garfinkel gave wasthe electronic toll-collection system inMassachusetts, originally deployed to col-lect tolls using an account-based systemrather that an anonymous digital cash sys-tem. The electronic toll-collection system

tags are actually hybrid tags rather thanpassive ones and have a battery that canboost the return signal’s strength and thuscan be read at substantial distances.Moreover, uses of these tags are experi-encing scope creep, with traffic manage-ment systems now using electronic toll-collection system tags to sense trafficvolumes. Some states are already usingthese passes to compute speed and issueautomatic traffic tickets. While severaldigital-cash systems avoid this kind ofwholesale disclosure of personal infor-mation, the electronic toll-collection sys-tem in Massachusetts did not use them.Systems with profound social conse-quences are being deployed routinely withlittle concern for or understanding of theirimpact on individual privacy.

T he market for RFID tags is alreadywell established, and the near

future will see the emergence of evenmore capable active tags that can beintegrated into nearly everything wewish to track. They will offer neweconomies through the supply chain,allow greater security to retail estab-lishments, and provide easier ways toprocess payments. As a caution, how-ever, experience to date suggests thatwe must design these systems with fea-tures that preserve privacy. Otherwise,they could be used in many ways thatare not in the interest of people whocarry them. Those used for financialtransactions, for example, should bedesigned to allow the end user to con-trol whether, and how, tags will respondto queries.

APPLICATIONS

A P P L I C A T I O N S

14 PERVASIVEcomputing http://computer.org/pervasive

MIT’s Simson Garfinkel is a well-known writer on privacy, network, and system security—and, of course, personal encryption technology. According to Garfinkel, we can preserve pri-vacy in a networked world if we care enough to do so. After all, privacy in a networked worldbegins with our understanding and securing our own systems and networks. This will onlybecome more important in the pervasive future, but system architects and designers will haveto make this a part of the design goals, and citizens will have to insist that this be done.

A few of Garfinkel’s books (O’Reilly and Associates) include

• Database Nation: The Death of Privacy in the 21st Century• PGP: Pretty Good Privacy• Practical Unix and Internet Security: 3rd Edition, with Gene Spafford and Alan Schwartz• Web Security, Privacy, and Commerce, with Gene Spafford

Other resources on privacy include

• CASPIAN (www.nocards.org), a Web site initially devoted to discussing electronic trackingsystems including customer cards in grocery stores, but lately covering RFID tags as well

• Electronic Frontier Foundation (www.eff.org), a well-known and broad Web site on citizens’rights in the digital millennium

• Privacy Rights Clearing House (www.privacyrights.org), a Web site on privacy in the electronicage, with resources and links to many others

PRIVACY RESOURCES

Vince Stanford is the lead engineer for the NIST

Smart Space Laboratory, project manager for the

NIST Smart Space project, and a founding mem-

ber of IEEE Pervasive Computingmagazine. He writes

here as a volunteer; NIST does not endorse

any opinions or information presented in the

magazine. Contact him at vince-stanford@users.

sourceforge.net.