Applications Editor: Vince Stanford

Pervasive Computing Goes the Last Hundred Feet with RFID Systems

Vince Stanford

EDITOR’S INTRODUCTION

Previously, I have discussed pervasive computing’s business benefits and applications that pay their own way. These applications transport the enterprise database’s benefits the “last hundred feet” directly to the point of work, sale, or service. Many are PDA-based, offering point-of-service terminals in clinical medicine, package delivery, and even restaurant ordering.

In this issue, I examine a different class of pervasive computers: Radio Frequency Identification tags. RFID tags turn everyday objects into network nodes that uplink IDs and status data to enterprise databases, storing new information as needed. They literally vanish into commonplace objects such as library books, shipping containers, car keys, luggage tags, clothing, or even pets, offering efficiencies in handling, location, and condition tracking. However, some people caution that we must implement privacy and security features from the ground up to avoid covert reuse of the tags. —Vince Stanford

What if networked computers were as cheap as paper clips and could be attached to things as easily as a yellow sticky? We are about to find out, because such computers are being deployed across the world as you read this. They are, of course, Radio Frequency Identification tags—low-power, short-range communication devices that we can embed into everyday objects to track location, monitor security, and record the status of events or even environmental conditions. Conceptualizing them simply as ID tags greatly underestimates their capabilities, considering some have local computing power, persistent storage, and communication capabilities.

RFID APPLICATIONS

This industry is very active, with numerous companies developing RFID tags of varying capabilities (see the “RFID Resources and Companies” sidebar). Broadly speaking, the RFID market is segmented into low-end and high-end tags. Low-end passive tags have approximately 32 bytes of local storage and are powered by the RF field generated by the readers. High-end tags can have full-blown microcontrollers and multiple interfaces to the environment, with local batteries to power them.

People often think of RFID tags as simply an updated replacement for the familiar bar code, but they differ in several important ways. Specifically, they

• Do not need line-of-sight access to be read
• Can be read simultaneously when many are present
• Carry more data, letting us identify individual items
• Can store new data from readers
• Can interface with environmental sensors and digital data sources

Make no mistake about it—at the high end, RFID tags are wireless, networked, pervasive computers, successfully integrated into their environment. They are easily attached, often of negligible weight and bulk, and offer many benefits for business, manufacturing, and tracking processes. Applications also exist at the retail level for individual consumers and shoppers, with many already deployed in real-world systems. These systems’ benefits are best understood in a full-system context, because isolated tags—such as scanners at the doors of retail stores—have limited uses until they connect to enterprise databases. Some currently used applications include

• Access control: RFID tags embedded into personal ID cards.
• Baggage ID: Passive tags embedded in paper luggage tags.
• Automotive systems: Keyless entry and immobilization systems.
• Document tracking: Passive tags affixed to documents.
• Express-parcel tracking: FedEx tags drivers and packages for various purposes.
• Library checkout and check-in: Passive tags in books.

1536-1268/03/$17.00 © 2003 IEEE ■ Published by the IEEE CS and IEEE ComSoc


Figure 1. Existing RFID tag applications: (a) keyless entry for a FedEx driver; (b) personal identification badges; and (c) a Speedpass used for gasoline purchases. (photos courtesy of Texas Instruments)

• Livestock or pet tracking: Tags injected into pets, aiding recovery when they are lost.
• Logistics and supply chain: Container and product tracking.
• Wireless commerce: Speedpass and E-ZPass pay tolls and gasoline purchases.

Figure 1 illustrates three examples. Furthermore, there are many areas in which we have not yet capitalized on RFID capabilities. One example includes recalling tainted food or medicine lots, perhaps even blocking them from sale in the first place using the point-of-sale terminals used in most stores. This is because even low-end RFID tags can identify the individual item or lot on which they are installed—and not just classes. Also, they can record the status of objects to which they are attached in important ways. For example, if a tagged hospital patient has received the morning dose of antibiotic, the tag could later upload the information to the clinical documentation system. RFID tags can monitor tamper seals, thermometers, or accelerometers to audit heat, shock, and vibration levels encountered by products in transit. They can also log accesses to shipping containers.

RFID RESOURCES AND COMPANIES

A large and vibrant RFID industry exists, offering Web sites that document, explain, and sell related product lines. The following list is only representative (space does not permit a comprehensive listing):

• Alien Technology (www.alientechnology.com) is developing self-assembly techniques that promise to drive the cost per tag to a few cents.
• Philips Semiconductors (www.philips.com) offers a fairly extensive Web site describing its I-Code product line.
• RFID Journal (www.rfidjournal.com) contains numerous articles on RFID technology. You can obtain premium reports for a price, but a lot of useful material is free.
• Texas Instruments (www.ti.com) has lines of RFID tag and reader technologies, at both low-frequency (134.2 kHz) and mid-frequency (13.56 MHz) ranges. Its Web site is a particularly comprehensive resource with white papers, design notes, press releases, detailed product descriptions, and even an image library.
• Radio-Frequency-Identification (www.rfid-handbook.com) provides a useful, and free, overview of a book by the same name. There are editions in German, English, Chinese, and Japanese.

RFID MARKET SEGMENTS

Passive tags, often used for retail theft control or library checkout desks, receive power through inductive coupling of low-frequency broadcasts by readers. These can have indefinitely long life cycles because they do not require batteries to maintain the wake-and-query cycle that active tags use. However, they cannot observe their environment independently of a reader’s power broadcast field.

High-end active tags, on the other hand, are usually battery powered and have a greater range than passive tags because they are not limited to reflecting the energy from the reader, which entails an inverse fourth-power signal diminution as a function of distance.

Passive tags

Early passive RFID tags were limited to simple fixed replies to an interrogating reader through reflected energy from resonant circuits. However, even passive RFID tags now have limited onboard read/write memory.

Figure 2 shows a variety of Texas Instruments passive mid-frequency, 13.56-MHz tags, with a 256-bit read/write memory organized into eight 32-bit blocks. These tags are programmable and can be locked to protect data from further modification. Additionally, they have data transmission rates in the range of 9 to 27 kBd, depending on the security and error detection and correction protocols used. This class of tags, represented by the TI TagIt and Philips I-Code tags, is designed to be compliant with the ISO-15693 RFID tag standard (see the related sidebar).

Figure 2. Texas Instruments TagIt passive RFID tags have onboard read/write memories. These tags are delivered in a polymer substrate in reels for easy handling. They are so cheap that they are disposable and truly pervasive. (photo courtesy of Texas Instruments)

THE ISO 15693 STANDARD FOR INTEROPERABLE RFID TAGS

Appropriate standards allowing numerous companies to create interoperable products are a key prerequisite to widespread use of RFID tags. ISO 15693, accepted in 2000, is one such standard (see www.iso.org). It is titled “Identification Cards—Contactless Integrated Circuit(s) Cards—Vicinity Cards” and has three parts: physical characteristics, air interface and initialization, and anticollision and transmission protocol. It specifies a 13.56-MHz RFID protocol, originally proposed by Texas Instruments and Philips Semiconductors in 1998, defining data exchange between RF tags and readers, and collision mediation when multiple tags are in a reader’s RF field. Compliance guarantees that RF tags and readers using the ISO 15693-2 protocol will be compatible across companies and geographies. These are typically passive tags powered only by the reader’s RF field, making them easy to manufacture and free of battery life limitations.

Active tags

I spoke with Peder Martin Evjen, Director of Technical Support at Chipcon, a company specializing in low-power RF devices headquartered in Oslo, Norway. The Chipcon RF tag line focuses on active tags that have high-end onboard capabilities and can integrate analog and digital interfaces to the outside world. These go well beyond the basic functions of passive tags, moving into functions of small wireless networked nodes. Furthermore, they have greater computing capability in an onboard 8051 8-bit microcontroller than first-generation desktop personal computers did in the early 1980s.

The Chipcon CC1010 can be read and written from distances in excess of 100 meters. This lets companies use them in loading docks to track the location of trucks, or on large cargo ships with many containers, which Evjen said is a major application (see the “US Customs Service Container Security Initiative” sidebar). Figure 3 shows a CC1010 tag and a tag programmer, used to download application programs.

Chipcon can integrate the CC1010 tag with analog sensors and digital data sources, because it supports three ADC (analog-to-digital converter) channels, a Universal Asynchronous Receiver Transmitter (UART), and several general I/O pins. These let the tag monitor sensors that are placed, for example, on or in shipping containers as required by the Container Security Initiative (see the related sidebar). Chipcon designed the CC1010 line mainly for frequency-shift keying systems in the ISM/SRD (Industrial, Scientific, and Medical/short-range devices) bands at 315, 433, 868, and 915 MHz, but it can program the line to frequencies between 300 and 1,000 MHz. These interfaces let the tags monitor sensors such as accelerometers and thermometers that can record temperature, shock, and vibration levels. Also, Chipcon can digitize internal sensors to record conditions inside containers to indicate if potentially toxic volatiles have leaked from the individual packaging.

Chipcon can also equip the CC1010 tag with an 8051 microcontroller to manage 32K nonvolatile flash memory containing programs and data, and 2K of static RAM for scratch purposes.

APRIL–JUNE 2003 PERVASIVEcomputing

Figure 3. (a) A Chipcon CC1010 tag with (b) a programmer board. Like all embedded computers, these come with software and hardware development tools. (photo courtesy of Chipcon)

Onboard, the tag supports a serial peripheral interface, and for encryption, a hardware Data Encryption Standard chip for secure communication. The 32K flash RAM is divided into 256 pages with programmable protection flags that can prevent unauthorized downloading of internal programs and data, such as encryption keys and sensor monitor routines already loaded into the tags. The tag can reload software from a reader through a duplex RF link using an RF boot loader, provided that the previous version is erased before reprogramming. This prevents malicious downloading and reprogramming with modified data and code, which could circumvent the security functions the tags are designed to provide.

In very large quantities, these high-end tags cost less than US$4 each, so deployment to protect high-value cargos that are subject to environmental hazards makes economic sense. These tags’ battery life lets them operate for months, or even years, with a typical life cycle including many trips on reusable shipping containers before they are replaced.

Chipcon tags can be programmed in a variant of C with its own development tools such as an integrated development environment and a debugger. These tools allow cross-development on PCs for the microcontroller-based RFID tags. There is also a library of example programs that can serve as design patterns. Additionally, the development tools can run an open operating system called Tiny OS designed for processing real-time event-driven programs in embedded systems (see http://today.cs.berkeley.edu/tos). The system provides a component-based abstract hardware model, RF messaging protocols, periodic timer events, asynchronous access to UART data transfer, and mechanisms for persistent storage.

US CUSTOMS SERVICE CONTAINER SECURITY INITIATIVE

According to the US Coast Guard in its December 2002 report Maritime Strategy for Homeland Security (see www.uscg.mil), the maritime transportation system handles more than 2 billion tons of freight, 3 billion tons of oil, 134 million ferry passengers, and 7 million cruise ship passengers. On the order of 7,500 ships, manned by 200,000 sailors, enter US ports annually to off-load approximately 6 million truck-size cargo containers onto US docks.

To deal with security threats posed by this volume of container shipping, the US Customs Service (www.customs.gov) is proposing the Container Security Initiative to identify high-risk containers and secure them with tamper-detection systems. The initiative aims to expedite processing of containers prescreened at points of embarkation in overseas megaports participating in the initiative. The CSI’s basic goal is to first engage the ports that send the highest volumes of container traffic into the US, as well as the governments in these locations, in a way that will facilitate detection of potential problems at the earliest possible time.

To meet this requirement, high-end RFID tags could periodically monitor electronic seals on the containers during transit. This class of application requires tags that can integrate sensor management electronics, such as analog-to-digital converters, and digital data interfaces. Tampering can also be detected in real time, and the tags, as the lowest level of a multitier architecture, can relay data to alert the shippers or customs authorities of tampering as it occurs.

Similarly, Chipcon tags are used extensively to transport high-value goods in the US as well as worldwide. There is also great potential in Europe. For example, Norway is a major exporter of salmon, so the RFID tags record the temperature in the containers so that the buyer can verify product freshness. This can be especially important when the shipments are bound for southern locations such as Italy, Spain, or North Africa.

WHITHER PRIVACY?

As the cost of RFID tags drops from several dollars to several cents, the tags will almost certainly appear in an increasing variety of retail items. The MIT Auto-ID Center (www.autoidcenter.org) presents a heady vision: “By creating an open global network that can identify anything, anywhere, automatically, [the Auto-ID Center] seeks to give companies something that, until now, they have only dreamed of: near-perfect supply chain visibility.” This will be based on RFID tags of negligible individual cost, and the efficiencies made possible by the tags in the supply chain are absolutely compelling to businesses. However, unless these systems are properly architected, they can cause massive collateral damage to consumer privacy.

A cautionary story for retail merchants emerged when it was widely reported that Italian clothing retailer Benetton planned to deploy RFID tags for some clothing lines. There was no mention in the press releases of the tag supplier, Philips Electronics, on how to disable the tags after the sale. There was a massive consumer reaction, which the press came to refer to as the Benetton Brouhaha. Because the modern passive RFID tag carries enough data bits to identify the individual garment and not just its type, consumers were concerned that the garments would be associated with the purchaser at the point of sale and added to a database. Then the tags would radiate identifying information to any tag reader anywhere, tracking their every movement.

Consumers and privacy groups are also concerned that live RFID tags in clothing, automobile tires, and food items will allow undue surveillance opportunities. This concern came to a boil when consumers called for a boycott against Benetton. The public outcry generated by the deployment of an RFID tag system without proper privacy architecture caused Benetton to withdraw from actually deploying the RFID system.

ARCHITECTURES FOR ETHICAL PERVASIVE COMPUTING

I spoke with the MIT Laboratory for ’s longtime privacy advocate, Simson Garfinkel, author of Practical Unix and Internet Security and several other books on network security and privacy. (See the “Privacy Resources for a Pervasively Networked World” sidebar for more information.) He has also recently authored a white paper titled Adopting Fair Information Practices to Low Cost RFID Systems, which discusses approaches to ensure personal privacy and technologies to prevent abuse of the tags (available at www.simson.net). The white paper also discusses how people can abuse this technology by using covert tag readers to track items that are associated with individuals.

PRIVACY RESOURCES

MIT’s Simson Garfinkel is a well-known writer on privacy, network, and system security—and, of course, personal encryption technology. According to Garfinkel, we can preserve privacy in a networked world if we care enough to do so. After all, privacy in a networked world begins with our understanding and securing our own systems and networks. This will only become more important in the pervasive future, but system architects and designers will have to make this a part of the design goals, and citizens will have to insist that this be done.

A few of Garfinkel’s books (O’Reilly and Associates) include

• Database Nation: The Death of Privacy in the 21st Century
• PGP: Pretty Good Privacy
• Practical Unix and Internet Security: 3rd Edition, with Gene Spafford and Alan Schwartz
• Web Security, Privacy, and Commerce, with Gene Spafford

Other resources on privacy include

• CASPIAN (www.nocards.org), a Web site initially devoted to discussing electronic tracking systems including customer cards in grocery stores, but lately covering RFID tags as well
• Electronic Frontier Foundation (www.eff.org), a well-known and broad Web site on citizens’ rights in the digital millennium
• Privacy Rights Clearing House (www.privacyrights.org), a Web site on privacy in the electronic age, with resources and links to many others

Garfinkel said the Benetton Brouhaha did not surprise him, because both Benetton and Philips Electronics “utterly ignored” privacy protocols that could have password-protected or even erased the tags’ data. He further said that Benetton could have avoided the problems by using such password-protection tags, prohibiting promiscuous responses to tag readers.

Furthermore, he pointed out that consumers are not the only stakeholders with an interest in privacy protocols. For example, large retailers, such as Wal-Mart, would not want a competitor to be able to walk the aisles of a store with a reader in his or her pocket and covertly accumulate a complete inventory that could be used for purposes disadvantageous to its inadvertent provider. This would allow industrial espionage on an unprecedented scale.

When asked the ranges at which passive tags can be read, Garfinkel said that the physics of passive tags will always be limited by the inverse fourth-power law, because reader field strength declines at an inverse square and the reflected energy return also declines at an inverse square. However, readers can be placed almost anywhere people move and work, and with tags that respond promiscuously to any reader, it is a virtual certainty that they will be abused. Moreover, privacy architectures must be predicated on the sure knowledge that the tags and readers are rapidly declining to price levels approaching zero and will be truly pervasive in the environment. We are entering at the threshold of a world in which you will be read if your RFID tags respond to queries.

Another example Garfinkel gave was the electronic toll-collection system in Massachusetts, originally deployed to collect tolls using an account-based system rather than an anonymous digital cash system. The electronic toll-collection system tags are actually hybrid tags rather than passive ones and have a battery that can boost the return signal’s strength and thus can be read at substantial distances. Moreover, uses of these tags are experiencing scope creep, with traffic management systems now using electronic toll-collection system tags to sense traffic volumes. Some states are already using these passes to compute speed and issue automatic traffic tickets. While several digital-cash systems avoid this kind of wholesale disclosure of personal information, the electronic toll-collection system in Massachusetts did not use them. Systems with profound social consequences are being deployed routinely with little concern for or understanding of their impact on individual privacy.

The market for RFID tags is already well established, and the near future will see the emergence of even more capable active tags that can be integrated into nearly everything we wish to track. They will offer new economies through the supply chain, allow greater security to retail establishments, and provide easier ways to process payments. As a caution, however, experience to date suggests that we must design these systems with features that preserve privacy. Otherwise, they could be used in many ways that are not in the interest of people who carry them. Those used for financial transactions, for example, should be designed to allow the end user to control whether, and how, tags will respond to queries.

Vince Stanford is the lead engineer for the NIST Smart Space Laboratory, project manager for the NIST Smart Space project, and a founding member of IEEE Pervasive Computing magazine. He writes here as a volunteer; NIST does not endorse any opinions or information presented in the magazine. Contact him at vince-stanford@users.sourceforge.net.
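
The inverse fourth-power limit on passive-tag read range that Garfinkel describes in the article, carried through as an added derivation (not part of the original article). It assumes free-space, far-field propagation, and the symbols $P_t$ (reader transmit power), $G$ (reader antenna gain), $\lambda$ (wavelength), $\sigma$ (the tag's effective backscatter cross-section), $P_{\min}$ (reader sensitivity) and $d$ (reader-to-tag distance) are introduced here, not taken from the article.

Outbound leg, power density arriving at the tag (inverse square):

$$S_{\text{tag}} = \frac{P_t\,G}{4\pi d^{2}}$$

The tag reflects $P_{\text{back}} = S_{\text{tag}}\,\sigma$, which spreads again on the return leg (inverse square), and the reader collects it with effective aperture $A_e = G\lambda^{2}/(4\pi)$:

$$P_r = \frac{P_{\text{back}}}{4\pi d^{2}}\,A_e = \frac{P_t\,G^{2}\,\lambda^{2}\,\sigma}{(4\pi)^{3}\,d^{4}}$$

Setting $P_r = P_{\min}$ gives the maximum read range of a passive tag:

$$d_{\max}^{\text{passive}} = \left(\frac{P_t\,G^{2}\,\lambda^{2}\,\sigma}{(4\pi)^{3}\,P_{\min}}\right)^{1/4} \quad\Rightarrow\quad d_{\max}^{\text{passive}} \propto P_t^{1/4}$$

so a 16-fold increase in reader power only doubles the range. A battery-powered tag that transmits $P_{\text{tag}}$ itself with antenna gain $G_{\text{tag}}$ has a single inverse-square leg:

$$P_r = \frac{P_{\text{tag}}\,G_{\text{tag}}\,G\,\lambda^{2}}{(4\pi)^{2}\,d^{2}} \quad\Rightarrow\quad d_{\max}^{\text{active}} \propto P_{\text{tag}}^{1/2}$$

so a 4-fold increase in tag power doubles the range, which is why the battery-assisted toll tags in the article can be read at much greater distances than passive tags.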

PERVASIVEcomputing http://computer.org/pervasive