On Tuesday, preschoolers in Richmond, California showed up for school and were handed jerseys embedded with Radio Frequency Identification (RFID) tags. RFID tags are tiny computer chips that are frequently used to track everything from cattle to commercial products moving through warehouses. Now the school district is apparently hoping to use these chips to replace manual attendance records, track the children’s movements at school and during field trips, and collect other data like whether the child has eaten or not.
While school officials and parents may have been sold on these tags as a "cost-saving measure," we are concerned that the real price of insecure RFID technology is the privacy and safety of small children. RFID has been billed as a "proven technology," but what’s actually been proven time and again (PDF) since the ACLU first looked at this issue in 2005 is just how insecure RFID chips can be:
• RFID chips in US passport cards were cracked and copied from a distance of 30-feet using $250 in parts bought from eBay (2009).
• RFID chips used in building access cards across the country were cracked and copied with a handheld device the size of a standard cell phone that was built using spare parts costing $20 (2007).
• California State Capitol RFID-based identification cards were cracked and copied and access was gained to member-only, secure entrances (2006).
• RFID chips implanted in humans were cracked and copied (PDF) (2006).
• The RFID chips used in the Dutch and British e-passport were cracked (PDF) (2006).
Without real security, RFID chips could actually make preschoolers more vulnerable to tracking, stalking, and kidnapping. Someone who wants to do children harm could potentially sit in a car across the street and scan the children’s jerseys without teachers, school officials, parents, or children ever knowing that any information has been read. And if this information can be read, it can be copied easily to a duplicate chip. A child could be taken off campus while the duplicate chip continues to tell RFID readers that the child is safely at school.
These are just the tip of the security issues—and we haven’t even touched on the core privacy concerns. The editors of Scientific American said it well back in May 2005: "Tagging … kids becomes a form of indoctrination into an emerging surveillance society that young minds should be learning to question."
At this point, we have far more questions than answers about the RFID system in use in Richmond:
• What security measures are in place on the RFID chips?
• How will data collected from the chips be used? How long will it be kept?
• Were parents given a choice whether or not to have their child "chipped?"
• Were parents told how RFID technology works, what the privacy and security risks are, and what the school has done to make sure the chips are secure and compliant with student privacy laws?
• And did the County consider these questions before they received a federal grant for this program?
When it comes to student safety, insecure RFID creates more problems than it solves. We hope to work with the school officials and parents in Richmond to help them take a good look at this program and whether it properly protects the privacy and security of their young children.