1. Field of the Invention
The invention is in the field of Radio Frequency Identification (RFID) and more specifically is a solution to privacy concerns as these concerns relate to the purchase of consumer goods. The present inventive system surrenders control over the administration of personal purchase information from the retailer to the consumer or purchaser while still allowing goods purchased to be later verified as having been bought from a specific retailer, thus enabling goods purchased to be identified for refund or exchange by the consumer or purchaser.
Radio frequency identification (hereinafter “RFID”) is a technology powered by small, wireless devices known as tags or transponders which can automatically track physical objects, animals and people when air interfacing with RFID readers, also known as interrogators. RFID can be seen as a means to explicitly label objects, animals and people so that tracking becomes automatic for back end computer host systems. Generally, in the RFID industry, an RFID tracking device, which is known alternatively as a tag or as a transponder, is attached to or embedded in a product or product packaging and is air interfaced by radio frequency transmission with the antenna of an RFID reader/interrogator. The microchip itself can be as small as a grain of sand. The expense and size of a standard RFID tag or transponder package is a product of the external antenna, which needs to be large enough to resonate at multiples of the wavelengths of currently authorized RFID frequencies. The antenna is usually constructed of copper or aluminum, which is an expensive commodity. The authorized resonant frequencies for the antenna are Low Frequency in the 124 kHz to 135 kHz range. These have read distances of roughly two feet. There are High Frequency tags in the 13.56 MHz range with read ranges of over three feet. Moreover, there are Ultra High Frequency tags in the 860 MHz to 960 MHz range which have read ranges of up to 100 feet and more. RFID is being vigorously touted as a successor to the optical barcode technology ubiquitous on consumer products. There are two advantages which RFID technology holds over the current barcode product identification system. First, the barcode indicates the type of object on which it is printed. For example, it will indicate to a cash register or automated check out system that the object in question is a yellow pencil of ABC brand.
The RFID system goes a step further in that it emits a unique serial number which distinguishes it among millions of identically manufactured ABC brand of pencils. This unique identifying number can act as a direction finder to database entries which contain a plethora of transaction histories for individual product items. Second, barcodes are optically scanned with laser light which requires line of sight contact with readers in order for the scanning technology to operate properly. This usually means human intervention to carefully position the object to be scanned. RFID technology does not require line of sight to operate properly. It can scan hundreds of items per second. For example, a fast moving conveyor belt in a factory can be scanned for objects of interest with no need for line of sight contact.
In a supply chain application RFID is becoming ubiquitous in the tracking of crates and pallets. These are considered to be discrete, but bulk (not item level), quantities of objects. Tracking in the supply chain scenario is concerned with improving accuracy and timeliness of information regarding the whereabouts and movement of goods which comprise any specific supply chain.
In attempting to keep costs to a minimum, RFID tags which are manufactured according to Electronic Product Code (hereinafter “EPC”) standards carry extremely limited on-board memory. Normally, the only information on the EPC tag is the unique number as well as the usual informational data of a barcode. There can also be a link to database records for any specific tag. Although the EPC tag can be up to 96 bits in data or informational length, the centralized host database can have unlimited entries or cryptographic security algorithms regarding any specific tag in question. Part of the EPC protocol is a reference service known as the Object Name Service or ONS. Its purpose is to route tag queries to the database of specific tag owners or to the database of back end computer host managers. In other words, there is a system designed and in place for legitimate back end systems to track and trace all objects in an RFID system.
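As an added illustration of the 96-bit EPC number and the ONS routing just described (this is example code written for this page, not part of the application), the following decoder splits an SGTIN-96 value into its fields using the public partition table of the GS1 EPC Tag Data Standard and derives the ONS 1.0.1 style query name. The sample value is the one used in the GS1 standard's own worked examples. Note what the ONS name does not contain: the per-item serial number is dropped before the lookup, yet it is precisely the field that every tag broadcasts on each read.

```python
"""Decode an SGTIN-96 EPC into its fields and derive the ONS lookup name.
Added example; uses the public SGTIN-96 partition table from the GS1
EPC Tag Data Standard."""

# partition value -> (company prefix bits, company prefix digits,
#                     item reference bits, item reference digits)
_PARTITIONS = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}
SGTIN96_HEADER = 0x30   # 8-bit header that identifies the SGTIN-96 scheme
SERIAL_BITS = 38        # 8 + 3 + 3 + 44 + 38 = 96 bits in total


def decode_sgtin96(epc_hex: str) -> dict:
    """Split a 24-hex-digit SGTIN-96 into header, filter, partition,
    company prefix, item reference and serial number."""
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is exactly 96 bits (24 hex digits)")
    value = int(epc_hex, 16)
    remaining = 96

    def take(nbits: int) -> int:
        # Consume the next nbits from the most significant end of the word.
        nonlocal remaining
        remaining -= nbits
        return (value >> remaining) & ((1 << nbits) - 1)

    header = take(8)
    if header != SGTIN96_HEADER:
        raise ValueError(f"not an SGTIN-96 header: {header:#04x}")
    filter_value = take(3)
    partition = take(3)
    if partition not in _PARTITIONS:
        raise ValueError(f"reserved partition value {partition}")
    cp_bits, cp_digits, ir_bits, ir_digits = _PARTITIONS[partition]
    company_prefix = take(cp_bits)
    item_reference = take(ir_bits)
    serial = take(SERIAL_BITS)
    if company_prefix >= 10 ** cp_digits or item_reference >= 10 ** ir_digits:
        raise ValueError("field value exceeds its decimal digit capacity")
    return {
        "filter": filter_value,
        "partition": partition,
        "company_prefix": f"{company_prefix:0{cp_digits}d}",
        "item_reference": f"{item_reference:0{ir_digits}d}",
        "serial": serial,
    }


def to_epc_urn(fields: dict) -> str:
    """Pure-identity URN, e.g. urn:epc:id:sgtin:0614141.812345.6789."""
    return (f"urn:epc:id:sgtin:{fields['company_prefix']}."
            f"{fields['item_reference']}.{fields['serial']}")


def to_ons_name(fields: dict, root: str = "onsepc.com") -> str:
    """ONS 1.0.1 style query name: the serial is dropped and the remaining
    fields are reversed under the ONS root. The object class alone routes
    the query; the per-item serial the tag broadcasts is not needed for it."""
    return f"{fields['item_reference']}.{fields['company_prefix']}.sgtin.id.{root}"


if __name__ == "__main__":
    # Worked example with the SGTIN-96 value from the GS1 Tag Data Standard.
    fields = decode_sgtin96("3034257BF7194E4000001A85")
    print(fields)
    print(to_epc_urn(fields))
    print(to_ons_name(fields))
```

Running the block prints company prefix 0614141, item reference 812345 and serial 6789 for the sample value; the ONS name is `812345.0614141.sgtin.id.onsepc.com`.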
All communication for RFID interrogators and transponders is via an insecure medium. That medium is air, also known as the atmosphere, and sometimes referred to as the environment. In other words, all wireless communication using RFID technology travels through an atmosphere, or an environment, shared by legitimate and illegitimate users of wireless technology alike. The shared medium highlights security and privacy problems for retail consumers of products containing item level RFID tags, whether attached or embedded.
2. Description of Prior Art
There are two main privacy concerns espoused by privacy proponents and lobbyists. Specifically, these are clandestine tracking and inventorying. As RFID tags respond to reader interrogation without alerting the holder of a tagged item, surreptitious scanning of tags is a serious security threat. Pursuant to EPC protocol each tag always emits a unique identifier. This includes even those tags which protect data with cryptographic algorithms. The result is that a person in possession of an item level object which has a tag attached to it or embedded into it effectively transmits a fixed identifier number to any nearby interrogators. Therefore, tracking the whereabouts of a retail consumer in possession of an RFID tag is easy for those so inclined. This is true even if the unique identifying number is random or carries no intrinsic data. Consider it to be a beacon, like a lighthouse on a pitch black night, which never turns off.
The threat to privacy grows stronger if the unique identifier on the tag is combined in any way with personal information. An example is a grocery store which accepts payment via a credit card for twelve tagged items. These specific twelve items can be linked to the identity of the purchaser through the credit card number which is known to the grocery store at the time of purchase interrogation. Marketers can then identify and profile consumers using networks of RFID readers placed surreptitiously around the grocery store. Furthermore, EPC tags carry information about the object to which they are attached, for example, the manufacturer and product code. Therefore, a person who is wearing or carrying items with EPC tags attached is subject to being inventoried. In other words, a nefarious individual could determine clothing worn, sizes, plus accessories as well as medications carried and harvest or capture this important, yet highly personal and private information into a commercial database. The target consumer could be innocently strolling a mall and be none the wiser for this intrusion. This process is known as skimming.
There have been a number of ineffective privacy protecting schemes put forward as prior art. There is a stop provision for EPC tags called “killing the tag”. According to this provision, when an EPC tag receives a kill command from an interrogator the tag renders itself permanently inoperable. The kill command is PIN protected and is accomplished via the interrogator, which transmits a tag specific 21 bit PIN in the EPC Class A, Gen 2 protocol. This is a very effective means of securing privacy. The tags are effectively dead at the point of sale. This is the same approach taken by a removable tag security system. Although brutally effective, these two methodologies of “killing the tag” obviate any benefits which would be garnered from post purchase tag interrogation. For example, for library books the tag is supposed to operate for the life of the book. In a retail situation, for example, receipt-less item returns become a problem for the retailer if the tag is killed or taken from the retail object.
Another ineffective security approach is to put the tag to sleep rather than to kill the tag. This means to render the tag temporarily inoperative. However, if any reader is able to wake the tag then there would be no security benefit. There would have to be some sort of access control. This could take the form of PIN access. This would lead to a plethora of PIN numbers for a consumer to memorize in order to wake individual tags on countless consumer items. This solution is unworkable in a real world environment. Additionally, there are some “touch” types of security concepts; for example, touch a cellular phone to render the tag awake. In this scenario a holder of a contactless card places the card in the smart card reader located on the cellular telephone. Most European cellular telephones contain smart card readers. When so inserted the smart card chip can be activated by dialing a specific initiation number and entering the correct PIN number. However, this type of “touch” solution negates the benefits of RFID. In other words, if a touch is necessary to activate the tag then why design or implement a wireless method of interrogation?
The prior art includes numerous attempts to secure privacy through various cryptographic methods. These methods generally contradict the business case for RFID. The business case requires cost effective tags. The more information or data which needs to be written onto the chip memory, the larger and more expensive the chip will become. All cryptography systems, even the ones deemed minimalist, require serious storage space for cryptographic algorithms to be located upon chip memory systems. This increases the chip cost and complexity of manufacture. This same argument can be applied to on-tag access control security systems such as hash locks or pseudonyms, to off-tag access control such as blocker tags, and to tag-reader authentication such as lightweight protocols and adapted air interfaces. All of these potential solutions require high end, battery operated, and expensive RFID tags for proper implementation.
There is a gadget making itself known on the Internet as the brainchild of two amateur German engineers which they call an RFID-Zapper. It is being made available for the purpose of deactivation and destruction of passive RFID tags. This gadget borrows from the microwave oven system. In a nutshell, the microwave oven system proposes that RFID passive chips be placed in a microwave oven for 20 to 30 seconds. The high frequency electromagnetic signals from the microwave oven overload and then fry the circuitry (the capacitor) in an RFID tag. However, it has been demonstrated that this method can damage clothes or cause small fires. The RFID-Zapper proposes to generate a strong electromagnetic field with a coil. The coil is placed as near to the target RFID tag as possible. The RFID tag then receives a strong shock of energy comparable to an electromagnetic pulse. This electromagnetic pulse blows the circuitry (capacitor) in the chip, thus deactivating same. The problem with this solution is that it obviates any benefits of RFID technology for returned consumer items. The chip is destroyed and rendered useless forever.
The most important part of RFID security in a consumer environment is user perception of security and privacy. As users cannot see electromagnetic signals, impressions are formed on physical cues and industry explanations for any given RFID system. The key to commercial success is to form a secure physical access control easily perceived by the consumer, plus secure logical access, to the personal data and information on a consumer oriented RFID system. The present invention focuses on a system and method of design and engineering which physically and logically secures RFID critical data. At the same time this system and method is usable and commercially viable as an operating RFID system. This invention permits business decisions which leverage all of the advantages of wireless communication while demonstrating physical and logical security for personal information which is the private property of individual consumers. Commercial viability of this invention is a function of the surrender of privacy control of consumer information to the consumer. Commercial viability is also a function of a simple design structure for this invention as well as lower manufacturing costs as compared to prior art inventions.
Some other flawed prior art and inventions include IBM's Clipped Tag design which allows consumers to tear off most of a passive RFID tag's antenna. This technology was developed by IBM researcher Paul Moskowitz at IBM's Watson Research Center. The primary goal of the research was to preclude the reading of an RFID tag on a retail item carried by a consumer by an unauthorized person in possession of an RFID interrogator. A number of alternative solutions were considered. Moskowitz reviewed the use of a blocker tag which renders nearby tags difficult to read. However, this solution meant that the blocker tag would need to be carried with the consumer at all times. This was considered to be an unwieldy proposition unacceptable to retail consumers. Also considered was a scratch off tag which included a small strip of printed electrical conductor which links the chip and a short portion of the tag's antenna. To shorten the read range consumers would scratch off the printed electrical conductor with a penny. This was deemed too complex to manufacture and less convenient for the consumer. The solution proposed by Moskowitz was a perforation which allowed the consumer to tear off most of a tag's antenna. This reduces the operational range of the antenna to a very short distance. The specifications for the perforated tag are four inches by three inches with the perforation line across each half of its dipole antenna. Once its sides are torn off, along the manufactured perforation lines, the tag remains operable, but its read range is reduced from 20 feet to a matter of several inches. Moskowitz says that consumers can make the tag unreadable through the physical process of tearing the perforation. The tag cannot be read unless presented directly in front of an interrogator. If a customer needed to return an item, the retailer could use a stationary or handheld interrogator to read the tag from a very close range.
The Clip Tag technology of IBM is not really security at all. The physical measurements of the tag make it an easily identifiable target for information thieves. By admission the design of the Clip Tag technology only shortens the length of the antenna thereby reducing the read range. This technology does not disable the chip. It puts a title such as Clip Tag to a system which is far more perception than reality. The truth is that any thief with a powerful enough interrogator could still read the information on the tag. While this technology may give the consumer some solace on its face, careful scrutiny reveals a fatal flaw.
Similarly, another new technology from an Australian provider titled the Smart & Secure Retail Tag is designed to address consumer concerns that data encoded to tags on the items purchased could be read by a third party without the knowledge of the consumer. The methodology of accomplishing this is by decreasing the read distance of a tag. After the item is purchased a consumer can reduce read distance by unfolding the substrate which contains the tag antenna. An edge of the substrate which contains the antenna and which is attached to the retail product is designed so that it can be securely grasped by the consumer. When the substrate material is pulled at its edge the tag unfolds thereby reducing read range. To re-engage the original read range, in the case of a returned item for example, the edge is grasped so that the chip/antenna package can be refolded thereby setting the apparatus to the original read range. The key is that the tag is never fully disabled.
The fatal flaw of this technology is the same as that of the IBM Clip Tag. The antenna is never fully decommissioned. While this Australian system and invention allows for return of items it does not adequately address the consumer privacy issue. It provides perception of security while not actually providing real security. Like the IBM solution, a thief with an interrogator with enough harvesting power can still surreptitiously interrogate a tag.
The inventor has coined the term the “Clip Chip”. The term “Clip Chip” is currently the subject of a U.S. Trademark Application by the inventor. The solution proposed by this Application called “Clip Chip” is to utilize either the perforation or unfolding method outlined herein, or other means, in a manner which prevents the information or data on the tag or transponder from being read or the consumer carrier of the tag from being tracked. In a nutshell, subject to the Summary of the Invention section herein, this invention proposes providing real privacy security in addition to appearance and perception from the vantage point of the consumer by splitting the chip into two parts. Instead of perforating or unfolding the substrate to reduce the read range by shortening the antenna, this invention proposes splitting one part of the chip from the other, thereby rendering the system unreadable. For example, a perforation could be placed on the substrate of the tag. A consumer could tear same, thereby giving the appearance and perception of security. On one side of the tag package there is a silicon component which houses one piece of the integrated chip package. On the torn off side of the attached tag would be the other part of the integrated chip package. The two sides would be connected, when operating as a whole, by a fine piece of conductive material, such as a conductive ink. At the time of sale of the consumer object the connected integrated chip package would be read using a standard RFID system. Hence all of the convenience of RFID is intact. At the time of retail check out the information stored on that piece of the integrated chip package which is torn away is automatically harvested and captured by the interrogator and communicated by secure land line to a host, back end, computer database.
The part of the chip remaining attached to the item purchased would have only a simple alphanumeric identifier which would reference the purchased object to the back end host system database. This information would not be harvested directly to the back end system but would be stored separately in cryptographic format. As the chip is torn in two and is inoperable, it cannot be read by someone eavesdropping no matter how powerful the interrogator. When torn, the chip will not function as the antenna section is no longer attached to the transistor section. Furthermore, it cannot be used to track an individual as it is no longer operable. Physically it cannot reflect any information or data. However, in the event of a returned item, the connection to the host back end computer management system can be made by physically placing the communicating ink in contact with a specifically designed returned item reader. In other words, the two halves of the chip, more specifically the information on the two halves of the chip, are reconnected. In this fashion, the alphanumeric identifier is cross referenced to the host database information. In essence, the Clip Chip stores all relevant information in a management owned and controlled, back end, host computer database. This inventive system splits the critical and highly personal consumer information into two distinct pieces. One piece is useless without the other piece. This means that even if the host database is corrupted, for example by being compromised through computer hacking, the information cannot be connected to any particular item in the marketplace. The information in the host database cannot connect to the alphanumeric item identifier unless the item is returned to the place of purchase. The back end host system holds only part of the puzzle, as the alphanumeric identifier is stored separately and secured by cryptography.
This invention offers to consumers a real choice for privacy while providing all of the perception of security through the perforation or unfolding type of physical methodologies enunciated herein. The logical security for the highly personal consumer information is accomplished by the split in two methodology activated when the chip is clipped to render it inoperable.
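The logical half of the scheme, the "one piece is useless without the other" property, can be modelled in software. The following is an added example written for this page, not code from the application: it treats the purchase record harvested from the torn-off half as a row in the retailer's host database, keeps only a short identifier on the item, and ties the two together with a keyed hash whose key lives only at the returns reader. The application does not name a cryptographic primitive, so the keyed-hash construction (and the key being held at the returns station rather than in an encrypted side table) is an assumption made here; the identifier, retailer name and EPC value are constructed sample data.

```python
"""Model of the Clip Chip split-information scheme: the purchase record goes
to the retailer's host database, a short identifier stays on the item, and
the cross-reference between the two needs a key held only by the returns
reader. Added example; the keyed-hash construction is an assumption, the
application text does not specify a cryptographic primitive."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class HostDatabase:
    """Back-end host: purchase records indexed by a blinded reference.
    A dump of this table alone does not reveal which item a record is for."""
    records: dict = field(default_factory=dict)

    def store(self, blinded_ref: str, record: dict) -> None:
        self.records[blinded_ref] = record

    def lookup(self, blinded_ref: str):
        return self.records.get(blinded_ref)


class ReturnsStation:
    """Holds the cross-reference key separately from the host database.
    The key is never written to the tag and never sent to the host."""

    def __init__(self, key: bytes):
        self._key = key

    def blind(self, item_identifier: str) -> str:
        # Keyed hash: without the key an item identifier cannot be turned into
        # the database reference, and the reference cannot be inverted.
        return hmac.new(self._key, item_identifier.encode(),
                        hashlib.sha256).hexdigest()


def checkout(station: ReturnsStation, host: HostDatabase,
             torn_half_data: dict, item_identifier: str) -> None:
    """Point of sale: the torn-off half's data is harvested to the host under
    the blinded reference; the item leaves carrying only item_identifier."""
    host.store(station.blind(item_identifier), dict(torn_half_data))


def process_return(station: ReturnsStation, host: HostDatabase,
                   item_identifier: str):
    """Returns desk: the identifier read by contact from the remaining half
    is re-joined with the host record; None if no record matches."""
    return host.lookup(station.blind(item_identifier))


def demo():
    """Run one sale, one genuine return, and two failure cases."""
    # Constructed sample values, not real product or retailer data.
    station = ReturnsStation(secrets.token_bytes(32))
    host = HostDatabase()
    checkout(station, host,
             {"retailer": "Example Store #12",
              "epc": "3034257BF7194E4000001A85",
              "price": "19.99", "sold": "2024-05-01"},
             item_identifier="AB7K2Q")
    # Genuine return: item half plus the station key reconnects the record.
    found = process_return(station, host, "AB7K2Q")
    # A stolen database dump alone: nothing in it can be tied to "AB7K2Q",
    # because the blinded reference is not derivable without the key.
    dump_mentions_item = any("AB7K2Q" in k or "AB7K2Q" in str(v)
                             for k, v in host.records.items())
    # A different key (another retailer's station) or a guessed identifier
    # finds nothing.
    other_station = ReturnsStation(secrets.token_bytes(32))
    wrong_key = process_return(other_station, host, "AB7K2Q")
    wrong_id = process_return(station, host, "ZZZZZZ")
    return found, dump_mentions_item, wrong_key, wrong_id


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is the one the text states: the host holds purchase details under references it cannot map back to items, the item holds an identifier that means nothing on its own, and only the physical act of presenting the item at the returns reader (which holds the key) joins the two.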
U.S. Pat. No. 7,098,794 titled, “Deactivating a data tag for user privacy or tamper-evident packaging”, describes a system of a plethora, or array, of antennae whereby one antenna can be removed from an item thereby rendering communication of the unique identification information on that object impossible through the removed antenna.
According to this Patent there are other antennae which then take over the communication task and which operate at a second frequency range, smaller than that of the first antenna. This system is outlined in claims 1 and 2 of this Patent. The point is that the second set of antennae takes over and is still operable. It can be distinguished from the present application in that the present application is a solution to privacy concerns regarding item level tagging employing a system and method of separating critical personal information into two separate parts on an RFID chip, connected by conductive ink, yet subject to consumer perforation, which disables the chip.
An article titled “RFID Guardian: A Battery-Powered Mobile Device for RFID Privacy Management”, authored by Rieback, Crispo and Tanenbaum of the Department of Computer Science, Vrije Universiteit, Amsterdam, The Netherlands, details a compact, portable, electronic device to be carried by consumers which authenticates RFID readers and blocks attempts to access consumer information from unauthorized readers. This invention proposes to warn consumers of surreptitious RFID activity and then counsels them to take corrective action if need be. The descriptive information of this invention can be located in the Abstract section of this article. It can be distinguished from the present application in that the present application is a solution to privacy concerns regarding item level tagging employing a system and method of separating critical personal information into two separate parts on an RFID chip, connected by conductive ink, yet subject to consumer perforation, which disables the chip.