29 July 2011

RFID and Guns

So there has been a lot of talk about Chiappa Firearms of Italy announcing that they will start using RFID tags in their firearms to improve manufacturing and distribution accuracy and efficiency. (See TFB, SayUncle, Weerd). This seems like a perfect topic for me to write since I consider myself an Information Security/Assurance nerd as well as a gun enthusiast.

I am not going to address Chiappa's underlying business reasons for deciding to use RFID during the manufacturing an distributing process.  The realizable benefits of using a system like this in an environment such as manufacturing firearms is questionable, but is an entirely different conversation.

I want to address the security/privacy concerns that has the blogosphere on fire.  For those of you who are unfamiliar with Radio Frequency IDendification (RFID), they come in two basic forms: Passive, and "Active". 

Passive tags work in a similar fashion to the old idea of a crystal radio.  There is no internal power source so the tag does not actively broadcast anything.  The power comes from radio signals that a RFID Reader sends outs.  The reader must send a radio signal at the specific frequency that the tag is designed for. Radio signals at the correct frequency cause the tag to react and respond with a feedback signal that contains the stored information.  The best examples of these tags in every day life are in the retail industry where they are affixed to DVD and CD cases, high-end clothing, and electronics.  They are used less for inventory control than they are for loss prevention.

Active tags, unlike passive tags, have an internal power source, often in the form of a battery.  Active tags are often used for things like remote sensors or tracking.  They are not as prolific and are rarely used for manufacturing or inventory control because they are much more expense.  The best example I can think of for the use of active tags are in animal research where a certain animal is tagged in order to understand migration patterns or other behavior.  Over time the battery will run out and the tag will no longer broadcast its information.

The type of tag that will most likely be used in Chiappa's guns are passive tags.  These tags will likely contain a product number, manufacture date, and serial number ( more on this later). They will use RFID readers at various points in the manufacturing and distributing process to track individual products to strengthen their quality controls and increase the speed at which they are able to produce and ship guns.

So what's the big deal?

Computer and tech geeks have been considering the privacy and security concerns of RFID tags for nearly 10 years. The concerns range from the government being able to track your purchasing habits and movements to people finding out that you went to the local adult video store because your girlfriend was going to be out of town for a couple of weeks visiting her parents.

So what is the risk of any of the above situations actually happening.  RFID readers and scanners generally have to be withing a few feet to be able to have enough power to read the information off of an RFID tag.  That is why you have to walk through the little "gates" at Target or Wal-mart after making a purchase.  Most RFID readers are designed to have an effective range of 4-6 feet (some more expensive tags are designed to be read out to 30 feet with the proper reader).  This means that someone with an RFID scanner would most likely have to be within 6 feet of you for an extended period of time while the reader scanned through all the available RFID frequencies and searched for a tag. It isn't all that unlikely to be that close to someone for an extended time at a restaurant, library, concert or other event where people will be sitting in close proximity to each other for extended periods of time.

If someone is able to sit next to you for an extended period of time, and if they have an RFID scanner, what kind of information would they get?  Well that is where some of the gun community's concern lies.  What if you have a concealed carry permit and the gun your are currently carrying has an RFID tag in it.  A person with a scanner and enough time could potentially discover that you are carrying concealed. 

One aspect I didn't address is that RFID scanners are generally "directional", meaning that the radio waves that it emits are usually sent in one general direction, but they are not able to pinpoint an RFID tags exact location ( you would need to triangulate the position using at least 3 strategically placed RFID scanners.... and... give me a break!).  Take the concert example.  If someone sitting two seats to your righthas a scanner and pulls it out and points it to his left and gets results back that indicate someone is carrying a Chiappa revolver.  The person carrying could be any of the three or four directly to his left, or even a few people sitting to his left in the rows behind and in front of him. All he knows is that someone in the half dozen people sitting near him are carrying a revolver. All in all I don't find that to be an overly threatening situation.

Generally the risk that people will know you are carrying a firearm, or like to buy expensive shoes, or went to your local adult video store, are low and don't pose any significant threats.  That being said, I do no like the idea of wearing or carrying ANYTHING that can aid in identifying me from a distance (yet I still carry a GPS enabled cell phone with WiFi and Bluetooth...).  Chiappa did the right thing by disclosing the fact that they will be including RFID tags.  And despite the fact that I don't believe they will realize any significant gains in efficiency or quality control, it is their right to use them.  Their next step should be to provide instruction on how to safely remove the RFID tags should the consumer not want it after purchase.

So what went wrong in this situation? Quite honestly I think the biggest mistake made here was on the part of the Chiappa distributor here in the US, MKS Supply.   Their response to customer concerns over the RFID tags was to mock and make fun of people who would like to protect their privacy. Instead of chuckling in private but being professional in their response, they chose to call people with privacy concerns conspiracy theorists and overly paranoid.

MKS will not see any of my business because of the sheer arrogance and disregard for their customers that they showed in their handling of this situation.  No loss for them or me really. I thought Chiappa's Rhino was a novelty that might be worth owning, but overall it is not a gun I must have. And MKS also distributes Hi-Points, which I have absolutely no desire to own.

In summary, RFID tags can present privacy issues, but I will not be purchasing an RFID reader to scan every good that I purchase to determine if it has a hidden RFID tag.  And finally, don't buy from MKS Supply. If they handled this PR situation so poorly and have such contempt for a large section of their customer base, imaging what kind of customer service you would get out of them after making a purchase.

No comments: