More Workplace Bullshit

Yes, Todd Westby, you can track people with RFID

John C. Welch
Jul 25, 2017 · 5 min read

So in this piece in the New York Times, “Microchip Implants for Employees? One Company Says Yes”, about yet another “IMPLANT RFID CHIPS, IT’S TEH FYOOTURE” movement at a company in Wisconsin, we see a rather nicely worded bit from the CEO of an RFID company on privacy (emphasis added):

Another potential problem, Dr. Acquisti said, is that technology designed for one purpose may later be used for another. A microchip implanted today to allow for easy building access and payments could, in theory, be used later in more invasive ways: to track the length of employees’ bathroom or lunch breaks, for instance, without their consent or even their knowledge.

“Once they are implanted, it’s very hard to predict or stop a future widening of their usage,” Dr. Acquisti said.

Todd Westby, the chief executive of Three Square, emphasized that the chip’s capabilities were limited. “All it is is an RFID chip reader,” he said. “It’s not a GPS tracking device. It’s a passive device and can only give data when data’s requested.”

“Nobody can track you with it,” Mr. Westby added. “Your cellphone does 100 times more reporting of data than does an RFID chip.”

That bolded statement, gentle reader, is bullshit. It’s not a lie, it is carefully worded to not be a falsehood, but it is bullshit. Allow me to elaborate.

Mr. Westby is factually correct about RFID chips on several points:

  1. They are a passive device. On its own, an RFID chip sends no data.
  2. No one can track you based solely on possession of an RFID chip, implanted or not. They don’t work that way.
  3. It can, in fact, only provide data when interrogated by an RFID chip reader.
  4. Your cellphone does, in fact, on its own, report far more data about you and your movements than any RFID chip ever will.

However, this part: “Nobody can track you with it,”? That, gentle reader, that is bullshit. I can track the crap out of you via RFID chip, and you’ll never know I’m doing it. Most people, especially in tech, deal with RFID daily. The ritual of badging into buildings, areas of buildings, even conference rooms, almost all of that is RFID.

It’s actually pretty smooth, takes no time, just proximity. One place I worked, the badge readers were all at a height to where you could hip-check them if you had your badge at your waistline or in your wallet. I got to where I could go through doors with my badge and never break stride. RFID transactions are fast and require no other interaction save proximity. The beeps and lights are only there for the humans, so you know the door is able to be opened, etc.

However, every RFID system I’ve worked with, including ones from companies like Sonitrol, Redwire, etc., is tied into a central console. There are good reasons for this; if nothing else, it allows you to quickly enable and disable access to buildings or rooms. This is a Very Good Security Thing.

However, that also means transactions are tracked. There’s not a lot of data; badge number, date and time is the norm for the systems I run. But you know what that data provides over time? A rather nice map of movements. I can tell when anyone on my system has badged through a given sensor. If I know which side of a door a sensor is on (and I do) and I can sort by time and date (and I can), then it is pretty trivial to tell when someone badged through a door, and I can even infer direction of movement.

That, gentle reader, is called “tracking”. You know, that thing Mr. Westby said is “impossible”. Because he was being very Clintonian (Bill) in his statement. What he left off was the part about how the chip in and of itself does nothing until interrogated. That’s important.

So, as a sysadmin, when someone proposes a new system, the first thing I do is think about how it can go wrong. That’s not being a nattering nabob of negativity, that’s a critical part of my job. If I can predict potential problems, I can have processes and procedures in place to manage or even prevent those problems.

Remember how I said that the beeps and lights are only there for the humans? You don’t need them. You can put RFID readers anywhere and all you need are power and a network connection, and with the joyous thing that is power over Ethernet, PoE, that’s one cable. So you can embed RFID readers in door frames at a height you know the reader’s going to be near. Say, the height of the handle/push plate. Or in an office doorway. Or a cubicle doorway. Or, if you’re one of those open office plan dips, in a desk.

So now, I can, in real time if I really wanted, track someone’s movement on a fairly detailed level. I can tell when they entered the bathroom and when they left, when they got to their desk, when they left their area, all kinds of information, and there is no way for Izzy with the Implant to know I’m doing this. Chip doesn’t buzz, and the readers don’t have to light up or beep.
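To make concrete what the badge log described above (badge number, date and time, plus knowledge of which side of a door each reader is on) exposes, here is an added example, not code from the original post, of the kind of check you would run when scoping a privacy review or retention policy for access-control data. The reader IDs, room names, badge numbers and log format are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed reader inventory (an assumption, not from the post):
# reader id -> (room, side of the door the reader is mounted on).
READERS = {
    "R-101": ("restroom", "outside"),  # read on the corridor side = entering
    "R-102": ("restroom", "inside"),   # read on the room side = leaving
    "R-201": ("office-3", "outside"),
    "R-202": ("office-3", "inside"),
}

# Constructed log lines: timestamp, reader id, badge number.
LOG = """\
2017-07-25T09:02:11,R-201,4471
2017-07-25T10:15:40,R-202,4471
2017-07-25T10:16:25,R-101,4471
2017-07-25T10:16:30,R-201,5120
2017-07-25T10:24:05,R-102,4471
2017-07-25T10:24:50,R-201,4471
"""

def movements(log_text, readers=READERS):
    """Return {badge: [(time, room, 'enter'|'leave'), ...]} sorted by time."""
    out = defaultdict(list)
    for line in log_text.strip().splitlines():
        stamp, reader, badge = line.split(",")
        room, side = readers[reader]
        direction = "enter" if side == "outside" else "leave"
        out[badge].append((datetime.fromisoformat(stamp), room, direction))
    for events in out.values():
        events.sort()
    return dict(out)

def dwell_times(events):
    """Pair each 'enter' with the next 'leave' of the same room: (room, seconds)."""
    open_visits, visits = {}, []
    for when, room, direction in events:
        if direction == "enter":
            open_visits[room] = when
        elif room in open_visits:
            visits.append((room, int((when - open_visits.pop(room)).total_seconds())))
    return visits

if __name__ == "__main__":
    for badge, events in movements(LOG).items():
        print(badge, dwell_times(events))
```

Three columns and a reader inventory are enough to produce per-person room and duration records, which is why these logs deserve the same access controls and retention limits as any other personal data.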

So there are two issues here:

  1. Can this be done? Absolutely, with off-the-shelf systems. It’s not even an engineering issue, it’s an installation issue at this point. The only “hard” work is mounting the sensors, because you have to drill things, cut things and run wire.
  2. Will/Should it be done? Well, that’s the important question, isn’t it? There are a lot of companies, I’m positive, that have enough of a clue about ethics that this kind of thing would be laughed out of the room at best and the person pursuing it encouraged to work someplace else, as their ethics obviously clash with the company’s. But there are a lot, a lot of companies that would have zero problem with this, indeed, would view it as their right. And once that RFID tag is in your hand or your arm, you have no way to tell who’s using it for what. None.

So yeah, maybe this seems cool in some kind of hipsterish way, but the idea that you can’t be tracked or monitored with RFID is blatantly bullshit. It also makes me question Mr. Westby and Three Square’s ethics, because years of experience have shown me that just like the biggest homophobes are the ones cruising Grindr the most, the people who say “That’s just impossible” and “no one would ever do that” the loudest are the ones doing it the most.
