The Day of the RFIDs Read online

Page 2


  In short, I was confused.

  Then Mechanicsville happened.

  * * * *

  CNN played softly 24/7 on a dozen TVs mounted high up on pillars throughout the JAB cafeteria. I was on an early lunch break, escaping the computer-room chill of my lab, when murmuring broke out. On-screen, flames engulfed a red barn, surrounded at a safe distance by flasher-equipped unmarked cars, ambulances, and two fire trucks. A trim HSB helicopter had landed to one side of the frame, its rotor still spinning lazily. The screen crawler gave the then-unfamiliar town name in Iowa.

  All around me, “Waco” was getting mentioned a lot.

  The Branch Davidian references were prescient. That is, although I don't think the HSB agents all around me knew it at first, children were dying in the conflagration: a high-school science club.

  Many network exposés and blogs later, you know what none of us knew then: It was only a gung-ho young teacher trying during spring break to excite kids about physics through model rocketry. That—and some bitter irony here—regulatory overkill.

  Respect for a parental phobia has kept my knowledge theoretical, but I understand model rockets. The fuel of choice is ammonium perchlorate composite propellant. If APCP happens to sound familiar, it's probably because APCP fuels the solid rocket boosters of the space shuttle. APCP is a rubbery mixture of salts, powdered metals, and resins that ignites at about 500 degrees Fahrenheit.

  The thing is, APCP falls within the purview of the post-9/11 Safe Explosives Act, which means permits, fingerprinting, and background checks before anyone is allowed to buy the stuff. The funny thing is, APCP doesn't explode; it merely burns like the dickens. If you do buy it, the feds are allowed onto your property at any time and without notice to check for its proper storage.

  The Cedar Rapids Rocketeers, like similar clubs, cooked up their APCP from unregulated precursor chemicals, just as farmers mix explosives to blow up tree stumps or “dig” irrigation ditches. It's all perfectly legal, under a personal use exemption. You might ask: How does one prove personal use? Is it not better, in our dangerous world, to err on the side of caution?

  The final count was twenty-six dead: eighteen kids, the teacher, and seven parents.

  Based on “a tip,” HSB had begun what spokespeople called an “unscheduled inspection.” Most people who see HSB's own video of swooping helicopter and onrushing cars think: raid. “Tragically,” the final report concluded, “the unexpected arrivals appear to have caused the unintended indoor ignition of one or more model rockets. A rapidly spreading fire resulted. This only reinforces the tragedy of citizens working with such dangerous, generally illegal materials."

  * * * *

  Like most small businesspeople I know, Dad has little respect for economists. “If you took all the economists in the world and laid them end to end,” he likes to say, “they wouldn't reach a conclusion.” And, “Economists correctly predicted nine of the past five recessions.” That last one, it turns out, is attributable to an economist.

  My ambivalence about HSB ended with the cold shower that was Mechanicsville. There were real human consequences when domestic intelligence foiled nine of the past five terrorist plots.

  Mechanicsville and the subsequent investigations raised plenty of questions. One of the most obvious—still officially unanswered—was, “Who tipped off HSB.” That is: Who somehow confused a science club with terrorists? HSB did not reveal its sources, of course. I heard just enough hallway chatter to know that the question worried the hell out of people—and enough to disbelieve the media speculation that Homeland BS was covering for some naïve or competitive or vindictive classmate of the victims, lest others hesitate in the future to inform.

  * * * *

  Two kinds of people work in JAB: those who carry guns and those who don't. The latter (which includes contractors like me) tend not to get much respect. Too many of the former know squat about computers. In 2003, the FBI was training agents how to use a mouse.

  And yet ... the modern approach to security is all about information.

  Unless you've been on Titan, you must know passenger screening became serious business after 9/11. The last time I checked (Airline Disclosures of Passenger Information), six airlines and two big reservation systems admit to having shared at least samples of their passenger data with the Transportation Security Administration. No one asked the passengers if they cared to be part of the experiment.

  After 9/11, everyone demanded to know why the FBI hadn't known ahead of time. No matter how many hostile operations were prevented in the intervening, fairly peaceful years, the question came back, big time, after 2/4. One result was establishment of the HSB. Not coincidentally, the biggest technology project the HSB now has going is its Consolidated Data Warehouse, the mother lode of information about anything. I had no need to know what was in it, nor did I, but it was clear that the approach being taken to better connecting dots in the future was: collect lots more dots.

  Dots like: Several of the Cedar Rapids students had recently purchased “extremist Islamicist literature.” That literature, as NBC News broke soon after this HSB explanation, was extra-credit reading in the curriculum of a World Civ class.

  For a time I had a privileged user account on CDW. Designing gadgets did not require any access, let alone privileged access, but my testing collected scads of RFID transaction data, which I had kept, in my HSB lab, within a database management system. When a dayshift database administrator on CDW announced her vacation plans, I got volunteered to backfill.

  My new, unwanted DBA task required occasional poking about the database, just to make certain everything was operating okay. The cardinal rule is: Never look up yourself. It's apparently bad form to check whether you're under investigation (evidently, double agent Robert Hanssen monitored his own records at the FBI for years for signs of suspicion). One thing I looked up instead, as a sample query, involved press reports of the Mechanicsville situation. A security admin spotted my query in an audit log, and my wrist got slapped. I wasn't on the approved list of people to be accessing such a sensitive matter.

  Too late: I had already clicked through to long lists of annotated RFID transactions associated with the investigation. I had glanced at a few, and one I couldn't get out of my mind: the tires of a parent's SUV, recorded by a Wave-N-Go pump at a Mechanicsville gas station. There was no record of a purchase, as though the stop had been for directions or a bio-break.

  Clearly, the gas-station chain was providing company data to the feds. Was such surveillance illegal? Unethical? Creepy? Was this different than flight records, which, since 9/11, few expected to remain private?

  I was still wrestling with those questions when I noticed: One of the chains providing RFID data to the HSB was Big Bob's.

  * * * *

  I was more facing my TV than watching it when the last puzzle piece fell into place. Had I been paying attention, I would have simply zapped the commercial. The ad did not even penetrate my consciousness until well into the next segment of sitcom. If my TiVo thought it strange that I backed up to re-screen a commercial, it did not comment.

  The ad was for a high-end washing machine. Accompanying a close-up of a red sock atop a mound of pink underwear, the voiceover declared, “Make such tragic accidents a thing of the past.” I froze the frame. It would indeed be great if my red socks and my tidy whities declared themselves to my washer. What was decidedly not great was the sudden epiphany that my socks and undies were likely announcing my presence to every RFID scanner I passed. As in: every big store I entered; every subway turnstile I passed, even if I'd bought my fare card with cash; every Wave-N-Go gas pump....

  Feeling stupid—why had I compartmentalized the RFID-in-clothing problem as purely an in-the-lab issue?—I unearthed my homebrew scanner from its place of exile at the bottom of a desk drawer.

  The newer half my wardrobe had RFID tags. My wallet was filled with them.

  * * * *

  If you have not yet joined a curren
cy exchange, you should.

  In much simpler times, people worried that newfangled credit cards were an invasion of privacy. There would be centralized records, somewhere, of what you bought when. People who worried about such records—some of them, obviously, Doing Bad Things—would use only cash.

  Surely you've heard about the supposed nutcases who wear tinfoil-lined hats to hide their thoughts from the aliens. Well, my wallet is now foil-lined. New Euro notes carried embedded RFID tags as long ago as 2005; for several years now, new US currency shared that “honor"—to prevent counterfeiting. Here's what they don't tell you: You can be traced by the money in your pocket. Each bill in your wallet was associated with you when you received it at the bank lobby or ATM or in change at a store. It stays associated with you until a bank or store cash register logs its receipt. Tagged bills mean that even buying things with cash is no longer anonymous.

  Are you still wondering about currency exchanges? That's a bunch of folks who meet for the sole purpose of swapping their cash. You can do it out in the countryside somewhere, far from any possible RFID poller, although there are obvious risks to carrying large sums of cash to an isolated rendezvous. A better solution is a shielded room (in technical terms, a “Faraday cage"). Copper window screening works nicely, as long as you remember to cover the floor, ceiling, and door, too. RFID interrogation signals can no more get in than microwaves can get out past the similar mesh embedded in the glass of microwave oven doors.

  Click here for plans to build your own currency exchange.

  * * * *

  RFID chips are tiny. RFID tags generally are not, because the antennae must capture enough power to operate the silicon chip. The typical antenna occupies a couple square inches. That means you can find—and disable—the tags. After I calmed down from my red-sock epiphany, that's just what I did. If my story has made any impression on you, you will, too. I used a scanner to look for them; if you lack access to a scanner, pay close attention to big labels, overlapping fabric, and wide hems. If a garment crinkles, check there between cloth layers.

  Shoes are harder. Taking them apart to find the tags that are almost certainly there will probably destroy your footwear. I zapped mine with a focused microwave beam until their chips fried. A bit of shoe polish covered the resulting scorch marks. (You might be able to microwave your shoes, but I don't recommend it—especially if they have steel shanks.)

  You may be asking: Why? Why did I disable the RFID tags in my clothes?

  No one had cause to be tracking me. Maybe that was my reason. That the tags helped retailers manage their inventory was no reason for me to be marked like a prospectively wayward cat. I was offended, damn it. Sitting in my newly RFID-free apartment, stewing in high principle, paranoia, and self-righteousness, my thoughts turned to the tires that had led HSB to Mechanicsville. Outside I went.

  My car, it turned out, was filled with RFIDs, and not only in its tires and the E-Zpass transponder clipped to the sun visor. Even if I could take the car apart, some pieces were likely unzappable.

  Which left what?

  I could replace my car with a clunker too old to contain RFIDs. I could, in theory, keep a clunker running with old parts from junk yards. My suspicions were by then in full bloom. I found myself wondering why the NHTSA had suddenly decided a few years earlier that tires had an aging mechanism (Tire Expiration Dates) distinct from tread wear. Was age-related rubber deterioration real, or was it disinformation to get RFID-tagged tires onto every car in the country? Frying an RFID embedded in a tire would soften the surrounding rubber. That couldn't be good.

  You're overreacting, I had lectured myself. Three-hundred million Americans and almost as many vehicles, evermore tags on each, every day passing within range of, well, I had no idea how many RFID-sensing toll booths and point-of-sale terminals. How could HSB possibly keep up with that data geyser? They would have to concentrate on small subsets already known for some reason, by some conventional investigative means, to merit scrutiny.

  Wouldn't they?

  * * * *

  Perhaps you are enrolled in one or more merchant loyalty programs. Knowing what you buy, and when, and where, has value. That's why so many stores (but not mom & pop) discontinued coupons in their newspaper ads, but happily provide discounts once you disclose your customer ID. You regularly buy canned soup, so it seems harmless when they tempt you at the checkout with a deal on crackers. The results can be both humorous and off-putting when your favorite bookseller makes recommendations for you extrapolated not only from what you read, but from the gifts you've purchased for your quirkiest friends and relatives. It gets downright creepy when your pharmacist speculates from your prescriptions that, for example, you have a likelihood of erectile dysfunction, and mails you a Viagra coupon and the advice you discuss it with your doctor.

  Those are trivial examples of data mining. Remember Dad and his disdain for economists? Economists predicted recessions by mining data long before that term came into vogue. Their models, of ever-growing sophistication and ever more voracious appetites for data, hunted for correlations, trends, and clustering. But correlation is different than causation, which is how they predicted nine of the past five recessions. These flawed readings of the economic entrails and commercial tea leaves—they're almost funny until misinformed government policy ensues.

  Data mining is a big deal now in homeland security, and rightly so. Way back in the Cold War, West German federal police broke the infamous Baader Meinhof gang by hunting for prime suspects: single men without cars registered to their names, who paid their apartment rent and utility bills in cash. Estimates vary, but the federal police may have surveilled, by emergent techniques not yet called data mining, up to five percent of the adult West German population.

  Data mining can be powerful and productive. It's a good thing when phone-call patterns give warning of an imminent terrorist strike. But when HSB—and I speak now of former colleagues who are honest and honorable people, who in my mind, notwithstanding my current fugitive status, I consider my friends—detects nine of the next five terrorist attacks?

  That's how you get a Mechanicsville.

  * * * *

  The red-sock incident happened on a Saturday. The following Monday I had a DBA shift, filling in for my still-vacationing colleague. Feeling a bit like Marcel St. Clair, I did a few “Is it still running?” checks of CDW.

  Sturgeon's Law posits that ninety percent of everything is crap. Either Sturgeon was a cockeyed optimist, or he knew nothing about software. The data warehouse required constant babying, reconfiguring, tuning, restarting ... pick your euphemism for “fixing.” Driving the process was a mix of recurrent and ad hoc queries, by which to gauge how well the temperamental software was behaving that day. In the ad hoc category, I queried with a few presumably innocent product RFIDs I'd recently captured with my scanner: tires on a friend's car, a second cousin's new penny loafers, a case of beer in the storeroom of the bistro where I had eaten dinner the previous night. I thought nothing of the gaggle of feds clustered across the lab at one of the security administration workstations. Secadmins are a breed onto themselves; it is their nature, like birds, to flock.

  I was staring at the screen in frozen disbelief, at a column of time-tagged hits that tracked my buddy's car around town yesterday, when an HSB guy—the gun-toting, agent type—sauntered over and tapped my shoulder. “A word to the wise, Zach. Checking out your friends and neighbors is not allowed either."

  I went outside for lunch that day, and never came back.

  * * * *

  Which brings us to the end of my cautionary tale. If I am not simply deluding myself, if this blog has a readership beyond seething HSB agents, we may even be, to borrow a phrase from Winston Churchill, at the end of the beginning.

  That is all very metaphorical, of course. I am going to be very vague about where, physically, I am. While I am being metaphorical, I will go so far as to admit a return to my roots. I am toiling once again at a mom & p
op store. It's someplace that pays me in cash, and that—like my Mom's & Dad's place—still uses those quaint, low-tech devices which, although called “cash registers,” register no information about the currency therein.

  To anyone from HSB viewing this: Maybe it's a grocery. Of course, it could as easily be a dry cleaner, a hotdog stand, or a used-book store. Perhaps it's none of those.

  In short, my hypothetical Dear Reader, I've gone underground. The Ten Most Wanted Fugitives list calls me a cyber-terrorist.

  HSB now claims I've hacked into the transactional databases of American companies. Not so. At worst, I've grazed the database of one company, Big Bob's. In my opinion, that hardly rises to most-wanted status.

  HSB would also have you believe I brazenly engaged in a nefarious spying operation from within the bowels of JAB itself. Once again: not so. I'll admit—I have admitted—to a few peeks. I'll assert every DBA and sysadmin there does the same. Vigilance in the search for bugs in crappy, overpriced software is no vice.

  Why, then, is HSB after me?

  It all keeps coming around to Big Bob's. You've already read my after-the-fact reasoning (rationalizing, if you prefer) about the field trips to Big Bob's that brought me to HSB's attention. But the friend's tires that surfaced in the CDW, just before I went to lunch and never returned, were bought at Big Bob's. By inference, Big Bob's provided the data to HSB. Who else could tie those specific tires to that friend? Not that Big Bob's alone could possibly have had enough RFID readers, widely enough dispersed, to have captured the peripatetic course around town of those tires....

  The quicker I am taken into custody, the sooner this narrative, in its many reincarnations and mirror sites on offshore servers, stops. HSB does not want to reveal its plans—devised, I will postulate, with only the best of intentions—to track everyone, everywhere, at any time. They want at all costs to keep secret the clandestine co-opting of Big Bob's, and countless other retailers, into Big Brother.