
Security and Privacy Risks of Embedded RFID in Everyday Things: the e-Passport and Beyond

Marci Meingast¹, Jennifer King², and Deirdre K. Mulligan²
1. Dept. of Electrical Engineering and Computer Science, University of California, Berkeley, CA
2. Boalt Hall School of Law, University of California, Berkeley, CA

Abstract—New applications for Radio Frequency Identification (RFID) technology include embedding transponders in everyday things used by individuals, such as library books, payment cards, and personal identification cards and documents. While RFID technology has existed for decades, these new applications carry with them substantial new privacy and security risks for individuals. These risks arise due to a combination of aspects involved in these applications: 1) the transponders are permanently embedded in objects individuals commonly carry with them; 2) static data linkable to an individual is stored on these transponders; 3) the objects these transponders are embedded in are used in public places where individuals have limited control over who can access data on the transponder. In 2002, the U.S. Department of State proposed the adoption of an “electronic passport,” which embedded RFID transponders into U.S. passports for identification and document security purposes. In this paper, we use the U.S. Government’s adoption process for the electronic passport as a case study for identifying the privacy and security risks that arise by embedding RFID technology in everyday things. We discuss the reasons why the Department of State did not adequately identify and address these privacy and security risks, even after the government’s process mandated a privacy impact assessment. We present recommendations to assist government as well as industry in early identification and resolution of relevant risks posed by RFID technology embedded in everyday things. We show how these risks exist with many new and upcoming applications of embedded RFID in everyday things and how these applications can benefit from the recommendations for a more secure and privacy-preserving design.

Index Terms—RFID, e-Passport

Cite: Marci Meingast, Jennifer King, and Deirdre K. Mulligan, "Security and Privacy Risks of Embedded RFID in Everyday Things: the e-Passport and Beyond," Journal of Communications, vol. 2, no. 7, pp. 36-48, 2007.