The Bloor Perspective: RFID, crazy California law and smut in Iran

Radio frequency identification (RFID) tags have been much in the news lately, touted as the technology to finally enable total visibility into supply and value chain operations. Their use is predicted to increase efficiencies, reduce costs and provide the final word in security. RFID tags are a new generation of electronic bar codes that can transmit and receive data wirelessly. A huge amount of information can be stored on such tags - vastly more than on the traditional bar code. To read this information, adaptive agents are required - essentially small software packages that can analyse the information stored on the tag.

As RFID tags can be read remotely by a wireless device, they can be used in all sorts of environments. With this capability, tags can be fitted to products and the movement of that product can then be traced from the manufacturing plant, through transportation and storage, right down to when the product is placed on a shelf in a shop.

Companies have been experimenting with the use of RFID tags for a number of years now. For example, British Airways started experimenting with tracking customers' baggage back in 1998.

But it is only recently that momentum is growing and companies are moving past trials. Over the past year vendors such as Microsoft and SAP have announced that their supply chain products will support the tags. But the greatest push may come from the US government in its initiatives to beef up container security - it has said that it may require that highly secure electronic tags, most likely incorporating RFID technology, to trace all containers.

Evidence is also emerging that RFID tags can be used to streamline warehousing and distribution operations. Tags can be fitted to reusable pallets that can be more easily fitted into containers. In a trial in Spain, Procter & Gamble found that such tags allowed it to boost throughput at its transport loading docks - eliminating mistakes as the contents of containers could be more accurately identified. It found that pallets could be loaded 40 per cent faster using RFID as opposed to bar codes.

One area of concern remains - if they can be used to track products, they can also be used to track people. Clothing retailers that have proposed fitting RFID tags to their clothes have caused concern that whoever buys those clothes can be traced forever after. There needs to be an effective way not only of removing, or turning off the tags, but of convincing the customer that they are no longer active. *Security: California dreamin'*

We just love it when legislation takes on popular issues and threatens to bring evolution to a grinding halt. Only in California can people expect to have 100 per cent security and 100 per cent knowledge. Legislation in California that requires companies to reveal vulnerabilities on their enterprise networks has just become official. Customers must also be alerted when networks are breached and sensitive data is stolen - all in the attempt to reduce identity theft.

Here we have a clear example of legislators failing to grasp the issue and throwing it to the vendors with a message something along the lines of "You created this problem, you sort it out."

So what is going to happen? Well, the first thing is that it will not reduce identity theft. Why? Because you don't have to hack a website to steal someone's identity.

Will it help reduce fraud? Probably not, because the decision to accept or reject a transaction has noting to do with being hacked.

Do we know we are secure? No. We make the best attempts we can, according to good practice. The next surprise is waiting just around the corner.

What is glaringly obvious is that the legislation does not set a hurdle over which retailers must jump. For example, the website operator must be accredited to ISO17799 or NIST 800-26. Without this, there is no realistic way to achieve the legislators' hope, that the regulation will be a model for national legislation.

The other bizarre aspect of this regulation is because it does not set a measurable independent hurdle, it assumes that the public will understand what the retailer is doing in terms of security and whether that is adequate for the consumer to be happy to make a credit card purchase.

Part of the problem resides in the fact that retailers have created unrealistic expectations and confusion when they say they operate a secure site because they use SSL. As any schoolboy knows, this does not represent security. Breaches occur where back-end security is poorly implemented and maintained.

The regulation currently applies to any company that stores data electronically and does business in California. Companies must alert customers whenever "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person".

The plus side of the regulation is that if there is a breach, consumers have to be advised that their personal information, such as credit card details, may have been put at risk.

California's new regulation contrasts with the Bush administration's hands-off treatment of the technology industry. It wants to see the ecommerce industry develop unhampered, allowing market forces to improve security rather than revert to legislation.

*The Iranian block*

Iranian internet 'porn' may be extremely mild by web standards but it doesn't amuse the mullahs of Iran.

Consequently, like China six years ago, Iran is trying to censor the web. For China, it was a matter of blocking the critical political websites. As Chinese use of the web has grown this has become less effective but still the rearguard action continues.

Iran is trying to stem a similar tide. It wants to block access to 'degenerate' websites which means those that are politically or morally unacceptable. In Shiite Islam sexual morality appears to be political anyway, so I guess it's the same thing. To be fair it also means sites that are deemed damaging to other Shiite values, including those that promote gambling, drugs, drinking and smoking.

In order to implement the censorship, the mullahs send lists of the banned websites - already more than 100,000 - to the 300 or so ISPs in Iran who are obliged to prevent access. There are problems with this.

First, Iranian ISPs are not well-equipped with the filtering software that they need, and hence they get it wrong, do it slowly or both. Second, the web is organic, growing daily, so new 'degenerate' sites regularly emerge and resurrections of banned sites spring up in new places. Third, the mullahs have no way of preventing seditious behaviour of any kind by email or in chat rooms.

None of this would matter much if the Iranian internet population were miniscule. Actually, it is not huge - about 8 per cent of the population - but it is concentrated among the students and under 30s who make up about 80 per cent of the Iranian population as a whole. Recently when there were popular protests in Tehran, the newspapers gave limited coverage. The student websites became the only medium that reported the incidents in any detail. The mullahs have not yet tried to suppress these sites. Neither have they acted against some of the top portals, half of which either carry Iranian internet porn or have links that point to it.

Like China, Iran has started a battle that it cannot win. However in its case, the US technology that China deployed to help quell the information tide is not available. And the US is never going to make it available either.

Bloor Research is a leading independent analyst organisation in Europe. You can find out more at www.bloor-research.com or by emailing mail@bloor-research.com.