Politech mailing list archives

Previous By Date Next
Previous By Thread Next

Problems with FDA's proposal to do RFID tagging of drugs

From: Declan McCullagh <declan () well com>
Date: Mon, 23 Feb 2004 00:13:59 -0500
You can find the FDA final report here:
http://www.fda.gov/oc/initiatives/counterfeit/report02_04.html#radiofrequency
Use of mass serialization to uniquely identify all drug products intended for use in the United States is the single most powerful tool available to secure the U. S. drug supply. Mass serialization involves assigning a unique number (the electronic product code or EPC) to each pallet, case, and package of drugs and then using that number to record information about all transactions involving the product, thus providing an electronic pedigree from the point of manufacture to the point of dispensing. This unique number would allow each drug purchaser to immediately determine a drug's authenticity, where it was intended for sale, and whether it was previously dispensed. 

---

From: Marcel Waldvogel <marcel () wanda ch>
Date: Thu, 19 Feb 2004 15:42:39
To:dave () farber net
Cc:Steve Bellovin <smb () research att com>
Subject: Re: [IP] FDA suggests RFID tagging of drugs

Dave, Steve,

My interpretation of the appropriate sections in the FDA document seem
to use the RFID only passively: it will return its unique electronic
product code (EPC) for each query, and not using a challenge-response
scheme. My interpretation seems to be further supported by the
comparison of RFID to 2-D bar codes, which certainly are passive. Such a
use allows for easy copying of the EPC to counterfeit drugs. When the
system is to be used offline (which could be a goal; this is not
stated), it might even be possible to generate unique-looking EPCs.

Without a cryptographic challenge-response scheme, which would break
compatibility to other RFID systems and probably be too expensive to
manufacture, it does not provide any protection against counterfeiting.
It only makes customers carrying drugs easily identifyable, which will
aid in discrimination, tracking, and profile-building.

In summary, I expect the system to be completely BAD (Broken As
Designed). But nevertheless, I find it fascination how easily and
frequently even educated people attribute almost-magical properties to
technology.

-Marcel
http://marcel.wanda.ch/

Dave Farber wrote:

>Delivered-To: dfarber+ () ux13 sp cs cmu edu
>Date: Wed, 18 Feb 2004 22:25:01 -0500
>From: Steve Bellovin <smb () research att com>
>Subject: FDA suggests RFID tagging of drugs
>To: dave () farber net
>
>The FDA has released a report calling for the RFID tagging of
>pharmaceuticals to help defend against counterfeiting.  The word
>"privacy" barely occurs in the report -- there's simply a reference to
>HIPAA -- and it is not listed among the important unresolved issues.
>
>The report is at http://www.fda.gov/oc/initiatives/counterfeit/report02_04.html 
>
>
>               --Steve Bellovin, http://www.research.att.com/~smb
>


_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
Previous By Date Next
Previous By Thread Next

Current thread: