Risk is not always about security. For example, Bruce Schneier’s latest blog post, “in praise of security theater.”

While visiting some friends and their new baby in the hospital last week, I noticed an interesting bit of security. To prevent infant abduction, all babies had RFID tags attached to their ankles by a bracelet. There are sensors on the doors to the maternity ward, and if a baby passes through, an alarm goes off.

Infant abduction is rare, but still a risk. In the last 22 years, about 233 such abductions have occurred in the United States. About 4 million babies are born each year, which means that a baby has a 1-in-375,000 chance of being abducted. Compare this with the infant mortality rate in the U.S. — one in 145 — and it becomes clear where the real risks are.

And the 1-in-375,000 chance is not today’s risk. Infant abduction rates have plummeted in recent years, mostly due to education programs at hospitals.

So why are hospitals bothering with RFID bracelets? I think they’re primarily to reassure the mothers. Many times during my friends’ stay at the hospital the doctors had to take the baby away for this or that test. Millions of years of evolution have forged a strong bond between new parents and new baby; the RFID bracelets are a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight.

While these are all true statements and I completely agree, that’s not what I was told the RFID tags are primarily for.

When my daughter was born, I observed the same seeming security theater and asked the nurse what the point of it all was. After all, I observed, it would take me about 2 seconds to snip the tag off a baby and stuff that little bundle (and newborn babies are tiny) inside a coat, bag (half the people in a maternity ward are carrying some sort of gift, usually in a brightly-colored “gift bag”) and walk out of there.

They agreed that it would do very little to prevent a malicious attacker. If a baby was brought within range of the door’s sensor, the doors of the maternity ward were wired to mag-lock shut and an alarm would sound. Given the ease of removing the tag, however, that would do little to stop a malicious attacker.

The primary reason for the tags is to prevent accidental baby swaps. That the tags come in pairs with one assigned to the mother (non-RFID) and one to the baby (RFID). This has nothing to do with the RFID, but I was asked to verify the tags were a match at the moment of birth, then witnessed as the tag matching my wife’s was placed on our daughter.

Presto! Instant establishment of a verified chain of identity. Each time the baby was brought in, we were required to re-authenticate that she was, in fact, our child since during those first one to three days, babies tend to look pretty much alike other than race and, when naked anyway, gender. This is especially true if you’re a first-time parent and lack the recognition skills to tell one baby from another.

This chain-of-identity may have a reassuring effect on the parents, but the RFID function is not a component of it unless hospitals have begun incorporating automated checks into the chain-of-identity process.

Even trivial accidental baby swaps are a legal and Public Relations risk for hospitals. The cost of defending even a single lawsuit probably exceeds the annual cost of the RFID program by several multiples.

The RFID served two main purposes. The first was to ensure that no one accidentally carried a a baby where they weren’t supposed to be. Despite the big doors and signs to the effect of “No Babies Beyond this Point,” people are usually in some state of shock or excitement when a baby is born and manage to miss those signs. The RFID keeps those people from accidentally taking the baby outside the controlled space.

The second was to prevent those who selfishly think, “It’s my baby and I’ll take it where I want to,” or they want to show it to a larger group of family members and/or friends than are allowed to visit the mother in the hospital (It was no more than two or thee at once in my case). Their intentions are genuine, but once again, the RFID will activate the mag-lock and enforce the restriction on where the baby can be taken.

For the two most common malicious scenarios, the grab-and-run and the imposter, it might deter the grab-and-run attacker, assuming they don’t tear or cut the tag between the time they pick up the baby and the time they hit the door. For the imposter, this person dresses (usually) as a nurse, orderly, or other staff member and attempts to carry the baby out undetected. I seriously doubt that anyone who goes to that much trouble will forget to include cutting the RFID tag off. I might be wrong, but I’m glad I didn’t have to bet my child on it.

As Schneier accurately notes, the risk of malicious baby theft is extremely low, but given the unwillingness to accept risk by either party (parent or hospital) combined with the low cost of the countermeasure and other risk reduction benefits, the RFID tags make perfect sense in this case.

[…] Chandler Howell recounts a story of his daughter’s birth, and in particular the RFID bracelet attached to her ankle. The bracelet’s primary function is to sound an alarm when a tag travels outside a particular area, presumably to stop abductions. But Howell notes they’re also used as a means of identity authentication, since the tag placed on a baby matches up to a non-RFID tag its mother has. His bigger point is that while the risk of an abduction or an accidental baby swap is probably fairly low, nobody is willing to accept that risk, hence the utility of the tags. The example serves as a reminder that just because something carries low risk certainly doesn’t always mean that it’s not worth devoting considerable resources to protecting. […]