RFID Product News ST Media RFID Product News

Private Eyes Are Watching You

A Q & A session with leading RFID and privacy experts

Katherine Albrecht

Liz McIntyre

Nicholas Chavez

Elliot Maxwell

By Eric Van Osten
Managing Editor

Since RFID's beginnings in the 1940s, RFID applications have grown to include personnel security, toll systems, animal identification, container tracking, and much more. As mandates from the DoD and powerful mass market retailers escalate and RFID tags infiltrate supply chains all over the world, benefits are being realized in ways never before imagined.

But not everybody is a fan. Consumer privacy groups have sprung up in opposition to RFID because of its perceived potential to allow the government, marketers, or other unscrupulous organizations or individuals to track and profile people against their will. The argument is that when item-level tagging takes off, everyone's every possession could be recorded in a database and tracked for the rest of its life (from manufacturer to trash dump). This kind of tracking allows for the possibility that consumers themselves could be tracked in association with what they buy, wear, carry, and interact with every day.

In the fall of 2005, Katherine Albrecht, Founder and Director of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN, www.spychips.com) and Liz McIntyre, CASPIAN's Communication Director, released the book Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID. The book climbed to the top of the nonfiction bestseller charts and launched a wave of disapproval from supporters of the RFID industry. Nicholas Chavez, President of RFID, Ltd., was one of several vocal critics. His rebuttal to the book is outlined, chapter by chapter, in The Original Spychips Rebuttal (www.packagedrfid.com/spychips_rebuttal.pdf).

Albrecht spoke at the Truth in Technologies forum in Long Island, NY, around the same time as the book's release. Also speaking about policy issues was Elliot Maxwell (www.emaxwell.net), a consultant to private and public sector clients on strategic issues involving the intersection of business, technology, and public policy in the Internet and electronic commerce domains, and a Fellow at Johns Hopkins University. Maxwell agreed that RFID raises a number of concerns but argued that the potential benefits far outweigh the potential problems. He stressed that the application of the principles underlying fair information practices, the development of new technological features aimed at increasing customer choices, and the provision of consumer education were preferable to trying to limit the technology. Moreover, many important social benefits, such as improved tracking of toxic materials or new home health care applications, would be lost if all tags were required to be deactivated.

RFID Product News asked these vocal experts—CASPIAN's Albrecht and McIntyre, RFID Ltd.'s Chavez, and Elliot Maxwell—to answer a few questions about the subject of privacy.

Please summarize your position on the issue of privacy protection in relation to RFID.

Albrecht and McIntyre: As we spell out in our book Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID, we are not big fans of legislation as a way to solve consumer privacy problems, and we believe the free market should be the final arbiter of RFID. In order for the free market to do its work, consumers need to understand the implications of the technology and know what products contain RFID tags. Since these tags can be so easily hidden in everyday objects on store shelves, we believe it is appropriate to require labeling so consumers can make educated decisions necessary for the free market to work. According to industry studies, the majority of consumers object to RFID on privacy grounds. If they refuse to buy items from retailers and manufacturers promoting the technology, then companies would be forced to honor the wishes of the majority.

Chavez: The issue of "privacy protection" in relation to RFID is a battle for the minds and verbalized opinion of those few people who are interested in the application of the technology beyond profit. These people are influencers and tend to have a wide social network that spans the globe; people find them credible and reliable. These are the people who will form opinions for the majority of the population, who will readily adopt it. This is the primary reason for my personal effort to combat the entertaining but far-fetched untruths that are being spread about RFID technology and its related industry.

Maxwell: It should be remembered that many of these privacy issues are the same ones that have been raised over the last quarter century concerning the gathering, processing, and distribution of data that contains personally identifiable information. Most are not specific to RFID, so we can and should look to the good work done by governments, businesses, and civil society to develop the principles of fair information practices designed to protect personally identifiable data however it is gathered, processed, or stored. The special privacy issues regarding RFID are based on the use of radio transmissions between tags and readers and the fact that there is no notice of when the chip is being read. We need to work to develop and apply technology and good security practices to deal with the potential problem of unauthorized interception of these transmissions. This, combined with the application of the principles of fair information practices concerning notice, choice, consent, minimization, access, security, and accountability would provide a solid foundation for dealing with RFID and related privacy concerns.

Deactivation and data encryption are two capabilities that many RFID tags now feature for protecting the privacy of the consumer. What other similar features now exist or are on the way, and will any of these offer enough privacy protection in your opinion?

Albrecht and McIntyre: Deactivating RFID tags at checkout will do nothing to protect consumers while they are in stores. The privacy invasions involving RFID to date have happened well before consumers have reached checkout and a place where they can deactivate chips. One example we lay out in Spychips is the Gillette® "smart shelf" that secretly took mug shots of consumers as they picked up RFID-tagged Mach 3 razor blades. What's more, it would be foolish to allow everything to be tagged and rely on point-of-sale deactivation as our only safeguard against abuse. All it would take is another terrorist incident and the stroke of a bureaucrat's pen to eliminate the deactivation option and demand that chips remain live. If that were to happen, we could wake up to an instant surveillance society.

Of course, encryption will make it more difficult for the average criminal to use RFID to commit crimes or to compromise RFID systems and databases, but criminals are only part of the problem. Our bigger concern is abuse by companies and organizations that have legitimate access to those databases. IBM, Procter & Gamble, and NCR have all developed ways to silently identify and track consumers through RFID tags in the things they wear and carry. They spell out these plans in detail in sworn patent applications on file with the U.S. Patent and Trademark Office. IBM has even suggested scanning RFID tags linked with personal information to identify people in public spaces like shopping malls, libraries, museums, and even restrooms in its pending patent titled "Identification and Tracking of Persons Using RFID-Tagged Items." While obviously not all patent filings become reality, such patents do provide insight into how major corporations are thinking about using RFID's tracking and surveillance capabilities.

Chavez: IBM researchers introduced an RFID tag concept that can be deactivated by simply scratching the conductive ink off of the tag in a motion similar to what a consumer would use to reveal hidden numbers in a lottery scratch-game.

This concept would be excellent for application to consumer-packaged goods. This and other conceptions coming out of the RFID industry offer "enough protection" as they offer utter protection. A reader cannot read a tag that does not broadcast a signal.

Maxwell: There are many technological avenues being explored to increase protection for information and to promote privacy and security. Much of that work is aimed at securing the transmission and storage of information derived using any technology, not just RFID. Other work is aimed at the use of radio waves by readers and tags such as a recent announcement of a scheme that would allow consumers to shorten the read range of a tag by reducing the size of the tag's antenna. Other methods being explored include partial deactivation of the tags, creating an "on-off" switch for them, randomization of the information passed by the tag, some means for authenticating and authorizing readers, as well as the use of blocker tags that would broadcast multiple tag identities to confuse an unauthorized reader. People have even suggested wearing inexpensive sensors that would detect an attempt to read a chip that you are carrying.

I am confident that there will be a range of technological choices available which will provide greater control for people. But each method will have pros and cons and will raise costs or decrease efficiency. In choosing technological fixes we should be mindful of the risks and be sure the costs are justified by the benefits. But technological means are only part of a solution that needs to include good privacy and security policies and practices and consumer education.

What laws or regulations do you think need to be created to protect the privacy of consumers?

Albrecht and McIntyre: We have been seeking labeling legislation since 2003 that would alert consumers to the presence of RFID tags in the things they buy and interact with. We also support legislation to limit the government's use of RFID in government-issued documents, and legislation that would make it a crime to implant an individual with an RFID device without that individual's express consent.

Labeling is a crucial component of consumer choice. We believe that once consumers know that a product contains one or more RFID tracking devices, many will choose to switch to spychip-free brands. We also believe many consumers will prefer to shop at spychip-free stores, given the option. We have already heard from consumers around the world who have vowed to give up products they love to send a clear message to companies: "No spychips." They've written to say they're giving up Procter & Gamble products like Tide laundry detergent and Crest toothpaste, boycotting Gillette shaving products, and passing by their local Wal-Mart and Tesco stores to shop at more privacy-friendly alternatives.

Chavez: AIM Global has instituted an image called the "RFID Emblem" that acts as a visual indicator to consumers and retail workers to help them find and identify the presence (and type) of RFID tag in a label, tag, or item. This is the sufficient self-regulation of a responsible industry.

Maxwell: I think we need to be careful about any legislation focused on a specific technology like RFID. Most of the issues raised regarding RFID are about the possible misuse of personally identifiable information; this is a broader problem and usually does not depend on what technology is employed. Moreover, we are very early in the development of pervasively deployed RFID.

RFID might be described as an infrastructural technology, like the Internet. Infrastructural technologies are limited in their applications only by the imagination of innovators; premature legislation, passed before we know more about both benefits and concerns, may foreclose valuable applications. If technological solutions, consumer education, and the development of best practices and industry accountability do not work to protect privacy in the private sector, legislation or regulation may be needed. Legislation or regulation might be appropriate in those cases where individuals have no choice about their involvement with RFID, such as with governmental usage, but this too needs to be carefully considered as to whether there is a broader issue than RFID use.

Besides consumer goods, RFID technology can be beneficial in other applications (preventing drug counterfeiting and reducing tampering, alerting staff to "wandering" patients in retirement homes, locating lost children in public places, and finding stray animals). Do you believe these positive uses can counter skepticism about the privacy invasion of RFID?

Albrecht and McIntyre: It's a two-sided coin. We have to ask ourselves if it is worth risking our privacy, civil liberties, and possibly our health for the benefits afforded by RFID. CASPIAN does not oppose the use of RFID in warehouses and storerooms. (We'll leave the labor and employee health concerns to someone else.) It's when the technology crosses into public spaces and people interact with it involuntarily that we take issue. We believe that consumers should make their own decisions about RFID and not be forced to carry, wear, and interact with RFID without their expressed knowledge and consent.

Chavez: Without regard to the potential benefit of any application, uninformed contrarians will always present a "what-if" scenario that shadows the good with negative overtones intended to create fear. It is well accepted that humans fear that which they do not understand.

Making credible information publicly available is the singular technique that the RFID industry can use to calm some baseless fears engendered by certain privacy activists. Of course, the audience must truly desire to educate themselves regarding the truth; and unfortunately, desire for knowledge is not something we've seen a lot of outside of the retail and public sectors.

Maxwell: There are numerous good uses of RFID tags. Others will emerge as creative minds think of new ways to employ the technology—it seems a new application emerges almost every day. The fact that there are good applications doesn't mean that we should ignore privacy issues; we need to both foster innovation using RFID at the same time we try to think creatively about how to promote privacy and security. We can do both.

We need to look carefully at each application and determine whether it raises any issues; we can then judge the risk and find solutions that are technologically and economically viable. Those who talk only about the benefits and those who talk only about the risks don't really help; what we need is to find ways to actually get the benefits without damaging the privacy interests that deserve protection.

© 2003-2008 ST Media Group International. All rights reserved.
Reproduction in whole or in part is prohibited without consent from publisher.