RealTime IT News

RFID Privacy Gap?

SAN FRANCISCO -- The drive to place RFID tags on consumer products is relentless, but IT leaders say public policy on how to use and secure the information they'll provide is lagging behind.

Where does consumer privacy fit into a world where every product has a unique IP address? It's a question that consumer goods companies and Federal regulators are only beginning to tackle. The issue was discussed Thursday during "Privacy Futures," a conference sponsored by the International Association of Privacy Professionals and online security software company, TRUSTe.

EPCglobal, a not-for-profit industry organization that is building a global network to track RFID tagged products, formed a public policy committee in March to examine how to balance privacy concerns with industry practices, but its work has just begun. The Federal Trade Commission will hold its first public workshop on RFID and privacy later this month.

Meanwhile, manufacturers are ramping up to meet a January 1, 2005 deadline from Wal-Mart, Target and the Department of Defense. These companies kick-started an RFID boom by requiring their top suppliers to tag all cases and pallets shipped to them.

EPCglobal Public Policy Committee chair Sandy Hughes, who is also Procter & Gamble's global privacy executive, said the committee is getting input to help with policy decisions. "At least we have a body now that's actually looking at it," she told the audience.

Consumer advocates formed the committee following protests over early attempts by retailers to use RFID to understand shopping behavior. Last year, Gillette tested the use of RFID tags to trigger cameras when shoppers removed razor blades from store shelves, while Procter & Gamble used a similar set-up with video cameras to watch consumers interact with packages of lipstick.

RFID could provide huge benefits for businesses that move materials and products through the supply chain. Businesses that go further than "slap and ship" hope to use the information provided by RFID tracking to improve manufacturing and warehousing operations, identify trends and spot glitches. HP, for example, plans to roll out RFID in all aspects of its global operations by the end of this summer and expects a quick payback.

But there are privacy issues at every stage of a product's movement, said Malcolm Crompton, head of Australian consultancy The Trust Dimension. In the warehouse, employers could analyze an employee's work patterns by how many pallets were handled in a given time, or track people's movements via tags embedded in their uniforms or badges. In stores, retailers could track consumers' movements by way of tags embedded in loyalty cards, as German retailer METRO Group did in a demonstration store. That trial ended following consumer protests.

Once products leave the store with RFID tags attached or embedded, they could create an "RFID cloud" around a person, said Beth Givens, director of the Privacy Rights Clearinghouse.

The RFID industry is considering several options to ease post-purchase privacy concerns, including a "kill" mechanism to completely or partly deactivate chips, making blocker chips available to consumers and providing authentication mechanisms.

"We have to learn from our mistakes and design in a privacy component as they build the tags," Crompton said. "For the industry to have to go back and say, 'Oops, we wish we had a kill switch' is a stunner."

P&G's Hughes admitted that privacy came late to the table. "A lot of people coming up with the technology were focused on testing the technology within their own little endeavor. Developing the technology was their job," she said. "There wasn't a big awareness about public policy. Now, were engaged and all working on it, and it will go faster."

Givens complained that there were no consumers or consumer advocates participating in EPCglobal's policy committee. "Just as the privacy implications of RFID have been considered as an afterthought, so has consumers' part in their policy taskforce," she said.

But companies have to take charge of engineering and keep informed of how engineering may affect consumer privacy, according to Nicole Wong, senior compliance counsel for Google.

"A lot of times, engineers put in code that they think has no ramifications just because it just makes the application run better," she said. "Privacy officers need to put the engineers in a room with a bright light shining in their faces and not let them out until they find out what information they're collecting."