California Scrutinizes RFID Privacy

Could tiny transponders embedded in everything from a can of cola to a package of razor blades to a shirt label be used to track consumers’ shopping habits — and invade their privacy?

On Monday, California’s Senate Subcommittee on New Technology will hold a hearing to look at whether embedding microchips in products could invade consumers’ privacy.

The subcommittee, chaired by Senator Debra Bowen (D-Redondo Beach), will hear from privacy advocates and representatives of industry associations about the uses — and potential misuses — of radio frequency identification (RFID) technology . Bowen became aware of the technology through her work with UCLA’s Institute for Pervasive Computing and Society (iPerCS). Greg Pottie, one of the leaders of the group, will speak at the hearing.

RFID allows for automatic collection of data similar to the way barcodes work. Instead of the printed barcode, a tiny transponder, called a tag, carries the data. An RFID reader, which can be handheld or fixed in place, transmits a low-power radio signal through its antenna. The radio signal powers a chip in the tag that causes it to connect and exchange data with the reader. The reader can then send the data on to the controlling computer, which matches the data against its database to figure out what the RFID tag says. The computer can use that data just like any other data source: It can make an entry in a database or cause an action to happen.

For example, in retail, the RFID tag typically would transmit the same kinds of product information that a barcode would: product cost, description, age, etc. That information could be used to update the retailer’s inventory database or to trigger a reorder. An RFID tag affixed to a security gate could automatically open to a vehicle bearing a tag with the access code.

But it’s the automatic function that has privacy advocates spooked. Remember the movie Minority Report, when Tom Cruise walks through the shopping mall and all the signs recognize him? Wouldn’t this be a great way for the government to, er, keep tabs on all its citizens? It could happen. But it would be really, really hard, according to Dan Mullen, interim CEO of the U.S. branch of the Association for Automatic Identification and Data Capture Technologies (AIM).

At the hearing, Mullen will brief the panel on RFID technology and assure them that his organization supports privacy. AIM announced its own privacy work group last month.

“We as an industry are very open to working on these issues,” he told “This is the perfect time to start developing these guidelines and principles.”

At this stage of the industry, the juice is in inventory tracking at the pallet level and above. An industry study conducted by A.T. Kearney estimated that $40 billion, or 3.5 percent of total sales, are lost each year due to supply chain information inefficiencies. RFID technology could help in plenty of ways. Shipping containers could display their contents via a tag, and warehouse personnel could simply drive around until they found the container they were looking for. Tags on pallets of merchandise could automatically send the time and date they passed through the warehouse door, assuring the shipper that all the pallets got where they were supposed to.

To say that RFID technology is just about inventory is “a very short-sighted perspective,” Beth Givens told Givens, director of nonprofit consumer information and advocacy group Privacy Rights Clearinghouse, will address the subcommittee on Monday.

“Eventually the unique radio frequency [of an RFID tag] could be attached to a personal identity,” Givens said. “At that time, it becomes personally identifiable information. The tracking and surveillance capabilities are very real and potentially very harmful.”

Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), a consumer information organization that focuses on invasive marketing techniques, has proposed legislation, The RFID Right to Know Act of 2003, that would require mandatory labeling to inform consumers when an item contains an RFID tag. It would also prohibit companies from linking the chips with personally identifying information. CASPIAN founder and director Katherine Albrecht told that a proposed universal database for product codes would create a unique identifier for each product. When a consumer bought a sweater, for example, the sweater’s RFID code might be associated with the credit card number, so that it could be tracked back to the person. When that person entered a store that had an RFID reader attached, someone with access to the universal database could theoretically know the identity of the person wearing the sweater — assuming it was the same person who had purchased it.

“Consumers have no way of knowing when they’ll be interacting with such a device that could have an impact on their privacy or their health,” Albrecht said.

On August 11, CASPIAN called for a boycott of Gillette because it is testing smart shelves that can sense when a product is removed from a shelf. In the UK, supermarket chain Tesco tested using RFID tags to trigger cameras to photograph shoppers removing Gillette razor blades from shelves, in an effort to prevent shoplifting, causing consumer protests.

Many major retailers in the UK are still planning to trial RFID, according to Deloitte Research analyst Paul Lee, including department store Marks and Spencers and clothing retailer Benetton.

“RFID’s acceptance by consumers will depend to a large extent on the ability to devise applications that directly benefit the consumer,” Lee said. “When RFID can instruct a washing machine or a dry cleaner how to wash a garment, or when RFID can program a microwave how to cook a prepared meal, then RFID will be taken to heart by consumers.”

RFID tags are still too expensive to attach to every product. However, like all electronics, they’re getting smaller and cheaper all the time. What really scares privacy advocates is Dust, Inc.. This Berkeley startup aims to produce RFID tags the size of a pinhead — or smaller. Scarier, they are self-installing. Instead of needing a reader to communicate, they can pass data along from one to another, creating an ad hoc mesh network. The company’s website promises “drop and play networking,” raising the specter of an unwitting person being smart-dusted and turned into a walking transmitter who could be tracked from far away. Executives at Dust, Inc. did not return repeated calls.

According to AIM, the infrastructure costs for a government entity to track all citizens would be astronomical, and a huge database would be needed to process all the data coming in as the person moved around. On the other hand, in September Oracle will unveil its 10G database, which is designed to take advantage of ultra-powerful grid computing and reportedly can scale to eight exabytes.

Given the Homeland Security Department’s appetite for high-tech tools and the headlong pace of tech innovation, privacy advocates say that nightmare scenario could become a reality.

News Around the Web