November 3, 2004

RFID Rights

Continued from page 2

By Simson Garfinkel

“Wal-Mart is blatantly ignoring the research and recommendations of dozens of privacy experts," said Albrecht this spring when Wal-Mart announced its early success with RFID. “When the world's largest retailer adopts a technology with chilling societal implications, and does so irresponsibly, we should all be deeply concerned.”

Representatives from Wal-Mart and Procter & Gamble have repeatedly said that there was adequate notification inside the Broken Arrow store. And even though Wal-Mart admitts to canceling the trial in Brockton, the company insists that Albrecht had nothing to do with it. “There was no secret test. We discussed the concept with the supplier and we worked with the supplier to set up a prototype,” says Wal-Mart spokesperson Gus Whitcomb. “But we pulled the plug before it ever went live. I’m not sure you can publicly ‘reveal’ something that never took place.”

As far as the tags go, Whitcomb says, “The consumer has three choices: buy the product and keep the tag; buy the product and remove the tag anytime post-purchase; or don't buy the product.”

EPCglobal’s predecessor, the Auto-ID lab at MIT, developed a technology that would allow EPC tags to be “killed” through the use of a specially coded radio command. At the RFID Privacy Workshop that I hosted last fall at MIT, NCR’s chief RFID advocate, Dan White, showed a video of EPC tags being deactivated in a specially created “killing chamber.” The theory at the time was that consumers would have a choice of having their tags killed in the store—and perhaps tags would be killed by marketers as a matter of course.

But as EPC technology starts its move from the laboratory to the marketplace, it’s becoming clear that attention to privacy niceties and even some forms of notice will increase the price of this technology. After all, it takes time to properly alert people to the presence of RFID. Wal-Mart might have had signs up at Broken Arrow, but at least some people at the stores who bought RFID-labeled products didn’t know that the products contained radio frequency tracking devices. MIT could have printed an RFID symbol on my ID card, but it didn’t; there was no requirement for it to do so. Honda doesn’t bother putting an RFID symbol on its car keys—this despite the fact that the keys can be read from 30 centimeters or more away using specialized equipment.

The problem of voluntary, industry-approved privacy standards is that they’re voluntary—companies don’t need to comply with them. And the very real danger facing the RFID industry is that a suspicious public will push for regulation of this technology. Although the industry has successfully killed legislation proposed earlier this year in California and Massachusetts, high-handed actions on the part of RFID-advocates will likely empower consumer activists and their legislative allies to pass some truly stifling legislation.