November 3, 2004

RFID Rights

The rush by Wal-Mart and other companies to put radio frequency identification devices in their goods could imperil consumer privacy.

By Simson Garfinkel

With all of the excitement last month about the Food and Drug Administration approving an implantable radio frequency identification device (RFID), it’s easy to forget that the first place that many Americans will encounter RFID is not in their arms, but at the gas pump, on their key chains, and at major retailers like Wal-Mart. While the FDA and healthcare establishment have been noodling around on the medical and ethical implications of implanting chips into people, other industries have been moving full-speed ahead.

RFID technology is already broadly deployed within the United States. Between the “proximity cards” that are used to unlock many office doors and the automobile “immobilizer chips” that are built into many modern car keys, roughly 40 million Americans carry some form of RFID device in their pocket every day. I have two: last year MIT started putting RFID proximity chips into the school’s identity cards, and there is a Phillips immobilizer chip inside the black case of my Honda Pilot car keys.

I’m a big fan of these two chips. The proximity chip lets me open doors at the MIT Stata Center by waving my wallet—I don’t even need to take the card out of my pocket. The immobilizer chip interlocks with an RFID reader that’s built into the steering column of my Honda: if the chip isn’t there, the car’s computer kills the ignition system and “immobilizes” the vehicle. According to several studies, these chips have had a significant impact on automobile theft over the past decade.

But the real interest in RFID today isn’t these proprietary devices, but rather the standardized Electronic Product Code (EPC) chips that were developed by the AutoID center and are now being overseen by EPCglobal, a trade organization. EPC tags are designed to replace today’s ubiquitous Universal Product Code (UPC) bar-codes, except instead of identifying the maker and kind of product, the 96-bit EPC code will give every package of razors, every box of pancake mix, and every shoe its own unique serial number. The tags, which operate in the unlicensed radio spectrum between 868 and 965 megahertz, can be read at a distance of many feet and through paper, fabric, and some plastics. And although the tags can cost as much as 25 cents today, when they are purchased by the million the cost plummets to 10 cents or less.

Two years ago, I called upon the RFID industry to adopt an RFID consumer “Bill of Rights” in which the industry would pledge to refrain from various nefarious practices, such as hiding RFID chips in clothing or other consumer products without notification and having secret RFID readers, as well as giving consumers the option of having chips deactivated in products that they purchase. Those recommendations are reflected in the “Guidelines on EPC for Consumer Products” on EPCglobal’s website. But these guidelines are significantly watered down from what I proposed.

For example, EPC guidelines say that consumers should have the right to know if an EPC tag is inside a product that is purchased, but they don’t have a right to know about the presence of readers in a store or other public place. Instead of giving consumers the right to have a tag removed or deactivated, the guidelines say that consumers merely have to be told whether they have such a right. When you look closely at the wording, it becomes clear that consumers don’t really have that right at all.