RFID Rights

With all of the excitement last month about the Food and Drug Administration approving an implantable radio frequency identification device (RFID), it’s easy to forget that the first place that many Americans will encounter RFID is not in their arms, but at the gas pump, on their key chains, and at major retailers like Wal-Mart. While the FDA and healthcare establishment have been noodling around on the medical and ethical implications of implanting chips into people, other industries have been moving full-speed ahead.

RFID technology is already broadly deployed within the United States. Between the “proximity cards” that are used to unlock many office doors and the automobile “immobilizer chips” that are built into many modern car keys, roughly 40 million Americans carry some form of RFID device in their pocket every day. I have two: last year MIT started putting RFID proximity chips into the school’s identity cards, and there is a Phillips immobilizer chip inside the black case of my Honda Pilot car keys.

I’m a big fan of these two chips. The proximity chip lets me open doors at the MIT Stata Center by waving my wallet—I don’t even need to take the card out of my pocket. The immobilizer chip interlocks with an RFID reader that’s built into the steering column of my Honda: if the chip isn’t there, the car’s computer kills the ignition system and “immobilizes” the vehicle. According to several studies, these chips have had a significant impact on automobile theft over the past decade.

But the real interest in RFID today isn’t these proprietary devices, but rather the standardized Electronic Product Code (EPC) chips that were developed by the AutoID center and are now being overseen by EPCglobal, a trade organization. EPC tags are designed to replace today’s ubiquitous Universal Product Code (UPC) bar-codes, except instead of identifying the maker and kind of product, the 96-bit EPC code will give every package of razors, every box of pancake mix, and every shoe its own unique serial number. The tags, which operate in the unlicensed radio spectrum between 868 and 965 megahertz, can be read at a distance of many feet and through paper, fabric, and some plastics. And although the tags can cost as much as 25 cents today, when they are purchased by the million the cost plummets to 10 cents or less.

Two years ago, I called upon the RFID industry to adopt an RFID consumer “Bill of Rights” in which the industry would pledge to refrain from various nefarious practices, such as hiding RFID chips in clothing or other consumer products without notification and having secret RFID readers, as well as giving consumers the option of having chips deactivated in products that they purchase. Those recommendations are reflected in the “Guidelines on EPC for Consumer Products” on EPCglobal’s website. But these guidelines are significantly watered down from what I proposed.

For example, EPC guidelines say that consumers should have the right to know if an EPC tag is inside a product that is purchased, but they don’t have a right to know about the presence of readers in a store or other public place. Instead of giving consumers the right to have a tag removed or deactivated, the guidelines say that consumers merely have to be told whether they have such a right. When you look closely at the wording, it becomes clear that consumers don’t really have that right at all.

Things get worse. Instead of giving consumers a right to know what the RFID information is being used for, as I argued they should, EPCglobal’s policy simply calls for companies using EPC chips to publish their policies regarding “Record Use, Retention and Security” on their websites. A company could publish a policy saying that every RFID chip serial number is recorded, kept forever, and that this information is shared with the company’s business partners and government officials. Without actually explaining what the RFID information is used for, a company could nevertheless, be in full compliance with EPCglobal’s policy.

Meanwhile, the nation’s largest retailer, Wal-Mart, is moving full speed ahead with its plans to incorporate RFID into its business process. Last year, Wal-Mart announced that its top 100 suppliers would be required to put an RFID tracking device inside every pallet or case delivered to a Wal-Mart warehouse by January 2005. In theory, the RFID chip will let Wal-Mart track inventory as it moves through the supply chain. If 15 HP printers intended for a store in Pennsylvania accidentally get put on a truck bound for New York, Wal-Mart will know it and can either ship the printers back or update its inventory system with their new location. And if those 15 printers don’t get off the truck, Wal-Mart will have all the data that it needs to start an investigation.

Last November, Wal-Mart detailed its plans for RFID deployment at a meeting of its top 100 suppliers. Wal-Mart chief information officer Linda Dillman said that the company was working with two suppliers, wanted to expand quickly to 12 suppliers, and wanted to have a 100 percent read rate of items coming through its dock doors, according to an article in the RFID Journal.

In April 2004, Wal-Mart announced that its initial deployments of RFID were well underway. Eight early adopters—Gillette, Hewlett-Packard, Johnson & Johnson, Kimberly-Clark, Kraft, Nestle Purina PetCare, Procter & Gamble, and Unilever—were delivering a total of 21 products with RFID tags to the Wal-Mart regional distribution center in Sanger, TX. Test readers are also installed at seven pilot stores in the Dallas-Fort Worth area.

Wal-Mart has said that right now its tags are for internal use, not the checkout aisle. But three of the items in the test—two HP Photosmart photo printers and an HP ScanJet scanner—will have RFID tags built into product boxes. And this is potentially a problem, because these cases may be sent to stores that are not in the trial—a point that’s made clear in the company’s press release.

Wal-Mart has promised that the “outer packaging will be marked with an EPCglobal symbol” so that customers understand that the product they are purchasing contains an RFID tag. But stores that are not in the trial probably won’t have signs or handouts explaining what these symbols mean.

Should consumers be worried? Katherine Albrecht, founder and director of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), is one of the privacy activists leading the charge against RFID. In November 2003 Albrecht received international media attention when she revealed that Wal-Mart and Procter & Gamble had conducted a test of RFID-tagged Max Factor Lipfinity lipstick at a Wal-Mart store in Broken Arrow, OK. Albrecht and others claimed that, despite the company’s promises, consumers had not been properly notified that the lipstick boxes contained RFID tags. And earlier that year, Wal-Mart had canceled plans to test Gillette’s RFID-enabled “smart shelf” in Brockton, MA, after Albrecht had publicized the retailing giant’s plans.

“Wal-Mart is blatantly ignoring the research and recommendations of dozens of privacy experts,” said Albrecht this spring when Wal-Mart announced its early success with RFID. “When the world’s largest retailer adopts a technology with chilling societal implications, and does so irresponsibly, we should all be deeply concerned.”

Representatives from Wal-Mart and Procter & Gamble have repeatedly said that there was adequate notification inside the Broken Arrow store. And even though Wal-Mart admitts to canceling the trial in Brockton, the company insists that Albrecht had nothing to do with it. “There was no secret test. We discussed the concept with the supplier and we worked with the supplier to set up a prototype,” says Wal-Mart spokesperson Gus Whitcomb. “But we pulled the plug before it ever went live. I’m not sure you can publicly ‘reveal’ something that never took place.”

As far as the tags go, Whitcomb says, “The consumer has three choices: buy the product and keep the tag; buy the product and remove the tag anytime post-purchase; or don’t buy the product.”

EPCglobal’s predecessor, the Auto-ID lab at MIT, developed a technology that would allow EPC tags to be “killed” through the use of a specially coded radio command. At the RFID Privacy Workshop that I hosted last fall at MIT, NCR’s chief RFID advocate, Dan White, showed a video of EPC tags being deactivated in a specially created “killing chamber.” The theory at the time was that consumers would have a choice of having their tags killed in the store—and perhaps tags would be killed by marketers as a matter of course.

But as EPC technology starts its move from the laboratory to the marketplace, it’s becoming clear that attention to privacy niceties and even some forms of notice will increase the price of this technology. After all, it takes time to properly alert people to the presence of RFID. Wal-Mart might have had signs up at Broken Arrow, but at least some people at the stores who bought RFID-labeled products didn’t know that the products contained radio frequency tracking devices. MIT could have printed an RFID symbol on my ID card, but it didn’t; there was no requirement for it to do so. Honda doesn’t bother putting an RFID symbol on its car keys—this despite the fact that the keys can be read from 30 centimeters or more away using specialized equipment.

The problem of voluntary, industry-approved privacy standards is that they’re voluntary—companies don’t need to comply with them. And the very real danger facing the RFID industry is that a suspicious public will push for regulation of this technology. Although the industry has successfully killed legislation proposed earlier this year in California and Massachusetts, high-handed actions on the part of RFID-advocates will likely empower consumer activists and their legislative allies to pass some truly stifling legislation.