RFID Rights

The rush by Wal-Mart and other companies to put radio frequency identification devices in their goods could imperil consumer privacy.

Simson Garfinkel ’87, PhD ’05archive page

November 3, 2004

With all of the excitement last month about the Food and Drug Administration approving an implantable radio frequency identification device (RFID), its easy to forget that the first place that many Americans will encounter RFID is not in their arms, but at the gas pump, on their key chains, and at major retailers like Wal-Mart. While the FDA and healthcare establishment have been noodling around on the medical and ethical implications of implanting chips into people, other industries have been moving full-speed ahead.

RFID technology is already broadly deployed within the United States. Between the proximity cards that are used to unlock many office doors and the automobile immobilizer chips that are built into many modern car keys, roughly 40 million Americans carry some form of RFID device in their pocket every day. I have two: last year MIT started putting RFID proximity chips into the schools identity cards, and there is a Phillips immobilizer chip inside the black case of my Honda Pilot car keys.

Im a big fan of these two chips. The proximity chip lets me open doors at the MIT Stata Center by waving my walletI dont even need to take the card out of my pocket. The immobilizer chip interlocks with an RFID reader thats built into the steering column of my Honda: if the chip isnt there, the cars computer kills the ignition system and immobilizes the vehicle. According to several studies, these chips have had a significant impact on automobile theft over the past decade.

But the real interest in RFID today isnt these proprietary devices, but rather the standardized Electronic Product Code (EPC) chips that were developed by the AutoID center and are now being overseen by EPCglobal, a trade organization. EPC tags are designed to replace todays ubiquitous Universal Product Code (UPC) bar-codes, except instead of identifying the maker and kind of product, the 96-bit EPC code will give every package of razors, every box of pancake mix, and every shoe its own unique serial number. The tags, which operate in the unlicensed radio spectrum between 868 and 965 megahertz, can be read at a distance of many feet and through paper, fabric, and some plastics. And although the tags can cost as much as 25 cents today, when they are purchased by the million the cost plummets to 10 cents or less.

Two years ago, I called upon the RFID industry to adopt an RFID consumer Bill of Rights in which the industry would pledge to refrain from various nefarious practices, such as hiding RFID chips in clothing or other consumer products without notification and having secret RFID readers, as well as giving consumers the option of having chips deactivated in products that they purchase. Those recommendations are reflected in the Guidelines on EPC for Consumer Products on EPCglobals website. But these guidelines are significantly watered down from what I proposed.

For example, EPC guidelines say that consumers should have the right to know if an EPC tag is inside a product that is purchased, but they dont have a right to know about the presence of readers in a store or other public place. Instead of giving consumers the right to have a tag removed or deactivated, the guidelines say that consumers merely have to be told whether they have such a right. When you look closely at the wording, it becomes clear that consumers dont really have that right at all.

Things get worse. Instead of giving consumers a right to know what the RFID information is being used for, as I argued they should, EPCglobals policy simply calls for companies using EPC chips to publish their policies regarding Record Use, Retention and Security on their websites. A company could publish a policy saying that every RFID chip serial number is recorded, kept forever, and that this information is shared with the companys business partners and government officials. Without actually explaining what the RFID information is used for, a company could nevertheless, be in full compliance with EPCglobals policy.

Meanwhile, the nations largest retailer, Wal-Mart, is moving full speed ahead with its plans to incorporate RFID into its business process. Last year, Wal-Mart announced that its top 100 suppliers would be required to put an RFID tracking device inside every pallet or case delivered to a Wal-Mart warehouse by January 2005. In theory, the RFID chip will let Wal-Mart track inventory as it moves through the supply chain. If 15 HP printers intended for a store in Pennsylvania accidentally get put on a truck bound for New York, Wal-Mart will know it and can either ship the printers back or update its inventory system with their new location. And if those 15 printers dont get off the truck, Wal-Mart will have all the data that it needs to start an investigation.

Last November, Wal-Mart detailed its plans for RFID deployment at a meeting of its top 100 suppliers. Wal-Mart chief information officer Linda Dillman said that the company was working with two suppliers, wanted to expand quickly to 12 suppliers, and wanted to have a 100 percent read rate of items coming through its dock doors, according to an article in the RFID Journal.

In April 2004, Wal-Mart announced that its initial deployments of RFID were well underway. Eight early adoptersGillette, Hewlett-Packard, Johnson & Johnson, Kimberly-Clark, Kraft, Nestle Purina PetCare, Procter & Gamble, and Unileverwere delivering a total of 21 products with RFID tags to the Wal-Mart regional distribution center in Sanger, TX. Test readers are also installed at seven pilot stores in the Dallas-Fort Worth area.

Wal-Mart has said that right now its tags are for internal use, not the checkout aisle. But three of the items in the testtwo HP Photosmart photo printers and an HP ScanJet scannerwill have RFID tags built into product boxes. And this is potentially a problem, because these cases may be sent to stores that are not in the triala point thats made clear in the companys press release.

Wal-Mart has promised that the outer packaging will be marked with an EPCglobal symbol so that customers understand that the product they are purchasing contains an RFID tag. But stores that are not in the trial probably wont have signs or handouts explaining what these symbols mean.

Should consumers be worried? Katherine Albrecht, founder and director of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), is one of the privacy activists leading the charge against RFID. In November 2003 Albrecht received international media attention when she revealed that Wal-Mart and Procter & Gamble had conducted a test of RFID-tagged Max Factor Lipfinity lipstick at a Wal-Mart store in Broken Arrow, OK. Albrecht and others claimed that, despite the companys promises, consumers had not been properly notified that the lipstick boxes contained RFID tags. And earlier that year, Wal-Mart had canceled plans to test Gillettes RFID-enabled smart shelf in Brockton, MA, after Albrecht had publicized the retailing giants plans.

Wal-Mart is blatantly ignoring the research and recommendations of dozens of privacy experts,” said Albrecht this spring when Wal-Mart announced its early success with RFID. When the world’s largest retailer adopts a technology with chilling societal implications, and does so irresponsibly, we should all be deeply concerned.

Representatives from Wal-Mart and Procter & Gamble have repeatedly said that there was adequate notification inside the Broken Arrow store. And even though Wal-Mart admitts to canceling the trial in Brockton, the company insists that Albrecht had nothing to do with it. There was no secret test. We discussed the concept with the supplier and we worked with the supplier to set up a prototype, says Wal-Mart spokesperson Gus Whitcomb. But we pulled the plug before it ever went live. Im not sure you can publicly reveal something that never took place.

As far as the tags go, Whitcomb says, The consumer has three choices: buy the product and keep the tag; buy the product and remove the tag anytime post-purchase; or don’t buy the product.

EPCglobals predecessor, the Auto-ID lab at MIT, developed a technology that would allow EPC tags to be killed through the use of a specially coded radio command. At the RFID Privacy Workshop that I hosted last fall at MIT, NCRs chief RFID advocate, Dan White, showed a video of EPC tags being deactivated in a specially created killing chamber. The theory at the time was that consumers would have a choice of having their tags killed in the storeand perhaps tags would be killed by marketers as a matter of course.

But as EPC technology starts its move from the laboratory to the marketplace, its becoming clear that attention to privacy niceties and even some forms of notice will increase the price of this technology. After all, it takes time to properly alert people to the presence of RFID. Wal-Mart might have had signs up at Broken Arrow, but at least some people at the stores who bought RFID-labeled products didnt know that the products contained radio frequency tracking devices. MIT could have printed an RFID symbol on my ID card, but it didnt; there was no requirement for it to do so. Honda doesnt bother putting an RFID symbol on its car keysthis despite the fact that the keys can be read from 30 centimeters or more away using specialized equipment.

The problem of voluntary, industry-approved privacy standards is that theyre voluntarycompanies dont need to comply with them. And the very real danger facing the RFID industry is that a suspicious public will push for regulation of this technology. Although the industry has successfully killed legislation proposed earlier this year in California and Massachusetts, high-handed actions on the part of RFID-advocates will likely empower consumer activists and their legislative allies to pass some truly stifling legislation.