This story is filed under Economic Challenges, Science & Technology.
This segment was made available on Thursday, May 6th, 2004.

Web Salon: RFID, Privacy vs. Efficiency


Dubbed by one skeptical journalist as “Big Brother in small packages,” RFID chips are tiny transponders that can be attached to almost any consumer good.

While companies are set to use these radio frequency identification tags to track their merchandise from assembly line to warehouse to store shelf, privacy watchdogs suggest these same RFID tags could be used to keep tabs on consumers — beyond the confines of a store or supermarket.

Here to discuss the potential benefits and risks associated with RFID technology are Prof. Shyam Sunder of the School of Management at Yale University, Chris Hoofnagle, associate director of the Electronic Privacy Information Center, Lee Tien, senior staff attorney at the Electronic Frontier Foundation, technology journalist Xeni Jardin and Dr. Daniel Engels of the MIT Auto-ID Labs.

Jose Marquez, California Connected
re: Is knowledge power?

Greetings.

Having just come across the motto for the Auto-ID Labs, “Identify Any Object Anywhere Automatically,” I can see how the introduction of RFID tags might make those wary of surveillance nervous about an Internet of things.

But with RFID tags, the information in question — the location of a particular good — is an extension of a commercial transaction; one in which the consumer willingly enters into an exchange with a vendor.

Moreover, like paper receipts, which are disposable, RFID tags can also be removed or deactivated by the consumer.

My first question is thus, simply: Why worry?

If RFID tags allow companies to distribute their merchandise more efficiently or, even, cater their advertising to shoppers, how does the consumer lose out from this innovation?

Likewise, are there not enough safeguards in place to ensure that RFID will not be abused by those who wish to “identify objects anytime, anywhere” to which they have no legitimate association?

Dr. Daniel Engels, MIT Auto-ID Labs
re: Consumers have the power

The use of RFID systems within the supply chains of suppliers, manufacturers, and retailers will enable all participants within the supply chain to improve their efficiencies, decrease their costs, and innovate to create new services and revenue opportunities. The consumer benefits from these improved efficiencies and new services with (hopefully) lower prices, improved on-shelf availability of products, and better services.

Consumers will always have the right to deactivate RFID tags that may be affixed to products they purchase. The EPC RFID protocols being required by Wal-Mart allow for the electrical disabling of the tags. Thus, the tags do not need to be physically removed or destroyed to be permanently deactivated.

A person always has the right to deactivate an RFID tag that they own.

The RFID tags mandated for use within Wal-Mart, just like many other commonly used RFID tags, are promiscuous. That is, they will communicate with any reader that attempts to communicate with them. The use of promiscuous tags puts the onus on the readers and the environmental monitors to detect the operation of unauthorized readers. This enables the facility owners to protect against unauthorized reads.

Consumers that wish to enjoy the benefits of RFID systems will utilize higher functionality, higher cost non-promiscuous RFID tags to protect against the unauthorized communication with their tags.

Chris Hoofnagle, Electronic Privacy Information Center
re: Reasons to worry

But with RFID tags, the information in question — the location of a particular good — is an extension of a commercial transaction; one in which the consumer willingly enters into an exchange with a vendor.

Greetings,

The problem with privacy is that many companies are continually lowering the lowest common denominator, and so arguments about choice seem reasonable on their face, but don’t work in reality. One example is Amazon.com, which operates one of the most privacy-invasive business models on the web. If one wants to compete with Amazon, they have to engage in privacy practices as bad as or more invasive than Amazon’s. And thus customers end up as part of a downward spiral of more and more invasive practices.

Supermarket savings cards are a great example. It is growing increasingly difficult to find stores without them, and in studies conducted by the Wall Street Journal, it was shown that stores without the cards give better discounts. So what you have is discounts that you would have normally received, but that now come on the condition that you give up your digits.

My first question is thus, simply: Why worry?

The risk here in part is due to transparency problems. American businesses are notoriously secretive about what they really do with personal information. I don’t think we know even the basics of companies’ plans to use this information. And we do know that RFID has been deployed in such a way that a consumer cannot detect it. We can bet that we will be held in the dark as much as possible when it comes to RFID.

If RFID tags allow companies to distribute their merchandise more efficiently or, even, cater their advertising to shoppers, how does the consumer lose out from this innovation?

I think there are great benefits to using RFID in the supply chain. The line is crossed, however, when deployed in the consumer market. Consumers are also expressing increased resistance and frustration with targeted advertising. It’s often forced upon us by people who say “it benefits you.” We’re trying to give people a choice to see whether they want it in the first place.

Likewise, are there not enough safeguards in place to ensure that RFID will not be abused by those who wish to “identify objects anytime, anywhere” to which they have no legitimate association?

The basic problem with RFID is that it is a promiscuous technology. The tags will “speak” to any reader, whether it is owned by the issuer of the tag or not. This fundamental problem with the technology is going to limit its security and effectiveness if deployed amongst consumers. I could install my own RFID reader and read your tags anytime. And even if the data on the tag is encrypted, I still get the raw data, which probably is unique and can be used to track you.
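The linkability point above, as an added example that is not part of the salon discussion: a promiscuous tag whose reply is a fixed string can be correlated across readers even when that string is ciphertext, because the observer does not need to decode it, only to notice it is the same each time. The tag population, reader locations, issuer key and the two response schemes below are constructed for the illustration and do not model the real EPC protocol.

```python
"""Added example (not from the salon transcript): why a static tag
identifier lets reads be correlated even when its contents are encrypted.

The reader log, tag population and locations are constructed for the
illustration; the only property borrowed from the thread is that a
promiscuous tag answers every reader, legitimate or not, in the same way.
"""
import hashlib
import hmac
import os
from collections import defaultdict

# Hypothetical issuer key. An observer running their own reader never holds it.
ISSUER_KEY = b"issuer-secret-key-constructed-for-demo"
NONCE_LEN = 16


def static_response(epc: bytes) -> bytes:
    """A tag that 'encrypts' its EPC with a fixed key and no per-read randomness.
    The observer cannot decode the reply, but every read yields identical bytes."""
    return hmac.new(ISSUER_KEY, epc, hashlib.sha256).digest()


def randomized_response(epc: bytes) -> bytes:
    """A tag that mixes a fresh nonce into each reply (one construction of the
    'higher functionality' tag Engels alludes to; the construction itself is an
    assumption). An outside reader sees fresh bytes each time and cannot link reads."""
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(ISSUER_KEY, nonce + epc, hashlib.sha256).digest()
    return nonce + tag


def issuer_identify(response: bytes, issued_epcs):
    """The legitimate reader (holding ISSUER_KEY) identifies a randomized reply by
    recomputing the MAC over each EPC it issued. Linear scan; fine for a demo."""
    nonce, tag = response[:NONCE_LEN], response[NONCE_LEN:]
    for epc in issued_epcs:
        expected = hmac.new(ISSUER_KEY, nonce + epc, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return epc
    return None


def simulate_reads(responder, epcs, locations):
    """Walk every tag past a reader at every location; return the observer's log
    as (location, raw_response) pairs, which is all a keyless reader obtains."""
    return [(loc, responder(epc)) for loc in locations for epc in epcs]


def linkable_identifiers(log):
    """What an observer with no key can do: group reads by identical response and
    report which responses were sighted at more than one location."""
    seen_at = defaultdict(set)
    for loc, resp in log:
        seen_at[resp].add(loc)
    return {resp: locs for resp, locs in seen_at.items() if len(locs) > 1}


def count_tracked(responder, epcs, locations) -> int:
    """Number of tags whose movements the keyless observer can follow."""
    return len(linkable_identifiers(simulate_reads(responder, epcs, locations)))


# Constructed sample population and reader sites.
EPCS = [b"shirt-0001", b"shoes-0002", b"sprinkler-0003"]
LOCATIONS = ["store-exit", "bus-stop", "office-lobby"]

if __name__ == "__main__":
    print("static-response tags tracked across locations:",
          count_tracked(static_response, EPCS, LOCATIONS))      # 3
    print("randomized-response tags tracked across locations:",
          count_tracked(randomized_response, EPCS, LOCATIONS))  # 0
    print("issuer still identifies a randomized reply:",
          issuer_identify(randomized_response(EPCS[0]), EPCS))  # b'shirt-0001'
```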

Prof. Shyam Sunder
re: Preventing abuses

At this stage, I would not worry about RFID on merchandise as long as it stays in the commercial and industrial supply chains. The big boys can look after themselves with respect to privacy, and achieve whatever efficiency gains are possible.

When the merchandise is transferred to the consumer (e.g., sale or delivery), the balance between efficiency and privacy changes. At this time, RFID should be removed as the default option. The merchant may offer consumers the opportunity to opt-in to keep the RFID on. Opt-in is far more desirable than opt-out mechanisms until we gain experience with the technology. Such opt-in is a must for promiscuous RFIDs to protect privacy of the consumer.

Whether or not the consumer gets to opt-in at the time of purchase, the RFID tag should be (1) easily visible on product, not hidden, and (2) easy for the consumer to deactivate without specialized equipment or complicated procedures.

Lee Tien, Electronic Frontier Foundation
re: More reasons to worry

But with RFID tags, the information in question — the location of a particular good — is an extension of a commercial transaction; one in which the consumer willingly enters into an exchange with a vendor.

First, the privacy threat isn’t only with commercial transactions — governments are looking at many uses of RFIDs. I think the odds are high that state DMVs will want to put RFIDs into driver’s licenses, for instance. Embedding RFIDs into currency is definitely being considered in the EU.

Second, there are lots of privacy issues today associated with commercial transactions. Just what does the consumer agree to? Does the consumer know what’s going to happen with his or her personal information?

Put another way, I wouldn’t assume that the current baseline of commercial transactions is “good” or even “OK” from a privacy standpoint. I think the current concern over identity theft, telemarketing, spam, financial privacy, and so on, is a strong indication that the status quo is problematic.

Moreover, like paper receipts, which are disposable, RFID tags can also be removed or deactivated by the consumer.

One of the major issues with RFID tags is notice (one of the basic fair information principles).

How will consumers know that RFID tags are in their items? And if they know that RFIDs are present, will they know how to remove or deactivate them?

It’s not clear to me that retailers or manufacturers will have the incentive to tell consumers. If we assume (and the available polling evidence suggests) that consumers are wary of RFID-tagged goods, there’s some incentive to hide the fact that there are RFIDs. One could argue that there’s an opposite incentive as well, on the assumption that consumers may be more offended if they feel they’ve been deceived. But there is a strong tendency in the commercial world to hide this kind of information, whether or not it’s rational for companies to do so. Companies are often reluctant to disclose in detail what they do with consumers’ information.

I recently spoke to a reporter who was trying to do a story on two companies who were planning to do item-level tagging. At the last minute the companies backed out, because they were apparently afraid of publicizing their plans.

My first question is thus, simply: Why worry?

Promiscuous RFIDs — those that will “talk” to any compatible reader — pose two basic problems. Your possessions can be inventoried without your knowledge or control, and their movements (which may well be your movements) can be tracked without your knowledge or control.

The question is whether we want a society in which many of the things we carry or wear or use contain devices that can be used to track us. I think people are entitled to move about in society without being tracked or without being afraid that they’re being tracked. This is not an immediate threat, but the deployment trajectory strongly suggests that over time RFIDs and RFID sensor/readers will become more pervasive.

If RFID tags allow companies to distribute their merchandise more efficiently or, even, cater their advertising to shoppers, how does the consumer lose out from this innovation?

No one claims that there aren’t potential benefits to consumers from RFIDs. But consumers are concerned — as they should be — that RFIDs will be used to inventory or track them.

Some of the concerns, of course, are as simple as not wanting someone to know what size clothing or what kind of shoes you wear.

Likewise, are there not enough safeguards in place to ensure that RFID will not be abused by those who wish to “identify objects anytime, anywhere” to which they have no legitimate association?

What safeguards might those be? A basic feature of promiscuous or insecure RFIDs is that you don’t know when someone is reading your RFIDs. Privacy abuses generally tend to be different from other kinds of harms. If I buy a car and it stops working a few days later, I know about it and I’ll go back to the company I bought it from. If I give my personal information to the car dealer and the dealer gives my information to someone in violation of our contract, how would I ever know? If that information is then used in a way adverse to my interests, how would I know?

The fact is, most legal safeguards depend on a deterrence mechanism — the likelihood of the injured person’s finding out about the injury and using the law to gain redress. When the injury is hard to trace back to the injurer, that feedback loop breaks down.

I often draw an analogy to pollution. It may well be rational for a firm to pollute, because it reaps the benefits of not having to control the pollution, while the costs to society are spread out. The firm’s individual cost-benefit analysis may well tip in favor of polluting the environment. When every such firm follows its individually rational course of behavior, however, you can end up with lousy air or water quality.

I’m no economist, but I think there’s a sense in which firms’ decisions about their customers’ privacy are analogous. They get the benefits, but they may not bear the costs. Or the costs may be time-discounted because IF they end up bearing costs, it may be years down the road. If you factor in the accountability/feedback problems, the costs may be even more heavily time-discounted.

Prof. Shyam Sunder, Yale University
re: Information, privacy, power

Here is an example of how a serious violation of privacy can be made to look innocuous.

I received this piece of spam this evening, and opened it because it seemed to come from a friend. A visit to the URL given asks for the first name, the last name, date of birth and email address. It could be a genuine website and a genuine email from a friend so he would not fail to send greetings on my birthday. (I am not really sure if I wish to get automatically generated birthday greetings from anyone, knowing that they are not thinking about me).

In any case, given the potential for abuse, the potential for violations has to be taken seriously, whether it is birthdays or RFID. I hope a privacy organization (such as TRUSTe) will take up this challenge and work with the industry to develop norms of behavior as we gain experience with the technology. Leaving the industry totally free is too risky for privacy, and imposing tight regulation at this early stage may prevent our ability to benefit from the efficiency of the system.

Jose Marquez
re: Is regulation needed to create “informed choices”?

Dr. Engels assuages concerns about promiscuous RFID systems by suggesting that consumers will be able to choose more expensive tags that will shield them from snooping. Likewise, he points out that consumers will always have the right and, in the case of Wal-Mart, the ability to deactivate tags.

Mr. Hoofnagle, however, suggests that companies have a history of being opaque on their use of customer data. If this is true, then it seems likely that companies would not necessarily inform consumers about the risks associated with promiscuous RFID tags.

A question for all, especially Prof. Sunder:

Does this mean that regulations are in order — at least, to require that companies inform their customers about RFID tags and potential exploits of same?

Or, in a more expansive scenario: should companies that use RFID tags provide their customers with the ability to deactivate them (not just the right)?

Lee Tien
re: Regulations

Does this mean that regulations are in order — at least, to require that companies inform their customers about RFID tags and potential exploits of same?

Or, in a more expansive scenario: should companies that use RFID tags provide their customers with the ability to deactivate them (not just the right)?

I definitely believe that consumers should be informed of the presence of RFID tags as well as of what they can do. I think the lack of good consumer knowledge about privacy-implicating practices is a major reason why we have privacy issues in our society today.

Here’s a little thought experiment. Imagine that every RFID-tagged item you have glows blue, and every RFID sensor in the environment glows yellow, and every time your RFIDs are read they and the reader glows green. Now individuals know a lot more about where RFIDs are, where RFID readers are, and how often reading goes on. Will RFID adoption — or public discourse about RFIDs — be the same in my hypothetical world as in our world?

If you think there would be a difference, then you probably believe consumer information matters, and the only question is how that is to be achieved.

The second part of the question — “kill” technology — is also important. EFF supports the idea of kill technology and the widespread availability of kill technology. If you think that there are privacy issues associated with RFIDs, what should be done about them? At present the primary social benefits of RFIDs appear to be in the supply chain. Meanwhile, consumer privacy isn’t at risk when the RFIDs are not yet in contact with consumers and their personal information. That situation is reversed once the RFIDs are “in the wild.” There are no real benefits and lots of risks. Now, you could approach this situation with legal safeguards, but that incurs all manner of secondary, administrative costs. Killing them seems a lot easier.

Again, another analogy. In the SF Bay Area, the BART subway system uses cash-like, anonymous farecards that aren’t associated with anyone’s personal identification. Even if you buy the BART farecard with a credit card, it is not associated with you personally. So there’s very little to worry about from a privacy perspective in terms of your BART [mass-transit] farecard.

Contrast that with a system of personally identifiable farecards that make it possible to track your movements. Protecting privacy in the latter system is going to be a lot more work, and there are more “points of trust” in the system.
Lee

Dr. Daniel Engels
re: Regulations

Does this mean that regulations are in order — at least, to require that companies inform their customers about RFID tags and potential exploits of same?

Or, in a more expansive scenario: should companies that use RFID tags provide their customers with the ability to deactivate them (not just the right)?

The issue of privacy revolves around the collection of and use of data and information associated with a person.* Most corporations already collect copious amounts of data on their customers, virtually all of it given freely by their customers. The use of affinity cards and on-line personalities enables a company to associate a specific transaction to a specific person. Customers freely provide this information after they conclude that it is an acceptable trade-off for the services, cost reductions, or other benefits that they receive in exchange for revealing this information. (As an aside, for those persons that wish to receive the benefits of using an affinity card without having accurate information collected on them, I recommend attending an “Affinity Card Swapping Party.” Exchange cards with friends, family, or, better yet, complete strangers.)

How the data and information about a person is used may infringe a person’s privacy without their consent. A corporation’s privacy policy will delineate how information collected about a person is used, shared, and should also specify how it is protected. It is the use of personal information that has the potential to infringe a person’s privacy without their knowledge or consent.* For this reason, the collected data itself may require regulations on its use, dissemination, and protection.

It is in a company’s own best interest, for legal as well as public relations reasons, to inform its customers how customer data and information is used, disseminated, protected, and collected. Most retail stores, for example, will notify their customers about the use of non-invasive, non-obvious, data collection methods, such as the use of video cameras for security surveillance. RFID, like video surveillance, is a non-invasive, non-obvious, data collection method. When RFID is used on the retail floor, it is in the retailer’s interest to notify its customers of the use of RFID systems to improve their shopping experience.

A company has a right and obligation to maintain control of its assets, including the tracking of those assets, from the time they are purchased until the time that they are sold. RFID enables the efficient tracking, tracing, and control of a company’s assets; thereby admitting improved efficiencies and better customer service. Existing regulations and policies currently in place govern the use, dissemination, and protection of data and the association of data with an individual, regardless of how the data was collected.

Once a product, potentially tagged with an RFID tag, is sold, the new owner of that product, i.e., the customer, has the right to deactivate any affixed tags. As a service to its customers, a company should offer a service to deactivate any and all RFID tags owned by its customers, preferably at the point of sale. It may be prudent for a company to institute a sales policy that permanently deactivates all RFID tags as they are scanned at the point of sale, similar to the current EAS tag policies in place.

Companies are obligated to disclose their policies regarding what data is collected, the use of any collected data, the dissemination of collected data, the protection of that data, the technologies and methods used to collect data, and the methods used to associate specific data with an individual. Consumers are responsible for knowing these policies to enable them to make informed decisions that will protect their privacy.

Lee Tien
re: How aware is the buyer? Not very.

One of the fundamental issues in the privacy debate is the meaning of “given freely” or “freely provide.”

Does anyone honestly believe that consumers usually engage in an informed cost-benefit analysis here?

Customers freely provide this information after they conclude that it is an acceptable trade-off for the services, cost reductions, or other benefits that they receive in exchange for revealing this information.

At the very least I think we have to recognize that it is an empirical question. I think it’s unwise and (for those defending expanded information-gathering practices) somewhat self-serving to assume that these decisions are informed and truly voluntary. This is part of a rhetorical strategy commonly seen in privacy debates, where it’s argued that consumers are OK with the status quo and that the new wrinkle is a small change from that status quo.

Maybe I can put it very simply: Acquiescence does not equal consent.

A classic example is when caller ID was introduced. This was, one might say, a small change in the privacy dynamics of phone calling. Called parties now could see the calling party’s phone number where they couldn’t before. Yet this was a huge public debate, and the very introduction of caller ID led policy makers to realize that a lot of people had not been happy about the former “default” of caller anonymity. But this was not expressed because it seemed there was no choice about it in the first place. Today, at least in California, we have caller ID, caller-ID blocking, and blocking of calls from caller-ID-blocked phones. And part of the reason why we have all of these was state PUC regulation.

I don’t mean to say that regulation is always or even usually the right answer. But I think we need to recognize that regulation (or even its possibility) is part of a public process that is internal to society, not a set of externally imposed rules.

P.S.

A reporter called me up a few months ago about the privacy issues surrounding a DNA collection program. I asked, don’t they have a consent protocol? It turned out that what they were planning to do (according to the reporter) was to focus on folks who were having their blood taken for hospital procedures, and to have the blood tech person administering the test ask them to sign a consent form for DNA collection. I don’t know if this is acceptable under health ethics.

I told the reporter it seemed the program was taking advantage of people in a vulnerable position, on the one hand, and slyly making the choice seem trivial or unimportant by not having an MD explain what was entailed.

Put another way, with information collection there are strong incentives to get the info. Once you’ve got it, there’s little the person can do.

Prof. Shyam Sunder
re: Regulations — not yet

Does this mean that regulations are in order — at least, to require that companies inform their customers about RFID tags and potential exploits of same?

At such an early stage of a new technology, it would be difficult to know what the right regulations ought to be. New technology needs some breathing space to evolve in its various forms and applications, and we have to learn about its consequences through some observation and experience. Writing regulations at this stage could strangle a new technology without allowing its promoters a chance to show its advantages, and without allowing consumers to learn ALL its consequences.

Instead of regulating RFID, I think it would be better at this stage to encourage the vendors and users of the technology to develop their own code with the help of industry and privacy experts, and publicize it to consumers. Perhaps TRUSTe, or other such organizations, could take a lead in this direction. After a few years of use, and observations about the ability of the industry to discipline itself, it would become easier to decide what, if any, regulation of RFID would be desirable.

Or, in a more expansive scenario: should companies that use RFID tags provide their customers with the ability to deactivate them (not just the right)?

Yes, the consumer should have the right to deactivate RFID, and the process of deactivation should be easy, quick, and inexpensive.

Xeni Jardin, Wired, NPR
re: Legislative update, security risks

Wanted to chime in to offer a few updates for our discussion here.

First, the California senate bill put forth by Senator Debra Bowen (a guest on this “California Connected” episode) which would establish privacy standards for the use of RFIDs in stores and libraries passed the California Senate last Thursday, 22-8. For those not familiar, SB 1834 allows collection of the same sort of data that’s already possible to gather using bar codes, but bans the use of RFIDs to track user activity after they depart the site of a given transaction. The bill also restricts the range of data that can be gathered — only information on an actual item a customer/user is purchasing, borrowing, or renting. It would also prohibit tracking interactions that people have with things they pick up but later reject while in a store. Next step: the bill moves to a June hearing in the Assembly.

Secondly — during this program, we discussed ongoing efforts by Wal-Mart to prepare for a planned June, 2005 rollout of RFID technology with 100 of its suppliers. Last Friday, the company began testing live RFID tags with electronic product codes (EPC) at eight locations around Dallas/Fort Worth. The company has been testing field equipment in Texas for about a month already, but no products bearing RFID tags had been placed on store shelves before now. Eight vendors are also participating in the trial: Gillette, Hewlett-Packard, Johnson & Johnson, Kimberly-Clark, Kraft Foods, Nestle Purina PetCare, Procter & Gamble, and Unilever.

And finally, wanted to point to a thought-provoking item on Declan McCullagh’s Politech list, which is one of my favorite sources for news about law, privacy, and technology in general. On the list, reader Rich Kulawiec sketches out one of many possible ways to “hack” an RFID marketplace. I’ll snip from the post here:

politechbot.com/2004-May/000665.html

[B]ack in the 1980’s, there were rumors that the NSA had a complete Usenet feed going into its data centers. In reaction, Usenet article authors began to include what were called “NSA fodder” in the headers and bodies of their articles; text strings like: “Moscow nuke Iran Kremlin secret spy CIA transmission” were put there to (at least in theory) cause the text-analysis programs and perhaps the human beings analyzing the incoming data at the NSA to work a bit harder.

Nobody (I hope) took this very seriously, but it does illustrate an interesting point about approaches to frustrating unwanted data collection, and that is that there are two ways to do that. (1) Deny the data to the collectors, [or] (2) give them all the data they could possibly hope for, but fill it with so much noise that it’s useless.

In the case of RFID tags, so many people are all over their deployment that approach #1 may now be effectively impossible. Fine. Let them knock themselves out putting RFID tags on and in everything and tracking them and accumulating all the data, and spending lots and lots of money and time setting all that up. Meanwhile, let’s try approach #2.

After all, there’s no reason why you and I can’t have our own RFID scanners, and locate the tags that we happen to find in our possession, now is there? And if I felt like, oh, removing the tag from my new shirt and sticking it in a city bus seat, or extracting the tag from a new lawn sprinkler and putting it in on a shopping cart back at the store where I bought it, well, why not? Now imagine the consequences if 20 million people did the same.

Granted, the likelihood that 20 million people would have the time, the wherewithal, and the interest to engage in digital disobedience is slim. But when I run across colorful hypothetical examples like this, I’m reminded of a simple fact: any system that can be built can be hacked. What might those hacks be?

Much of our discussion here has focused on the privacy issues raised by the system architecture itself — for instance, how will Wal-Mart gather, save, and use data it collects about my activities inside a store.

But there’s another direction that interests me here: What about the privacy issues raised by the potential of those systems to be compromised with malicious intent? What sort of scenarios are RFID engineers planning for, what forms of attack or compromise are possible, and how are developers accounting for those possibilities?
