February 29, 2004

RFID Tracking Concerns Lawmakers

If you're not yet concerned about RFID (Radio Frequency Identification) tags, you should be. These tiny devices can be included in many consumer goods. As such, there is growing concern about how they can be associated with individual consumer information and even tracked in public places by strategically-placed readers. Wired News has a good summary in "Lawmakers Alarmed by RFID Spying", which reports on several states' attempts to enact legislation. Not so coincidentally, Wired also reports German protesters have similar concerns.

Personally, I probably wouldn't care too much if someone knows I bought a pair of Levis, with the possible exception that I wouldn't want to get spammed by people trying to sell me more jeans (as least now I'm mostly protected by my state's Do Not Call List -- that has been a huge blessing from relentless and rather pesky telemarketers). Regardless, I'd categorize that as more of an annoyance. Now let's take it one step further: As one person commented here previously, it could be used to present personalized on-demand advertising, a la Minority Report (and this is also mentioned in the first Wired News story above).

However, after that unique identifier gets associated with me, readers in public places could track my whereabouts. My concern is once the genie is out of the bottle, where will it end? Several years ago, I posted to one of the legal tech listservs that online data collection (e.g., cookies, spyware, etc.) could eventually be tied into the brick and mortar companies' databases and the crossover effects would be chilling. Not too long after that, DoubleClick tried to do exactly that. Fortunately there was much public outcry and DoubleClick adolescently stated they were very sorry and wouldn't do it again. Suffice it to say, there are still serious public trust issues.

This quote pretty much sums it up: "'Some lawmakers now say that RFID tags in retail items may further erode consumers' privacy. "There is clearly an upside for the industry,' said Massachusetts state Sen. Jarrett Barrios, 'but underlying that is a burden borne by the consumers. It's unnerving to me that the companies have no incentive to protect consumer privacy.' " Sure, consumers can vote with their wallets and try to boycott merchandise with embedded RFID tags. That may work in the beginning, as a few select companies get scorned by consumers. But what happens if the manufacturers and retailers decide to tough it out until most items on retail shelves and in online stores have them? In my humble opinion, under that scenario consumers would have little choice but to succumb to the situation and buy them under protest if there are no other reasonable alternatives.

Thus unless sellers bow to public outcry, the free market model may not work in this case: "RFID technology is a surveillance tool that clearly can be misused, said Barry Steinhardt, director of the Technology and Liberty Program at the American Civil Liberties Union. 'To protect consumers, we need laws, not unenforceable policies," he said.' "

But what laws should we enact? Should RFID be banned outright? Should it stop merely at "truth in labeling" so consumers can make informed choices? Do we borrow a page from the online privacy debates to implement "opt in" vs. "opt out" strategies, and thus attempt to allocate who should bear the the burden that way? Or something different altogether? Certainly RFID has legitimate uses for inventory control. Somehow my gut tells me that none of the above will be the best solution, or worse, that there may not even be one due to the polarization that has already occurred. Only time and a lot of public debate will tell.

[Update 3/1/04: Techdirt has an interesting post on the potential for an RFID blocker tag. Apparently, researchers at RSA have begun demonstrating how the blocker tag works. As I mentioned above, I doubt a purely legal approach will adequately resolve the many RFID issues. As RFID is partially a technological problem, some creative technological approaches may help.]

Topic(s):   Privacy & Security
Posted by Jeff Beard
Comments

For the past 12 years, Gordon Cook has written about every aspect of the commercial Internet. Detailed interviews with the leaders of the field have given him a body of knowledge of unique breadth and depth. Gordon has used that broad knowledge to develop a complete analysis of the commercial, political, economic, system and technical issues surrounding the broad introduction of RFID technology into the Global Economy.

His research has resulted in an exhaustive examination of the technology, architecture, and business strategy of RFID, in inventory management and, much more importantly, in the supply chain. He examines the Auto-ID, EPCglobal VeriSign Alliance to create "wireless" bar codes. He explains why this will have little impact unless and until it is well integrated into a wide range of corporate ERP systems. He describes why some companies that use web services, RosettaNet and appropriate supply chain software don't have any ROI yet for using RFID. Finally he looks in great detail at a very innovative and comprehensive service grid approach where goods may be tracked with mobile agent software from manufacture to point of sale.

An extract from the report and the full contents list can be found on my web site - RFID Exchange.

Thanks

Steve Heap
RFID Exchange
www.rfidexchange.com

Posted by: Steve Heap at March 25, 2004 08:19 PM