This article first appeared in ALEC Policy Forum, Winter 2004, Volume 6, Number 3, pp. 49-54.
It was written for state lawmakers and other members of the American Legislative Exchange Council.



ALEC cover thumbnail
Click for larger image

RFID: The Big Brother Bar Code

By Katherine Albrecht and Liz McIntyre
CASPIAN Consumer Privacy


"The privacy impact of letting manufacturers and stores put RFID chips in the clothes, groceries, and everything else you buy is enormous."
- California State Senator Debra Bowen
  Statement issued February 2004


"…the RFID train is beginning to leave the station, and now is the right time to begin a national discussion about where, if at all, any lines will be drawn to protect privacy rights."
- Senator Patrick Leahy, Speech at Georgetown University Law Center
March 23, 2004

S
tate and federal lawmakers have joined a growing chorus of people sounding the alarm over RFID, a new technology with enormous potential for invading privacy. RFID has prompted bills in California, Utah, Missouri and Massachusetts, and raised the concern of civil liberties and privacy groups from around the world. Once you understand the stealthy nature of the technology, we think you'll agree that the privacy concerns it raises warrant immediate attention.


A Brief Introduction to RFID

RFID stands for Radio Frequency Identification, a tracking technology that uses tiny computer chips to identify items from a distance. We've nicknamed them “spychips"because of their stealthy potential. These chips are connected to miniature antennas so they can beam back information about items to which they are attached, invisibly and silently by radio waves.

These waves are similar to the ones used to broadcast FM radio programs. Like FM radio waves, RFID radio waves can travel through solid objects such as walls, briefcases, purses, and wallets -- the things we normally rely on to protect our privacy.

RFID chip and antenna combinations, called "tags," typically range from the size of postage stamps to the size of pagers. Some can be as small as the period at the end of this sentence. RFID tags without an independent power source, called "passive"tags, can transmit information from a couple of inches away to up to 20 or 30 feet. Tags with attached batteries can transmit information up to a mile or more.

RFID tags can be embedded into or affixed to virtually any physical item, from car tires and aircraft parts to underwear and eyeglasses. They can be undetectable when sandwiched between layers of cardboard, incorporated into product labels, encapsulated in plastic, or sewn into the seams of clothing.

RFID first hit the business headlines in 2003 when Wal-Mart and the Department of Defense issued requirements that companies supplying their inventory must invest in the technology. Both have mandated that their top suppliers affix an RFID tag to every crate and pallet slated for delivery to them. Other retailers, such as Albertsons and Target, have followed suit with RFID mandates of their own. These "supply chain" retailer mandates have fueled investment in RFID technology and the infrastructure required to implement it.

RFID/EPC Slated to Replace the Bar Code

While using RFID to track crates and pallets poses few consumer privacy concerns, the long term plan is for RFID tags to replace the bar code. This would mean affixing an RFID tag onto virtually every physical object manufactured and sold on Earth.

"…RFID chips are like supercharged barcodes – barcodes on steroids, if you will. They are so small they can be tagged onto almost any object. They do not have to be in open view; RFID receivers just have to be within the vicinity – at a security checkpoint, in a doorway, inside a mailbox, atop a traffic light. And RFID chips can carry a lot more information than barcodes. Some versions are recordable so that they can carry along the object's entire history."
- Senator Patrick Leahy

EPC Global, an organization formed from the Uniform Code Council (which handles the US UPC bar code) and EAN International (which handles the bar code overseas) are promoting this use of RFID. They have developed something called the EPC (electronic product code) to replace today's UPC bar code or "Universal Product Code."The EPC consists of a 96-bit string of data (think of 96 zeros and ones, or two to the 96th power). Their numbering scheme provides enough number combinations to uniquely number every product manufactured on the planet for the next one thousand years.

Each RFID chip affixed to a consumer good would contain a unique EPC code identifying the manufacturer and product type, along with a unique serial number. This serial number would differentiate the item from all others like it. For simplicity, the rest of this discussion will refer to RFID tags containing EPC codes, per industry plans.


RFID Tags are Very Different from Bar Codes

Industry proponents have called RFID the "improved bar code." However, RFID differs from bar codes in three important ways:
  1. UNIQUE ID
    Unlike bar code technology where every can of Coke has the same UPC number (i.e., bar code), proposed RFID tags would assign each individual can of Coke its own unique serial number. These serial numbers could be captured at the point of sale and recorded with the identity of the purchaser as gleaned from a credit card or frequent shopper card. Such linkage could lead to global "item registration" whereby items would transmit their ownership trail and could be used to monitor people's travels and activities.

  1. REMOTELY READABLE
    RFID tags can be read from a distance by anyone with the right reader device, right through people's clothes, wallets, backpacks or purses--without their knowledge or consent. It creates a form of x-ray vision that could enable strangers to identify people and the things they're wearing and carrying.

  1. HEALTH RISKS
    Unlike the optical readers associated with bar codes, RFID readers emit electromagnetic energy over wide swaths. Proponents hope to embed RFID readers into walls, floors, doorways, shelving -- even in the refrigerators and medicine cabinets of our homes. We and our children would be continually bombarded with the energy emanating from these devices. Medical researchers have begun to raise questions about the long-term health effects of this type of chronic exposure to low levels of electromagnetic radiation.
The RFID Privacy Threat

Marketers, criminals, and government agents will find the information on RFID tags to be a tempting target for exploitation and abuse.

Marketers will use RFID to identify people at a distance and determine their tastes and spending habits through the items they wear and carry.

Today, billions of dollars are spent annually to collect and share consumer "intelligence." In-store tracking technologies like floor sensors, heat sensors, hidden cameras, hidden microphones, GPS-enabled grocery carts, and phony shoppers are all used to gather information. RFID will greatly simplify the task of collecting such consumer data – particularly if consumers can be automatically identified while walking in the door.

RFID-based consumer tracking products are already available in the marketplace. For example, IBM offers a bank application called "Margaret" that would use RFID tags embedded in checkbooks, savings passbooks, and ATM cards to identify customers as they enter a bank lobby. According to IBM's description, a reader device would scan the tags and communicate the customer's bank balance to employees, allowing them to give preferential treatment to more valuable clients.

Texas Instruments is promoting an RFID-enabled loyalty card product that could be read right through a shopper's purse as she enters the store. Their website explains how "a consumer with a TI-RFid tag in their purse, pocket, or wallet can be detected by reader systems at doorways. Readout antennas can also be in counters, walls, and in floors." It also details how "the technology can tell retailers exactly who's in their store at any given moment, while offering full purchase histories for each shopper. In addition, stores will know what the customer bought at their last visit, and what they might need for accessories."

Criminals will also take a keen interest in RFID information. Thieves could use handheld RFID readers to determine the contents of suitcases or shopping bags and to identify "easy marks." Voyeurs and stalkers could scan the contents of women's purses or capture details about the style and color of their undergarments right through their clothes.

Perhaps most worrisome, government agencies and law enforcement officials could use the technology to violate the Fourth Amendment. The federal government has repeatedly expressed a desire to consolidate transaction information from commercial databases into a single, centralized database under its control. Once such transaction data includes unique EPC serial numbers linked to the identity of purchasers, RFID tags could be scanned at strategic locations and used to identify people that pass by as well as surreptitiously scan their belongings.

A rogue federal agency could use RFID to create dossiers on citizens engaged in peaceful, First-Amendment-protected activities. Depending on one's politics, this might be a union meeting, a gun show, a peace march, or a talk by a prominent Muslim cleric. By walking through the crowd with an RFID reader device hidden in a briefcase, agents could capture information from RFID tags on objects carried by people attending the event. That data could be cross referenced with records in commercial databases to determine who was present.

RFID Abuses to Date

Foreshadowing things to come, RFID has already been abused by the corporations most active in promoting its use.

Last year Gillette and Wal-Mart were implicated in a scheme to take close-up photographs of consumers' faces as they picked up RFID-tagged Gillette razor packages in a U.S. Wal-Mart store. Gillette has hinted at the continued use of these "smart shelves" elsewhere in the U.S. and abroad, but has refused to directly answer consumer queries on the subject.

In a similar case, RFID tags were hidden in Procter & Gamble Lipfinity lipstick on shelves in an Oklahoma Wal-Mart store last year. Customers interacted with the lipsticks, not knowing that Procter & Gamble executives had trained a webcam on the display to observe them from their offices 750 miles away.

Another scandal involved the RFID industry's flagship "future store" in Rheinberg, Germany. Over 10,000 of the store's customers (referred to as "guinea pigs"in an IBM press release) were given frequent shopper cards laced with RFID tracking devices – without their knowledge or consent. Once the tags were discovered, customers protested outside the store, forcing it to recall the tracking cards. Despite this incident, companies like Texas Instruments, Matrics, NCR and others continue openly promoting such cards.

The surreptitious tagging of consumer goods appears to be continuing unabated. At an industry conference this September, the authors discovered a cache of Calvin Klein, Abercrombie & Fitch, and Champion clothing labels with RFID tags concealed inside.1 The fabric labels, designed to be sewn directly into clothing, were displayed by anti-theft company Checkpoint, which specializes in incorporating "invisible" tracking devices into consumer products at the point of manufacture.

Checkpoint plans to upgrade its reader devices -- the anti-theft doorway portals currently installed in tens of thousands of retail locations -- to serve as RFID tag readers. Obviously, having RFID readers at building entrances capable of reading the serial numbers in people's clothing could create a fairly direct route to the surveillance scenarios outlined above.

While the RFID industry has assured lawmakers and consumer groups that they are interested only in "supply side" inventory tracking on crates and pallets, the efforts of Checkpoint and other major industry players make it clear that consumer products are in their sights.

Your Constituents are Concerned about RFID Privacy

Research indicates that consumers are deeply concerned about RFID technology. In October 2003, consulting firm Capgemini surveyed 1,000 consumers and found that in relation to RFID, "almost seven out of 10 respondents said they were 'extremely concerned' about the use of consumer data by a third party: 67% were concerned that they would be targeted with more direct marketing; and 65% were concerned about the ability to track consumers via their product purchases.'"

Concerned citizens are looking to state lawmakers to pass labeling requirements that will give them the tools they need to protect themselves from RFID privacy invasion. State legislators from both major parties have been proactive, including California Senator Deborah Bowen (D), Utah State Representative David Hogue (R), Missouri State Senator Maida Coleman (D), Virginia Delegate L. Scott Lingamfelter (R), and Massachusetts State Senator Jarrett Barrios (D), each of whom has proposed some form of mandatory labeling.

On the federal level, Florida Senator Bill Nelson and Vermont Senator Patrick Leahy have also pointed to an urgent need for America to address the RFID problem in a public forum.

What Lawmakers can do

CASPIAN operates under free market, libertarian principles. A healthy free market depends on consumers having access to information that impacts them so they can work to ensure that their best interests are met in the marketplace.

Members of the public have an absolute right to know when they are interacting with technology that could adversely affect their privacy and impact their health. Selling a pair of shoes that doubles as a tracking device without telling consumers about the RFID tag it contains is essentially a form of fraud. When a shopper buys a pair of shoes, she has a reasonable expectation that she is getting shoes, not something else.

While we generally do not think that legislation is the best way to solve consumer privacy problems, we do believe that legislation to prevent fraud and misrepresentation is appropriate. For that reason, CASPIAN has developed model legislation titled the "RFID Right to Know Act of 2003" that would require labeling on consumer items containing RFID tags. Several state bills have been patterned after this model.

Given their full knowledge and consent, people should be free to purchase shoes and other goods that double as tracking devices. Nevertheless, consumers must be informed of what such choices mean. It is difficult to envision how this will take place in the absence of a mandatory labeling requirement, since RFID can be so easily hidden.

Conclusion

"There is no downside to a public dialogue about [RFID], but there are many dangers in waiting too long to start. We need clear communication about the goals, plans and uses of the technology, so that we can think in advance about the best ways to encourage innovation, while conserving the public's right to privacy."
- Senator Patrick Leahy

CASPIAN believes the American public deserves to hear the truth about RFID from all sides of the debate. We applaud Senator Patrick Leahy and others in calling for an open dialog, and have joined privacy and civil liberties groups around the world to call for a voluntary moratorium on the use of item-level RFID until the societal impact of the technology can be assessed.

In the meantime, consumers have been interacting with this technology for over a year without proper notification. We must put a stop to secretive RFID testing on consumers while society sorts out the larger issues. Mandatory labeling legislation is a crucial first step to enable us to protect ourselves.



Footnote:

1 We have posted photographs of these labels on our website at http://www.spychips.com/press-releases/checkpoint-photos.html, despite efforts by RFID proponents to prevent our making them available to the public.

 

home | overview | faq | blog | press | get involved | about us

The Spychips website is a project of CASPIAN, Consumers Against Supermarket Privacy Invasion and Numbering.
© 2003-2007 Katherine Albrecht and Liz McIntyre. All Rights Reserved.