Metro Future Store
Special Report!

background…
Future Store Overview
Store Partners/Goals

tour report…
Katherine's Trip
Shopping Carts
RFID on Products
Other RFID in Store
Metro Photos

scandals…
Tag "Deactivation"
RFID in Loyalty Card
METRO Coverup

results…
Media Coverage
German Protest
METRO Reponse



The METRO "Future Store"
Special Report

Scandal: The RFID Tag Hidden in METRO's Loyalty Card


Background

22 million Germans reportedly carry a "Payback" loyalty card, which they scan at participating retailers to accumulate cash back rewards and qualify for discounts. 

What 10,000 of these consumers do not know is that the Payback cards they picked up at the METRO Future Store in Rheinberg, Germany contain more than just the promise of rewards -- they also carry hidden RFID remote tracking chips.

Superficially, the cards look like any other plastic card a shopper might carry in his or her wallet. There is no visual cue that the card can respond to radio waves and transmit a shopper's identity -- right through a closed purse or backpack -- to  reader devices 3 to 5 feet away.




Back of Card





X-Ray Confirms the Embedded Tag

Below is an x-ray scan of the Payback Extra Future card. Note the antenna running along its edge, linked to an RFID computer chip which contains unique customer information. (Image courtesy of German privacy organizaton FoeBuD.)


(Click for larger image)



No Mention of RFID in Card During my Tour

I discovered the RFID tag hidden in METRO's loyalty card entirely by accident, just one day after I toured the METRO Future Store in Rheinberg, Germany, accompanied by members of German privacy organization FoeBuD.  During that tour, three METRO executives spent several hours showing us "every detail" of the store's use of RFID, including RFID shelves, RFID tags on products, RFID in the back of the store, and RFID information and "deactivation" kiosks. They claimed they were being entirely open with us, revealing every detail of their grand retail experiment.

But they never once mentioned the RFID tag in their loyalty cards.



Tour Ends; Metro Executives Treat us to Coffee and Donuts

After three hours "showing us everything," METRO's Dr. Gerd Wolfert, Albrecht von Truchsess and Marcos Fernandez treated us to coffee in the store cafe. We chatted for a while (mostly about my concerns over the deactivation kiosk that doesn't deactivate), then we all shook hands and said a cordial goodbye.

They did a good job. I left feeling assured that I had learned everything there was to know about the METRO Future Store and its use of RFID, which, in hindsight, was probably METRO's goal. They must have breathed a huge sigh of relief as I left without having discovered their loyalty card secret.



Katherine Albrecht, METRO executives, and FoeBud members relax after a three-hour tour of METRO's Future Store in Rheinberg Germany on January 31, 2004. Clockwise from front are Dr. Gerd Wolfram of METRO, Claudia Fischer of FoeBuD, Rena Tangens of FoeBud, padeluun of FoeBud, Albrecht von Truchsess of METRO, Marcos Fernandez of METRO, an unidentified individual, and Katherine Albrecht of CASPIAN.


We Return Later for Loyalty Cards

We privacy advocates left METRO and went to a local restaurant for dinner.  Afterwards, as we were about to leave Rheinberg, I realized that I had forgotten to get a "METRO Payback Extra Future Card" for my collection and asked my companions if we could return to the store and pick up some cards as a souvenir. They agreed.

We sent someone in to grab a stack of cards while we waited in the car.  When fifteen minutes passed and she still hadn't returned, we sent someone in after her. Several minutes later, the two of them came out with a handful of card applications, explaining that the store employees had been reluctant to give them the cards. Apparently the employees had to call management and wait for authorization first before handing them over.

This struck me as strange at the time, but it was not until the following day that I found out the real story.



How we Found the Tag

My public talk on RFID privacy took place in Bielefeld the following afternoon (in, of all places, a converted underground WWII military bunker).

When I finished the slide portion of my lecture, FoeBuD's Co-Director, padeluun, hooked up FoeBuD's 13.56 MHz RFID reader to the laptop I was using and projected it onto a screen behind me. One by one he and Rena held the tagged Pantene shampoo, Kraft Philadelphia cream cheese, and Gillette razor blades we had bought at the Future Store up to the reader device so the audience could see the active tag data appear on the screen behind me.

Then came the extraordinary moment when padeluun picked up a METRO loyalty card and held it to the reader. Of course, this was just a joke and nothing was supposed to happen. So when a string of numbers DID appear on the screen, we all nearly jumped out of our seats!

This was such an unexpected shock that it took me several moments to regain my composure enough to explain to the audience the importance what they had just seen. Discussing the implications of finding tracking devices in METRO's loyalty cards was definitely the highlight of my lecture, and by the time I was done, the German audience wanted to see the Future Store shut down.

I believe METRO's use of RFID tags in its loyalty card is a worldwide first, by the way. To the extent that any other retailer has put an RFID tag in its loyalty, I am not aware of it.



Tag Specs

The following day I confronted METRO spokesman Albrecht von Truchsess with evidence of the RFID tag in the Payback card. Among other things, I asked him to provide its technical specs. He responded by email with the following: 

"...reading distance is the same as in the RFID tags on the items. Also the same frequency: 13.56 MHz. Manufacturer: Philips. The number stored on the RFID chip is the customer number which is also printed physically on the Future Card."

The read range on the RFID tags on the items has been variously stated as 1 meter and 1.5 meters in METRO's literature (somewhere between 3 and 5 feet).  Three feet would be plenty of distance to allow a hidden reader device to scan the RFID-laced Payback card in a shopper's wallet or purse as she walks through an RFID portal, passes through a doorway equipped with a hidden reader, or nears an RFID reader shelf such as the ones holding products at the Future Store.



RFID in Loyalty Card not Mentioned Anywhere

METRO's brochure promises shoppers that "wherever RFID is used, this will be made visible." But they broke this promise on the most invasive RFID use of all -- rigged loyalty cards designed for human tracking. From everything we have been able to gather, the tags were a closely guarded secret. (At least there is no way we could imagine a METRO customer ever finding out about them, since they are not mentioned anywhere in the store or METRO's customer literature.)
  • No disclosure in the Payback card application. To obtain a Payback card at the Future Store, a customer picks up a brochure containing an application form with an attached Payback card inside. She then fills out the application and turns it in to the store to activate the card. Nowhere in all the fine print of the brochure nor in the legal language of the application is there any disclosure or mention that the card contains an RFID tag.
  • No disclosure on the Payback card itself. There is no mention of RFID on either the front or the back of the card. (See enlarged images of the card above.)
  • No disclosure in the store signage. The METRO Future Store has several signs mentioning both the Payback program and the RFID initiative underway at the store. (See image below.) None of these signs mentions a link between the two.


  • No disclosure in the customer RFID brochure. While the RFID customer brochure claims that "wherever RFID is used, this is made visible," it contains no mention of loyalty cards. (To read the "RFID: A New Technology For Your Shopping Experience" brochure, click here:  inside  outside)
  • No disclosure during our tour of the store. On several occasions during the three hour tour  we specifically discussed the Payback card with METRO executives. It would have been appropriate for them to disclose the tags at that time. They failed to do so.


Store Signage Says Nothing about RFID in Payback Card




METRO's Empty Promises

At the Future Store, METRO makes three key promises to consumers (see scanned image below), then proceeds to break every one.

These promises are:

- Wherever RFID is used, this is made visible
- The chips exclusively store product data but no customer data
- Outside the Extra Future Store the RFID tags become inoperative
   


Actual text scanned from a METRO Future Store brochure titled "RFID: A New Technology
For Your Shopping Experience." To view the full brochure, click here: 
inside  outside


The brochure's promise of full disclosure is a fable, and its claim that "the chips store product data but not customer data" is also false.

Obviously, the chips in the Payback card store "customer data."  How can a shopper's loyalty card account number (associated with years worth of accumulated purchasing data) not be considered "customer data"?

And of course, the notion that the chips somehow become inoperable outside the store is ludicrous. (See the discussion on this at the bottom of the "Deactivation Scandal" page.)

I like to give people the benefit of the doubt, but I can't do so in this case. It is obvious that METRO hasn't been honest with its Rheinberg Future Store "guinea pigs."

Others can also use the Rigged Payback Card to Spy on Customers

The problems don't stop with METRO. Anyone who knows the RFID tag exists can capture its numerical information (cardholder account number) -- all they would need is a reader which can be bought online for a few hundred dollars. The data on the card is not encrypted and operates on an open standard, so any 13.56 MHz reader can pick it up. However, only someone with access to the database, or another way of determining an individual's identity from the customer number, would be able to use the card for individual tracking purposes.

While the Future Store is clearly equipped to do this (scan the identity and purchase history of anyone entering the store), it is not the only retailer that can potentially use the RFID-bugged cards to secretly identify and track shoppers. Over a dozen additional Payback "partners" have access to the card database, as well. The chart at right provides a partial partner list.


Any one of these companies could easily install a generic, inexpensive 13.56 MHz reader in a doorway, checkstand or shelf and use it to capture the data contained on the card. What's more, since these partners have access to the Payback customer database, they could link the card number to the shopper's personal information.



METRO Equates "Rewarding Customer Trust" with Watching Shoppers



(Actual text as it appears on METRO's website)

In a bit of unintended irony, METRO emphasizes on its website that the Payback card is designed to "tie customers closely to the company." That, indeed it does.

But the next, even more ironic line in their copy reads "this can be done successfully with the help of customer loyalty schemes that reward the consumer's trust in the company..."

Of course, trust is the last thing you're likely to get from your customers once they discover that you've hidden a secret device in their loyalty card to spy on them.

After paying lip service to trust, this copy clearly spells out the real purpose of the card: watching people more closely.


"...the retailer can adjust the offer precisely to the wishes and needs of the cardholder because he gets to know the customer's shopping patterns better and better."

METRO, we have one word for this:   Yecch.


Continue the tour to the next scandal: METRO's Clumsy Coverup Attempt >>

 

home | overview | faq | blog | press | get involved | about us

The Spychips website is a project of CASPIAN, Consumers Against Supermarket Privacy Invasion and Numbering.
© 2003-2006 Katherine Albrecht and Liz McIntyre. All Rights Reserved.

Photographs © Peter Ehrentraut, FoeBuD e.V., used with permission.