Metro Future Store
The METRO "Future Store"
The RFID Tag Hidden in METRO's Loyalty
22 million Germans reportedly carry a "Payback" loyalty card, which they scan at participating retailers to accumulate cash back rewards and qualify for discounts.
What 10,000 of these consumers do not know is that the Payback cards they picked up at the METRO Future Store in Rheinberg, Germany contain more than just the promise of rewards -- they also carry hidden RFID remote tracking chips.
Superficially, the cards look like any other plastic card a shopper might carry in his or her wallet. There is no visual cue that the card can respond to radio waves and transmit a shopper's identity -- right through a closed purse or backpack -- to reader devices 3 to 5 feet away.
Back of Card
X-Ray Confirms the Embedded Tag
Below is an
x-ray scan of the Payback Extra Future card. Note the antenna running
along its edge, linked to an RFID computer chip which contains unique
customer information. (Image courtesy of German privacy organizaton
No Mention of RFID in Card During my Tour
I discovered the RFID tag hidden in METRO's loyalty card entirely by accident, just one day after I toured the METRO Future Store in Rheinberg, Germany, accompanied by members of German privacy organization FoeBuD. During that tour, three METRO executives spent several hours showing us "every detail" of the store's use of RFID, including RFID shelves, RFID tags on products, RFID in the back of the store, and RFID information and "deactivation" kiosks. They claimed they were being entirely open with us, revealing every detail of their grand retail experiment.
But they never
once mentioned the RFID tag in their loyalty cards.
Tour Ends; Metro Executives Treat us to Coffee and Donuts
hours "showing us everything," METRO's Dr. Gerd Wolfert, Albrecht
von Truchsess and Marcos Fernandez treated us to coffee in the store
cafe. We chatted for a while (mostly about my concerns over the deactivation
kiosk that doesn't
deactivate), then we all shook hands and said a cordial goodbye.
They did a good
job. I left feeling assured that I had learned everything there was
to know about the METRO Future Store and its use of RFID, which, in
hindsight, was probably METRO's goal. They must have breathed a huge
sigh of relief as I left without having discovered their loyalty card
Katherine Albrecht, METRO executives, and FoeBud members relax after a three-hour tour of METRO's Future Store in Rheinberg Germany on January 31, 2004. Clockwise from front are Dr. Gerd Wolfram of METRO, Claudia Fischer of FoeBuD, Rena Tangens of FoeBud, padeluun of FoeBud, Albrecht von Truchsess of METRO, Marcos Fernandez of METRO, an unidentified individual, and Katherine Albrecht of CASPIAN.
We Return Later for Loyalty Cards
We privacy advocates left METRO and went to a local restaurant for dinner. Afterwards, as we were about to leave Rheinberg, I realized that I had forgotten to get a "METRO Payback Extra Future Card" for my collection and asked my companions if we could return to the store and pick up some cards as a souvenir. They agreed.
We sent someone
in to grab a stack of cards while we waited in the car. When
fifteen minutes passed and she still hadn't returned, we sent someone
in after her. Several minutes later, the two of them came out with
a handful of card applications, explaining that the store employees
had been reluctant to give them the cards. Apparently the employees
had to call management and wait for authorization first before handing
This struck me as strange at the time, but it was not until the following day that I found out the real story.
How we Found the Tag
My public talk on RFID privacy took place in Bielefeld the following afternoon (in, of all places, a converted underground WWII military bunker).
When I finished the slide portion of my lecture, FoeBuD's Co-Director, padeluun, hooked up FoeBuD's 13.56 MHz RFID reader to the laptop I was using and projected it onto a screen behind me. One by one he and Rena held the tagged Pantene shampoo, Kraft Philadelphia cream cheese, and Gillette razor blades we had bought at the Future Store up to the reader device so the audience could see the active tag data appear on the screen behind me.
Then came the extraordinary moment when padeluun picked up a METRO loyalty card and held it to the reader. Of course, this was just a joke and nothing was supposed to happen. So when a string of numbers DID appear on the screen, we all nearly jumped out of our seats!
This was such an unexpected shock that it took me several moments to regain my composure enough to explain to the audience the importance what they had just seen. Discussing the implications of finding tracking devices in METRO's loyalty cards was definitely the highlight of my lecture, and by the time I was done, the German audience wanted to see the Future Store shut down.
I believe METRO's use of RFID tags in its loyalty card is a worldwide first, by the way. To the extent that any other retailer has put an RFID tag in its loyalty, I am not aware of it.
The following day I confronted METRO spokesman Albrecht von Truchsess with evidence of the RFID tag in the Payback card. Among other things, I asked him to provide its technical specs. He responded by email with the following:
"...reading distance is the same as in the RFID tags on the items. Also the same frequency: 13.56 MHz. Manufacturer: Philips. The number stored on the RFID chip is the customer number which is also printed physically on the Future Card."
The read range
on the RFID tags on the items has been variously stated as 1 meter
and 1.5 meters in METRO's literature (somewhere between 3 and 5 feet).
Three feet would be plenty of distance to allow a hidden reader device
to scan the RFID-laced Payback card in a shopper's wallet or purse
as she walks through an RFID portal, passes through a doorway equipped
with a hidden reader, or nears an RFID
reader shelf such as the ones holding products at the Future Store.
RFID in Loyalty Card not Mentioned Anywhere
METRO's brochure promises shoppers that "wherever RFID is used, this will be made visible." But they broke this promise on the most invasive RFID use of all -- rigged loyalty cards designed for human tracking. From everything we have been able to gather, the tags were a closely guarded secret. (At least there is no way we could imagine a METRO customer ever finding out about them, since they are not mentioned anywhere in the store or METRO's customer literature.)
Store Signage Says Nothing about RFID in Payback Card
METRO's Empty Promises
At the Future Store, METRO makes three key promises to consumers (see scanned image below), then proceeds to break every one.
These promises are:
- Wherever RFID is used, this is made visible
- The chips exclusively store product data but no customer data
- Outside the Extra Future Store the RFID tags become inoperative
The brochure's promise of full disclosure is a fable, and its claim that "the chips store product data but not customer data" is also false.
Obviously, the chips in the Payback card store "customer data." How can a shopper's loyalty card account number (associated with years worth of accumulated purchasing data) not be considered "customer data"?
And of course, the notion that the chips somehow become inoperable outside the store is ludicrous. (See the discussion on this at the bottom of the "Deactivation Scandal" page.)
I like to give people the benefit of the doubt, but I can't do so in this case. It is obvious that METRO hasn't been honest with its Rheinberg Future Store "guinea pigs."
Others can also use the Rigged Payback Card to Spy on Customers
While the Future Store is clearly equipped to do this (scan the identity and purchase history of anyone entering the store), it is not the only retailer that can potentially use the RFID-bugged cards to secretly identify and track shoppers. Over a dozen additional Payback "partners" have access to the card database, as well. The chart at right provides a partial partner list.
Any one of these companies could easily install a generic, inexpensive 13.56 MHz reader in a doorway, checkstand or shelf and use it to capture the data contained on the card. What's more, since these partners have access to the Payback customer database, they could link the card number to the shopper's personal information.
METRO Equates "Rewarding Customer Trust" with Watching Shoppers
The Spychips website is a project of CASPIAN, Consumers
Against Supermarket Privacy Invasion and Numbering.
© 2003-2006 Katherine Albrecht and Liz McIntyre. All Rights Reserved.
Photographs © Peter Ehrentraut, FoeBuD e.V., used with permission.