Radio Frequency Identification, RFID, is an item-tagging technology which interests suppliers and retailers. RFID has potential to revolutionise supply chain management but also some potentially distressing social implications. When used inappropriately, RFID is capable of reducing or eliminating customer anonymity, thereby damaging privacy and threatening civil liberties.
I begin with an introduction to the technological background. Second, I explain pros and cons by means of some example scenarios and, third, outline how this technology may be introduced in a way that can preserve privacy.
Passive transponders were developed next. They need no power supply of their own, relying solely on the radio energy transmitted by a reading device for powering. Research began in the 1990s at the Massachusetts Institute of Technology, which called this technology ''Auto-ID''. Today many companies, especially large ones such as Philips, Intel, Texas Instruments and many more are pushing forward the development of this technology. They are accompanied by ''RFID user'' corporations, among them Procter & Gamble, Gillette, Philip Morris, Marks & Spencer, Walmart and Metro, who are marking products from livestock to cream cheese with ID numbers for several reasons [3].
That is one of the key abilities of this technology: The chips are capable of transmitting their identification - an unique serial number. EPCglobal, a consortium consisting of more than 100 of the most influential companies, including government organisations [4], is supervising the electronic product code (EPC) allocation process to ensure that these numbers are globally unique and will remain so for hundreds of years. ''Unlike the bar code, however, the EPC goes beyond identifying product categories - It actually assigns a unique number to every single item that rolls off a manufacturing line'' [5]. ''VeriSign, the company that maintains the Internet's .com and .net domain registry, has been hired to run a new directory to be used to keep tabs on consumer goods using a technology known as radio frequency identification'' [6]. Apart from this number, many chips are capable of storing, reading and rewriting some number of custom data bytes. But, clearly, there is no need to store voluminous data amounts on the chip itself to make tracking it a possibility. The unique number is enough for a computer linked to a reading device to look up or amend data linked to this particular unique number.
The second key feature of RFID is that no physical contact is required for reading because of the radio transmissions. Dependent on chip and antenna design, reading ranges vary from a few centimetres to a few meters for passive RFID tags. Contrary to claims that these distances are too short to track consumers, this is definitely possible: reader devices do not have to follow the RFID tag for it to be tracked. It is sufficient to install some reader devices at strategic points, e.g. bottlenecks such as doors or on-ramps [7]. Persons must pass those bottlenecks and are, thus, forced into reader range. This tracking is only limited by the number of reader devices installed and by the possible bottlenecks. Internal documents show that developers of RFID technology have a world in mind where RFID reader devices make up an all-embracing global network [8].
Another reason why RFID tags are increasingly favoured by companies is that the chips are becoming tinier and cheaper. The smallest chips cover only 0.2 mm² and antennas can already be printed directly on the product or the package with an ink jet technology [7]. Prices are predicted to fall below 1¢ each by 2004 [5]. The argument that RFID tags are too expensive for massive introduction is invalid because mass production has just begun: RFID tags are designed to be cheap.
Regarding privacy issues, another technology comes into play: databases and their supersets - archives. In principle, databases are independent of RFID technology. But, as I will show, the main threat to privacy lies in the combination of both technologies.
Of course there are other aspects and risks, e.g. the increased amount of customer-vicinity radio transmissions might lead to health problems, or the increased adoption of RFIDs taking over tasks now performed by humans may lead to more unemployment. These problems go beyond the scope of this paper. I will confine myself to privacy and civil-liberties issues.
Let's look at these points in detail.
But enough places remain. There is currently no law to notify customers of RFID tags, with two exceptions from 2004: ''On Feb. 24, the Utah House of Representatives passed a bill mandating clear labeling of any product in which an RFID chip is embedded. A bill introduced on Feb. 27 in the California Senate goes further, arguing that retailers should need consumers' permission'' [9].
The use of these keys could lead to every physical object being identified and linked to its purchaser or owner within a global registration system. For this, there is no need to store more than the ID information on the chip: If all systems are interconnected, an external database will do the trick. Leaked documents [10] show different number blocks to be reserved for different products - one is already reserved for ''human''.
Once data is in a database, it can be combined or linked with other data to form new data. Those databases are not publicly visible because the collected data is very valuable and companies reserve read and search access for themselves. As a consequence, there is the risk that false or wrongly linked data could persist in those databases. Until now cost-intensive data mining had to be performed to extract useful data from the masses of data. With unique IDs, this data mining can be broken down to a sequence of very much easier operations. This will reduce processing cost and time and can obviously lead to an expansion of data aggregations.
Accenture and Gillette are talking of and introducing ''silent commerce'' [13, 14]: The customer does not and will not know that his RFID tags are being read. Cheapest reader devices cost about 20 US-$ today. The smallest ones are as tiny as a 25 US-¢ coin. Portable reading devices are obviously possible to build. But there is the danger of surveillance if reader devices are installed in strategic places: bottleneck locations such as doors or on-ramps to freeways, carpets or the shelving of a store. Here, there is no need for long-range readability because everyone has to walk or drive by, through or over the reader device.
The next step would be to minimise the gap between item and individual by means such as embedding RFID tags into customer or loyalty cards. This is exactly what Metro did in its ''extra Future Store'' [15] located in Rheinberg, Germany. RFID tags are also used in contactless smart cards which then can be identified before the smart functions are enabled, because the RFID range is larger than that of the smart card functions. There are plans for using RFID tags in (federal) identity cards [16] and passports [17] as well, so that biometric data need not be stored on the identity card itself, but in a central database.
By minimising the gap, customers may be identified as they enter a store. Habits and preferences could then be recorded and later be used to optimise store layout and seduce or manipulate the customer to buy more or more expensive products in the future. Customer relationship management (CRM) can also benefit from the data collected and from the availability of customers' identities as soon as they enter the store: classification of customers into ''good'' and ''bad'' categories [18] may lead to gratification or penalisation of the customer through different prices or different service offers. The customer would not know about this. Such classification is already performed today, but the means to identify a customer before the point of sale were missing until now.
More far-reaching issues may arise, as the 2003 Big Brother Awards Germany laudation envisages: ''Marion Z. is sent a caution from the Duisburg authorities with a fine. The wrapping paper of a Mars bar she has bought was found in the town park, floating in the duck pond. After some pondering, Marion Z. remembers that she gave the sweet to a young carol singer. Grinding her teeth, she pays the 10 Euro fine'' [19].
At Enterprise Charter School, Buffalo, USA, pupils can already be identified via RFID tags. They are forced to carry around an identification card equipped with such a tag [20]. With these tags, data about course attendance and the pupils' presence and location is to be collected, according to the school's principal. This shows that data greediness is not limited to retailers. Similar to this school, companies might be eager to learn about their workers' presence and location. RFID tags sewn into working clothes would perform this job well.
The next step, implanting the chips directly underneath human skin, is currently pushed by Applied Digital Solutions, who intend to sell their VeriChip, VeriMed, VeriPrime, VeriPay and VeriKid systems, all based on RFID tags. E.g. in Mexico, the VeriKid tags are being implanted ''in children as an anti-kidnapping device'' [21] albeit the fact that it is unlikely today to fortuitously have a reader device near the hostage's position. Those tags might be used to clearly identify dead bodies, but they cannot prevent kidnapping. With the implantation of RFID tags, Applied Digital Solutions closes the identification gap [22]. Here in Germany, society is very sensitive to the thought of implanted ID numbers in view of the recent, worst part of our history. These concepts are therefore likely to be regarded as wholly unacceptable by a significant part of German society.
Metro, one of the biggest retailers in Europe, responding to a civil protest organised by the German privacy and data protection group FoeBuD that was supported by more than fourteen German consumer and civil liberties groups, has announced that it will discontinue its trials with embedding RFID tags into customer ''payback'' cards [23].
Addressing such concerns, RSA Security has announced the availability of a RFID blocker tag [24]. RSA wants to hand them out sewn into shopping-bags at the CeBIT 2004 trade show in Hannover [25]. But as c't, a renowned German computer magazine, figured out, those blocker tags are and will be only partially usable [26]: Blocker tags ''jam'' readers by sending out unrequested responses to reader signals, ''drowning'' out data from the RFID chips actually addressed. This works best if one of two main protocols, the Tree Walking Protocol, is being used. The other protocol, the Aloha Protocol (a classic protocol which stimulated the development of Ethernet), is and will be principally immune to passive blocker tags: because this protocol features delayed responses, blocker tags will not be able to gather enough energy to block all consecutive answers following a reading impulse.
Furthermore, RSA Security announced that its blocker tags will not ''drown out'' all possible RFID numbers in order not to interfere with planned industry applications. Having to rely on blocker tags is also a disadvantage for customers, because they would actively have to protect their privacy. But even if people were to accept the ''protection'' offered by blocker tags, after technology has been developed and stores have been equipped with RFID installations, blocker tags could just be banned by law or by store owners not allowing entrance to people found to carry blocker tags. Blocker tags can not be the ultimate solution to the perceived evils of RFIDs.
The most radical strategy of a total RFID ban is not feasible either. Once this technology exists it is not possible to uninvent it, especially as there are good reasons for using this technology safely and profitably. Therefore, a line must be drawn between the legitimate interest of tracking products in the supply chain and the damage to individual rights if tracking continues in store rooms and after products are purchased. The public-interest organisation CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), amongst others, proposes a three-part framework: ''First, RFID must undergo a formal technology assessment, and RFID tags should not be affixed to individual consumer products until such assessment takes place. Second, RFID implementation must be guided by Principles of Fair Information Practice. Third, certain uses of RFID should be flatly prohibited'' [8].
Such a balanced approach respects most valid interests. As efforts to introduce RFID technology secretly have already been made, a moratorium must be set up to cease these tests until a technology assessment has taken place involving civil, industry and commerce stakeholders with the purpose of agreeing on acceptable guidelines for laws and regulations.
At the time of writing, there is not much information available from industry and commerce about what they would regard as acceptable. But it may be assumed that the interest is largely in allowing RFID tags, readers and referencing database technology as far as possible.
On the ''civil liberties'' side of the debate, demands have already been made: No technology should be introduced secretly. It has to be clearly visible where RFID tags and reading devices are installed or used and for what purpose. Data that is not essential for the given purpose must not be collected. Security and integrity in transmission, databases and system access must be ensured. Installers and users of such technology should be legally responsible for complying with the agreed principles. Auditing by outside third-parties with publicly available results must be actively supported.
The following would not be acceptable [8]:
Acceptable uses of RFID are the tracking of goods in the supply chain up to the point where those goods are brought into contact with customers. That is the point at which those goods are put onto a shelf in the sales area, and not the point of sale, because the sales area is a shared space. Acceptable would also be a use as an additional warning mechanism for products containing toxic substances. The RFID tag could transmit a message relating to recycling or disposal of the product. The information stored would be generic to the product, not specific to the individual item.
These demands could be stated in a more abstract form and then become part of a legal right: the ''right for informational self-determination'' [27]. In Germany this right has been derived from the Basic Constitutional Law and was first introduced into German legislation by the Federal Constitutional Court in 1983 in a ruling about a population census [28]. The Constitutional Court is Germany's highest judicative body. One of its main functions is to rule on the compatibility of legislation or administrative acts with the constitutional law. The right for informational self-determination includes the individual's control over relinquishment and utilisation of personal data, including withdrawal: the right to know which data is being collected, where it is being collected, stored, connected to other data and processed, and who has access to the data. It also includes the right to designate what may be done with one's data and the right to instruct institutions storing someone's data to delete it or to correct data that is wrong. This right of informational self-determination that is currently threatened by RFID technology introduction must be maintained and strictly adhered to for the foreseeable future. The main objective of the RFID debate must be to ensure exactly this.
Copyright © 2004 Jan E. Hennig.