Radio Frequency
Identification (RFID) is an
item-tagging technology with profound societal implications. Used
improperly, RFID has the potential to jeopardize consumer privacy,
reduce or eliminate purchasing anonymity, and threaten civil
liberties.
As organizations and individuals committed to the protection of
privacy and civil liberties, we have come together to issue this
statement on the deployment of RFID in the consumer environment. In
the following pages, we describe the technology and its uses, define
the risks, and discuss potential public policy approaches to
mitigate the problems we raise.
RFID tags are tiny computer chips connected to miniature antennae
that can be affixed to physical objects. In the most commonly touted
applications of RFID, the microchip contains an Electronic Product
Code (EPC) with sufficient capacity to provide unique identifiers
for all items produced worldwide. When an RFID reader emits a radio
signal, tags in the vicinity respond by transmitting their stored
data to the reader. With passive (battery-less) RFID tags,
read-range can vary from less than an inch to 20-30 feet, while
active (self-powered) tags can have a much longer read range.
Typically, the data is sent to a distributed computing system
involved in, perhaps, supply chain management or inventory control.
THREATS TO PRIVACY AND CIVIL LIBERTIES
While there are beneficial uses of RFID, some attributes of the
technology could be deployed in ways that threaten privacy and civil
liberties:
Hidden placement of tags. RFID tags can be embedded into/onto objects and documents without the knowledge of the individual who obtains those items. As radio waves travel easily and silently through fabric, plastic, and other materials, it is possible to read RFID tags sewn into clothing or affixed to objects contained in purses, shopping bags, suitcases, and more.
Unique identifiers for all objects worldwide. The Electronic Product Code potentially enables every object on earth to have its own unique ID. The use of unique ID numbers could lead to the creation of a global item registration system in which every physical object is identified and linked to its purchaser or owner at the point of sale or transfer.
Massive data aggregation. RFID deployment requires the creation of massive databases containing unique tag data. These records could be linked with personal identifying data, especially as computer memory and processing capacities expand.
Hidden readers. Tags can be read from a distance, not restricted to line of sight, by readers that can be incorporated invisibly into nearly any environment where human beings or items congregate. RFID readers have already been experimentally embedded into floor tiles, woven into carpeting and floor mats, hidden in doorways, and seamlessly incorporated into retail shelving and counters, making it virtually impossible for a consumer to know when or if he or she was being "scanned."
Individual tracking and profiling. If personal identity were
linked with unique RFID tag numbers, individuals could be profiled
and tracked without their knowledge or consent. For example, a tag
embedded in a shoe could serve as a de facto identifier for the
person wearing it. Even if item-level information remains generic,
identifying items people wear or carry could associate them with,
for example, particular events like political rallies.
FRAMEWORK OF RFID RIGHTS AND RESPONSIBILITIES
This framework respects businesses' interest in tracking products in
the supply chain, but emphasizes individuals' rights to not be
tracked within stores and after products are purchased. To mitigate
the potential harmful consequences of RFID to individuals and to
society, we recommend a three-part framework. First, RFID must
undergo a formal technology assessment, and RFID tags should not be
affixed to individual consumer products until such assessment takes
place. Second, RFID implementation must be guided by Principles of
Fair Information Practice. Third, certain uses of RFID should be
flatly prohibited.
Technology assessment. RFID must be subject to a formal technology
assessment process, sponsored by a neutral entity, perhaps similar
to the model established by the now defunct Congressional Office of
Technology Assessment. The process must be multi-disciplinary,
involving all stakeholders, including consumers.
Principles of Fair Information Practice. RFID technology and its
implementation must be guided by strong principles of fair
information practices (FIPs). The eight-part Privacy Guidelines of
the Organisation for Economic Co-operation and Development (OECD)
provide a useful model (www.oecd.org). We agree that the following
minimum guidelines, based in part on these principles, must be
adhered to while the larger assessment of RFID's societal
implications takes place:
Openness, or transparency. RFID users must make public their policies and practices involving the use and maintenance of RFID systems, and there should be no secret databases. Individuals have a right to know when products or items in the retail environment contain RFID tags or readers. They also have the right to know the technical specifications of those devices. Labeling must be clearly displayed and easily understood. Any tag reading that occurs in the retail environment must be transparent to all parties. There should be no tag-reading in secret.
Purpose specification. RFID users must give notice of the purposes for which tags and readers are used.
Collection limitation. The collection of information should be limited to that which is necessary for the purpose at hand.
Accountability. RFID users are responsible for implementation of this technology and the associated data. RFID users should be legally responsible for complying with the principles. An accountability mechanism must be established. There must be entities in both industry and government to whom individuals can complain when these provisions have been violated.
Security Safeguards. There must be security and integrity in
transmission, databases, and system access. These should be verified
by outside, third-party, publicly disclosed assessment.
RFID Practices that Should be Flatly Prohibited:
Merchants must be prohibited from forcing or coercing customers into accepting live or dormant RFID tags in the products they buy.
Individuals should not be prohibited from detecting RFID tags and readers or from disabling tags on items in their possession.
RFID must not be used to track individuals absent informed and written consent of the data subject. Human tracking is inappropriate, either directly or indirectly, through clothing, consumer goods, or other items.
RFID should never be employed in a fashion to eliminate or reduce anonymity. For instance, RFID should not be incorporated into currency.
ACCEPTABLE USES OF RFID
We have identified several examples of "acceptable" uses of RFID in
which consumer-citizens are not subjected to "live" RFID tags and
their attendant risks.
Tracking of pharmaceuticals from the point of manufacture to the point of dispensing. RFID tags could help ensure that these critical goods are not counterfeit, that they are handled properly, and that they are dispensed appropriately. RFID tags contained on or in the pharmaceutical containers should be physically removed or permanently disabled before being sold to consumers.
Tracking of manufactured goods from the point of manufacture to the location where they will be shelved for sale. RFID tags could help ensure that products are not lost or stolen as they move through the supply chain. The tags could also assure the goods are handled appropriately. Tags should be confined to the outside of product packaging (not embedded in the packaging) and be permanently destroyed before consumers interact with them in the store.
Detection of items containing toxic substances when they are delivered to the landfill. For example, when a personal computer is brought to the landfill, a short-range RFID tag could communicate toxic content to a reader at the landfill. It is important to underscore that uses such as the landfill example do not require -- and should not entail -- item-level unique identifiers. The RFID tag would, rather, emit a generic recycling or waste disposal message.
CONCLUSIONS
We are requesting manufacturers and retailers to agree to a
voluntary moratorium on the item-level RFID tagging of consumer
items until a formal technology assessment process involving all
stakeholders, including consumers, can take place. Further, the
development of this technology must be guided by a strong set of
Principles of Fair Information Practice, ensuring that meaningful
consumer control is built into the implementation of RFID. Finally,
some uses of RFID technology are inappropriate in a free society,
and should be flatly prohibited. Society should not wait for a
crisis involving RFID before exerting oversight.
Although not examined in this position paper, we must also grapple
with the civil liberties implications of governmental adoption of
RFID. The Department of Defense has issued an RFID mandate to its
suppliers, schools and libraries in the have begun implementing
RFID, the EU and the Japanese government have considered the use of
RFID in currency, and British law enforcement has expressed an
interest in using RFID as an investigative tool. As an open
democratic society, we must adopt a strong policy framework based on
Principles of Fair Information Practice to guide governmental
implementation of RFID.
For more information, please visit the Privacy Rights Clearinghouse. PRC is a nonprofit consumer organization with a two-part mission -- consumer information and consumer advocacy. It was established in 1992 and is based in San Diego, California. It is primarily grant-supported and serves individuals nationwide.
U.S. to require RFID chips in passports
By Grant Gross, IDG News Service, 10/26/05
The U.S. government will require nearly all of the passports it issues to have a computer chip containing the passport holder's personal information by October 2006, according to regulations published this week.
Starting in early 2006, the U.S. Department of State will begin issuing passports with 64K byte RFID (radio frequency identification) chips containing the name, nationality, gender, date of birth, place of birth, and digitized photograph of the passport holder.
The chip would match the data on the paper portion of the passport and improve passport security by making it more difficult for criminals to tamper with passports, backers say. The U.S. government began looking at ways to make passports harder to forge in response to the terrorist attacks on the U.S. on Sept. 11, 2001.
After the State Department proposed RFID chips for passports in February, privacy groups such as the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) expressed concerns. Some RFID chips can be remotely scanned, allowing criminals to covertly scan groups of passport holders at airports, the EFF said in April. RFID passports could act as "terrorist beacons" because they could indiscriminately expose U.S. residents' personal information to strangers.
In a letter commenting on the State Department proposal, the EFF argued that the agency lacked congressional authority to require RFID chips in passports.
"RFID in passports is a terrible idea, period," said EFF Senior Attorney Lee Tien, in a posting to the EFF's Web site. "But on top of that, the State Department is acting without the appropriate authority and without conducting any form of credible cost-benefit analysis. It's asking Americans to sacrifice their safety and privacy 'up front' for a dangerous experiment that it hasn't even bothered to justify."
The State Department received 2,335 public comments on its February proposal to introduce electronic passports. More than 98 percent of the comments were negative, the State Department said, with most raising concerns about security and privacy.
In the passport rules released Tuesday, the State Department said it was taking several security precautions. The RFID chips will use encrypted digital signatures to prevent tampering, and they will be so-called passive RFID chips that do not broadcast personal information unless within inches of an RFID reader machine. The e-passports will protect against data leaks by putting an "antiskimming" material to block radio waves on the passport's back and spine, the State Department notice said.
The new passports would comply with an International Civil Aviation Organization specification on e-passports, the State Department said.
Although the State Department changed its earlier proposal of a self-powered RFID chip to a passive one that relies on a reader machine's power, privacy concerns remain, said Barry Steinhardt, director of the ACLU's Technology and Liberty Program. Steinhardt called the State Department's security measures a "step forward," but he said bar codes could be used to match electronic data with paper data on passports.
"It still raises the question whether or not this is an appropriate technology," Steinhardt said. "There are still some essential concerns about whether this is secure or not."
But Neville Pattinson, director of technology and Government affairs for Texas RFID card vendor Axalto, praised the State Department's changes, including the passive chips and anti-skimming materials. "This is a fine example of the government listening to public opinion and adopting technology that protects citizen's privacy," he said. "With the changes, information cannot be extracted from it."
State Department officials were unavailable for comment on this story.
The IDG News Service is a Network World affiliate.
Wal-Mart, P&G Involved in Secret RFID Testing
American consumers used as guinea pigs for controversial technology
November 10, 2003
by Spychips
Wal-Mart and Procter & Gamble conducted a secret RFID trial involving Oklahoma consumers earlier this year, the Chicago Sun Times revealed on Sunday. Customers who purchased P&G's Lipfinity brand lipstick at the Broken Arrow Wal-Mart store between late March and mid-July unknowingly left the store with live RFID tracking devices embedded in the packaging. Wal-Mart had previously denied any consumer-level RFID testing in the United States.
"It proves what we've been saying all along," says Katherine Albrecht, Founder and Director of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN). "Wal-Mart, Procter & Gamble and others have experimented on shoppers with controversial spy chip technology and tried to cover it up. Consumers and members of the press should be upset to learn that they've been lied to."
The Sun Times also reported that a live video camera trained on the shelf allowed Procter & Gamble employees, sometimes hundreds of miles away, to observe the Lipfinity display and consumers interacting with it.
"This trial is a perfect illustration of how easy it is to set up a secret RFID infrastructure and use it to spy on people," says Albrecht. "The RFID industry has been paying lip service to privacy concerns, calling for notice, choice and control. But companies like P&G, Wal-Mart and Gillette have already violated all three tenets when they thought nobody was looking. This is exactly why we oppose item-level RFID tagging and have called for mandatory labeling legislation."
The Lipfinity tests were conducted while Wal-Mart and Procter & Gamble were sponsors of the MIT Auto-ID Center, a consortium of over 100 corporations and government agencies founded in 1999. Auto-ID Center trials were overseen by a Board of Directors, which included both Wal-Mart and Procter & Gamble, along with the Uniform Code Council (UCC), the standards body that oversees the bar code. The UCC (along with EAN International) took over commercial functions from the Auto-ID Center on November 1, 2003.
"Given the players, the Wal-Mart Lipfinity trial probably isn't an isolated incident," says CASPIAN spokeswoman Liz McIntyre. "UCC and Auto-ID Center documents suggest that other products, including Huggies baby wipes, Pantene shampoo, Caress soap, Purina Dog Chow and Right Guard deodorant were also slated for live RFID field trials. Coca Cola, Kraft, Kodak and Johnson & Johnson products are also implicated. However, it may be difficult for consumers to learn the extent of those trials in the current climate of secrecy and denials."
(Links to documentation provided below.)
Disclosure of the Broken Arrow trial is only the latest scandal to hit the privacy-plagued RFID industry. Early this year, CASPIAN called for a worldwide boycott of Italian clothing manufacturer Benetton when the company announced plans to equip women's undergarments with live RFID tracking tags (see http://www.boycottbenetton.org). This summer, CASPIAN uncovered an RFID-enabled Gillette "smart shelf" in a Brockton, Massachusetts Wal-Mart and helped disclose Gillette's scheme to secretly photograph consumers picking up Mach3 razor blades in UK Tesco stores (see http://www.boycottgillette.com/spychips.html). The group also revealed confidential industry plans to "pacify" consumers and "neutralize opposition" in the hope that consumers will be "apathetic" and "resign themselves to the inevitability" of RFID product tagging (see press release).
CASPIAN encourages consumers to contact Wal-Mart, P&G and the UCC to voice their opinion about the use of RFID spy chips in consumer products. Contact information for these companies is provided on the group's RFID website at Spychips home page.
For links to documents implicating other consumer products in item-level tagging trials, see:
"The EPC Network, RFID and data"
"Lessons Learned in the Real World" (note, for example, pages 25 & 26)
Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) is a grass-roots consumer group fighting retail surveillance schemes since 1999. With members in all 50 U.S. states and over 20 nations across the globe, CASPIAN seeks to educate consumers about marketing strategies that invade their privacy and to encourage privacy-conscious shopping habits across the retail spectrum.
We are members of this fine organization, and hope you will check out the work being accomplished by CASPIAN.
Websites that educate consumers about RFID technology.
1) EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. They have no clients, no customers, and no shareholders.
EPIC publishes an award-winning e-mail and online newsletter on civil liberties in the information age – the EPIC Alert. They also publish reports and even books about privacy, open government, free speech, and other important topics related to civil liberties.
2) CASPIAN was founded in October 1999 to oppose grocery store "loyalty cards." Their initial research into supermarket cards and data collection led them to look into the multi-billion dollar "CRM" or "Customer Relationship Management" industry that makes its living by collecting and trafficking in people's personal data. They were horrified at what they discovered, and even more concerned at how little the average American knew about this industry that daily invades our privacy. They began tackling the RFID issue in 2002.
3) The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer organization with a two-part mission -- consumer information and consumer advocacy. It was established in 1992 and is based in San Diego, California. It is primarily grant-supported and serves individuals nationwide.
4) RFID Gazette Radio Frequency Identification news and commentary.
5) Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," Schneier is best known as a refreshingly candid and lucid security critic and commentator.
6) AIM is a global trade association comprising providers of components, networks, systems, and services that manage the collection and integration of data with information management systems. Serving more than 900 members in 43 countries, AIM is dedicated to accelerating the growth and use of AIDC technologies and services around the world.
Their members are manufacturers or service providers of technologies such as radio frequency identification (RFID), bar code, card technologies (magnetic stripe, smart card, contactless card, optical card), biometrics, and electronic article surveillance (EAS).
7) The Johns Hopkins University Information Security Institute (ISI) is the University's focal point for research and education in information security, assurance and privacy. Securing cyberspace and our national information infrastructure is more critical now than ever before, and it can be achieved only when the core technology, legal and policy issues are adequately addressed. ISI is committed to a comprehensive approach that includes input from academia, industry and government.