Business says RFID technology is good for consumers-but others fear a complete loss of privacy.
It looks fairly innocuous, a metal-and-plastic square with wires coiled up like an angular snail, a lot like the anti-theft tag you'd find if you pried apart a book you'd just bought at a chain store. But it's a Radio Frequency Identification tag, RFID for short, and each one has a tiny antenna that can broadcast information about the product, or person, to which it is attached.
To the industry that makes and markets RFID, it's simply the next logical step from bar codes: providing a
cheap, easy way to keep products on the shelves, consumers happy and
companies making
money.
But to many privacy-rights advocates, RFID tags could be the forerunner to nightmare scenarios in which RFID technology is the Trojan horse that brings Big Brother into your home, snooping through your medicine cabinets, fridge and underwear drawer to find out what you do, buy and believe, and, ultimately, what you are.
This small tag has, so far, largely flown under the radar of consumers and the mainstream press. But in early October, privacy-rights advocates Katherine Albrecht and Liz McIntyre published a book,
Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID
, that has RFID proponents on the defensive.
The book holds up plenty of evidence to back up the fears of people who otherwise might be written off as tinfoil-hat-wearing conspiracy theorists: IBM taking out a patent for a "person-tracking unit" that uses RFID tags to identify individuals, their movements and purchases in stores. Procter & Gamble and Wal-Mart collaborating on a test that put cameras on a store shelf in Oklahoma and watched customers pluck lipsticks off an RFID-enabled shelf. A Sutter County grade school's experimental program requiring students to wear RFID-enabled badges to track
their on-campus movements, thanks to supplies donated by the InCom Corp. based 50 miles northwest of Sacramento. And the federal government plans to put RFID tags in passports, prescription medications and perhaps driver's licenses and postage stamps. One day, the
Spychips
authors fear, the tiny tags could be on everything from candy bars to dollar bills, compromising both privacy and personal security.
"I think the industry is waiting until they've done adequate PR to where the public will really embrace it," Albrecht says. "They want to get the infrastructure in place [and] find ways to integrate this technology in a way that is not going to scare people. They envision these things in our homes and our refrigerators and in the doorway of our kids' bedrooms."
In the weeks after
Spychips'
release, RFID supporters retaliated with rebuttals calling the book at best a futuristic fairy tale and at worst a delusional pack of lies by fringe alarmists.
As much as the RFID
industry might want to ignore the book and its authors, it can't afford to do so. One
RFID company has even bought space on Google, eBay and Amazon so when consumers search for "Spychips," a link to a 24-page rebuttal pops up.
"We felt we had a responsibility to educate consumers," says Nicholas Chavez, president of RFID Ltd., who co-authored the rebuttal released Nov. 4. "They may get first blanch at the consumers through the book," he says. "There's a big fear out there that people will go read
Spychips
and then go out and tell 10 people."
Spychips
, he says, casts RFID in "this sinister, Orwellian light" and presupposes applications that aren't within the current capabilities of the technology.
RFID was first envisioned in the 1940s, combining the existing
disciplines of radio broadcast technology and radar to communicate via reflected power, according to a history by AIM Global, the Association for Automatic Identification and Mobility. It wasn't until the late 1970s that technical capabilities caught up with the vision and RFID began to be applied commercially. While "active" RFID tags send out radio signals, the more typical "passive" tags lie dormant until
picked up by devices called readers, which can be positioned anywhere from a couple of inches to several feet away. The reader transmits the information to a database, where it can be stored. There's some debate over actual vs. intended read range, and Albrecht says she has registered results from as far as 15 feet away, but "you don't need these massive read ranges," Albrecht says, if RFID readers are placed in strategic locations, such as freeway onramps, grocery-store aisles, floors or doorways of homes. While some chips are smaller than a grain of sand, the ones currently in use on shipping crates are the size of a credit card.
It's a technology that ultimately will win over consumers through convenience and savings, says Gail Tom, a
California State University, Sacramento, professor who teaches marketing courses and has written two books
on consumer behavior.
And yet, she acknowledges, "if you went up to the average person on the street, they would not know what RFID is."
The
Spychips
book, she says, "alerts people to at least think about it."
"Whenever you have new technology,
there are concerns, and it's good to have concerns [due to] just the possibility that there could be Draconian and negative things. You would hope the good outweighs the bad," she says.
"When UPC codes
came out, it was somewhat
controversial, too," Tom says, remembering worries that unscrupulous retailers would switch prices on unsuspecting customers.
"Using the analogy of the bar code is a good one, because it tracks the product, it doesn't track you," she says.
"Marketers are not interested in individuals. They're interested in segments and clumps of people."
A lot of the technology's success depends on how the RFID industry plays it, and Tom agrees it's now somewhat on the defensive. "It may not have occurred to marketers that they needed to publicize this, because they may not have seen a lot of the privacy issues."
The RFID industry's adversaries are smart, passionate and
media-savvy. With each new development, the authors of
Spychips
fire off an e-mail press release touting their successes or assailing their critics, turning industry leaders' own words against them. They've organized pickets at Wal-Marts, along with boycotts of companies such as Gillette and European retail store Tesco. (In 2003, that store collaborated to package RFID tags with Mach3 razor blades and surreptitiously snap photos of customers taking them from the shelf, and later at the cash register, in a test designed in part to identify potential shoplifters.) The clothing company Benetton canceled its plans to put RFID in underwear and other products after Albrecht launched an "I'd rather go naked" campaign.
Their message is resonating with anti-government Libertarians, conservative Christians and liberal American Civil Liberties Union (ACLU) types. But that's not all. "It doesn't have a demographic," Albrecht says of
Spychips
. "Everyone's got a reason
not to be spied on."
Try to get
biographical information out of Katherine Albrecht, and you'll get some unintended insight into what she's all about. She started taking college courses at age 15 but won't say where she grew up. Along with a master's in instructional technology from Harvard (she's working on her doctorate there), she has a bachelor's degree in international marketing but won't say from where. She's married and has kids but won't say how many. Her family lives somewhere in the state of New Hampshire.
She'll
eat a loss before handing over her driver's license
to reverse an overcharge at Kmart.
She also refuses to use
credit or
ATM cards, only paying cash. Fittingly, she likes to wear mirrored sunglasses.
"I think I've always been kind of a rebel," Albrecht
says. "The ultimate irony is that by being the person who is so openly advocating for privacy, I've become a public figure."
Disturbed by the concept of supermarket loyalty cards, which she feels blackmail shoppers into turning over personal data in exchange for lower prices, Albrecht decided to study the practice for her master's thesis. In 1999, she founded CASPIAN, Consumers Against Supermarket Privacy Invasion And Numbering.
So, it wasn't a reach when, a couple of years later, Albrecht heard about "smart" shopping carts that use RFID to track shoppers throughout a store. She researched and wrote an article for the Denver University Law Review and began attending RFID trade shows in the United States and Europe, where she heard the multiple, often conflicting messages companies were sending to clients, consumers and the general and trade presses.
Also in 1999, corporations and academia were collaborating to create the Auto-ID Center on the
Massachusetts Institute of Technology (MIT) campus. The nonprofit research project was founded and funded by Procter & Gamble, Gillette and the Uniform Code Council, which manages the bar code.
"It was just down the street from Harvard, where I was working on my doctorate," Albrecht says. In the spring of 2002, she signed up as a member of the media to attend a meeting at the Auto-ID Center, which was in the midst of its successful quest to get $300,000 each from companies that wanted to be sponsoring partners. "I was a fly on the wall taking notes in the back."
By then, years into her anti-loyalty-card crusade, Albrecht was a confirmed skeptic and wasn't surprised that big business would want to gather personal information on and track customers, or that it would hope to fly under consumers' radar until RFID was embedded in society and it was too late to do anything about it. "What surprised and horrified me in 2002 was that they actually had a technology to do this."
And no one seemed to be talking about privacy issues.
"I came home that day so sickened and so reeling that I sat down with my husband and says, 'I feel like I have the weight of the world on my shoulders because I know what's coming.' This is
going to fundamentally change everything."
At another board meeting at MIT, Albrecht found herself sharing an elevator with the then-executive director of the Auto-ID Center, Kevin Ashton. Ashton, who was not available for comment and now works for a company that makes RFID readers, has told interviewers that item-level RFID tagging will become common between 2007 and 2010, with RFID common in the home between 2010 and 2020. He also envisions an "Internet of Things" that will link every item sold, from a can of Pepsi to an Armani dress shirt, to its own Web page, tracking it from manufacturer to warehouse to transport and beyond, until the tag is presumably killed by the consumer.
"He gets it. He sees the hugeness of this," Albrecht says of the man she considers her arch nemesis. "He embraces this future; I'm horrified."
On the corporate level, Wal-Mart has been leading the push
toward RFID in a retail setting. This year, the company began requiring the 100 top suppliers to its Texas stores to put RFID tags on their shipping pallets and cases of products at an estimated cost of millions of dollars a year.
"We are also on target to have the next top 200 suppliers live in January 2006," says Christi Gallagher, a media-relations representative for Wal-Mart.
"We don't anticipate each item in the store being tagged for 10 to 15 years," she added. "Wal-Mart is not looking at RFID technology to track customers, but rather to serve them by enhancing its supply-chain process."
The industry envisions "smart shelves," which would alert stores when inventory is low, so they could restock or reorder, decreasing frustration and increasing sales. RFID also has anti-theft applications and could help expedite returns, product recalls and warranties.
Theoretically, the stores would pass savings on to customers.
In November 2003, the Chicago Sun-Times reported on a trial by Procter & Gamble and Wal-Mart in which
shoppers in a Broken Arrow, Okla., store were viewed remotely from Procter & Gamble headquarters as they took packages of Max Factor Lipfinity lipstick off a shelf. The boxes contained small RFID chips, and readers were embedded in the shelf liner.
Although representatives from both companies initially denied such a study ever took place, Wal-Mart now says it was anything but secret.
"There were signs present saying a test was being conducted," Gallagher says.
Gallagher says Albrecht "may not fully understand the technology" and that, "because of our size, we are often the target of criticism by these special-interest groups with their own very narrow agendas, which typically do not reflect the philosophies of the majority of our customers."
The Department of Defense has ordered suppliers to affix RFID tags to shipping crates. The US Food and Drug Administration (FDA) has called for RFID tags on pharmaceuticals' shipping containers, which it says would reduce counterfeiting and theft, and the companies that manufacture OxyContin and Viagra are already on
board. The US State Department announced in May that it was backing off on RFID-enabled passports after privacy-rights advocates pointed out that, lacking encryption, the tags could be read remotely by anyone, including terrorists who could stand in airports with handheld RFID readers, separating out Americans and allowing precision-level targeting. The scheduled rollout had been last summer.
Already, Bay Area motorists use FasTrak to quickly traverse bridges and other toll areas, with an RFID-enabled device automatically debiting their accounts. A Mobil gas station Speedpass uses the same technology, as do VeriChips implanted in pets in case they get lost. More recently, appliance makers have developed microwave ovens and washing machines that can scan bar codes and, eventually, read RFID tags on products to determine how and how long to cook or wash a product. The food industry could tag and track meat and other products, making recalls much simpler. If you have a keyless remote for your car, you are carrying around an RFID tag.
For convenience's sake, the possibilities are exciting: Load up your shopping cart, wheel it through an RFID-enabled bay that will instantly scan the items, store loyalty card and payment card, and check out in seconds.
Simson Garfinkel, Ph.D., has seen all sides of the issue and says
it's not a Utopia-vs.-Armageddon scenario.
An author and instructor at Harvard, he is an expert in computer security and studies information policy and terrorism.
"The public is largely not participating in this debate, and unfortunately the decisions are being made right now," he says. For example, MasterCard and VISA claim they have deployed 1.5 million RFID-enabled cards with no customer complaints. "The fact is these people don't even know that they're carrying the cards," Garfinkel says.
Garfinkel is a member of the Electronic Frontier Foundation (EFF) and a signer of the nonprofit's Position Statement on the Use of RFID in Consumer Products. The statement, which also is endorsed by CASPIAN, the ACLU and various consumer and privacy organizations, calls for a voluntary moratorium on item-level tagging and also
seeks to preserve consumers' right to disable tags, avoid being tracked without consent and preserve anonymity.
"It's hardly a household word," Lee Tien, staff attorney for EFF, says of RFID. "But those people who are aware of it have fairly predictable reactions. [And] the more people know about it, they more concerned they are."
In October 2003, a survey commissioned by the National Retail Federation found that while 43 percent of those who had heard of RFID viewed it favorably, almost 70 percent of consumers were "extremely concerned" that data collected via RFID could be used by a third party, that it would make them the target of advertisers or that they themselves could be tracked through their purchases. "Should the industry fail to educate consumers about RFID, that role will default to consumer-advocacy groups," warned consulting firm CapGemini.
For Chavez, of RFID integrator RFID Ltd., it's a battle for consumers' trust.
"You can't take it personally," he says, but "I do take offense to the fact that they're influencing
consumers' opinions of anyone and everyone in the RFID industry as being secretive or Machiavellian in their efforts."
He wants Albrecht and McIntyre to agree to join his company's advisory board, participate in public debates and
train to become "certified" in RFID. "If they wish to be credible in talking about RFID technology, they need to be
certified."
Chavez tempers his criticism, acknowledging that others in the industry have directed "very well-publicized slurs" at the
Spychips
authors.
Privacy advocates raise important concerns, he says. "I'm all for labeling, and the consumers should have the option to kill the tag at the point of sale."
Most in the industry believe in some form of a code of ethics but ultimately want to police themselves.
RFID trade association AIM
Global, which also published a rebuttal to
Spychips
, calls the book a "great read" for "conspiracy buffs" and says it includes "a lot of conjecture, old news, unfounded assumptions, and a hodgepodge misrepresentation of the various types of RFID-even as the book admits the technology's limitations."
Mark Roberti, founder and editor of the RFID Journal, says RFID is a wonderful technology that is getting a bad rap by a vocal minority. "You can't see it-that's what creeps people out."
Roberti has written hundreds of articles about RFID and its
applications, editorialized against the
Spychips
book and says its authors "consistently overstate the truth."
"They don't understand the fundamentals of business," Roberti says of the idea that collected data could become common knowledge. "Businesses never share information about their customers. The company is always going to do what will make it money."
That's only the beginning of the "misguided" and "pathetic" ideas that Roberti says pervade
Spychips
. "The book is so stupid in the fact that it does not relate technology to reality…Wal-Mart cannot change the laws of physics."
"They're struggling to read tags on cases traveling through a dock door 10 feet wide at 5 miles an hour,"
Roberti says, and it's easy to disable or "jam" tags. Read ranges are only a few inches in most cases, and it will be years before RFID tags are cheap enough-5 cents, the industry hopes-to place on individual products.
And nowhere in the book, Roberti says, is there an example of a specific person whose privacy has been invaded.
"Every time you go into a store, video cameras are assuming you're guilty. Why is RFID suddenly the problem?" says Roberti, who is against tracking people by name and is disturbed that US privacy laws are not as advanced as those in Europe. Still, he says, "these are not evil people out to screw all these consumers. These are good people who want to sell products."
"In my view, RFID gives the consumer all the power," he says. "Wal-Mart has no power. We choose to shop there…Vote with your wallet. If you don't want someone to put an RFID tag in a product, don't buy that product."
Albrecht, who authored a rebuttal to Roberti's rebuttal, says he misrepresents what
Spychips
is all about. It's not about how corporations and the government have invaded people's privacy. It's about how they plan to invade their privacy in the future.
"Part of what the book does is show industry vision," she says. "Before 1910, when electrical outlets were invented, if you had said, 'There will be a way to tap into a worldwide power grid, and [devices] will be every 10 feet in your house,' people would say, 'You're nuts,'" she says.
It's largely the "what if" thought progression that has RFID proponents so mad about
Spychips
.
What if the "smart" medicine cabinet developed by Accenture didn't just warn people, by matching face-recognition software to FDA-mandated RFID tags on medicine bottles, that they were about to take the wrong medicine, but broadcast that information to their family members, doctor or the government?
What if the government or insurance companies start using information gathered by RFID to deny people health coverage?
What if the same refrigerator that lets
you know when you're out of cheese also radios the information to marketers, who in turn bombard you with unwanted advertisements?
What if police decide to use the passes carried by toll-bridge users to determine via RFID readers that a driver had gotten from Point A to Point B too quickly and issue speeding tickets?
What if you have your RFID-enabled passport in your pocket when you go to an anti-war rally, and government agents remotely scan it and put you in a database?
"That's the more dangerous, insidious side of RFID," says the EFF's Tien of the possibility of surreptitious government use of RFID. "The private sector and the government work hand in hand in many areas of surveillance…It's all one big blob a person has to worry about."
"Some people say, 'I don't care if people find out I wear size 8 Levi's jeans,'" Tien says. But what about more sensitive and personal possessions, such as a pregnancy home-test kit, or meds for bipolar disorder or HIV? "There are a lot of issues about your preferences and your beliefs," Tien says. "It's the same debate as the Patriot Act. Some people will say they have nothing to hide, and the government could find the same things out another way."
Tom, the CSUS professor, says that at the end of the day, most
consumers don't really care how a technology works; they just think "it's neat that it works."
If they don't like a technology, or how it's being applied, "the power is still in the hands of the consumer. The consumer still has the power at the very end to rip off the tag.
"I don't see industry in general using
RFID tags in a stealth manner," Tom says.
Garfinkel says it would be a shame if RFID were dismissed completely because the industry is "incompetent" at addressing privacy concerns. He embraces many uses of the technology and especially sees ways it could be used to help blind people.
RFID manufacturers contradict themselves, he says, when they talk about how powerful their tags are and then tell consumers not to worry about them being read covertly, or from a distance beyond the recommended read range.
"Lots of times, things we think are not possible under the laws of physics actually are possible because it's an engineering problem, not a physics problem," he says.
What it comes down to, he adds,
is whether you trust the government and big business to keep your privacy and other best interests at heart.
"I think it's a mistake to simply assume that business would never do anything secret," Garfinkel says. "The government is already following people around. I could easily see us being in a world where this is pervasively deployed. A lot of personal info could be leaked."
Albrecht says CASPIAN's intent has never been to ban RFID, but rather to make companies tell consumers when tags or readers are being used so they can make informed choices.
If consumers wait and hope for the best, it may be too late, says Tien, of the EFF. "Privacy violations are not like a lot of other kinds of violations. You don't see them right away," he says, drawing a comparison with identity theft. "There's really no reason to wait until a disaster happens until you deal with it. You can do something now rather than wait for a crisis."