Don't regulate RFID--yet

Industry deserves a chance to act responsibly, CNET's Declan McCullagh says, before ill-informed legislators step in.

Not many people may remember this, but Phil Donahue was one of the digital age's first technophobes.

In 1974, the TV talk show host denounced the Universal Product Code, better known as the bar code, as a dastardly plot that would let grocery stores trick consumers. Grocers would replace price tags with bar codes and confuse shoppers, Donahue informed his viewers repeatedly.

Donahue's predictions turned out to be nonsense, of course, and today, the humble bar code saves Americans more than $17 billion a year in grocery stores alone.

But the technophobe mentality just won't quit. Now a clutch of privacy fundamentalists is calling for new laws to target radio frequency identification (RFID) technology.

RFID tags are microchips that have already shrunk to half the size of a grain of sand--practically.

They listen for a radio query and respond by transmitting their unique ID code. Most RFID tags have no batteries; they use the power from the initial radio signal to transmit their response.

The technology permits retailers to slim down inventory levels and reduce theft, which one industry group estimates adds up to $50 billion a year. With RFID tags reducing costs for businesses, consumers likely will end up with more choices and lower prices. And wouldn't it be handy to grab a few RFID'd items from store shelves and simply walk out, with the purchase price automatically debited from your (properly secured) RFID-equipped credit card?

There are legitimate privacy concerns about RFID tags, which I outlined in a column more than a year ago. But RFID companies already are proposing solutions, indicating that legislators should be extremely cautious before stepping in with one-size-fits-all solutions.

Instead, sadly, politicos are rushing to regulate. In February, California State Sen. Debra Bowen introduced a bill (SB1834) that seeks to regulate RFID technologies. It originally said that before such tags can be used for information collection, a business "shall obtain written consent."

Even if you agree with her approach, Bowen's approach seems chronologically backward. In a world where we can get a credit card over the phone and open a bank account over the Internet, why require an ink signature on a piece of paper? The only way Bowen's legislation makes sense is if she wants to make a new technology so unwieldy that few people will use it.

Other states have been equally busy. Proposals in legislatures such as Utah (HB251) and Missouri (SB867) would make it illegal to slap RFID tags on products unless consumers know about them. Virginia is considering (HB1304) "policies and guidelines" related to RFID tags, as is Maryland (HB32).

Feds to weigh in?
Congress also has signaled that laws could be on the way. One House subcommittee convened a hearing last month on the topic, where both Republicans and Democrats improbably likened RFID tags to "spyware." Sen. Patrick Leahy, D-Vt., has talked about corporate "excesses" that "suggest that Congress may need to step in at some point." The Federal Trade Commission has convened a workshop on the topic.

Cedric Laurent, a policy fellow at the Electronic Privacy Information Center (EPIC), says the European data protection commissioners are drafting regulations to cover RFID. "They're going to come up with some documents soon," extending the European Data Protection Directive, Laurent said. (Portugal's data protection commissioner is already there.)

Pro-regulation groups like EPIC, the American Civil Liberties Union, Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and Ralph Nader's Consumer Project on Technology are egging politicians on.

They released a manifesto last November, demanding that merchants "be prohibited from forcing or coercing customers into accepting live or dormant RFID tags in the products they buy." CASPIAN has proposed sample federal legislation that would go even further by flatly outlawing some uses of RFID devices.

That flips the principle of consumer choice upside down. If Wal-Mart Stores eventually begins to sell toasters with RFID tags on the boxes, consumers can choose to remove the tags or shop elsewhere. Sam Walton's focus on customer satisfaction, part of Wal-Mart's corporate culture today, suggests that his company would be extraordinarily sensitive to customers' privacy concerns--even in the absence of specific RFID laws.

First cookies, then...
The legislative approach would set a precedent that should worry Silicon Valley--that tech-impaired politicos and activists can dictate the future of any technology they dislike. Instead of letting normal market forces take over and consumers embrace or reject new ideas, the privacy prohibitionist view says that only technologies approved by Washington or state capitols can be permitted to exist.

That almost happened with "cookies" a few years ago. Know-nothing members of the European Parliament wanted to outlaw cookies, which are records created by your Web browser that permit sites to look the same during your next visit. The Interactive Advertising Bureau UK had to launch a "Save Our Cookies" campaign, and in the United States, class-action lawyers began filing lawsuits of dubious merit against targets such as Excite@Home.

The cookie bans failed when saner heads prevailed--but not until after software companies spent considerable effort providing evidence to politicians that cookies weren't Big Brother in tiny packages. Now the RFID industry is being forced to beg legislators to back off.

"We feel that any efforts to prematurely legislate or regulate the technology before it has a chance to be implemented really will prevent industries from unlocking the benefits of the technology," said Jeff Oddo, a spokesman for the Uniform Code Council, which oversees bar codes and an RFID association called EPCglobal. "A lot of the work that we're doing is to address any concern that (would) prevent this technology from being deployed responsibly. Privacy is as important as anything else we're doing."

One way to eliminate most privacy concerns is to disable RFID tags after they leave the store. Standards organizations such as EPCglobal have specified a "kill command," and 13 companies, including Philips Semiconductors and Texas Instruments, elaborated on it in their own proposal, which would include a 32-bit kill switch. (Except in some pilot projects, RFID tags aren't being placed on individual products, just on pallets used inside stores.)

EPCglobal has published a set of substantial public-policy guidelines that say consumers should be informed of RFID tags and given the option to disable them. The guidelines take effect on Jan. 1, 2005.

In other words, the RFID industry already is responding to consumers in a responsible manner, knowing that retailers will lose business if Americans aren't reassured. Just don't expect the modern-day Phil Donahues to admit it.