CNET News.com's Washington watcher Declan McCullagh says that retailers may love the concept of miniscule RFID tags to track products but that consumers should be aware of the potential for massive exploitation by corporations, criminals and the government.
I'm not talking about having a microchip surgically implanted beneath your skin, which is what Applied Digital Systems of Palm Beach, Fla., would like to do. Nor am I talking about John Poindexter's creepy Total Information Awareness spy-veillance system, which I wrote about last week.
Instead, in the future, we could be tracked because we'll be wearing, eating and carrying objects that are carefully designed to do so.
The generic name for this technology is RFID, which stands for radio frequency identification. RFID tags are miniscule microchips, which already have shrunk to half the size of a grain of sand. They listen for a radio query and respond by transmitting their unique ID code. Most RFID tags have no batteries: They use the power from the initial radio signal to transmit their response.
You should become familiar with RFID technology because you'll be hearing much more about it soon. Retailers adore the concept, and CNET News.com's own Alorie Gilbert wrote last week about how Wal-Mart and the U.K.-based grocery chain Tesco are starting to install "smart shelves" with networked RFID readers. In what will become the largest test of the technology, consumer goods giant Gillette recently said it would purchase 500 million RFID tags from Alien Technology of Morgan Hill, Calif.
Alien Technology won't reveal how it charges for each tag, but industry estimates hover around 25 cents. The company does predict that in quantities of 1 billion, RFID tags will approach 10 cents each, and in lots of 10 billion, the industry's holy grail of 5 cents a tag.
It becomes unnervingly easy to imagine a scenario where everything you buy that's more expensive than a Snickers will sport RFID tags, which typically include a 64-bit unique identifier yielding about 18 thousand trillion possible values. KSW-Microtec, a German company, has invented washable RFID tags designed to be sewn into clothing. And according to EE Times, the European central bank is considering embedding RFID tags into banknotes by 2005.
|It becomes unnervingly easy to imagine a scenario where everything you buy that's more expensive than a Snickers will sport RFID tags.|
You can imagine nightmare legal scenarios that don't involve the cops. Future divorce cases could involve one party seeking a subpoena for RFID logs--to prove that a spouse was in a certain location at a certain time. Future burglars could canvass alleys with RFID detectors, looking for RFID tags on discarded packaging that indicates expensive electronic gear is nearby. In all of these scenarios, the ability to remain anonymous is eroded.
Don't get me wrong. RFID tags are, on the whole, a useful development and a compelling technology. They permit retailers to slim inventory levels and reduce theft, which one industry group estimates at $50 billion a year. With RFID tags providing economic efficiencies for businesses, consumers likely will end up with more choices and lower prices. Besides, wouldn't it be handy to grab a few items from store shelves and simply walk out, with the purchase automatically debited from your (hopefully secure) RFID'd credit card?
The privacy threat comes when RFID tags remain active once you leave a store. That's the scenario that should raise alarms--and currently the RFID industry seems to be giving mixed signals about whether the tags will be disabled or left enabled by default.
In an interview with News.com's Gilbert last week, Gillette Vice President Dick Cantwell said that its RFID tags would be disabled at the cash register only if the consumer chooses to "opt out" and asks for the tags to be turned off. "The protocol for the tag is that it has built in opt-out function for the retailer, manufacturer, consumer," Cantwell said.
Wal-Mart, on the other hand, says that's not the case. When asked if Wal-Mart will disable the RFID tags at checkout, company spokesman Bill Wertz told Gilbert: "My understanding is that we will."
Cantwell asserts that there's no reason to fret. "At this stage of the game, the tag is no good outside the store," he said. "At this point in time, the tag is useless beyond the store shelf. There is no value and no harm in the tag outside the distribution channel. There is no way it can be read or that (the) data would be at all meaningful to anyone." That's true as far as it goes, but it doesn't address what might happen if RFID tags and readers become widespread.
If the tags stay active after they leave the store, the biggest privacy worries depend on the range of the RFID readers. There's a big difference between tags that can be read from an inch away compared to dozens or hundreds of feet away.
|The privacy threat comes when RFID tags remain active once you leave a store.|
But what about a more powerful RFID reader, created by criminals or police who don't mind violating FCC regulations? Eric Blossom, a veteran radio engineer, said it would not be difficult to build a beefier transmitter and a more sensitive receiver that would make the range far greater. "I don't see any problem building a sensitive receiver," Blossom said. "It's well-known technology, particularly if it's a specialty item where you're willing to spend five times as much."
Privacy worries also depend on the size of the tags. Matrics of Columbia, Md., said it has claimed the record for the smallest RFID tag, a flat square measuring 550 microns a side with an antenna that varies between half an inch long to four inches by four inches, depending on the application. Without an antenna, the RFID tag is about the size of a flake of pepper.
Matrics CEO Piyush Sodha said the RFID industry is still in a state of experimentation. "All of the customers are participating in a phase of extensive field trials," Sodha said. "Then adoption and use in true business practices will happen...Those pilots are only going to start early this year."
To the credit of the people in the nascent RFID industry, these trials are allowing them to think through the privacy concerns. An MIT-affiliated standards group called the Auto-ID Center said in an e-mailed statement to News.com that they have "designed a kill feature to be built into every (RFID) tag. If consumers are concerned, the tags can be easily destroyed with an inexpensive reader. How this will be executed i.e. in the home or at point of sale is still being defined, and will be tested in the third phase of the field test."
If you care about privacy, now's your chance to let the industry know how you feel. (And, no, I'm not calling for new laws or regulations.) Tell them that RFID tags are perfectly acceptable inside stores to track pallets and crates, but that if retailers wish to use them on consumer goods, they should follow four voluntary guidelines.
First, consumers should be notified--a notice on a checkout receipt would work--when RFID tags are present in what they're buying. Second, RFID tags should be disabled by default at the checkout counter. Third, RFID tags should be placed on the product's packaging instead of on the product when possible. Fourth, RFID tags should be readily visible and easily removable.
Given RFID's potential for tracking your every move, is that too much to ask?