Past readers of this column know that I occasionally hear from people who are deeply concerned about the privacy implications of RFID technology. The fringe elements among them tend to see government conspiracies everywhere-such things as black helicopters of the new world order flying in suspicious patterns over their houses.
Therefore, I was not very surprised to read the subject matter of the December 30 Wall Street Journal article entitled "Satan's Micro Minions-Is Radio Frequency Identification a tool of the Antichrist?" The article is a review of a recent book that ties item-level RFID tagging to a fulfillment of a particular element of the end-times prophecies found in the biblical book of Revelation. These folks see the use of RFID tags in common consumer items as driven by darker forces than simply a government conspiracy. I will leave the finer points of biblical interpretation to more competent hands, but I will simply note that end-timers and black helicopter crowds are often willing to unite against a perceived shared enemy. When such concerns rate even a skeptical review from a huge international publication like the Wall Street Journal, the issue of RFID privacy can be said to have truly left the fringe elements and entered the mainstream. So it is an issue that IW readers will need to keep in mind as they work on their own RFID compliance plans.
A Summary of the Worst-Case Scenario
If you go into any Internet search engine and type the words "RFID privacy" or "RFID information security," you will quickly find more hits than you ever thought possible. A review of even the most "out-there" Websites will show that the chorus of critical voices is very savvy about the details of RFID technology. They may reach seemingly bizarre conclusions, but they buttress their arguments with a wealth of technical detail. I will summarize their main points as follows:
- RFID tags are not just like barcodes. A barcode identifies a class of items (typically, a SKU number). For example, all cans of a particular soft drink have the same SKU and therefore the same barcode. RFID tags can identify each item in a class.
- The use of the EPC number in an RFID tag allows item-level serialization. In essence, the RFID tag contains the SKU plus a unique tracking number for that particular can of soft drink.
- Retailers could theoretically tie the EPC number for each item purchased to a customer's name, address, and other critical data elements of personal identity. Retailers could then share this information with third parties. In the most alarmist case, these third parties could be dark forces of government conspiracy or worse.
- The fact that RFID tags can be embedded in clothes or other items means that a thief or other third party could use a hidden RFID scanner to gain an inventory of what you're carrying. Information such as "Is that watch really a Rolex?" or "What's in your purse?" could be gained without you even knowing you were scanned.
- Governments could embed RFID readers throughout cities and towns. By scanning any RFID tags carried on your person, and linking to the previously-mentioned databases, they could track your every move.
I think that's a fair summary of the major points raised by the anti-RFID crowd. These concerns are not confined to fringe elements, but are also shared by such mainstream libertarian organizations as the Electronic Frontier Foundation. I think I am also correct in thinking that the typical IW reader has enough practical experience with RFID technology to say, "Wow, they really give us too much credit. I only wish we were that good!"
We're Not That Good
The framework of the anti-RFID argument rests on what could be done if accurate information could be reliably read. Unfortunately, for the sinister forces out there, even the most RFID-savvy supply-chain manager will tell you that getting 100% read-rates is difficult in a controlled warehouse or stock-room environment. Read-rates get much worse in uncontrolled environments (such as would be the case on a city street). In fact, the current thrust of software development in the industry is to develop predictive algorithms to determine, for example, that 100% of a pallet-load was really received, even though only 80% of the tags could be read.
Software developers will tell you that handling large volumes of EPC data presents huge demands for existing supply-chain applications. The FDA is pursuing item-level RFID tracking of food and drugs for the purposes of product safety, but the data demands of such an initiative have been in discussion for years without yielding an industry consensus. Thus far the combination of hardware limitations and data handling have frustrated progress on limited and legitimate uses of tracking technology. It is beyond the current state of the art to contemplate the worst-case scenarios listed above.
Finally, it is a truth of the Internet age that where there is a new technology, hackers will try to exploit it. A recent newspaper article announced that German hackers have claimed to develop a pocket-sized RFID chip zapper. With one push of a button, any and all nearby RFID tags would be fried by a pulse of electro-magnetic energy, thus rendering them useless for personal surveillance or even point-of-sale scanning by the cash register.
Industry And Government Respond
Despite these real-world limitations, the RFID industry and both the state and federal government are reacting to RFID privacy concerns. IBM recently demonstrated a peel-n-destroy RFID tag specifically designed to give consumers a means to deactivate tags (the tags have a perforated zip-strip that breaks the electrical pathways of the antenna). The State Department has recently cancelled plans to include an RFID chip in U.S. passports. States as different in political climate as Utah and California have both considered RFID privacy issues in the context of broader data-security and consumer-protection legislation. In the unlikely case that our industry develops the all-powerful capabilities imagined by the RFID activists, it seems very likely that lawyers will have already defined the data-sharing ground-rules.
As you can see, the world of RFID privacy issues is large and growing. When implementing RFID, keep privacy concerns in mind -- and prepare your press releases in advance for the inevitable inquiries from both the mainstream and the fringe press. Also, to guard against the threat of tag-zapping, print your EPC numbers in visible areas so that the person who runs the cash register can rely on such backup procedures as manually keying in the item purchase if the tag fails to read. Fight fire with fire by having the basic technical details of your RFID initiative on hand for those who are overly suspicious of the technology and tend to see the black helicopters everywhere.
Paul Faber is a principal with Raleigh, N.C.-based Tompkins Associates, a supply-chain-solutions consulting firm. As the chief manager of RFID equipment implementation at Tompkins Emerging Technology Center, Paul possesses extensive experience in material handling solutions, systems integration, and installation. He has managed field integration and operations activities at material handling sites around the world.
Interested in information related to this topic? Subscribe to our weekly RFID eNewsletter.