RFID policy panel raises privacy concerns

Radio frequency identification (RFID) technology has many current and future benefits, but U.S. policymakers need to be aware of potential privacy and security problems of the rapidly evolving technology, a privacy advocate and a security expert said Wednesday.

Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft Free IT resource Attend the SOA Executive Forum: Breaking SOA Bottlenecks SOAExecForum.com/may2007 Sponsored by InfoWorld

A parade of RFID vendors and users championed the potential of the technology at a U.S. Department of Commerce workshop on RFID and its policy implications, but Paula Bruening, staff counsel at advocacy group the Center for Democracy and Technology, warned that RFID is one example of a growing trend toward businesses collecting and using their customers' personal data.

While most current forms of RFID aren't capable of compromising privacy by doing things such as tracking customers' movements, the technology is rapidly moving forward and may soon catch up to consumer and privacy advocates' fears, Bruening said. "We need to be forward-looking and address privacy concerns around this technology," she said.

RFID uses small processors and antennas that are integrated into a paper or plastic label. Those chips can then be read by an electronic scanner, and unlike barcodes, RFID chips withstand dirt and scratches. As the range of RFID scanning grows beyond the current 25 feet (7.6 meters), RFID could allow corporations and governments to track people's movements and purchases, privacy advocates have said.

But representatives of RFID technology vendors including Texas Instruments  and Microsoft, along with users PepsiCo  and General Motors, talked of the potential for RFID to revolutionize the way companies manage their inventories, fight counterfeiters and stop shoplifters.

No one offered concrete cost savings numbers, however, and Pam Stegeman, vice president of the Grocery Manufacturers of America, noted that because of the cost of RFID chips and readers, the technology is still not for everyone. Companies that often carry counterfeited or stolen products, or that ship mixed products on pallets, can most benefit from RFID, she said. RFID isn't a good solution for companies that sell many low-cost items, she said. RFID labels now cost about $0.50 each.

Already, RFID technology is used to track livestock, to find lost pets and to pay for gas and subway fares simply by passing an RFID-enabled card close to a reader. Applied Digital, an RFID hardware vendor, even received U.S. government approval in October 2004 to offer RFID chips that can be implanted in humans, just as the chips are now implanted in dogs and cats. Such chips could contain a person's health records that doctors could access in emergencies, said Scott Silverman, Applied Digital's chairman and chief executive officer.

"This is going to be bigger than cell phones," said Jeff Fischer, chief RF architect at Reva Systems, another RFID hardware vendor.

With large retailers including Wal-Mart Stores and Target requiring their suppliers to move to RFID on shipping containers, the technology will become more prevalent in the next couple of years. But Tom Kellermann, senior data risk management specialist at The World Bank Group, warned audience members at the U.S. Department of Commerce forum that like Wi-Fi and other wireless technologies, RFID has major security challenges.

"Radio frequency is impossible to secure," Kellermann said.

RFID labels don't check readers for authentication, so identity thieves could set up their own readers that impersonate legitimate ones, he said. And as with other wireless technologies, criminals will find ways to exploit RFID and "grab money out of the air," he added.

Kellermann advised companies against using RFID for financial transactions, even though oil company Exxon Mobil is already using RFID in its Speedpass "contactless" gas purchasing program, and major credit card companies are rolling out their own contactless cards. Mark MacCarthy, senior vice president for public policy at Visa International Service Association, predicted other retailers would begin rolling out contactless payment terminals within months.

Bruening encouraged policymakers in Washington, D.C., to engage in a debate broader than RFID, focusing more on what companies can do with their customers' personal information.

RFID has the potential to expand what people around you know about you, and its uses are worth a policy debate, said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, a Washington think tank. "When you walk down the street now, people can see you," he said. "(With RFID), people will be able to see you and know more about you."

However, Lewis also warned policymakers not to focus new rules on all uses of RFID when many existing uses cause no privacy or security problems. "If you're putting a chip in the ear of a cow, is there really a privacy concern?" he said. "A one-size approach won't work." And although rules on the proper use of RFID are needed, they could be industry rules instead of ones set by the government, Lewis added.