'Tracking' Tags: Tool or Threat?

WASHINGTON -- The word "Orwellian" is uttered often on Capitol Hill these days, and it was said again this week in a warning of privacy dangers posed by radio frequency identification technology.

"The privacy issues raised by RFID tags are vitally important because they are representative of a larger trend in the United States--the seemingly inexorable drift toward a surveillance society," said Barry Steinhardt of the American Civil Liberties Union. He was among those urging caution about the technology at a hearing before the House Subcommittee on Commerce, Trade, and Consumer Protection on Wednesday.

Dr. Sanjay Sarma of the Massachusetts Institute of Technology described an RFID "tag" as a tiny chip containing data about the thing it's attached to, as well as a tiny antenna for communication. Devices called "readers" send out frequency waves that "wake up" the tag for just enough time to transmit the information on the chip, he said.

Early Applications

RFID technology is currently used in such benign applications as office security passes and inventory tracking systems. But privacy advocates worry that the same RFID technologies that track products through the supply chain may, by extension, begin tracking the consumers that carry them away from the stores.

"Soon we could have Big Brother and big business tuning into the same frequency, where not only will they know where you are, but what you're wearing," said Rep. Jan Schakowsky (D-Illinois).

Similar to the cookies that monitor browsing habits in cyberspace, privacy advocates worry that RFID tags could be used to match our movements with individualized product promotions (or worse) in the physical world.

"RFIDs could be secretly read through right through a wallet, pocket, backpack, or purse by anyone with the appropriate reader device, including marketers, identity thieves, pickpockets, oppressive governments, and others," Steinhardt added.

The Lipstick Tests

Witnesses representing Wal-Mart and Proctor & Gamble assured the panel that they use RFID technology exclusively to collect "aggregate data," not data specific to individual products or people. Even the technical capability to do that, the witnesses added, is "at least ten years away."

But panelists referred repeatedly to reports that a Wal-Mart store in Broken Arrow, Oklahoma in 2003 equipped its shelves with hidden RFID technology to track lipstick products. Cameras monitored customers at the shelves, then transmitted the images via the Web to Procter & Gamble researchers some 750 miles away in Cincinnati. The researchers could tell when lipsticks were removed from the shelves and could watch the consumers in action.

Wal-Mart responded that it had posted signs warning customers of the surveillance, but the story caught the attention of privacy rights groups such as the ACLU and Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN).

Wal-Mart chief information officer Linda Dillman said the test was meant to study "supply and demand issues" related to the proper placement of the lipstick on the shelves.

"On the surface, the Broken Arrow trial may seem harmless," CASPIAN founder Katherine Albrecht said. "But the truth is that the businesses involved pushed forward with this technology in secret, knowing full well that consumers are overwhelmingly opposed to it. This is why we have called for mandatory labeling of products containing RFID chips."

Broad Guidelines Urged

Witnesses representing RFID and industries that use the technology told the panel there is no need to enact privacy legislation specifically addressing RFID. Rather, witnesses said, broad-based and non-specific guidelines are needed when large amounts of consumer information are being collected electronically, whatever the means.

"Every time a new technology comes out we find ourselves back here in hearings discussing specific solutions to the specific problems it creates," said Paula Bruening of the Center for Privacy and Democracy.

"You end up with a better result if you have baseline privacy legislation that incorporates elements of various guidelines like Fair Information Practices and the Privacy Act of 1974," Bruening added.

The majority of panelists and witnesses agreed that mandatory warning labels should go on any product or packaging with a RFID tag attached.

But disagreement persists about the government's role in protecting consumer privacy. Privacy activists say immediate privacy legislation is appropriate, given the "newness" of RFID technology and the speed at which the technology is developing.

"RFID is not unique; it is part of a larger mosaic of technologies that collect data on things and people. I think we do need overarching legislation on the collection of this data," the ACLU's Steinhardt said.

Wal-Mart's Dillman and Proctor & Gamble's Hughes urged the federal government to allow industry to impose privacy guidelines itself, without new legislation.

Subscribe to the Security Watch Newsletter

Comments