RFID AND PRIVACY

Keynote address by Alex Allan to the 3rd Study Meeting
of the Information Network Law Association, Japan
Toin University, Yokohama, 8 November 2003

1. I am most grateful to the Information Network Law Association for inviting me to this conference, and to speak on a subject that I believe will be of increasing significance to those interested in privacy, the law and government regulation.

2. As the title of my speech indicates, I want to talk today about the privacy implications of RFID technologies, particularly as RFID tags become more and more widely deployed on everyday objects.

3. Is this a risk to humanity “on a par with nuclear weapons,” as Katherine Albrecht, the founder of Consumers Against Shopping Privacy Invasion and Numbering (CASPIAN), has said? (1) Or is it better viewed simply as a technology that will join “businesses and consumers together in a mutually beneficial relationship,” as the Auto-ID Center describes it? (2)

How I became involved

4. I first became interested in these issues about 18 months ago, when I was approached by Elliott Maxwell to join an international group to provide advice on public policy issues to the Auto-ID Center, based at MIT in Boston, who were working on the development of RFID tags and Electronic Product Codes. I had met Elliott in 2000, when he and I were doing similar jobs in the US and UK governments, dealing with policies on e-commerce and the growth of the internet. I had been appointed the British Government’s first e-envoy, and Elliott and I had compared notes on a number of common issues.

5. These had inevitably included concerns about privacy, and we were both well aware of the strong feelings which this topic can raise. We had kept in touch after we had moved to different jobs, and I was immediately interested in working in this area.

6. The group has provided the stimulus for much interesting discussion and debate about the issues of RFID and privacy. So I was delighted when Natsui Takato, another of the members of the group, invited me to speak on the subject here today.

7. I should stress that I’m speaking personally, and not on behalf of the International Advisory Group. Other members of the group may disagree with some of the points I want to make, though we are all in strong agreement that the issues need to be addressed if privacy is to be protected and if the technology is to be deployed successfully.

8. I want to start by giving a little of the history of RFID and then go on to discuss why we are seeing so much current interest in the technology. I will then set out some of the planned and future applications. This is all intended to put the debate about privacy in context, and to suggest where the threats are likely to arise in practice, and what can be done about them.

History

9. Radio Frequency Identification (RFID) has been around for some fifty years. The first notable application was in identifying aircraft as friend or foe. Since then RFID has been deployed in a number of applications, such as identifying and tracking animals from implanted tags; tracking transport containers; access control systems; keyless entry systems for vehicles; and automatic collection of road tolls.

10. Until recently, RFID devices have been relatively expensive. But advances in manufacturing techniques and in miniaturizing components have reduced prices substantially, particularly for very large orders. So it has now become possible for plans to be made for RFID tags to be used much more widely—potentially on almost every object.

11. The particular insight of the Auto-ID Center at MIT was to see that RFID devices had the potential to replace the bar-code as an almost universal system for identifying objects. But to do this, the devices or tags had to be really cheap. This required making the tags as simple as possible, so that at their most basic they simply returned a unique serial number when scanned. This serial number, or Electronic Product Code (EPC), could then be used to look up information about the product in a large distributed database, using similar technologies to those underpinning internet applications.

12. The Auto-ID Center has attracted a number of prominent commercial partners, such as Wal-Mart, Procter and Gamble, Gillette and many others. And the work is now being taken forward as an international standard by EAN International and the Uniform Code Council—the bodies which administer the barcode.

13. This is not, of course, the only way in which RFID technology can or will be deployed. There will still be many uses for more expensive tags which can themselves store information about a particular product, and can be reprogrammed to update that information. While I will focus much of my remarks on EPC tags, I will also mention issues where more sophisticated tags raise different or wider concerns.

Advantages of RFID tags

14. What are the advantages that have led to this surge of interest in RFID tags? The key advantage is that they can be read from a greater distance than bar codes, and do not necessarily need to be in line of sight. So it is possible for a distributor to install a scanning system at the door of a warehouse, and automatically read and record the goods entering or leaving. And it is possible for a retailer to install scanning systems on shelves, so as to monitor stock levels directly.

15. The second advantage is that they can be used to identify individual items, rather than just product types. So, for example, an EPC tag can identify an individual pack of razors, or an individual carton, rather than just the type of Gillette razor, which is what a bar code would show. This is not intrinsically a function of RFID: a more complicated bar code system could serve the same function. But a move to RFID tags provides an opportunity to switch to a new system. And the ability to store and retrieve the data electronically enables new applications.

16. A third advantage is the way that RFID tags can be combined with sensors that can automatically record information about an object’s environment. So it would be possible to check whether a packet of foodstuff or medicine had been stored at too high a temperature at some point in the supply chain. This is clearly a relatively high-end application, and it’s not the focus of my paper today.

Limitations of the technology

17. Having listed the advantages, I want to pause and set out some of the limitations, at least in the present state of development of the technology. You sometimes see claims implying that RFID tags can be read from great distances and through almost any material. As I’m sure many of you will realise, that simply isn’t so. Much depends on the type of tag and how it is powered: tags with their own power supply and large antennae can be read from a considerable distance. But small tags without power supplies of their own—as in basic EPC tags—can only be read from a distance of a few feet. And metal and liquids provide shielding that can make reading tags almost impossible.

18. I think some of the misconceptions arise very naturally from the examples given above about existing uses of RFID technology. People know that the RFID tag used for automatic tolling can be read from a distance as they drive past, and carry that concept across to all RFID tags, forgetting or not realising that automatic tolling systems use relatively sophisticated self-powered tags. People know that the RFID chip implanted in a pet is tiny, and assume that all tags can be that small, whereas that sort of tag on pets can be scanned from a distance of millimeters only.

19. Another limitation remains that of cost. One of the objectives of the Auto-ID Center was to set up specifications that would enable economies of scale to drive down the cost of individual tags, from several dollars each down to a few cents. We are already seeing reports of very large orders, though the precise costing has not been revealed. But even if the cost of individual tags can be reduced to US$0.05, which the Auto-ID Center believes will be possible soon, that is still far too high to be deployed on many individual consumer items. Five cents might be a practicable cost for many items of clothing, but not for individual cans of coke or bars of candy. Bar codes will co-exist with EPC and other RFID tags for many years.

Benefits

20. I want now to turn to the applications where RFID tags may be used. What have been the main drivers behind the push towards more widespread use of this technology? What are the potential benefits to firms, to consumers and indeed to Governments?

21. The main commercial driving force has been the scope for improving efficiency in the supply chain. Firms such as Wal-Mart believe it will enable them to keep better track of inventory and to reduce costs from overstocking. Wal-Mart has already announced that it expects its top 100 suppliers to start using RFID tags on all pallets and cases by 2005.

22. In principle, greater efficiency in the supply chain will lead to lower costs for consumers, and better availability of product lines. That doesn’t, of course, take account of the initial investment that suppliers (and Wal-Mart) will have to make in setting up the new systems, in buying readers, in modifying software and so on. This is reinforced by the fact that firms will inevitably have to cope with running new and old systems in parallel for some years. We are already seeing the first skirmishes between retailers and suppliers on how large these initial costs will be, and how they should be shared.

23. The next step will be for RFID tags to be deployed in the store itself, rather than just to improve the delivery of goods to the stores. Some trials have already been reported, for example by Gillette with packets of razors, and Marks and Spencer with certain items of clothing. There are a number of potential in-store benefits. Once again, better control of inventory is likely to be an early focus. If shelves are equipped with RFID readers, then a store can monitor remotely when stock levels are low—it can tell, for example, whether a display has run out of size 12 shirts of a particular design. The technology may also make it easier for a store to tell when particular products are past their sell-by-date, and should be removed from display.

24. Another application that is particularly attractive for manufacturers of higher value goods is control of pilfering. A shelf can be set up to detect if someone takes, say, an unusually large quantity of expensive razors in one go, and to alert the control room to monitor whether the goods are paid for.

25. Much comment has—perhaps inevitably—focused on the way that RFID tags might speed up checkout: the possibility of having an entire shopping trolley scanned remotely, so that there is no need to remove items individually. That has attractions, both for the consumer in terms of speed, and for the store in terms of reducing costs. But there are many obstacles to overcome before that is practicable. It is technically difficult to read a lot of disparate tags in a basket, particularly when many items contain liquids. And it does assume that all items, including fresh produce, have had RFID tags attached.

26. I also mentioned benefits to Governments. I was not thinking in this of Governments seeking to improve their monitoring and tracking of individual citizens, though I am sure some will believe that to be the case! Rather, I was referring to benefits that Government can secure as a large purchaser of goods itself. This is particularly true of the military, which has been an enthusiastic adopter of RFID technology to improve its tracking and distribution of everything from ammunition to spares to food. The nature of its operations means that some more sophisticated applications may be cost-effective—for example tags that incorporate temperature sensors and can record if items have been stored at too high or too low temperatures. There will also be benefits in other areas of government procurement, for example in education or health services.

27. Another application that is of interest both to commercial firms and to Governments is in identifying counterfeit goods. RFID tags may make it easier for stores or distributors to identify whether, for example, medicines they had bought were counterfeit. It is relatively easy to copy labels and packaging, but much harder to forge an RFID tag with a valid EPC code.

28. Recycling offers another application where RFID tags may help Government, commercial firms and the community achieve their objectives. There is an increasing pressure—including in some countries through legislation—for manufacturers to be responsible for the safe recycling or disposal of goods once they have reached the end of their life. EPC tags could provide easy access to information about a product and its history, and hence make recycling more efficient. (3)

Consumer applications

29. The applications and benefits I have so far discussed have focused mainly on manufacturers and retailers, and only indirectly on consumers. Are there applications and benefits to consumers from purchasing an item with an RFID tag?

30. There are some obvious applications relating to returns and to repairs under warranty. RFID tags could be used to identify immediately that goods had been bought from a particular store and were or were not still covered by warranty. This could be a simpler approach for both the retailer and the consumer than relying on sales records, serial numbers and so on.

31. Another related application is dealing with manufacturers’ recalls of faulty goods. At present, this often involves complicated lists of products, batch numbers and so on. RFID tags would make it much simpler to check whether an item was the subject of a recall. This indeed was one of the motivations behind Michelin’s plans to embed RFID tags in all tires, partly to meet legislative demands for new systems to make recalls easier.

32. But these are relatively mundane applications, so it is no surprise that it was some of the futuristic applications in the home that attracted the early hype. RFID tags on food packaging so that a microwave oven equipped with a reader could automatically tell the length of cooking time that was needed. Washing machines that could sense the tags on clothes and adjust water temperature accordingly. Fridges that could tell when a carton of milk was out-of-date and order more from the store.

33. These may come. But they are a very long way away from the market. And research has revealed that, not altogether surprisingly, consumers feel uneasy about this type of application. (4) They do not see them as a selling-point for the technology: if anything, the reverse. Focusing on them has done more harm than good to those promoting RFID.

34. There are, nonetheless, some home applications that might bring benefits that are more readily accepted by consumers. One would be in helping people with disabilities. For someone with impaired sight, RFID scanners might be able to check a packet of food and speak instructions about what it is and how it should be cooked. Similarly, RFID scanners might be able to provide help to the elderly on correct dosages of medicine, or to check whether different medicines should not be taken in conjunction with each other.

Fears about RFID

35. I have gone into some detail about the types of RFID applications, and the technology, since I think that background helps set the scene for analysing threats to consumer privacy.

36. The most widely-reported concerns about RFID tags have been over their potential use for tracking individuals through the goods they are carrying or the clothes they are wearing. In this, the past applications of RFID tags may be seen as a worrying precedent. As I indicated at the beginning, most of those applications are ones that do involve tracking, whether of aircraft, of vehicles or of animals. It is a natural jump to go from hearing that RFID tags are used to identify and track animals, to assuming that an RFID tag on an article of clothing would serve the same function for tracking a person.

37. I have already discussed the limitations on the range at which RFID tags can be scanned, but it is certainly possible that a store could scan tags on items carried or worn by people entering the shop—or that the same process could be carried out for people entering a government building, sporting arena etc.

38. The first issue is whether a store could identify someone from an RFID tag on their shirt. If I had purchased the shirt at that store, it would be reasonably straightforward. As I passed through a scanner on entry, the store would be able to match the code on the tag to its sales records, and pick me out as the customer who had purchased it—assuming of course that it was me and not my wife who had bought it! This does assume that the store had chosen to keep records enabling it to match individual tags with individual customers. Otherwise, all it would know was that I was a returning customer—something that might of course be useful information in itself.

39. Now suppose I walked into a rival store. How would it be able to identify me? It might be able to use the EPC code to identify the shirt as one made or sold by its rival. But in order to identify me as the owner of the shirt, it would need access to databases that held sales records from its rival. This seems implausible, though it highlights the importance of data protection, something I shall return to later.

40. Similar problems would arise for systems scanning individuals on entry to government buildings. In this case, it is just about possible to imagine law enforcement agencies getting subpoenas allowing access to databases that matched items and their owners, but it would still be a complex problem. It is easier to see it being done for one-off forensic analysis—identifying a jacket left at the scene of a crime, for example.

41. Another concern is that rather than just identifying an individual who entered a store or government building, a linked series of scanners might enable someone to be tracked as he walked down streets and through shopping centres. This doesn’t necessarily require knowledge of who the owner of an item is: since EPC codes are unique, it would be sufficient just to know that the person wearing a shirt with a particular EPC code had passed by a specific series of scanners.

42. One problem with this is that it is hard to imagine sufficient scanners linked together to provide real-time tracking. There are almost certainly easier ways to do this, using closed circuit security cameras, or even signals from mobile phones—much more powerful radio devices that people choose to carry with them. Nonetheless, it is possible to imagine a system that matched RFID tags carried by people entering a government building against tags recorded on, say, people who had visited a gun shop, or attended a particular political rally.

43. Another fear relates not to identifying the individual, but to identifying goods that he or she may be carrying or wearing. Examples include someone covertly scanning people in a bus queue and identifying what brand of underwear they were wearing, or discovering that someone had just bought Viagra from a pharmacy. This is potentially very intrusive.

44. A final issue to raise in this context is the reported interest of the European Central Bank in embedding RFID tags in banknotes. (5) While it is unclear how information from these tags would be monitored or used, the prospect of a shift away from the anonymity of banknotes has certainly raised privacy concerns.

Addressing privacy concerns

45. My conclusion from this is that the threats to privacy are real, though perhaps not as alarming as has sometimes been made out. That is not in any way meant to be an argument for complacency, either on the part of consumers or on the part of manufacturers. Not everyone will share my analysis or my conclusions. And from the perspective of firms using the technology, they need to take account of widely-held perceptions, even if the fears may seem to them exaggerated. While there is plenty of scope for education, it is very dangerous to assume that perceptions can be changed radically or swiftly.

46. This is something that comes across time and time again from experiences within Government. There are many examples, from food safety to transport safety, where public perceptions may seem at odds with scientific advice, but where Governments dismiss these views at their peril.

47. It is vital therefore to address public concerns about RFID tags in a clear way, and preferably by anticipating concerns before a head of steam has built up. Part of the strategy must include considering what benefits the public may expect from a new technology, and how that will impact on its acceptability. If the public see real advantages from a new technology, they are less concerned about risks—as for example in the debate about the risks of radio emissions from mobile phones.

48. It was to the Auto-ID Center’s credit—to its Executive Director, Kevin Ashton, in particular—that they recognised early on that addressing privacy concerns could be vital to the successful adoption of RFID and EPC technologies. That was what led to the setting up of the international advisory group of which Natsui Takato and I are members.

49. It is an international group because of the recognition that, for a world-wide standard, it is vital to consider how issues may be perceived and addressed in other countries, and not to be US-centric. There have been, for example, considerable differences in the approaches to privacy adopted in the US and in the European Union, and indeed in other countries such as Japan. Different structures of government, different cultures, different consumer and business pressures have led to different systems of regulation.

50. If I am frank, I would say that the initiative in setting up the international advisory group has not worked as well as it should. We are only advisory, and the complex mix of interests involved in the Auto-ID initiative has made the process of setting guidelines slow. Some firms have rushed ahead with announcements without having clear policies in place to deal with privacy concerns—though it is only right to note that many of these instances have involved firms who were not directly involved with the Auto-ID Center and its work.

51. I am glad to say that the picture is now changing, and firms are beginning to recognise the importance of sound policies on privacy, though there is a lot more that needs to be done.

52. EPCglobal, the new body set up by EAN and UCC, has recently published its “Guidelines on EPC for Consumer Products,” following a meeting here in Japan last month. This recognises the importance of addressing privacy concerns about the new technology. It enunciates four guidelines, covering notice, choice, education and data collection. I refer you to the document itself for the full description of what is proposed. (6)

53. The first of the guidelines provides that consumers must be given clear notice of the presence of EPC tags on products, through the use of a logo. This is certainly necessary. But what it doesn’t do, at least so far, is to require notice of the use of RFID scanners. For the moment, that may be academic given the limited nature of the trials taking place in stores. But in the future, as new applications emerge, I believe the scope of this guideline will need to be widened.

54. The second guideline says that consumers will be informed of the choices they have to discard, disable or remove EPC tags from the products they acquire. This too is certainly necessary. Even though the likelihood of remote scanning of items outside the store may currently be small, any advantage from keeping an active tag on a product is equally small. So the safety-first principle is to remove or destroy the tag, and consumers should have the ability to do that.

55. The guideline falls short of mandating stores to provide a service to “kill” or deactivate tags, and is more cautious in its language than, for example, the equivalent proposition put forward last year by Simson Garfinkel in his RFID ‘Bill Of Rights.’ (7)

56. As I understand it, the caution in the EPCglobal guideline is largely due to uncertainties about the technology for deactivating tags, and the cost. This makes it important that other options are easy to deploy. In the UK, for example, Marks and Spencer have made a point of stressing in a recent trial that the tags will be put on cardboard labels attached to clothing and are designed to be cut off and thrown away.

57. The third guideline deals with education, and essentially says that consumers must have easy access to information about the technology.

58. It is the fourth guideline that I want to focus on in a bit more detail. It says: “As with conventional bar code technology, companies will use, maintain and protect records generated through EPC in compliance with all applicable laws. Companies will publish, on their Websites or otherwise, information on their policies regarding the retention, use and protection of any consumer specific data.”

59. I believe that this is increasingly going to be seen as a crucial aspect of the privacy debate so far as EPC tags are concerned—and one where the guidelines may well need to evolve as the technology is developed and implemented.

60. In some ways, the guideline is redundant, in that companies must of course protect records in compliance with all applicable laws. Quite what that will involve will vary from country to country. In the European Union, for example, if a company matches EPC data to information about the consumer, this is likely to be seen as processing of personal data under the Data Protection Directive. (8) This brings a range of measures into force, including a requirement to obtain “unambiguous consent” from the individual. More work is needed on the implications of this.

61. In Australia, the federal Privacy Commissioner has said that retail stores that collected profiling information without informing customers were “likely to be in breach” of the Privacy Act, and that “if organisations use this data for purposes outside people’s reasonable expectations, that would breach National Privacy Principle 1.” (9)

62. I am sure you will be more familiar than me with the equivalent provisions in Japanese law.

63. So there will need to be clear principles governing how data from EPC tags will be stored, and who has access to it, covering not just those in the supply chain but anyone else who may use EPC technologies.

64. One of the most basic queries is to use the EPC to find out what type of product it is that has been scanned—a Marks and Spencer shirt or a Gillette razor. In most cases, this will be public domain information. But there may be examples of products whose identity could be sensitive if scanned remotely—Viagra and underwear were the two examples quoted earlier. For such products, there needs to be a system whereby only authorised applications or authorised scanners can access even basic information from the manufacturer.

65. More complex queries will require accessing information from a number of different companies. To find out where an order was delayed in the supply chain would require information from all the companies that had handled the item. Some of this will be commercially sensitive data, where there will need to be strict controls on access, as indeed is recognised by the Auto-ID Center’s proposals. (10)

66. This is closely linked to the question of identifying an individual from an RFID tag on something he is carrying or wearing. In most cases, to do this would require access to the whole supply chain, so as to trace the item from its manufacturer to its point of sale. It would then also require the retailer to supply information about the individual to whom that item had been sold—assuming of course that the retailer had known the identity of the purchaser (from a credit card or loyalty card) and had organised his database so as to match individual EPC tags to individual customers.

67. Many jurisdictions will place strict limits on the circumstances in which this may legitimately be done. There will need to be robust systems and clear policies about who can access the data and in what circumstances. It is an area where consumers will rightly be suspicious about lapses in security or in data protection policies.

68. There are other areas where the use of RFID tags raises privacy issues. I mentioned earlier that Gillette were trialing the use of RFID tags to counter pilfering, by raising alerts if someone in a store removed an abnormally large number of packets of razors or batteries from a shelf at one time. One suggestion was that they would use still or video images to record the identity of the individual concerned. Although I can well see the reasons behind this, it does bring in questions about how the images would be used and stored, and might raise issues under the EU Directive.

Future developments

69. Much of this paper has been written around the use of RFID tags containing just read-only EPC data. Over time, it is likely that manufacturing costs will reduce further, and it may be possible to deploy more sophisticated tags widely. Among the options will be tags that support reprogramming, encryption and password-protected access. These will have both positive and negative implications for privacy. On the positive side, it would be possible for someone to keep an RFID tag on an item, but to ensure that no one could read it without suitable permissions. On the negative side, a whole new set of options arise for adding data to tags without the owner’s knowledge or storing data on tags that the owner cannot access. It might also be difficult to distinguish between a tag that has been deactivated and a tag that has been programmed to respond only when supplied with the correct password.

70. Clear guidelines will be needed to cover these issues, as and when the technology is deployed commercially.

Conclusions

71. Some of the concerns about privacy seem exaggerated given the current state of deployment of the technology. But even if we rule out the more fantastical applications, there are legitimate privacy concerns that could arise from developments over the next few years. And it is important to act early, rather than allowing public concerns to grow without adequate response.

72. The risk is not just of consumer boycott, it is also of legislative action if governments feel that consumer concerns are not being adequately addressed. The EPCglobal guidelines are a welcome first step, but there are additional areas that will need to be addressed as the technology develops.


Notes

(1) quoted in http://www.usatoday.com/usatonline/20030925/5532478s.htm

(2) see http://www.autoidcenter.org/technology.asp

(3) see for example http://www.autoidcenter.org/publishedresearch/cam-autoid-wh017.pdf

(4) see http://www.autoidcenter.org/publishedresearch/cam-autoid-eb002.pdf

(5) see http://www.computerweekly.com/Article124554.htm

(6) see http://www.epcglobalinc.org/public_policy/public_policy_guidelines.html

(7) see http://www.simson.net/clips/academic/2002_Ubicomp_RFID.pdf

(8) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

(9) quoted in “The Australian,” 1st April 2003, p29: “Clothing Spy Chip Furore” by Karen Dearne

(10) see for example http://www.autoidcenter.org/publishedresearch/cam-autoid-wh015.pdf