The RFID Battle: Privacy vs. Business NeedPublished: April 06, 2005 in Knowledge@Emory
It sounded like a page from a science fiction novel. In October 2004, the Food and Drug Administration approved VeriChipä, a rice-sized implantable radio frequency identification (RFID) chip for hospitals to use in humans. The tiny device, designed for injection into the arm, wirelessly transmits a unique identifying number. A handheld, battery powered “pocket reader” picks up the ID from the chip at a maximum distance of about 2.5 inches away from the person, and the identifying number is then matched up with specific medical information contained in a secure computer database.
Produced by Applied Digital, a security products developer, VeriChipä is not yet at the marketing stage in the U.S. Applied Digital’s sister company, Digital Angel, already markets and sells a version of the product for use in farm animals, house pets and for aircraft tracking. However, privacy advocates, such as those at the Electronic Privacy Information Center, the ACLU, and CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) note that tagging cattle, the long lost family pet cat Fluffy, or a downed military jet may be one thing, but embedding this sort of device into humans presents very real privacy concerns.
According to Angela Fulcher, vice president of marketing and communications at Applied Digital, “the particular need for rapid access to healthcare information, for example, in patients with chronic diseases, is what will drive the acceptance of the product. It’s a gateway to accurate personal and medical information, particularly for those who are unable to speak for themselves. We are not anticipating that this is an overall consumer product, where individuals will simply want to be chipped. Those with compromised health situations will want to take advantage of the potential lifesaving capabilities of the VeriChipä system.”
In November, Applied Digital signed an agreement with Henry Schein Inc., a global distributor of healthcare products to office-based medical practitioners, moving the device closer to the marketing stage in the U.S. and Europe. A similar deal was struck in December 2004 with three separate distributors in Thailand, Indonesia, Malaysia and South Korea. Interestingly enough, the company drew considerable media attention in July 2004 when the Attorney General of Mexico, Rafael Macedo de la Concha, and members of his staff were chipped for security reasons. A similar announcement came in December 2004, when Dr. John D. Halamka, chief information officer for Harvard Medical School, noted that he was implanted with the device in order to give it a test run before using it on his patients.
Technology in Everyday Use
As with any new and evolving technology, the concerns and security issues are yet to be confronted, says Elliot Bendoly, professor of decision and information analysis at Emory University’s Goizueta Business School. He notes, “Ultimately, the use of an implantable chip should remain voluntary. Still, there are issues as to whether individuals are sufficiently informed regarding the use and voluntary nature of the application. Even without name recognition, there still remains some doubt as to whether such coding could be used in unintended ways.”
For many, the very concept of such a device gets into civil liberty terrain. Cédric Laurant, policy counsel for the Electronic Privacy Information Center, a public interest research center focused on privacy matters, notes, “The people who want to put it in the arm must have the most compelling justification to do so. There are many alternative solutions now. This is a matter of freedom of movement and autonomy. There are suggestions that the Department of Defense wants to put them in the arms of every soldier. The soldiers may not have the right to say no. What if we get to a point with an employer demanding, because of security reasons, which employees need to have these? Money could be the leverage.”
External RFID tags, which work in a similar manner to the internal one, are not new to the American public. Today, “smart cards,” or RFID-enabled ID entry cards, are common for employees at large security-conscious public and private corporate campuses. EZ-pass toll systems and electronic Speed Pass gas cards also use the technology. A limited number of libraries across the country employ RFID tags to track and catalog their books. Retailers are propelling the burgeoning industry, using RFID tags on the pallet and case level for inventory management. However, there has been some public protest in the U.S. and Europe to the installation of the chips on individual shaving and cosmetic items. Generally, the more expensive, often counterfeited or more heavily shoplifted items such as razor blades, certain drugs, and even individual lipsticks, are tagged by some of the major manufacturers.
When Wal-Mart, the world’s largest retailer, announced it would require its top 100 suppliers to use RFID tags on the case and pallet level by January 1, 2005, the pronouncement sent a shudder through the industry. (A December 27, 2004 story in the New York Times reported that some of the requested suppliers were finding it difficult to institute the technology within the retailer’s timeframe. Still, Wal-Mart is pushing ahead and many of its major manufacturers appear to be buying into the overhaul of their inventory systems.) Today, external tags used by product manufacturers and the pallet companies average about an inch square and may cost around 50 cents or more each. The actual readers cost thousands of dollars.
Readers can gather identifiers from a few feet to up to about 10 feet away from the RFID chip, collecting details such as product type, price, color, point of manufacture, and stops along the supply chain. The software systems and database network to manage the information produced by the tags is the largest outlay for the retailer, though these systems need to be in place, to some degree, for existing barcode and other inventory efforts. Unlike bar codes, however, RFID tags can be easily read in groups, making the move from bar coding to RFID a more palatable proposition for many larger companies.
The Future Applications of RFID
As the technology evolves, the size of the tags will continue to shrink and the costs will fall as well. This means that retailers may get to a point where the tags are more common on the individual item, not just on the case and pallet level. Privacy advocates and concerned citizens groups worry about the future potential for businesses and government entities to use the chip and/or readers without the knowledge of the public. Additionally, with advances in the technology, the range that the information can be transmitted will also increase. Some suggest that GPS tracking ability may eventually allow for satellite reads on the tags. There is also concern over companies sharing data, or the tag information being read by unintended parties, if it is not properly encrypted and secured.
Goizueta’s Bendoly observes, “There could be a problem with a firm that is able to recognize a consumer as a ‘repeat patron.’ If the code were fixed, then it would be a trivial matter to recognize the consumer as a “repeat” and cater to them accordingly once they re-enter a service setting. It wouldn’t take much for firms to then associate daily sales information with the IDs of patrons entering their stores. There needs to be regulation in place to limit the ability of commercial interests to read and associate ID-reads with other data regularly captured, for instance, through sales, video surveillance, and more.”
In a July 14, 2004 statement to the Commerce, Trade and Consumer Protection Subcommittee of the House Committee on Energy and Commerce, Barry Steinhardt, director of the ACLU technology and liberty program, noted, “While the technological bars are falling away, we should be strengthening the laws and institutions that protect against abuse.” Steinhardt added that this is an issue that will be “decided by policy.” The consumer privacy group CASPIAN proposes federal legislation that would make it mandatory for retailers to identify tagged items, thus giving consumers the option of buying products containing the chip. Legislative proposals at the state level in Missouri, Virginia and Utah, deal with a similar notification procedure for consumers. However, a bill in California would require customer consent to the tag or the choice to have it removed at point of purchase.
Few would argue that RFID technology is far superior to the old barcode systems. For retailers especially, there is no better way to handle inventory control and identity management of a product. Puneet Sawhney, program manager for RFID at CHEP, a global pallet and container company, says that at any given time, his company might have 200 million pallets containing around 2.5 million product loads moving somewhere in the world. “RFID technology becomes the supply chain enabler. It provides real time information on our assets.” He goes on to note, “As a focus on the item level RFID tag develops, hopefully there will be enough legislation and technology maturity to ensure that privacy is taken care of. But more than anything, all of it depends on how is it is communicated to the customer. We already give information out with the swipe of a credit card, but we accept this on a certain level in exchange for convenience, a price savings or targeted marketing.”
Sawhney admits that RFID mandates from major retailers to suppliers have sped the adoption of the technology. “We put the tags on our pallet and send them out to our customers—the manufacturers. We deal with the supermarket chains like Metro in Germany and Wal-Mart in the U.S. CHEP has a closed-loop operation. It supplies pallets to the manufacturers who ship their products on these pallets to the retailers. Upon consumption of the products at retail, these pallets are returned to CHEP. By using an RFID enabled CHEP pallet, the manufacturer will be able to track their product as well as the pallet, ensuring both asset and inventory management.”
The federal government, in tandem with the defense industry, is also pushing the move toward RFID technology, saying it helps to prevent smuggling and terrorist tampering. A recent U.S. government initiative dubbed “Operation Safe Commerce,” and funded through the Department of Homeland Security, involved RFID tag placement on cargo containers from Asia, Europe and Central America. In the wake of 9/11, RFID tags become a very useful, secure and cost-effective way to identify and track cargo, say government officials. However, as the federal government rolls out further applications for RFID, such as tags in passports, critics worry that the lack of encryption of the information could lead to use by unintended parties. An ACLU white paper from November 2004 notes that the lack of encryption could allow someone to tap into the name, date of birth, place of birth and a digital photograph of the passport holder.
On January 25, 2005, the Department of Homeland Security (DHS) announced the rollout of a new program called US VISIT, using RFID technology at the U.S. border to record the entry and departure of visitors. US-VISIT applies to all those holding non-immigrant visas, regardless of country of origin. Foreign visitors traveling to the U.S. have their two index fingers scanned and a digital photograph taken to match and authenticate their travel documents at the port of entry. By July 31, 2005, the testing of the program will begin at the ports of Nogales East and Nogales West in Arizona; Alexandria Bay in New York; and, Pacific Highway and Peace Arch in Washington. For now, the specifics of just how RFID technology will be used in this application are still unclear.
Balancing the Needs of Business and Consumers
But whether using RFID for public or private use, Rich Metters, professor of decision and information analysis at Goizueta Business School, notes that it is all about balancing the needs of the individual with the needs of business and government. He adds, “Particularly on the retail side of it, the customer wants to have products that cost less. The promise that RFID holds is that excessive inventories will not be necessary, and transaction costs will be less. If the technology moves into the mainstream, these cost savings on the part of businesses will be competed away as savings to the customer. Society becomes more efficient overall. Less excess production takes place in society as a whole, and less wasted production gets tossed into landfills.”
Alex Stuebler, business manager for Siemens Energy & Automation, an automation, power control, and industrial components supplier in the RFID business for twenty years, notes his company already offers a number of low-frequency RFID products. But in mid-2005, they will roll out additional UHF-enabled tags and readers specifically designed to withstand difficult environmental conditions. He notes, “This is an area that needs to be addressed. It’s new terrain—a developing application space. Everyone must be involved, especially the retailers in cooperation with the suppliers.” Still, says Stuebler, the ability for companies to secure their products from tampering, counterfeiting and shrinkage supports the notion that RFID technology needs to be in common use. It’s all about finding a balance, he says, between consumer need and business concerns.
In hopes of addressing consumer concern while supporting the adoption of the technology, EPCglobal, a nonprofit RFID standards organization, is in the process of laying the standards groundwork for the industry. Most of the players in the RFID field belong to this growing group. (EPCglobal is a joint venture of Europe’s EAN International and the U.S.’s Uniform Code Council, the two standards organizations overseeing electronic product coding.) Sanjay Sarma, who serves as a member of EPCglobal’s Board of Governors, notes, “We are now running a responsible standards process. We are not looking to brush the problems aside. We want to get to the point of saying that consumers will have the right to remove or deactivate the tags. For now, the range is low and the costs are prohibitive, so tracking isn’t a big issue currently.”
Many privacy experts note that bar coding, when coupled with customer relationship management software, credit card information and store loyalty or savings cards, already provides businesses with a voluminous amount of personal data. Says Sarma, “In many ways, RFID tags are the same as bar codes. The bar code does not know who the buyer is, and similarly, the RFID tag does not know who the consumer is. It is when the consumer pays by credit card that he or she is revealing his or her identity to a store. RFID doesn’t add anything to this.” Sarma also serves as chief technology officer for OATSystems, a maker of RFID-enabling software. He is also a founder of Auto-ID Labs, a RFID research center at the Massachusetts Institute of Technology (M.I.T.), with EPCglobal serving as an outgrowth of the facility there.
While standards get sorted out, a new market is emerging to deal with the concern over RFID tags. A number of firms are at work on so-called “blocker technology.” For example, RSA Security, an identity and asset management solutions company, is currently at work on their “blocker tag,” designed to prevent scans by unauthorized readers. While the firm’s technology is only in the research phase at present, Dan Bailey, an RFID solutions architect with RSA Laboratories, the research division of RSA Security, says, “Like the early days of the cell phone and the Internet, the industry is busily evolving. The best way to approach it all is to design the technology in the smart way now, and then we won’t have retrofit expenses, like with Internet firewalls.” Of course, the blocker technology remains to be tested in the marketplace, and as RFID tags evolve and improve, the blocker tag would need to evolve as well.
Ultimately, says Benn Konsynski, professor of decision and information analysis at Goizueta, any new technological space has its’ nay Sayers, who often serve to cloud the picture. He notes that while some of the fears are well founded, the initial “sky-is-falling” response from privacy advocates isn’t always conducive to reasonable discourse on the issue. “We need to move to a more realistic approach, based on case studies, to form a legal and privacy standard. There are vertical markets that can readily emerge from this. Retailers aren’t interested in that much intrusion for now. And, at the end of the day, they don’t want negative publicity to drive the customer away. In many ways, [retailers] are at the mercy of the consumer.”