The RFID Privacy Scare Is Overblown

Computerworld - The privacy scare surrounding radio frequency identification tags is greatly overblown. No company or government agency will be secretly scanning your house to find out what products you've purchased, because there's no feasible way to do so. But if RFID chip makers don't soon allay these fears, the escalating public emotion about this issue may effectively ban the most valuable implementations of this remarkable technology.
Hospitals imagine a day when RFID tags will help prevent medical errors by transmitting the correct medicine dosages to nurses. Appliance makers and food producers envision faster and more targeted recalls of defective products. Clothing and shoe stores expect RFID tags to help identify items of the right sizes for customers, enabling faster service. Clothing makers hope the tags will be able to tell washing machines how to best wash items.
Sound too good to be true? Wal-Mart and the Pentagon don't think so. They're counting on RFID tagging to bring them savings of several billion dollars from lower inventory management costs. Items will no longer need to be individually hand-scanned, thus expediting product loading, invoicing and customer checkout. Scanners might be placed on shelves to speed restocking and installed at building exits to prevent theft. These lucrative benefits prompted both organizations to mandate that their suppliers tag cases and pallets with RFID chips by January 2005.
So what's the problem? Privacy advocates are concerned about tags on products continuing to emit signals in the parking lot, on the road and at home. They're worried that using charge cards or loyalty cards during checkout could result in customer identities being written to the tags. In the worst scenario, they imagine stalkers and thieves scanning cars and homes for expensive goods and personal information.
Some companies are already experiencing a customer backlash with their product-level tagging trials. Shoppers at a New York clothing store recently complained about the prospect of their clothing sizes being beamed into the air. Wal-Mart reportedly had to cancel a pilot where it tagged packages of high-end razor blades because of negative consumer feedback.
Stories of people being tagged have only heightened worldwide fears of Big Brother. In Mexico, some children have reportedly had RFID chips implanted under their skin so they can be tracked if they're kidnapped. A company in Brazil has supposedly embedded chips into employees' skin to control their access to buildings. A school in Buffalo, N.Y., requires students to wear RFID-tagged badges to track arrival times. Some have speculated on the benefits of using implanted RFID chips to store patients' medical and criminal histories. With friends like these, does Wal-Mart need enemies?
The RFID hype has certainly outpaced reality. Manufacturers and retailers have yet to agree on a universal electronic product code. RFID scanning is also far from error-free. But more important, RFID signals are so weak that they're easily blocked by metals and dense liquids. It's infeasible today for someone driving a vehicle down your street to intercept signals from RFID-tagged goods inside your home.
The economics of RFID chips also limit how they're used. Until the price of RFID chips comes down to about a penny apiece, they'll mostly be used at the case and pallet level, clear of any personally identifiable activity. So we have several years to identify the privacy controls we want to see in RFID systems.
Some companies are already creating these privacy controls. Chip makers and users are discussing how the principles of data privacy could be built into the RFID process. A top priority is notifying customers that certain items are tagged with these transmitters -- which could be done by placing a common RFID logo on product packages. To give customers the ability to turn off the transmitters, some companies plan to make them peel-offs. RSA Security Inc. is also developing a chip that could be worn on watches or bags to block nearby RFIDs from transmitting certain information. So the RFID privacy ball is rolling.
But the gathering storm against RFID tags may soon outpace these positive efforts and make product-level RFID tagging taboo. RFID makers and users should take a time-out from their technical discussions and start talking more with the public about what's going on. Their dreams of big economic returns may well depend on it.
Jay Cline manages data privacy at Carlson Companies Inc., a Minneapolis-based group of businesses in the travel, hospitality and marketing industries. Contact him at privacy@computerworld.com.
See more columns by Jay Cline.

Read more about security in Computerworld's Security Knowledge Center.