Consumers must be given notice if radio-frequency identification chips are ever used on individual products and packaging, and they need to be better educated about the technology's benefits and potential for misuse.
Privacy advocates and RFID backers appeared to agree on at least that much Saturday at a workshop on RFID and privacy involving several hundred representatives of RFID technology producers and users, privacy advocates, academics, and technologists. But the conference also showed that the two sides have a lot of work to do to find common ground.
The workshop was billed as the first major effort to bring together RFID backers and opponents. While companies with a stake in RFID, such as Intel, NCR, Philips Semiconductors, and ThingMagic (which makes RFID readers) attended and made presentations, the audience appeared weighted toward RFID skeptics. Some companies with big RFID plans, including Wal-Mart and Proctor & Gamble, didn't attend, while representatives of others, including Gillette, were present but did not speak.
The workshop was held at MIT's Media Lab in Cambridge, Mass., and was sponsored by the MIT Computer Science and Artificial Intelligence Laboratory, the MIT Media Lab, and RSA Laboratories. Retailers and consumer-packaged goods makers expect RFID will cut stocking costs by 25% and store labor expenses associated with receiving goods by 65%, said Mario Rivas, executive VP at the communications division of Philips Semiconductors. The company has already shipped 1 billion RFID chips for use in smart cards, such as those used for fare collection on the London Underground, and other applications. "But supply chain is the driver today," he said.
To help ensure privacy, Philips' RFID tags provide encryption algorithms and a "kill feature" that allows the chips to be deactivated, Rivas said. The latter is designed to address consumer concerns that RFID chips on products such as clothing would remain active after they leave a store. "We are committed to making this technology safe and user-friendly," Rivas said.
But representatives of privacy advocacy groups weren't convinced such steps are enough. "We seem to be rushing headlong into throwing this technology out into the world without discussing its possible ramifications," said Katherine Albrecht, head of Consumers Against Supermarket Privacy Invasion and Numbering (Caspian). She painted a dark picture of how RFID technology could be used to capture data on a person's purchasing preferences or even track people using RFID tags surreptitiously planted in clothing or shoes.
The workshop included a number of technical presentations about the present and possible future capabilities of RFID technology. There was, for example, some debate about the distance at which readers can pick up RFID signals--ThingMagic founding partner Matt Reynolds put the current maximum range at 20 meters--and discussion about ways that stores or consumers can deactivate RFID chips after checkout. NCR demonstrated a device for deactivating RFID tags.
Several presenters noted that RFID signals also are easily blocked by metal and water. That and other physical limitations, combined with cost, led some participants to predict that RFID is a long way--if ever--from being used on individual products.
Position papers were also presented on the possible use of RFID to monitor employees in a workplace and for competitive intelligence purposes.
The two sides may not be as far apart as the rhetoric during the daylong workshop might indicate. No one raised objections to plans by Wal-Mart and other companies to use RFID for tagging pallets and boxes shipped from manufacturers to retailers. A position paper issued by privacy advocates, for example, said using RFID to track goods from the point of manufacture to store shelves is acceptable.
Most concerns revolved around the possible tagging of individual products with RFID chips, how collected data would be used, and whether RFID chips would remain active when a product leaves the store.
Privacy advocates called for a formal assessment of RFID technology by an independent body, including possible implications for society, and argued that RFID tags should not be put on individual products until such an assessment is done.
In the position paper, the groups, including Caspian, the Privacy Rights Clearinghouse, and the American Civil Liberties Union, said the implementation of RFID technology should be guided by principles of fair information practices such as the privacy guidelines issued by the Organization for Economic Co-operation and Development. They also said merchants should be prohibited from forcing or coercing customers into buying products with RFID tags or taking steps that prevent consumers from detecting them.
EPCglobal Inc., the organization spearheading the development of the electronic product code RFID chips use, issued its own proposed guidelines that require consumers be notified of the presence of EPC devices on products through a logo or identifier. They should be informed of their options for disabling or removing RFID tags from products and be educated about RFID/EPC devices and their applications. Finally, data collected using the devices should be subject to applicable laws about the use, retention, and security for such data.
Position papers and other materials from the conference are online at www.rfidprivacy.org/agenda.php.