RFID-Privacy Law Debated

A California state senator is considering legislation that would regulate the use of RFID tags on individual retail products.
Before radio-frequency identification technology has arrived, it risks being regulated. California state Sen. Debra Bowen plans to introduce legislation this month to restrict the retail use of RFID tags.

According to a spokeswoman for Bowen, the senator is still considering the merits of several proposals. While the specifics have yet to be decided, she says, the likely focus of the bill would be retail-item RFID tags, as opposed to the more prevalent use of tags on cases and pallets in the supply chain.

Several major retailers, including Marks & Spencer in the United Kingdom, Metro Group in Germany, and Wal-Mart in the United States, have field tested item tagging. Only Metro has revealed plans to use the technology in retail. It intends to begin using RFID along its entire supply chain and in 250 stores starting in November.

Last August and November, Bowen held hearings to determine whether RFID legislation might be necessary to address privacy concerns. During the November hearing, she expressed concern about the possibility of RFID-enabled data collection. She said such activities had significant implications "because warrants and subpoenas do allow the dissemination of information that people expected would not be disseminated pursuant to the basic informational privacy practices."

At that hearing, a spokesman for the trade group Uniform Code Council Inc. argued that the industry could police itself by adhering to guidelines set forth by EPCglobal Inc., the organization promoting the Electronic Product Code Network, the infrastructure that links RFID devices and databases.

While supporting self-regulation for RFID, Vijay Sarathy, product-line manager for Sun Microsystems' RFID line, says some privacy protections have merit. "There's always going to be elements of society that try to put that data to nefarious uses," Sarathy says. "It's conceivable that you might have an RFID scanner attached to your cell phone. So you could walk into your retail store and use the reader on the cell phone to get more information about the products on the shelf." But the same scanner could scan the contents of a purse, he says, if RFID tags on those contents haven't been made inoperative. "There are legitimate privacy issues and concerns like that. So there is some legislation that's worth pursuing, I think."

Says computer-security researcher Simson L. Garfinkel, author of Database Nation: The Death Of Privacy In The 21st Century: "You can use technical solutions, but the problem is when someone figures a way around it, game over."

Effective laws would prevent a race between people with data and people wanting the data, he says. A technical answer alone would "mean that anybody who could convince people [to] give up their information would suddenly be entitled to it."

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing