Information Systems Security, 16:6164, 2007 Copyright Taylor & Francis Group, LLC ISSN: 1065-898X print/1934-869X online

e DOI: 10.1080/10658980601051821

RFIDs and Personal Privacy

Edward H. Freeman, JD, MCP, MCT

Its not true that life is one damn thing after another; it is one damn thing over and over.Edna St. Vincent Millay (18921950) Security and privacy experts agree any new technology is always one step ahead of their best efforts to secure it. Each new advance redefines security and personal privacy and requires new levels of technical expertise and legal protection. As soon as (or before) these issues are clarified, a newer technology appears and the cycle starts again. Radio Frequency ID (RFID) technology uses a tiny tracking chip, often smaller than a grain of rice. RFID-tagged items can provide much more sophisticated information, down to the specifics of where that particular can of soda was made, which batch it is from, and when it was shipped, and so can serve as a tracking method beyond mere simple data.1 The EZPass system, used for reading vehicle information through tollbooths on state highways, is a common example of RFID technology. RFIDs can now be included in almost all consumer products: auto parts, groceries, currency, and clothing. RFID technology also has tremendous application to businesses: Attach an RFID tag to an object and, every time it passes a reader, information about what it is and where it is can be delivered to your business systems. This is real-time information that has not been readily available before, and can be used to add value to the business in many ways.2

RFID TRACKING SYSTEMS TECHNOLOGY

RFID technology is the next logical step after the Universal Product Code (UPC) that appears on virtually all consumer products. The UPC can tell the scanner that an item is a 15-ounce bag of Lays Potato Chips and sells for $2.99. The stores inventory of chips is then reduced by one. RFID technology can determine where and when the potato chips were made, which batch it was from, and when it was shipped. It can then serve as a tracking method that is much more sophisticated than mere inventory data.3 RFID uses radio frequency communication to automatically identify, track, and manage objects, people, or animals. RFID tags are attached to objects or animals that require a unique identification number. They are tiny, sophisticated radio transmitters and receivers. After they are powered-up, the tag will continuously transmit data. RFID has been available since World War II, when the British army used it to recognize aircraft as a friend or a foe.
61

Address correspondence to Edward H. Freeman, JD, MCP, MCT. E-mail: edfreeman@hotmail.com

The RFID reader has three main functions: energizing, demodulating, and decoding. The reader emits a low-frequency radio wave field that is used to power up the tag. The information sent by the tag must be demodulated, like an AM radio. The encoded information is decoded by the readers on-board microcontroller. A controlling computer can then use this information. Both the reader, tag, the antenna can be sized and shaped in different ways. Since there is no contact or viewing required, the RFID system allows great freedom of movement. Placement of the tag and reader are no longer critical.4 RFID tags could be included in items without public knowledge and could be read without anyones consent. RFID tags meant to track inventory are still part of the item or product when it leaves the store, allowing the item or product to be tracked later if the proper scanning arrangement is available. Because RFID scanners or readers do not need line-of-sight (as with, e.g., laser scanners of the UPC code on that bag of chips), the scanning modes themselves could be hidden. RFIDs come with the ability to be killed, that is, to be disabled permanently when the customer leaves the store. The fear is that the customer could be tracked through that item if the RFID is not disabled. In the pharmaceutical market, Texas Instruments HF-I Pro product has a feature designed to overcome some privacy concerns. Using the password-protected write feature, a wholesaler or retail pharmacist can decommission that data when the product enters the retail distribution center, or when the prescription is filled.5 While such a procedure would be useful in a retail environment, a public library would not find this as feasible, for it would require that a new RFID be installed each time an item is returned.6 Used properly, RFID technology is an exciting new technology that will gradually replace bar codes, resulting in increased efficiency on the wholesale and retail levels. Any solution must strike a careful and delicate balance to protect consumer privacy without threatening the viability and the great potential that this technology holds. Legislative initiative designed to protect location privacy could be one such answer. However, to succeed, this initiative must establish rules that are flexible enough to adapt to a changing technology and firm enough to provide the same level of privacy to physical location as is currently afforded for other technologies.7
Freeman

RFID is used by numerous organizations: Pfizer Inc. has begun to ship its first product containing radio frequency identification tags to customers in the United States.8 The Kings Daughters Medical Center in Ashland, Kentucky, is one of the first hospitals to adopt an RFID inventory system. The system was designed to track the use of cardiac devices and to automatically take note of when they are removed from a storage cabinet. There are two major purposes: patient monitoring and charge capture.9 Walgreens, the largest drugstore chain in the United States, in installing a tracking system that uses radio frequency identification at 5,000 stores. Walgreens will use an RFID system to analyze in real time the sales impact of store displays.10

Worldwide spending on RFID reached $504 million in 2005, up 39 percent from 2004. The adoption of RFID will gather momentum in late 2006 and 2007, and by 2010 worldwide RFID spending will surpass $3 billion. RFID tags will be used to identify, track, and locate mobile assets in such areas as retail environments and hospitals.11

THE BROKEN ARROW AFFAIR

The spread of RFID technology has raised privacy concerns, especially regarding its potential to track the movements of individuals. RFID tags can be included in items without public knowledge, and items with RFIDs can be tracked when they leave the store. Personal information is readily available online or in databases due to public records and other sources. Consumers have little or no control in suppressing or editing most of it. For example, paying just $26 for each person, the Foundation for Taxpayer and Consumer Rights obtained the social security numbers and home addresses of CIA Director George Tenet, Attorney General John Ashcroft, and Presidential Chief Political Advisor Karl Rove.12 Information about almost anyone can be acquired if data about these high profile figures are so easily accessible.13 For four months in 2003, Wal-Mart equipped shelves in their Broken Arrow, Oklahoma, store with a RFID technology capable of tracking the Max Factor Lipfinity lipstick containers. In its Cincinnati
62

headquarters, Procter & Gamble researchers detected when consumers removed lipsticks from the shelves. That action triggered a video monitor, which allowed researchers to watch consumers as they handled the lipstick.14 Wal-Marts Chief Information Officer Linda Dillman said the test was meant to study supply and demand issues related to the proper placement of the lipstick on the shelves.15 The range of the RFIDs was too small and its cost too prohibitive to use on most consumer products. The Wal-Mart test on lipstick had the RFID tags on large packages, not individual products, said Sandra Hughes, global privacy executive for Proctor & Gamble Co., Wal-Marts partner in the test. Consumers were notified of the RFID test, and although the lipstick display was monitored by a Web cam, the purpose was to track the supply of lipstick, not consumers, Hughes said. Hughes and other defenders of RFID said the technology has great potential to lower supply chain costs, reduce theft and counterfeiting, improve the rate of products being in stock and even track livestock diseases.16 After protests from privacy groups, Wal-Mart discontinued the tests in 2003. In response to Broken Arrow and other such cases, privacy bills regulating RFID were introduced in nine state legislatures in 2005. The (Wal-Mart) trial is a perfect illustration of how easy it is to set up a secret RFID infrastructure and use it to spy on people, said Katherine Albrecht, Director of the U.S.-based Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN). A coalition of 35 consumer privacy and civil liberties organizations released a position paper addressing the threat that RFID technology poses to individual privacy.17 They called for manufacturers and retailers to agree to a voluntary moratorium on item-level RFID tagging of consumer items until a formal technology assessment could occur. They also declared that some uses of RFID technology, such as coercing customers into accepting live or dormant RFID tags in the products they buy, are incompatible with a free society and should be banned.18

LEGISLATIVE RESPONSE
In February 2004, Utahs House of Representatives passed the Radio Frequency Identification
63

Right to Know Act, the first-ever RFID privacy bill, 47-23. State Representative David Hogue, sponsor of the bill, said that without laws to ensure consumer privacy, retailers will be tempted to match the data gathered by RFID readers with consumers personal information. The RFID industry will carry the technology as far as they can, said Hogue. Marketing people especially are going to love this kind of stuff. The Act requires all goods bearing functioning RFID tags in stores to be labeled as such. The Act was not passed by the Utah State Senate and never became actual law.19 In 2005, a similar bill that would have required stores in that state to remove or disable RFID tags on purchased items to ensure the consumers privacy was tabled by New Mexicos House Judiciary Committee.20 The Federal Electronic Communications Privacy Act (ECPA) outlaws wiretapping and other forms of electronic eavesdropping and the use or disclosure of information obtained through illegal wiretapping or electronic eavesdropping.21 ECPA prohibits any person from intentionally intercepting, or endeavoring to intercept wire, oral or electronic communications by using an electronic, mechanical or other device unless the conduct is specifically authorized or expressly not covered Although wiretapping is not identical to RFID, it shares similarities that may carry over to RFID technology. Capturing wire, oral, or electronic communications violates the ECPA only if the conversation or other form of communication intercepted is among those kinds which the statue protects, in over simplified terms telephone (wire), face to face (oral), and computer [sic] electronic). RFID technology will likely fall under the electronic category. Congress used the definitions of three forms of communications to describe the communications beyond the Acts reach as well as those within its grasp. For example, radio and data transmissions are generally electronic communications. Electronic communication means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectric or photo-optical systems that affects interstate or foreign commerce.22 The statute presents an overview of the possible legalities that may be applicable to RFID technology. It indicates that anyone who intercepts electronic communication will be held in violation of it
RFIDs and Personal Privacy

if proper consent has not been obtained. As RFID technology will most likely be classified as electronic communication, it is reasonable to assume that it, too, cannot be employed to obtain and use information legally unless consent is given. While the statute refers specifically to wiretapping, RFID is incredibly similar to wiretapping in its use in that those persons using a wiretap or RFID technology are trying to gather information. Even so, modifications to ECPA would be necessary to include the RFID technology: The ECPA provides a number of important regulations for electronic communications, including a general bar against peddling personal information culled through electronic transactions. Unfortunately, information under the EPCA only refers to the contents of communications; transactional records can lawfully be disclosed, even sold, so long as the purchaser is not the federal government. Thus, while RFID systems capable of recording consumer conversations could very well fall under the ECPA, this statute could not readily be used to prevent companies from culling and sharing transactional data.23

REFERENCES
1. Commentary: Radio Frequency ID: Revisiting a Privacy Alert, The Daily Record, June 6, 2005. 2. Data Business: The Tiny Tag That Promises to Add Value to the Business, VNU Computing, December 15, 2005. 3. Commentary: Radio Frequency ID: Revisiting a privacy alert, The Daily Record (Baltimore), June 6, 2005. 4. http://www.intersoft-us.com/intrfid.htm. (visited April 8, 2006). 5. RFID and Alternatives Make Their Case, Drug Industry Daily, March 27, 2006. 6. Norman Oder, RFID Use Raises Privacy Concerns, Library Journal, Nov. 15, 2003. 7. Oleg Kobelev, RECENT DEVELOPMENT: Big Brother on a Tiny Chip: Ushering in the Age of Global Surveillance Through the Use of Radio Frequency Identification Technology and the Need for Legislative Response, North Carolina Journal of Law & Technology, Spring 2005. 8. Tracking the little blue pill: Viagra maker introduces RFID to combat counterfeiting, Industrial Engineer, March 2006 v38 i3 p16(1). 9. Hospitals testing RFID inventory control for high-end equipment, Journal of Clinical Engineering, Oct-Dec 2005 v30 i4 p206(1). 10. Retailer rolls out RFID: drugstore chain is the first. Industrial Engineer, Feb 2006 v38 i2 p12(1). 11. RFID spending increases, R & D, Jan. 2006 v48 i1 p12(1). 12. Group Gets Private Data on Tenet, Ashcroft to Underscore Need for Tougher Laws, USA Today, Aug. 28, 2003. 13. Katherine Delaney, Privacy Year in Review: Americas Privacy Laws Fall Short with RFID Regulation, I/S: A Journal of Law and Policy for the Information Society, Spring/Summer 2006. 14. Howard Wolinsky, P&G, Wal-Mart Store Did Secret Test of RFID, Chicago Sun-Times, November 9, 2003, at 36. 15. Mark S. Sullivan, Tracking Tags: Tool or Threat? Growing use of RFID technology draws privacy concerns and defense by retailers, PC World, July 15, 2004. 16. Grant Gross, RFID Users Say No Privacy Law Needed, InfoWorld, July 14, 2004. 17. http://www.privacyrights.org/ar/RFIDposition.htm. (visited May 19, 2006). 18. Laura Hildner, Defusing the Threat of RFID: Protecting Consumer Privacy Through Technology-Specific Legislation at the State Level, 41 Harvard Civil Rights-Civil Liberties Law Review 133, Winter 2006. 19. Thomas Claburn, Privacy Fears Create Roadblocks For RFID, InformationWeek, March 8, 2004. 20. Claire Swedberg, New Mexico Kills RFID Privacy Bill, RFID Journal, March 15, 2005. 21. 18 U.S.C. 2511. 22. Reuven R. Levary, David Thompson, Kristen Kot and Julie Brothers, Radio Frequency Identification: Legal Aspects, 12 Richmond Journal of Law & Technology 6, Fall 2005. 23. John M. Eden, When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future of RFID, 2005 Duke Law & Technology Review 20.

CONCLUSION
RFID technology presents complex issues concerning the delicate balance between privacy, efficiency, technology, and the unintended consequences of its use. While by no means unsolvable, these problems are urgent enough to demand a vigorous and proactive approach, rather than passively reacting to the problems as the technology matures enough to make any coherent regulation impractical or, worse, impossible. One need look no further than the continuous problem of email spam, the futility of all technical and legislative initiatives to curb it, and the tremendous costs for both consumers and businesses associated with this problem to recognize the need to regulate emerging technologies early and often for the sake of all the participants involved. Amending ECPA to include location privacy as a form of protected communication, requiring built-in encryption in RFID tags themselves, and giving the FCC regulatory oversight over the use of the technology may help solve the problem before it is too late.
Freeman

BIOGRAPHY
Edward H. Freeman is an attorney and educational consultant in West Hartford, Conn. He has written over 40 articles on computer technology, privacy, security, and legal issues. He is also an adjunct faculty member at Central Connecticut State University, St. Joseph College in West Hartford, Connecticut, and the University of Connecticut.
64