22-03-2010, 08:06 PM
please read http://studentbank.in/report-rfid-techno...ull-report
http://studentbank.in/report-RFID-Technology--5298
http://studentbank.in/report-RFID-Techno...plications for understanding RFID technique
[attachment=2753]
RFID
Radio Frequency IDentification:
Rpplications and Implications for Consumers
Presented By:
Staff of the Federal Trade Commission
I. Introduction
Radio frequency identification technology, known as RFID, has been described as "tech's official Next Big Thing."1 RFID is not actually a new technology, but it is being applied in new ways, spurred by technological advances and decreased costs. Once used during World War II to identify friendly aircraft, RFID is now being used in a variety of public and private sector settings, from hospitals to the highway.
In RFID systems, an item is tagged with a tiny silicon chip and an antenna; the chip plus antenna (together called a "tag") can then be scanned by mobile or stationary readers, using radio waves (the "RF"). The chip can be encoded with a unique identifier, allowing tagged items to be individually identified by a reader (the "ID"). Thus, for example, in a clothing store, each particular suit jacket, including its style, color, and size, can be identified electronically. In a pharmacy, a druggist can fill a prescription from a bottle bearing an RFID-chipped label confirming the authenticity of its contents. On the highway, cars with RFID tags on their windshields can move swiftly through highway tollbooths, saving time and reducing traffic congestion. At home, pets can be implanted with chips so that lost animals can be identified and returned to their owners more readily. In each case, a reader must scan the tag for the data it contains and then send that information to a database, which interprets the data stored on the tag. The tag, reader, and database are the key components of an RFID system.
RFID proponents believe that the ability of these systems to deliver precise and accurate data about tagged items will improve efficiency and bring other benefits to businesses and consumers alike.2 One major retailer has already announced a mandate for its largest suppliers to begin tagging cases and pallets of merchandise.3 Other companies in the U.S. and abroad reportedly are exploring similar directives.4 Spending on RFID implementation in the retail supply chain alone has been estimated at $91.5 million last year - an amount expected by some to exceed $1 billion by 2007.5 Outside the retail sector, libraries across the country reportedly are already tagging books,6 and the FDA has announced that it is actively encouraging pharmaceutical manufacturers to use RFID to fight drug counterfeiting.7
While these developments may offer significant benefits for industry and consumers, some applications have raised privacy concerns. The capacity to encode unique identifiers at the individual item level may have revolutionized thinking about inventory management, but
it has also raised fears that this technology might be used to track individual products out of the store and into consumers' homes or otherwise monitor individual consumer behaviors. As with the Internet and other data-intensive technologies, these concerns must be addressed so that they do not hinder the development and deployment of RFID in the marketplace.
On June 21, 2004, the Federal Trade Commission explored these issues at a public workshop entitled "Radio Frequency Identification: Applications and Implications for Consumers." The Workshop brought together technologists, RFID proponents, privacy advocates, and policymakers to discuss the range of applications for RFID, the future of this technology, and its implications for consumers.8 This staff report will summarize the discussion at the Workshop and offer some preliminary recommendations for addressing the privacy concerns raised by some participants.9
Part I of the report provides an overview of the issues the report covers and a summary of the FTC staff's conclusions. Parts II through V summarize the Workshop panel discussions and highlight some of the key points made in the written comments submitted to the Commission in connection with the Workshop. Specifically, Part II discusses how RFID technology works. Part III describes current and emerging uses of RFID technology, both in the private and public sectors. Part IV discusses the consumer privacy implications of RFID applications and database security issues. Part V describes different proposals to address consumer privacy concerns, including technological approaches and self-regulatory efforts. Finally, Part VI offers Commission staff conclusions regarding steps that RFID users may take to alleviate RFID-related privacy concerns.
As explained in Part VI below, based on the information received in connection with the Workshop and other available information, the FTC staff concludes:
¢ Industry initiatives can play an important role in addressing privacy concerns raised by certain RFID applications. The goal of such programs should be transparency.
¢ Any industry self-regulatory program should include meaningful accountability provisions to help ensure compliance.
¢ Many of the potential privacy issues associated with RFID are inextricably linked to database security. As in other contexts in which personal information is collected from consumers, a company that uses RFID to collect such information must implement reasonable and appropriate measures to protect that data.
¢ Consumer education is a vital part of protecting consumer privacy. Industry members, privacy advocates, and government should develop education tools that inform consumers about RFID technology, how they can expect to encounter it, and what choices they have with respect to its usage in particular situations.
II. The ABCs of RFID
Understanding what RFID devices are and how they work is critical to an analysis of the policy issues surrounding this technology. Generic references to "RFID technology" may be applied incorrectly to a wide range of devices or capabilities. For example, RFID by itself is not a location-tracking technology. At sites where readers are installed, RFID may be used to track tagged objects, but this static readability differs from technology such as global positioning systems, or GPS, which uses a network of satellites to pinpoint the location of a receiver.10 And RFID technology itself can be used for a variety of applications, from contactless identification cards that can be scanned no farther than inches away from a reader, to highway systems utilizing "active" RFID tags that can initiate communication with a scanner 100 feet away.
A. Primary Components of RFID Devices
RFID devices have three primary elements: a chip, an antenna, and a reader. A fourth important part of any RFID system is the database where information about tagged objects is stored.
¢ The chip, usually made of silicon, contains information about the item to which it is attached. Chips used by retailers and manufacturers to identify consumer goods may contain an Electronic Product Code ("EPC").11 The EPC is the RFID equivalent of the familiar universal product code ("UPC"), or bar code, currently imprinted on many products. Bar codes must be optically scanned, and contain only generic product information. By contrast, EPC chips are encrypted with a unique product code that identifies the individual product to which it is attached, and can be read using radio frequency. These codes contain the type of data that product manufacturers and retailers will use to track the authenticity and location of goods throughout the supply chain.
An RFID chip may also contain information other than an EPC, such as biometric data (a digitized image of a fingerprint or photograph, for example).12 In addition, some chips may not be loaded with information uniquely identifying the tagged object at all; so-called "electronic article surveillance systems" ("EAS") may utilize
radio frequency communication to combat shoplifting, but not to uniquely identify individual items.
¢ The antenna attached to the chip is responsible for transmitting information from the chip to the reader, using radio waves. Generally, the bigger the antenna, the longer the read range. The chip and antenna combination is referred to as a transponder or, more commonly, as a tag. Participants at the workshop brought samples of tags currently in use. The pictures below show a common EPC tag that can be affixed to an object (Figure A) and a paper hang-tag that can be attached to individual articles of clothing (Figure B13).
¢ The reader, or scanning device, also has its own antenna, which it uses to communicate with the tag.14 Readers vary in size, weight, and power, and may be mobile or stationary. Although anyone with access to the proper reader can scan an RFID tag,15 RFID systems can employ authentication and encryption to prevent unauthorized reading of data.16 "Reading" tags refers to the communication between the tag and reader via radio waves operating at a certain frequency. In contrast to bar codes, one of RFID's principal distinctions is tags and readers can communicate with each other without being in each other's line-of-sight.17 Therefore, a reader can scan a tag without physically "seeing" it. Further, RFID readers can process multiple items at one time, resulting in a much-increased (again as compared to UPC codes) "speed of read."18
The pictures on the opposite page show various RFID readers: a stationary reader that could be used to track tagged cases of goods entering a warehouse (Figure C19); a mobile reader used to monitor inventory on a retail store floor (Figure D20); and a prototype of a glove embedded with a scanner used to track daily domestic living activities (Figure E21).
¢ The database, or other back-end logistics system, stores information about RFID-tagged objects. Access to both a reader and its corresponding database are necessary before information stored on an RFID tag can be obtained and understood. In order
to interpret such data, RFID readers must be able to communicate with a database or other computer program.
One protocol being developed for product manufacturers uses chips embedded with a 96-bit EPC code - a number - that includes several fields identifying the manufacturer ("ABC Company"), the product ("cola"), its size or its packaging ("24-pack of cola cans"), and a unique identifier.22 This system, the "EPCglobal Network," calls for a secure network of servers that will share information obtained from tagged objects moving through the supply chain. According to the network's architect, EPCglobal, the data will be stored on EPCglobal member company databases, access to which will be controlled by those individual companies.23 In order to interpret what these fields mean, a directory, or "object naming service" ("ONS"), will direct the reader to the appropriate server(s) where the data from the tag and associated information are stored. The ONS will function much like a reverse telephone directory or an Internet browser, which translates a URL into a Web site.24 In the RFID context, the ONS will identify what server has information about the tagged item, allowing an RFID user to interpret the meaning of the particular code on a particular tag.25 The database information will vary with the context. For example, with automatic highway toll payment systems, databases will page link account numbers stored on a tag to the appropriate prepaid account for billing purposes.26
Although all RFID systems have these essential components, other variables affect the use or set of applications for which a particular tag is appropriate. As discussed further below, key factors include whether the tag used is "active" or "passive"; what radio frequency is used; the size of the antennas attached to the chip and to the reader; what and how much information can be stored on a tag; and whether the tag is "read/write" or "read-only." These factors affect the read ranges of the systems as well as the kind of object that can usefully be tagged. They also impact the cost, which is an especially important commercial consideration when tagging a large volume of items.
B. Passive v. Active Tags
There are three types of RFID tags, differentiated by how they communicate and how that communication is initiated:
¢ Passive tags have no onboard power source - meaning no battery - and do not initiate communication. A reader must first query a passive tag, sending electromagnetic waves that form a magnetic field when they "couple" with the antenna on the RFID tag."27 Consistent with any applicable authorization, authentication, and encryption, the tag will then respond to the reader, sending via radio waves the data stored on it. Currently, depending on the size of the antenna and the frequency, passive tags can be read, at least theoretically, from up to thirty feet away. However, real-world environmental factors, such as wind and interference from substances like water or metal, can reduce the actual read range for passive tags to ten feet or less.28 Passive tags are already used for a wide array of applications, including building-access cards, mass transit tickets, and, increasingly, tracking consumer products through the supply chain. Depending on the sophistication of the chip, such as how much memory it has or its encryption capability, a passive tag currently costs between 20 cents and several dollars.29
¢ Semi-passive tags, like passive tags, do not initiate communication with readers, but they do have batteries. This onboard power is used to operate the circuitry on the chip, storing information such as ambient temperature. Semi-passive tags can be combined, for example, with sensors to create "smart dust" - tiny wireless sensors that can monitor environmental factors. A grocery chain might use smart dust to track energy use, or a vineyard to measure incremental weather changes that could critically affect grapes.30 Devices using smart dust, also known as "motes," currently cost about $100 each, but, in a few years, reportedly could drop to less than $10 apiece.31
¢ Active tags can initiate communication and typically have onboard power. They can communicate the longest distances - 100 or more feet. Currently, active tags typically cost $20 or more.32 A familiar application of active tags is for automatic toll payment systems, like the Northeast's "E-ZPass," that allow cars bearing active tags to use express lanes that don't require drivers to stop and pay.33
C. Radio Frequency
Communication between RFID tags and readers is also affected by the radio frequency used, which determines the speed of communications as well as the distance from which tags can be read. Higher frequency typically means longer read range. Low-frequency ("LF") tags, which operate at less than 135 kilohertz (KHz), are thus appropriate for short-range uses, like animal identification and anti-theft systems, such as RFID-embedded automobile keys.34 Systems that operate at 13.56 megahertz (MHz) are characterized as high frequency ("HF"). Both low-frequency and high-frequency tags can be passive. Scanners can read multiple HF tags at once and at a faster rate than LF tags. A key use of HF tags is in contactless "smart cards," such as mass transit cards or building-access badges.35
The third frequency, Ultra-High Frequency ("UHF"), is contemplated for widespread use by some major retailers, who are working with their suppliers to apply UHF tags to cases and pallets of goods. These tags, which operate at around 900 MHz, can be read at longer distances, which outside the laboratory environment range between three and possibly fifteen feet.36 However, UHF tags are more sensitive to environmental factors like water, which absorb the tag's energy and thus block its ability to communicate with a reader.
D. Read/Write Capacity
Finally, another important feature of RFID tags is their "read/write" capacity, or "read¬only" status. These terms refer to a tag's ability to have data added to it during its lifetime. The information stored on a "read-only" tag cannot be altered, but a writeable tag (with read/write capacity) can receive and store additional information. Read/write applications are most prevalent when tags are re-used.37 They are usually more sophisticated and costly than read-only applications. In addition, read/write applications have shorter read ranges. Read¬only tags are well-suited to applications like item-level tagging of retail goods, since they are less expensive and, as part of a networked system, can provide a great deal of information by directing the reader to the associated database(s) where information about the tagged item is maintained.38
III. RFID Today and Tomorrow
The Workshop included a comprehensive discussion of RFID's various current and anticipated applications. Both private and public sector users of RFID explained how they are applying this technology to improve their delivery of goods and services. Privacy advocates also addressed the implications of these initiatives, sounding a cautionary note about some of the emerging uses of RFID and their consequences for consumer privacy.
A. Current Uses of RFID
Workshop participants described a number of RFID applications that consumers may already be using. For example, some consumers are familiar with employee identification cards that authenticate the pass-holder before permitting access.39 A related use of RFID is for event access - to amusement parks, ski areas, and concerts, where tagged bracelets or tickets are used.40 Panelists also explained how RFID is being used in a variety of transportation-related contexts. Many automobile models already use RFID tags in keys to authenticate the user, adding another layer of security to starting a car.41 Another example, the "Speedpass," allows drivers to purchase gas and convenience store goods from ExxonMobil stations.42 RFID is also transforming highway travel, with the advent of E-ZPass in Northeastern and Mid-Atlantic states and similar programs in other regions of the country that allow drivers to pass through tolls without stopping to pay. An active tag on the vehicle's windshield lets a reader installed at the tollbooth know that a tagged vehicle is passing through; information flows from the tag, to the reader, and then to a centralized database, where the prepaid or checking account associated with that vehicle is charged.43
B. RFID in the Supply Chain
To the extent that the much-touted "RFID revolution" is underway, it is occurring somewhat out of public sight - in warehouses, distribution centers, and other stages of the supply chain.44 Workshop participants discussed how RFID's impact on the flow of goods through distribution channels has implications not just for manufacturers, suppliers, and retailers, but also for consumers.45 Many panelists reported that as a result of more efficient distribution practices generated by RFID use, consumers may find what they want on the store shelves, when they want it, and perhaps at lower prices.46
Workshop participants representing manufacturers and retailers described the anticipated economic benefits of RFID. According to one panelist, the retail industry suffers losses between $180 and $300 billion annually because of poor supply chain visibility - the inability to track the location of products as they make their way from manufacturer to retailer.47 As a result, this panelist stated, retailers are not always able to keep high-demand goods in stock, or they may have inventory that they can't move.48
Participants discussed how RFID may help prevent these lapses by improving visibility at multiple stages of the supply chain. RFID readers can gather information about the location of tagged goods as they make their way from the manufacturer, to a warehouse or series of distribution centers, and to the final destination, their store.49 Also, as one workshop participant explained, RFID enhances the accuracy of information currently obtained through bar code scanning, which is more vulnerable to human error.50 According to this panelist, access to more - and more accurate - information about where products are in the distribution chain enables retailers to keep what they need in stock and what they do not need off the
shelf.51
Workshop participants also touted the discipline that RFID imposes on the supply chain by, for example, reducing "shrinkage," or theft.52 One panelist explained how RFID may lower costs by keeping shipping volumes leaner and more accurate.53 Other panelists described how RFID tags can be read much faster than bar codes, citing tests indicating that RFID's scanning capability can result in goods moving through the supply chain ten times faster than they do when bar codes are used.54 According to another participant, RFID will facilitate quicker, more accurate recalls by enabling the tracking of a product's origin and its location in the distribution chain.55 Further, this panelist asserted, RFID will enhance product freshness by monitoring expiration dates of consumer goods, so retailers know when not to offer items for sale.56
C. RFID Use in the Public Sector
Panelists also discussed how RFID is being used or contemplated for use by government entities to meet objectives similar to those their private-sector counterparts hope to achieve. Workshop participants discussed a variety of ongoing and proposed government RFID applications, from the U.S. Department of Defense's ("DoD") October 2003 mandate
requiring its suppliers to use RFID tags by January 2005 to local library systems deploying this technology to track and trace their books.57 DoD's initiative reportedly will affect 43,000 military suppliers.58 And, according to panelists, public libraries in California, Washington State, and elsewhere have implemented internal RFID systems to facilitate patron usage and manage stock.59
One Workshop panelist, representing the U.S. Food and Drug Administration ("FDA"), highlighted that agency's RFID initiative.60 Although the FDA itself is not using this technology, it recently announced an initiative to promote the use of RFID in the pharmaceutical supply chain by 2007.61 For now, drug manufacturers will primarily tag "stock bottles" - those used by pharmacists to fill individual prescriptions - but eventually consumers may be purchasing packages labeled with RFID chips.62 The core objective of this initiative is to fight drug counterfeiting by establishing a reliable pedigree for each pharmaceutical.63 The FDA believes that this goal can most effectively be accomplished by its target date through the adoption of RFID, which offers distinct advantages over other identification systems that require line-of-sight scanning and are not as accurate or fast.64
Another government entity turning to RFID is the U.S. Department of Homeland Security ("DHS"). One program described by a DHS official at the Workshop uses RFID for tracking and tracing travelers' baggage.65 Both individual airports66 and airlines67 will use RFID technology to identify and track passenger luggage, from check-in to destination. Another DHS initiative addressed at the Workshop involves the agency's "US-VISIT" (U.S. Visitor and Immigrant Status Indicator Technology) program. That initiative will test RFID at the country's fifty busiest border-crossing locations by using RFID to read biometric identifiers, such as digital photographs and fingerprint scans, embedded in U.S. work visas issued to foreign nationals.68 According to the DHS representative, this program is expected to facilitate some of the approximately 330 million border-crossings each year by getting "the appropriate level of information to the right people at the right time."69 As this panelist noted as well, U.S. passports will also soon carry an RFID chip embedded with identifying information, including biometric data.70
D. Emerging RFID Applications
The Workshop also addressed emerging RFID applications and when such uses are expected to be implemented. According to panelists, one sector that is the focus of extensive RFID research is health care, where RFID devices can be used to track equipment and people within a medical facility.71 Other proposed applications contemplate using RFID in different ways. For example, one ongoing study discussed at the Workshop is exploring how RFID can enhance the quality of elder care.72 By tagging key objects in a senior's home - such as prescription drug bottles, food items, and appliances - and embedding small RFID readers in gloves that can be worn by that individual, that person's daily habits can be monitored remotely by a caregiver.73 This system would develop more accurate record-keeping for medical treatment purposes and could facilitate independent living for senior citizens.74
The Workshop also addressed the anticipated timeline for the adoption of item-level RFID tagging in the retail sector. According to one participant, some retailers are currently experimenting with embedding RFID tags in individual consumer goods, and cited as an example German retailer Metro AG's controversial use of RFID in its "Future Store."75 However, many panelists concurred that widespread item-level tagging of retail products was not imminent.76 The most commonly cited reason for this delay was cost: according to one panelist, the current price per tag of between 20 and 40 cents makes item-level RFID too expensive to deploy widely in the near term.77 Workshop panelists also asserted that the target cost of five cents per tag will likely not be realized until 2008.78 Even then, other costs may slow the evolution of item-level tagging. According to one Workshop participant, hardware costs account for only 3% of the expense of deploying RFID. Expenditures for developing the software necessary to interpret and store information generated by RFID constitute nearly three-quarters of the cost of implementing this technology.79
According to Workshop participants, other factors that could inhibit the evolution of item-level tagging include the lack of standardization for RFID frequency and power; inadequate end-user knowledge about how the technology works; and technical challenges, such as reader accuracy and interference from external substances (like water and metal).80
IV. Consumer Perceptions and Privacy Concerns
A. Consumer Survey Results
In addition to addressing how RFID works and can be used, Workshop participants discussed the implications of this technology for consumers. The Workshop included a presentation about the results of a study concerning consumer perceptions of RFID. According to a survey of more than 1,000 U.S. consumers conducted in October 2003, the majority of those polled were unfamiliar with RFID.81 Over three-quarters of the sample - 77% - had not heard of RFID. Confirming the general lack of knowledge about this technology, nearly half of the group aware of RFID had "no opinion" about it.82
Consumers who did have an opinion about RFID expressed a variety of views about whether or how this technology would affect them. When asked to rank a set of potential benefits of RFID, 70% identified recovery of stolen goods and improved food and drug safety high on the list. The majority (66%) also placed cost savings toward the top of the list of benefits, although some consumers were also concerned that RFID use would instead raise prices. Consumers placed access to marketing-related benefits, like in-aisle companion product suggestions, at the bottom of the list.83
The most significant concerns expressed by consumers familiar with RFID related to privacy. In response to both open-ended and prompted questions (with pre-programmed answers to select or rank), privacy emerged as a leading concern. For example, approximately two-thirds of consumers identified as top concerns the likelihood that RFID would lead to their data being shared with third parties, more targeted marketing, or the tracking of consumers via their product purchases. These findings are consistent with the views of consumers who submitted comments to the Commission about RFID.84 Many of those consumers voiced strong opposition to having RFID devices track their purchases and movements, with some citing as reasons for their position the potential for increased marketing or government surveillance.
A more recent consumer survey, conducted by two market research companies, revealed similar results.85 Of more than 8,000 individuals surveyed, fewer than 30% of consumers were aware of RFID technology. Further, nearly two-thirds of all consumers surveyed expressed concerns about potential privacy abuses.86 Their primary concerns centered around
RFID's ability to facilitate the tracking of consumers' shopping habits and the sharing of that information among businesses and with the government. Like the study discussed at the Workshop, this survey also demonstrated that the great majority of consumers remain unfamiliar with RFID. Additionally, consumers who fell into the "RFID non-aware" category were more likely to be concerned about RFID's implications for their privacy than were consumers who were familiar with the technology.87
B. RFID and Consumer Privacy
Against the backdrop of survey data about consumer perceptions of RFID, Workshop participants discussed the nature of privacy concerns associated with some of the emerging uses of this technology. While there was some consensus among Workshop panelists that certain uses of RFID today - such as in the supply chain - may not jeopardize consumer privacy,88 a number of consumer advocates voiced concerns about the potential impact of other RFID applications on consumer privacy.89 According to these panelists, such concerns may arise when consumers interact more directly with tags and readers, particularly in the context of item-level tagging of retail goods.
The concerns articulated by these Workshop participants implicated issues specific to RFID technology as well as more general privacy issues. Some panelists discussed how RFID's unique or distinguishing characteristics may jeopardize consumer privacy. First, these participants cited as a key concern the "bit capacity" of Electronic Product Codes ("EPCs"), which enable the assignment of individual identifiers to tagged objects.90 They argued that RFID's potential to identify items uniquely facilitates the collection of more - and more accurate - data.91
Other features of RFID that troubled these Workshop participants related to the devices' physical attributes. According to these panelists, the small size of tags and readers enables them to be hidden from consumers.92 One Workshop participant explained that if a long read-range is not required, scanners can be smaller than a U.S. quarter.93 Another Workshop participant focused on the privacy implications of the small size of RFID chips and how their shrinking dimensions facilitate their unobtrusive integration into consumer goods.94 Some panelists highlighted the ability of RFID devices to communicate with one another through materials, without line-of-sight, and at some distance.95 These technical characteristics, they
argued, distinguish RFID from bar codes, which in order to be read must be visible on the outside of product packaging.96 Some commenters pointed to these characteristics as evidence that RFID would allow surreptitious scanning to gather information about the products consumers wear or carry.97 Participants also raised concerns about what they termed the "promiscuity" of RFID devices98 - when tags can be accessed by multiple readers, it raises the specter of unfettered third-party surveillance.99
The combination of these factors, some Workshop participants asserted, will weaken consumers' ability to protect themselves from in-store tracking and surreptitious monitoring in public places, at work, and even at home. Certain panelists were especially concerned about RFID's potential to facilitate consumer tracking, by linking personally identifiable information in databases to the unique numbers on RFID tags. One participant described how a retailer could associate purchaser data with the uniquely identified product an individual buys.100 According to the participant, this practice would be similar to what retailers can currently do with customer loyalty cards or credit cards.101 However, a number of Workshop panelists maintained that RFID poses greater threats to consumer privacy because of the enhanced level of information it provides about each tagged item. They suggested that a tagged item carried by a consumer out of a store could be read covertly, and what it communicates could be more than just the presence of a particular item. If linked to purchase data, the identification of a particular product could also identify the individual who bought that item.102
Privacy advocates at the Workshop cited this latter potential as the basis for another privacy concern: consumer profiling. By tracking the movement of tagged goods and the people associated with them, more information can be gathered about the activities of those individuals.103 That in turn could make it easier to predict the behavior of others who buy the same items, even without monitoring them.104 Another concern raised at the Workshop relates to RFID's facilitation of "customer relationship management," whereby retailers customize pricing and service based on a consumer's potential profitability.105 According to one Workshop participant, if RFID tags were embedded in customer loyalty cards, consumers could be identified as soon as they entered the store that issued the card. This could result in targeted marketing or customer service directed at the consumer, depending on his or her purchase history or other information linked to the loyalty card.106
Many of these fears are associated with item-level tagging. As noted in Section III.D., however, a number of Workshop participants representing retailers and other RFID users maintained that RFID was not being used in this manner on a widespread basis now and would not be in the near future.107 Some panelists also argued that no real business case exists for the adoption of a network accessible to multiple users that contains information about these users' RFID-tagged goods. As one participant stated, "Wal-Mart doesn't want its competitors to read tags that are from Wal-Mart stores. Wal-Mart probably also doesn't want its suppliers to read information about its other suppliers. They want to control that information for competitive reasons."108
Even if and when item-level tagging is adopted on a widespread basis, some Workshop participants disputed that consumer privacy would be jeopardized as a result. They asserted that RFID's technological limitations will prevent its surreptitious use. For example, reading an RFID tag from a significant distance currently requires use of a sizable antenna ("about the size of a plate," according to one panelist) and significant energy.109 Another argument advanced at the Workshop focused on how cost factors will continue to slow retailers' adoption of RFID, limiting the sophistication and proliferation of readers on the store floor.110 One participant representing a retail chain argued that no business case exists for linking data collected via RFID to personally identifiable information about consumers, so fears about this potential are misplaced.111 In addition, many panelists addressed the emergence of a variety of technological protocols and products, such as encryption and blocker tags, that may offer a means to address privacy concerns associated with these devices.112
C. Database Security Issues
Regardless of panelists' views regarding the existence or extent of many privacy concerns, many participants agreed that database security was an important issue, especially in the manufacturing and retail environment. Rather than concentrating on how information may be collected via RFID devices, these participants discussed security issues that focus on how such data is stored and whether it is adequately protected.113 According to one panelist, database security is a critical aspect of any analysis of privacy concerns associated with RFID use, because the tags themselves may contain only limited data, such as a number in the case of EPC chips.114 The panelist further explained that the information associated with that number
will be stored on a server of the product manufacturer or other authorized user, where it can be linked to additional data.115
Although Workshop panelists did not analyze the specific database security concerns linked to RFID use, one commenter provided a detailed discussion of these issues.116 According to this commenter, security concerns are likely to arise in connection with interoperable tags, which can be read by different enterprises sharing information associated with those tags.117 The commenter explained that the security of any database in which that information is stored depends on traditional information technology protections - not RFID-specific practices.118 Further, the commenter asserted that these concerns are exacerbated when databases are maintained by third parties, outside of the RFID user's direct control.119 Thus, the commenter argued, security measures will be that much more critical if databases contain information from RFID tags linked to personally identifiable information about the purchasers of tagged items.120
Workshop participants representing a range of interests generally acknowledged the need to address these issues. One speaker emphasized that the EPCglobal Network will maintain the security of data associated with EPC tags, which will be stored on servers "beyond the firewalls of corporations, logistics providers and retailers all around the globe."121 However, others felt that insufficient attention has been devoted to database security122 and maintained that RFID use will exacerbate existing concerns, since information collected via RFID will be that much more detailed and accurate.123 Another Workshop participant argued that the focus on privacy concerns presented by RFID devices (i.e., tags and readers) are obfuscating the more important concerns related to general database security.124
V. Addressing Consumer Privacy Challenges: Best Practices and Principles
The Workshop concluded with a panel examining various approaches to addressing the privacy issues raised by RFID technology. As participants noted, these challenges are not insubstantial, in light of RFID's evolving nature and the uncertainty as to how various existing and potential uses may affect consumers.125 Industry guidelines, legislative developments,
and technological solutions designed to address privacy and security concerns were among the options discussed and debated.126
A. Existing Industry Practices and Standards
Panelists voiced a range of opinions as to what approach or combination of measures would be most effective at meeting the challenges posed by RFID. Many participants agreed that, at a minimum, businesses deploying RFID should take steps to protect consumer privacy. One self-regulatory model already in place is EPCglobal's "Guidelines on EPC for Consumer Products" ("EPCglobal Guidelines").127 According to a Workshop panelist, the Guidelines were developed with input from privacy experts and apply to all EPCglobal members.128 The Guidelines call for consumer notice, choice, and education, and also instruct companies to implement certain security practices.129
The first element, consumer notice, requires that companies using EPC tags "on products or their packaging" include an EPC label or identifier indicating the tags' presence. According to a Workshop participant, EPCglobal has developed a template label that companies can use to inform consumers of the presence of EPC tags.130 Displaying a copy of the model identifier, the speaker explained that the template label discloses that a particular product's packaging contains an EPC tag, which may be discarded by a consumer after purchase.131
The Guidelines' second requirement, consumer choice, concerns the right of consumers to "discard or remove or in the future disable EPC tags from the products they acquire." The Guidelines explain, "for most products, the EPC tags [would] be part of disposable packaging or would be otherwise discardable."
Consumer education is the third prong of the Guidelines, which provides that consumers should have "the opportunity easily to obtain accurate information about EPC tags and their applications." The Guidelines task companies using RFID with "familiariz[ing] consumers with the EPC logo and . . . help[ing] consumers understand the technology and its benefits."
Finally, the Guidelines call for companies to ensure that any "data which is associated with EPC is collected, used, maintained, stored and protected" consistent with "any applicable laws."132 They further instruct companies to publish "information on their policies regarding the retention, use and protection of any personally identifiable information associated with EPC
use."133 To help ensure compliance with these Guidelines, EPCglobal will provide a forum to redress complaints about failures to comply with the Guidelines.134
According to Workshop participants, some companies have already endorsed or implemented these practices as they test RFID systems.135 Panelists discussed how Wal-Mart, which is currently operating a pilot program with EPC tags in a limited number of stores, has posted a "shelf-talker" disclosing the presence of EPC tags.136 According to this tear-off notice reportedly made available to Wal-Mart shoppers, only cases of certain products or specific large items, like computer printers, include EPC tags and bear the EPCglobal logo. The disclosure further explains that the technology "will not be used to collect additional data about [Wal-Mart's] customers or their purchases."137 Consistent with that commitment, Wal-Mart has stated that it has no readers on store floors, so consumers should not be exposed to any communications between tags and readers.138
Workshop panelists also discussed the privacy guidelines adopted by Procter & Gamble ("P&G"), another company involved in RFID trials both in the U.S. and abroad.139 In addition to its global privacy policy, P&G has developed an RFID-specific position statement calling for "clear and accurate" notice to consumers about the use of RFID tags and consumer choice with respect to disabling or discarding EPC tags "without cost or penalty" as well as disclosure of whether any personally identifiable information about them is "electronically linked to the EPC number on products they buy."140 Further, P&G stated at the Workshop that it will not participate in item-level tagging with any retailer or partner that would page link personal information about consumers using RFID, "other than what they do for bar codes today."141
The Workshop also explored a case study of retail item-level RFID tagging in action. A representative of Marks & Spencer, one of the United Kingdom's largest retailers, described his company's in-store RFID pilot program, tagging menswear in select stores. Marks & Spencer's use of "Intelligent Labels," as it has designated its RFID program, is for stock control - a continuation of the supply chain management process.142 With this limited purpose in mind, the Marks & Spencer official explained how his company incorporated privacy-protective measures into its Intelligent Label program.143 According to the company, these considerations are reflected in the mechanics of its RFID deployment, which apply the notice, choice, and education principles advocated by EPCglobal and others. The hang-tags bearing the Intelligent Labels are large, visibly placed, and easily removable.144 No data is written to
the tags, and they are not scanned at the cash register, so there is no possibility of connecting the unique identifier on the tag to the purchaser. Indeed, the tags are not scanned at all during store hours, but rather are read for inventory control purposes when customers are not present. Finally, all of these practices are described in a leaflet that Marks & Spencer makes available to shoppers.145
Some Workshop participants stated that these industry initiatives represent effective ways to address consumer privacy concerns, but others maintained they are necessary, but insufficient, steps. Privacy advocates at the Workshop called for merchants to take additional precautions when using RFID tags on consumer items, including fully transparent use of RFID.146 With respect to company statements disclosing the presence of in-store RFID devices, privacy advocates argued that such disclosures should be clear and conspicuous.147 One participant stated that disclosures should contain specific information: that a product bears an RFID tag; that the tag can communicate, both pre- and post-purchase, the unique identification of the object to which it is attached; and the "basic technical characteristics of the RFID technology."148 Another Workshop panelist urged that any such disclosures be "simple and factual," avoiding "happy face technology" that is essentially "marketing hype."149 This panelist felt that by disclosing its RFID practices in a straightforward manner, a company will convey information in a way that consumers are more likely both to understand and trust.150
B. Regulatory Approaches
Privacy advocates at the Workshop also called for RFID to be subjected to a "formal technology assessment," conducted by a neutral body and involving all relevant stakeholders, including consumers.151 This process could examine issues such as whether RFID can be deployed in less privacy-intrusive ways.152 Until such an assessment takes place, these participants requested that RFID users voluntarily refrain from the item-level tagging of consumer goods.153
In addition, some Workshop panelists argued that government action to regulate RFID is necessary.154 One panelist urged the Commission to implement a set of guidelines for manufacturers and retailers using RFID on consumer products.155 According to this participant, other international standards that already apply to the use of RFID in this context support the need for comparable regulation in the U.S.156 Certain Workshop participants also
endorsed specific restrictions on RFID use, including prohibitions on tracking consumers without their "informed and written consent" and on any application that would "eliminate or reduce [individuals'] anonymity."157 In addition, these participants called for "security and integrity" in using RFID, including the use of third-party auditors that could publicly verify the security of a given system.158 Similarly, one panelist argued that consumers should be able to file with designated government and industry officials complaints regarding RFID users' non-compliance with stated privacy and security practices.159
Other Workshop panelists disputed the need for regulation at this point, contending that legislation could unreasonably limit the benefits of RFID160 and would be ill-suited to regulate such a rapidly evolving technology.161 According to one participant, the FTC's existing enforcement authority is adequate to address abuses of RFID technology, citing the Commission's ability to challenge misrepresentations by a company about its privacy and/or security practices.162 Therefore, this participant concluded that technology-specific privacy legislation is unnecessary at this juncture.163
C. Technological Approaches
Workshop participants also debated the merits of various technological approaches to addressing consumer privacy concerns. In addition to the database security measures discussed above, these proposals include protocols protecting communications between readers and tags, such as encryption or passwords.164 These methods would restrict access to the tag itself by requiring some measure of authentication on behalf of the scanning device. Even if a reader could get a tag to "talk," encryption would prevent the reader from understanding the message.165 One commenter strongly urged that "[authorization, authentication, and encryption for RFID . . . be developed and applied on a routine basis to ensure trustworthiness of RFID radio communications."166
A related technical approach discussed at the Workshop involves "blocker tags," which prevent RFID tags from communicating accurately with a reader.167 With blocker tags, which are tags literally placed over or in close proximity to the RFID tag, consumers would be able to control which items they want blocked and when. This would allow consumers to benefit from any post-purchase applications of RFID that may develop, such as "smart" refrigerators.168
Finally, Workshop participants discussed the "kill switch," a feature that permanently disables at the point-of-sale an RFID tag affixed to a consumer item.169 Such a function has been proposed as a way to provide "choice" to consumers in the context of item-level tagging.170 However, a number of Workshop participants disputed the effectiveness of this approach. Some privacy advocates found the options of killing or blocking tags both lacking because of the burden they could impose on consumers. For example, setting up a "kill kiosk," as one retailer abroad reportedly had done,171 contemplates that consumers first purchase an item and then deactivate an attached RFID tag. Some panelists argued that this process was cumbersome by requiring that consumers engage in two separate transactions when making a purchase. They argued that this process may dissuade consumers from exercising the option to disable tags on purchased items.172
Another critique of these technological "fixes" raised at the Workshop focused on their potential to reward - and thus foster - RFID use. Some participants argued that if the only method of protecting consumer privacy was to disable tags at purchase, any post-purchase benefits would accrue only to those who kept their RFID tags active.173 As a result, these panelists suggested, consumers would be more likely to keep tags enabled.174 Conversely, another participant argued that giving shoppers this option could drive up costs for all consumers, even those who do not object to the presence of active RFID tags on items they purchase.175 According to this speaker, merchants would likely be reluctant to charge higher prices for consumers who elect to deactivate RFID tags prior to purchase.176 Finally, as one commenter pointed out, the effectiveness of tag-killing technology depends on whether the presence of RFID is effectively disclosed: no consumer will seek to deactivate a tag of which she or he is unaware.177
VI. Conclusion
The Workshop provided Commission staff, panelists, and the public with a valuable opportunity to learn about RFID technology. In addition, the Workshop brought together RFID proponents, privacy experts, and other interested parties to discuss RFID's various current and potential applications and their implications for consumer privacy. It also highlighted proposals to address these implications and generated discussion about the merits of these different approaches.
Workshop participants generally agreed that certain RFID uses, like tagging cases and pallets of goods moving through the supply chain, may increase efficiency without jeopardizing consumer privacy. However, less consensus emerged about the implications of other potential RFID uses, such as item-level tagging of consumer products. Some panelists expressed concern about the physical characteristics of RFID devices, focusing on the small size of tags and readers and their ability to communicate even when concealed and at some distance from each other. These participants were also concerned that a third party could access information stored on RFID tags to monitor consumers surreptitiously.
Other panelists believed that privacy concerns about RFID technology were exaggerated. They doubted that RFID technology would ever have some of the capabilities that appear to raise privacy concerns, and they argued that costs will restrict the introduction of RFID into consumer environments. Finally, they asserted that RFID would not be deployed in privacy-intrusive ways, citing as evidence the range of industry self-regulatory efforts underway.
Panelists discussed a number of self-regulatory models, from RFID-specific practices to comprehensive privacy principles that implicitly incorporate RFID use. In general, these approaches incorporate disclosure of the presence of RFID technology ("notice"), providing the option to discard, remove, or disable the tags ("choice"), consumer education, and information security measures. Workshop participants agreed in particular that there is a need to protect information collected with RFID devices and stored in company databases.
Based on the Workshop discussions and comments submitted from technology experts, RFID users, privacy advocates, and consumers, Commission staff agrees that industry initiatives can play an important role in addressing privacy concerns raised by certain RFID applications. The staff believes that the goal of such programs should be transparency. For example, when a retailer provides notice to consumers about the presence of RFID tags, the notice should be clear, conspicuous, and accurate.178 The notice should advise consumers if an RFID tag or reader is present and if the technology is being used to collect personally identifiable information about consumers. This clarity is particularly important when a disclosure concerns an unfamiliar technology, as is the case with RFID.179 Similarly, if
a company's program provides consumers with the option of removing the RFID tag, the company's practices should make that option easy to exercise by consumers. However, given the variation in RFID applications, translating these goals into concrete steps may be challenging and should occur in a way that allows flexibility to develop the best methods to address consumer privacy concerns.
Commission staff also agrees with the Workshop participants who viewed many of the potential privacy issues associated with RFID as inextricably linked to database security. The Commission has worked vigorously, through a combination of law enforcement,180 public workshops,181 and business education materials,182 to ensure that companies secure consumers' personal information. As in other contexts in which personal information is collected from consumers, the staff believes that a company that uses RFID to collect such information must implement reasonable and appropriate measures to protect that data.183 As part of implementing an information security program, the staff encourages businesses to consider whether retention of information collected from consumers through RFID or other methods is necessary or even useful.184 The staff also recommends that any industry self-regulatory program include meaningful accountability provisions to help ensure compliance.
Another critical element of self-regulatory programs that many Workshop participants and commenters emphasized was effective consumer education.185 The staff agrees that consumer education is a vital part of protecting consumer privacy. Industry members, privacy advocates, and government should develop education tools that inform consumers about RFID technology, how they can expect to encounter it, and what choices they have with respect to its usage in particular situations. As new applications of RFID emerge, the staff will continue to monitor these developments and consider what additional guidance or other actions are appropriate, in light of the implications of those developments for consumers.
Endnotes
1. Jo Best, Cheat sheet: RFID, silicon.com, Apr. 16, 2004.
2. See, e.g., Allen, Texas Instruments, at 67-75. Unless otherwise noted, footnote citations are to the transcript of or comments submitted in connection with the Workshop. The Workshop transcript, specific panelist presentations, and comments are available online at http://ftc. gov/bcp/workshops/rfid/index.htm. Footnotes that cite to specific panelists cite to his or her last name, affiliation, and the page(s) where the referenced statement can be found in the transcript or appropriate comment. A complete list of Workshop participants can be found in Appendix A.
3. See Press Release, Wal-Mart, Wal-Mart Begins Roll-Out of Electronic Product Codes in Dallas/ Fort Worth Area (Apr. 30, 2004) (available at http://walmartstores.com).
4. See Jacqueline Emigh, More Retailers Mull RFID Mandates, eweek, Aug. 19, 2004.
5. See Boone, IDC, at 226.
6. Tien, Electronic Frontier Foundation ("EFF"), at 97.
7. Press Release, FDA, FDA Announces New Initiative to Protect the U.S. Drug Supply Chain Through the Use of Radiofrequency Identification Technology (Nov. 15, 2004) (available at http:// fda.gov).
8. Over the past decade, the FTC has frequently held workshops to explore emerging issues raised by new technologies. The Commission's earliest workshops on Internet-related issues were held in 1995. See http://ftc.gov/opp/global/trnscrpt.htm. More recently, the Commissions workshops have focused on such issues as wireless technologies, information security, spam, spyware, and peer-to-peer networks. For more information about each of these forums and the Commission's privacy agenda, see http://ftc.gov/privacy/privacyinitiatives/promises_ wkshp.html.
9. This report was prepared by Julie Brof and Tracy Thorleifson of the FTC staff. It does not necessarily reflect the views of the Commission or any individual Commissioner.
10. For an explanation of how GPS operates, see http://gps.faa.gov/gpsbasics/.
11. The EPCglobal Network: Overview of Design, Benefits, and Security §3 (2004) (available at http://epcglobalinc.org).
12. See John Carey, Big Brother's Passport to Pry, Business Week, Nov. 5, 2004.
13. Image courtesy of Marks & Spencer.
14. See RSA Laboratories, Technical Characteristics of RFID (available at http://rsasecurity. com/rsalabs/).
15. See Frequently Asked Questions (available at http://rfidjournal.com).
16. For a discussion of these and other approaches to securing communications between RFID tags and readers, see Section V.C., infra.
17. Bar codes, however, are typically less expensive and have longer read ranges, provided there is line-of-sight scanning. See Olga Kharif, Like It or Not, RFID IS Coming, Business Week, Mar. 18, 2004 (noting that RFID tags now cost "at least 20 times as much" as bar codes); Parkinson,
Capgemini, at 214 (stating that "as long a bar code is visible, [it can be read] from almost a mile away with a laser scanner").
18. See Stafford, Marks & Spencer, at 264.
19. Image courtesy of Intel Research Seattle.
20. Image courtesy of Marks & Spencer.
21. Image courtesy of Intel Research Seattle.
22. See Privacy FAQs (available at http://rfidjournal.com); see also Parkinson at 213.
23. The EPCglobal Network §§ 5-6, supra note 11. As a participant at the Workshop explained, "EPCglobal is a joint venture of the Uniform Code Council and EAN International . . . . [whose] mission is simply to create global standards for the EPCglobal Network." Board, EPCglobal Public Policy Steering Committee, at 269.
24. See Hutchinson, EPCglobal US, at 37-38.
25. Id.
26. See http://ezpassstatic/info/howit.shtml.
27. Frequently Asked Questions, supra note 15.
28. In fact, the proximity of some of those substances, particularly water or metal, may make it impossible to read an RFID tag. Engels, Auto-ID Labs, at 23-25, 27.
29. Costs are in U.S. dollars. See Glossary of RFID Terms (available at http://rfidjournal. com); see also Boone, IDC, at 219.
30. See Robert O'Harrow Jr., Tiny Sensors That Can Track Anything, Washington Post, Sept. 24,
2004.
31. See Aaron Ricadela, Sensors Everywhere, Information Week, Jan. 24, 2005.
32. See Glossary of RFID Terms, supra note 29.
33. See http://ezpassindex.html.
34. See Joshua Walker and Christine Spivey Overby, Forrester Research, What You Need to Know About RFID in 2004 (available at http://forresterER/Research/Brief/0,1317,33298,FF.
html).
35. Id.
36. As noted above, the theoretical distance for reading passive tags is up to 30 feet, but that longer range does not account for real-world conditions, such as interference from metals, liquids, or even wind. See Engels, Auto-ID Labs, at 24-25; Albers, Philips Semiconductors ("Philips"), at
35.
37. For example, Workshop attendees heard about how Marks & Spencer, a British retail chain, uses
writeable tags on trays used to ship products from the company's food supplier. Each time a tray
is used, the RFID tag on the outside of the tray is "written to," meaning that information about
the contents of the tray for that particular shipment is loaded onto the chip. Stafford, Marks &
Spencer, at 262-63.
38. The EPCglobal Network is an example of such a system. See supra note 11.
25
39. Id. ; Allen, Texas Instruments, at 73.
40. Allen, Texas Instruments, at 73; see also Laurie Sullivan, How RFID Will Help Mommy Find Johnny, InformationWeek, Sept. 15, 2004.
41. Allen, Texas Instruments, at 68; see also Albers, Philips, at 32-33.
42. According to a Workshop participant, seven million U.S. consumers currently use Speedpass. Allen, Texas Instruments, at 70. In addition to payment mechanisms like Speedpass, major credit card companies are developing "contactless smart cards" to facilitate purchases at a variety of venues. Albers, Philips, at 32 (noting that MasterCard, Visa, and American Express are developing such cards). One recent example is the acceptance of MasterCard's "PayPass" at McDonald's. McDonald's to Roll Out Contactless Payments in USA, UsingRFID.com, Aug. 30,
2004.
43. See, e.g., http://ezpassindex.html. A recently announced initiative by the Orlando/
Orange County Expressway Authority ("OOCEA") in Florida will take this concept even further.
OOCEA plans to install roadside RFID readers to gather data from about 1 million RFID tags
attached to cars. The program is designed to determine accurate travel times and improve traffic
flow. After the information is encrypted and stripped of any personal identifiers, drivers will
be able to access it from signs along the highway, by phone, and eventually through a Web site. Claire Swedberg, RFID Drives Highway Traffic Reports, RFID Journal, Nov. 17, 2004.
44. Sarah Lacy, Inching Toward the RFID Revolution, Business Week, Aug. 31, 2004.
45. Hughes, Procter & Gamble ("P&G"), at 167.
46. See Julie Hutto and Robert D. Atkinson, PPI, Radio Frequency Identification: Little Devices Making Big Waves, at 3-4 (Oct. 2004) (arguing that retailers' costs savings attributable to RFID would be quickly passed on to consumers because of "fierce competition"). However, a number of panelists at the Workshop suggested that the adoption of RFID by retailers would not necessarily result in lower prices for consumers, at least not in the near future. See Hughes, P&G, at 196; Duncan, National Retail Federation ("NRF"), at 196-97.
47. Wood, Retail Industry Leaders Association ("RILA"), at 52-53.
48. Id. According to the Grocery Manufacturers of America, an estimated 8 percent of the time consumers can't find what they want on retailers' shelves, and that number can climb to 15 percent during a product promotion. Barnaby J. Feder, RFID: Simple Concept Haunted by Daunting Complexity, N.Y. Times, Nov. 21, 2004.
49. Wood, RILA, at 54; Langford, Wal-Mart, at 62-64. According to Langford, Wal-Mart intends to monitor shipments as they leave suppliers, which will provide additional visibility early in the supply chain, not just when products arrive at a Wal-Mart distribution center.
50. Langford, Wal-Mart, at 62-63. As explained above, unlike bar codes, RFID tags do not require line-of-sight or individual scanning to be read.
51. This panelist explained how RFID could reduce the need for retailers to order "safety stock," which are the additional goods purchased in order to avoid having a shortage of necessary items. Safety stock sits unsold on the shelf, and is thus a source of inefficiency. Wood, RILA, at 53.
52. Wood, RILA, at 54; see also Langford, Wal-Mart, at 67; Grocery Manufacturers of America
("GMA"), Comment, at 3.
53. Woods, RILA, at 53.
54. Boone, IDC, at 218-19. See also Stafford, Marks & Spencer, at 264 (asserting that "[t]he business case for using RFID tags is entirely about the speed of read").
55. Wood, RILA, at 55.
56. Id. at 54-55 (explaining that RFID will help ensure that consumers don't "buy aspirin and then have it expire on [them] in three months"); see also GMA, Comment, at 3.
57. Tien, EFF, at 96-98; see generally Mulligan, Samuelson Law, Technology, and Public Policy Clinic ("Samuelson Clinic"), at 152-162. Another recent development that has emerged since the Wo
http://studentbank.in/report-RFID-Technology--5298
http://studentbank.in/report-RFID-Techno...plications for understanding RFID technique
[attachment=2753]
RFID
Radio Frequency IDentification:
Rpplications and Implications for Consumers
Presented By:
Staff of the Federal Trade Commission
I. Introduction
Radio frequency identification technology, known as RFID, has been described as "tech's official Next Big Thing."1 RFID is not actually a new technology, but it is being applied in new ways, spurred by technological advances and decreased costs. Once used during World War II to identify friendly aircraft, RFID is now being used in a variety of public and private sector settings, from hospitals to the highway.
In RFID systems, an item is tagged with a tiny silicon chip and an antenna; the chip plus antenna (together called a "tag") can then be scanned by mobile or stationary readers, using radio waves (the "RF"). The chip can be encoded with a unique identifier, allowing tagged items to be individually identified by a reader (the "ID"). Thus, for example, in a clothing store, each particular suit jacket, including its style, color, and size, can be identified electronically. In a pharmacy, a druggist can fill a prescription from a bottle bearing an RFID-chipped label confirming the authenticity of its contents. On the highway, cars with RFID tags on their windshields can move swiftly through highway tollbooths, saving time and reducing traffic congestion. At home, pets can be implanted with chips so that lost animals can be identified and returned to their owners more readily. In each case, a reader must scan the tag for the data it contains and then send that information to a database, which interprets the data stored on the tag. The tag, reader, and database are the key components of an RFID system.
RFID proponents believe that the ability of these systems to deliver precise and accurate data about tagged items will improve efficiency and bring other benefits to businesses and consumers alike.2 One major retailer has already announced a mandate for its largest suppliers to begin tagging cases and pallets of merchandise.3 Other companies in the U.S. and abroad reportedly are exploring similar directives.4 Spending on RFID implementation in the retail supply chain alone has been estimated at $91.5 million last year - an amount expected by some to exceed $1 billion by 2007.5 Outside the retail sector, libraries across the country reportedly are already tagging books,6 and the FDA has announced that it is actively encouraging pharmaceutical manufacturers to use RFID to fight drug counterfeiting.7
While these developments may offer significant benefits for industry and consumers, some applications have raised privacy concerns. The capacity to encode unique identifiers at the individual item level may have revolutionized thinking about inventory management, but
it has also raised fears that this technology might be used to track individual products out of the store and into consumers' homes or otherwise monitor individual consumer behaviors. As with the Internet and other data-intensive technologies, these concerns must be addressed so that they do not hinder the development and deployment of RFID in the marketplace.
On June 21, 2004, the Federal Trade Commission explored these issues at a public workshop entitled "Radio Frequency Identification: Applications and Implications for Consumers." The Workshop brought together technologists, RFID proponents, privacy advocates, and policymakers to discuss the range of applications for RFID, the future of this technology, and its implications for consumers.8 This staff report will summarize the discussion at the Workshop and offer some preliminary recommendations for addressing the privacy concerns raised by some participants.9
Part I of the report provides an overview of the issues the report covers and a summary of the FTC staff's conclusions. Parts II through V summarize the Workshop panel discussions and highlight some of the key points made in the written comments submitted to the Commission in connection with the Workshop. Specifically, Part II discusses how RFID technology works. Part III describes current and emerging uses of RFID technology, both in the private and public sectors. Part IV discusses the consumer privacy implications of RFID applications and database security issues. Part V describes different proposals to address consumer privacy concerns, including technological approaches and self-regulatory efforts. Finally, Part VI offers Commission staff conclusions regarding steps that RFID users may take to alleviate RFID-related privacy concerns.
As explained in Part VI below, based on the information received in connection with the Workshop and other available information, the FTC staff concludes:
¢ Industry initiatives can play an important role in addressing privacy concerns raised by certain RFID applications. The goal of such programs should be transparency.
¢ Any industry self-regulatory program should include meaningful accountability provisions to help ensure compliance.
¢ Many of the potential privacy issues associated with RFID are inextricably linked to database security. As in other contexts in which personal information is collected from consumers, a company that uses RFID to collect such information must implement reasonable and appropriate measures to protect that data.
¢ Consumer education is a vital part of protecting consumer privacy. Industry members, privacy advocates, and government should develop education tools that inform consumers about RFID technology, how they can expect to encounter it, and what choices they have with respect to its usage in particular situations.
II. The ABCs of RFID
Understanding what RFID devices are and how they work is critical to an analysis of the policy issues surrounding this technology. Generic references to "RFID technology" may be applied incorrectly to a wide range of devices or capabilities. For example, RFID by itself is not a location-tracking technology. At sites where readers are installed, RFID may be used to track tagged objects, but this static readability differs from technology such as global positioning systems, or GPS, which uses a network of satellites to pinpoint the location of a receiver.10 And RFID technology itself can be used for a variety of applications, from contactless identification cards that can be scanned no farther than inches away from a reader, to highway systems utilizing "active" RFID tags that can initiate communication with a scanner 100 feet away.
A. Primary Components of RFID Devices
RFID devices have three primary elements: a chip, an antenna, and a reader. A fourth important part of any RFID system is the database where information about tagged objects is stored.
¢ The chip, usually made of silicon, contains information about the item to which it is attached. Chips used by retailers and manufacturers to identify consumer goods may contain an Electronic Product Code ("EPC").11 The EPC is the RFID equivalent of the familiar universal product code ("UPC"), or bar code, currently imprinted on many products. Bar codes must be optically scanned, and contain only generic product information. By contrast, EPC chips are encrypted with a unique product code that identifies the individual product to which it is attached, and can be read using radio frequency. These codes contain the type of data that product manufacturers and retailers will use to track the authenticity and location of goods throughout the supply chain.
An RFID chip may also contain information other than an EPC, such as biometric data (a digitized image of a fingerprint or photograph, for example).12 In addition, some chips may not be loaded with information uniquely identifying the tagged object at all; so-called "electronic article surveillance systems" ("EAS") may utilize
radio frequency communication to combat shoplifting, but not to uniquely identify individual items.
¢ The antenna attached to the chip is responsible for transmitting information from the chip to the reader, using radio waves. Generally, the bigger the antenna, the longer the read range. The chip and antenna combination is referred to as a transponder or, more commonly, as a tag. Participants at the workshop brought samples of tags currently in use. The pictures below show a common EPC tag that can be affixed to an object (Figure A) and a paper hang-tag that can be attached to individual articles of clothing (Figure B13).
¢ The reader, or scanning device, also has its own antenna, which it uses to communicate with the tag.14 Readers vary in size, weight, and power, and may be mobile or stationary. Although anyone with access to the proper reader can scan an RFID tag,15 RFID systems can employ authentication and encryption to prevent unauthorized reading of data.16 "Reading" tags refers to the communication between the tag and reader via radio waves operating at a certain frequency. In contrast to bar codes, one of RFID's principal distinctions is tags and readers can communicate with each other without being in each other's line-of-sight.17 Therefore, a reader can scan a tag without physically "seeing" it. Further, RFID readers can process multiple items at one time, resulting in a much-increased (again as compared to UPC codes) "speed of read."18
The pictures on the opposite page show various RFID readers: a stationary reader that could be used to track tagged cases of goods entering a warehouse (Figure C19); a mobile reader used to monitor inventory on a retail store floor (Figure D20); and a prototype of a glove embedded with a scanner used to track daily domestic living activities (Figure E21).
¢ The database, or other back-end logistics system, stores information about RFID-tagged objects. Access to both a reader and its corresponding database are necessary before information stored on an RFID tag can be obtained and understood. In order
to interpret such data, RFID readers must be able to communicate with a database or other computer program.
One protocol being developed for product manufacturers uses chips embedded with a 96-bit EPC code - a number - that includes several fields identifying the manufacturer ("ABC Company"), the product ("cola"), its size or its packaging ("24-pack of cola cans"), and a unique identifier.22 This system, the "EPCglobal Network," calls for a secure network of servers that will share information obtained from tagged objects moving through the supply chain. According to the network's architect, EPCglobal, the data will be stored on EPCglobal member company databases, access to which will be controlled by those individual companies.23 In order to interpret what these fields mean, a directory, or "object naming service" ("ONS"), will direct the reader to the appropriate server(s) where the data from the tag and associated information are stored. The ONS will function much like a reverse telephone directory or an Internet browser, which translates a URL into a Web site.24 In the RFID context, the ONS will identify what server has information about the tagged item, allowing an RFID user to interpret the meaning of the particular code on a particular tag.25 The database information will vary with the context. For example, with automatic highway toll payment systems, databases will page link account numbers stored on a tag to the appropriate prepaid account for billing purposes.26
Although all RFID systems have these essential components, other variables affect the use or set of applications for which a particular tag is appropriate. As discussed further below, key factors include whether the tag used is "active" or "passive"; what radio frequency is used; the size of the antennas attached to the chip and to the reader; what and how much information can be stored on a tag; and whether the tag is "read/write" or "read-only." These factors affect the read ranges of the systems as well as the kind of object that can usefully be tagged. They also impact the cost, which is an especially important commercial consideration when tagging a large volume of items.
B. Passive v. Active Tags
There are three types of RFID tags, differentiated by how they communicate and how that communication is initiated:
¢ Passive tags have no onboard power source - meaning no battery - and do not initiate communication. A reader must first query a passive tag, sending electromagnetic waves that form a magnetic field when they "couple" with the antenna on the RFID tag."27 Consistent with any applicable authorization, authentication, and encryption, the tag will then respond to the reader, sending via radio waves the data stored on it. Currently, depending on the size of the antenna and the frequency, passive tags can be read, at least theoretically, from up to thirty feet away. However, real-world environmental factors, such as wind and interference from substances like water or metal, can reduce the actual read range for passive tags to ten feet or less.28 Passive tags are already used for a wide array of applications, including building-access cards, mass transit tickets, and, increasingly, tracking consumer products through the supply chain. Depending on the sophistication of the chip, such as how much memory it has or its encryption capability, a passive tag currently costs between 20 cents and several dollars.29
¢ Semi-passive tags, like passive tags, do not initiate communication with readers, but they do have batteries. This onboard power is used to operate the circuitry on the chip, storing information such as ambient temperature. Semi-passive tags can be combined, for example, with sensors to create "smart dust" - tiny wireless sensors that can monitor environmental factors. A grocery chain might use smart dust to track energy use, or a vineyard to measure incremental weather changes that could critically affect grapes.30 Devices using smart dust, also known as "motes," currently cost about $100 each, but, in a few years, reportedly could drop to less than $10 apiece.31
¢ Active tags can initiate communication and typically have onboard power. They can communicate the longest distances - 100 or more feet. Currently, active tags typically cost $20 or more.32 A familiar application of active tags is for automatic toll payment systems, like the Northeast's "E-ZPass," that allow cars bearing active tags to use express lanes that don't require drivers to stop and pay.33
C. Radio Frequency
Communication between RFID tags and readers is also affected by the radio frequency used, which determines the speed of communications as well as the distance from which tags can be read. Higher frequency typically means longer read range. Low-frequency ("LF") tags, which operate at less than 135 kilohertz (KHz), are thus appropriate for short-range uses, like animal identification and anti-theft systems, such as RFID-embedded automobile keys.34 Systems that operate at 13.56 megahertz (MHz) are characterized as high frequency ("HF"). Both low-frequency and high-frequency tags can be passive. Scanners can read multiple HF tags at once and at a faster rate than LF tags. A key use of HF tags is in contactless "smart cards," such as mass transit cards or building-access badges.35
The third frequency, Ultra-High Frequency ("UHF"), is contemplated for widespread use by some major retailers, who are working with their suppliers to apply UHF tags to cases and pallets of goods. These tags, which operate at around 900 MHz, can be read at longer distances, which outside the laboratory environment range between three and possibly fifteen feet.36 However, UHF tags are more sensitive to environmental factors like water, which absorb the tag's energy and thus block its ability to communicate with a reader.
D. Read/Write Capacity
Finally, another important feature of RFID tags is their "read/write" capacity, or "read¬only" status. These terms refer to a tag's ability to have data added to it during its lifetime. The information stored on a "read-only" tag cannot be altered, but a writeable tag (with read/write capacity) can receive and store additional information. Read/write applications are most prevalent when tags are re-used.37 They are usually more sophisticated and costly than read-only applications. In addition, read/write applications have shorter read ranges. Read¬only tags are well-suited to applications like item-level tagging of retail goods, since they are less expensive and, as part of a networked system, can provide a great deal of information by directing the reader to the associated database(s) where information about the tagged item is maintained.38
III. RFID Today and Tomorrow
The Workshop included a comprehensive discussion of RFID's various current and anticipated applications. Both private and public sector users of RFID explained how they are applying this technology to improve their delivery of goods and services. Privacy advocates also addressed the implications of these initiatives, sounding a cautionary note about some of the emerging uses of RFID and their consequences for consumer privacy.
A. Current Uses of RFID
Workshop participants described a number of RFID applications that consumers may already be using. For example, some consumers are familiar with employee identification cards that authenticate the pass-holder before permitting access.39 A related use of RFID is for event access - to amusement parks, ski areas, and concerts, where tagged bracelets or tickets are used.40 Panelists also explained how RFID is being used in a variety of transportation-related contexts. Many automobile models already use RFID tags in keys to authenticate the user, adding another layer of security to starting a car.41 Another example, the "Speedpass," allows drivers to purchase gas and convenience store goods from ExxonMobil stations.42 RFID is also transforming highway travel, with the advent of E-ZPass in Northeastern and Mid-Atlantic states and similar programs in other regions of the country that allow drivers to pass through tolls without stopping to pay. An active tag on the vehicle's windshield lets a reader installed at the tollbooth know that a tagged vehicle is passing through; information flows from the tag, to the reader, and then to a centralized database, where the prepaid or checking account associated with that vehicle is charged.43
B. RFID in the Supply Chain
To the extent that the much-touted "RFID revolution" is underway, it is occurring somewhat out of public sight - in warehouses, distribution centers, and other stages of the supply chain.44 Workshop participants discussed how RFID's impact on the flow of goods through distribution channels has implications not just for manufacturers, suppliers, and retailers, but also for consumers.45 Many panelists reported that as a result of more efficient distribution practices generated by RFID use, consumers may find what they want on the store shelves, when they want it, and perhaps at lower prices.46
Workshop participants representing manufacturers and retailers described the anticipated economic benefits of RFID. According to one panelist, the retail industry suffers losses between $180 and $300 billion annually because of poor supply chain visibility - the inability to track the location of products as they make their way from manufacturer to retailer.47 As a result, this panelist stated, retailers are not always able to keep high-demand goods in stock, or they may have inventory that they can't move.48
Participants discussed how RFID may help prevent these lapses by improving visibility at multiple stages of the supply chain. RFID readers can gather information about the location of tagged goods as they make their way from the manufacturer, to a warehouse or series of distribution centers, and to the final destination, their store.49 Also, as one workshop participant explained, RFID enhances the accuracy of information currently obtained through bar code scanning, which is more vulnerable to human error.50 According to this panelist, access to more - and more accurate - information about where products are in the distribution chain enables retailers to keep what they need in stock and what they do not need off the
shelf.51
Workshop participants also touted the discipline that RFID imposes on the supply chain by, for example, reducing "shrinkage," or theft.52 One panelist explained how RFID may lower costs by keeping shipping volumes leaner and more accurate.53 Other panelists described how RFID tags can be read much faster than bar codes, citing tests indicating that RFID's scanning capability can result in goods moving through the supply chain ten times faster than they do when bar codes are used.54 According to another participant, RFID will facilitate quicker, more accurate recalls by enabling the tracking of a product's origin and its location in the distribution chain.55 Further, this panelist asserted, RFID will enhance product freshness by monitoring expiration dates of consumer goods, so retailers know when not to offer items for sale.56
C. RFID Use in the Public Sector
Panelists also discussed how RFID is being used or contemplated for use by government entities to meet objectives similar to those their private-sector counterparts hope to achieve. Workshop participants discussed a variety of ongoing and proposed government RFID applications, from the U.S. Department of Defense's ("DoD") October 2003 mandate
requiring its suppliers to use RFID tags by January 2005 to local library systems deploying this technology to track and trace their books.57 DoD's initiative reportedly will affect 43,000 military suppliers.58 And, according to panelists, public libraries in California, Washington State, and elsewhere have implemented internal RFID systems to facilitate patron usage and manage stock.59
One Workshop panelist, representing the U.S. Food and Drug Administration ("FDA"), highlighted that agency's RFID initiative.60 Although the FDA itself is not using this technology, it recently announced an initiative to promote the use of RFID in the pharmaceutical supply chain by 2007.61 For now, drug manufacturers will primarily tag "stock bottles" - those used by pharmacists to fill individual prescriptions - but eventually consumers may be purchasing packages labeled with RFID chips.62 The core objective of this initiative is to fight drug counterfeiting by establishing a reliable pedigree for each pharmaceutical.63 The FDA believes that this goal can most effectively be accomplished by its target date through the adoption of RFID, which offers distinct advantages over other identification systems that require line-of-sight scanning and are not as accurate or fast.64
Another government entity turning to RFID is the U.S. Department of Homeland Security ("DHS"). One program described by a DHS official at the Workshop uses RFID for tracking and tracing travelers' baggage.65 Both individual airports66 and airlines67 will use RFID technology to identify and track passenger luggage, from check-in to destination. Another DHS initiative addressed at the Workshop involves the agency's "US-VISIT" (U.S. Visitor and Immigrant Status Indicator Technology) program. That initiative will test RFID at the country's fifty busiest border-crossing locations by using RFID to read biometric identifiers, such as digital photographs and fingerprint scans, embedded in U.S. work visas issued to foreign nationals.68 According to the DHS representative, this program is expected to facilitate some of the approximately 330 million border-crossings each year by getting "the appropriate level of information to the right people at the right time."69 As this panelist noted as well, U.S. passports will also soon carry an RFID chip embedded with identifying information, including biometric data.70
D. Emerging RFID Applications
The Workshop also addressed emerging RFID applications and when such uses are expected to be implemented. According to panelists, one sector that is the focus of extensive RFID research is health care, where RFID devices can be used to track equipment and people within a medical facility.71 Other proposed applications contemplate using RFID in different ways. For example, one ongoing study discussed at the Workshop is exploring how RFID can enhance the quality of elder care.72 By tagging key objects in a senior's home - such as prescription drug bottles, food items, and appliances - and embedding small RFID readers in gloves that can be worn by that individual, that person's daily habits can be monitored remotely by a caregiver.73 This system would develop more accurate record-keeping for medical treatment purposes and could facilitate independent living for senior citizens.74
The Workshop also addressed the anticipated timeline for the adoption of item-level RFID tagging in the retail sector. According to one participant, some retailers are currently experimenting with embedding RFID tags in individual consumer goods, and cited as an example German retailer Metro AG's controversial use of RFID in its "Future Store."75 However, many panelists concurred that widespread item-level tagging of retail products was not imminent.76 The most commonly cited reason for this delay was cost: according to one panelist, the current price per tag of between 20 and 40 cents makes item-level RFID too expensive to deploy widely in the near term.77 Workshop panelists also asserted that the target cost of five cents per tag will likely not be realized until 2008.78 Even then, other costs may slow the evolution of item-level tagging. According to one Workshop participant, hardware costs account for only 3% of the expense of deploying RFID. Expenditures for developing the software necessary to interpret and store information generated by RFID constitute nearly three-quarters of the cost of implementing this technology.79
According to Workshop participants, other factors that could inhibit the evolution of item-level tagging include the lack of standardization for RFID frequency and power; inadequate end-user knowledge about how the technology works; and technical challenges, such as reader accuracy and interference from external substances (like water and metal).80
IV. Consumer Perceptions and Privacy Concerns
A. Consumer Survey Results
In addition to addressing how RFID works and can be used, Workshop participants discussed the implications of this technology for consumers. The Workshop included a presentation about the results of a study concerning consumer perceptions of RFID. According to a survey of more than 1,000 U.S. consumers conducted in October 2003, the majority of those polled were unfamiliar with RFID.81 Over three-quarters of the sample - 77% - had not heard of RFID. Confirming the general lack of knowledge about this technology, nearly half of the group aware of RFID had "no opinion" about it.82
Consumers who did have an opinion about RFID expressed a variety of views about whether or how this technology would affect them. When asked to rank a set of potential benefits of RFID, 70% identified recovery of stolen goods and improved food and drug safety high on the list. The majority (66%) also placed cost savings toward the top of the list of benefits, although some consumers were also concerned that RFID use would instead raise prices. Consumers placed access to marketing-related benefits, like in-aisle companion product suggestions, at the bottom of the list.83
The most significant concerns expressed by consumers familiar with RFID related to privacy. In response to both open-ended and prompted questions (with pre-programmed answers to select or rank), privacy emerged as a leading concern. For example, approximately two-thirds of consumers identified as top concerns the likelihood that RFID would lead to their data being shared with third parties, more targeted marketing, or the tracking of consumers via their product purchases. These findings are consistent with the views of consumers who submitted comments to the Commission about RFID.84 Many of those consumers voiced strong opposition to having RFID devices track their purchases and movements, with some citing as reasons for their position the potential for increased marketing or government surveillance.
A more recent consumer survey, conducted by two market research companies, revealed similar results.85 Of more than 8,000 individuals surveyed, fewer than 30% of consumers were aware of RFID technology. Further, nearly two-thirds of all consumers surveyed expressed concerns about potential privacy abuses.86 Their primary concerns centered around
RFID's ability to facilitate the tracking of consumers' shopping habits and the sharing of that information among businesses and with the government. Like the study discussed at the Workshop, this survey also demonstrated that the great majority of consumers remain unfamiliar with RFID. Additionally, consumers who fell into the "RFID non-aware" category were more likely to be concerned about RFID's implications for their privacy than were consumers who were familiar with the technology.87
B. RFID and Consumer Privacy
Against the backdrop of survey data about consumer perceptions of RFID, Workshop participants discussed the nature of privacy concerns associated with some of the emerging uses of this technology. While there was some consensus among Workshop panelists that certain uses of RFID today - such as in the supply chain - may not jeopardize consumer privacy,88 a number of consumer advocates voiced concerns about the potential impact of other RFID applications on consumer privacy.89 According to these panelists, such concerns may arise when consumers interact more directly with tags and readers, particularly in the context of item-level tagging of retail goods.
The concerns articulated by these Workshop participants implicated issues specific to RFID technology as well as more general privacy issues. Some panelists discussed how RFID's unique or distinguishing characteristics may jeopardize consumer privacy. First, these participants cited as a key concern the "bit capacity" of Electronic Product Codes ("EPCs"), which enable the assignment of individual identifiers to tagged objects.90 They argued that RFID's potential to identify items uniquely facilitates the collection of more - and more accurate - data.91
Other features of RFID that troubled these Workshop participants related to the devices' physical attributes. According to these panelists, the small size of tags and readers enables them to be hidden from consumers.92 One Workshop participant explained that if a long read-range is not required, scanners can be smaller than a U.S. quarter.93 Another Workshop participant focused on the privacy implications of the small size of RFID chips and how their shrinking dimensions facilitate their unobtrusive integration into consumer goods.94 Some panelists highlighted the ability of RFID devices to communicate with one another through materials, without line-of-sight, and at some distance.95 These technical characteristics, they
argued, distinguish RFID from bar codes, which in order to be read must be visible on the outside of product packaging.96 Some commenters pointed to these characteristics as evidence that RFID would allow surreptitious scanning to gather information about the products consumers wear or carry.97 Participants also raised concerns about what they termed the "promiscuity" of RFID devices98 - when tags can be accessed by multiple readers, it raises the specter of unfettered third-party surveillance.99
The combination of these factors, some Workshop participants asserted, will weaken consumers' ability to protect themselves from in-store tracking and surreptitious monitoring in public places, at work, and even at home. Certain panelists were especially concerned about RFID's potential to facilitate consumer tracking, by linking personally identifiable information in databases to the unique numbers on RFID tags. One participant described how a retailer could associate purchaser data with the uniquely identified product an individual buys.100 According to the participant, this practice would be similar to what retailers can currently do with customer loyalty cards or credit cards.101 However, a number of Workshop panelists maintained that RFID poses greater threats to consumer privacy because of the enhanced level of information it provides about each tagged item. They suggested that a tagged item carried by a consumer out of a store could be read covertly, and what it communicates could be more than just the presence of a particular item. If linked to purchase data, the identification of a particular product could also identify the individual who bought that item.102
Privacy advocates at the Workshop cited this latter potential as the basis for another privacy concern: consumer profiling. By tracking the movement of tagged goods and the people associated with them, more information can be gathered about the activities of those individuals.103 That in turn could make it easier to predict the behavior of others who buy the same items, even without monitoring them.104 Another concern raised at the Workshop relates to RFID's facilitation of "customer relationship management," whereby retailers customize pricing and service based on a consumer's potential profitability.105 According to one Workshop participant, if RFID tags were embedded in customer loyalty cards, consumers could be identified as soon as they entered the store that issued the card. This could result in targeted marketing or customer service directed at the consumer, depending on his or her purchase history or other information linked to the loyalty card.106
Many of these fears are associated with item-level tagging. As noted in Section III.D., however, a number of Workshop participants representing retailers and other RFID users maintained that RFID was not being used in this manner on a widespread basis now and would not be in the near future.107 Some panelists also argued that no real business case exists for the adoption of a network accessible to multiple users that contains information about these users' RFID-tagged goods. As one participant stated, "Wal-Mart doesn't want its competitors to read tags that are from Wal-Mart stores. Wal-Mart probably also doesn't want its suppliers to read information about its other suppliers. They want to control that information for competitive reasons."108
Even if and when item-level tagging is adopted on a widespread basis, some Workshop participants disputed that consumer privacy would be jeopardized as a result. They asserted that RFID's technological limitations will prevent its surreptitious use. For example, reading an RFID tag from a significant distance currently requires use of a sizable antenna ("about the size of a plate," according to one panelist) and significant energy.109 Another argument advanced at the Workshop focused on how cost factors will continue to slow retailers' adoption of RFID, limiting the sophistication and proliferation of readers on the store floor.110 One participant representing a retail chain argued that no business case exists for linking data collected via RFID to personally identifiable information about consumers, so fears about this potential are misplaced.111 In addition, many panelists addressed the emergence of a variety of technological protocols and products, such as encryption and blocker tags, that may offer a means to address privacy concerns associated with these devices.112
C. Database Security Issues
Regardless of panelists' views regarding the existence or extent of many privacy concerns, many participants agreed that database security was an important issue, especially in the manufacturing and retail environment. Rather than concentrating on how information may be collected via RFID devices, these participants discussed security issues that focus on how such data is stored and whether it is adequately protected.113 According to one panelist, database security is a critical aspect of any analysis of privacy concerns associated with RFID use, because the tags themselves may contain only limited data, such as a number in the case of EPC chips.114 The panelist further explained that the information associated with that number
will be stored on a server of the product manufacturer or other authorized user, where it can be linked to additional data.115
Although Workshop panelists did not analyze the specific database security concerns linked to RFID use, one commenter provided a detailed discussion of these issues.116 According to this commenter, security concerns are likely to arise in connection with interoperable tags, which can be read by different enterprises sharing information associated with those tags.117 The commenter explained that the security of any database in which that information is stored depends on traditional information technology protections - not RFID-specific practices.118 Further, the commenter asserted that these concerns are exacerbated when databases are maintained by third parties, outside of the RFID user's direct control.119 Thus, the commenter argued, security measures will be that much more critical if databases contain information from RFID tags linked to personally identifiable information about the purchasers of tagged items.120
Workshop participants representing a range of interests generally acknowledged the need to address these issues. One speaker emphasized that the EPCglobal Network will maintain the security of data associated with EPC tags, which will be stored on servers "beyond the firewalls of corporations, logistics providers and retailers all around the globe."121 However, others felt that insufficient attention has been devoted to database security122 and maintained that RFID use will exacerbate existing concerns, since information collected via RFID will be that much more detailed and accurate.123 Another Workshop participant argued that the focus on privacy concerns presented by RFID devices (i.e., tags and readers) are obfuscating the more important concerns related to general database security.124
V. Addressing Consumer Privacy Challenges: Best Practices and Principles
The Workshop concluded with a panel examining various approaches to addressing the privacy issues raised by RFID technology. As participants noted, these challenges are not insubstantial, in light of RFID's evolving nature and the uncertainty as to how various existing and potential uses may affect consumers.125 Industry guidelines, legislative developments,
and technological solutions designed to address privacy and security concerns were among the options discussed and debated.126
A. Existing Industry Practices and Standards
Panelists voiced a range of opinions as to what approach or combination of measures would be most effective at meeting the challenges posed by RFID. Many participants agreed that, at a minimum, businesses deploying RFID should take steps to protect consumer privacy. One self-regulatory model already in place is EPCglobal's "Guidelines on EPC for Consumer Products" ("EPCglobal Guidelines").127 According to a Workshop panelist, the Guidelines were developed with input from privacy experts and apply to all EPCglobal members.128 The Guidelines call for consumer notice, choice, and education, and also instruct companies to implement certain security practices.129
The first element, consumer notice, requires that companies using EPC tags "on products or their packaging" include an EPC label or identifier indicating the tags' presence. According to a Workshop participant, EPCglobal has developed a template label that companies can use to inform consumers of the presence of EPC tags.130 Displaying a copy of the model identifier, the speaker explained that the template label discloses that a particular product's packaging contains an EPC tag, which may be discarded by a consumer after purchase.131
The Guidelines' second requirement, consumer choice, concerns the right of consumers to "discard or remove or in the future disable EPC tags from the products they acquire." The Guidelines explain, "for most products, the EPC tags [would] be part of disposable packaging or would be otherwise discardable."
Consumer education is the third prong of the Guidelines, which provides that consumers should have "the opportunity easily to obtain accurate information about EPC tags and their applications." The Guidelines task companies using RFID with "familiariz[ing] consumers with the EPC logo and . . . help[ing] consumers understand the technology and its benefits."
Finally, the Guidelines call for companies to ensure that any "data which is associated with EPC is collected, used, maintained, stored and protected" consistent with "any applicable laws."132 They further instruct companies to publish "information on their policies regarding the retention, use and protection of any personally identifiable information associated with EPC
use."133 To help ensure compliance with these Guidelines, EPCglobal will provide a forum to redress complaints about failures to comply with the Guidelines.134
According to Workshop participants, some companies have already endorsed or implemented these practices as they test RFID systems.135 Panelists discussed how Wal-Mart, which is currently operating a pilot program with EPC tags in a limited number of stores, has posted a "shelf-talker" disclosing the presence of EPC tags.136 According to this tear-off notice reportedly made available to Wal-Mart shoppers, only cases of certain products or specific large items, like computer printers, include EPC tags and bear the EPCglobal logo. The disclosure further explains that the technology "will not be used to collect additional data about [Wal-Mart's] customers or their purchases."137 Consistent with that commitment, Wal-Mart has stated that it has no readers on store floors, so consumers should not be exposed to any communications between tags and readers.138
Workshop panelists also discussed the privacy guidelines adopted by Procter & Gamble ("P&G"), another company involved in RFID trials both in the U.S. and abroad.139 In addition to its global privacy policy, P&G has developed an RFID-specific position statement calling for "clear and accurate" notice to consumers about the use of RFID tags and consumer choice with respect to disabling or discarding EPC tags "without cost or penalty" as well as disclosure of whether any personally identifiable information about them is "electronically linked to the EPC number on products they buy."140 Further, P&G stated at the Workshop that it will not participate in item-level tagging with any retailer or partner that would page link personal information about consumers using RFID, "other than what they do for bar codes today."141
The Workshop also explored a case study of retail item-level RFID tagging in action. A representative of Marks & Spencer, one of the United Kingdom's largest retailers, described his company's in-store RFID pilot program, tagging menswear in select stores. Marks & Spencer's use of "Intelligent Labels," as it has designated its RFID program, is for stock control - a continuation of the supply chain management process.142 With this limited purpose in mind, the Marks & Spencer official explained how his company incorporated privacy-protective measures into its Intelligent Label program.143 According to the company, these considerations are reflected in the mechanics of its RFID deployment, which apply the notice, choice, and education principles advocated by EPCglobal and others. The hang-tags bearing the Intelligent Labels are large, visibly placed, and easily removable.144 No data is written to
the tags, and they are not scanned at the cash register, so there is no possibility of connecting the unique identifier on the tag to the purchaser. Indeed, the tags are not scanned at all during store hours, but rather are read for inventory control purposes when customers are not present. Finally, all of these practices are described in a leaflet that Marks & Spencer makes available to shoppers.145
Some Workshop participants stated that these industry initiatives represent effective ways to address consumer privacy concerns, but others maintained they are necessary, but insufficient, steps. Privacy advocates at the Workshop called for merchants to take additional precautions when using RFID tags on consumer items, including fully transparent use of RFID.146 With respect to company statements disclosing the presence of in-store RFID devices, privacy advocates argued that such disclosures should be clear and conspicuous.147 One participant stated that disclosures should contain specific information: that a product bears an RFID tag; that the tag can communicate, both pre- and post-purchase, the unique identification of the object to which it is attached; and the "basic technical characteristics of the RFID technology."148 Another Workshop panelist urged that any such disclosures be "simple and factual," avoiding "happy face technology" that is essentially "marketing hype."149 This panelist felt that by disclosing its RFID practices in a straightforward manner, a company will convey information in a way that consumers are more likely both to understand and trust.150
B. Regulatory Approaches
Privacy advocates at the Workshop also called for RFID to be subjected to a "formal technology assessment," conducted by a neutral body and involving all relevant stakeholders, including consumers.151 This process could examine issues such as whether RFID can be deployed in less privacy-intrusive ways.152 Until such an assessment takes place, these participants requested that RFID users voluntarily refrain from the item-level tagging of consumer goods.153
In addition, some Workshop panelists argued that government action to regulate RFID is necessary.154 One panelist urged the Commission to implement a set of guidelines for manufacturers and retailers using RFID on consumer products.155 According to this participant, other international standards that already apply to the use of RFID in this context support the need for comparable regulation in the U.S.156 Certain Workshop participants also
endorsed specific restrictions on RFID use, including prohibitions on tracking consumers without their "informed and written consent" and on any application that would "eliminate or reduce [individuals'] anonymity."157 In addition, these participants called for "security and integrity" in using RFID, including the use of third-party auditors that could publicly verify the security of a given system.158 Similarly, one panelist argued that consumers should be able to file with designated government and industry officials complaints regarding RFID users' non-compliance with stated privacy and security practices.159
Other Workshop panelists disputed the need for regulation at this point, contending that legislation could unreasonably limit the benefits of RFID160 and would be ill-suited to regulate such a rapidly evolving technology.161 According to one participant, the FTC's existing enforcement authority is adequate to address abuses of RFID technology, citing the Commission's ability to challenge misrepresentations by a company about its privacy and/or security practices.162 Therefore, this participant concluded that technology-specific privacy legislation is unnecessary at this juncture.163
C. Technological Approaches
Workshop participants also debated the merits of various technological approaches to addressing consumer privacy concerns. In addition to the database security measures discussed above, these proposals include protocols protecting communications between readers and tags, such as encryption or passwords.164 These methods would restrict access to the tag itself by requiring some measure of authentication on behalf of the scanning device. Even if a reader could get a tag to "talk," encryption would prevent the reader from understanding the message.165 One commenter strongly urged that "[authorization, authentication, and encryption for RFID . . . be developed and applied on a routine basis to ensure trustworthiness of RFID radio communications."166
A related technical approach discussed at the Workshop involves "blocker tags," which prevent RFID tags from communicating accurately with a reader.167 With blocker tags, which are tags literally placed over or in close proximity to the RFID tag, consumers would be able to control which items they want blocked and when. This would allow consumers to benefit from any post-purchase applications of RFID that may develop, such as "smart" refrigerators.168
Finally, Workshop participants discussed the "kill switch," a feature that permanently disables at the point-of-sale an RFID tag affixed to a consumer item.169 Such a function has been proposed as a way to provide "choice" to consumers in the context of item-level tagging.170 However, a number of Workshop participants disputed the effectiveness of this approach. Some privacy advocates found the options of killing or blocking tags both lacking because of the burden they could impose on consumers. For example, setting up a "kill kiosk," as one retailer abroad reportedly had done,171 contemplates that consumers first purchase an item and then deactivate an attached RFID tag. Some panelists argued that this process was cumbersome by requiring that consumers engage in two separate transactions when making a purchase. They argued that this process may dissuade consumers from exercising the option to disable tags on purchased items.172
Another critique of these technological "fixes" raised at the Workshop focused on their potential to reward - and thus foster - RFID use. Some participants argued that if the only method of protecting consumer privacy was to disable tags at purchase, any post-purchase benefits would accrue only to those who kept their RFID tags active.173 As a result, these panelists suggested, consumers would be more likely to keep tags enabled.174 Conversely, another participant argued that giving shoppers this option could drive up costs for all consumers, even those who do not object to the presence of active RFID tags on items they purchase.175 According to this speaker, merchants would likely be reluctant to charge higher prices for consumers who elect to deactivate RFID tags prior to purchase.176 Finally, as one commenter pointed out, the effectiveness of tag-killing technology depends on whether the presence of RFID is effectively disclosed: no consumer will seek to deactivate a tag of which she or he is unaware.177
VI. Conclusion
The Workshop provided Commission staff, panelists, and the public with a valuable opportunity to learn about RFID technology. In addition, the Workshop brought together RFID proponents, privacy experts, and other interested parties to discuss RFID's various current and potential applications and their implications for consumer privacy. It also highlighted proposals to address these implications and generated discussion about the merits of these different approaches.
Workshop participants generally agreed that certain RFID uses, like tagging cases and pallets of goods moving through the supply chain, may increase efficiency without jeopardizing consumer privacy. However, less consensus emerged about the implications of other potential RFID uses, such as item-level tagging of consumer products. Some panelists expressed concern about the physical characteristics of RFID devices, focusing on the small size of tags and readers and their ability to communicate even when concealed and at some distance from each other. These participants were also concerned that a third party could access information stored on RFID tags to monitor consumers surreptitiously.
Other panelists believed that privacy concerns about RFID technology were exaggerated. They doubted that RFID technology would ever have some of the capabilities that appear to raise privacy concerns, and they argued that costs will restrict the introduction of RFID into consumer environments. Finally, they asserted that RFID would not be deployed in privacy-intrusive ways, citing as evidence the range of industry self-regulatory efforts underway.
Panelists discussed a number of self-regulatory models, from RFID-specific practices to comprehensive privacy principles that implicitly incorporate RFID use. In general, these approaches incorporate disclosure of the presence of RFID technology ("notice"), providing the option to discard, remove, or disable the tags ("choice"), consumer education, and information security measures. Workshop participants agreed in particular that there is a need to protect information collected with RFID devices and stored in company databases.
Based on the Workshop discussions and comments submitted from technology experts, RFID users, privacy advocates, and consumers, Commission staff agrees that industry initiatives can play an important role in addressing privacy concerns raised by certain RFID applications. The staff believes that the goal of such programs should be transparency. For example, when a retailer provides notice to consumers about the presence of RFID tags, the notice should be clear, conspicuous, and accurate.178 The notice should advise consumers if an RFID tag or reader is present and if the technology is being used to collect personally identifiable information about consumers. This clarity is particularly important when a disclosure concerns an unfamiliar technology, as is the case with RFID.179 Similarly, if
a company's program provides consumers with the option of removing the RFID tag, the company's practices should make that option easy to exercise by consumers. However, given the variation in RFID applications, translating these goals into concrete steps may be challenging and should occur in a way that allows flexibility to develop the best methods to address consumer privacy concerns.
Commission staff also agrees with the Workshop participants who viewed many of the potential privacy issues associated with RFID as inextricably linked to database security. The Commission has worked vigorously, through a combination of law enforcement,180 public workshops,181 and business education materials,182 to ensure that companies secure consumers' personal information. As in other contexts in which personal information is collected from consumers, the staff believes that a company that uses RFID to collect such information must implement reasonable and appropriate measures to protect that data.183 As part of implementing an information security program, the staff encourages businesses to consider whether retention of information collected from consumers through RFID or other methods is necessary or even useful.184 The staff also recommends that any industry self-regulatory program include meaningful accountability provisions to help ensure compliance.
Another critical element of self-regulatory programs that many Workshop participants and commenters emphasized was effective consumer education.185 The staff agrees that consumer education is a vital part of protecting consumer privacy. Industry members, privacy advocates, and government should develop education tools that inform consumers about RFID technology, how they can expect to encounter it, and what choices they have with respect to its usage in particular situations. As new applications of RFID emerge, the staff will continue to monitor these developments and consider what additional guidance or other actions are appropriate, in light of the implications of those developments for consumers.
Endnotes
1. Jo Best, Cheat sheet: RFID, silicon.com, Apr. 16, 2004.
2. See, e.g., Allen, Texas Instruments, at 67-75. Unless otherwise noted, footnote citations are to the transcript of or comments submitted in connection with the Workshop. The Workshop transcript, specific panelist presentations, and comments are available online at http://ftc. gov/bcp/workshops/rfid/index.htm. Footnotes that cite to specific panelists cite to his or her last name, affiliation, and the page(s) where the referenced statement can be found in the transcript or appropriate comment. A complete list of Workshop participants can be found in Appendix A.
3. See Press Release, Wal-Mart, Wal-Mart Begins Roll-Out of Electronic Product Codes in Dallas/ Fort Worth Area (Apr. 30, 2004) (available at http://walmartstores.com).
4. See Jacqueline Emigh, More Retailers Mull RFID Mandates, eweek, Aug. 19, 2004.
5. See Boone, IDC, at 226.
6. Tien, Electronic Frontier Foundation ("EFF"), at 97.
7. Press Release, FDA, FDA Announces New Initiative to Protect the U.S. Drug Supply Chain Through the Use of Radiofrequency Identification Technology (Nov. 15, 2004) (available at http:// fda.gov).
8. Over the past decade, the FTC has frequently held workshops to explore emerging issues raised by new technologies. The Commission's earliest workshops on Internet-related issues were held in 1995. See http://ftc.gov/opp/global/trnscrpt.htm. More recently, the Commissions workshops have focused on such issues as wireless technologies, information security, spam, spyware, and peer-to-peer networks. For more information about each of these forums and the Commission's privacy agenda, see http://ftc.gov/privacy/privacyinitiatives/promises_ wkshp.html.
9. This report was prepared by Julie Brof and Tracy Thorleifson of the FTC staff. It does not necessarily reflect the views of the Commission or any individual Commissioner.
10. For an explanation of how GPS operates, see http://gps.faa.gov/gpsbasics/.
11. The EPCglobal Network: Overview of Design, Benefits, and Security §3 (2004) (available at http://epcglobalinc.org).
12. See John Carey, Big Brother's Passport to Pry, Business Week, Nov. 5, 2004.
13. Image courtesy of Marks & Spencer.
14. See RSA Laboratories, Technical Characteristics of RFID (available at http://rsasecurity. com/rsalabs/).
15. See Frequently Asked Questions (available at http://rfidjournal.com).
16. For a discussion of these and other approaches to securing communications between RFID tags and readers, see Section V.C., infra.
17. Bar codes, however, are typically less expensive and have longer read ranges, provided there is line-of-sight scanning. See Olga Kharif, Like It or Not, RFID IS Coming, Business Week, Mar. 18, 2004 (noting that RFID tags now cost "at least 20 times as much" as bar codes); Parkinson,
Capgemini, at 214 (stating that "as long a bar code is visible, [it can be read] from almost a mile away with a laser scanner").
18. See Stafford, Marks & Spencer, at 264.
19. Image courtesy of Intel Research Seattle.
20. Image courtesy of Marks & Spencer.
21. Image courtesy of Intel Research Seattle.
22. See Privacy FAQs (available at http://rfidjournal.com); see also Parkinson at 213.
23. The EPCglobal Network §§ 5-6, supra note 11. As a participant at the Workshop explained, "EPCglobal is a joint venture of the Uniform Code Council and EAN International . . . . [whose] mission is simply to create global standards for the EPCglobal Network." Board, EPCglobal Public Policy Steering Committee, at 269.
24. See Hutchinson, EPCglobal US, at 37-38.
25. Id.
26. See http://ezpassstatic/info/howit.shtml.
27. Frequently Asked Questions, supra note 15.
28. In fact, the proximity of some of those substances, particularly water or metal, may make it impossible to read an RFID tag. Engels, Auto-ID Labs, at 23-25, 27.
29. Costs are in U.S. dollars. See Glossary of RFID Terms (available at http://rfidjournal. com); see also Boone, IDC, at 219.
30. See Robert O'Harrow Jr., Tiny Sensors That Can Track Anything, Washington Post, Sept. 24,
2004.
31. See Aaron Ricadela, Sensors Everywhere, Information Week, Jan. 24, 2005.
32. See Glossary of RFID Terms, supra note 29.
33. See http://ezpassindex.html.
34. See Joshua Walker and Christine Spivey Overby, Forrester Research, What You Need to Know About RFID in 2004 (available at http://forresterER/Research/Brief/0,1317,33298,FF.
html).
35. Id.
36. As noted above, the theoretical distance for reading passive tags is up to 30 feet, but that longer range does not account for real-world conditions, such as interference from metals, liquids, or even wind. See Engels, Auto-ID Labs, at 24-25; Albers, Philips Semiconductors ("Philips"), at
35.
37. For example, Workshop attendees heard about how Marks & Spencer, a British retail chain, uses
writeable tags on trays used to ship products from the company's food supplier. Each time a tray
is used, the RFID tag on the outside of the tray is "written to," meaning that information about
the contents of the tray for that particular shipment is loaded onto the chip. Stafford, Marks &
Spencer, at 262-63.
38. The EPCglobal Network is an example of such a system. See supra note 11.
25
39. Id. ; Allen, Texas Instruments, at 73.
40. Allen, Texas Instruments, at 73; see also Laurie Sullivan, How RFID Will Help Mommy Find Johnny, InformationWeek, Sept. 15, 2004.
41. Allen, Texas Instruments, at 68; see also Albers, Philips, at 32-33.
42. According to a Workshop participant, seven million U.S. consumers currently use Speedpass. Allen, Texas Instruments, at 70. In addition to payment mechanisms like Speedpass, major credit card companies are developing "contactless smart cards" to facilitate purchases at a variety of venues. Albers, Philips, at 32 (noting that MasterCard, Visa, and American Express are developing such cards). One recent example is the acceptance of MasterCard's "PayPass" at McDonald's. McDonald's to Roll Out Contactless Payments in USA, UsingRFID.com, Aug. 30,
2004.
43. See, e.g., http://ezpassindex.html. A recently announced initiative by the Orlando/
Orange County Expressway Authority ("OOCEA") in Florida will take this concept even further.
OOCEA plans to install roadside RFID readers to gather data from about 1 million RFID tags
attached to cars. The program is designed to determine accurate travel times and improve traffic
flow. After the information is encrypted and stripped of any personal identifiers, drivers will
be able to access it from signs along the highway, by phone, and eventually through a Web site. Claire Swedberg, RFID Drives Highway Traffic Reports, RFID Journal, Nov. 17, 2004.
44. Sarah Lacy, Inching Toward the RFID Revolution, Business Week, Aug. 31, 2004.
45. Hughes, Procter & Gamble ("P&G"), at 167.
46. See Julie Hutto and Robert D. Atkinson, PPI, Radio Frequency Identification: Little Devices Making Big Waves, at 3-4 (Oct. 2004) (arguing that retailers' costs savings attributable to RFID would be quickly passed on to consumers because of "fierce competition"). However, a number of panelists at the Workshop suggested that the adoption of RFID by retailers would not necessarily result in lower prices for consumers, at least not in the near future. See Hughes, P&G, at 196; Duncan, National Retail Federation ("NRF"), at 196-97.
47. Wood, Retail Industry Leaders Association ("RILA"), at 52-53.
48. Id. According to the Grocery Manufacturers of America, an estimated 8 percent of the time consumers can't find what they want on retailers' shelves, and that number can climb to 15 percent during a product promotion. Barnaby J. Feder, RFID: Simple Concept Haunted by Daunting Complexity, N.Y. Times, Nov. 21, 2004.
49. Wood, RILA, at 54; Langford, Wal-Mart, at 62-64. According to Langford, Wal-Mart intends to monitor shipments as they leave suppliers, which will provide additional visibility early in the supply chain, not just when products arrive at a Wal-Mart distribution center.
50. Langford, Wal-Mart, at 62-63. As explained above, unlike bar codes, RFID tags do not require line-of-sight or individual scanning to be read.
51. This panelist explained how RFID could reduce the need for retailers to order "safety stock," which are the additional goods purchased in order to avoid having a shortage of necessary items. Safety stock sits unsold on the shelf, and is thus a source of inefficiency. Wood, RILA, at 53.
52. Wood, RILA, at 54; see also Langford, Wal-Mart, at 67; Grocery Manufacturers of America
("GMA"), Comment, at 3.
53. Woods, RILA, at 53.
54. Boone, IDC, at 218-19. See also Stafford, Marks & Spencer, at 264 (asserting that "[t]he business case for using RFID tags is entirely about the speed of read").
55. Wood, RILA, at 55.
56. Id. at 54-55 (explaining that RFID will help ensure that consumers don't "buy aspirin and then have it expire on [them] in three months"); see also GMA, Comment, at 3.
57. Tien, EFF, at 96-98; see generally Mulligan, Samuelson Law, Technology, and Public Policy Clinic ("Samuelson Clinic"), at 152-162. Another recent development that has emerged since the Wo
