Home Internet of Things Aerospace Apparel Energy Defense Health Care Logistics Manufacturing Retail

The Electronic Frisk

Here's a look at the IT systems that would be required to match a person to an RFID tag in their clothes.
By Bob Violino
Tags: Standards
May 31, 2003By Mark Roberti

June 2, 2003 - In this week's feature, RFID, Privacy and Corporate Data, we look at some of the issues surrounding corporate privacy. I know a lot of companies haven't even begun thinking about this, but the last thing you want is an open standard that let's a competitor sit outside your distribution center and scan all the tags on items you are shipping to your best customers.

This is an important issue, and I don’t want to give it short shrift. But I'd like to go back to the consumer privacy issue one more time to try to dispel this myth that RFID tags in clothes or items you carry will be used to track you. It's worth trying to understand exactly how that might be done, so let me take a crack at it.

Let's say I go into a JC Penny store in New York, and I pick up a Dockers Twill Shirt With Stain Defender (a bargain at $24.99, if you ask me). I could pay with cash and remain anonymous, or have the tag killed or removed. But I like to live dangerously. So I whip out my credit card, and a girl with the Day-Glo fingernails rings up the sale. At this point, the store has captured only my name and the credit card number, which are stored in the mag-stripe on my card.

The retailer could ask for my name and address and then write that information to the tag in my twill shirt. That way, the next time I come in, the store could identify me. That's about as likely as cashier risking her nails by using a marker to write my name and address on my shopping bag. Even if Penny's wanted to help competitors out by giving them information about me, it would cost the store time and money (read-write tags are more expensive than read-only ones). So let's assume that the tag has only a serial number.

Next day, I'm wearing my sporty new shirt, and I'm feeling pretty good. Things are booming at the Journal, so I decide to stop into Kohl's, another department store in the area, to select a pair of pants that I can wear when I take my wife out this weekend. As I walk through the door at Kohl's, I'm suddenly bombarded with RF energy streaming in at 915 MHz. The UHF tag in my shirt gets excited. Without my knowledge or consent it starts transmitting to the reader a 96-bit serial number.

Now, they've got me, right? Well, not exactly. If Penny's is using a proprietary numbering system, the ID is completely meaningless to Kohl's. End of story. But let's fast forward a few years and assume the world has adopted Electronic Product Codes. With this ID number, Kohl's knows that someone wearing a Dockers Twill shirt has come through the door. To identify me, personally, it has to match that serial number to the person who bought that shirt.

Here's where it starts to get fun. The reader at the door feeds that number to a server in the back of the store. The server has been loaded with a new software program Microsoft has developed, called Snooper (I'm making this up, folks, I swear). Snooper is designed to sniff out information on potential customers. It checks its own database and finds that it didn't sell a Dockers twill shirt with that serial number.

Snooper knows that the first part of the ECP identifies the manufacturer and the second part the product category. So Snooper goes out to something called the Object Name Service (ONS), which is sort of like the domain name service that points computers to Web sites. ONS points Snooper to a server owned by Dockers.

In all likelihood, most companies won't have one central repository of EPC numbers. Instead, a factory might store all the numbers on items it created and a higher-level database may just store information on how many of those items were made. But for the sake of keeping this article to a reasonable length, let's say every company has a central database with all the information related to every EPC.

So Snooper finds the file with information related to the serial number in the tag in my shirt. The public information will be very limited -- basically what the item is, how it should be washed and so on. But let's say that manufacturers lose their marbles and decide to open their kimono to competitors. So the database would likely have information on where the item was made, where it was shipped and what store it wound up in. In this hypothetically case, Snooper learns that Dockers sold the shirt to JC Penny.

Snooper now goes knocking on the door of JC Penny's database. Penny's has no reason to provide this information to a competitor like Kohl's, but retailers have also lost their sanity and decide everyone should have free access to information. Snooper learns that the shirt with the serial number in question was sold at one of its stores in New York. Kohl's gives Snooper the credit card number that was used to pay for the shirt.

Now, Snooper has to go to some central database, perhaps hosted by a credit-reporting agency and find out who issued that specific card. These agencies don't usually give out such information, but they too have gone mad. An agency tells Snooper that Citibank, in fact, issued the card. Snooper heads on over to Citibank's vast repository of data to find out to whom the card in question had been issued.

Yes, Citibank, too, has been swept up in this new spirit of openness, so it gives out my name. Snooper has done it. This magical system has identified Mark Roberti as the person who has walked through the door.

In reality, none of the companies would open their databases, and this kind of "electronic frisk" would be impossible. In fact, the focus of this week's feature is on how to make sure competitor's don't get access to RFID data. So the scenario above, in my mind, will never happen. But reasonable people also have to ask themselves, why would Kohl's invest millions in the IT infrastructure needed to read tags in clothes and track down who owns the clothes? How exactly does a retailer profit from the information? Why is this better than creating a loyalty program or gathering aggregate data?

I know, maybe the company would like to create a huge database profile of me. That way, once I'm identified, the company sends information about me to a sales assistant holding a wireless computer. The sales person walks up to me at the racks and says: "Good afternoon, Mr. Roberti. I know your looking for a pair of pants to go with that twill shirt you bought at JC Penny's yesterday. Let me help you."

At which point, I run from the store as fast as I can, never to return again.

Mark Roberti is the Editor of RFID Journal. If you would like to comment on this article, send e-mail to mroberti@rfidjournal.com.

RFID Journal Home
  • Previous Page
  • 1
  • Next Page

Login and post your comment!

Not a member?

Signup for an account now to access all of the features of RFIDJournal.com!

Case Studies Features Best Practices How-Tos
Live Events Virtual Events Webinars
Simply enter a question for our experts.
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations