Banning Skimming

Washington State is close to passing a law that would prohibit people from reading RFID tags in items you own without your knowledge.
Published: March 24, 2008

On March 17, the Washington State Senate passed a bill that would ban the use of radio frequency identification technology as a means to collect personal data without the knowledge of the individual. The state’s House of Representatives passed a similar bill (but much more expansive) in February. All that is left, at the time of this writing, is for Washington Governor Chris Gregoire to sign the bill into law, and Washington State will become the first government anywhere in the world (to my knowledge) to ban skimming.

I agree with the intent of the law, which is to prevent abuses of RFID technology. It states: “A person that intentionally scans another person’s identification device remotely, without that person’s prior knowledge and prior consent, for the purpose of fraud, identity theft, or for any other illegal purpose, shall be guilty of a class C felony.”

The RFID industry has opposed almost all RFID regulations on the grounds that they could thwart adoption. This bill could help adoption by discouraging the use of RFID transponders to track people without their knowledge.

The main benefit of the law is that it will give consumers confidence that tags won’t be abused. The law is far better than an earlier version passed in the House, which said: “A consumer shall not be coerced into keeping an electronic communication device active on the item in order for the consumer to be able to exchange, return, repair or service the item.”

That bill didn’t define “coersion,” which was a problem. But also there are good reasons for businesses and consumers to want the tag to remain on the item. A functional tag prevents someone from stealing things and then returning them for cash (good for business). And studies in the consumer electronics industry, for example, have shown that tracking items can shorten repair time (good for both businesses and consumers).

The original bill also made some assumptions that could prove entirely false. It assumed RFID will be embedded in products we wear or carry and that consumers won’t have any control over these tags. That is the only reason why you would prohibit companies from making returns contingent on having a functioning transponder on the product. But I believe there are two reasons this provision makes no sense: Tags won’t be embedded in clothes. And if tags are embedded in consumer electronics items, people will have cheap readers that will enable them to kill the tags on their own.

The original bill also prohibited individuals, companies and other entities from combining or linking “a consumer’s personal information with information gathered by, or contained within, a device capable of engaging in electronic communication.” So if you are a retailer, you couldn’t link a serial number with my name and credit card, as you do today with bar codes. I think this was supposed to prevent a company from identifying me if I return to the store either wearing or carrying the tagged item it sold me. But the threat to privacy is not that companies will have a reader at the door and identify me when I enter. The threat is that they will use that information in some nefarious way. So the authors were right to amend the bill to outlaw bad behavior, nor capabilities.

Had this provision made its way into law, retailers in Washington State might be forced to use bar codes forever. Why? Because if retailers can’t scan an item and link it to a customer with RFID, they will do it with bar codes (as they do today). This is necessary in order to accept returns (if you don’t know what I bought, how can you credit my account for a returned item?).

Common sense prevailed on this one. And even though skimming is not yet a problem, outlawing the misuse of RFID can’t be a bad thing.

Mark Roberti is the founder and editor of RFID Journal. If you would like to comment on this article, click on the link below. To read more of Mark’s opinions, visit the RFID Journal Blog.