Federal Trade Commission Holds RFID Workshop

By Beth Bacheldor

Wal-Mart's Simon Langford and other attendees discussed ways to protect consumer privacy, and the role the U.S. agency should play regarding the use of radio frequency identification.

Industry experts, government officials and consumer advocates from the United States and abroad met with the Federal Trade Commission (FTC) in Washington, D.C., on Wednesday to discuss RFID applications—specifically, contactless payment devices and item-level tagging—and their implications for consumer protection policy. The "Transatlantic RFID Workshop on Consumer Privacy and Data Security" is the latest in ongoing efforts by the FTC to better understand radio frequency identification so it can more thoughtfully construct public policy, and enforce that policy, if and when necessary.

"Just a few thoughts about how this program fits into our larger interests dealing with data security, privacy and RFID in particular," FTC chairman William Kovacic told forum attendees. "We treat the enforcement program as a deeply integral part of our efforts to draw attention to the importance of legal commands dealing with data protection and privacy, and to our effectiveness in developing larger policy messages throughout North America. But standing alone, we've come to realize that's an insufficient basis to be an effective policy maker. Other critical dimensions involve public education, cooperation with non-government organizations and business associations, with the research and development programs. That intuition has guided the pursuit of policy making on the part of both the U.S. authorities, and, indeed our counterparts in Europe. That is why so much attention is given to the development of workshops, and to the convening of events in which observers from a variety of different settings can come participate in a thoughtful discussion on how the technology is developed."

To better understand how Europe is approaching consumer security and privacy with regard to RFID, Hana Pechácková, a representative of the DG Information Society and Media within the European Commission (EC), discussed the details of the EC's upcoming RFID guidelines designed to protect consumer privacy rights.

The EC has been investigating privacy concerns with regard to RFID for some time. In March 2007, the commission announced plans to create a stakeholder's group to advise the European Union regarding its RFID strategy, with the goal of issuing a recommendation on data security and privacy, and of assessing the need for further legislative steps to safeguard both (see EC Floats Plan to Facilitate RFID Usage).

The commission released a draft of the guidelines earlier this year, and at this week's meeting, Pechácková said it expects to present the final guidelines soon. "The main purpose of this recommendation," he explained, "is to provide guidance by identifying principles in relation to RFID use that would seek to ensure maximizing benefits of RFID use, without compromising the right to integrate privacy of an individual in a democratic society." Among the various recommendations, the commission will suggest that companies planning to employ RFID should attach a symbol or sign to the tagged goods to alert customers to the presence of RFID. In addition, the commission will also recommend that any retailers selling tagged items must be able to deactivate the tags at the point of sale. "Customers should not be put in a position where they cannot be assured that the tags are deactivated because the retailer does not have the know-how, or does not have the capacity to do it," Pechácková stated. "We are arguing for this."

Not all of the experts that spoke at this week's forum agreed with point-of-sale deactivation, however. Paul Skehan, director of the European Retail Round Table, a network of European business leaders established to represent large retailers on a range of issues, told attendees he does not know exactly what the EC's final recommendation will be. But, he added, "I suspect I know what's in the final recommendations, so I'll speak about what we think is in there. Do we support the recommendation? Very clear answer: yes and no."

A good recommendation, Skehan said, could push EU member states in one direction, rather than having 27 different laws. However, he noted, a bad recommendation would be one calling for retailers to deactivate at the point of sale. "We don't have a difficulty with deactivation, per se," he said. "If a recommendation comes in the next couple of weeks which says deactivate at point of sale, I can tell you it will stop item-level tagging in the retail sector of Europe stone dead. Why? There are—in those 25,000 to 27,000 stores—hundreds of thousands of points of sales, and in those same stores, you might have a store with 30,000 units, or different types of products, going through checkout. Maybe a couple of hundred of those are tagged at the moment. Can you imagine the cost of putting deactivators into points of sale when a minuscule percentage of the products coming through are actually needing to be deactivated? It is inconceivable, and my members would walk away from it."

Simon Langford, director of EPC strategies at Wal-Mart Stores, offered an overview of the retailer's ongoing RFID initiatives, both in warehouses and in stores. He described the benefits RFID deployment brings to Wal-Mart and its customers, now and in the future, including reducing out-of-stocks so customers don't need to make return trips to a store because they can't get what they want, facilitating product recalls, eliminating counterfeit goods and speeding up checkout lines. He then described Wal-Mart's policy regarding RFID and privacy.

"When you look at the privacy principles of the FTC, that's a great foundation," Langford said. "Certainly at Wal-Mart...we take customers' privacy very seriously. In a very first pilot, back in 2004, the very first things we looked at was, How can we be open and transparent and communicate with our customers in that local market internationally? So we took the extra step for the very first time of inviting press into the back room of our stores, to show them what the technology was, how it works and what are we using it for. So they were then able to communicate that on TV and in the press to our consumers, and help that message and that transparency."

The challenge, Langford explained, is to finding a method for applying FTC's principles to EPC technology. "By informing our customers that we use the technology, by printing the logo on the tag on the product," he said, "the customer has the choice to remove that label from the packaging. Because today, the vast majority of RFID tags, EPC tags, are on packaging, so the customer can simply remove that post-purchase and throw that away. Where a consumer has applicable concern, [the RFID tag] is actually embedded in the product. And offering them a choice that they're able to go to a customer service area and have that tag disabled post-purchase."

"Think about a customer," he continued. "She's shopping with two or three children; her whole goal is to buy the products she wants and get back on with her life with the children as quickly as possible, not to have to slow down to unload that shopping cart. So I think, as we've heard, policy makers and industry action groups, retailers are fairly well aligned.... In conclusion, I think it's really about education—open and transparent with our customers."

Other presenters at the FTC workshop included Tom Karygiannis, a senior researcher with the National Institute of Standards and Technology, who discussed the need for companies to assess privacy and security risks with regard to their specific applications, and then develop ways to mitigate those risks; Susan Grant, director of consumer protection with the Consumer Federation of America, a consumer advocacy organization; and Ari Juels, chief scientist and director of IT security company RSA Laboratories.

The FTC forum was held this week in conjunction with an RFID symposium sponsored by the Trans-Atlantic Business Dialogue, the European-American Business Council, and EPCglobal, with the support of the U.S. Department of Commerce and the European Commission.

The FTC intends to continue accepting written comments or original research from interested parties until Oct. 23. Comments should refer to "Transatlantic RFID Workshop—Comment, Project No. P059106." To file electronically, follow the instructions and fill out the form here. Paper comments should include this reference, both in text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission, Office of the Secretary, Room H-135 (Annex R), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.