How to Create an RFID Privacy Plan

By Bob Violino

Kill the tag. Zero it out. Encrypt the data. There are many ways to protect consumer privacy. But at this early stage, how do you do it in a way that reassures customers and doesn't limit the benefits of RFID?

May 26, 2003 - There are some technologies that consumers have an almost instinctive negative reaction to. Genetically engineered food may be sound science and good policy if done right, but most people feel that there's great potential for scary unintended consequences. RFID may not provoke quite as strong a reaction as "Frankenfood," but the concept of putting tracking devices in products does raise privacy concerns among many consumers.

An RFID focus group (Photo courtesy of the Auto-ID Center)

If you're developing plans for an RFID pilot or initial deployment, consumer privacy is hardly your most pressing concern. You're probably struggling with standards, frequencies, RF interference, data management and many other practical considerations. And you may not have any plans to track consumer items for several years.

Nevertheless, if you make, move or sell consumer items, it's wise to begin formulating a privacy policy now. There are two reasons. First, you need to have good answers when a journalist calls asking not how you plan to use RFID but how you could use RFID. And second, privacy issues may be one factor in determining which hardware you choose. For instance, Benetton chose to use ISO-compliant technology, which does not feature a "kill switch." So Benetton could not inform the press that the tags would be permanently deactivated at checkout. On the other hand, you may not want or need a kill switch.

It's also important to understand that perception is reality. You may be running a supply chain pilot and have no plans to track customer purchases. But that's not the issue. The issue is how your plans are interpreted or portrayed in the press. Unless you have a convincing story to tell journalists, the media and consumers are likely to assume the worst about your company's intentions.

The Auto-ID Center hired a consumer research firm to test the reaction of consumers around the world to the idea of tracking items with EPC tags. The center found, in almost all places, that consumer attitudes were neutral to negative toward RFID, and that opinion makers, including journalists, were not likely to embrace the technology. The center's report says that consumers and journalists in the US "are unlikely to believe that the network will not be abused and will look for regulations and controls for reassurance."

You can tell people that the tags have a very limited read range, but don't expect them to believe it. When one person in the Center's focus group in Japan was told that the tags could be read from only a few feet away, he responded: "In the future, the technology will develop; it will leave you naked." And one person in the UK said: "I can guarantee that they will be able to read through steel."

So how do you come up with a policy that will convince people (who may not want to be convinced) that your company will respect their privacy? You need an approach that includes technological safeguards, procedural safeguards and policy safeguards. The main focus of this article is on the technology, because that's the only area unique to RFID. But we'll also touch on the procedural and policy issues toward the end of the article.

This Tag Will Self-destruct in 10 Seconds

According to Richard M. Smith, a consultant and privacy advocate, concerns about RFID can be boiled down to two main issues. The first is that functioning tags embedded in things we wear or carry with us (or in our car tires) could be used to track our movements. The second is that by tracking the serial numbers in the RFID tags embedded in the things we buy or use, companies could gather a wealth of information about us. This could be used by law enforcement authorities, lawyers in civil suits and marketers in ways that we find unacceptable.


Companies will need to deal with both issues. Let's first take on the issue of tracking people via the tags in items they carry with them. At this stage, very few individual items are being tagged. But item-level tagging isn't far off. Marks & Spencer will soon launch a pilot in which all the clothes in one store will be tagged (see EPC in Fashion at Marks & Spencer). Benetton still may go ahead with its clothes tagging. Recording companies are looking at tagging CDs, so some companies will deal with the privacy issue soon.

Many other companies will likely begin small pilots involving smart shelves. While these pose no threat to consumer privacy, there could be a potential PR problem if tagged items are brought home by consumers without their knowledge. Paul Fox, a spokesperson for Gillette, says in the stores where Gillette is testing smart shelf technology, signs let customers know that there are tags in the products. "The signs inform customers that if they are uncomfortable with that, their purchases can be exchanged for items without tags or the tags can be physically removed," Fox says.

As pilots are expanded, companies will need better ways to solve the problem. Signage is still essential, but you will need technological solutions to convince customers that they can't be tracked via tags your company puts in its products. One option is the so-called "kill command" in which the reader flips a single bit that instructs the chip never to respond to a reader again. This is part of the Auto-ID Center's specification for Class 0 and Class 1 EPC tags.

"The Auto-ID Center invented the kill command," says Kevin Ashton, the center's executive director. "It was first proposed by one of our big end user sponsors. There are other technologies under development here beyond kill that will be released in the coming months and years to ensure that we maximize the benefits of the technology and minimize the potential for abuse."

The center's privacy guidelines for using EPC technology will likely encourage end users to give consumers the option to kill the tag at checkout. Wal-Mart has gone a step further. Kevin Turner, the head of Wal-Mart's Sam's Club unit and its former CIO, told a technology conference in March that Wal-Mart would automatically kill RFID tags at the checkout counter. That's a good way to reassure customers that their privacy will be protected. RFID Journal has recommended companies kill or remove all tags until the privacy issues have been sorted out.

Keep in mind, however, there are some negatives to going this route. If you promise to kill all the tags, you will need to install readers at every checkout counter (an expensive proposition), or you have to force people buying tagged items into special lines. An even bigger drawback to killing or removing the tags is that this prevents the tag from being used to facilitate returns and track them back through the supply chain. It also prevents the tag from being used for recycling purposes.

Zeroing Out and Encryption

Piyush Sodha, CEO of Matrics, which markets systems based on the Auto-ID Center's Class 0 specification, points out that one way to deal with the issue of returns is to create another algorithm that would undo the kill command. That way, a company could reactivate an RFID tag and track the item back through the supply chain. But it's not a strategy he would advocate.


"The danger is that at some point, you make the chip so complex that you lose the value of a simple low-cost tag," he says. "The art is to find the balance that addresses customers' privacy concerns, yet doesn't overdo the complexity. I think the kill command strikes that balance."

Protecting consumer privacy may force companies to make tradeoffs, which is why it’s a good idea to think about the issues as you develop strategies for deploying RFID technology, instead of after the technology is in place. EPC tags have a feature where the serial number can be "zeroed out" -- that is, all the digits in the unique serial number can be turned to zeroes. The consumer would be able to confirm that the number had been changed. The tag is still active, so companies might write a new number to the tag for tracking returns.

As the technology develops further, new strategies might be devised to protect privacy without losing all of the benefits of post-sales tracking. For instance, Tom Pounds, VP of RFID products at Alien Technology, which sells EPC tags and readers based on the Class 1 specification, points out that you could zero out the unique serial number and leave only the generic portion of the EPC that indicates this is a plastic bottle that needs to be recycled.

Read-write tags offer another level of protection. Companies like The Gap, Benetton and Marks & Spencer could come up with a proprietary numbering system, write that number to the tag, and no one reading the tag, except the retailer's own staff, would know what the number means. They could also scramble the data in their own applications and write it to the tag in scrambled form; either the reader or the application then unscrambles it. Close business partners could share encryption schemes and use this technique even in open supply chains. The limit of this approach is worth stating plainly: a value that is written once and never changes still lets any reader recognize the same item on every read, so it hides what the item is but not that the same item is being seen again.
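As an added illustration (example code written for this edit, not code from the article, the Auto-ID Center or any vendor named here), the following Python models a 96-bit EPC in the Auto-ID Center's 96-bit layout (8-bit header, 28-bit EPC Manager, 24-bit Object Class, 36-bit Serial Number) and applies the treatments discussed in the last few paragraphs: zeroing only the serial so the product class survives for recycling, zeroing everything, and writing a retailer-keyed opaque value to a read-write tag. The sample field values, the retailer key and the choice of HMAC-SHA256 as the scrambling function are assumptions for the example; the final check shows why an opaque value on its own does not stop tracking.

```python
# Added example, not from the article or the Auto-ID Center.
# 96-bit EPC layout (Auto-ID Center, 96-bit type): header 8 bits,
# EPC Manager 28 bits, Object Class 24 bits, Serial Number 36 bits.
import hashlib
import hmac
from dataclasses import dataclass

HEADER_BITS, MANAGER_BITS, CLASS_BITS, SERIAL_BITS = 8, 28, 24, 36
EPC_BITS = HEADER_BITS + MANAGER_BITS + CLASS_BITS + SERIAL_BITS  # 96


def _mask(bits: int) -> int:
    return (1 << bits) - 1


@dataclass(frozen=True)
class EPC96:
    header: int
    manager: int        # EPC Manager: the company that assigned the number
    object_class: int   # product type (e.g. a kind of plastic bottle)
    serial: int         # unique per item: the field that makes tracking possible

    @classmethod
    def from_int(cls, value: int) -> "EPC96":
        if not 0 <= value < (1 << EPC_BITS):
            raise ValueError("EPC must fit in 96 bits")
        serial = value & _mask(SERIAL_BITS)
        object_class = (value >> SERIAL_BITS) & _mask(CLASS_BITS)
        manager = (value >> (SERIAL_BITS + CLASS_BITS)) & _mask(MANAGER_BITS)
        header = (value >> (SERIAL_BITS + CLASS_BITS + MANAGER_BITS)) & _mask(HEADER_BITS)
        return cls(header, manager, object_class, serial)

    def to_int(self) -> int:
        value = (self.header << MANAGER_BITS) | self.manager
        value = (value << CLASS_BITS) | self.object_class
        return (value << SERIAL_BITS) | self.serial

    def to_hex(self) -> str:
        return f"{self.to_int():024x}"


def zero_serial(epc: EPC96) -> EPC96:
    """Zero only the serial: the tag still says what the item is (useful
    for recycling) but no longer which individual item it is."""
    return EPC96(epc.header, epc.manager, epc.object_class, 0)


def zero_all(epc: EPC96) -> EPC96:
    """Zero every field: the tag still answers, but carries nothing."""
    return EPC96(0, 0, 0, 0)


def opaque_value(epc: EPC96, retailer_key: bytes) -> int:
    """Retailer-proprietary value to write to a read-write tag: a keyed hash
    (HMAC-SHA256, an assumed choice) of the original EPC, truncated to 96
    bits. Without the key a reader sees only random-looking bits and cannot
    tell the manager or the product class."""
    mac = hmac.new(retailer_key, epc.to_int().to_bytes(12, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:12], "big")


def linkable(reads: list[int]) -> bool:
    """True if any value recurs across reads: a fixed value, opaque or not,
    lets a reader recognise the same item twice (the tracking concern)."""
    return len(set(reads)) < len(reads)


# Constructed sample tag (values chosen for the example, not a real EPC).
SAMPLE = EPC96(header=0x01, manager=0xABC, object_class=0x12F, serial=0x2A)
RETAILER_KEY = b"example-retailer-key-not-a-real-secret"  # assumed; would be a managed secret


def demo() -> dict:
    tag_value = opaque_value(SAMPLE, RETAILER_KEY)
    lookup = {tag_value: SAMPLE}          # retailer-side table used to handle returns
    reads_at_two_doors = [tag_value, tag_value]  # same tag seen by two readers
    return {
        "original": SAMPLE.to_hex(),
        "serial_zeroed": zero_serial(SAMPLE).to_hex(),
        "all_zeroed": zero_all(SAMPLE).to_hex(),
        "opaque": f"{tag_value:024x}",
        "resolves_for_retailer": lookup[tag_value] == SAMPLE,
        "still_linkable": linkable(reads_at_two_doors),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

Because the field widths are multiples of four bits, each field occupies a fixed run of hex digits, so a zeroed serial is visible in the printed value as trailing zeroes, which is what lets a consumer confirm the change. The retailer resolves the opaque value through its own lookup table, so returns still work, but `still_linkable` comes out true: hiding the meaning of the number does not hide the number itself, and a value that changed on every read would require computation on the tag that the simple, low-cost tags discussed here do not have.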

Beyond the basics of disabling, encrypting or removing tags, companies need to think about how they handle the data gathered from RFID tags. One of the policy recommendations the Auto-ID Center is considering is that companies should not associate individual EPC numbers with individual customers unless there's a legitimate reason to do so (such as providing customer support). That would prevent government agencies and lawyers from subpoenaing records related to individual items a customer purchased. And it would prevent marketers from building large databases with personally identifiable information.

Andy Fano, senior researcher and associate partner at Accenture, says that companies must manage their RFID data in a way that engenders trust. "You can let customers know that after 60 days, information about what specific items they purchased is deleted automatically from your database," he says. "Or you could let them know that the system doesn't record which specific items they bought, only the type of item, so they could never be tracked by their purchases. The important thing is that your customers trust that they are not going to be tracked through RFID tags."

Policy Issues to Consider

In addition to addressing the technology questions, companies need to establish procedures and policies that ensure the privacy of their customers and then explain those policies and procedures to the public.

"Companies need to be clear about how they are using the technology, what data is going to be collected, what data is going to be stored in a central database, and how it will ultimately be used," says Mike Liard, an analyst at Venture Development Corp., a market research firm. "Benetton wasn't very clear about how they were going to use the technology and what the benefit for the consumer would be."


Jon Heller, a former DoubleClick executive who's planning to start a data business for retailers using RFID information, says that many of the lessons that the Internet companies learned the hard way can be used by those deploying RFID technology. "Most of this is a PR issue, so companies need to be up-front with people," he says. "Let them know that if they don't want this data collected, they can opt out. And be armed with answers to questions from customers or journalists."

It will likely take your company a few years to figure out exactly how you will use RFID, so you won't be able to formulate extremely detailed policies. But you can institute general policies based on privacy principles that have become fairly widely accepted (see The Perception Question).

Remember, however, that if you have a valuable brand to protect, a sensitive product like Viagra, or customers who are particularly concerned about their privacy, you'll want to do more than the minimum. Sagi Leizerov, one of the leaders of Ernst & Young's privacy advisory services, says the issue needs to be looked at from a risk management perspective. "By managing privacy, you are managing the risk to your brand name, to the company's reputation, the risk of law suits and so on," he says.

Leizerov recommends companies establish internal controls for not just who has access to data, but for changes in how the data is used. "Individuals within the company will come up with new ways of using the technology or the data from it," he says. "Companies need to set up procedures for that. Do you need to get approval? If so, from whom? You want to have those things in place even when the technology is very new."

When it comes to collecting personal data, almost everyone agrees that this should be done on an opt-in basis. That is, companies should not collect data on an individual's purchases unless that person has joined a loyalty program. But David Diamond, president of emerging businesses at Catalina Marketing, a company that runs loyalty programs for supermarkets, says that opt-in is going to get a lot more complex with RFID.

Diamond points out that if you buy a microwave oven that can cook food automatically based on the RFID tag in the box, you may not want the oven maker to track everything you cook. But you may be willing to join a loyalty program from your local supermarket, or a company that makes frozen pizza.

Even within the same store, consumers may want different levels of privacy. For instance, you may say the store can track what items you put into your shopping basket and offer related coupons, but you may not want the retailer to track your movements within a store or flash promotions at you individually via interactive signs.

"Companies are going to have to develop a new set of marketing skills," says Diamond. "They'll need to use the technology to make customers feel that they are special and that the store is taking care of them every step of the way. A lot of this just comes down to good marketing."