A Privacy Expert’s Misguided View of RFID

Another so-called expert talks about how RFID "could" be a threat to privacy, rather than whether it is likely to be a threat.
Published: August 30, 2010

Some recent blogs about Wal-Mart Store’s use of RFID have indicated there is no threat to consumer privacy (see Wal-Mart’s Privacy Invasion—Not! and Global CIO: Wal-Mart Reignites RFID Hysteria, for example).

So when I came across a blog titled Wal-Mart’s RFID Tags: A Privacy Expert’s View, I clicked on it to see if this “expert” was also helping to counteract the many expected hysterical posts. Alas, I was disappointed. The blog by Barry Silverstein on BrandChannel quotes Richard Raysman, privacy and IP attorney for law firm Holland & Knight in New York, as saying, RFID tags initially applied to inventory control “could become ‘a legitimate privacy concern’ when they become commonly used.”

I don’t know Silverstein or Raysman, so it’s possible that Raysman is being misquoted. I hope so, because his comments are insipid, and he is obviously ignorant about RFID.

First, let me explain why his views are insipid. To say that the widespread use of RFID could become a legitimate privacy concern really says nothing. If I post a blog saying, “Within five years, beings from a far-off planet could invade Earth and kill everyone with ray guns,” I would have contributed exactly nothing to readers’ knowledge of the threat they face to their life and liberty.

The question is: What are the chances that RFID will become a privacy threat, and why do you believe that? And when you look at what Raysman is quoted as saying on that topic, he dredges up old issues that hold no water.

Silverstein, the blogger, writes that Raysman fears RFID technology “can ultimately be used to track customers’ purchases via shopper loyalty/rewards programs.” He quotes Raysman as saying: “This tracking could raise serious privacy concerns since many purchases are very private to the consumer. For example, prescription medicines can reveal the existence of certain embarrassing diseases—this is the type of information that is considered highly private under the HIPAA laws.”

I’m not sure if Raysman is aware, but retailers already track what you buy using bar codes on items linked to loyalty cards. Moreover, I can see no benefit to linking an individual serial number in an item to a specific customer. A retailer gets no value from knowing Mark Roberti bought the blue polo shirt, size medium, with the serial number 1234567. What the retailer wants to know is that Mark Roberti likes blue polo shirts, so it can sell me another one. And, as I said, it already knows this.

There are downsides to linking personally identifiable information to a specific item someone bought. A retailer could be brought into a court case to prove that a specific item was sold to a specific person. In an ugly divorce, for instance, a retailer might be subpoenaed to prove that a cheating husband bought a specific article of lingerie found in his girlfriend’s apartment. Another downside is the appearance of spying on customers with RFID, which would lead to bad press and a loss of customers.

So in my view, while RFID could be abused, it’s unlikely that it will be by most legitimate retailers. And abuses by individuals, such as trying to stalk someone by tracking them with RFID (also not likely in my view), can be dealt with via legislation.

Raysman is also quoted as saying the same technology that is used to track Alzheimer’s patients, which he agrees is reasonable, could be used to track nurses in hospitals and determine when they are not doing their jobs. This is a bigger concern in my view, but it will be dealt with the way other technologies are handled in the workplace. For instance, employers in the United States have a legal right to read their workers’ e-mail and track the Web sites they visit. People either get used to that kind of oversight or they leave. In some cases, unions will negotiate to prevent workers from being tracked with RFID.

I think it is helpful when people raise legitimate issues about RFID, so technology providers and users can address those issues. For instance, many people raised concerns that tags could be read after they left the store, so someone might know they bought Viagra, for instance. I think it’s unlikely that people will sit in the parking lot in an attempt to learn who has erectile dysfunction, but the industry addressed that concern with tags that have strong privacy features, such as the ability to hide the Electronic Product Code number and reduce the read range.

There might still be issues that need to be address. However, we need to have a serious debate about what’s likely to happen, rather than what could happen. Because after all, anything could happen.

Mark Roberti is the founder and editor of RFID Journal. If you would like to comment on this article, click on the link below. To read more of Mark’s opinions, visit the RFID Journal Blog or click here.