The RFID Privacy Conundrum

Is it better to address potential problems before they occur, or allow the technology to evolve and then address issues as they arise?
Published: August 27, 2010

I recently read an article online that said, “Installing special electronic inventory-tracking tags on products may seem like a good thing for companies to do, but in fact this may destroy our individual freedoms.” This conclusion was apparently reached by two information security experts at Purdue University (which writer Tudor Vieru referred to as Indiana University in the article), in West Lafayette, Ind. (see A Bad Mix: Consumer Privacy and RFID Chips).

The article quoted Eugene H. Spafford, the director of the Purdue Center for Education and Research in Information Assurance and Security (CERIAS), and an adviser to the White House and the Pentagon regarding national-security issues related to cybercrime and abuse.

I reached out to Spafford, who graciously agreed to speak to me last week by telephone. I pointed out that tags used on most consumer products are put in packaging or on a label, which is then thrown away. Moreover, I said, the tags can be killed, and new tags being introduced this year will enable retailers to reduce tag read range and mask serial numbers.

Spafford said he already knew most of what I told him, and that he was well aware that RFID technology could deliver many benefits to companies. He also noted that the writer of the article had slanted his comments to some degree. Spafford then made a number of interesting points, but two raised a potential RFID privacy conundrum.

While the tags do have these privacy features, Spafford said, Wal-Mart Stores and others are not using readers at the point of sale (POS), so they can’t kill the tags or mask the serial numbers. Later in the conversation, he said that the market couldn’t always address problems because once a technology is out there, it is difficult to fix security issues related to that technology. He cited problems with spyware, viruses and so on, that have plagued computer operating systems.

And therein lies the conundrum. On the one hand, we would like there to be no current privacy threats, which would mean installing tens of thousands of readers in stores to kill tags or hide their serial numbers. On the other hand, if we were to do that, there would be a danger of having a large, rigid infrastructure that could not be changed as new privacy (or security) issues arose.

What’s the best course of action? In my view, the current threat to consumer privacy is very small. Very few consumer items have tags. Those that do should bear the EPC logo, indicating there is a tag on that object, and the tag, in most cases, is on a label or external packaging that is thrown away after purchase. The only abuses that could potentially occur would be to read a tag on, say, a pair of jeans or a DVD player as a customer walks around a store, or from the store to the parking lot. I think retailers would be dumb to try to track people in a store—they would be exposed and have a PR nightmare on their hands—and I don’t see any benefit to criminals sitting in parking lots with readers. Most criminals lurk in a quiet area and try to get someone alone. They don’t target people because of what they might be carrying.

As the technology becomes more widely used, retailers likely will install readers at the point of sale. If most items in a store are tagged, then RFID can speed up the checkout process. And once that equipment is installed, the tags can be killed. Between now and then, researchers, hackers and privacy advocates might raise new issues that need to be addressed by new tag and reader features, so it seems to me that rushing to install an infrastructure to kill tags that are on less than one-tenth of one percent of all consumer items could lead to more problems down the road than it presently solves.

But individual businesses must make their own decisions. Just one incident in which a customer is tracked using a tag in an item the retailer sold could lead to a huge PR backlash. For some companies, the risk, however small, might be too great. For others, the cost of outfitting every POS terminal with an RFID reader might outweigh the small risk that a consumer might be tracked.

These are serious issues, worthy of an open, honest, intelligent discussion. In my opinion, RFID technology providers have done a good job of addressing the concerns raised so far. The solutions aren’t widely used, because the technology isn’t widely deployed and no abuses have ever been reported. As adoptions spreads, hackers are likely to dream up new ways to counteract privacy measures. This might require new approaches. Not having a massive infrastructure might be an advantage, because systems will be able to adapt to changing privacy demands.

Mark Roberti is the founder and editor of RFID Journal. If you would like to comment on this article, click on the link below. To read more of Mark’s opinions, visit the RFID Journal Blog or the Editor’s Note archive.