Privacy Group Focuses on RFID

By Bob Violino

The International Association of Privacy Professionals held an audio conference last week to make members aware of RFID privacy issues.

By Jennifer Maselli

Aug. 26, 2003 - The International Association of Privacy Professionals, a nonprofit association for privacy and security professionals, held an audio conference last week on radio frequency identification. The aim was to educate

Simson Garfinkel

corporate privacy officers and other IAPP members about the concerns surrounding RFID.

Representatives from 28 companies listened to the audio conference. "This is a timely topic," says Shara Prybutok, an administrator for IAPP, which was formed recently by the merger of the Privacy Officers Association and the Association of Corporate Privacy Officers. "We wanted to provide an in-depth tutorial on RFID technology and give some real-world privacy techniques and suggestions to our participants," she says.

The panelists for the conference were Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering and an outspoken opponent of RFID; Simson Garfinkel, an MIT graduate student who is on the Auto-ID Center's privacy advisory council; and Dan Mullen, interim CEO of the Association for Automatic Identification and Data Capture Technologies (AIM).

Albrecht said that RFID would allow the government and law enforcement agents to invade the privacy of citizens by tracking their whereabouts. For instance, RFID tags put in tires could be used by the government to track an individual. She also said that criminals might use a reader to identify the contents of a purse or briefcase, and law enforcement agents might invade the privacy of innocent individuals in an attempt to solve a crime.

Albrecht said it’s common for grocers to collect data on its consumers and record the credit card information along with each item purchased at their store. She said the government would want to gain access to this type of information for homeland security reasons. For instance, investigators tracking a potential suspect might learn what he or she purchased by linking, say, an RFID tag in a book with personal credit card information.

Garfinkel said that it would be difficult to track the location of individuals through RFID tags in their clothes. To do this, you would need satellites to cover large areas, but then, instead of an RFID tag, you would need a GPS device about the size of a cellular phone, which is obviously impractical. He pointed out that RFID tags are currently being used in the supply chain for asset management and warehouse automation, not to track individual items. The most widely deployed application for the technology on the consumer front is in some parking garages and at toll collection booths.

Once the price of the tags drops to five cents or less, companies will use them on consumer items, Garfinkel said, which will raise some privacy concerns. A store could use a covert RFID reader to inventory the contents of shoppers’ bags as they enter the store or even walk past the window of a store. Household electronics might covertly inventory what other products are in a consumer’s house and then report the information back to a central repository, assuming the consumer's appliance is linked to the Internet.

The panel discussed several means by which privacy could be protected. The tag could be completely deactivated at the point of sale, or the RFID identifier could be erased, leaving only a prefix number. Passwords could be assigned by purchasers of tags that would prevent the tag from being read without the owner’s permission.

Garfinkel says there needs to be an RFID "bill of rights." Consumers, he says should have the right to know whether a product contains an RFID tag; the right to have that tag removed or deactivated at the point of sale; the right to use RFID-enabled services without RFID tags; the right to access an RFID tag’s stored data, and the right to know when, where, and why the tags are being read.

The privacy debate surrounding RFID will likely continue, as the technology evolves. Whether RFID becomes an integral part of everything we wear, consume and utilize remains to be seen. AIM's Mullen pointed out that consumers have a role to play: "Ultimately, it’s the consumer that will dictate how and where the technology is used."

RFID Journal Home