July 5, 2004

Tuning out RFID panic

By: Jerry Brito

You walk into a boutique and look around for a new dress. A sales clerk notices you eyeing a particular red number and says he would like to tell you more about it. He takes a handheld device that looks much like a PDA and points it at the dress. An instant later flatscreens on the wall light up to show video of a model sporting the dress sashaying on a catwalk in Paris. Designer sketches and color swatches also appear and you notice a shade of blue that you like. Looking at his handheld for just a moment, the clerk confirms that the dress in blue, and in your size, is in stock; he’ll have someone bring it out.

Shoppers at the New York flagship store of Italian fashion house Prada didn’t have to imagine; such an experience was made possible using Radio Frequency Identification (RFID) technology. Simply put, RFID is a next generation barcode. Rather than print bars on paper, which are then scanned using a laser, RFID uses tiny chips that emit a radio signal containing their ID number. Readers are able to pick up the signal without the need for line-of-sight.

At Prada, every garment, shoe and bag in the store was tagged with an RFID chip. Handheld devices were linked to a real-time inventory system to let clerks know what colors and sizes were stocked. Dressing rooms had RFID-reader-equipped racks on which you could hang the clothes you wanted to try. The racks would know what garments you had selected and would display interactive information about them in the dressing room’s touchscreen.

This high-tech gadgetry can mean not just convenience for the customer, but also increased sales for the retailer. Less-exclusive retailer The Gap has found that it can increase sales in RFID-equipped stores by seven to 15 percent by freeing sales staff to spend more time with customers and less time in the stockroom.

There are a plethora of other commercial uses of RFID, including airport baggage tracking, subway fare cards, and highway toll passes. But the one application that has captured the imagination of corporate America — as well as that of privacy activists — is effectively replacing UPC barcodes on consumer goods by tagging every retail product with a uniquely numbered RFID chip.

The idea is that the entire supply chain — rom manufacturing to distribution to retailer — could be streamlined. Constant, automatic knowledge of inventory levels means less warehousing costs and getting ever closer to that state of nirvana known as just-in-time manufacturing. Suppliers could save money by keeping better track of their returnable assets like pallets and containers. The technology also promises to help manufacturers and retailers prevent ‘backshop’ theft, which is estimated to cost companies billions of dollars each year. And identifying whole shipments of goods automatically upon arrival at a loading dock could save labor all around. As one observer put it, “Wal-Mart would love to be able to point an RFID reader at any of the 1 billion sealed boxes of widgets it receives every year and instantly know exactly how many widgets it has. No unpacking, no unnecessary handling, no barcode scanners required.”

Retailers also expect RFID to result in greater customer satisfaction. ‘Smart shelves’ that keep track of how stocked they are — and that send automatic messages to the storeroom when the level of, say, Tickle-Me Elmo dolls gets too low — will ensure that customers always find the shelves full. And if this information is shared with suppliers, they could be better able to match supply to demand and reduce inventory sellouts. Also, consumer products that are tagged with unique identifying numbers at the item level could enable returns without a receipt, as well as the much-touted self-checkout. Unique identification could also reduce waste during product recalls by pinpointing the few defective items rather than sacrificing a whole batch.

But everything isn’t rosy in RFID Land. Many activists have been vocally concerned about the privacy implications of the technology. The ability to track objects is the ability to track persons, they say. But such fears are overstated; the truly worrisome potential uses of RFID are by government.

Privacy advocates fear that technologically savvy burglars could case homes by covertly cataloging their contents from the street. More ominously, some critics say RFID systems could also pose a fatal threat if stalkers manage to adapt the technology to monitor a victim’s belongings, embedded with RFID microchips, and track their whereabouts. Perhaps scarier still is the possibility that RFID technology could be used for targeted marketing. As one observer put it:

[The potential pervasiveness of tagged products] raises the disquieting possibility of being tracked though our personal possessions. Imagine: The Gap links your sweater’s RFID tag with the credit card you used to buy it and recognizes you by name when you return. Grocery stores flash ads on wall-sized screens based on your spending patterns, just like in ‘Minority Report’.

But today retailers already track people’s purchases to better market to them. The most obvious example is Amazon.com, which welcomes you by name when you visit their Web site, and makes eerily acute recommendations based on your past purchases. In the physical world, supermarkets and other retailers issue customer loyalty cards that help them track consumer spending patterns in order to better stock stores and price products. Checkout receipts now often include coupons targeted to the consumer based on her past purchases.

A ‘Minority Report’ type scenario using RFID, in which a retailer identifies you based on the clothes you are wearing and markets to you by name, is unlikely to occur for two reasons. First, it is very creepy. Such tactics are more likely to alienate customers than impress them; retailers recognize this and will avoid the practice. Second, such a scheme would not be very practical. Identifying an object is not the same thing as identifying a person. A sweater might be bought as a gift or lent out or sold second-hand on eBay. Retailers will not risk embarrassment by making assumptions about identity.

Similarly, while some worry that burglars will equip themselves with $500 RFID readers to drive by a home and say, “Look what we’ve got in there. An HDTV is in there, and she wears Benetton,” the fact is burglars today already case homes by such low-tech means as looking through windows. What’s more, the technical limitations of RFID might not make such casing very feasible. The range of RFID tags that will be used in consumer products is 20-30 feet at most. But the laws of physics prescribe that the further one is from the tag, the more energy a reader will have to employ to read it. This makes long-range readers hardly portable or easily powered. Also, RF signals cannot pass through metal, liquids, and other dense materials, making long-range reading even more difficult. And if you are still worried that a burglar will be able to read the contents of your home, you can install an RFID blocker device.

The nightmare scenario of RFID critics is the tracking of persons — either at a political rally, by a stalker, or by a retailer who wants to engage in targeted marketing. And although the use of RFID on consumer products to track individuals is impractical, if not impossible, there is one scenario that makes RFID tracking much more feasible: government assigning a unique number to each individual.

One critic, contemplating the various possibilities of a surveillance state, posited the following scenario:

A tourist walking through an unfamiliar city happens upon a sex shop. She stops to gaze at several curious items in the store’s window before moving along. Unbeknownst to her, the store has set up the newly available ‘Customer Identification System’ which detects a signal being emitted by a computer chip in her driver’s license and records her identity and the date, time, and duration of her brief look inside the window. A week later, she gets a solicitation in the mail mentioning her — and embarrassing her in front of her family.

But notice that without a government-mandated chip, which identifies the woman uniquely, this scenario could not take place so easily. Attempting to guess her identity by reading the numbers on her clothes, for example, might prove difficult. But a government ID number identifies the person, not an item. A database that correlates government ID numbers, names, and other personally identifying information could be reverse-engineered, much like the Internet Movie Database was developed without the help of industry. The less reputable a retailer is, the more likely they will engage in such ‘creepy’ direct marketing.

If one is truly concerned about government tracking of individuals at political rallies or anywhere else, then a national ID, especially one equipped with RFID or other automatic identification technology, should be the focus of one’s attention. It is the involuntary nature of a government mandate that makes it particularly dangerous. The recent Nevada v. Hibbel decision found that citizens cannot refuse to identify themselves when agents of the state demand it. It may only be a matter of time before government facilitates compulsory identification by mandating a national ID card embedded with RFID chips.

A national ID card was proposed and seriously considered after the terrorist attacks of September 11, 2001. Last year, delegates to the Chinese Communist Party Congress were required to wear an RFID badge at all times so that their movements could be tracked and recorded. Today, passports may soon be equipped with RFID tags, and the Department of Homeland Security is currently developing RFID-enabled IDs to be used at border crossings. The growing campaign by government to require its citizens to identify themselves, regardless of the technology employed, is the greatest threat to anonymity — not the private use of identification technology. Privacy activists, who today mention the threat from government only in passing, should refocus their efforts to where it really matters.

Jerry Brito is editor of Brainwash and a student at George Mason University School of Law. His Web site is jerrybrito.com.