US privacy advocates and some lawmakers are pushing a
debate over potential privacy abuses from the growing use of radio
frequency identification chips as huge retailers such as Wal-Mart
Stores move toward large-scale use of the technology.
While a number of privacy groups have raised concerns about the
potential uses of RFID chips, the US Congress has not yet drafted
legislation to regulate their use. The Utah and California
legislatures have both considered RFID privacy legislation this
year, and the US Federal Trade Commission has scheduled a workshop
on the uses of RFID and the effect on consumers for 21 June. The
FTC is asking for written comments about the uses of RFID; the
deadline to submit those comments is 9 July.
Privacy advocates worry that the technology will allow other
uses, such as real-time tracking of customers in stores, or even
after they leave stores. Privacy advocates see the potential for
retailers and other companies to be able to track consumers long
after a consumer purchases an item.
In early 2003, Wal-Mart and Procter & Gamble tested the use
of RFID chips on individual packages of lipstick in an Oklahoma
store, and the supposedly secret test raised the hackles of privacy
advocates everywhere. The RFID chips allowed Wal-Mart to track the
customers as they took the lipstick off shelves.
A US senator even suggested that federal legislation may be
necessary at some point, criticising what he called Wal-Mart’s
"clandestine" testing of RFID.
But Wal-Mart says its RFID tests have been less clandestine than
critics claim. Customers in the Oklahoma store where RFID chips
were tested on lipstick were notified with signs on the shelves.
After the lipstick test, Wal-Mart decided to focus on the storeroom
uses on RFID.
In the Dallas area, where Wal-Mart’s first large scale
implementation of RFID is scheduled to go live in early 2005, the
retailer has talked repeatedly to the media about its plans to use
RFID chips. The retailer will use "passive" RFID chips, which
require an RFID reader device to transmit information, and chips
will be placed on cases and pallets, not most individual items, he
said. In the cases where large items are shipped with RFID chips,
customers will be notified about the chips
When asked about concerns that customers picking up individual
products could be tracked with RFID chips, Wal-Mart spokesman Gus
Whitcomb downplayed those fears. "That’s all a big hypothetical
that we’re not planning to do in the first place," he said. "We
have tried to address the big concerns of privacy advocates."
So far, retailers and other RFID users have time to work out
privacy concerns with critics. While the US Congress has introduced
several technology-related privacy bills in the past year, none
deal specifically with RFID chips.
In November, a group of privacy advocates, including the
American Civil Liberties Union and the Electronic Frontier
Foundation (EFF), issued a position statement on the use RFID in
consumer products. The statement called for retailers to give
notice to consumers when RFID chips are being used, what the
purpose is and to have security measures in place verified by third
parties.
The statement calls on merchants to voluntarily comply with RFID
privacy measures, and asks retailers to comply with a moratorium on
item-level use of RFID chips until a technology assessment
involving consumers and other stakeholders can be completed.
The statement asked retailers not to force consumers to buy
products with RFID tags and advocated that consumers should be able
to remove or disable the tags, but the statement did not advocate
federal legislation.
Notifying consumers is a start, but notice alone is not enough,
said Ari Schwartz, associate director of the Center for Democracy
and Technology (CDT), one of the groups signing on to the November
privacy statement. "There has to be a way to kill these chips," he
added.
The CDT and other privacy groups have brought their concerns to
retailers and RFID suppliers. So far, the two sides are making
progress, Schwartz said. Most retail uses of RFID so far are
limited to stock rooms, and with retailers and vendors open to
privacy discussion, Schwartz does not yet see the need for federal
legislation.
"The question is really what it’s used for and how it’s done,
rather than the technology itself," Schwartz said. "Most of the
benefit out there comes on the back end, in the stock room, and
most of the privacy concerns come when it leaves the stock
room."
Grant Gross writes for IDG News
Service