Retail giant Walmart has said a US law enforcing privacy
rules for RFID is not needed because companies experimenting with
the technology are committed to protecting privacy.
Wal-Mart Stores continues to move forward with plans for case-
and pallet-level tagging of products with RFID chips.
But item-level tagging, where individual products are identified
with RFID chips, is about 10 years away, Linda Dillman, executive
vice-president and chief information officer of Wal-Mart, told the
US House Subcommittee on Commerce, Trade and Consumer
Protection.
Privacy advocates said that legislation is needed to protect
consumers from potential uses of RFID.
They offered few current examples of privacy concerns caused by
RFID, but as the range of RFID scanning grows beyond the current
10-20ft RFID could allow corporations and governments to track
people's movements and purchases, they said.
A United Nations-affiliated group, the International Civil
Aviation Organization, is already developing global standards for
passports that include RFID chips, with the group looking for a
chip that could be read up to a metre away, said Barry Steinhardt,
director of the Technology and Liberty Program for the American
Civil Liberties Union.
In the hands of a dictatorial government, RFID-chipped passports
or other identification could be used to track visitors to the
country or identify people attending a political rally, Steinhardt
said. Such uses could create "a whole new surveillance regime",
Steinhardt added.
Users of RFID defended it, however, saying that its range was
too small and its cost too prohibitive to use on most consumer
products.
Others at the hearing noted that Wal-Mart had conducted product
tests on lipstick in an Oklahoma store in early 2003.
Representative Jan Schakowsky questioned whether consumers had been
adequately warned about the lipstick tests.
With the potential to use RFID chips in passports and other
government identification, as well as consumer products such as
clothing, the misuse of RFID tracking raises "seriously Orwellian
concerns", she said.
"Soon we could have Big Brother and big business tuning into the
same frequency, where not only will they know where you are, but
what you're wearing," Schakowsky added.
The Wal-Mart test on lipstick had the RFID tags on large
packages, not individual products, said Sandra Hughes, global
privacy executive for Proctor & Gamble, Wal-Mart's partner in
the test. Consumers were notified of the RFID test, and although
the lipstick display was monitored by a web cam, the purpose was to
track the supply of lipstick, not consumers, Hughes said.
Hughes and other defenders of RFID said the technology has great
potential to lower supply chain costs, reduce theft and
counterfeiting, improve the rate of products being in stock and
even track livestock diseases.
With RFID chips in the ears of cattle, livestock sold could be
tracked within hours instead of the weeks it can take to track down
a paper-based sale, said John Molloy, managing director of
ViaTrace, a maker of tracking technologies.
The US is ahead of the rest of the world in experimenting with
RFID, he said, and its use could end threats of diseases like BSE.
"This is the opportunity [for the US] to lead the world in
traceability," Molloy said.
But safeguards are needed so that the potential of RFID is not
misused, privacy advocates said.
Witnesses at the hearing disagreed about what kind of
legislation is needed, however, with the Electronic Privacy
Information Center calling for RFID-specific legislation, and the
Center for Democracy and Technology repeating its call for general
privacy legislation that would cover all kinds of technologies.
When Representative Darrell Issa suggested that legislation
should focus on what companies and government agencies do with the
information they collect, instead of what technology is used to
collect the information, Paula Bruening, staff counsel for the
Center for Democracy and Technology, agreed.
Recent debates about a House spyware bill showed how difficult
it is to legislate based on specific technologies, she added. "You
end up with a better result if you have baseline privacy
legislation that focuses on the information itself," Bruening
said.
Hughes said legislation is premature because companies are being
responsible about data collection. Her company retains consumer
data only as long as necessary, she said.
In the case of a product sale, the company keeps the data only
long enough to complete the transaction, but in the case of an
opt-in customer newsletter, the company retains the data as long as
the consumer is subscribed.
Dillman also opposed RFID-specific legislation. "We don't
believe that data collected by RFID should be different," she said.
"We believe there should be a single standard."
Grant Gross writes for IDG News Service