US privacy advocates and some lawmakers are pushing a debate over potential privacy abuses from the growing use of radio frequency identification chips as huge retailers such as Wal-Mart Stores move toward large-scale use of the technology.
While a number of privacy groups have raised concerns about the potential uses of RFID chips, the US Congress has not yet drafted legislation to regulate their use. The Utah and California legislatures have both considered RFID privacy legislation this year, and the US Federal Trade Commission has scheduled a workshop on the uses of RFID and the effect on consumers for 21 June. The FTC is asking for written comments about the uses of RFID; the deadline to submit those comments is 9 July.
Privacy advocates worry that the technology will allow other uses, such as real-time tracking of customers in stores, or even after they leave stores. Privacy advocates see the potential for retailers and other companies to be able to track consumers long after a consumer purchases an item.
In early 2003, Wal-Mart and Procter & Gamble tested the use of RFID chips on individual packages of lipstick in an Oklahoma store, and the supposedly secret test raised the hackles of privacy advocates everywhere. The RFID chips allowed Wal-Mart to track the customers as they took the lipstick off shelves.
A US senator even suggested that federal legislation may be necessary at some point, criticising what he called Wal-Mart’s "clandestine" testing of RFID.
But Wal-Mart says its RFID tests have been less clandestine than critics claim. Customers in the Oklahoma store where RFID chips were tested on lipstick were notified with signs on the shelves. After the lipstick test, Wal-Mart decided to focus on the storeroom uses on RFID.
In the Dallas area, where Wal-Mart’s first large scale implementation of RFID is scheduled to go live in early 2005, the retailer has talked repeatedly to the media about its plans to use RFID chips. The retailer will use "passive" RFID chips, which require an RFID reader device to transmit information, and chips will be placed on cases and pallets, not most individual items, he said. In the cases where large items are shipped with RFID chips, customers will be notified about the chips
When asked about concerns that customers picking up individual products could be tracked with RFID chips, Wal-Mart spokesman Gus Whitcomb downplayed those fears. "That’s all a big hypothetical that we’re not planning to do in the first place," he said. "We have tried to address the big concerns of privacy advocates."
So far, retailers and other RFID users have time to work out privacy concerns with critics. While the US Congress has introduced several technology-related privacy bills in the past year, none deal specifically with RFID chips.
In November, a group of privacy advocates, including the American Civil Liberties Union and the Electronic Frontier Foundation (EFF), issued a position statement on the use RFID in consumer products. The statement called for retailers to give notice to consumers when RFID chips are being used, what the purpose is and to have security measures in place verified by third parties.
The statement calls on merchants to voluntarily comply with RFID privacy measures, and asks retailers to comply with a moratorium on item-level use of RFID chips until a technology assessment involving consumers and other stakeholders can be completed.
The statement asked retailers not to force consumers to buy products with RFID tags and advocated that consumers should be able to remove or disable the tags, but the statement did not advocate federal legislation.
Notifying consumers is a start, but notice alone is not enough, said Ari Schwartz, associate director of the Center for Democracy and Technology (CDT), one of the groups signing on to the November privacy statement. "There has to be a way to kill these chips," he added.
The CDT and other privacy groups have brought their concerns to retailers and RFID suppliers. So far, the two sides are making progress, Schwartz said. Most retail uses of RFID so far are limited to stock rooms, and with retailers and vendors open to privacy discussion, Schwartz does not yet see the need for federal legislation.
"The question is really what it’s used for and how it’s done, rather than the technology itself," Schwartz said. "Most of the benefit out there comes on the back end, in the stock room, and most of the privacy concerns come when it leaves the stock room."
Grant Gross writes for IDG News Service