Retail giant Walmart has said a US law enforcing privacy rules for RFID is not needed because companies experimenting with the technology are committed to protecting privacy.
Wal-Mart Stores continues to move forward with plans for case- and pallet-level tagging of products with RFID chips.
But item-level tagging, where individual products are identified with RFID chips, is about 10 years away, Linda Dillman, executive vice-president and chief information officer of Wal-Mart, told the US House Subcommittee on Commerce, Trade and Consumer Protection.
Privacy advocates said that legislation is needed to protect consumers from potential uses of RFID.
They offered few current examples of privacy concerns caused by RFID, but as the range of RFID scanning grows beyond the current 10-20ft RFID could allow corporations and governments to track people's movements and purchases, they said.
A United Nations-affiliated group, the International Civil Aviation Organization, is already developing global standards for passports that include RFID chips, with the group looking for a chip that could be read up to a metre away, said Barry Steinhardt, director of the Technology and Liberty Program for the American Civil Liberties Union.
In the hands of a dictatorial government, RFID-chipped passports or other identification could be used to track visitors to the country or identify people attending a political rally, Steinhardt said. Such uses could create "a whole new surveillance regime", Steinhardt added.
Users of RFID defended it, however, saying that its range was too small and its cost too prohibitive to use on most consumer products.
Others at the hearing noted that Wal-Mart had conducted product tests on lipstick in an Oklahoma store in early 2003. Representative Jan Schakowsky questioned whether consumers had been adequately warned about the lipstick tests.
With the potential to use RFID chips in passports and other government identification, as well as consumer products such as clothing, the misuse of RFID tracking raises "seriously Orwellian concerns", she said.
"Soon we could have Big Brother and big business tuning into the same frequency, where not only will they know where you are, but what you're wearing," Schakowsky added.
The Wal-Mart test on lipstick had the RFID tags on large packages, not individual products, said Sandra Hughes, global privacy executive for Proctor & Gamble, Wal-Mart's partner in the test. Consumers were notified of the RFID test, and although the lipstick display was monitored by a web cam, the purpose was to track the supply of lipstick, not consumers, Hughes said.
Hughes and other defenders of RFID said the technology has great potential to lower supply chain costs, reduce theft and counterfeiting, improve the rate of products being in stock and even track livestock diseases.
With RFID chips in the ears of cattle, livestock sold could be tracked within hours instead of the weeks it can take to track down a paper-based sale, said John Molloy, managing director of ViaTrace, a maker of tracking technologies.
The US is ahead of the rest of the world in experimenting with RFID, he said, and its use could end threats of diseases like BSE. "This is the opportunity [for the US] to lead the world in traceability," Molloy said.
But safeguards are needed so that the potential of RFID is not misused, privacy advocates said.
Witnesses at the hearing disagreed about what kind of legislation is needed, however, with the Electronic Privacy Information Center calling for RFID-specific legislation, and the Center for Democracy and Technology repeating its call for general privacy legislation that would cover all kinds of technologies.
When Representative Darrell Issa suggested that legislation should focus on what companies and government agencies do with the information they collect, instead of what technology is used to collect the information, Paula Bruening, staff counsel for the Center for Democracy and Technology, agreed.
Recent debates about a House spyware bill showed how difficult it is to legislate based on specific technologies, she added. "You end up with a better result if you have baseline privacy legislation that focuses on the information itself," Bruening said.
Hughes said legislation is premature because companies are being responsible about data collection. Her company retains consumer data only as long as necessary, she said.
In the case of a product sale, the company keeps the data only long enough to complete the transaction, but in the case of an opt-in customer newsletter, the company retains the data as long as the consumer is subscribed.
Dillman also opposed RFID-specific legislation. "We don't believe that data collected by RFID should be different," she said. "We believe there should be a single standard."
Grant Gross writes for IDG News Service