[Med-privacy] RFIDs

pmarshall pwm@comcast.net
Fri, 11 Jun 2004 12:52:10 -0700 

www.internetnews.com/ec-news/article.php/3366811



RFID Privacy Gap?
By Susan Kuchinskas=20
<http://www.internetnews.com/feedback.php/http://www.internetnews.com/ec-=
news/article.php/3366811>
June 10, 2004

SAN FRANCISCO -- The drive to place RFID tags on consumer products is=20
relentless, but IT leaders say public policy on how to use and secure=20
the information they'll provide is lagging behind.

Where does consumer privacy fit into a world where every product has a=20
unique IP address? It's a question that consumer goods companies and=20
Federal regulators are only beginning to tackle. The issue was discussed =

Thursday during "Privacy Futures," a conference sponsored by the=20
International Association of Privacy Professionals and online security=20
software company, TRUSTe.

EPCglobal, a not-for-profit industry organization that is building a=20
global network to track RFID tagged products, formed a public policy=20
committee in March to examine how to balance privacy concerns with=20
industry practices, but its work has just begun. The Federal Trade=20
Commission will hold its first public workshop on RFID and privacy later =

this month.

Meanwhile, manufacturers are ramping up to meet a January 1, 2005=20
deadline from Wal-Mart, Target and the Department of Defense. These=20
companies kick-started an RFID boom by requiring their top suppliers to=20
tag all cases and pallets shipped to them.

EPCglobal Public Policy Committee chair Sandy Hughes, who is also=20
Procter & Gamble's global privacy executive, said the committee is=20
getting input to help with policy decisions. "At least we have a body=20
now that's actually looking at it," she told the audience.

Consumer advocates formed the committee following protests over early=20
attempts by retailers to use RFID to understand shopping behavior. Last=20
year, Gillette tested the use of RFID tags to trigger cameras when=20
shoppers removed razor blades from store shelves, while Procter & Gamble =

(Quote <http://www.internetnews.com/stocks/quotes/quote.php/PG>, Chart=20
<http://www.internetnews.com/stocks/quotes/chart.php/PG/chart>) used a=20
similar set-up with video cameras to watch consumers interact with=20
packages of lipstick.

RFID could provide huge benefits for businesses that move materials and=20
products through the supply chain. Businesses that go further than "slap =

and ship" hope to use the information provided by RFID tracking to=20
improve manufacturing and warehousing operations, identify trends and=20
spot glitches. HP, (Quote=20
<http://www.internetnews.com/stocks/quotes/quote.php/HPQ>, Chart=20
<http://www.internetnews.com/stocks/quotes/chart.php/HPQ/chart>) for=20
example, plans to roll out RFID in all aspects of its global operations=20
by the end of this summer and expects a quick payback.

But there are privacy issues at every stage of a product's movement,=20
said Malcolm Crompton, head of Australian consultancy The Trust=20
Dimension. In the warehouse, employers could analyze an employee's work=20
patterns by how many pallets were handled in a given time, or track=20
people's movements via tags embedded in their uniforms or badges. In=20
stores, retailers could track consumers' movements by way of tags=20
embedded in loyalty cards, as German retailer METRO Group did in a=20
demonstration store. That trial ended following consumer protests.

Once products leave the store with RFID tags attached or embedded, they=20
could create an "RFID cloud" around a person, said Beth Givens, director =

of the Privacy Rights Clearinghouse.

The RFID industry is considering several options to ease post-purchase=20
privacy concerns, including a "kill" mechanism to completely or partly=20
deactivate chips, making blocker chips available to consumers and=20
providing authentication mechanisms.

"We have to learn from our mistakes and design in a privacy component as =

they build the tags," Crompton said. "For the industry to have to go=20
back and say, 'Oops, we wish we had a kill switch' is a stunner."

P&G's Hughes admitted that privacy came late to the table. "A lot of=20
people coming up with the technology were focused on testing the=20
technology within their own little endeavor. Developing the technology=20
was their job," she said. "There wasn't a big awareness about public=20
policy. Now, we=12re engaged and all working on it, and it will go faster=
=2E"

Givens complained that there were no consumers or consumer advocates=20
participating in EPCglobal's policy committee. "Just as the privacy=20
implications of RFID have been considered as an afterthought, so has=20
consumers' part in their policy taskforce," she said.

But companies have to take charge of engineering and keep informed of=20
how engineering may affect consumer privacy, according to Nicole Wong,=20
senior compliance counsel for Google.

"A lot of times, engineers put in code that they think has no=20
ramifications just because it just makes the application run better,"=20
she said. "Privacy officers need to put the engineers in a room with a=20
bright light shining in their faces and not let them out until they find =

out what information they're collecting."