The E-Business Executive Daily
August 23, 2003

Line56 Home
Email Newsletters

Topic Centers
e-Business News
Ecosystem Stories
e-Biz In Action

Company Profiles
Research Reports
Research Library
E-Business Top56
Magazine Archives

Events Calendar

Logos link to
company profiles

About Line56
How to Advertise
Getting Covered
Site Map
Contact Us

Portals Magazine

Story Type

RFID Privacy Dustup
Consumerist group downloads confidential documents from Auto-ID Center site, claims parallels to privacy problems of RFID


Email this article...

Print this article...

Reader Comments...

Link to this article...

by Jim Ericson, Line56

Monday, July 07, 2003

A pro-consumer privacy group opposed to tagging products with radio frequency identification (RFID) chips says it has made its point after discovering a security hole in the website of the Auto-ID Center, the MIT-based organization working with companies on industry standards for RFID and electronic product codes (EPCs).

The group, called CASPIAN, which stands for Consumers Against Supermarket Privacy Invasion and Numbering, found that by typing the word "confidential" into the website's search tool, it could access documents reserved for sponsors of the Auto-ID Center. Line56 was able to confirm this until parts of the search function were modified or disabled. The Auto-ID Center's membership includes the largest global retailers, consumer-packaged goods makers, packagers and agencies such as the U.S. Department of Defense and U.S. Postal Service.

Among the documents returned in the search was an index of the group's board of overseers, which included the addresses and telephone numbers of 77 executives from companies like Coca-Cola, Procter & Gamble and Kodak. There were also research documents and presentations marked "confidential" that addressed public perception of RFID and strategies to allay fears, inform consumers and set public policy. At least one senior executive from a large consumer-packaged goods company was unaware of the information's availability.

"I was surprised to hear about that and it looks like a hole we should close down," says Kevin Ashton, executive director at the AutoID Center. "It's a little distressing [that] people are trying to circulate our addresses, that's something we'd rather didn't happen."

Ashton emphasizes though that most of the documents were or will be made public and the news proves that the Auto-ID Center doesn't have much to hide. "We don't put excessive security on the website because there's nothing on there that's particularly sensitive," he says. "You can't run a consortium of 103 companies and have meetings all over and make things available to them electronically and then assume it's all going to be very secret. The main thing is that we don't have many secrets."

The most rigorous security is around research papers the Auto-ID Center provides to paying sponsors looking for a head start with the technology. One such document marked confidential cited MIT research into reactions to consumer privacy. "That cost a lot of money, it was released to the public on May 1," Ashton says. "Some people would be surprised we're willing to make that information public at all." Ashton expects that an "honest person" would commend the center when they find things that could be used against it, and that the policy is deliberate.

Katherine Albrecht founded CASPIAN in 1999 in opposition to supermarket loyalty cards, which she says force consumers to reveal private information allowing sellers to track purchasing histories for marketing and other purposes. CASPIAN says many or most consumers are unaware their purchasing histories are tracked this way, but without the cards consumers pay a premium on many products sold in stores.

Now Albrecht says credit card numbers are being used for marketing research purposes. "At the supermarkets they're realizing that they don't even need loyalty cards because they're tracking people on the basis of the ID number on the credit card, which is exactly what we're afraid will happen with RFID." The insecure AutoID Center website demonstrates how personal information could be misused, she says.

Albrecht sees a slippery slope to the negative consequences of global data collection, but Ashton says all parties have been deeply aware of privacy issues for many years and it's the role of the Auto-ID center to set a course. "It is important to have the poles of the debate well-defined," says Ashton. "We recognize there are people like Katherine [Albrecht] who are worried about totalitarian governments using RFID to control the population. There are people at the other end who don't believe that people have any right to privacy at all. Those are the poles and our job is to steer down the middle."

RFID is actually a decades-old technology now being studied by businesses, especially in the retail and pharmaceutical industries. It involves planting tiny electronic chips into products and packaging to better manage the supply chain and also prevent theft and counterfeiting. Machine readers automatically sense the tags and their unique numbers within a limited range and report on their identity and location to computer networks. Though many significant technology and standards hurdles remain, hundreds of test projects are underway at shipping docks, distribution centers and warehouses as well as in retail stores.

While current fair information practices on notification and choice stem from the 1980s, Ashton says RFID and EPC also come with policy work to ensure that individually numbered products will be de-coupled from the people that buy them. EPC's agreement only extends to the identification of unique objects. Under the terms of its license, the technology cannot be used for people tracking with two exceptions: military personnel and patients in hospitals. "Knowing you own a particular can of Coke can be problematic from a privacy point of view if the can is found at a crime scene," Ashton says. Even in such an example if a consumer doesn't use a loyalty card and pays cash no one knows who owns it. "It's a silly thing to say MIT doesn't understand privacy," says Ashton. "Some of the world's experts in privacy are here."

But Albrecht says consumers are already buying "tagged" products like Gillette razor blades, Caress soap and Right Guard aerosol deodorant being sold in store pilots. "People are taking them home unknowingly and I don't think consumers should be the guinea pigs for item-level tagging," she says. For this reason CASPIAN is pushing for a labeling requirement for RFID-tagged products. "You can go to Alien Technologies' website that talks about a reader device in the door that can read everything the woman is wearing and carrying as they walk in so they can know where she bought it and what she paid," she says. This is not the case today outside of pilot testing, but it's the scenario Albrecht fears. In reality, the arrival date for such technology's widespread use is uncertain, part of what is fueling the debate today.

Ashton agrees with the absolute need for disclosure of RFID in use, but this again raises the polarized reactions and lack of understanding about the technology. At one extreme a person might want a disclaimer such as the health warning on cigarettes. "At the other extreme someone would want something so cryptic that no one knew what it meant," says Ashton. "We're looking for a symbol that doesn't take up too much of the package that doesn't require a magnifying glass to see it and there's public information what the symbol means." This might be a mark like the "K" within a circle signifying a kosher product or the "UL Approved" mark that demonstrates product safety testing.

It's easy to get people to agree on the principles, Ashton says, and part of the Auto-ID Center's role is to help define policies and to make sure policies are adhered to. "Thank God a couple of years ago as we were designing chips we decided to put this thing called 'kill,'" (which deactivates the chips as the result of a policy or customer request.) The feature is fairly unique to the EPC specification as opposed to other RFID solutions, Ashton says. "It's there because some of our big user companies told us it had to be there which gives you an idea of how seriously they take this."

One such policy would be opt-in, which would kill every tag at the checkout counter. Another policy would be opt-out, which would kill the tags at customer request. Both solutions could be burdensome, the latter requiring reading tag-killers at every checkout, resulting in higher consumer costs. "It's not that people don't want to solve this, it's simply about finding the most practical ways," Ashton says.

Albrecht finds commonality in this approach, though she's just launched another website, this one called "I am a free-market libertarian and I fully believe the market should decide this," she says. "I'm not looking for legislation to make RFID technology illegal, I am looking for open disclosure so that consumers are not inadvertently taking home tracking devices they don't want."

Comments? Questions? Email our Editors...

More Articles

Lombardi Updates TeamWorks BPM

Diageo: HP Out, IBM In

CFOs and the Supply Chain

webMethods Extends UAN Support

Hosted CRM from ACCPAC


Oracle9iAS can help with all your integration challenges. Click here.
Click here to see how one company uses J.D. Edwards CRM to increase revenues.
Click here to enter the 2003 WebAward Competition for web site development
Interested in having a link to your website here? Click Here!

Home | Get Line56's Portals Magazine | e-Business News | email Newsletters
e-Biz in Action | e-Business Ecosystem | Viewpoints | From Line56 Mag
Company Profiles | Research Reports | E-Business Top56 | Events Calendar
About Line56 | Advertise | Getting Covered | Report Problems | Contact Us

2000-2002, Use of this site indicates approval and acceptance of our Terms of Use and Privacy Policy.