EPIC logo

Testimony and Statement for the Record of

Cédric Laurant
Policy Counsel
Electronic Privacy Information Center

on

Radio Frequency Identification (RFID) Technology:
What the Future Holds for Commerce, Security,
and the Consumer

Before the
Subcommittee on Commerce, Trade, and Consumer Protection
House Committee on Energy and Commerce

July 14, 2004
2322 Rayburn House Office Building

Summary of Testimony

The use of Radio Frequency Identification (RFID) technology in retail products will lead to a fundamental change in the world's information technology infrastructure. Because both the tag and the reading process can be virtually silent and invisible, RFID, if left without privacy protections, would permit a wide range of private and public covert, database-linked surveillance, tracking and profiling applications whose operation will remain unknown to the person under observation. Moreover, RFID systems of all kinds are capable of generating a volume of consumer data several orders of magnitude greater than has been possible before. Industry solutions to consumer privacy concerns which have been offered, including EPCglobal's "tag killing" standard and the RSA Security blocker tag are unsatisfactory because they are overly complex, unreliable, and, in the case of the blocker tag, place too much burden on the consumer.

Public opinion polls consistently find strong support among Americans for privacy rights in law to protect their personal information from government and commercial entities. Opinion polls have also demonstrated that there is clear support for the meaningful protections that clear privacy principles, like the Fair Information Practices (FIPs) provide.

The impending emergence of RFID technology in consumer products and services, and the associated explosion of consumer generated data that is likely to follow, should stimulate a renewed call for the establishment of basic privacy principles applicable to the use of personal information collected through RFID technology. Fair Information Practices provide an excellent model for approaching RFID regulation. There is currently no federal law applicable to the collection and further processing of personally identifiable data gathered through RFID technology. Other nations already have regulations or guidelines that can help protect consumers against major privacy risks raised by RFID technology.

Congress should enact legislation specifically targeting the use of RFID in the retail sector and require clear labeling and easy removal of item-level RFID tagging on individual consumer products. Clear labeling and easy removal of tags will ensure that consumers receive proper notice of RFID systems and are able to confidently exercise their choice whether or not to go home with live RFID tags in the products they own. Consumers without high levels of technical capability have no way of knowing if a "killed" tag is merely disabled, physically destroyed, or in fact still fully functional. Tag removal, on the other hand, is transparent and 100 percent effective.

EPIC has drafted a set of industry guidelines that rearticulate Fair Information Practices in terms of the unique aspects of RFID. The guidelines allow businesses in the manufacturing and retail sector to adopt the technology in a wide range of applications while protecting consumer's basic privacy interests. The guidelines require users of RFID systems to refrain from linking personally identifiable information to RFID tag data whenever possible and then only with the written consent of the individual. Further, the guidelines prohibit the tracking or profiling of individuals via RFID in the retail environment; require tags and tag readers to be clearly labeled; and stipulate that tag reading events be perceptible to the consumers through their association with a light or audible tone. These guidelines should serve as a basis for new federal privacy legislation governing the use of RFID in the retail sector.

Testimony

My name is Cédric Laurant. I am Policy Counsel with the Electronic Privacy Information Center (EPIC) in Washington. EPIC is a public interest research and advocacy organization that focuses on emerging civil liberties issues.[1] I also am the editor of the 2003, and upcoming 2004, Privacy and Human Rights report[2], an annual survey of privacy laws and privacy-related developments in over 65 countries in the world.

I appreciate the opportunity to testify before the Subcommittee today on RFID technology.

1. Impact of RFID technology on privacy
Radio Frequency Identification (RFID) is a type of automatic identification system that enables data to be wirelessly transmitted by portable tags to readers that process the data according to the needs of a particular application. Tags in use today are small enough to be invisibly embedded in products and product packaging. The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, or date of purchase. RFID readers are often connected to computer networks, facilitating the transfer of data from the physical object to databases and software applications thousands of miles away and allowing objects to be continually located and tracked through space. RFID may also be used to identify documents and currency. RFID may even be deployed to identify individuals. Today, major uses of RFID include supply chain management, animal tracking, and electronic roadway toll collection.

1.1. New risks for privacy
The debate over RFID technology touches upon many controversial policy issues. At its most fundamental, widespread use of RFID tags could enable corporations to track every move consumers make. Corporations which compile the data transmitted by the tags could determine which products a consumer purchases, how often products are used, and even where the product – and by extension the consumer – travels. By aggregating data to form consumer profiles, corporations could make inferential assumptions about a consumer's income, health, lifestyle, buying habits, and travels. This information could be sold to governments to create dossiers of individual citizens, or simply sold to other corporations for marketing purposes. While the ability of RFID readers to collect data from tags once a consumer has left a store or moved beyond the readers' range is currently limited, many consumer groups and privacy advocates note that RFID technology is quickly advancing, while measures to protect individual privacy by limiting the amount and type of information corporations can collect about consumers is lacking.

There have been several cases in the past year involving major, reputable companies where the technology of RFID has been used without informing consumers. In the retail industry, for example, some retailers have collected information on customers without providing them with the most basic notice.

Between March and July of 2003, shelves in a Wal-Mart store in Broken Arrow, OK, were equipped with hidden electronics to track lipstick products. Consumers at the store were unaware of the RFID tags contained in the lipstick and that they were being viewed 750 miles away by Procter & Gamble researchers in Cincinnati who could tell when the lipsticks were removed from the shelves and could even watch consumers in action thanks to a system of video surveillance installed in the store. Researchers had concealed the RFID readers in contact paper placed under the shelves and had embedded RFID antenna chips in the lipstick packaging.[3]

Gillette, the razor manufacturer, has tested smart-shelf technology in conjunction with major retailers such as Tesco in which a hidden camera took pictures of shoppers whenever they picked up razor blades from the shelf, and again when they pay for the item at the check-out counter. The smart shelves were tested at a Tesco store in Cambridge, England.[4] Planned testing in Brockton, MA, was publicly canceled by Wal-Mart after consumer protest.[5]

But an even more significant problem than what may happen in stores is the possibility of consumers being covertly tracked, profiled and otherwise monitored via live RFID tags in products they own. There are already a number of RFID applications in use worldwide which offer tracking and monitoring of individuals as part of their explicit feature set. Many of these applications make use of passive RFID tags similar to what might be used in consumer products. A significant portion of data generated over a product’s lifetime will be stored in a centrally-managed, Internet-accessible database known as the Object Name Service (ONS). If information in this database is associated with personally identifiable information, the potential for abuses of consumer data and individual privacy will dwarf any technology previously in use.

Moreover, it is important to note that RFID systems of all kinds are capable of generating a volume of consumer data several orders of magnitude greater than has been possible before. With in-store deployment, it is predicted that Wal-Mart will generate more than seven terabytes of RFID data a day.[6] Numerous retail industry white papers refer to the coming bonanza of high-resolution consumer information and the ease with which this information could be shared with third parties and aggregated for further data mining.[7] The indiscriminate use of personally identifiable information is already a significant issue for consumers in the US, as numerous surveys have shown. As RFID applications move into widespread use, this problem will only become more serious.

1.2. Consumer surveys
Public opinion polls consistently find strong support among Americans for privacy rights in law to protect their personal information from government and commercial entities.[8]
Opinion polls have also demonstrated that there is clear support for the meaningful protections that clear privacy principles, like the Fair Information Practices (FIPs) provide. A number of recent polls show that Americans are "highly concerned" about their privacy and that legislation is preferred over self-regulatory "trust" programs.

When polled Americans indicate that:

In the case of RFID, despite the growing media coverage, consumers are generally not aware of RFID.

A recent study conducted by Capgemini Group and the National Retail Federation found that 77% of the more than 1,000 consumers surveyed were not familiar with RFID.[9] Of those that were familiar with RFID, less than half (42%) had a favorable perception of the technology, while 31% had no opinion.

An internal Proctor & Gamble survey, not intended for public dissemination, found strong negative reaction to RFID use.[10] A document describing the November 2001 survey was located on an unsecured Auto-ID center server and publicized by CASPIAN. 317 consumers participated in Internet-based survey sponsored by Auto-ID center and Proctor & Gamble. 78 percent of respondents reacted negatively. The major findings were as follows:

This ongoing support for the right of privacy is not surprising as privacy protection has a long history in the United States. The US has a strong tradition of extending privacy rights to new forms of technology. Congress has repeatedly sought to protect people against the new privacy risks that new technologies brought. Congress enacted privacy laws for the telephone network, computer databases, cable television, videotape rentals, automated health records, electronic mail, and polygraphs. In each case, it was never the intent to prohibit the technology or to prevent the growth of effective business models. Instead, the purpose was to establish public trust and confidence in the use of new technologies that had the ability to gather a great amount of personal information and, if used improperly, to undermine the right of privacy.

The new technology of RFID raises important privacy risks for people. Those risks point to the urgent need to establish protections for personal information collected by RFID to safeguard consumers' privacy interests.

2. Recent legislative developments
2.1. In the United States
There is currently no federal law applicable to the collection and further processing of personally identifiable data gathered through RFID technology. Legislative developments in various States indicate that state legislatures are aware of their constituents' concerns for the privacy risks that RFID technology raises.
Some state legislation has been proposed, but not yet passed, in several state legislatures over the past year. Most of this legislation includes provisions for clear labeling of consumer products bearing RFID tags, a requirement originally proposed for federal legislation drafted by consumer advocacy group CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), the "RFID Right to Know Act of 2003."[11] RFID bills drafted in the US, (except for a Virginia bill which merely calls for a general review of RFID practices and privacy[12]) all share a "notice" clause first articulated in RFID expert Simpson Garfinkel's RFID Bill of Rights and CASPIAN's RFID Right to Know Act of 2003.[13] This clause requires any consumer products bearing RFID tags to be conspicuously labeled. A bill introduced, and still being debated, in the California senate requires that tags be destroyed or removed at checkout.[14] A bill in the Utah legislature, which failed, and bills in Missouri and Maryland require tags be labeled only.[15] There is no legislation currently being considered at the federal level, although the FTC recently conducted a workshop to debate the current and potential impact of RFID on consumers and individual privacy. Privacy advocates cautioned that without a framework of protection for personal information RFID use could have significant, negative impact on individual privacy.[16]

2.2. International landscape
Other nations already have regulations or guidelines that can help protect consumers against major privacy risks raised by RFID technology. Europeans have regulated privacy with an omnibus law that comprehensively protects the use and processing of personal information. Rules protecting personal information processed through the use of RFID technology are therefore already in place with two data protection directives (enacted in 1995 and 2002) that apply to both the issue of individual tracking and the association of data with personal identification. As a result, any use of RFID tags that involves the processing of personal data is likely to be subject to a number of data protection obligations.[17] Further, the more recent Directive on Privacy and Electronic Communications states that "location data may only be processed when it is made anonymous or with the consent of the individual."[18]

Over the past year there has been widespread activity on the part of governments and NGOs to begin the process of regulating the use of RFID to protect individual privacy. Data protection and privacy commissioners in Sydney, Australia, adopted an international resolution on RFID. Several individual countries, including Italy, Canada, Australia and Japan, have outlined guidelines for domestic industry to follow in their use of RFID.

The approach of regulatory movements worldwide varies considerably. Although it does not explicitly call for labeling (instead, it calls for openness and transparency), the joint resolution of international data protection and privacy commissioners in Sydney, Australia in November 2003 is similar to the California bill in that it requires tags on consumer items to be able to delete data and destroy or disable tags.[19] Joint guidelines released by Japan’s Ministry of Public Management, Home Affairs, Posts and Telecommunications (MPHPT) and the Ministry of Economy, Trade and Industry (METI) on June 8, 2004, call for consumers to be given options on how they might interfere with the reading of tags but appear to say nothing about rights to have the tag removed or destroyed.[20]

3. Need for a legal framework based on Fair Information Practices
Legislation is required because consumers have shown in polls that they view self-regulation as insufficient to effectively protect their privacy, and the RFID industry needs simple, predictable and uniform rules to regulate the collection and use of information through the use of RFID technology. This approach is consistent with US privacy legislation.

This legal framework could be based on the Fair Information Practices. The Fair Information Practices are a set of rights and responsibilities developed in the early seventies. They help ensure personal information is not used in ways that are inconsistent with the purpose for which they were collected. Fair Information Practices typically include the right to limit the collection and use of personal data, the right to inspect and correct information, a means of enforcement, and some redress for individuals whose information is subject to misuse. Fair Information Practices are in operation in laws that regulate many sectors of the US economy, from companies that grant credit to those that provide cable television services. Your video rental store is subject to Fair Information Practices as are public libraries in most states in the country. The government itself is subject to the most sweeping set of Fair Information Practices: the Privacy Act of 1974, that gives citizens basic rights in the collection and use of information held by federal agencies and imposes on these same agencies certain obligations not to misuse or improperly disclose personal data.

The current debate about whether to regulate RFID technology raises the same questions that previous new technologies collecting personal information had raised in the past. Congress by regulating RFID technology and by adapting the Fair Information Practices to this new technology would follow the tradition of providing people with basic rights to protect their privacy and the use of their personal information.

The Fair Information Practices would provide clarity and promote trust for consumers and businesses. They would also encourage the RFID industry and retailers using RFID technology to develop better techniques to protect privacy. If all stakeholders can rely on a set of clear and stable rules to guide their use of RFID, it is likely, in the long term, to reduce the need for government intervention.

3.1. Recommendations
Legislation should protect consumers from improper use and sharing of data in both the public and the private sector. The legislation would address all forms of RFID-based services, from travel security to employee monitoring, child tracking and amusement park patron management. Congress should rule on legislation specifically targeting the use of RFID in the retail sector and require clear labeling and easy removal of item-level RFID tagging on individual consumer products. Clear labeling and easy removal of tags will ensure that consumers receive proper notice of RFID systems and are able to confidently exercise their choice whether or not to go home with live RFID tags in the products they own. Notice and choice are in fact two key components of the Fair Information Practices and elements that consumers value, as shown in many opinion polls. Consumers without high levels of technical capability have no way of knowing if a "killed" tag is merely disabled, physically destroyed, or in fact still fully functional. Tag removal, on the other hand, is transparent and 100 percent effective.

In our comments to the Federal Trade Commission (attached as an appendix to this testimony), we limit our recommendations to the private sector and to the use of RFID technology in the retail industry.[21] We recommend a comprehensive assessment of RFID technology and global practice and recommend the FTC to publish and disseminate documents that educate the general public about RFID technology and with the purpose of educating businesses about RFID technology and the importance of protecting individuals' privacy.

3.2. EPIC's RFID Guidelines
EPIC has drafted a set of industry guidelines that adapt the Fair Information Practices to RFID technology.[22] The guidelines allow businesses in the manufacturing and retail sectors to adopt the technology in a wide range of applications while protecting consumer's basic privacy interests. The guidelines require users of RFID systems to refrain from linking personally identifiable information to RFID tag data whenever possible and only with the individual's written consent. The guidelines also prohibit the tracking or profiling of individuals via RFID in the retail environment; require tags and tag readers to be clearly labeled; and stipulate that tag reading events be perceptible to the consumers through their association with a light or audible tone. We suggest that these guidelines serve as a basis for new federal legislation governing the use of RFID in the retail sector.

Failure to establish strong safeguards in law has generally resulted in economic harm to commerce and growing public concern on privacy. The key to protecting people from the new challenges the RFID technology raises for their privacy is to ensure the effective enforcement of Fair Enforcement Practices or similar privacy principles. We suggest you to consult the RFID guidelines provided in the appendix to this statement when considering privacy legislation for RFID.

Thank you for your attention to the privacy implications of RFID. We look forward to working with the Committee on this and other issues.

 

[1] More information about EPIC is available at the EPIC web site http://www.epic.org.
[2] http://www.privacyinternational.org/survey/phr2003/.
[3] "Chipping away at your Privacy," Chicago Sun Times, November 9, 2003, available at http://www.suntimes.com/output/lifestyles/cst-nws-spy09.html.
[4] Alok Jha, "Tesco Tests Spy Chip Technology," Guardian, July 9, 2003, http://www.guardian.co.uk/uk_news/story/0%2c3604%2c1001211%2c00.html.
[5] Alorie Gilbert and Richard Shim, "Wal-Mart Cancels 'Smart Shelf' Trial," ZDNet.com, July 9, 2003, http://zdnet.com.com/2100-1103_2-1023934.html.
[6] Mark Palmer, "Overcoming the challenges of RFID," ZDNET.com, February 27, 2004 <http://zdnet.com.com/2100-1107_2-5165705.html.>.
[7] See, for example, "Sponsored Feature: A Vision for RFID In-Store Consumer Observational Research," RFIDNews.com, October 20, 2003, available at http://www.rfidnews.org/weblog/2003/10/20/sponsored-feature-a-vision-for-rfid-instore-consumer-observational-research/.
[8] See EPIC's Public Opinion on Privacy web page reviewing those opinion polls on a regular basis at http://www.epic.org/privacy/survey.
[9] Beth Bacheldor, "Study: RFID Not Well-Known By Consumers," InformationWeek, June 24, 2004, available at http://www.informationweek.com/story/showArticle.jhtml?articleID=22101950.
[10] Auto-ID Center/Proctor & Gamble Survey, available at http://cryptome.org/rfid/pk-fh.pdf.
[11] CASPIAN, "RFID Right to Know Act of 2003", available at http://www.nocards.org/rfid/rfidbill.shtml.
[12] Virginia House Bill 1304, available at http://leg1.state.va.us/cgi-bin/legp504.exe?041+ful+HB1304.
[13] See Simson Garfinkel, "An RFID Bill of Rights," Technology Review, October, 2002, at page 35, available at http://www.simson.net/clips/2002.TR.10.RFID_Bill_Of_Rights.pdf and the "RFID Right to Know Act of 2003," available at http://www.nocards.org/rfid/rfidbill.shtml.
[14] California Senate Bill 1834, available at http://info.sen.ca.gov/pub/bill/sen/sb_1801-1850/sb_1834_bill_20040401_amended_sen.pdf.
[15] Utah House Bill HB 251, available at http://www.le.state.ut.us/~2004/htmdoc/hbillhtm/hb0251.htm; Missouri Senate Bill 867, available at http://www.senate.state.mo.us/04INFO/bills/SB867.htm; Maryland House Bill 32, available at http://mlis.state.md.us/2004rs/billfile/HB0032.htm#Exbill.
[16] Radio Frequency Identification: Applications and Implications for Consumers, Federal Trade Commission Workshop, June 21, 2004, available at http://www.ftc.gov/bcp/workshops/rfid/.
[17] Eduardo Ustaran, "Data Protection and RFID Systems," Privacy & Data Protection Volume 3, Issue 6, at page 6, available at http://www.berwinleighton.com/download/PDP-RFIDtagsimplications.pdf. Article 8 of the EU Data Protection Directive of 1995, for example, prohibits the processing "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life." EU Data Protection Directive 95/46/EC, Official Journal of the European Communities of 23 November 1995 No L. 281 p. 31, available at < http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett>.Directive 1995/46/EC [full citation needed…] of the European Parliament and of the Council, available at http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett.
[18] EU Directive on Privacy and Electronic Communications 2002/58/EC , Official Journal, OJ L 201, 31.07.2002, p. 37, available at < http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf>.Directive 2002/58/EC of the European Parliament and of the Council, available at http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf.
[19] See International Conference of Data Protection & Privacy Commissioners "Resolution on Radio-frequency Identification," Final Version, 20 November 2003, available at http://www.privacyconference2003.org/resolutions/res5.DOC.
[20] "Japanese RFID Privacy Guideline Released," June 8, 2004, RFIDBuzz.com, available at http://www.rfidbuzz.com/news/2004/japanese_rfid_privacy_guideline_released.html; see also Nikkei BP news article, June 8, 2004, available at http://nikkeibp.jp/wcs/leaf/CID/onair/jp/flash/312386 (in Japanese).
[21] Available at http://www.epic.org/privacy/rfid/ftc-comts-070904.pdf
[22] Available at http://www.epic.org/privacy/rfid/rfid_gdlnes-062104.pdf.


EPIC Privacy Page | EPIC Home Page

Last Updated: July 14, 2004
Page URL: http://www.epic.org/privacy/rfid/rfidtestimony0704.html