Radio Frequency Identification (RFID) is an item-tagging technology with profound societal implications. Used improperly, RFID has the potential to jeopardize consumer privacy, reduce or eliminate purchasing anonymity, and threaten civil liberties.

As organizations and individuals committed to the protection of privacy and civil liberties, we have come together to issue this statement on the deployment of RFID in the consumer environment. In the following pages, we describe the technology and its uses, define the risks, and discuss potential public policy approaches to mitigate the problems we raise.

RFID tags are tiny computer chips connected to miniature antennae that can be affixed to physical objects. In the most commonly touted applications of RFID, the microchip contains an Electronic Product Code (EPC) with sufficient capacity to provide unique identifiers for all items produced worldwide. When an RFID reader emits a radio signal, tags in the vicinity respond by transmitting their stored data to the reader. With passive (battery-less) RFID tags, read-range can vary from less than an inch to 20-30 feet, while active (self-powered) tags can have a much longer read range. Typically, the data is sent to a distributed computing system involved in, perhaps, supply chain management or inventory control.

THREATS TO PRIVACY AND CIVIL LIBERTIES

While there are beneficial uses of RFID, some attributes of the technology could be deployed in ways that threaten privacy and civil liberties:

Hidden placement of tags. RFID tags can be embedded into/onto objects and documents without the knowledge of the individual who obtains those items. As radio waves travel easily and silently through fabric, plastic, and other materials, it is possible to read RFID tags sewn into clothing or affixed to objects contained in purses, shopping bags, suitcases, and more.
 

Unique identifiers for all objects worldwide. The Electronic Product Code potentially enables every object on earth to have its own unique ID. The use of unique ID numbers could lead to the creation of a global item registration system in which every physical object is identified and linked to its purchaser or owner at the point of sale or transfer.
 

Massive data aggregation. RFID deployment requires the creation of massive databases containing unique tag data. These records could be linked with personal identifying data, especially as computer memory and processing capacities expand.
 

Hidden readers. Tags can be read from a distance, not restricted to line of sight, by readers that can be incorporated invisibly into nearly any environment where human beings or items congregate. RFID readers have already been experimentally embedded into floor tiles, woven into carpeting and floor mats, hidden in doorways, and seamlessly incorporated into retail shelving and counters, making it virtually impossible for a consumer to know when or if he or she was being "scanned."
 

Individual tracking and profiling. If personal identity were linked with unique RFID tag numbers, individuals could be profiled and tracked without their knowledge or consent. For example, a tag embedded in a shoe could serve as a de facto identifier for the person wearing it. Even if item-level information remains generic, identifying items people wear or carry could associate them with, for example, particular events like political rallies.

FRAMEWORK OF RFID RIGHTS AND RESPONSIBILITIES

This framework respects businesses' interest in tracking products in the supply chain, but emphasizes individuals' rights to not be tracked within stores and after products are purchased. To mitigate the potential harmful consequences of RFID to individuals and to society, we recommend a three-part framework. First, RFID must undergo a formal technology assessment, and RFID tags should not be affixed to individual consumer products until such assessment takes place. Second, RFID implementation must be guided by Principles of Fair Information Practice. Third, certain uses of RFID should be flatly prohibited.

Technology assessment. RFID must be subject to a formal technology assessment process, sponsored by a neutral entity, perhaps similar to the model established by the now defunct Congressional Office of Technology Assessment. The process must be multi-disciplinary, involving all stakeholders, including consumers.

Principles of Fair Information Practice. RFID technology and its implementation must be guided by strong principles of fair information practices (FIPs). The eight-part Privacy Guidelines of the Organisation for Economic Co-operation and Development (OECD) provides a useful model (www.oecd.org). We agree that the following minimum guidelines, based in part on these principles, must be adhered to while the larger assessment of RFID's societal implications takes place:

Openness, or transparency. RFID users must make public their policies and practices involving the use and maintenance of RFID systems, and there should be no secret databases. Individuals have a right to know when products or items in the retail environment contain RFID tags or readers. They also have the right to know the technical specifications of those devices. Labeling must be clearly displayed and easily understood. Any tag reading that occurs in the retail environment must be transparent to all parties. There should be no tag-reading in secret.
 

Purpose specification. RFID users must give notice of the purposes for which tags and readers are used.
 

Collection limitation. The collection of information should be limited to that which is necessary for the purpose at hand.
 

Accountability. RFID users are responsible for implementation of this technology and the associated data. RFID users should be legally responsible for complying with the principles. An accountability mechanism must be established. There must be entities in both industry and government to whom individuals can complain when these provisions have been violated.
 

Security Safeguards. There must be security and integrity in transmission, databases, and system access. These should be verified by outside, third-party, publicly disclosed assessment.

RFID Practices that Should be Flatly Prohibited:

There should be no prohibition on individuals to detect RFID tags and readers and disable tags on items in their possession.
 

RFID must not be used to track individuals absent informed and written consent of the data subject. Human tracking is inappropriate, either directly or indirectly, through clothing, consumer goods, or other items.
 

RFID should never be employed in a fashion to eliminate or reduce anonymity. For instance, RFID should not be incorporated into currency.

ACCEPTABLE USES OF RFID

We have identified several examples of "acceptable" uses of RFID in which consumer-citizens are not subjected to "live" RFID tags and their attendant risks.

Tracking of manufactured goods from the point of manufacture to the location where they will be shelved for sale. RFID tags could help insure that products are not lost or stolen as they move through the supply chain. The tags could also assure the goods are handled appropriately. Tags should be confined to the outside of product packaging (not embedded in the packaging) and be permanently destroyed before consumers interact with them in the store.
 

Detection of items containing toxic substances when they are delivered to the landfill. For example, when a personal computer is brought to the landfill, a short-range RFID tag could communicate toxic content to a reader at the landfill. It is important to underscore that uses such as the landfill example do not require -- and should not entail -- item-level unique identifiers. The RFID tag would, rather, emit a generic recycling or waste disposal message.

CONCLUSIONS

We are requesting manufacturers and retailers to agree to a voluntary moratorium on the item-level RFID tagging of consumer items until a formal technology assessment process involving all stakeholders, including consumers, can take place. Further, the development of this technology must be guided by a strong set of Principles of Fair Information Practice, ensuring that meaningful consumer control is built into the implementation of RFID. Finally, some uses of RFID technology are inappropriate in a free society, and should be flatly prohibited. Society should not wait for a crisis involving RFID before exerting oversight.

Although not examined in this position paper, we must also grapple with the civil liberties implications of governmental adoption of RFID. The Department of Defense has issued an RFID mandate to its suppliers, schools and libraries in the have begun implementing RFID, the EU and the Japanese government have considered the use of RFID in currency, and British law enforcement has expressed an interest in using RFID as an investigative tool. As an open democratic society, we must adopt a strong policy framework based on Principles of Fair Information Practice to guide governmental implementation of RFID.

RFID Position Paper
Attachment 1
November 14, 2003

Limitations of RFID Technology : Myths Debunked

The following technological limitations have been proposed as reasons why consumers should not be concerned about RFID deployment at this time. We address each perceived limitation in turn, and explain why in themselves, these limitations cannot be relied upon as adequate consumer protection from the risks outlined above.

1. Read-range distances are not sufficient to allow for consumer surveillance.

RFID tags have varying read ranges depending on their antenna size, transmission frequency, and whether they are passive or active. Some passive RFID tags have read ranges of less than one inch. Other RFID tags can be read at distances of 20 feet or more. Active RFID tags theoretically have very long ranges. Currently, most RFID tags envisioned for consumer products are passive with read ranges of under 5 feet.

Contrary to some assertions, tags with shorter read ranges are not necessarily less effective for tracking human beings or items associated with them. In fact, in some cases a shorter read range can be more powerful. For example, if there were an interest in tracking individuals through their shoes as they come within range of a floor reader, a two-inch read range would be preferable to a two-foot read range. Such a short range would help minimize interference with other tags in the vicinity, and help assure the capture of only the pertinent tag positioned directly on the reader.

2. Reader devices not prevalent enough to enable seamless human tracking.

The developers of RFID technology envision a world where RFID readers form a "pervasive global network" It does not take a ubiquitous reader network to track objects or the people associated with them. For example, automobiles traveling up and down Interstate 95 can be tracked without placing RFID readers every few feet. They need only be positioned at the entrance and exit ramps. Similarly, to track an individual's whereabouts in a given town, it is not necessary to position a reader device every ten feet in that town, as long as readers are present at strategic locations such as building entrances.

3. Limited information contained on tags.

Some RFID proponents defend the technology by pointing out that the tags associated with most consumer products will contain only a serial number. However, the number can actually be used as a reference number that corresponds to information contained on one or more Internet-connected databases. This means that the data associated with that number is theoretically unlimited, and can be augmented as new information is collected.

For example, when a consumer purchases a product with an EPC-compliant RFID tag, information about the consumer who purchased it could be added to the database automatically. Additional information could be logged in the file as the consumer goes about her business: "Entered the Atlanta courthouse at 12:32 PM," "At Mobil Gas Station at 2:14 PM," etc. Such data could be accessed by anyone with access to such a database, whether authorized or not.

4. Passive tags cannot be tracked by satellite.

The passive RFID tags envisioned for most consumer products do not have their own power, meaning they must be activated and queried by nearby reader devices. Thus, by themselves, passive tags do not have the ability to communicate via satellites.

However, the information contained on passive RFID tags could be picked up by ambient reader devices which in turn transmit their presence and location to satellites. Such technology has already been used to track the real-time location of products being shipped on moving vehicles through the North American supply chain.

In addition, active RFID tags with their own power source can be enabled with direct satellite transmitting capability. At the present time such tags are far too expensive to be used on most consumer products, but this use is not inconceivable as technology advances and prices fall.

5. High cost of tags make them prohibitive for wide-scale deployment.

RFID developers point to the "high cost" of RFID tags as a way to assuage consumer fears about the power of such tags. However, as technology improves and prices fall, we predict that more and more consumer products will carry tags and that those tags will become smaller and more sophisticated. We predict that the trend will follow the trends of other technical products like computers and calculators.