Devanie Angel

Are You Being Tracked?

It looks fairly innocuous, a metal-and-plastic square with wires coiled up like an angular snail, a lot like the anti-theft tag you'd find if you pried apart a book you'd just bought at a chain store. But it's a Radio Frequency Identification tag, RFID for short, and each one has a tiny antenna that can broadcast information about the product, or person, to which it is attached.

To the industry that makes and markets RFID, it's simply the next logical step from bar codes: providing a cheap, easy way to keep products on the shelves, consumers happy and companies making money.

But to many privacy-rights advocates, RFID tags could be the forerunner to nightmare scenarios in which RFID technology is the Trojan horse that brings Big Brother into your home, snooping through your medicine cabinets, fridge and underwear drawer to find out what you do, buy and believe, and, ultimately, what you are.

This small tag has, so far, largely flown under the radar of consumers and the mainstream press. But in early October, privacy-rights advocates Katherine Albrecht and Liz McIntyre published a book, "Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID," that has RFID proponents on the defensive.

The book holds up plenty of evidence to back up the fears of people who otherwise might be written off as tinfoil-hat-wearing conspiracy theorists: IBM taking out a patent for a "person-tracking unit" that uses RFID tags to identify individuals, their movements and purchases in stores. Procter & Gamble and Wal-Mart collaborating on a test that put cameras on a store shelf in Oklahoma and watched customers pluck lipsticks off an RFID-enabled shelf. A Sutter County grade school's experimental program requiring students to wear RFID-enabled badges to track their on-campus movements, thanks to supplies donated by the InCom Corp. based 50 miles northwest of Sacramento.

And the federal government plans to put RFID tags in passports, prescription medications and perhaps driver's licenses and postage stamps. One day, the "Spychips" authors fear, the tiny tags could be on everything from candy bars to dollar bills, compromising both privacy and personal security.

"I think the industry is waiting until they've done adequate PR to where the public will really embrace it," Albrecht said. "They want to get the infrastructure in place [and] find ways to integrate this technology in a way that is not going to scare people. They envision these things in our homes and our refrigerators and in the doorway of our kids' bedrooms."

In the weeks after "Spychips"' release, RFID supporters retaliated with rebuttals calling the book at best a futuristic fairy tale and at worst a delusional pack of lies by fringe alarmists.

As much as the RFID industry (which researchers say will be a $4.2 billion-a-year business by 2011) might want to ignore the book and its authors, it can't afford to do so. One RFID company has even bought space on Google, eBay and Amazon so when consumers search for "Spychips," a link to a 24-page rebuttal pops up.

"We felt we had a responsibility to educate consumers," said Nicholas Chavez, president of RFID Ltd., who co-authored the rebuttal released November 4. "They may get first blanch at the consumers through the book," he said. "There's a big fear out there that people will go read 'Spychips' and then go out and tell 10 people."

"Spychips," he said, casts RFID in "this sinister, Orwellian light" and presupposes applications that aren't within the current capabilities of the technology. RFID was first envisioned in the 1940s, combining the existing disciplines of radio broadcast technology and radar to communicate via reflected power, according to a history by AIM Global, the Association for Automatic Identification and Mobility. It wasn't until the late 1970s that technical capabilities caught up with the vision and RFID began to be applied commercially.

While "active" RFID tags send out radio signals, the more typical "passive" tags lie dormant until picked up by devices called readers, which can be positioned anywhere from a couple of inches to several feet away. The reader transmits the information to a database, where it can be stored. There's some debate over actual vs. intended read range, and Albrecht says she has registered results from as far as 15 feet away, but "you don't need these massive read ranges," Albrecht said, if RFID readers are placed in strategic locations, such as freeway onramps, grocery-store aisles, floors or doorways of homes. While some chips are smaller than a grain of sand, the ones currently in use on shipping crates are the size of a credit card.

It's a technology that ultimately will win over consumers through convenience and savings, said Gail Tom, a California State University, Sacramento, professor who teaches marketing courses and has written two books on consumer behavior.

And yet, she acknowledged, "if you went up to the average person on the street, they would not know what RFID is."

The "Spychips" book, she said, "alerts people to at least think about it." "Whenever you have new technology, there are concerns, and it's good to have concerns [due to] just the possibility that there could be Draconian and negative things. You would hope the good outweighs the bad," she said. "When UPC codes came out, it was somewhat controversial, too," Tom said, remembering worries that unscrupulous retailers would switch prices on unsuspecting customers.

"Using the analogy of the bar code is a good one, because it tracks the product, it doesn't track you," she said. "Marketers are not interested in individuals. They're interested in segments and clumps of people." A lot of the technology's success depends on how the RFID industry plays it, and Tom agreed it's now somewhat on the defensive. "It may not have occurred to marketers that they needed to publicize this, because they may not have seen a lot of the privacy issues."

Underwear tags and smart shopping carts

The RFID industry's adversaries are smart, passionate and media-savvy. With each new development, the authors of "Spychips" fire off an e-mail press release touting their successes or assailing their critics, turning industry leaders' own words against them. They've organized pickets at Wal-Marts, along with boycotts of companies such as Gillette and European retail store Tesco. (In 2003, that store collaborated to package RFID tags with Mach3 razor blades and surreptitiously snap photos of customers taking them from the shelf, and later at the cash register, in a test designed in part to identify potential shoplifters.) The clothing company Benetton canceled its plans to put RFID in underwear and other products after Albrecht launched an "I'd rather go naked" campaign.

Their message is resonating with anti-government Libertarians, conservative Christians and staunch American Civil Liberties Union (ACLU) types. But that's not all. "It doesn't have a demographic," Albrecht said of "Spychips." "Everyone's got a reason not to be spied on."

Try to get biographical information out of Katherine Albrecht, and you'll get some unintended insight into what she's all about. She started taking college courses at age 15 but won't say where she grew up. Along with a master's in instructional technology from Harvard (she's working on her doctorate there), she has a bachelor's degree in international marketing but won't say from where. She's married and has kids but won't say how many. Her family lives somewhere in the state of New Hampshire.

She'll eat a loss before handing over her driver's license to reverse an overcharge at Kmart. She also refuses to use credit or ATM cards, only paying cash. Fittingly, she likes to wear mirrored sunglasses.

"I think I've always been kind of a rebel," Albrecht said. "The ultimate irony is that by being the person who is so openly advocating for privacy, I've become a public figure."

Disturbed by the concept of supermarket loyalty cards, which she feels blackmail shoppers into turning over personal data in exchange for lower prices, Albrecht decided to study the practice for her master's thesis. In 1999, she founded CASPIAN, Consumers Against Supermarket Privacy Invasion And Numbering.

So, it wasn't a reach when, a couple of years later, Albrecht heard about "smart" shopping carts that use RFID to track shoppers throughout a store. She researched and wrote an article for the Denver University Law Review and began attending RFID trade shows in the United States and Europe, where she heard the multiple, often conflicting messages companies were sending to clients, consumers and the general and trade presses.

Also in 1999, corporations and academia were collaborating to create the Auto-ID Center on the Massachusetts Institute of Technology (MIT) campus. The nonprofit research project was founded and funded by Procter & Gamble, Gillette and the Uniform Code Council, which manages the bar code.

"It was just down the street from Harvard, where I was working on my doctorate," Albrecht said. In the spring of 2002, she signed up as a member of the media to attend a meeting at the Auto-ID Center, which was in the midst of its successful quest to get $300,000 each from companies that wanted to be sponsoring partners. "I was a fly on the wall taking notes in the back." By then, years into her anti-loyalty-card crusade, Albrecht was a confirmed skeptic and wasn't surprised that big business would want to gather personal information on and track customers, or that it would hope to fly under consumers' radar until RFID was embedded in society and it was too late to do anything about it. "What surprised and horrified me in 2002 was that they actually had a technology to do this."

And no one seemed to be talking about privacy issues.

"I came home that day so sickened and so reeling that I sat down with my husband and said, 'I feel like I have the weight of the world on my shoulders because I know what's coming.'

"This is going to fundamentally change everything."

At another board meeting at MIT, Albrecht found herself sharing an elevator with the then-executive director of the Auto-ID Center, Kevin Ashton. Ashton, who was not available for comment and now works for a company that makes RFID readers, has told interviewers that item-level RFID tagging will become common between 2007 and 2010, with RFID common in the home between 2010 and 2020. He also envisions an "Internet of Things" that will link every item sold, from a can of Pepsi to an Armani dress shirt, to its own Web page, tracking it from manufacturer to warehouse to transport and beyond, until the tag is presumably killed by the consumer.

"He gets it. He sees the hugeness of this," Albrecht said of the man she considers her arch nemesis. "He embraces this future; I'm horrified."

To track or to serve?

In October 2003, the Auto-ID Center dissolved, and EPCGlobal took its place as a nonprofit entity standardizing what's referred to as Electronic Product Code. Unlike a bar code, which can reveal only the type of product you purchased, an EPC is a unique identifier that attaches a serial number to tell a reader exactly which item you have.

On the corporate level, Wal-Mart has been leading the push toward RFID in a retail setting. This year, the company began requiring the 100 top suppliers to its Texas stores to put RFID tags on their shipping pallets and cases of products at an estimated cost of millions of dollars a year.

"We are also on target to have the next top 200 suppliers live in January 2006," said Christi Gallagher, a media-relations representative for Wal-Mart. "We don't anticipate each item in the store being tagged for 10 to 15 years," she added. "Wal-Mart is not looking at RFID technology to track customers, but rather to serve them by enhancing its supply-chain process."

The industry envisions "smart shelves," which would alert stores when inventory is low, so they could restock or reorder, decreasing frustration and increasing sales. RFID also has anti-theft applications and could help expedite returns, product recalls and warranties.

Theoretically, the stores would pass savings on to customers.

In November 2003, the Chicago Sun-Times reported on a trial by Procter & Gamble and Wal-Mart in which shoppers in a Broken Arrow, Okla., store were viewed remotely from Procter & Gamble headquarters as they took packages of Max Factor Lipfinity lipstick off a shelf. The boxes contained small RFID chips, and readers were embedded in the shelf liner.

Although representatives from both companies initially denied such a study ever took place, Wal-Mart now says it was anything but secret.

"There were signs present saying a test was being conducted," Gallagher said. Gallagher said Albrecht "may not fully understand the technology" and that, "because of our size, we are often the target of criticism by these special-interest groups with their own very narrow agendas, which typically do not reflect the philosophies of the majority of our customers."

The Department of Defense has ordered suppliers to affix RFID tags to shipping crates. The U.S. Food and Drug Administration (FDA) has called for RFID tags on pharmaceuticals' shipping containers, which it says would reduce counterfeiting and theft, and the companies that manufacture OxyContin and Viagra are already on board. The U.S. State Department announced in May that it was backing off on RFID-enabled passports after privacy-rights advocates pointed out that, lacking encryption, the tags could be read remotely by anyone, including terrorists who could stand in airports with handheld RFID readers, separating out Americans and allowing precision-level targeting. The scheduled rollout had been last summer.

Already, San Francisco Bay Area motorists use FasTrak to quickly traverse bridges and other toll areas, with an RFID-enabled device automatically debiting their accounts. A Mobil gas station Speedpass uses the same technology, as do VeriChips implanted in pets in case they get lost.

More recently, appliance makers have developed microwave ovens and washing machines that can scan bar codes and, eventually, read RFID tags on products to determine how and how long to cook or wash a product. The food industry could tag and track meat and other products, making recalls much simpler. If you have a keyless remote for your car, you are carrying around an RFID tag.

And for convenience's sake, the possibilities are exciting: Load up your shopping cart, wheel it through an RFID-enabled bay that will instantly scan the items, store loyalty card and payment card, and check out in seconds.

Privacy rights meet the spy chip

Simson Garfinkel, Ph.D., has seen all sides of the issue and says it's not a Utopia-vs.-Armageddon scenario. An author and instructor at Harvard, he is an expert in computer security and studies information policy and terrorism.

"The public is largely not participating in this debate, and unfortunately the decisions are being made right now," he said. For example, he said, MasterCard and Visa claim they have deployed 1.5 million RFID-enabled cards with no customer complaints. "The fact is these people don't even know that they're carrying the cards," Garfinkel said.

Garfinkel is a member of the Electronic Frontier Foundation (EFF) and a signer of the nonprofit's Position Statement on the Use of RFID in Consumer Products. The statement, which also is endorsed by CASPIAN, the ACLU and various consumer and privacy organizations, calls for a voluntary moratorium on item-level tagging and also seeks to preserve consumers' right to disable tags, avoid being tracked without consent and preserve anonymity.

Spurred in part by the Sutter County student-tagging controversy, the EFF and ACLU drafted a bill for the California Legislature that became Senate Bill 768, and Senator Joe Simitian, D-Palo Alto, agreed to carry it. The bill currently is parked on the Assembly floor, to be resurrected for discussion in January. It calls for a three-year moratorium on the use of RFID technology on driver's licenses, library cards, student-body cards, Medi-Cal cards and other "mass distribution" documents. It also would set fines for "intentional remote reading" of someone's personal information without his or her knowledge and would require personal information on RFID tags to be encrypted.

"It's hardly a household word," Lee Tien, staff attorney for EFF, said of RFID. "But those people who are aware of it have fairly predictable reactions. [And] the more people know about it, they more concerned they are."

In October 2003, a survey commissioned by the National Retail Federation found that while 43 percent of those who had heard of RFID viewed it favorably, almost 70 percent of consumers were "extremely concerned" that data collected via RFID could be used by a third party, that it would make them the target of advertisers or that they themselves could be tracked through their purchases. "Should the industry fail to educate consumers about RFID, that role will default to consumer-advocacy groups," warned consulting firm CapGemini.

The Sacramento-based California NOW (National Organization for Women) has signed on as an official supporter of S.B. 768 and is joining the ACLU, the Commission on the Status of Women and the California Partnership to End Domestic Violence in lobbying the Legislature in favor of the bill.

"California NOW's primary concern about the use of RFIDs is the threat to women and their children's safety," said Jodi Hicks, California NOW's legislative director. "Women and their children who are fleeing domestic violence need to be protected by having their whereabouts concealed from their abuser. RFIDs are the dream tool of an abuser or stalker, and we must do what we can to keep that technology out of the hands of those criminals."

For Chavez, of RFID integrator RFID Ltd., it's a battle for consumers' trust. "You can't take it personally," he said, but "I do take offense to the fact that they're influencing consumers' opinions of anyone and everyone in the RFID industry as being secretive or Machiavellian in their efforts."

He wants Albrecht and McIntyre to agree to join his company's advisory board, participate in public debates and train to become "certified" in RFID. "If they wish to be credible in talking about RFID technology, they need to be certified." Chavez tempers his criticism, acknowledging that others in the industry have directed "very well-publicized slurs" at the Spychips authors.

Privacy advocates raise important concerns, he said. "I'm all for labeling, and the consumers should have the option to kill the tag at the point of sale." Most in the industry believe in some form of a code of ethics but ultimately want to police themselves.

RFID trade association AIM Global, which also published a rebuttal to "Spychips," calls the book a "great read" for "conspiracy buffs" and says it includes "a lot of conjecture, old news, unfounded assumptions, and a hodgepodge misrepresentation of the various types of RFID--even as the book admits the technology's limitations."

Mark Roberti, founder and editor of the RFID Journal, said RFID is a wonderful technology that is getting a bad rap by a vocal minority. "You can't see it--that's what creeps people out.

"The fact is, everywhere RFID has been introduced, people love it."

Roberti has written hundreds of articles about RFID and its applications, editorialized against the Spychips book and said its authors "consistently overstate the truth."

"They don't understand the fundamentals of business," Roberti said of the idea that collected data could become common knowledge. "Businesses never share information about their customers. The company is always going to do what will make it money."

That's only the beginning of the "misguided" and "pathetic" ideas that Roberti said pervade "Spychips." "The book is so stupid in the fact that it does not relate technology to reality. ... Wal-Mart cannot change the laws of physics."

"They're struggling to read tags on cases traveling through a dock door 10 feet wide at 5 miles an hour," Roberti said, and it's easy to disable or "jam" tags. Read ranges are only a few inches in most cases, and it will be years before RFID tags are cheap enough--5 cents, the industry hopes--to place on individual products.

And nowhere in the book, Roberti says, is there an example of a specific person whose privacy has been invaded.

"Every time you go into a store, video cameras are assuming you're guilty. Why is RFID suddenly the problem?" said Roberti, who is against tracking people by name and is disturbed that U.S. privacy laws are not as advanced as those in Europe. Still, he said, "these are not evil people out to screw all these consumers. These are good people who want to sell products."

"In my view, RFID gives the consumer all the power," he said. "Wal-Mart has no power. We choose to shop there. ... Vote with your wallet. If you don't want someone to put an RFID tag in a product, don't buy that product."

Albrecht, who authored a rebuttal to Roberti's rebuttal, said he misrepresents what "Spychips" is all about. It's not about how corporations and the government have invaded people's privacy. It's about how they plan to invade their privacy in the future.

"Part of what the book does is show industry vision," she said. "Before 1910, when electrical outlets were invented, if you had said, 'There will be a way to tap into a worldwide power grid, and [devices] will be every 10 feet in your house,' people would say, 'You're nuts,'" she said.

It's largely the "what if" thought progression that has RFID proponents so mad about "Spychips."

What if the "smart" medicine cabinet developed by Accenture didn't just warn people, by matching face-recognition software to FDA-mandated RFID tags on medicine bottles, that they were about to take the wrong medicine, but broadcast that information to their family members, doctor or the government? What if the government or insurance companies start using information gathered by RFID to deny people health coverage?

What if the same refrigerator that lets you know when you're out of cheese also radios the information to marketers, who in turn bombard you with unwanted advertisements?

What if police decide to use the passes carried by toll-bridge users to determine via RFID readers that a driver had gotten from Point A to Point B too quickly and issue speeding tickets?

What if you have your RFID-enabled passport in your pocket when you go to an anti-war rally, and government agents remotely scan it and put you in a database?

"That's the more dangerous, insidious side of RFID," said the EFF's Tien of the possibility of surreptitious government use of RFID. "The private sector and the government work hand in hand in many areas of surveillance. ... It's all one big blob a person has to worry about."

"Some people say, 'I don't care if people find out I wear size 8 Levi's jeans,'" Tien said. But what about more sensitive and personal possessions, such as a pregnancy home-test kit, or meds for bipolar disorder or HIV? "There are a lot of issues about your preferences and your beliefs," Tien said. "It's the same debate as the Patriot Act. Some people will say they have nothing to hide, and the government could find the same things out another way."

Tom, the CSUS professor, said that at the end of the day, most consumers don't really care how a technology works; they just think "it's neat that it works."

If they don't like a technology, or how it's being applied, "the power is still in the hands of the consumer. The consumer still has the power at the very end to rip off the tag."

"I don't see industry in general using RFID tags in a stealth manner," Tom said. Garfinkel said it would be a shame if RFID were dismissed completely because the industry is "incompetent" at addressing privacy concerns. He embraces many uses of the technology and especially sees ways it could be used to help blind people.

"The industry is acting very poorly." RFID manufacturers contradict themselves, he says, when they talk about how powerful their tags are and then tell consumers not to worry about them being read covertly, or from a distance beyond the recommended read range.

"Lots of times, things we think are not possible under the laws of physics actually are possible because it's an engineering problem, not a physics problem."

What it comes down to is whether you trust the government and big business to keep your privacy and other best interests at heart, he said.

"I think it's a mistake to simply assume that business would never do anything secret," Garfinkel said. "The government is already following people around. I could easily see us being in a world where this is pervasively deployed. A lot of personal info could be leaked."

Albrecht said CASPIAN's intent has never been to ban RFID, she said, but rather to make companies tell consumers when tags or readers are being used so they can make informed choices.

If consumers wait and hope for the best, it may be too late, said Tien, of the EFF. "Privacy violations are not like a lot of other kinds of violations. You don't see them right away," he said, drawing a comparison with identity theft.

"There's really no reason to wait until a disaster happens until you deal with it. You can do something now rather than wait for a crisis."