Watching Out Feb. 16, 2004

The closer RFID gets to consumers, the hotter privacy issues become

By Thomas Claburn

German retailer Metro Group hasn't shied away from its role as a living laboratory for radio-frequency identification technology. And it hasn't always been pleasant. Just this month, Metro invited one of the most-vocal critics of RFID to its "future store," where the tags are being field-tested--and ended up defending itself against charges it hid RFID chips in its loyalty cards.

It's going to be that kind of year. At a time destined to determine the viability of this technology as a means of supply-chain management, privacy fears could stall it. Beyond a rising storm of privacy activism, there are public doubts and even the prospect of regulation. Most companies can't afford to wait for the privacy concerns to sort themselves out before experimenting with RFID technology, so they need to do more to prove that RFID is about big savings and not Big Brother.

"We say it's absolutely not Big Brother, and we are absolutely willing to explain that to people," says a spokesman for Metro, which this fall plans to be the first to use RFID technology along its entire product chain.

Metro's experience shows that openly addressing the issue won't necessarily be comfortable. After visiting Metro's Extra Future Store, RFID's leading critic, Katherine Albrecht, founder and director of a group called Consumers Against Supermarket Privacy Invasion and Numbering, known as Caspian, which opposes marketing data collection, raised the alarm about Metro's loyalty cards and warned that the serial numbers in the store's RFID tags couldn't be deleted. Metro says Albrecht was told the tag deactivator was a first-version test that can delete only the Electronic Product Code number, which functions much like a bar code, and the technology to erase the serial number from the tag will arrive in about six months.

Metro uses the chip-based Payback loyalty cards to let customers preview age-restricted DVDs. Metro has RFID tags on CDs and DVDs for theft protection and to let customers preview films. Without a loyalty card as a key, customers can watch only the equivalent of G-rated films. There are no readers in the store tracking customers, the Metro spokesman says. "It's a bit crazy to be saying that [our test] is the beginning of the end of the world," he says.

Most retailers and their suppliers, particularly in the United States, are concentrating on using RFID to better track and manage pallets or cases of products. That's Wal-Mart Stores Inc.'s mandate to its top 100 suppliers, with a January deadline. And most of the privacy concerns come from the possibility that every item in a store might include a tag and might therefore be tracked.

Still, even scientists familiar with the technology say companies haven't done enough to address privacy concerns. "RFID privacy hasn't really been thought through past the checkout," says Kenneth Fishkin, a researcher at Intel Research Seattle and an affiliate professor of computer science at the University of Washington. Fishkin notes that the technology for past-checkout scenarios is years away, but that shouldn't stop companies from tackling the issue. "It's sort of a premature concern. But better premature than never, I guess," he says.

A few lawmakers, too, are starting to raise concerns. California state Sen. Debra Bowen plans to introduce legislation this month to restrict the use of RFID tags, most likely on retail items.

Manufacturers and retailers are depending on each other to implement RFID in a way that works for everyone, Procter & Gamble's Hughes says.

Industry members say they're doing their best to address these issues even as the technology emerges. Sandy Hughes, global privacy officer for consumer-products manufacturer Procter & Gamble Co., heads a newly formed subcommittee at RFID industry group EPCglobal, called the Chief Privacy Officer Forum. "One thing that's really important with this technology is the reliance that retailers and manufacturers have in this together," she says. "So it's not something where we can just say for P&G, here's our privacy program, so everybody implement it the way we say. Since it's supply chain, we're all dependent on each other on how we implement it."

Procter & Gamble used RFID tags on Max Factor Lipfinity lipstick packaging at an Oklahoma Wal-Mart last October and brought a raft of criticism that it didn't do enough to let customers know the chips were being used to track packages off the shelf, with video monitoring to boot. (A Procter & Gamble spokeswoman says there were notices that an RFID test was under way.) A Wal-Mart spokeswoman says the Oklahoma RFID trial confirmed the retailer's focus on case and pallet tagging was the right one, and that item-level tagging remains years away.

Several European retailers are more directly tackling the privacy issues, in part because they're planning to put tags closer to the customer.

Metro begins using RFID from production through checkout at some 250 of its stores in November. And U.K. department store Marks & Spencer plc is experimenting with using the tags in-store. At the end of last month, Marks & Spencer disclosed the results of an RFID trial it conducted last fall. Its findings: positive overall, with the caveat that the equipment needs some work and customers are surprisingly unconcerned.

The trial involved throwaway paper RFID tags called Intelligent Labels that were attached to, though not embedded in, men's suits, shirts, and ties. Each tag contained a unique number that pointed to an entry in a database detailing product characteristics such as size, color, and style. Because the tag numbers weren't scanned at purchase, no personal information ended up being associated with them. The scanners reading the tags of all garments passing through the distribution center and through store loading bays proved less accurate than the mobile scanner employees used to check inventory on the sales floor. The mobile scanner, linked to a PC in a pushcart, consumed too much power for the battery provided and wasn't durable enough.

Of 50 people surveyed about their experience, according to Marks & Spencer, only one noticed the tags without prompting. "To be honest, quite a lot of our customers didn't really pay much attention," says a Marks & Spencer spokeswoman. "They just want to come in and buy their product, really."

Yet anyone ready to let his or her guard down need only look at how critics like Lee Tien, staff attorney for cyberliberties advocacy group The Electronic Frontier Foundation, frame the debate. Tien contends people can't accurately gauge the value of the privacy they might be tempted to trade away based on an incremental benefit. RFID is "like pollution," he says. "An individual company will often find it rational to pollute. The costs are borne by all these other people." Caspian's Albrecht paints a picture of an "everything-registration system" in which any item's purchase history could be tracked.

Even if retailers were interested in tracking how often you changed your underwear, there are major technical and practical obstacles in the way of such systems (see sidebar story, "Tech Tools: Companies Look For Ways To Protect Privacy"). Still, there's the question of motivation: If legitimate merchants want to please their customers, there's a strong disincentive to violate customer privacy. And there's an issue closely related to privacy that companies often overlook, says Ari Juels, manager of applied research at security firm RSA Laboratories: corporate espionage, such as tapping into a warehouse reader or secretly scanning goods as they leave a distribution point. "Privacy isn't just a consumer problem," he says. "It's also a problem for enterprises deploying RFID."

RFID-specific privacy issues remain largely theoretical, but privacy issues surrounding data collection--a practice that RFID will one day make more efficient--are very real. Recent revelations that JetBlue Airways and Northwest Airlines voluntarily turned over passenger data to the government demonstrate that a privacy policy isn't enough to prevent companies from violating their customers' privacy expectations. A survey of 347 consumers and 223 business respondents--comprised of privacy officers, marketing executives, and customer-relationship-management executives--released in January by consulting firm Accenture found that 51% say fear of inadequate protection of their personal data has compelled them to "reject or cancel" doing business with a company.

As data collection becomes easier, data-possession policies will face greater scrutiny. As Michelle Dennedy, Sun Microsystems' chief privacy officer, puts it, "Collecting too much data that you're not interested in, and not getting rid of it at the appropriate time, not only hurts consumer privacy, it hurts your business."

While the privacy risks are mostly theoretical so far, so are the potential benefits. That's where RFID will face the test: 69% of those surveyed by Accenture will part with personal information in exchange for rewards such as cash, convenience, and bonus points.

That's essentially the conclusion research firm Forrester Research came to in its December report, "The X Internet And Consumer Privacy" (the X stands for "extended" and refers to the set of technologies, such as RFID, that connect business information systems to physical assets, products, and devices). The report observes that the "fight for the public mind" being waged between privacy groups and industry can be won by companies that offer the public real value for its information, particular higher security, better health, more time and money, or an improved lifestyle.

Many technologies with privacy implications have been accepted because they provide obvious value and the data hasn't been abused. Glover Ferguson, a chief scientist at Accenture, points to automatic toll-payment systems such as FasTrak in California. "Some people have gotten edgy about that, but most have not," he says.

But with RFID so new, there aren't many uses available to show people that the value-privacy risk balance can work.

The Alexandra Hospital in Singapore is one. The hospital's Department of Emergency Medicine is running a pilot program in which ER patients are tracked using RFID tags. With patients turning over daily and moving in unpredictable patterns around the ER, the system was created to let staff spend less time tracking people down. According to a hospital official, the system was developed with patient privacy in mind. All information--patient names and contact numbers--is accessible by designated staff with individual passwords. And tracking data is kept for only 21 days, as required by the Ministry of Health.

The U.S. Department of Defense is another early RFID adopter, with one pilot program under way and more planned as it pushes its suppliers to adopt the technology. Though insulated from consumer concerns, it certainly faces far greater security questions than most companies. But Alan Estevez, assistant deputy undersecretary of defense, emphasizes the department's confidence in being able to protect RFID-generated data. "I would argue that RFID enables a more secure supply chain," he says, "because you're able to have a better handle on where your material is and what you're doing with it."

It's the Marks & Spencer RFID trial, however, that people in the industry point to as an example of best practices. Employees discussed the project with Albrecht of Caspian and the United Kingdom's National Consumer Council. When the main privacy concern that came up was the possibility of RFID embedded in products, they put them on the removable tags.

Yet openness won't prevent mistakes, bad decisions, and emotional charges when it comes to collecting and using data. Metro's approach didn't prevent accusations of deception when the first-generation technology it uses for tag deactivation didn't do all that the company wants or that customers expect.

It also shows that the closer RFID technology comes to the customer, the hotter the privacy issues. "Customers are naturally going to be worried about items being tagged at the item level," says Vijay Sarathy, product line manager for Sun's RFID solutions. "There are some very germane concerns and there are some very uninformed concerns." It's clear from companies' experience so far that the privacy discussion needs to reach customers before the chips do.

InformationWeek, 16. Februar 2004
Original: http://www.informationweek.com/story/showArticle.jhtml?articleID=17603415