CNET NEWS.COM Perspectives By Declan McCullagh - RFID tags: Big Brother in small packages.

Could we be constantly tracked through our clothes, shoes or even our cash in the future?

I'm not talking about having a microchip surgically implanted beneath your skin, which is what Applied Digital Systems of Palm Beach, Fla., would like to do. Nor am I talking about John Poindexter's creepy Total Information Awareness spy-veillance system, which I wrote about last week.

Instead, in the future, we could be tracked because we'll be wearing, eating and carrying objects that are carefully designed to do so.

The generic name for this technology is RFID, which stands for radio frequency identification. RFID tags are miniscule microchips, which already have shrunk to half the size of a grain of sand. They listen for a radio query and respond by transmitting their unique ID code. Most RFID tags have no batteries: They use the power from the initial radio signal to transmit their response.

[ ... ]

You can imagine nightmare legal scenarios that don't involve the cops. Future divorce cases could involve one party seeking a subpoena for RFID logs--to prove that a spouse was in a certain location at a certain time. Future burglars could canvass alleys with RFID detectors, looking for RFID tags on discarded packaging that indicates expensive electronic gear is nearby. In all of these scenarios, the ability to remain anonymous is eroded.

Don't get me wrong. RFID tags are, on the whole, a useful development and a compelling technology. They permit retailers to slim inventory levels and reduce theft, which one industry group estimates at $50 billion a year. With RFID tags providing economic efficiencies for businesses, consumers likely will end up with more choices and lower prices. Besides, wouldn't it be handy to grab a few items from store shelves and simply walk out, with the purchase automatically debited from your (hopefully secure) RFID'd credit card?

The privacy threat comes when RFID tags remain active once you leave a store. That's the scenario that should raise alarms--and currently the RFID industry seems to be giving mixed signals about whether the tags will be disabled or left enabled by default.

In an interview with News.com last week, Gillette Vice President Dick Cantwell said that its RFID tags would be disabled at the cash register only if the consumer chooses to "opt out" and asks for the tags to be turned off. "The protocol for the tag is that it has built in opt-out function for the retailer, manufacturer, consumer," Cantwell said.

[ ... ]

If the tags stay active after they leave the store, the biggest privacy worries depend on the range of the RFID readers. There's a big difference between tags that can be read from an inch away compared to dozens or hundreds of feet away.

[ ... ]

But what about a more powerful RFID reader, created by criminals or police who don't mind violating FCC regulations? Eric Blossom, a veteran radio engineer, said it would not be difficult to build a beefier transmitter and a more sensitive receiver that would make the range far greater. "I don't see any problem building a sensitive receiver," Blossom said. "It's well-known technology, particularly if it's a specialty item where you're willing to spend five times as much."

Privacy worries also depend on the size of the tags. Matrics of Columbia, Md., said it has claimed the record for the smallest RFID tag, a flat square measuring 550 microns a side with an antenna that varies between half an inch long to four inches by four inches, depending on the application. Without an antenna, the RFID tag is about the size of a flake of pepper.

[ ... ]

To the credit of the people in the nascent RFID industry, these trials are allowing them to think through the privacy concerns. An MIT-affiliated standards group called the Auto-ID Center said in an e-mailed statement to News.com that they have "designed a kill feature to be built into every (RFID) tag. If consumers are concerned, the tags can be easily destroyed with an inexpensive reader. How this will be executed i.e. in the home or at point of sale is still being defined, and will be tested in the third phase of the field test."

If you care about privacy, now's your chance to let the industry know how you feel. (And, no, I'm not calling for new laws or regulations.) Tell them that RFID tags are perfectly acceptable inside stores to track pallets and crates, but that if retailers wish to use them on consumer goods, they should follow four voluntary guidelines.

First, consumers should be notified--a notice on a checkout receipt would work--when RFID tags are present in what they're buying. Second, RFID tags should be disabled by default at the checkout counter. Third, RFID tags should be placed on the product's packaging instead of on the product when possible. Fourth, RFID tags should be readily visible and easily removable.

Given RFID's potential for tracking your every move, is that too much to ask?

[Privacy Digest]

12:42:08 AM    

Dan Gillmor:

I'd like to address the following statement from Kling's essay:

The Commons enthusiasts believe that content publishers earn their profits by using copyright law to steal content from its creators and charge extortionary prices to consumers.

No, that's not what I believe, though it does happen on occasion.

What I do believe includes the following:

Copyright is a good thing, not a bad thing.

Copyright has been abused by the copyright industry in a number of ways including endless extension of terms and relentlessly aggressive political pushes to restrict fair use and other rights of customers.

The copyright cartel has stolen from the public domain -- from all of us.

Some balance is needed.

12:19:48 AM