Let's see some ID

Rupert Goodwins: Radio frequency ID tags may have privacy worries, but the biggest problem is the RFID industry itself.
Written by Rupert Goodwins, Contributor

It's always fun to predict the next technology scare story to hit the mainstream media. We've had RSI, mobile phone radiation, computer addiction and Internet porn -- if you got lucky, you could suffer from all four on the same day. We'll probably always have hackers, Internet chatroom abductions and mouse potatodom. The best candidate for the next temporary panic, though, is RFID, the radio frequency ID tags that will one day replace barcodes.

There are lots of technical caveats about the capabilities of current RFID, but in the end there's little doubt they'll end up as near-invisible motes of silicon capable of reporting their identity via radio requests. They'll cost effectively nothing, they'll work forever and they'll be everywhere.

Lots of things are happening. In Japan, the government has allocated a frequency band for exclusive RFID use, and there are trials happening everywhere in the world. Tesco has one such going on in its Sandhurst store, where the DVD section has intelligent shelves that monitor each package. As soon as a particular disc is taken off the shelves, the main stocking computer knows about it -- as it does if discs are removed from the storeroom but don't end up on display. Wal-Mart, the huge American retailer that owns Asda, is investing millions in trials. The benefits to retailers, distributors and manufacturers are potentially huge: having every item in the supply chain machine-locatable will be like the invention of X-rays in medicine.

Yet the young RFID industry is terrified that people will perceive this technology as an invasion of privacy. It's not so much what happens in-store, even if that does have a security aspect -- after all, companies have a perfect right to track goods that are 'high shrinkage' in the parlance, in other words small, expensive and easy to steal. The worry comes when you leave the store and the tag goes with you. You may have ten barcodes on your person right now, but nobody can tell: it's a different story when some hidden radio device halfway down the street can scan you and report back to HQ. This is where the scare stories come in: Big Brother corporations watching your every move from afar, muggers automatically scanning for people with expensive toys, your wallet reporting on its contents to the cold-eyed chap behind you in the Tube.

Such worries are valid, but the RFID makers have got the first step in coping with them very badly wrong. They went into secret session to work out ways to pretend that the concerns were mistaken. They hired PR companies to come up with strategies to mislead the public. This heavy-handed nonsense produced cloddish ideas, such as renaming RFID tags as 'green tags' -- as if we're all too thick to have noticed the cynical exploitation of ecological worries by companies in the past. They then compounded the sin by leaving the briefing documents around on a public access Web site. Thus they stand indicted on two counts of corporate stupidity: grossly underestimating public nous, and publicly cocking up basic computer security while simultaneously trying to reassure us on the advanced stuff.

The solution is for the RFID people to take a hint from the location-based services people, who are thinking about ways to sell our physical position back to us. Currently this involves interrogating the mobile phone networks to zero in on your Nokia, and then cross-referencing the location with those of nearby services and other things of interest.

This might seem quite different to RFID, but the two technologies are remarkably similar conceptually. They may even be the same problem looked at from two different angles. But the location mob have been up front about their privacy problems. They've designed in safeguards at every step, creating multiple barriers to abuse and ensuring that personal choice remains at the top of the food chain.

Doubtless, they will make mistakes: there will be cases of unauthorised access to location systems just as there are to existing databases of personal information. There will be slip-ups, hacks, and hard disks filled with sensitive information left on rubbish tips. But the designers can show that privacy is built into the system: they've talked about it in conferences, encouraged input at all stages and published their thinking and the end results.

Ironically, the RFID privacy issues are much easier to solve than those of location-based services. Limit the range over which readers can read tags. Make all tags able to be permanently disabled at the request of the customer after purchase, and have a legal requirement for the presence of a tag to be made obvious somewhere on the host item.

None of this affects RFID's prime cost benefits, which are after all for the supply chain and not for the consumer. There are consumer applications for RFID, but those really do merge seamlessly with the location-based services and should be treated as such. What will kill RFID -- and what will put it on the front pages of the mainstream media -- is if the industry insists on treating the consumer with such a lack of respect that it really does seem as if they've got something to hide.
