The Ultimate Privacy Argument Against RFID

Written by Evan Schuman
October 21st, 2005

Privacy arguments tend to be emotional, often expressed in terms of “security versus privacy.”

A new book out about the future of RFID goes far beyond that. The authors of Spychips do not hesitate to go for the emotional jugular frequently, using references and examples from the Bible, the Nazis, the Russian government and the George Orwell classic 1984.

But they also make a stunningly powerful argument against plans for RFID being mapped out by government agencies, retail and manufacturing companies. Sources and evidence for their arguments come from patent applications, interviews and confidential documents carelessly left on vendors’ Web sites.

This won’t be comfortable reading in the IT departments of major retailers and manufacturers, but it is essential. IT is the group charged with being creative and making the technology do the magic that marketing needs it to do.

But who is charged with being the corporate conscience? Whose job is it to make sure that the corporation, in its pursuit for greater profits and market share, doesn’t go too far in exploiting information on their customers? Far too often, that decision falls on marketing executives who, the book eloquently argues, are stunningly ill-suited to the task.

A favorite anti-marketing passage: “Researchers have found that marketing students score lower on measures of ethics and academic integrity than any other university majors.”

The passage said business majors cheated more than their peers and that “marketing majors cheat significantly more than their peers in other business disciplines.”

The book’s thrust, though, is a detailed analysis of RFID trends. It effectively debunks many of the top arguments about why RFID is not a privacy worry.

Consider the use of RFID in hospitals and the frequently-cited media comment that the leading cause of death due to medical errors in caused by patient or drug misidentification. The book talks about that comment on the Web site for Precision Dynamics Corp., which is attributed to The Institute of Medicine Report, written by two doctors from the Harvard Medical School of Public Health.

There’s just one problem with that reference, the book says: That report makes no reference whatsoever to patient or drug misidentification having any impact on patient deaths.

The book quotes one of the report authors as saying the attribution as “a complete misrepresentation” and adds that, in reality, misidentification accounts for fewer than five percent of medical errors.

When Ziff Davis contacted PDC, the claim was still on their Web site and they promised to get back to us with an explanation. No one ever did but the claim has magically vanished from their site.

The biggest RFID argument that the authors attacked was the industry’s claim that retailers and manufacturers have no interest nor intention in tracking products once they leave the stores and certainly no intent to track consumers.

The authors?Katherine Albrecht and Liz McIntyre?use vendors’ own patent filings to show their thinking, such as an IBM filing titled “Identification and Tracking of Persons Using RFID-Tagged Items.” A Phillips Electronics 2003 patent application talks about placing RFID tags in shoes so that they can be detected by RFID scanners embedded in floors.

Note to vendors: A little subtlety is probably not a bad idea when trying to patent ideas that your PR people are denying you’re thinking about.

Consider Procter & Gamble’s August 2001 RFID patent filing dubbed “Systems and Methods For Tracking Consumers In A Store Environment.” The book then quotes Sandy Hughes, P&G’s “global privacy executive” as assuring that P&G has “never even considered tracking consumers with RFID.”

It then quotes Gillette’s Dick Cantwell, the manufacturer’s VP of global business management, saying the company wants to use RFID “to track consumer use of its products at home.”

The authors had the most fun with a promotional RFID piece produced by NCR, including using RFID to price-discriminate against customers, especially those trying to bargain hunt.

“With RFIDs on loyalty cards to identify the customer and a customer shopping history database, items could be priced differently depending on characteristics of the person who was buying them.” One appalling possibility: A consumer known to be hungry or who just got a raise could get charged more for groceries.

The book methodically debunks the argument that RFID chips can only be read from very short distances, making the idea of tracking consumers outside of stores difficult.

The authors argue that strategically placed readers?such as at highway exits?could track consumers quite effectively, particularly as RFIDs get themselves into the home (refrigerators that alert the retailers when certain groceries run low), the car (for repairs or intelligent navigation systems) and cell phones (for payment).

The retail and manufacturing tracking capabilities are spooky, but the book gets downright freaky as it discusses government plans for embedding RFID chips into the flesh of people (military, prison inmates, sensitive government employees, etc.).

The book talks of the implants and casually debunks the frequently-cited claim that the glass-encased insert is “about the size of a grain of rice.” The chip “actually measures 12 mm (.47 inches) long, making it a bit shorter than the diameter of a dime.

That’s a lot larger than any rice we’ve ever seen?and we both eat long grain rice.” That one hurt as Ziff-Davis has used the “grain of rice” comment often enough, but we won’t anymore.

The books talks about former Mexican attorney general Rafael Macedo de la Concha having an RFID chip inserted into himself and some of his employees “as a way to secure access to a sensitive records room.” It then makes the case that, far from being secure, it encourages those employees to be kidnapped and have the chip removed by force.

The authors found a patent application from an RFID company called Persephone Inc. that proposes installing RFIDs deep within the body and it discusses ways for the implanted chip to “electroshock the implantee.”

There’s no question that the books pushes the anti-RFID a bit far?citing biblical passages and asking how a Hitler would use RFID?but those arguments are still something that RFID developers and retail/manufacturing execs need to hear.

If you need to hear a worst-case scenario and know the perception?and possibly reality?challenges of RFID, reading SpyChips is the ideal first step.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.