Spy games

“Tell me what you like, I’ll tell you what you are.”
—John Ruskin (1819-1900)

It looks fairly innocuous, a metal-and-plastic square with wires coiled up like an angular snail, a lot like the anti-theft tag you’d find if you pried apart a book you just bought at a chain store. But it’s a Radio Frequency Identification tag, RFID for short, and each one has a tiny antenna that can broadcast information about the product, or person, to which it is attached.

To the industry that makes and markets RFID, it’s simply the next logical step from barcodes: providing a cheap, easy way to keep products on the shelves, consumers happy and companies making money.

But to many privacy rights advocates, RFID tags are the beginning of a series of nightmare scenarios in which RFID technology is the Trojan horse that brings Big Brother into your home, snooping through your medicine cabinets, fridge and underwear drawer to find out what you do, buy and believe, and, ultimately, what you are.

This small tag has a big industry on the defensive, playing catch-up on an issue that has largely flown under the radar of consumers and the mainstream press.

In early October, privacy rights advocates Katherine Albrecht and Liz McIntyre published Spychips: How Major Corporations and Government Plan to Track Your Every Move With RFID.

The heavily researched and footnoted book holds line after line of evidence to back up the fears of people who might otherwise be written off as tin foil hat-wearing conspiracy theorists: IBM taking out a patent for a “person-tracking unit” that uses RFID tags to identify individuals, their movements and purchases in stores. Procter & Gamble and Wal-Mart collaborating on a test that put cameras on a store shelf in Oklahoma and watched customers pluck lipsticks off an RFID-enabled shelf. A Sutter County middle school’s experimental program requiring students to wear RFID-enabled badges to track their on-campus movements. The federal government’s plans to put RFID tags in passports, prescription medications and perhaps drivers’ licenses and postage stamps. One day, the Spychips authors fear, the tiny tags could be on everything from candy bars to dollar bills, compromising both privacy and personal security.

“I think the industry is waiting until they’ve done adequate PR to where the public will really embrace it,” Albrecht said. “They want to get the infrastructure in place [and] find ways to integrate this technology in a way that is not going to scare people. They envision these things in our homes and our refrigerators and in the doorway of our kids’ bedrooms.”

In the weeks since Spychips‘ release, RFID supporters have retaliated with rebuttals calling the book at best a futuristic fairy tale and at worst a delusional pack of lies by fringe alarmists.

As much as the RFID industry, which researchers say will hit $4.2 billion a year by 2011, might want to ignore the book and its authors, it can’t afford to do so.

One RFID company has even bought space on Google, eBay and Amazon so when consumers search for “Spychips” a link to a 24-page rebuttal pops up.

“We felt we had a responsibility to educate consumers,” said Nicholas Chavez, president of RFID, Ltd., who co-authored the rebuttal released Nov. 4. “They may get first blanch at the consumers through the book,” he said, acknowledging that the industry hasn’t been proactive enough with the general public. “There’s a big fear out there that people will go read Spychips and then go out and tell 10 people.”

Spychips, he said, casts RFID in “this sinister, Orwellian light” and presupposes applications that aren’t within the current capabilities of the technology.

RFID was first envisioned in the 1940s, combining the existing disciplines of radio broadcast technology and radar to communicate via reflected power, according to a history by AIM Global, the RFID trade association. It wasn’t until the late 1970s that technical capabilities caught up with the vision and RFID began to be applied commercially. While “active” RFID tags send out radio signals, the more typical “passive” tags lay dormant until picked up by devices called readers, which can be positioned anywhere from a couple of inches to several feet away. The reader transmits the information to a database, where it can be stored. There’s some debate over actual versus intended read range, and Albrecht says she has registered results from as far as 15 feet away, but, “You don’t need these massive read ranges,” Albrecht said, if RFID readers are placed in strategic locations, such as freeway onramps, grocery store aisles, floors or doorways of homes. While some chips are smaller than a grain of sand, the ones currently in use on shipping crates are the size of a credit card.

The industry’s adversaries are smart, passionate and media-savvy. With each new development, the authors of Spychips fire off an e-mail press release touting their successes or assailing their critics, turning industry leaders’ own words against them. They’ve organized pickets of Wal-Marts, along with boycotts of companies such as Gillette and European retail store Tesco, which in 2003 collaborated to package RFID tags with Mach3 razor blades and surreptitiously snap photos of customers taking them from the shelf, and later at the cash register, in a test designed in part to identify potential shoplifters. The clothing company Benetton cancelled its plans to put RFID in underwear and other products after Albrecht launched an “I’d rather go naked” campaign.

Their message is resonating with anti-government Libertarians, conservative Christians and liberal ACLU types.

“It doesn’t have a demographic,” Albrecht said of Spychips. “Everyone’s got a reason not to be spied on.”

Try to get a personal bio out of Katherine Albrecht and you’ll get some unintended insight into what she’s all about. She started taking college courses at age 15, but won’t say where she grew up. Along with a master’s in instructional technology from Harvard (she’s working on her doctorate there), she has a bachelor’s degree in international marketing, but won’t say from where. She’s married, and has kids, but won’t say how many. Her family lives somewhere in the state of New Hampshire.

She’ll eat a loss before handing over her driver’s license to reverse an overcharge at Kmart. She also refuses to use credit or ATM cards, only paying cash. And she likes to wear mirrored sunglasses.

“I think I’ve always been kind of a rebel,” Albrecht said. “The ultimate irony is that by being the person who is so openly advocating for privacy I’ve become a public figure.”

Disturbed by the concept of supermarket loyalty cards, which she feels blackmail shoppers into turning over personal data in exchange for lower prices, Albrecht decided to study the practice for her master’s thesis. In 1999, she founded CASPIAN, Consumers Against Supermarket Privacy Invasion and Marketing.

So, it wasn’t a reach when, a couple of years later, Albrecht heard about “smart” shopping carts that use RFID to track shoppers throughout a store. She researched and wrote an article for the Denver Law Review, and began attending RFID trade shows in the United States and Europe, where she heard the multiple, often-conflicting messages companies were sending to clients, consumers and the general and trade presses.

Also in 1999, corporations and academia were collaborating to create the Auto ID Center on the Massachusetts Institute of Technology (MIT) campus. The nonprofit “research project” was founded and funded by Procter & Gamble, Gillette and the Uniform Code Council, which manages the bar code.

“It was just down the street from Harvard, where I was working on my doctorate,” Albrecht said. In spring of 2002, she signed up as a member of the media to attend a meeting at the Auto ID Center, which was in the midst of its successful quest to get $300,000 each from companies who wanted to be sponsoring partners. “I was a fly on the wall taking notes in the back.”

By then, years into her anti-loyalty card crusade, Albrecht was a confirmed skeptic, and wasn’t surprised that big business would want to gather personal information on and track customers, or that they would hope to fly under consumers’ radar until RFID was embedded in society and it was too late to do anything about it. “What surprised and horrified me in 2002 was that they actually had a technology to do this.”

And no one seemed to be talking about privacy issues.

“I came home that day so sickened and so reeling that I sat down with my husband and said, ‘I feel like I have the weight of the world on my shoulders because I know what’s coming.'”

“This is going to fundamentally change everything.”

At another board meeting at MIT, Albrecht found herself sharing an elevator with the then-executive director of the Auto-ID Center, Kevin Ashton. Ashton, who was not available for comment and now works for a company that makes RFID readers, has told interviewers that item-level RFID tagging will become common between 2007 and 2010, with RFID common in the home between 2010 and 2020. He also envisions an “Internet of Things” that will link every item sold, from a can of Pepsi to an Armani dress shirt, to its own Web page, tracking it from manufacturer to warehouse to transport and beyond, until the tag is presumably killed by the consumer.

“He gets it. He sees the hugeness of this,” Albrecht said of the man she considers her arch nemesis. “He embraces this future; I’m horrified.”

In October 2003, the Auto-ID Center dissolved and EPC Global took its place as a nonprofit entity standardizing what’s referred to as Electronic Product Code. Unlike a barcode, which can only reveal the type of product you purchased, an EPC is a unique identifier that attaches a serial number to tell a reader exactly which item you have.

On the corporate level, Wal-Mart has been leading the push toward RFID in a retail setting. This year, the company began requiring the 100 top suppliers to its Texas stores to put RFID tags on their shipping pallets and cases of products at an estimated cost of millions of dollars a year.

“We are also on target to have the next top 200 suppliers live in January 2006,” said Christi Gallagher, a media relations representative for Wal-Mart.

“We don’t anticipate each item in the store being tagged for 10 to 15 years,” she added. “Wal-Mart is not looking at RFID technology to track customers but rather to serve them by enhancing its supply chain process.”

The industry envisions “smart shelves,” which would alert stores when inventory is low so they can restock or reorder, decreasing frustration and increasing sales. RFID also has anti-theft applications and could help expedite returns, product recalls and warranties.

Theoretically, the stores would pass savings on to customers.

In November 2003, the Chicago Sun-Times reported on a trial by Procter & Gamble and Wal-Mart in which shoppers in a Broken Arrow, Okla. store were viewed remotely from P&G headquarters as they took packages of Max Factor Lipfinity lipstick off a shelf. The boxes contained small RFID chips and readers were embedded in the shelf liner.

Although representatives from both companies initially denied such a study ever took place, Wal-Mart now says it was anything but secret.

“There were signs present saying a test was being conducted,” Gallagher said.

Gallagher said Albrecht “may not fully understand the technology,” and that, “Because of our size we are often the target of criticism by these special interest groups with their own very narrow agendas which typically do not reflect the philosophies of the majority of our customers.”

The Department of Defense has ordered suppliers to affix RFID tags to shipping crates. The U.S. Food and Drug Administration has called for RFID tags on pharmaceuticals’ shipping containers, which it says would reduce counterfeiting and theft, and the companies that manufacture Oxycontin and Viagra are already on board. The U.S. State Department in May announced that it was backing off on RFID-enabled passports after privacy rights advocates pointed out that, lacking encryption, the tags could be read remotely by anyone, including terrorists who could stand in airports with handheld RFID readers, separating out Americans and allowing precision-level targeting. The scheduled rollout had been last summer.

Already, Bay Area motorists use FasTrack to quickly traverse bridges and other toll areas, with an RFID-enabled device automatically debiting their accounts. A Mobil gas station Speedpass uses the same technology, as do Verichips implanted in pets in case they get lost. More recently, appliance-makers have developed microwave ovens and washing machines that can scan barcodes, and, eventually, read RFID tags on products to determine how and how long to cook or wash a product. If you have a keyless remote for your car, you are carrying around an RFID tag.

RFID tags in hospitals could limit patient misidentification, which sometimes results in deaths. The food industry could tag and track meat and other products, making recalls much simpler.

And for convenience’s sake, the possibilities are exciting: Load up your shopping cart, wheel it through an RFID-enabled bay that will instantly scan the items, store loyalty card and payment card, and check out in seconds.

“It’s about the industry playing this correctly,” said Matt Meuter, an associate professor of marketing at Chico State University and expert in consumer adoption of technology.

“Customers will use a technology and accept it if it gives them value,” he said. “There will always be this Big Brother privacy thing floating around. People walk around with GPS in their cell phones. They make the tradeoff, and they’re OK with that.

“I remember the same thing with online banking—the same reaction. … It was very, very slow to adapt but now it’s second-nature. I think in my gut the same thing is going to happen with RFID,” he said.

“It’s all about the positioning and marketing of this. Is it an intrusion—big companies making money off of this—or is it a convenience for customers?”

Simson Garfinkel, Ph.D., has seen all sides of the issue and it’s not the Utopia-vs.-Armageddon scenario the RFID industry nor the Spychips authors forsee.

An instructor at Harvard and a book author, he is an expert in computer security and studies information policy and terrorism.

“The public is largely not participating in this debate, and unfortunately the decisions are being made right now,” he said. For example, he said, MasterCard/Visa claims it has deployed 1.5 million RFID-enabled cards with no customer complaints. “The fact is, these people don’t even know that they’re carrying the cards,” Garfinkel said.

Garfinkel is a member of the Electronic Frontier Foundation (EFF) and a signer of the nonprofit’s Position Statement on the Use of RFID in Consumer Products. The statement, which is also endorsed by CASPIAN, the ACLU and various consumer and privacy organizations, calls for a voluntary moratorium on item-level tagging and also seeks to preserve consumers’ right to disable tags, avoid being tracked without consent and preserve anonymity.

The EFF and ACLU drafted a bill for the California legislature that became SB 768, and Sen. Joe Simitian, D—Palo Alto, agreed to carry it. The bill is currently parked on the Assembly floor, to be resurrected for discussion in January. It calls for a three-year moratorium on the use of RFID technology on drivers’ licenses, library cards, student body cards, Medi-Cal cards and other “mass distribution” documents. It would also set fines for “intentional remote reading” of someone’s personal information without his or her knowledge, and would require personal information on RFID tags to be encrypted.

“It’s hardly a household word,” Lee Tien, staff attorney for EFF, said of RFID. “But those people who are aware of it have fairly predictable reactions. [And] the more people know about it, they more concerned they are.”

In October 2003, a survey commissioned by the National Retail Federation found that while 43 percent of those who had heard of RFID viewed it favorably, almost 70 percent of consumers were “extremely concerned” that data collected via RFID could be used by a third party, that it would make them the target of advertisers or that they themselves could be tracked through their purchases. “Should the industry fail to educate consumers about RFID, that role will default to consumer advocacy groups,” warned consulting firm CapGemini.

For Chavez, of RFID integrator RFID, Ltd., it’s a battle for consumers’ trust.

“You can’t take it personally,” he said, but, “I do take offense to the fact that they’re influencing consumers’ opinions of anyone and everyone in the RFID industry as being secretive or Machiavellian in their efforts.”

He wants Albrecht and McIntrye to agree to join his company’s advisory board, participate in public debates and train to become “certified” in RFID. “If they wish to be credible in talking about RFID technology, they need to be certified.”

Chavez tempers his criticism, acknowledging that others in the industry have directed “very well-publicized slurs” at the Spychips authors.

Privacy advocates raise important concerns, he said. “I’m all for labeling, and the consumers should have the option to kill the tag at the point of sale.”

Most in the industry believe in some form of a code of ethics, but ultimately want to police themselves.

AIM Global (the Association for Automatic Identification and Mobility), which also published a rebuttal to Spychips, calls the book a “great read” for “conspiracy buffs” and says it includes “a lot of conjecture, old news, unfounded assumptions, and a hodgepodge misrepresentation of the various types of RFID—even as the book admits the technology’s limitations.”

Mark Roberti, founder and editor of the RFID Journal, said RFID is a wonderful technology that is getting a bad rap by a vocal minority. “You can’t see it—that’s what creeps people out.

“The fact is, everywhere RFID has been introduced, people love it.”

Roberti has written hundreds of articles about RFID and its applications, editorialized against the Spychips book and said its authors “consistently overstate the truth.”

“They don’t understand the fundamentals of business,” Roberti said of the idea that collected data could become common knowledge. “Businesses never share information about their customers. The company is always going to do what will make it money.”

That’s only the beginning of the “misguided” and “pathetic” ideas that Roberti said pervades Spychips. “The book is so stupid in the fact that it does not relate technology to reality. … Wal-Mart cannot change the laws of physics.”

“They’re struggling to read tags on cases traveling through a dock door 10 feet wide at 5 miles an hour,” Roberti said, and it’s easy to disable or “jam” tags. Read ranges are only a few inches in most cases, and it will be years before RFID tags are cheap enough—5 cents, the industry hopes—to place on individual products.

And nowhere in the book, Roberti says, is there an example of a specific person whose privacy has been invaded.

“Every time you go into a store, video cameras are assuming you’re guilty. Why is RFID suddenly the problem?” said Roberti, who is against tracking people by name and is disturbed that U.S. privacy laws are not as advanced as those in Europe. Still, he said, “These are not evil people out to screw all these consumers. These are good people who want to sell products.”

“In my view, RFID gives the consumer all the power,” he said. “Wal-Mart has no power. We choose to shop there. … Vote with your wallet. If you don’t want someone to put an RFID tag in a product, don’t buy that product.”

Albrecht, who authored a rebuttal to Roberti’s rebuttal, said he misrepresents what Spychips is all about. It’s not about how corporations and the government have invaded people’s privacy. It’s about how they plan to invade their privacy in the future.

“Part of what the book does is show industry vision,” she said. “Before 1910, when electrical outlets were invented, if you had said there will be a way to tap into a worldwide power grid, and [devices] will be every 10 feet in your house, people would say you’re nuts,” she said.

It’s largely the “what if” thought progression that has RFID proponents so mad about Spychips.

What if the “smart” medicine cabinet developed by Accenture didn’t just warn people, by matching face-recognition software to FDA-mandated RFID tags on medicine bottles, that they were about to take the wrong medicine, but broadcast that information to their family members, doctor or the government?

What if the government or insurance companies start using information gathered by RFID to deny people health coverage?

What if the same refrigerator that lets you know when you’re out of cheese also radios the information to marketers, who in turn bombard you with unwanted advertisements?

What if police decide to use the passes carried by toll bridge users to determine via RFID readers that a driver had gotten from Point A to Point B too quickly and issue speeding tickets?

What if you have your RFID-enabled passport in your pocket when you go to an anti-war rally and government agents remotely scan it and put you in a database?

“That’s the more dangerous, insidious side of RFID,” said the EFF’s Tien of the possibility of surreptitious government use of RFID. “The private sector and the government work hand-in-hand in many areas of surveillance. … It’s all one big blob a person has to worry about.”

“Some people say, ‘I don’t care if people find out I wear size 8 Levi’s jeans,” Tien said. But what about more sensitive and personal possessions, such as a pregnancy home test kit, or meds for bipolar disorder or HIV? “There are a lot of issues about your preferences and your beliefs,” Tien said. “It’s the same debate as the Patriot Act. Some people will say they have nothing to hide, and the government could find the same things out another way.”

Garfinkel said it would be a shame if RFID were dismissed completely because the industry is “incompetent” at addressing privacy concerns. He embraces many uses of the technology, and especially sees ways it could be used to help blind people.

“The industry is acting very poorly.” RFID manufacturers contradict themselves, he says, when they talk about how powerful their tags are and then tell consumers not to worry about them being read covertly, or from a distance beyond the recommended read range.

“Lots of times things we think are not possible under the laws of physics actually are possible because it’s an engineering problem, not a physics problem.”

What it comes down to is whether you trust the government and big business to keep your privacy and other best interests at heart, he said.

“I think it’s a mistake to simply assume that business would never do anything secret,” Garfinkel said. “The government is already following people around. I could easily see us being in a world where this is pervasively deployed. A lot of personal info could be leaked.”

Albrecht said CASPIAN’s intent has never been to ban RFID, she said, but rather to make companies tell consumers when tags or readers are being used so they can make informed choices.

If consumers wait and hope for the best, it may be too late, said Tien, of the EFF. “Privacy violations are not like a lot of other kinds of violations. You don’t see them right away,” he said, drawing a comparison with identity theft. “There’s really no reason to wait until a disaster happens until you deal with it. You can do something now rather than wait for a crisis.”