Radio Frequency Identification (RFID) Systems
- EPIC Supports Moratorium on RFID Student Tracking : EPIC, along with Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and other leading privacy and civil liberties organizations, issued a Position Paper on the Use of RFID in Schools. Radio Frequency Identification is an identification tracking technology "designed to monitor physical objects," such as commercial products, vehicles, and animals. Some school districts are proposing to use RFID ID tags to monitor students, teachers, and staff. The report warns of significant privacy and security risks. If RFID techniques are adopted, the groups urge that schools adopt robust privacy safeguards. In 2006 and 2007, EPIC submitted comments to federal agencies recommending against the use of RFID technology to track air travelers. The State Department subsequently made changes to the "e-Passport," to address privacy and security concerns. For more information, see EPIC: Radio Frequency Identification (RFID) Systems and EPIC: Student Privacy. (Aug. 21, 2012)
- Wal-Mart Begins Tagging and Tracking Merchandise with RFID: Wal-Mart has announced that it will begin inserting Radio Frequency Identification (RFID) chips into some of its men's clothing, including jeans, underwear, and socks, starting August 1. The retailer has stated that its goal is to expand the use of the tags to its other merchandise as well. Previously RFID tags have only been used in larger packages for warehouse and distribution use, but this will be the first time the tags are used in the stores for individual products that will be taken home by consumers. The tags will remain readable from a short range even after they are removed from the store. For more information, see EPIC RFID Systems. (Jul. 30, 2010)
- Senators Take a Pass on REAL ID: Senators Daniel K. Akaka (D-HI) and George V. Voinovich (R-OH) have introduced the Providing for Additional Security in States' Identification Act of 2009. PASS ID, should it become law, would replace the controversial REAL ID Act of 2005. The REAL ID Act has faced ongoing criticisms from state governments, technical experts, and privacy advocates. In 2007 EPIC and the Privacy Coalition organized a national campaign against REAL ID implementation. The PASS ID proponents say the bill follows the recommendations of the 9/11 Commission for improving the security of drivers licenses while avoiding the problems of REAL ID. For more information on National ID, visit EPIC National ID and the REAL ID Act page. (Jun. 16, 2009)
- Despite Privacy Objections, Enhanced Identity Documents Required for Travel: The Western Hemisphere Travel Initiative went into effect today despite substantial privacy and security risks. The federal government now requires US citizens to present identity documents when entering the US. These documents incorporate RFID technology that jeopardizes the privacy and security of US travelers. EPIC has previously urged the State Department to abandon the proposal. Senator Leahy has also criticized the program. See also EPIC's Spotlight on Surveillance. (Jun. 1, 2009)
- European Commission Sets Out RFID Privacy Guidelines: The European Commission has announced Recommendations and provided a Citizens Summary for the implementation of privacy and data protection safeguards for radio-frequency identification. RFID applications transfer personal data wirelessly between an embedded tag, typically in an ID card or product, and a reader. Many privacy concerns have been raised. The EC Recommendations reaffirm the privacy rights and obligations in the European Privacy Directives. The guidance directs organizations to perform privacy impact assessments, apply risk minimization techniques, and inform individuals about RFID. In the US, EPIC has urged strong consumer protections for RFID before the Alaska and New Hampshire state legislatures, the Federal Trade Commission and the DHS on the use of RFID embedded passports. For more information, see EPIC's page on Radio Frequency Identification (RFID) Systems. (May. 13, 2009)
- EPIC Urges FTC to Establish Privacy Safeguards for RFID Tags. In comments to the Federal Trade Commission, EPIC reiterated recommendations (pdf) it made in 2004 to the consumer protection agency to address the risks to consumer safety of the unregulated use of RFID tags that reveal personal data. The FTC is hosting a "Transatlantic RFID Workshop on Consumer Privacy and Data Security" to discuss consumer concerns. The workshop follows an event, organized by the US Department of Commerce, promoting the benefits of RFID. Comments on RFID may be submitted to the FTC until October 23. (Sept. 22).
- Legal Battle May Disallow Publication on Cracked RFID Chip. Researchers from the Dutch Radboud University have cracked and cloned London's Oyster travel card, after cracking the Dutch Mifare Travel card. The latter would be used in a nationwide network for billing of public transportation. Both cards use the Mifare Classic RFID tags, which relies for its security on an algorithm that can be cracked with modest effort. The troubled card provides for contact-less entrance to public transportations and office buildings worldwide. The manufacturer of the chip, NXP, follows Dutch secretary of state Tineke Huizinga in claiming that publication of the results is irresponsible. While NXP is taking the researchers to court, the University issued a statement (Dutch) valuing scientific publication of security leaks and mentioning that the publication will help NXP to develop a better chip. The results will be published at the European computer security (Esorics) conference in Spain in September of this year.
- EPIC Urges Strong Consumer Protections in RFID Legislation in New Hampshire. In response to a request from the New Hampshire Senate, EPIC today expressed support (pdf) for HB 686, concerning radio frequency identification (RFID) technology. "The legislation would establish important safeguards for New Hampshire residents including: (1) penalties for illegal use of RFID technology; (2) a private right of action for individuals; (3) restrictions on the use of RFID technology by the State of New Hampshire with few exceptions; (4) prohibitions on electronic tracking of individuals without a valid court order or consent; and (5) prohibitions against forced implantation of RFID devices in humans." EPIC also recommended the NH Senate "also (1) address unique identifiers linked to databases containing personally identifiable information, and (2) label RFID readers and interrogators, as well as RFID tags and products containing tags." (Apr. 14)
- Homeland Security Releases Final Rule on Controversial Traveler System. The Department of Homeland Security has released the final regulations (pdf) for the Western Hemisphere Travel Initiative (WHTI), a system that requires U.S. citizens and foreign nationals to present a passport or other documents to prove identity and citizenship when entering the United States from certain countries in North, Central or South America. Senators Leahy and Stevens authored a law that postponed the document requirements until June 2009 or until seven conditions are met, whichever is later. In response to the final rule, Senator Leahy said, DHS "still [has] given the American people no reason to believe they will meet the readiness conditions in the new law. [â€¦] In DHS's hands, WHTI is not an advance in security but smoke and mirrors with little real benefit and the potential for a great deal of collateral damage to our economy." EPIC has detailed (pdf) problems in the agency's plan for a travel card under this system, explaining that the tracking technology proposed would jeopardize the privacy and security of US travelers. (Mar. 28)
- EPIC Urges Alaska Senate to Protect Consumers From RFID Misuse. In testimony (pdf) to the Alaska Senate Judiciary Committee today, EPIC Senior Counsel Melissa Ngo supported Alaska's SB 293, which included prohibitions against unauthorized scanning and reading of RFID tags and against allowing RFID technology users' to require continued activation of RFID tags in order for consumers "to exchange, return, repair, or service an item that" contain RFID tags. However, EPIC recommended four changes to the bill: "(1) including regulations on the use of unique identifiers and the profiles that can be created; (2) including an enforcement provision with a private right of action; (3) stronger provisions on deactivation of tags, including the possibility of permanent deactivation; and (4) clearly and prominently labeling RFID readers or transponders." These additions would strengthen protections for consumers against misuse or abuse of data collected through RFID tags. (Mar. 17)
- EC Opens Public Consultation on RFID Recommendations. The European Commission has published draft guidelines on the use radio frequency identification (RFID) technology in member countries. Among other proposals, the commission recommends RFID operators conduct privacy impact assessments before deploying the technology and immediate deactivation of RFID tags containing personal data when goods are purchased. The public is encouraged to submit comments; the deadline is April 25. A final version of the recommendations is expected in Summer 2008. EPIC has experience detailing (pdf) the privacy and security problems that can accompany use of RFID technology. (Feb. 25, 2008)
Radio Frequency Identification (RFID) is a type of automatic identification system. The purpose of an RFID system is to enable data to be transmitted by a portable device, called a tag, which is read by an RFID reader and processed according to the needs of a particular application. The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, date of purchase, etc. The use of RFID in tracking and access applications first appeared during the 1980s. RFID quickly gained attention because of its ability to track moving objects. As the technology is refined, more pervasive-and invasive-uses for RFID tags are in the works.
In a typical RFID system, individual objects are equipped with a small, inexpensive tag which contains a transponder with a digital memory chip that is given a unique electronic product code. The interrogator, an antenna packaged with a transceiver and decoder, emits a signal activating the RFID tag so it can read and write data to it. When an RFID tag passes through the electromagnetic zone, it detects the reader's activation signal. The reader decodes the data encoded in the tag's integrated circuit (silicon chip) and the data is passed to the host computer for processing.
RFID tags come in a wide variety of shapes and sizes. Some tags are easy to spot, such as the hard plastic anti-theft tags attached to merchandise in stores. Animal tracking tags which are implanted beneath the skin of family pets or endangered species are no bigger than a small section of pencil lead. Even smaller tags have been developed to be embedded within the fibers of a national currency.
While barcodes have historically been the primary means of tracking products, RFID systems are rapidly becoming the preferred technology for keeping tabs on people, pets, products, and even vehicles. One reason for this is because the read/write capability of an active RFID system enables the use of interactive applications. Also, the tags can be read from a distance and through a variety of substances such as snow, fog, ice, or paint, where barcodes have proved useless.
Currently, RFID tags are not widely used in consumer products because the price of the tags is still prohibitively expensive. However, as companies push for enhanced means of tracking products and profiling consumers, the increased demand and production of RFID technologies will drive down prices. Already, developments in RFID technology are yielding systems with larger memory capacities, wider reading ranges, and faster processing. In response, the market for RFID tags is growing explosively, projected to reach $10 billion annually within the decade.
RFID systems have gained popularity, and notoriety, in recent years. A driving force behind the rapid development of RFID technology has been the rise of pervasive commerce, sometimes dubbed the quiet revolution. Pervasive commerce uses technologies such as tracking devices and smart labels embedded with transmitting sensors and intelligent readers to convey information about key areas where consumers live and work to data processing systems. To gather this data, retailers can choose from a range of options.
RFID systems may be roughly grouped into four categories:
- EAS (Electronic Article Surveillance) systems: Generally used in retail stores to sense the presence or absence of an item. Products are tagged and large antenna readers are placed at each exit of the store to detect unauthorized removal of the item.
- Portable Data Capture systems: Characterized by the use of portable RFID readers, which enables this system to be used in variable settings.
- Networked systems: Characterized by fixed position readers which are connected directly to a centralized information management system, while transponders are positioned on people or moveable items.
- Positioning systems: Used for automated location identification of tagged items or vehicles.
These RFID systems enable business owners to have real-time access to inventory information, as well as a broader, clearer picture of consumers' buying habits. RFID technology also enables retailers and corporations to peek into the lives of consumers in ways that were, until recently, off limits. Products embedded with RFID tags can continuously transmit information ranging from an electronic product code (EPC) identifier, to information about the item itself, such as consumption status or product freshness. Data processing systems read and compile this information, and can even link the product information with a specific consumer.
This composite information is vastly superior-and more invasive-than any data that could be obtained from scanning bar codes, or even loyalty cards. Frequent shopper cards link consumers to their purchases, but this limited information gives retailers only a narrow view of a consumers' in-store purchasing trends. In contrast, RFID systems enable tagged objects to speak to electronic readers over the course of a product's lifetime-from production to disposal-providing retailers with an unblinking, voyeuristic view of consumer attitudes and purchase behavior.
Currently, RFID technology is still too expensive to be used by retailers en masse. The cost per electronic tag now stands at about 30 cents apiece, but is expected to fall to as little as three cents in the next three years. RFID tags will probably not become pervasive until the per chip cost dips below one penny. Retailers will still have to purchase sensors to read the tags, which can cost $1,000 each.
In spite of the costs, some retailers are willing to pay the price for the insight RFID tags provide into the lives of consumers. Over the next few years, industry experts expect to see a broad range of RFID pilots, and even several fully integrated systems, launched. A handful of corporations have already signed on, and are moving ahead with plans to embed products with RFID tags. Recently, Microsoft Corporation announced that it would develop software that will enable retailers, manufacturers, and distributors to use RFID tags to track goods within stores and factories, as well as programs specifically designed to use the new retail tagging technology.
Other proposed uses of RFID technology include:
- Tracking apparel: Clothing maker Benetton planned to embed retail items with RFID tags. The implanted devices would enable Benetton to track individuals and inventory their belongings by linking a consumer's name and credit card information with the serial number in an item of clothing. Privacy advocates noted the potential abuses of a system, and Benetton agreed not to tag clothing with tracking devices-for now.
However, Marks & Spencer, one of the largest retailers in the UK, announced that it will begin tagging apparel items with ultra high frequency (UHF) tags beginning in Fall, 2003. UHF tags are a new generation of RFID technology that provide faster data transfer speeds and longer read ranges. Marks & Spencer has already used tracking devices extensively in its food supply division.
- Tracking consumer packaged goods (CPGs): Gillette, Wal-Mart, and the U.K.-based supermarket chain Tesco are teaming up to test specially designed shelves that allow for real-time tracking of inventory levels. The "smart shelves" will be able to read radio frequency waves emitted by microchips embedded in millions of shavers and other products. Wal-Mart plans to test the Gillette shelf initially in a store located in Brockton, Mass. If the technology is successful, Wal-Mart also plans to join forces with Procter & Gamble to test a similar system with cosmetic products, and has encouraged its top 100 suppliers to use wireless inventory tracking equipment by 2005. So far, Wal-Mart executives say the company plans to use RFID chips only to track merchandise, and will remove the tags from items that have been purchased. However, Wal-Mart's decision to implement RFID technology will likely propel the ubiquity of the tags in CPGs.
- Tracking tires: Tire manufacturer Michelin recently began fleet testing of a radio frequency tire identification system for passenger and light truck tires. The RFID transponder is manufactured into the tire and stores tire identification information, which can be associated with the vehicle identification number (VIN). Critics argue the tags could ultimately become tracking devices that can tell where and when a vehicle is traveling.
- Tracking currency: The European Central Bank is moving forward with plans to embed RFID tags as thin as a human hair into the fibers of Euro bank notes by 2005, in spite of consumer protests. The tags would allow currency to record information about each transaction in which it is passed. Governments and law enforcement agencies hail the technology as a means of preventing money-laundering, black-market transactions, and even bribery demands for unmarked bills. However, consumers fear that the technology will eliminate the anonymity that cash affords.
- Tracking patients and personnel: Alexandra Hospital in Singapore recently began a new tracking system in its accident and emergency (A&E ) department in the wake of the Severe Acute Respiratory Syndrome (SARS) scare. Under this system, all patients, visitors, and staff entering the hospital are issued a card embedded with an RFID chip. The card is read by sensors installed in the ceiling, which record exactly when a person enters and leaves the department. The information is stored in a computer for 21 days. Officials say that the technology enables health care workers to keep tabs on everyone who enters the A&E department, so that if anyone is later diagnosed with SARS, a record of all other individuals with whom that person has been in contact can be immediately determined. Other hospitals in Singapore are expected to adopt similar technology.
- Payment systems: In 1997, ExxonMobil developed the wireless payment application known as Speedpass. Since then, six million consumers have utilized the payment option at 7,500 Speedpass-enabled locations. Now, a wide range of merchants and retailers are looking for ways to implement radio frequency (RF) wireless payment systems. Sony and Phillips are leading the way. The two corporations will soon begin field testing an RFID system called Near Field Communication (NFC), which will enable RFID communication between PCs, handheld computers, and other electronic devices. The companies envision that consumers will log on to their personal online portal by swiping their smart cart-embedded with a Sony or Philips RFID-which will be read by a RFID reader plugged into the USB port on the computer. Next, consumers would shop online, say, for tickets to a local event. The consumer would pay for the tickets online, download them to their PC and then transmit them with NFC technology to an RFID tag in their mobile phone. Then, at the event, consumers would wave their cell phone near a reader in the turnstile, and be automatically admitted.
While corporate giants tout the merits of RFID technology, civil liberties advocates point out that the ability to track people, products, vehicles, and even currency would create an Orwellian world where law enforcement officials and nosy retailers could read the contents of a handbag-perhaps without a person's knowledge-simply by installing RFID readers nearby. Such a fear is not unfounded. Currently, some RFID readers have the capacity to read data transmitted by many different RFID tag. This means that if a person enters a store carrying several RFID tags-for example, in articles of clothing or cards carried in a wallet-one RFID reader can read the data emitted by all of the tags, and not simply the signal relayed by in-store products. This capacity enables retailers with RFID readers to compile a more complete profile of shoppers than would be possible by simply scanning the bar codes of products a consumer purchases.
- EPIC Response to Request for Analysis of New Hampshire's HB 686, Concerning RFID Technology (pdf) (April 14, 2008)
- Melissa Ngo, EPIC Senior Counsel, Testimony on "SB 293 and RFID Technology" before the Alaska Senate Judiciary Committee (pdf) (March 17, 2008).
- EPIC Guidelines on Medical Use of RFID Technology (PowerPoint) (2005)
- EPIC Guidelines on Commercial Use of RFID Technology (pdf) (2004)
- EPIC's VeriChip page
- EPIC's Children and RFID Systems page
- Elementary school nixes electronic IDs, by Alorie Gilbert, CNET News, Feb. 17, 2005.
- Flap Forces Halt to Student-Tracking Experiment, by Eric Bailey, Los Angeles Times, Feb. 17, 2005.
- Brittan ID program dropped, by Kymm Mann, Appeal-Democrat, Feb. 16, 2005.
- Parents ignore mobile phone health issues, Reuters, Feb. 14, 2005.
- School RFID Plan Gets an F, by Kim Zetter, Wired, Feb. 10, 2005.
- In Texas, 28,000 students test e-tagging system , by Matt Richtel, The New York Times, Nov. 17, 2004.
- Tiny Antennas to Keep Tabs on U.S. Drugs, by Gardiner Harris, New York Times, Nov. 15, 2004.
- Schools test IC tags to track students, by Kanko Ida, The Asahi Shimbun, Nov. 4,2004.
- Legoland RFID Tracks Lost Kids, Collects Data, by Kelly Shermach, CRM Buyer, Oct. 28, 2004.
- Schools in Japan turn to high-tech tags for security, by Kenji Hall, CNEWS Canada, Oct. 9, 2004.
- How RFID Will Help Mommy Find Johnny, by Laurie Sullivan, InformationWeek, Sept. 15, 2004.
- How we are becoming a micro-chipped population, by Mika Belle, Boise Weekly, Aug. 11, 2004.
- Chip allows parents to track children, by Sam Diaz, Knight Ridder News Service, Aug. 7, 2004.
- Japanese children to be RFID'd, National Business Review, July 8, 2004.
- RFID chips on kids makes Legoland safer, by Will Sturgeon, Silicon Reports, June 24, 2004.
- Privacy and AutoID, RFID News, May 2004.
- Privacy protection is not a luxury, RFID industry told, by Jo Best, Silicon.com, May 11, 2004.
- Wal-Mart turns on radio tags, by Matt Hines, ZDNET.com, April 30, 2004.
- RFID deadline hits a wall, study says, by Matt Hines, CNET News.com, March 31, 2004.
- Tracking tags may get congressional scrutiny, by Alorie Gilbert, CNET News.com, March 24, 2004.
- RFID goes to war, by Alorie Gilbert, CNET News.com, March 22, 2004.
- RFID Revolution: Are we close?, by Matt Hines, ZDNET.com, March 3, 2004.
- California lawmaker introduces RFID bill, by Alorie Gilbert, CNET News.com, Feb. 24, 2004.
- 'Smart shelf' test triggers fresh criticisms, by Alorie Gilbert, CNET News.com, Nov. 14, 2003.
- Big brother or the mark of the beast?, by Becky Blanton, Sierra Times.com, Oct. 28, 2003.
- Three R's: Reading, Writing, RFID, by Julia Scheeres, Wired, Oct. 24, 2003.
- RFID Ripples Through Software Industry, by Ephraim Schwartz, InfoWorld, Sept. 26, 2003.
- Microsoft to Develop Software for Radio Tags, Reuters, June 10, 2003.
- Retail future: painless checkout, knowing scanners, by Paul Hoskins, Forbes, May 14, 2003.
- Sony, Philips to Test RFID Platform, RFID Journal, May 8, 2003.
- Benetton takes stock of chip plan, by Winston Chai and Richard Shim, CNET News, April 7, 2003.
- Glowing Beads Make Tiny Bar Codes, Technology Research News, April 3, 2003.
- Wal-Mart to remove ID tags, by Joanna Glasner, Wired News, March 26, 2003.
- A Radio Chip in Every Consumer Product, by Claudia H. Deutsch and Barnaby J. Feder, NY Times, Feb. 25, 2003.
- Opposition to RFID Tracking Grows, RFID Journal, Jan. 20, 2003.
- Michelin Embeds RFID Tags in Tires, RFID Journal, Jan. 17, 2003.
- RFID tags: Big Brother in small packages, by Declan McCullagh, CNET News, Jan. 13, 2003.
- Major retailers to test "smart shelves," by Alorie Gilbert, CNET News, Jan. 8, 2003.
- Gillette Confirms Purchase of EPC Tags, RFID Journal, Jan. 6, 2003.
- Radio Frequency ID: A New Era for Marketers?, by John Stermer, Consumer Insight, Winter 2001.
- Spotlight: 'Enhanced' Licenses Drive Backwards on Security, Privacy.EPIC's Spotlight on Surveillance Project turns to Homeland Security's plan to transform several states' driver's licenses into federal identification cards, so-called "enhanced" driver's licenses. The proposed cards would cost more more than current licenses, transmit data to remote readers, and contain citizenship status. The Government Accountability Office recommended (pdf) against RFID chips in ID cards, stating that this could allow for the "tracking and profiling" of individuals. Spotlight on Surveillance report. (Dec. 19)
- California Bans Forced RFID Implantation. The California Senate yesterday passed SB 362, which forbids companies from requiring employees to implant RFID chips in their bodies. Earlier this year, North Dakota also banned (pdf) forced RFID implantation in humans. Wisconsin passed similar legislation iin 2006. Colorado, Ohio, Oklahoma and Florida are also debating such legislation. (Aug. 31)
- EPIC Warns Federal Agencies About RFID in US Travel Cards. In comments (pdf) to the State Department and Homeland Security, EPIC recommended against the use of "long-range" RFID technology (which transmits personal data to remote tracking devices) in the proposed "PASS card" for travel between the United States, Canada, Mexico, and the Caribbean. EPIC explained that the tracking technology would jeopardize the privacy and security of US travelers. Earlier this year, Homeland Security abandoned (pdf) a similar proposal for US-VISIT travel documents, following comments from EPIC (pdf) and the Government Accountability Office (pdf). See EPIC's page on US-VISIT. (Aug. 1)
- ANEC & BEUC Issue Joint Policy Paper on RFID. European consumer groups ANEC and BEUC have issued a joint policy paper (pdf) in response to a March communication (pdf) by the European Communication on RFID policy. ANEC and BEUC recommended that the Commission begin "impartial and comprehensive information campaigns on the RFID technology, its potential benefits and risks," to help consumers choose whether to use RFID. The groups also suggested the formation of "a European committee dealing with ethics should be created and consultedâ€ù concerning any RFID or near field communication (NFC) technology applications." The European Commission is considering proposing legislation in 2007 to ensure privacy safeguards in the use of RFID technology. (July 30)
- The American Medical Association (AMA) Releases RFID Report. The AMA's report Radio Frequency ID Devices in Humans came as a result of a resolution "RFID Labeling in Humans." The report focused on the ethical consequences surrounding the use of RFID implants in humans. The report outlined potential risks with the technology: physical risk to patients; confidentiality; patient privacy; effective informed consent; and security of the information contained on the device. The report recommends that the medical community support investigation of the technology to be able to make informed medical decisions regarding the use of these devices. (July 18)
- NIST Issues RFID Guidelines. The National Institute of Standards and Technology (NIST) has issued its "Guidelines for Securing Radio Frequency Identification (RFID) Systems" (pdf). NIST detailed how to address, in the context of an RFID system, the basic principles of the Organization for Economic Co-operation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. NIST urged retailers, federal agencies, and other organizations to evaluate the potential security and privacy risks of RFID technology and use best practices to reduce them. "As people possess more tagged items and networked RFID readers become ever more prevalent, organizations may have the ability to combine and correlate data across applications to infer personal identity and location and build personal profiles in ways that increase the privacy risk," NIST said. (Apr. 30)
- North Dakota Bans Forced RFID Implantation. North Dakota has become the second state to ban (pdf) forced RFID implantation in humans. Wisconsin passed similar legislation last year. Voluntary implantation is still permissible. However, the two-line bill does not address what is considered "voluntary." (Apr. 12)
- UK Airport Tracks Passengers With RFID. The United Kingdom's Manchester Airport has just completed a six-month trial where 50,000 people were tracked with RFID technology. The airport authorities have requested that the pilot test be implemented permanently. If so, RFID-enabled boarding passes would be issued to all passengers. Those who print out boarding passes at home will have RFID tags attached at the airport. (Apr. 11)
- Washington State Pilot Tests RFID-enabled licenses. Washington State and the Department of Homeland Security are jointly testing a project where the state driver's licenses and identification cards will be accepted for use under the Western Hemisphere Travel Initiative, which regulates travel between the United States, Canada, Mexico, and the Caribbean. The Washington State ID cards would include proof of citizenship and other sensitive personal data beyond what current licenses hold. The licenses will include long-range radio frequency identification (RFID) technology, which EPIC has repeatedly warned (pdf) is a privacy and security risk. The Department of Homeland Security's Data Privacy and Integrity Advisory Committee also has recommended against (pdf) the use of RFID in ID documents. For more information, see EPIC's August 2006 Spotlight on Surveillance on the Western Hemisphere Travel Initiative. (Mar. 23)
- European Commission Issues Communication on RFID Policy. The European Commission has held an RFID forum in Brussels and released a communication (pdf) on steps toward a policy framework. "[A] clear and predictable legal and policy framework is needed to make this new technology acceptable to users," the Commission said. "This framework should address: ethical implications, the need to protect privacy and security; governance of the RFID identity databases; availability of radio spectrum; the establishment of harmonised international standards; and concerns over the health and environmental implications." The Commission outlined ideas for such a framework and asked for comments. (Mar. 15)
- EPIC Urges State Dept. to Drop Plan for Flawed ID System. In comments (pdf) to the State Department, EPIC warned that a proposed "PASS card" for travel between the United States, Canada, Mexico, and the Caribbean would jeopardize the privacy and security of US travelers. The PASS card is based on long-range wireless technology, "vicinity" RFID, that would enable remote tracking of individuals. The card also lacks basic access controls and security features that were eventually incorporated in the electronic passport. For more information, see EPIC's August 2006 Spotlight on Surveillance. (Jan. 8)
- Two Reports Criticize Security, Privacy Holes in RFID Technology. The federal government has increasingly required radio frequency identification (RFID) tags for identity documents, even though an expert panel has opposed the adoption of the wireless technology. The draft report (pdf) has yet to be finalized for official release. In another report (pdf), researchers revealed serious security vulnerabilities in RFID-enabled credit cards that would allow for fraud. (Nov. 1)
- European Commission: More Privacy Safeguards for RFID. The European Commission is calling for stricter privacy controls for radio frequency identification (RFID) technology. The increasing use of RFID technology "will raise tremendous challenges for sovereignty, individual liberties and economic independence. It will be necessary that citizens keep control of how the information concerning them is utilized and updated and how the tags can be deactivated," EU Information Society Commissioner Viviane Reding said (pdf) at the EU RFID 2006 Conference. The Commission is considering proposing legislation to ensure privacy safeguards in RFID use. (Oct. 16)
- California RFID Bill Nears Approval. The California legislature has recently passed the Identity Information Protection Act, which requires that state-issued IDs that contain remotely-readable RFID chips must contain adequate security features to prevent them from being read by unauthorized parties. The bill now goes to Governor Schwarzenegger for approval. California civil liberties groups are urging residents to write the governor, encouraging him to sign the bill. (Sept. 1)
- DHS Inspector General: More Security Needed for RFID. According to a report (pdf) recently released by the Department of Homeland Security's Office of the Inspector General, the Department's use of radio frequency identification (RFID) technology leaves critical information open to unauthorized access. RFID chips store data and broadcast it via radio waves in response to another radio signal. The small, remotely-readable chips are being placed in immigration documents, passports, and are may soon be used to track cargo and passenger baggage. The report also found a lack of systematic inventories of RFID technology and consistent policies, and identified security concerns regarding user access permissions, password management, and auditing in the Department's RFID databases. (Aug. 25)
- RFID Passport Hacked. A security researcher in Germany has shown that he can clone the radio frequency identification (RFID) tags that the United States and other countries will be placing in passports later on this year. Lukas Grunwald, at the Black Hat security conference in Las Vegas, demonstrated that he could, with readily available technology, access the information on the RFID chip, copy it, and place it onto another document containing another RFID chip. (Aug. 10)
- Government to Test E-Passports in San Francisco. The Department of Homeland Security will begin testing e-Passports on Sunday at San Francisco International Airport. The e-Passports contain Radio Frequency Identification chips, which transmit information wirelessly. Testing conducted last year revealed that RFID-enabled passports impede the inspection process, according to documents (pdf) recently obtained by EPIC under the Freedom of Information Act. EPIC has urged (pdf) the agency to abandon the use of such technology in passports because of significant security and privacy issues. (Jan. 13)
- EPIC Uncovers Government Documents that Reveal Passport Problems. According to documents (pdf) obtained by EPIC under the Freedom of Information Act, a government report found signiifcant problems with new hi-tech passports. Tests conducted last year revealed that "contactless" RFID passports impede the inspection process. At a meeting of a Privacy Advisory Committee today in Washington, EPIC urged (pdf) the Department of Homeland Security to abandon the use of RFID technology in E-Passports and the US-VISIT program. (Dec. 6)
- Government Report: Federal Agencies' RFID Plans Flawed. In a report (pdf) released last week, the Government Accountability Office found that thirteen government agencies are using or plan to use Radio Frequency Identification tags. However, only one agency identified any legal or privacy issues with the use of the tags, which can be read remotely. The agencies plan to use RFID to track employees' movements and in ID cards. This report comes a month after the State Department reversed plans to include RFID tags in American passports because of security and privacy concerns. (May 31)
- State Department Backs Off RFID Passport. The State Department said today it will not go forward with a controversial plan that would have made personal data contained in hi-tech passports vulnerable to unauthorized access. The agency said it will impose new security techniques, require encryption for data transfers, and ensure that passports contain a metallic layer. The announcement comes amid pressure from EPIC, other civil liberties groups, technical experts, and air travellers who said the original proposal was deeply flawed. (Apr. 27)
- California Considers Prohibition on RFID's in State ID Cards. "Tag and Track" devices, known as RFIDs (Radio Frequency Identification tags), are being considered for use in government documents. California State Senator Joe Simitian has introduced "The Identity Information Protection Act" which would prohibit the inclusion of RFIDs that can be read remotely without the person's knowledge in state identity documents, such as driver's licenses, student identification badges, and medical cards. (Apr. 8)
- EPIC Presses Agency to Abandon Plans for RFID Passports. EPIC and other civil liberties groups have filed comments (pdf) to urge the State Department to scrap its plans to require RFID passports for all American travelers. The proposal is flawed because the Department lacks legal authority to require RFID travel documents. The State Department has also failed to show the benefits of the passports. Furthermore, it has failed to conduct a meaningful assessment of RFID technology or to consider more reliable technologies. (Apr. 5)
- EPIC Urges Privacy Safeguards for RFID, Copyright Technology. In comments to the Article 29 Working Group, an association of leading European privacy officials, EPIC has recommended strong safeguards for RFIDs and techniques to track the use of digital works. EPIC's Comments on RFID (pdf) recommend a prohibition on " chipping" people and warn that unencrypted RFID passports pose significant security risks. EPIC's Comments on Digital Rights Management (pdf), submitted in collaboration with the Yale Law School Information Society Project, focus on the intersection of copyright protection and user's privacy. (Apr. 1)
- California School Drops RFID Tracking Program. Brittan Elementary School in Sutter, CA, has abandoned an experimental RFID program after InCom, the company which developed the technology, pulled out of its agreement with the school. Last week, EPIC, along with the Electronic Frontier Foundation and ACLU-Northern California, urged the Brittan School Board in a joint letter (pdf) to terminate the program that used mandatory ID badges to track children's movements in and around the school with RFID technology. The letter argued that the program breached children's right to privacy and dignity by treating them like cattle or pieces of inventory. See the press release. (Feb. 16)
- EPIC Urges to Stop RFID-Tracking Scheme for School Children. EPIC, along with EFF and the ACLU-Northern California, urged the Brittan School Board in a joint letter to terminate an experimental program using mandatory ID badges tracking children's movements in and around the school with RFID technology. The letter argues that the program breaches children's right to privacy and dignity as human beings by treating them like cattle or a piece of inventory, and that the RFID badges jeopardize the safety and security of students by broadcasting their identity and location information to anyone with a chip reader. For more information, see the EPIC Children and RFID Systems page. (Feb. 8)
- Security Flaws Revealed in RFID Enabled Products. Students at Johns Hopkins University have discovered serious security flaws in the Radio Frequency Identification (RFID) chips which are used to protect cars from theft and prevent fraudulent use of Speedpass keys. The research shows that even RFID systems considered to be secure remain vulnerable, which only highlights the need to prioritize anaylsis of privacy and security prior to implementation of RFID technology. The potential for exploitation of the security deficiencies serves as a warning to all industries and governments that would hastily assemble RFID enabled systems in order to identify and/or track people as they cross borders. (Feb. 1)
- EPIC Proposes New Framework for Regulation of RFID in Health Care Settings. In a presentation to a committee of the Department of Health and Human Services, EPIC Executive Director Marc Rotenberg recommended the establishment of a new Four Tier Framework for RFID Regulation for medical information. The framework builds on EPIC's earlier Privacy Guidelines for RFID Technology. EPIC said that privacy rules should apply to most RFID applications and that additional safeguards will be necessary given RFID's unique tracking capabilities. EPIC proposed no privacy restrictions on the use of RFIDs in bulk products not associated with specific patients, but urged the prohibition of RFID implants. (Jan. 11, 2005)
- EPIC Recommends Privacy Protections for RFID. In testimony before the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, EPIC Policy Counsel Cédric Laurant urged Congress to adopt a framework of fair information practices to govern collection of personal information through RFID. The testimony follows detailed comments (pdf), including EPIC's Privacy Guidelines for RFID Technology, filed at a Federal Trade Commission Workshop on RFID. (July 14, 2004)
- EPIC Surveys the RFID Industry. EPIC recently surveyed developers and manufacturers of RFID technology, as well as retailers who have begun to employ RFID in the supply chain and in the retail setting. EPIC asked how they used RFID tags in the retail environment and requested details about how they were enabling customers to disable tags (a process known as "tag killing") or remove tags from retail merchandise. See survey. (June 23, 2004)
- EPIC Urges FTC to Safeguard Consumers' Interests at RFID Workshop. In testimony to the Federal Trade Commission on radio frequency identification technologies, EPIC called for the adoption of strong Privacy Guidelines for RFID Technology to protect consumers against potential abuses of the tracking technology. (June 21, 2004)
- Federal Trade Commission to host a public workshop on RFID in June. The workshop will explore the uses, efficiencies, and implications for consumers associated with RFID technology. It will address both current and anticipated uses of RFID tags and their impact on the marketplace. (April 12, 2004)
- San Francisco library foregoes hearing and votes to fund RFID tracking. The San Francisco Library Commission voted to approve funding for the implementation of RFID chips in books and on other library materials before holding a hearing on the matter, which the Commission had promised to do. The ACLU and the Electronic Frontier Foundation are among the groups that oppose the RFID tracking at the library without implementation of privacy safeguards. (Mar. 2, 2004)
- Metro AG scales back tracking technology. In the face of heated contention, the German Company Metro AG back-peddled away from their ambitious plans to start using RFID chips in supermarket loyalty cards for Extra Future Store. The supermarket had hoped to use the tracking system to verify ages of customers so that DVD trailers could be tailored accordingly. (Mar. 1, 2004)
- The discount retailer Target announced plans to use RFID on all shipped pallets. Citing cost reduction, inventory accuracy and theft concerns, Target announced that it would implement RFID technology into all pallets of merchandise shipped to regional distribution centers. The company assured customers that they have no plans to use RFID transmitters to track customer purchases at this time. (Feb. 24, 2004)
- A California design firm uses RFID to make Prada shopping very personal. California design company Ideo played a part in creating the Prada "experience" for return Prada shoppers. When a shopper enters the store carrying a frequent shopper card with a RFID chip, a store clerk instantly knows the shopper's preferences, past purchases and vital statistics before the shopper even starts to look around thanks to the clerk's handheld RFID reader. Once in the dressing room, which the card allows shoppers to reserve ahead of time, the RFID reader suggests coordinating pieces to match the items that the shopper selected, which are all displayed on a video screen. (Feb. 1, 2004)
- Coalition Recommends Privacy Practices for RFID. EPIC and a coalition of privacy organizations have released a position paper on the use of RFID in consumer products. The paper, which was delivered at a RFID Policy Workshop at MIT, recommends a framework of Fair Information Practices for data collected by the technology. (Nov 17, 2003)
- Secret RFID testing amid denials. Wal-Mart and Procter & Gamble recently admitted to secret RFID testing of consumers who interacted with Lipfinity brand lipstick in an Oklahoma Wal-Mart store earlier this year. Triggered by a RFID tracking device imbedded in the lipstick packaging, consumers were videotaped when they had contact with the product. The revelation contradicts repeated assurances by Wal-Mart that it was not conducting such tests on consumers. (Nov. 12, 2003)
- Marks & Spencer has begun using RFID in the U.K. The retailer Marks & Spencer, a U.K.-based retailer, has already begun using RFID technology in clothes and in returnable food delivery trays. The retailer hopes the technology will increase stock accuracy and thereby facilitate product accessibility for shoppers. While the RFID tags are attached to certain items, Marks & Spencer assures that the tags can be removed from clothing, and the collection of information about shoppers will be restricted. The implementation of the RFID technology is just in the trial stages, according to the company, and the success of the program will be assessed after a month. (Oct. 16, 2003)
- U.S. Department of Defense Requires RFID tags on all DoD Purchases. The DoD plans to require RFID tags on all products purchased by 2005 in order to "improve [the Department's] business functions and facilitate all aspects of the DoD supply chain," according to the Department. The DoD plans to use the Electronic Product Code (EPC) technology which is under development by the Uniform Code Council. This move is predicted to hasten the deployment of RFID tags and lower the cost by increasing visibility and demand for the technology. However, while the producers of the tags expect a huge financial benefit, the cost of the implementing the technology will fall on suppliers, who will likely then transfer the cost to consumers. (Oct. 13, 2003)
- RFID Developers Public Relations Plans Revealed. Consumers Against Supermarket Privacy Invasion and Numbering has located a number of internal public relations documents that discuss how Radio Frequency Identification (RFID) developers plan to "neutralize opposition" to the technology. The documents, prepared by Fleishman-Hillard, suggest that: "Political climate and shifting public perception require a proactive plan that…mitigates possible public backlash" to RFID adoption. (Jul. 7, 2003)
- Benetton: No Microchips in Clothes (Yet): Italian-based clothing company Benetton announced that it has not put Radio Frequency Identification (RFID) tags in its clothing, despite some reports to the contrary. The company said it will undertake a study of the tracking technology, "including careful analysis of potential implications relating to individual privacy." Consumers Against Supermarket Privacy Invasion and Numbering had organized an anti-RFID boycott of the international clothes manufacturer and vendor. For more information, see Junkbusters' page on RFID. (Apr. 7, 2003)
- Digital Security research group from the Dutch Radboud University: page on RFID (July 2008).
- Cryptography analysis of the secret Cypher that the Mifare Classic RFID chip uses (July 2008).
- Office of the Privacy Commissioner of Canada, Consultation Paper, "Radio Frequency Identification (RFID) in the Workplace: Recommendations for Good Practices" (March 2008).
- ANEC & BEUC, "Consumers' Scenarios for a RFID Policy: Joint ANEC/BEUC Comments on the Communication on Radio Frequency Identification (RFID) in Europe: Steps Towards a Policy Framework" (July 2007).
- National Institute of Standards and Technology, "Guidelines for Securing Radio Frequency Identification (RFID) Systems" (Apr. 2007).
- Commission of the European Communities, "Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Radio Frequency Identification (RFID) in Europe:Steps Towards a Policy Framework" (Mar. 15, 2007).
- Article 29 Data Protection Working Party, Working document on data protection issues related to RFID technology (Jan. 1, 2005).
- Food and Drug Administration, "Radiofrequency Identification Feasibility Studies and Pilot Programs for Drugs - Guidance for FDA Staff and Industry - Compliance Policy Guides" (Nov. 16, 2004).
- Ontario Information and Privacy Commissioner, Tag, You're It: Privacy Implications of Radio Frequency Identification (RFID) Technology (Feb. 2004).
- Materials submitted at the Massachusetts Institute of Technology RFID Privacy Workshop (Nov. 2003).
- International Conference of Data Protection & Privacy Commissioners, Resolution on Radio-Frequency Identifiation (Nov. 20, 2003).
- Cynthia Leonardatos, Paul H. Blackman, & David B. Kopel, Smart Guns/Foolish Legislators: Finding the Right Public Safety Laws, and Avoiding the Wrong Ones, 34 Conn. L. Rev. 157, (Fall, 2001).
- Timothy P. Terrell, Anne R. Jacobs, Privacy, Technology, and Terrorism: Bartnicki, Kyllo, and the Normative Struggle Behind Competing Claims to Solitude and Security, 51 Emory L.J. 1469, (Fall, 2002).
- CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) is an information clearinghouse and resource for community and national action opposing consumer tracking devices, such as loyalty cards and RFID tags.
- CASPIAN has proposed federal legislation known as "RFID Right to Know Act of 2003," which calls for mandatory labels on RFID-equipped products so that consumers can identify and make informed choices about purchasing products installed with tracking chips. CASPIAN issued a press release outlining the proposed legislation on June 11, 2003.
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a by-monthly newsletter highlighting emerging privacy issues.