RFID, or Radio Frequency Identification, tags comprise a microchip, loaded with a unique code number, and a tiny antenna that transmits data from the chip to a reader. The reader is activated whenever the antenna comes into range and the data can be used to trigger an event – such as ringing up a purchase or ordering more stock.
The chips can be incorporated into a range of products and could largely replace barcodes, their big advantage being that they do not require a line of sight between the chip and the reader. They offer a means of navigating complex global supply chains, allowing companies to track their products from factory to distribution centre, from warehouse to sales floor.
Many retailers have experimented with RFID and the biggest of them all, Wal-Mart, is requiring its top 100 goods suppliers to tag shipping cases and pallets with RFID technology by 2005. It will require the rest of its suppliers to start using RFID tags by 2006.
But pressure groups are worried by the technology and in November last year issued a statement calling on manufacturers and retailers "to agree to a voluntary moratorium on the item-level RFID tagging of consumer items until a formal technology assessment process involving all stakeholders, including consumers, can take place."
On Tuesday, Californian State Senator Debra Bowen introduced the country's first privacy standards for the use of RFID technology.
"The privacy impact of letting manufacturers and stores put RFID chips in the clothes, groceries, and everything else you buy is enormous," said Bowen. "There's no reason to let RFID sneak up on us when we have the ability to put some privacy protections in place before the genie's out of the bottle."
Her bill would require any business or state government agency using an RFID system that can track products and people to:
Tell people they are using an RFID system that can track and collect information about them;
Get express consent before tracking and collecting information; and
Detach or destroy RFID tags that are attached to a product offered for sale before the customer leaves the store.
"It really comes down to three basic principles," continued Bowen. "First, you have a right to know when and where RFID technology is being used. Second, anyone using RFID should get your consent before they collect information about you. Third, the 'default' should be that RFID tags on products get removed or destroyed when you walk out the door, which takes care of many of the privacy concerns - not the least of which is the fear that as you walk through the mall, everything you're wearing and carrying could one day be identified as you walk by RFID readers."
Meanwhile, IT security giant RSA Security, a member of the pro-RFID organisation EPCglobal, is addressing similar concerns with a technology solution.
"In a naive, RFID-enabled world without technical forethought, there is risk that sensitive information could be visible in secret to anyone with an RFID reader," said Burt Kaliski, director and chief scientist of RSA Laboratories.
He acknowledged that the unique serial numbers emitted by RFID tags could be used to track people and objects surreptitiously. For businesses he points out that RFID introduces a whole new dimension to the potential for corporate espionage.
His company's solution, also announced Tuesday, is the RSA Blocker Tag: a special RFID tag designed to prevent readers from performing unwanted scanning and tracking of people or goods, without any disruption to normal RFID operation.
The system works by "spamming" any RFID reader that attempts to scan tags without the right authorisation, thereby creating a hostile environment for the reader.
When ordinary RFID tags are in range of an RSA Blocker Tag, they benefit from its shielding behaviour; when the RSA Blocker Tag is removed, the ordinary RFID tags may be used normally.
Due to its selective nature, RSA says its Blocker Tag helps prevent unwanted scanning of, for example, purchased items, but does not interfere with the normal operation of RFID systems.
The prototype was demonstrated by the company at the RSA Conference held in San Francisco this week, using the example of a mock chemist's shop. Customers are given medication in a bottle with an RFID tag; then, at the checkout, the medication is placed in special paper 'blocker bags' that effectively shield the contents from unwanted scanning.
"The promise of RFID will require infrastructure and process changes, and it will also present huge security and privacy challenges," concluded Kaliski. "Whereas retailers think about tracking inventory, piracy advocates worry about what happens when the RFIDs leave the store. It's up to companies like RSA Security to help bridge that gap."