Saturday, October 02, 2004

Article: Product ID tags raise privacy concerns

Delaware Online has an article referring to a recent conference on RFID technology an includes a brief discussion of the privacy issues raised by the use of the chips:

www.delawareonline.com : Product ID tags raise privacy concerns:

"The potential for tracking more than just products has prompted the formation of groups such as Consumers Against Supermarket Privacy Invasion and Numbering.

RFID devices can be read from 20 to 30 feet away and the antennas, first made from copper, can now be printed with conductive ink, making it difficult for consumer to know if products they buy contain RFID transmitters, the group argues. The group has proposed legislation that would require the complete disclosure of products containing RFID devices.

While some have concerns about the tags being used to track more than just products, Ed Coyle, head of the Department of Defense's Logistics Automatic Information Technology office, said at the confer- ence that the key to security, or privacy concerns, is limiting the amount of information on the tags, which also makes the system speedier. "

I am not sure I agree with this last sentiment. The privacy impact of the technology has very little to do with the amount of information embedded in the chip. What matters is the database that the unique identifier is connected with. Afterall, your social insurance number is only nine digits long but has the potential to be a universal tracking code. The VIN on your car is longer, but is connected with your driver's license, which is connected to you.

The following scenario demonstrates the potential of these simple codes: If you buy a pair of shoes with RFID embedded in them at your local mega store, ostensibly for inventory tracking purposes, it will have a unique serial number. At the point of purchase, that unique number can be attached to your visa card number or your debit card in the back office database. The database can connect that to your address, etc. If the RFID in the shoes is linked to your personal unique identifier, anybody who scans the code from the shoes can connect it with you. And it can be scanned from twenty feet away. If your local mega storage puts scanners at the entrances, it will know, for example, if you visited the store again wearing those shoes. It can follow you around the store and know more about your behaviour in the store than you'd probably like. This micro tracking has the potential to be taken to the macro level if scanners, linked to databases, become pervasive.

More information on the privacy impact of RFID is available from Consumers Against Supermarket Privacy Invasion and Numbering at http://www.spychips.com/ (bonus points if you can figure out what side of the issue they espouse).

No comments: