Privacy advocates have been sounding the alarm about RFID ever since Wal-Mart and other retailers first started using the technology on consumer goods. Most of their concerns center around the availability of personal data, remote tracking of consumers or employees, and unauthorized tag scanning from a distance.
But these fears are largely unfounded. The bulk of the RFID technology used in ID tags and many of those in item-level retail tracking can’t be read from any distance away, which means that unauthorized tracking or scanning by a third party would be nearly impossible. The reason they have such a short read range is to avoid accidental scanning of multiple tags.
In retail applications, most tags follow the Electronic Product Code (EPC) standard. EPC tags are encoded with ID numbers that identify products. In order for anyone reading those tags to learn anything useful, that number would have to be compared to information in an EPC-based database, and even then, the most anyone scanning the tag would learn is what the EPC tag was once attached to. An EPC does not include any type of personal information, and very little could be gained from obtaining that information.
Further, many applications include a tag deactivation process—in other words, the tag is effectively shut off or even removed at the point of purchase (say, in retail or pharmaceutical) eliminating the ability for the tags to be read by an unauthorized scanner.
In fact, most of the privacy concerns raised about RFID, particularly when it comes to retail-oriented applications, have little to do with the tags themselves, and more to do with how retailers or other organizations plan to use the data they collect. That’s true whether the data comes from RFID tags, bar code scans, or customer loyalty card use. The data doesn’t travel with the tag or label; its security is a function of how well the company protects its servers, and the kinds of privacy policies it has in place. This is where privacy advocates should focus their energies, not on the enabling technologies.
There are of course “people tracking” applications for RFID, usually in the form of ID badge scanning to gain access to different parts of a facility. Most of these applications utilize proximity cards that can only be read from a few inches away, and so could not be read remotely when the employee was offsite. Further, these types of badge applications can improve employee safety and security by ensuring that only authorized personnel are permitted inside a facility, and provide a record of which employees are in which building in case of an emergency. In this case, while there may be some limited privacy concerns (your employer knows when you enter and leave the building), they are outweighed by improved safety.
So this Fourth of July, don’t worry that RFID will affect your privacy freedoms. Instead, celebrate the freedoms that RFID enables—the freedom to automate business processes, to ensure accuracy of data, to improve the efficiency of supply chain and maintenance processes, and to improve employee safety.
Have a safe and happy Fourth!