Return to the
Watching Them, Watching Us
Home Page
email: rfid@spy[dot]org[dot]uk
N.B. This old RFID page has been revived for archival reasons - we will probably get around to updating it eventually - 11th April 2008
Tell us what you think
email: rfid@spy[dot]org[dot]uk
Despite the hype, RFID tags are not a new technology, they have been around for many years, and are used in re-usable tags and transponders (due to the cost) to track pallets, stillages, containers etc around factories, warehouses etc. Due to their cost and size they have never been as widespread as printed barcodes, and despite the hype, are unlikely to ever fully displace barcodes.
From a privacy point of view, a barcode label is much less likely to be read or scanned remotely without a customer being aware of the process than a still active RFID tag on consumer goods.
These EPCs could be used with barcode technology, but they seem to be keen on promoting the potentially more privacy intrusive RFID tags, although the standards bodies which set the rules for barcodes seem to fully support EPCs.
Ultimately, the back-end database systems being proposed for Electronic Product Codes could prove to be far more of a privacy threat to consumers than the RFID tags themselves.
These are not just some academics doing research, they have funding from some of the largest companies. It is only through privacy advocate pressure, that they have had to pay lip service to deactivating or "killing" RFID tags, a concept which was not in their original plans, and which none of the RFID trials so far have demonstrated.
They have not come up with any answers to questions such as:
This technology is in the early stages and consumer privacy pressure could still influence their plans.
People have been worried about the potential health risks of GSM Mobile Phones and Phone Transmitters, which are much more powerful radio energy sources than RFID tag readers.
Are there potential health risks to customers and staff from the hundreds of RFID tag readers in a supermarket full of "intelligent shelves" constantly transmitting, as they read each unique RFID tag in sequence ? Nobody knows, because the trials so far have not yet wired up a whole supermarket with this technology.
The Auto-ID Center and the large supermarkets should be sponsoring and publishing research into possible long term health effects now, not years after the widespread introduction of the technology as happened with the Mobile Phone industry.
Do we really need more electrosmog ?
What are the Shopworkers Trades Unions doing to inform themselves and their members about these potential risks ?
Nobody should be fooled into granting the manufacturers of RFID tags or EPC database technology legal protection from criminal or civil liability for selling products which fail to prevent terrorist attacks or which give false alarms, which some of them are seeking under the dubious so called SAFETY Act (Support Anti-Terrorism by Fostering Effective Technologies Act) of 2002 in the USA.
Such products already have product barcodes and lot traceability numbers. The Auto-ID approach to individual identification of such items via a unique Electronic Product Code will make no appreciable difference to the speed at which possibly contaminated or faulty goods can be recalled or removed from sale.
If mineral water contains traces of benzene, or citrus fruits contain mercury, or headache capsules contain cyanide, or beef products contain prions or any of these are even suspected of being contaminated then all the current stock on the shelves has to be withdrawn. Consumers cannot trust a manufacturer or distributor to say these items may be risky, but these others on the same shelf are ok, even if this is actually true.
There is now some hype about research programmes which hope to link biosensor chips with RFID tags These are supposed to react to Chemical or Biological weapons and then let the RFID tags signal an alert, rather than causing a colour change on a label etc.
This plan must inevitably lead to hugely expensive and disruptive false alarms, when, for example, organophosphorus pesticide residues get mistaken for the chemically similar nerve agents (just like during the invasion of Iraq, where state of the art, non-miniaturised equipment operated by trained soldiers gave false alerts, leading to the donning of gasmasks and to as yet unsubstantiated claims about having found Weapons of Mass Destruction). If the RFID tags which are linked to these biosensors are of the "stupid" insecure variety, then a hoaxer or terrorist or extortionist would be able to sit in a van in the car park of a supermarket and trigger false anthrax etc alerts remotely by radio.
Before anybody lets Biosensor RFID tags loose in the food supply chain, it should be established what is the acceptable level of false alert for such systems. If the system only falsly reported the presence of a pathogen once in a million times, then we would have a Bioterror alert every single day of the year, rendering the emergency services useless.
We simply do not believe that such biosensors can be made reliable enough and cheaply enough with cheap RFID tags to be deployed as envisaged.
There is a case for much more CBRN (chemical, biological, radiological or nuclear) monitoring, which may well make use of cheap biosensor chips, but these should be from permanent monitoring stations run by trained people and inspectors, who can corroborate alerts. Leaving this up to fully automated systems run by the food industry (parts of which is criminally negligent) is literally a recipe for disaster.
It is hardly likely that the ammunition and weapons used by criminals and terrorists will ever get RFID tagged, so the talk about using RFID to fight terrorism or serious crime is just hype.
Some RFID promoters seems to be trying to get their products on the US Government Homeland Security approved list for exemption from civil liability for causing false alarms under the so called SAFETY Act (Support Anti-Terrorism by Fostering Effective Technologies Act) of 2002, presumably to get funding to subsidise their research and development budgets, and to get the US Government to purchase lots of their products.
Lessons should be learned from Wi-Fi 802.11b Wireless LAN cards and Access points which are nominally designed for a range of less than 30 metres. These can be used with better commercial or homebrew antenna designs, up to 70 kilometres or more.
Unless RFID tags are deactivated as a matter of routine, they will be snooped upon by the unscrupulous, at ranges far in excess of that of standard reader equipment.
If the tag "killing" /deactivation process is not secure, then they could be re-activated in secret at extended ranges as well.
It may be possible to "kill" a whole supermarket full of RFID tags, from a vehicle in the car park.
Hitachi are now denying reports about embedding their RFID tags in banknotes, etc as an anti-forgery device. Their mu chip has its antenna onboard the silicon chip, and therefore has a very short range.
The technical problems presented in trying to discriminate each individual RFID tag in a stack of banknotes are formidable. How do you stop the RFID antennas from interfering with each other when hundreds of them might be stacked one on top of the other ? Random placement of RFID tags in a banknote would surely cause lots of counterfeit false alerts, they will have to be in a standard position, only separated by the thickness of a piece of banknote paper i.e. much less than the wave length of the radio signals.
How will it be possible to provide enough Radio Frequency energy to remotely power all the passive RFID tags, in a wad of say 50 banknotes, without exceeding the safety/interference power levels laid down for the Radio Frequencies ?
It might just be possible to track a single RFID embedded banknote, but this would be impractical, if several such banknotes together in a wad cannot be tracked.
If it were possible to make these chips cheap enough for Auto-ID RFID tags on everything you buy in the shops, then some of our privacy concerns would be assuaged. However, this is simply not the case, and the style of primitive RFID tag shown above in the Tesco trial, without all the built in safeguards could overtake the market, unless consumers and privacy advocates say no.
These bodies which are developing future international standards for RFID tags and their Electronic Product Code, should explicitly forbid the use of RFID tags and readers which are too stupid to be securely disabled permanently or which can be easily spoofed, like the ones used in the Tesco trial described above.
NoTags organised a protest at the Tesco Sandhurst store on Monday 15th September from 5.30pm. c.f. Re-scalable map showing the location of the Tesco Extra superstore in Sandhurst. Here is a photo of the event:
MeadWestvaco Radio Frequency ID tags used on DVDs - trial at Tesco, Meadow Park, Sandhurst, UK - July 2003 | |
MeadWestvaco RFID tag embedded in a paper label on DVD case, one pound coin for size reference |
MeadWestvaco RFID tag with top layer of paper removed on standard DVD case |
MeadWestvaco RFID tag with top layer of paper removed |
Closeup of MeadWestvaco RFID tag with top layer of paper removed |
RFID Journal has an article: Tesco Tests Low-Cost RFID System Tesco are trialling MeadWestvaco Intelligent Systems tags for their pilot at their Sandhurst Tesco Extra superstore south west of London. These RFID tags are embedded in paper labels and operate at High Frequency i.e. 13.56 MHz and use an innovative reader antenna sharing scheme which reduces the number of expensive readers required, at the cost of taking longer to poll all the stock on the shelves. This has the effect of making these readers less useful for linking to RFID triggered CCTV surveillance, which has been attempted in the Auto-ID labs, and possibly at the Gillette razor trial in the Cambridge Tesco store (which has now ended, almost certainly not due to any privacy or consumer activist pressure). Since most supermarkets have lots of continuous CCTV Surveillance anyway, the extra "security" that RFID triggered CCTV Surveillance provides must be doubtful. However the combination of RFID Smart shelves and CCTV will be potentially very privacy intrusive if it is aimed at analysing the "browsing" habits of consumers. The DVDs in this trial are already encased in standard Sensormatic (one of the Auto-ID sponsors) tagged anti-theft plastic cases which are removed at the checkout. The DVDs already have standard printed product barcodes. N.B. The MeadWestvaco RFID tag is NOT "killed" or deactivated when the customer pays for the DVDs at the checkout, and can still be read remotely, as was demonstrated by Channel 4 television "Chips with everything" by David Rowan on 27th July 2003. Unless such RFID tags are deactivated permanantly at the checkout, this technology should not be permitted to be inflicted on unsuspecting customers, and should remain where it belongs in the warehouse and supply chain. Tesco deserve criticism for not informing their customers about the privacy implications of these particular RFID tags.
| |
The previous trial of 13.56MHz High Frequency tags on the plastic trays used to transport food deliveries from Marks & Spencer's suppliers i.e. not on the individual food packaging, and therefore does not present a consumer privacy problem.
It still remains to be seen if Marks & Spencer plans to go down the route of secret experiments on their customers, using RFID tags that are not deactivated at the checkout, like Tescos have done, or if they have learned from the privacy concerns of the public.
Update on the M&S High Wycombe trial
It seems that Marks and Spencer are giving some attention to consumer privacy in the first of their clothing RFID tag trials, initially for 4 weeks (October - November 2003) on
on suits, shirts and ties.
at their High Wycombe store. They seem to plan to at least have leaflets explaining something about the RFID tags to their customers (unlike Tesco who try to
keep their customers in ignorance). The paper label RFID tags will be removeable i.e. a separate price label or on the
shirt wrapping, rather than the Texas Instruments type RFID tags designed to be embedded in clothing and capable
of withstanding laundry processes.
Given the public relations silence on the topic so far, it must be assumed that this latest M&S RFID tag trial still/b> does not seem to comply with the Auto-ID Center's idea of a tag that can be "killed" or disabled electronically at the checkout, or that there is a strong authentication handshake which would allow only M&S RFID readers to interrogate them.
Therefore the privacy concerns (similar to those over "third party cookie tracking" profiles compiled from internet web site surfing) still remain.
Here are some photos of these RFID label tags:
 |
 |
 |
The Home Office has spent £5.5 million of taxpayers money on their Chipping of Goods Initiative, on some pilot schemes aimed at combating stolen or counterfeit goods, some of which involve RFID tags. Apparently at least one of the Tesco RFID trials got some public money under this scheme.
It might be worth the media and others asking the Minister and other keynote speakers at the Chipping of Goods Initiative Conference in London on 13th-14th of November 2003 about what they intend to do to allay our Consumer Privacy fears.
Shortly thereafter, the RFID Privacy Workshop is to be held at 9:00am - 5:00pm, Saturday November 15th 2003, Bartos Theater, Massachusetts Institute of Technology, Cambridge (near Boston), USA.
Return to the
Watching Them, Watching Us
Home Page
email: rfid@spy.org.uk
revision date: 30th September 2003
