Paul Moskowitz, a Ph.D. researcher at IBM's Watson Research Center, believes security is definitely an issue with RFID-tagged goods. Along with his colleagues, Moskowitz has invented what's referred to as Clipped Tag technology to help solve some of those basic security issues.
IBM, commercializing Moskowitz's work, announced Nov. 8 that it will license the Clipped Tag technology to RFID (radio-frequency identification) tag and label manufacturer Marnlen RFiD—the first manufacturer to license IBM's technology, which was announced earlier this summer. Marnlen, based in Markham, Ontario, will begin producing and marketing the technology immediately.
To help move various industries along with RFID adoption—retail and pharmaceutical are most notably looking for ways to implement item-level RFID tags—Moskowitz has come up with a fairly simple answer to the increasingly convoluted privacy issue: the clipped tag. The idea is that by adding perforations to an RFID-chipped tag on a pair of jeans, for example, a consumer can rip the tag in half and at the same time rip the antenna that transmits radio waves that are in turn read by an RFID reader.
Ripping the tag, however, doesn't make the RFID chip unreadable. Rather, it shrinks the read range in which the information on the tag can be transmitted—from about 30 feet down to two inches.
“The clipped tag is a simple structure where you're tearing off a piece of the antenna,” said Moskowitz, in Yorktown Heights, N.Y. “If you wanted to protect your privacy you could also take a hammer and smash [an RFID-chipped] tag once you buy an item, or kill it with the Gen 2 kill feature, but this cuts off the tag for downstream use like authentication of an item, recycling, and warranty.”
Gen 2, the tag and reader standard ratified by EPCglobal in 2004, does have a kill feature. However, a password is required to access the back-end data of the tag, which makes the kill option really only available to companies implementing the tags, not to consumers.
The retail and pharmaceutical industries are the two most lauded markets for going after item-level RFID tagging—the point where consumers are potentially most negatively affected by the consequences of easily broadcast tag information. RFID tags can contain different types of information based on the tag's memory, the industry it's being used in, and the intended use of the tag itself. What is common to all tags is a unique identifier number that is specific to a tag, and in turn to the item it is affixed to.
“Personal information such as credit card information and addresses are not usually on the tag, but based on the unique identifier number (developed by EPCglobal) it is easy to track what items have been purchased” and by whom, said Moskowitz.
“Imagine this scenario: if you were to purchase a diamond necklace and leave the store with the tag on the box, anyone within a 30-foot radius could potentially read the tag using an RFID tag reader.”
Once the reader links the purchase to the item on the box, anyone with knowledge of the unique identifier number knows what that box contains—a scenario that could make individuals susceptible to a robbery, for example, according to Moskowitz. Even more onerous, he said, “The organizations owning this data could track your shopping habits to learn more about you without your consent.”
While Marnlen has made the first prototypes of the Clipped Tag for garments, it could also manufacture adhesive labels for pharmaceuticals where the clip mechanism is a little different, but nonetheless serves the same purpose. “There is a zip tear like on express envelopes when you open them,” said Moskowitz. “It separates the top from the bottom so you can open the thing.”
Currently RFID tags are used primarily at the case and pallet level to track goods along the supply chain. But there are numerous pilots in process that add RFID chips at the item level.
Wal-Mart, which really kick-started the whole RFID revolution with its 2003 mandate that its top 100 suppliers RFID-tag items at the case and pallet level, is looking heavily into item-level tagging. And it has been for a while. In 2003 it (along with Tesco in Great Britain) worked with Gillette to implement RFID at the shelf level to secretly monitor customers. Shelf sensors triggered a hidden camera to take close-up photographs of consumers when they picked up a Mach3 razor package, according to a Boycott Gillette campaign waged by CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering). The “smart shelves” were pulled following consumer protests.
Levi Strauss & Co., one of the nation's largest clothing manufacturers, confirmed in April that it's testing RFID “hang tags” on clothing shipped to two retail outlets in Mexico and one in the United States—a move that many consumer advocates point to as an outright invasion of privacy rights given the tags will be attached to individual items consumers wear.
Levi is using RFID to track inventory at the test stores at the retailers' requests; it has no plans to use RFID in any of its 18 Levi's brand stores, according to Jeff Beckman, director of worldwide and U.S. communications for Levi Strauss, in San Francisco.
“Our philosophy is that [RFID tests] are being driven by retailers,” Beckman said in an April interview. “So future tests, whether it happens, is being driven by retailers, and only if they are consistent with guidelines [put forth by consumer privacy advocate group CASPIAN], which is very transparent.”
CASPIAN along with about 40 other privacy and civil liberties organizations published guidelines for using RFID at the item level that call for tags to be removed before they reach consumers.
Others are also working on privacy guidelines that allow the tag to remain on purchased goods—if a consumer is informed of the tag and aware of its removal potential. Last May a working group led by the CDT (Center for Democracy & Technology) announced a set of RFID best practices to protect consumer privacy as it relates to item-level tagging. The group—IBM is the charter member—includes a who's who list of companies involved one way or another in RFID testing or software development, including: Microsoft, Intel, Cisco Systems, Procter & Gamble, Eli Lilly and Co., American Library Association, National Consumers League, aQuantive, VeriSign and Visa.
The CDT document outlines how consumers should be notified about RFID data collection, what choice they should have with respect to their own personal information, and how that information should be treated by companies that collect it. It also offers guidance to companies that collect RFID data in providing that information.
At the same time EPCglobal developed guidelines for the “responsible use of electronic product code data,” according to the organization's Web site. The guidelines suggest clear consumer notice of the presence of RFID tags on products; consumer choice to remove the tags; and consumer education about EPC and its applications.
EPC is also working on a nationally recognized logo that would immediately alert consumers that an RFID tag is on a product.
The question now, if RFID use at the item level persists, is who should be responsible for notifying and educating consumers about RFID technology and its potential risks?
Moskowitz, who clearly represents the corporate interest, along with others in the industry, believes the onus for consumer education and notification is at the front end of the supply chain.
“You have to put the option of privacy in the hands of the consumer, and that should come from retailers,” said Moskowitz.