Wal-Mart, other RFID users say no privacy law needed

A U.S. law enforcing privacy rules for RFID (radio frequency identification) isn't needed because companies experimenting with the technology are committed to protecting privacy, two such corporations told a U.S. House subcommittee Wednesday.

Wal-Mart Stores Inc. continues to move forward with plans for case- and pallet-level tagging of products with RFID chips, but most item-level tagging, where individual products are identified with RFID chips, is about 10 years away, Linda Dillman, executive vice president and chief information officer of Wal-Mart, told the House Subcommittee on Commerce, Trade and Consumer Protection.

But others in the hearing noted Wal-Mart conducted product tests on lipstick in an Oklahoma store in early 2003. Representative Jan Schakowsky, an Illinois Democrat, questioned if consumers were adequately warned of the lipstick tests. With the potential to use RFID chips in passports and other government identification, as well as consumer products such as clothing, the misuse of RFID tracking raises "seriously Orwellian concerns," she said.

"Soon we could have Big Brother and big business tuning into the same frequency, where not only will they know where you are, but what you're wearing," Schakowsky added.

Privacy advocates told the committee legislation is needed to protect consumers from potential uses of RFID. Three privacy advocates testifying Wednesday offered few current examples of privacy concerns caused by RFID, but as the range of RFID scanning grows beyond the current 10 to 20 feet (305 to 610 centimeters), RFID could allow corporations and governments to track people's movements and purchases, they said. RFID uses small computer chips and antennas that are integrated into a paper or plastic label. Those chips can then be read by an electronic scanner.

A United Nations-affiliated group, the International Civil Aviation Organization, is already developing global standards for passports that include RFID chips, with the group looking for a chip that could be read up to a meter away, said Barry Steinhardt, director of the Technology and Liberty Program for the American Civil Liberties Union. In the hands of a dictatorial government, RFID-chipped passports or other identification could be used to track visitors to the country or identify attendees of a political rally, Steinhardt said.

Such uses of RFID could create "a whole new surveillance regime," Steinhardt added.

Users of RFID defended it, however, saying its range was too small and its cost too prohibitive to use on most consumer products. The Wal-Mart test on lipstick had the RFID tags on large packages, not individual products, said Sandra Hughes, global privacy executive for The Proctor & Gamble Co., Wal-Mart's partner in the test. Consumers were notified of the RFID test, and although the lipstick display was monitored by a Web cam, the purpose was to track the supply of lipstick, not consumers, Hughes said.

Hughes and other defenders of RFID said the technology has great potential to lower supply chain costs, reduce theft and counterfeiting, improve the rate of products being in stock and even track livestock diseases.

With RFID chips in the ears of cattle, livestock sold could be tracked within hours instead of the weeks it can take to track down a paper-based sale, said John Molloy, managing director of ViaTrace LLC, a maker of tracking technologies. The U.S. is out front of the rest of the world in experimenting with RFID, he said, and the use of RFID could end threats of diseases like so-called Mad Cow disease.

"This is the opportunity (for the U.S.) to lead the world in traceability," Molloy said.

But safeguards are needed so that the potential of RFID is not misused, privacy advocates said. Witnesses at the hearing disagreed about what kind of legislation is needed, however, with the Electronic Privacy Information Center calling for RFID-specific legislation, and the Center for Democracy and Technology repeating its call for general privacy legislation that would cover all kinds of technologies.

When Representative Darrell Issa, a California Republican, suggested that legislation should focus on what companies and government agencies do with the information they collect, instead of what technology is used to collect the information, Paula Bruening, staff counsel for the Center for Democracy and Technology, agreed. Recent debates over a House spyware bill showed how difficult it is to legislate based on specific technologies, she added.

"You end up with a better result if you have baseline privacy legislation that focuses on the information itself," Bruening said. "If we had that kind of baseline law, we could avoid a lot of those tortured conversations that go on about what falls in and what falls outside of the line."

Hughes, of Proctor & Gamble, said legislation is premature because companies are being responsible about data collection. Her company retains consumer data only as long as necessary, she said. In the case of a product sale, the company keeps the data only long enough to complete the transaction, but in the case of an opt-in customer newsletter, the company retains the data as long as the consumer is subscribed.

Wal-Mart's Dillman also opposed RFID-specific legislation. "We don't believe that data collected by RFID should be different," she said. "We believe there should be a single standard."

Instead of a law, Congress should encourage companies to follow privacy guidelines developed by private groups such as EPCglobal Inc., Dillman said.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon