Section 5.3. Resolution Attempts


Current attempts to assuage privacy concerns posed by RFID generally fall into the following three categories:

  • Political and legal (governmental). Politicians, lobbyists, and privacy-rights advocacy groups are attempting to enact legislation (and guidelines) regarding RFID use so that it does not pose a threat to the privacy rights of individuals.

  • Business community. This second category represents the second most crucial element in the privacy equation after consumers: the business community. Businesses can proactively take effective measures against privacy-infringement issues as an independent effort.

  • Technology community. Developers of RFID technology and related products are attempting to provide solutions to prevent the unauthorized use of RFID tags to snoop on individuals.

Within each of these categories, and sometimes overlapping, people are working on solutions to provide a satisfactory resolution to the privacy issues RFID raises. The following section discusses some of their current activities.

5.3.1. Political and Legal

Senator Patrick Leahy (D-VT) has expressed concerns that federal laws might be necessary before the privacy-infringement issues of RFID go too far.[2] Senator Leahy proposed that answers should be sought on what information is collected; how it is collected, stored, accessed, secured, corrected in case of mistakes; and conditions under which it can be used by law-enforcement agencies. He also acknowledged that it is important to let RFID mature without needless roadblocks.

[2] Remarks of Senator Patrick Leahy. "The Dawn of Micro Monitoring: Its Promise and Its Challenges to Privacy and Security." Georgetown University Law Center, March 23, 2004.

In November 2003, eight privacy-rights advocates, including Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), the American Civil Liberties Union (ACLU), and the Privacy Rights Clearinghouse (PRC), issued a privacy position statement. This statement proposed the following three-part framework for the proper use of RFID:

  • A formal technology assessment

  • Adherence to a set of proposed principles of fair information practices

  • Outright rejection of certain types of uses of RFID

In addition, the statement requested that manufacturers and retailers impose a voluntary moratorium on unit-level RFID tagging of consumer items until a formal assessment of the technology by all stakeholders and consumers is performed.

In Missouri, SB 0867, otherwise known as the RFID Right to Know Act of 2004, was introduced by State Senator Maida Coleman (D) on January 7, 2004. This bill requires that an RFID tag on an item have a clearly visible label that explicitly mentions that the item contains an RFID tag and that the tag can transmit unique identification data to a reader both before and after the sale of the item. The bill failed to pass when its hearing was cancelled on March 9, 2004.

On January 28, 2004, the Radio Frequency Identification Right to Know Act (HB 251) was introduced in Utah and sponsored by David L. Hogue (R). It was initially approved by the Utah house of representatives and the Utah senate's Business and Labor Committee. One amendment to this bill would have required retailers to destroy a tag unless they notified consumers of its existence and capabilities. This amendment seemed unpopular with retail associations. However, the bill expired in March 2004, before the Utah senate could vote on it. It is expected that this bill will be reintroduced.

In April 2004, the California state senate approved bill SB 1834, introduced by Senator Debra Bowen (D), to impose regulations on the uses of RFID by libraries, retailers, and other private bodies. The bill proposed the following three rules for acceptable use of RFID by a business to collect data related to personal identity:

  • Inform customers whenever RFID is used in items to collect data.

  • Customer permission is mandatory before his purchases can be tracked.

  • All RFID tags must be deactivated before a customer leaves the store. (This was subsequently modified.)

This bill was defeated by the members of the California State Assembly on June 25, 2004.

In June 2004, an RFID Privacy Guideline statement was jointly released by the Ministry of Economy, Trade, and Industry (METI) and the Japanese Ministry of Public Management, Home Affairs, Posts and Telecommunications. Some of the salient points of these guidelines are as follows:

  • Notify that RFID tags are attached to items.

  • Provide consumers with an opt-out policy with regard to linking the RFID tags to their personal information. The guide proposes informing customers how to defeat RFID technology so that the tags cannot be read (for example, using metal foil to cover the tag or physically removing it from the item).

  • Restrict the collection and use of information when private data is stored on tags.

  • Ensure information accuracy when tags carry private information.

  • Share information with the customers.

Privacy-advocacy groups strongly urged discussion at the federal level regarding large-scale use of RFID by retailers and the government. The U.S. Federal Trade Commission (FTC) responded by hosting an RFID workshop in June 2004. At this workshop, the privacy-advocacy groups called for the FTC and other governmental agencies to conduct an impartial assessment of RFID technology. The supporters of RFID expressed concerns that such an assessment might be premature. The FTC has prepared a report based on its research and findings at this June workshop.[3] This report calls for self-regulation of the manufacturers and users of the RFID technology. At the same time, the FTC has not completely ruled out issuing future RFID guidelines.

[3] Radio Frequency Identification: Applications and Implications for Consumers. A Workshop Report from the Staff of the Federal Trade Commission, March 2005.

On January 19, 2005, the Article 29 Working Party, the European Union's advisory body on privacy and data protection, published a report that provided privacy guidelines regarding RFID use. The report called for obtaining clear consent from an individual when RFID is used and making him aware of the following:

  • The presence of RFID tags in the merchandise

  • What type of personal data is collected and how it is processed

  • The right to access and check accuracy of personal information collected by a business

In March 2005, the New Mexico house of representatives Judiciary Committee dismissed the bill HB215, titled Removal of Radio Frequency ID Tags, sponsored by Representative Mimi Stewart (D). This bill called for attaching a label to a tagged item clearly stating that the item contains an RFID tag. The bill proposed that all tags be removed from items before they leave the store and that a business should provide a customer, upon a written request, all personal information that it has collected.

In May 2005, Massachusetts State Senator Jarrett Barrios (D) introduced bill No. 181, a bill similar to SB 1834, in the state senate. However, Senator Barrios did not support the deactivation or "kill" feature for a tag. His concern was that if a tag is deactivated, useful information required for recycling (for example) might be unavailable for such a tagged item. He also expressed a concern that laws enacted today might not be applicable in the future because of the evolving nature of RFID.

5.3.1.1. Privacy-Rights Advocacy Groups

Several privacy-rights advocacy groups are involved in the RFID privacy debate with the supporters of the technology. Some of the most prominent among these advocacy groups are the following:

  • CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering; http://www.nocards.org/, http://www.spychips.com/) organizes and participates in privacy-related events and debates and publishes privacy-related policy documents.

  • The ACLU (American Civil Liberties Union; http://www.aclu.org/) champions freedom-of-speech rights, equal protection rights, due process rights, and last, but certainly not least, privacy rights.

  • The PRC (Privacy Rights Clearinghouse; http://www.privacyrights.org/) publishes information about protecting consumer privacy rights.

  • The IAPP (International Association of Privacy Professionals; http://www.privacyassociation.org/) is an association of privacy and security professionals that provides interaction, education, and discussion regarding privacy matters.

  • The EFF (Electronic Frontier Foundation; http://www.eff.org/) is an organization devoted to protecting the fundamental rights of individuals and raising and debating the civil liberties issues associated with technology.

  • EPIC (Electronic Privacy Information Center; http://www.epic.org/) is a public interest research center whose primary goals are to protect privacy and bring public attention to emerging civil liberties issues.

5.3.2. Business Community

Instead of solely depending on the government and technology community to resolve RFID privacy concerns, the business community has an equally crucial role to play. Direction and guidelines have already started to emerge. For example, EPCglobal provides a set of guidelines targeted at the business community that relate to the use of EPC in consumer products.[4] The following list provides sample general guidelines (strictly for informational purposes only):

[4] Guidelines on EPC for consumer products (http://www.epcglobalinc.org/public_policy/public_policy_guidelines.html).

  • Unambiguously document the corporate privacy policy.

  • Publicly share this policy with employees and customers.

  • Implement an effective feedback system that captures and resolves concerns related to the published corporate policy.

  • Clearly state on tagged item packaging the presence of RFID tags in the merchandise, and make customers aware of RFID use in the store.

  • Inform the customers as to what data is stored on the tags and how it is going to be used and the benefits (both for the business and the customer) associated with it.

  • Provide customers the option to either accept or reject associating their CID with the purchased item tag data. If the customer opts out, disable or remove the tag at the point of sale.

  • Educate customers about the capabilities and limitations of RFID.

  • Implement proper record keeping and security measures to retain and secure generated data (including end-to-end security from the tag readers, underlying networks to the databases that store the final data, and so on).

Communication, compliance, and consistency regarding RFID use are represented in the preceding guidelines; such guidelines will help businesses preserve customer goodwill and trust. However, guidelines such as these might impact existing business processes and, therefore, call for careful planning and execution.

5.3.3. Technical Community

While political, legal, and business interests engage intensely regarding RFID use, the technology researchers and vendors are also working feverishly to provide technical solutions to RFID privacy concerns. Essentially, these solutions are broadly targeted at deactivating (or "killing") a tag or paralyzing the capability of readers to read a tag (assuming it is "alive").

The following subsections discuss these solutions in detail.

5.3.3.1. Kill Commands

This kill mechanism is targeted at the tag itself to render it useless. Originally developed by MIT's Auto-ID Center research group in 2003 for its EPC specification (see Chapter 10), this idea seems to have the support of several privacy-rights advocacy groups and state legislators. The idea calls for a reader command, called a kill command, which, when issued to a live tag, instructs the tag to self-destruct. When a tag receives such a command, the tag can erase its memory or reconfigure itself in such a manner that it cannot communicate any further with a reader. A password can also be associated with a kill command so that a reader can securely issue this command.

Early prototypes of chips implementing this command were developed in 2003. Alien Technology, Inc., developed an Auto-ID Class 1 UHF specification chip that implemented a prototype version of this command. Similarly, Matrics developed a prototype chip based on the Auto-ID Class 0 UHF specification, and Philips Semiconductors built a prototype chip based on a 13.56 MHz standard. The implementation of this command seems to be simple and is not expected to increase the unit price of a tag. The chief drawback of this approach is that the original tag is destroyed; therefore, the potential to use the associated data dies with it. This total "kill" might not be desirable in some cases. Suppose, for example, that a consumer buys a toxic substance that has an RFID tag that contains recycling information for this product. If the consumer requests that this tag be destroyed at the time of purchase, the recycling information specific to this product cannot be accessed anymore (which might lead to unwanted consequences such as the dumping of this product in a landfill and so on).

5.3.3.2. Blocker Tags

A blocker tag is a simple, yet ingenious, mechanism targeted at the RFID reader to render it useless in communicating with tags in its read zone.[5] However, the tags are not destroyed and may remain alive. Originally developed by Ari Juels, Ronald Rivest, and Michael Szydlo, this idea calls for a unique tag called a blocker tag that masquerades as a valid tag with some special properties. The readers, which use what is known as the tree-walking singulation algorithm to read unique tag data, are the targets of this blocker tag. This algorithm is used by virtually all the readers in the UHF frequency; therefore, the blocker tag is most effective against these types of readers. The blocker tag mechanism can also be implemented for the ALOHA algorithm, which is chiefly used by all 13.56 MHz frequency readers. To understand how a blocker tag works, you must understand the workings of the tree-walking singulation algorithm. The following example describes this.

[5] The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy. Ari Juels, Ronald L. Rivest, and Michael Szydlo. V. Atluri, ed. 8th ACM Conference on Computer and Communications Security, pp. 103-111. ACM Press. 2003.

Suppose that three persons, each with a three-letter name (in this case, Bax, Bob, and Tim) are standing in front of a blindfolded interrogator. The interrogator knows neither how many persons are standing before him nor what their names are; he does know that each of their names consists of three letters only, however. The interrogator is tasked with discovering the names of all those standing before him. He can only deduce the number of persons present from the number of unique names he can determine using the letters from the English alphabet. He can only accept a response from one person at a time; if more than one person tries to talk to him, a collision results. The interrogator must resolve a collision whenever it occurs. The interrogator can ask these persons to selectively tell him parts of their names if those parts match his questioning criterion. A person must remain silent if his name does not satisfy this criterion. Using this scheme, the interrogator can discover the names of these three persons.

The interrogator first asks those whose name starts with an A to respond; the rest should remain silent. No one answers. The interrogator asks them to respond if their name starts with B. Bax and Bob both respond, resulting in a collision. The interrogator then asks those whose name starts with Ba to respond. Only Bax answers. The interrogator then asks for those whose name starts with Baa to respond; they all remain silent. The interrogator continues with name prefixes (Bab, Bac, and so on) until he arrives at Bax. At that point, only Bax responds. The interrogator has now found out the name of one of the persons. The interrogator then repeats the whole set of commands to the persons standing before him, starting with Bb, Bc, and so on. He only gets an answer from Bob when he uses the name prefix Bo. The interrogator then repeats the same procedure starting with name prefix Boa. Again, he gets an answer from Bob only when he arrives at Bob. Now the interrogator has successfully found out the names of two of the persons standing before him. He then proceeds to repeat the entire process with C, D, and so on, until he calls out T. At that point, only Tim answers. The interrogator delves into name prefixes starting with Ta, Tb, and so on. He gets a response from Tim when he arrives at Ti. The interrogator then starts from Tia, and receives a reply from Tim when he gets to Tim. Thus, the interrogator discovers all three names. The interrogator then asks those standing before him to respond if their name starts with U. No answer. V. No answer. The interrogator continues with no answer through Z. At that point, the interrogator knows that three persons are standing before him and that he has discovered each of their names.

Now coming back to blocker tags, suppose that there is now a fourth person, and this person does not have any single unique name but instead has every three-letter name possible (that is, can arrange his name in any three-letter combination). In essence, this is what defines a blocker tag. A blocker tag is a kind of a super tag that can assume any value of a tag allowed in the range of possible values. Suppose that this fourth person can speak in such a manner that it seems to the interrogator that two different persons are responding to him at the same time, resulting in a collision. Let's see how this property can totally confuse the interrogator.

When the interrogator starts with A, Bax, Bob, and Tim remain silent; however, the fourth person responds, resulting in a collision (because he speaks in a manner that makes it seem that two persons are speaking). To resolve this situation, the interrogator moves to Aa, but again this fourth person speaks out, resulting in another collision. The interrogator moves to Aaa, and gets a response from the fourth person. The interrogator assumes a person named Aaa is present, and then moves on to Aab; the fourth person responds again. The interrogator is forced to explore every three-letter name possible. However, for three-letter names, the possible number of three-letter names is 26 x 26 x 26 (or 17,576; not exactly a small number). For names with more letters, the situation gets worse exponentially; in that scenario, the interrogator becomes overwhelmed after some time and stops.

In the case of a tag, the "letters" are from the binary alphabet and can be either 0 or 1. The interrogator is a reader that uses a command set to selectively elicit response from the tags. Tag "name" lengths typically start from 96 bits in the current tags, which results in a namespace size of about 80,000 trillion trillion! A reader will spin its wheels forever trying to find this many unique tags in its read zones when a blocker is present. Even if a reader can determine all these tags in its read zone, it does not mean all these tags are valid; therefore, a lot of the reader's time and effort are wasted in determining unnecessary data. In reality, a reader becomes overwhelmed after a few thousand tries and stops. Thus, in effect, a blocker tag does what its name suggests: It blocks a reader out completely so that it cannot read any tag in its read zone.
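
The tree-walking procedure and the blocker's effect on it, as an added example that is not from the book: a Python simulation over short constructed bit-string IDs (real tags use 96 bits or more). The function names, the sample IDs, and the reader's query budget are assumptions made for illustration.

```python
# Added example: binary tree-walking singulation, with and without a blocker.
# At each tree node the reader asks: "tags whose ID starts with this prefix,
# broadcast your next bit". Hearing both 0 and 1 at once is a collision.

def next_bits(prefix, tags, blocker):
    """Set of bits the reader hears in reply to a query for `prefix`."""
    heard = {t[len(prefix)] for t in tags if t.startswith(prefix)}
    if blocker:
        heard |= {"0", "1"}  # the blocker answers 0 and 1 simultaneously
    return heard

def tree_walk(tags, id_bits, blocker=False, budget=1000):
    """Depth-first singulation.

    Returns (ids_found, queries, collisions, gave_up). `budget` models the
    reader that stops after a bounded number of tries.
    """
    found, queries, collisions = [], 0, 0
    stack = [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == id_bits:      # full ID reached: one tag singulated
            found.append(prefix)
            continue
        if queries >= budget:           # reader is overwhelmed and stops
            return found, queries, collisions, True
        queries += 1
        heard = next_bits(prefix, tags, blocker)
        if len(heard) == 2:
            collisions += 1             # must explore both subtrees
        for bit in sorted(heard, reverse=True):
            stack.append(prefix + bit)  # "0" branch is popped first
    return found, queries, collisions, False

# Constructed sample population: three tags with 4-bit IDs.
SAMPLE_TAGS = ["0010", "0111", "1100"]

if __name__ == "__main__":
    print("no blocker:     ", tree_walk(SAMPLE_TAGS, 4))
    ids, q, c, stopped = tree_walk(SAMPLE_TAGS, 4, blocker=True)
    print("blocker, 4 bit: ", len(ids), "IDs,", q, "queries,", c, "collisions")
    ids, q, c, stopped = tree_walk([], 16, blocker=True, budget=1000)
    print("blocker, 16 bit:", q, "queries, gave up:", stopped)
```

Without a blocker, n distinct tags produce exactly n - 1 collisions, so a collision count that equals the query count is a reader-side sign that a blocker is in the read zone.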

Clearly, a blocker tag needs two antennas to transmit two responses (0 and 1) at the same time to a reader. The first working prototype of a blocker tag was demonstrated at the thirteenth annual RSA Conference in San Francisco, California, in February 2004. It is expected that a production version of blocker tags will be available sometime in 2005.

A concern with blocker tags is that they can be used maliciously to cripple the operations of a business (a warehouse operation, for example).



    RFID Sourcebook
    ISBN: 0132762021
    Year: 2006
    Pages: 100
    Authors: Sandip Lahiri