Labelling RFID Products 325
John3 writes "Following Wal-Mart's recent announcement that they plan to push RFID in their stores, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) has posted proposed legislation that would require a product to be labeled if it contained an RFID tag. Beyond the label requirement, the proposed legislation also sets up some strict restrictions on the use of RFID data. Even though RFID is not in widespread use, it's probably best to start working on these types of protections before the products are on the shelves."
Katherine Albrecht on Rense (Score:5, Informative)
Re:My god... (Score:5, Informative)
SUMMARY OF THE BILL (Score:5, Informative)
RFID Right to Know Act of 2003
Proposed legislation to mandate labeling of RFID-enabled products and consumer privacy protections
SUMMARY OF THE BILL
AN ACT
To require that commodities containing radio frequency identification tags bear labels stating that fact, to protect consumer privacy, and for other purposes.
SEC. 1. SHORT TITLE.
This section shortens the title of the bill to "RFID Right to Know Act of 2003."
SEC. 2. AMENDMENTS TO THE FAIR PACKAGING AND LABELING PROGRAM.
This section amends the Fair Packaging and Labeling Program by inserting language under subsection (a) of paragraph (6). This section requires that a consumer commodity or package that contains or bears a radio frequency identification tag shall bear a label as provided in the paragraph below.
It also defines the term "radio frequency identification" or "RFID" to mean technologies that use radio waves to automatically identify individual items. It defines the term "tag" to mean a microchip that is attached to an antenna and is able to transmit identification information.
Finally it describes that the label should state, at a minimum, that the consumer commodity or package contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase; and be in a conspicuous type-size and location and in print that contrasts with the background against which it appears.
SEC. 3. AMENDMENTS TO THE FEDERAL FOOD, DRUG, AND COSMETIC ACT RELATING TO MISBRANDING.
This section amends the federal Food, Drug and Cosmetic Act by inserting language under the sections relating to misbranding of commodities. It says that a food, cosmetic, drug or device is misbranded if the product or package contains an RFID tag, unless it bears a label stating, at a minimum, that the consumer commodity or package contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. It also prescribes that the label must be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
SEC. 4. AMENDMENTS TO THE FEDERAL ALCOHOL ADMINISTRATION ACT.
This section states that a person shall not manufacture, import, or bottle for sale or distribution in the United States any alcoholic beverage unless its container bears a label. That label must state at a minimum, that container contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. The label must also be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
SEC. 5. AMENDMENTS TO TITLE 15, CHAPTER 36--CIGARETTE LABELING AND ADVERTISING.
This section states that a person shall not manufacture, import, or package for sale or distribution in the United States any cigarettes unless its container bears a label. That label must state at a minimum, that container contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. The label must also be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
SEC. 6. AMENDMENTS TO TITLE 15, CH. 94--PRIVACY.
This section goes directly to protecting the privacy of consumers. First it directs that a business shall not combine or link an individual's nonpublic personal information with RFID tag identification information, beyond what is required to manage inventory. Second, a business shall not, directly or through an affiliate, disclose to a nonaffili
Re:My god... (Score:5, Informative)
Walk into a store wearing a tagged garment, and your presence could be noted. Prices could magically change as you approach a shelf. Security could get alerted based on your pauper status.
This is a far from perfect association, of course. You could be buying a garment as a gift, or for a child. Of course, if a person wearing a tagged garment makes a purchase, and the association doesn't match, the information could be updated.
Re:My god... (Score:4, Informative)
Dude, I think it was Tom Cruise. But good point. It's still scary.
Re:Was it Ellison? or Joy? Whomever it was they sa (Score:1, Informative)
Re:$20 RFID Reader (Score:4, Informative)
Palm -- http://www.ie-oem.com/rfid/pda-rfid.htm [ie-oem.com]
CASPIAN (Score:2, Informative)
Although labs might be able to produce microscopic tags, the ones we currently use in the industry are around 1 inch square (ever open a new book to find a funny sticker with metal in it?). The tags are also relatively extremely expensive. The two vendors I talked to within the last two weeks both quoted me a price of around $0.50 per tag for an order of 50 million tags, nowhere near the price we'd require for a realistic rollout.
In short, yes the tags will come and there will be some potential for abuse. And yes, it should be illegal for a stalker (or merchant) to sit in a mall and see what you're walking around with. But the hype is is way overblown.
Re:My god... (Score:5, Informative)
Merchants are allowed to store the customer name, card number, and expiration date from the magnetic stripe.
What does a customer name, card number, and expiration date get you? (besides 'paid for your transaction') Assuming the name isn't already unique...
Sales can happen in one of two major "processing environments": card-present (where the merchant swipes the card, and proves to the issuing bank that the card really was there, by demonstrating knowledge of some of that secret card-verification information on the card), and card-not-present (where the card number is sent via mail/phone/fax/internet).
In card-present sales, the merchant only has the card number and name. If companies (like Radio Shack perhaps) insist on having a name and address on file for each customer, they could run into problems: if a customer finds that such-and-such company is refusing to accept Visa/Mastercard CARD-PRESENT sales when the customer refuses to provide a name and address, the customer can complain to their issuing bank or to Visa or Mastercard directly. Those payment-transfer-organizations might conduct their own investigation (plain-clothes customers), and if the merchant is found to be refusing to accept Visa/MC card-present sales without address information, they can be stiffly fined or have their processing priviledges revoked.
In card-not-present sales, the threat model you discussed is reasonable. Best-practices say the merchant should perform an address-verification check, confirming that the address the customer provides matches the billing address the issuing bank mails statements to. If the customer claims they are shipping the goods to another address, the merchant should require the customer to contact their bank and have the bank "whitelist" the new shipping address, because the bank can then confirm all the personal information the merchant isn't allowed to have.
So I guess a merchant in California could be paid off by some marketing company, and could ship RFID-enabled goods to a customer in New York, and report the RFID information so it's trackable.
You could NOT, however, reasonbly expect that by just swiping your credit card in Wal Mart, Wal Mart suddenly has all your personal information. They could, possibly, associate different products with the same customer, but they wouldn't know anything other than the card number and name.
----------
In general, keep this in mind: the Visa and Mastercard corporations are profitable. They are 'payment transfer organizations' and want to maximize the amount of money that travels through their system, because they make a *lot* of money off of processing fees charged to merchants. If something happens that makes customers nervous, or makes merchants nervous, they will pass new regulations that try to make that fear go away.
But of course if there's no widespread customer knowledge of this possible threat, there won't be any significant nervousness to worry about.
--Michael Spencer
First National Merchant Solutions
(a credit card processor or 'acquirer')
First National Tower, 27th floor
1620 West Dodge, Omaha Nebraska, 68197
http://www.foomp.com
The opinions stated above are my own opinions, and do not reflect the opinions of my employer, First National Merchant Solutions.
Re:What's the problem? (Score:4, Informative)
And there are ALREADY systems in place that can do exactly the kind of tracking you're talking about. Have you ever been to Gameworks? You get a card that has a unique ID. This card plugs in to every reader in the center, and those readers talk to a central database that tells them how much money is left, and recieves instructions to debit a certain amount. Do you have any idea how many of these cards Gameworks goes through in a week? And they're ALL unique. Hell, you could apply the same concept with credit and debit cards. The only difference is is you're tracking inventory instead of money, and you're using radio frequency instead of a mag-strip. Everything else is the same.
And don't kid yourself. Stores ALREADY have inventory tracking systems in place, that tell them how much of what item should still be in the store, based on how many of xx UPC has been listed as sold. RFID makes the process more precise, through easier tracking, and unique identification. Another added benefit if they place scanners throughout the store, is they can locate items that have "moved", and direct customers to the location of the item they want, or more easily put it back on the correct shelf.
BTW, they're much closer to the 5 cent mark than the 30-50 cent mark. Wal-Mart wouldn't even consider the use of these if they weren't dirt-cheap already.
Re:Here's a possible misuse (Score:3, Informative)
NEXT!
Re:Better stop them before they arrive... (Score:5, Informative)
They have the right to ask. They also have the right to ask your underwear size. But, while they might deny you service if you refuse to tell them your underwear size, you have no obligation to give them your social security number. The legal protections have gotten more stringent in the last few years; last summer while I was temping the word came down that our time cards, which we were supposed to fill in our SSN on, should no longer bear that information. The reason was because most people faxed them in, and a new law dictated that an entity that requires SSNs for tax or benefit purposes has an obligation to ensure that NO ONE who does not need the information has access to it... not even *within the company*.
The only people you ever *have* to give your SSN to are the IRS and the Social Security Administration (and, if you insist on driving, sometimes the DMV... they've gotten more picky in recent years about confirming your identity).