Privacy

Labelling RFID Products

Posted by michael
from the bright-ideas dept.
John3 writes "Following Wal-Mart's recent announcement that they plan to push RFID in their stores, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) has posted proposed legislation that would require a product to be labeled if it contained an RFID tag. Beyond the label requirement, the proposed legislation also sets up some strict restrictions on the use of RFID data. Even though RFID is not in widespread use, it's probably best to start working on these types of protections before the products are on the shelves."
This discussion has been archived. No new comments can be posted.

  • by mr.henry (618818) * on Tuesday June 24, 2003 @05:53PM (#6288876) Journal
    Katherine Albrecht of CASPIAN also has another very informative site [stoprfid.org] on RFID. It's pretty scary stuff. Also, check out her appearance last week on Rense. Link to streaming MP3. [66.36.240.52]
  • Re:My god... (Score:5, Informative)

    by jericho4.0 (565125) on Tuesday June 24, 2003 @06:00PM (#6288941)
    There are a few differences between UPCs and RFIDs that make them a subject of concern. One is that you might not be aware when the RFID tag is being read. Another is that an RFID is unique; it doesn't just identify a brand, it identifies an instance of that brand. Another is that some RFID tags can be written to. I think that the benefits of RFID far outweigh the privacy risks, but I think it's a good idea to get some guidelines in place on what uses are acceptable.
  • SUMMARY OF THE BILL (Score:5, Informative)

    by donutz (195717) on Tuesday June 24, 2003 @06:01PM (#6288952) Homepage Journal
    From the website, the summary of the RFID Act (summary is pretty long though):

    RFID Right to Know Act of 2003
    Proposed legislation to mandate labeling of RFID-enabled products and consumer privacy protections
    SUMMARY OF THE BILL
    AN ACT

    To require that commodities containing radio frequency identification tags bear labels stating that fact, to protect consumer privacy, and for other purposes.
    SEC. 1. SHORT TITLE.
    This section shortens the title of the bill to "RFID Right to Know Act of 2003."
    SEC. 2. AMENDMENTS TO THE FAIR PACKAGING AND LABELING PROGRAM.

    This section amends the Fair Packaging and Labeling Program by inserting language under subsection (a) of paragraph (6). This section requires that a consumer commodity or package that contains or bears a radio frequency identification tag shall bear a label as provided in the paragraph below.

    It also defines the term "radio frequency identification" or "RFID" to mean technologies that use radio waves to automatically identify individual items. It defines the term "tag" to mean a microchip that is attached to an antenna and is able to transmit identification information.

    Finally it describes that the label should state, at a minimum, that the consumer commodity or package contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase; and be in a conspicuous type-size and location and in print that contrasts with the background against which it appears.
    SEC. 3. AMENDMENTS TO THE FEDERAL FOOD, DRUG, AND COSMETIC ACT RELATING TO MISBRANDING.

    This section amends the federal Food, Drug and Cosmetic Act by inserting language under the sections relating to misbranding of commodities. It says that a food, cosmetic, drug or device is misbranded if the product or package contains an RFID tag, unless it bears a label stating, at a minimum, that the consumer commodity or package contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. It also prescribes that the label must be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
    SEC. 4. AMENDMENTS TO THE FEDERAL ALCOHOL ADMINISTRATION ACT.

    This section states that a person shall not manufacture, import, or bottle for sale or distribution in the United States any alcoholic beverage unless its container bears a label. That label must state at a minimum, that container contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. The label must also be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
    SEC. 5. AMENDMENTS TO TITLE 15, CHAPTER 36--CIGARETTE LABELING AND ADVERTISING.

    This section states that a person shall not manufacture, import, or package for sale or distribution in the United States any cigarettes unless its container bears a label. That label must state at a minimum, that container contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. The label must also be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
    SEC. 6. AMENDMENTS TO TITLE 15, CH. 94--PRIVACY.

    This section goes directly to protecting the privacy of consumers. First it directs that a business shall not combine or link an individual's nonpublic personal information with RFID tag identification information, beyond what is required to manage inventory. Second, a business shall not, directly or through an affiliate, disclose to a nonaffili
  • Re:My god... (Score:5, Informative)

    by StefanJ (88986) on Tuesday June 24, 2003 @06:04PM (#6288984) Homepage Journal
    If you purchase an RFID-tagged item using a credit or debit card, your name, credit history, and possibly other demographic data can be associated with it.

    Walk into a store wearing a tagged garment, and your presence could be noted. Prices could magically change as you approach a shelf. Security could get alerted based on your pauper status.

    This is a far from perfect association, of course. You could be buying a garment as a gift, or for a child. Of course, if a person wearing a tagged garment makes a purchase, and the association doesn't match, the information could be updated.

  • Re:My god... (Score:4, Informative)

    by JediTrainer (314273) on Tuesday June 24, 2003 @06:09PM (#6289019)
    Watch Minority Report for an example of what can happen if RFID tags are used by stores to market based on your personal buying habits or the items you are wearing. Tom Hanks walks into a store after getting an eye transplant, and the kiosk at the entrance scans his iris and asks if he enjoyed the pants he purchased on his last visit.

    Dude, I think it was Tom Cruise. But good point. It's still scary.
  • by Anonymous Coward on Tuesday June 24, 2003 @06:11PM (#6289032)
    It was Sun Microsystems' Scott McNealy.
  • Re:$20 RFID Reader (Score:4, Informative)

    by 4/3PI*R^3 (102276) on Tuesday June 24, 2003 @06:45PM (#6289289)
    How about this RFID Reader:

    Palm -- http://www.ie-oem.com/rfid/pda-rfid.htm [ie-oem.com]

  • CASPIAN (Score:2, Informative)

    by Yagdrasil (635158) * on Tuesday June 24, 2003 @07:03PM (#6289441)
    CASPIAN also has some pretty far out claims when it comes to RFID technology. Among my favorites is this page [nocards.org] which claims: "These tiny tags, predicted by some to cost less than 1 cent each by 2004, are 'somewhere between the size of a grain of sand and a speck of dust.' They are to be built directly into food, clothes, drugs, or auto-parts during the manufacturing process." Directly into food!?!? Seriously folks, I work for a major food manufacturer and we would never dream of putting these things directly into food.

    Although labs might be able to produce microscopic tags, the ones we currently use in the industry are around 1 inch square (ever open a new book to find a funny sticker with metal in it?). The tags are also relatively extremely expensive. The two vendors I talked to within the last two weeks both quoted me a price of around $0.50 per tag for an order of 50 million tags, nowhere near the price we'd require for a realistic rollout.

    In short, yes the tags will come and there will be some potential for abuse. And yes, it should be illegal for a stalker (or merchant) to sit in a mall and see what you're walking around with. But the hype is way overblown.
  • Re:My god... (Score:5, Informative)

    by Michael Spencer Jr. (39538) * <spam.mspencer@net> on Tuesday June 24, 2003 @08:19PM (#6290041) Homepage
    When you swipe a credit or debit card, the merchant can read your name, card number, expiration date, and some card verification information. They are already *forbidden* from storing the card verification information after they use it to process the sale. When a merchant signs a contract that enables them to accept payment via credit card, some clauses in that contract allow their processor (acquirer) to charge them fees or fines, especially if the acquirer is charged fees or fines by Visa or Mastercard. That means -- Visa and Mastercard have the power to fine merchants for behaving badly. They can also revoke a merchant's ability to accept those kinds of credit cards.

    Merchants are allowed to store the customer name, card number, and expiration date from the magnetic stripe.

    What does a customer name, card number, and expiration date get you? (besides 'paid for your transaction') Assuming the name isn't already unique...

    Sales can happen in one of two major "processing environments": card-present (where the merchant swipes the card, and proves to the issuing bank that the card really was there, by demonstrating knowledge of some of that secret card-verification information on the card), and card-not-present (where the card number is sent via mail/phone/fax/internet).

    In card-present sales, the merchant only has the card number and name. If companies (like Radio Shack perhaps) insist on having a name and address on file for each customer, they could run into problems: if a customer finds that such-and-such company is refusing to accept Visa/Mastercard CARD-PRESENT sales when the customer refuses to provide a name and address, the customer can complain to their issuing bank or to Visa or Mastercard directly. Those payment-transfer-organizations might conduct their own investigation (plain-clothes customers), and if the merchant is found to be refusing to accept Visa/MC card-present sales without address information, they can be stiffly fined or have their processing privileges revoked.

    In card-not-present sales, the threat model you discussed is reasonable. Best-practices say the merchant should perform an address-verification check, confirming that the address the customer provides matches the billing address the issuing bank mails statements to. If the customer claims they are shipping the goods to another address, the merchant should require the customer to contact their bank and have the bank "whitelist" the new shipping address, because the bank can then confirm all the personal information the merchant isn't allowed to have.

    So I guess a merchant in California could be paid off by some marketing company, and could ship RFID-enabled goods to a customer in New York, and report the RFID information so it's trackable.

    You could NOT, however, reasonably expect that by just swiping your credit card in Wal Mart, Wal Mart suddenly has all your personal information. They could, possibly, associate different products with the same customer, but they wouldn't know anything other than the card number and name.

    ----------

    In general, keep this in mind: the Visa and Mastercard corporations are profitable. They are 'payment transfer organizations' and want to maximize the amount of money that travels through their system, because they make a *lot* of money off of processing fees charged to merchants. If something happens that makes customers nervous, or makes merchants nervous, they will pass new regulations that try to make that fear go away.

    But of course if there's no widespread customer knowledge of this possible threat, there won't be any significant nervousness to worry about.

    --Michael Spencer
    First National Merchant Solutions
    (a credit card processor or 'acquirer')
    First National Tower, 27th floor
    1620 West Dodge, Omaha Nebraska, 68197
    http://www.foomp.com

    The opinions stated above are my own opinions, and do not reflect the opinions of my employer, First National Merchant Solutions.
  • by Mikeytsi (186271) on Tuesday June 24, 2003 @09:25PM (#6290476) Journal
    No, you're wrong. The ENTIRE original point of this was for inventory tracking of items on an individual level. To use it like a barcode is currently used is stupid since RFIDs are more expensive. There has to be an added benefit, in order to justify the cost of upgrading to it.

    And there are ALREADY systems in place that can do exactly the kind of tracking you're talking about. Have you ever been to Gameworks? You get a card that has a unique ID. This card plugs in to every reader in the center, and those readers talk to a central database that tells them how much money is left, and receives instructions to debit a certain amount. Do you have any idea how many of these cards Gameworks goes through in a week? And they're ALL unique. Hell, you could apply the same concept with credit and debit cards. The only difference is you're tracking inventory instead of money, and you're using radio frequency instead of a mag-strip. Everything else is the same.

    And don't kid yourself. Stores ALREADY have inventory tracking systems in place, that tell them how much of what item should still be in the store, based on how many of xx UPC has been listed as sold. RFID makes the process more precise, through easier tracking, and unique identification. Another added benefit if they place scanners throughout the store, is they can locate items that have "moved", and direct customers to the location of the item they want, or more easily put it back on the correct shelf.

    BTW, they're much closer to the 5 cent mark than the 30-50 cent mark. Wal-Mart wouldn't even consider the use of these if they weren't dirt-cheap already.

  • by JeffSh (71237) <jeffslashdotNO@SPAMm0m0.org> on Tuesday June 24, 2003 @09:53PM (#6290680)
    RFIDs do not broadcast. They are passive devices without a power supply. The power is supplied by the reader which excites the chip, providing power for the chip to broadcast.

    NEXT!
  • by Ironica (124657) <[gro.kcodnoob] [ta] [lexip]> on Wednesday June 25, 2003 @12:01AM (#6291416) Journal
    Why do we have to use our social security numbers for everything these days? They were only invented for tax purposes, but because this is a juicy bit of information corporations want, they have lobbied, and won, the rights to ask for this info for say, signing up for your cell phone.

    They have the right to ask. They also have the right to ask your underwear size. But, while they might deny you service if you refuse to tell them your underwear size, you have no obligation to give them your social security number. The legal protections have gotten more stringent in the last few years; last summer while I was temping the word came down that our time cards, which we were supposed to fill in our SSN on, should no longer bear that information. The reason was because most people faxed them in, and a new law dictated that an entity that requires SSNs for tax or benefit purposes has an obligation to ensure that NO ONE who does not need the information has access to it... not even *within the company*.

    The only people you ever *have* to give your SSN to are the IRS and the Social Security Administration (and, if you insist on driving, sometimes the DMV... they've gotten more picky in recent years about confirming your identity).
