Radio Frequency Identification (RFID) is a subset of a group of technologies, often referred to as automatic identification, that are used to help machines identify objects, and which include bar codes and smart cards. RFID refers to the subset of automatic identification that uses radio waves to automatically identify bulk or individual items.
RFID has been around for a long time, one of its original uses being the identification of aircraft during the Second World War. Until recently it was viewed as being too expensive and too limited in functionality for many commercial applications. Advances in technology have both reduced the cost of individual system components and provided increased capabilities, to the point where numerous organizations are either using or considering using RFID technology. In fact, some organizations, notably Wal-Mart and the US Defense Department, have mandated the use of RFID by their business partners.
While RFID technology offers numerous benefits for manufacturers, for instance, certain characteristics of the technology also raise a number of privacy concerns.
What is Radio Frequency Identification Technology?
An RFID system consists of three components: a tag (or multiple tags), a reader or interrogator and the necessary supporting infrastructure (both hardware and software).
An RFID reader, or interrogator, is a device to communicate with the RFID tag. It broadcasts a radio signal, which is received by the tag. The tag then transmits its information back to the reader. Readers can either be portable handheld terminals or fixed devices that can be positioned in strategic places such as loading bays in shipping and receiving facilities, or the doors in transport trucks.
RFID tags, also known as transponders, are usually small pieces of material, typically comprising three components: an antenna, a microchip unit containing memory storage and an encapsulating material. Tags can be either read-only or read-write tags. These terms refer to whether or not the information stored on the tag can be changed or erased. A Read-only Tag is a form of RFID tag that has an identification code (more specifically, an Electronic Product Code) recorded at the time of manufacture or when the tag is allocated to an object. Once programmed, the data on the tag cannot be modified or appended but it may be read multiple times. A Read-Write Tag is a tag that can have its memory changed, or written to, many times. Because their ID codes can be changed, they offer greater functionality albeit at higher price.
While commonly seen as a replacement for the Universal Product Code (UPC), or bar code, RFID tags differ from bar codes in several ways. More than one tag can be read at a time. Tags do not require a direct line of sight for reading and may be read through hard material such as book covers or other packaging material. Each tag can uniquely identify the object to which it is attached, even if that object is one of a multitude of identical items. It is these latter characteristics that are the cause of many of the privacy concerns associated with the use of RFID technology.
In addition to the tags and readers, an RFID system also includes other software and hardware. The most important component is the RFID-specific software that translates the raw data from the tag into information about the goods and orders that are represented by the tags. This information can then be fed into other databases and applications (e.g., inventory management) for further processing. In the case of read-write tags, software is also required to control whether data can be written to the tag, which tag should contain the data and to initiate the process of adding data to, or changing data in the tag.
Potential Uses of RFID Technology
Many public and private sector organizations are either using or planning to use RFID technology. Because the technology basically turns an inert object into one capable of communicating, the potential for use is enormous and limited only by our imagination and the capabilities of the technology involved. Potential uses include:
- Supply Chain Management (monitoring and controlling the flow of goods from raw materials through to finished product, from manufacturer to consumer);
- Product Integrity (ensuring that products (e.g., pharmaceuticals) are authentic and have not been altered in any way);
- Warranty Services (marking durable goods with a tag incorporating a product registration code to facilitate warranty services);
- ID, Travel, and Ticketing (providing a means to verify the identity of the traveler and to ensure that the documents are genuine);
- Baggage Tracking (monitoring and controlling the movement of baggage from check-in to loading on an airplane); and
- Patient Care and Management (providing a means to rapidly and accurately verify information concerning patient allergies, prescription history, etc. to prevent surgical errors).
Notwithstanding the current state of RFID technology or current practices, certain aspects of the technology – notably the small size of the tags and the ability to uniquely identify an object – pose potential threats to individual privacy. These include, but are not necessarily limited to the following:
a) Surreptitious collection of information. RFID tags are small and can be embedded into/onto objects and documents without the knowledge of the individual who obtains those items. As radio waves travel easily and silently through fabric, plastic, and other materials and are not restricted to line of sight, it is possible to read RFID tags sewn into clothing or affixed to objects contained in purses, shopping bags, suitcases, and more. Tags can be read from a distance, by readers that can be incorporated invisibly into nearly any environment where human beings or items congregate. It may not, therefore, be readily apparent that RFID technology is in use, making it virtually impossible for a consumer to know when or if he or she is being "scanned”;
b) Tracking an individual’s movements. If RFID tags are embedded in clothing or vehicles, for example, and if there is a sufficiently dense network of readers in place, it becomes possible to track those tags in time and space. Applications to do just this, using a combination of RFID and Global Positioning System technology, are being proposed by RFID vendors. If the tags can then be associated with an individual, then by that association the individual’s movements can be tracked. For example, a tag embedded in an article of clothing could serve as a de facto identifier for the person wearing it. Even if information about the tagged item remains generic, identifying items people wear or carry could associate them with, for example, particular events like political rallies or protests;
c) Profiling of individuals. When using bar codes, one bottle of water has the same barcode as all other bottles of water of that particular brand. RFID technology potentially enables every object on earth to have its own unique ID (i.e., each bottle of water would have a unique identifier). The use of unique ID numbers could lead to the creation of a global item registration system in which every physical object is identified and linked to its purchaser or owner at the point of sale or transfer. If these unique identifiers are associated with an individual (by linking through a credit card number, for example), then a profile of that individual’s purchasing habits can easily be created;
d) Secondary use (particularly in the sense of limiting or controlling such use). The creation of profiles and the tracking of movement can reveal a great deal of additional information. For example, the revelation of personal information such as medical prescription or personal health histories could have an impact on the availability of insurance or employment; and
e) Massive data aggregation. RFID deployment requires the creation of massive databases containing unique tag data. These records could be linked with personal identifying data, especially as computer memory and processing capacities expand. This, in turn, could facilitate any of the practices listed above.
Application of Fair Information Practices to RFID Technology
The ten principles of the CSA Standard, attached as schedule I of the Personal Information Protection and Electronic Documents Act, provide the basis for a privacy management framework that can be applied to RFID technology. It is important to clarify to what the principles would apply. In the context of RFID technology, this means that:
- If the chip has had the personal information of the individual written to it, then it is a repository of personal information;
- If the tag is unique, and can be associated with an individual, it becomes a unique identifier or proxy for that individual; and
- Information about possessions or purchases which can be manipulated or processed to form a profile is personal information, whether gathered through multiple visits to a facility or organization, or through access to the data base of RFID purchase information.