Archive for January, 2004

Boiling Frogs

Thursday, January 29th, 2004

While Snopes says that the well-known adage of frogs being unable to detect slowly rising temperatures sitting in pans of water until they boil to death is false, it’s still a commonly-encountered (and useful) metaphor in talking about erosion of privacy: little bits and pieces of our privacy might be stripped away, with no alarming suddenness, but with a rather sorry result, if the increments are small.

I don’t believe that RFID will produce a sudden, dramatic loss of privacy; I do believe that it, along with many other technologies, has a capacity to “raise the temperature.” RFID-derived data points will be pooled with myriad other ones, to produce a clearer and clearer picture of the world, and that will be disconcerting to anyone who’s trying to hide something, be that out of modesty, to conceal criminality, or to evade or avoid hostile parties (neighbors, governments, or anyone else). It may be that RFID is one of the weaker contributors to such pooling of information; it may be that it uniquely fills a role. I’m interested in figuring out just where it will fit in, how and when.

RFID and… ?

Saturday, January 24th, 2004

Just a first, quick note on the issue of RFID, and its insufficiency, in many cases, as a sensor technology. If and when it works, that’s fine: an object bearing an RFID appears within the range of a reader, which accurately interrogates it for its unique ID, or for stored data… it’s all good. But when it doesn’t quite work that way…

Previous comments here, and in the “skeptical” whitepaper, note that point-of-sale checkout with RFID would appear to be impractical: if one wheels the product past, and X items ring up, can we be sure that there were actually X items in there? Was it X+1, and one of the tags was blocked, defective, or previously killed? Or X+5? Or X+10? And just why did we believe that all those items had RFID tags on them, anyway? We could imagine RFID complemented by optical scanners, to determine the number of items, but that also presumes a bit more physical interaction at checkout. But that may be what RFID requires: assistance from a variety of other sensors.

I suspect we may find that RFID’s an ideal technology… if you can tolerate a lot of approximate, fuzzy guesses. (Here, certainty of values, when tags are successfully read, but an uncertainty that everything got read, or was readable.)

Then again, approximate, fuzzy guesses might be quite useful in invading privacy (“Find me at least one woman who’s carrying condoms in her purse, and we’ll make an example of her!”), even if they’ll require assistance in implementing supply chain management systems.

Hiding in All That Noise

Friday, January 23rd, 2004

So, if we’re envisioning RFID tags as “ubiquitous,” there will be a lot more noise in the world, especially if readers, as well as tags, drop below certain price points, e.g., where they become optional attachments to PDAs or cell phones.

One major consequence would be that it would be pretty easy to be an unobserved collector, perhaps even to passively collect RFID data as other readers strobe the various RFID tags loose in the world. When the DOD has pushed RFID throughout its supply chain, will they be able to track down “rogue readers” monitoring their tags, e.g., keeping an eye on the depots, to get an early indication of force deployments, a la the Pentagon’s “pizzaINT” incidents? (“Look, comrade… more than a dozen pallets of wool mittens have arrived at Camp Pendleton. Alert Army Group North!”)

One can imagine other effects, if the world is awash in more RF… perhaps an RFID equivalent to “celldar,” which uses cell phone network signals to implement a passive radar system.

“Discount Cards Help in Mad Cow Recall”

Thursday, January 22nd, 2004

QFC stores, an 87-store chain in the Pacific Northwest that is an affiliate of Kroger, uses customer discount cards to inform customers if they’d bought meat from a recalled batch.

In this case, the store seems to have bent over backward not to compromise customer privacy–customers were informed that meat was recalled, and if they asked, a check was made against their discount card-keyed purchases–presumably at a risk that not all customers who’d purchased the suspect meat would be informed.

It’ll be interesting to see what Katherine Albrecht at CASPIAN says on this case, given that the organization’s roots are in concerns about abuse of information collected via discount cards…

Security : Obscurity :: Privacy : Incompetence?

Thursday, January 22nd, 2004

Security experts regard “security through obscurity” as a recipe for failure, i.e., one shouldn’t count on vulnerabilities being hard to find, as enough poking around tends to find them. Somewhat analogously, I believe that hoping for “privacy through incompetence” (especially as regards privacy from intrusive surveillance by government) is also a losing stratagem.

By “incompetence,” I would mean such situations as the balkanized systems of information management scattered among (and within) Federal agencies; if we’re to expect that the government will be able to “connect the dots,” in addressing national security threats, it will necessarily need to learn to better connect all sorts of dots, including those whose picture would erode citizens’ privacy.

Rather than ensure that police and other agencies can’t quite cope, hence can’t effectively threaten privacy, I think we need to build in effective oversight, and make penalties for violation of the rules severe, and sure. And take some steps to “defuse” the value of ill-gotten information, e.g., lessen the value of knowing someone’s health predispositions, by guaranteeing health coverage regardless.

I don’t think we’re headed in that direction… since 9/11, we’ve been rushing to unleash law enforcement and intelligence capabilities, and shrinking from openness and oversight. And that worries me.

Individuals’ Elective Applications of RFID?

Thursday, January 22nd, 2004

One current unknown is the extent to which individuals might elect to use RFID in the future, even for “tagging themselves.” Given that we wear distinctive clothing, get distinctive tattoos, body piercings, etc., and put bumper stickers on our cars, we might similarly use unique or non-unique RFID as an emblem–subject, of course, to how many readers there will be out there, and where they might be found.

I’m reminded of some now-dead dot coms, which used license plates or issued unique IDs on bumper stickers, to allow one to find a soulmate, friend, or just lust object, on the highways… here’s one, courtesy of the Internet Archive’s Wayback Machine.

Death of Bar Code Predicted…

Wednesday, January 21st, 2004

The Red Herring has an article, “RFID costs stagger would-be users,” that contains yet another mention that RFIDs will be the (eventual) demise of the bar code:

Others have followed suit. The U.S. Department of Defense will require its suppliers to use RFID tags on many items by 2005, and U.K. retail giant Tesco, with 2,200 stores worldwide and $52 billion in sales, will use RFID tags on nonfood cases at its distribution centers beginning in April 2004. Because of these mandates, RFID tags will completely replace bar codes by 2023 at the latest, predicts New Jersey-based telecommunications research firm Insight Research.

Let me be skeptical. Firstly, I don’t think we’ll ever see 100% of bar coded products tagged with RFIDs (and we still don’t have 100% of products bar coded, for that matter). And unlike bar coding, RFID tagging is more of an “all or nothing” proposition: if you wheel a shopping cart full of items past a reader, and it records 50 items and totals them up, would you have any clue how many untagged things are lurking in that heap? (For that matter, how many tagged items failed to be read, for any of a variety of reasons?) Our skeptical whitepaper talks about this in some more detail.

But I suspect that RFIDs and UPC (or GTIN, really) bar codes will be far more complementary. Since the marginal cost of putting a bar code on a product or package is effectively zero (just an element of package design), they’ll be there so long as there’s any appreciable number of non-RFID-using retailers out there.

For that matter, what about end-consumers, who shouldn’t be expected to be able to read RFIDs (though end-consumer readers might be an interesting future market), but who can and do read UPCs (the decimal notation) for various reasons? And clerks… when that RFID is disabled or destroyed, there needs to be a human-readable code as back-up.

Much of the proposed end-consumer value of RFID, e.g., in aiding in recycling, or determining potential drug interactions, is addressable through use of the non-unique GTIN. And that print bar code is guaranteed not to be obliterated at point of sale, while RFIDs may end up being killed at point of sale, in response to consumer concerns re privacy.

I’d be happy to make a bet with the analysts at Insight Research that a visit to the Wal*Mart of 2023 will turn up at least as many bar codes as RFID tags, though we might have to take it to Long Bets.

Worker Surveillance and Privacy

Monday, January 19th, 2004

A CRM Daily article, “Gartner Lambastes U.S. on Privacy Renege” (on a Dept. of Treasury decision to publish information they’d previously promised would not be), contains this para mentioning RFID:

Indeed, privacy issues are likely to permeate all areas of a company. Consider RFID technology. “The supply-chain use of RFID has nothing to do [with] privacy — at least at this point,” Gartner research analyst Jeff Woods told CRM Daily. “But companies should have a privacy policy in place specific to RFID just to assure their customers about these concerns,” he was quick to add.

But that’s not entirely true: supply-chain use of RFID could very well affect the privacy of the employees involved in supply-chain activities. I’ve heard anecdotal discussions of concerns by nurses (re RFID-bearing badges, and the ability to track and time their comings and goings) and farm workers (where tagged animals, and not the workers themselves, serve as markers for employee behavior… “Why did it take so long to get the cows out of the barn? Were you taking a smoking break again?”). So in addition to assuring customers that RFID tagging won’t threaten their privacy (if that is indeed the case), one might consider explaining the technology to workers, and developing and adhering to policies that address potential employee concerns re privacy.

Why the Surpriv blog, anyway?

Sunday, January 18th, 2004

Backing up a bit, I guess it’s worth a little bit of discussion as to why I’ve created the Surpriv blog, and what I’m hoping to see come out of that.

As I’m not shy in talking about, I was an intelligence officer at the CIA, as my first job after graduate school (bio); I’d studied both Russian, and computer science, it was the late 1980s, I’d just finished a doctorate on Soviet and East European IT, and, well, what else was going to happen? It was a fascinating place to work, and I found myself migrating from the study of foreign technologies and industry, to the use of IT in the intelligence process, including our relative inability to make sense or use of this Internet thing that was happening at the time.

I left the Agency in 1994; my first work after leaving was assisting some of the foreign embassies in DC to get on the Web. I’d already found connections into the IT policy and advocacy communities, especially those who intersect in the Computers, Freedom and Privacy conference. I gave a paper at CFP ‘93 (and met my wife), and have been active in the conference off and on since then.

So I come at these issues with the eye of a former intelligence officer, interested in IT developments that have a significant impact on civil liberties, including privacy. My perspective might give me a leg up on imagining the variety of unfortunate (whether unintended or no) consequences we might see arise… this blog is intended to document such thoughts, as well as the positive uses and applications we might imagine and implement; let’s all see where things go from there…

The Problem of “Leaky” Point of Sale

Sunday, January 18th, 2004

It’s been proposed that one means to address personal privacy concerns, re RFID tags on products (i.e., EPC RFID tags), is to have policies mandating either blanket “killing” of tags at point of sale, or consumer choice to have tags killed. Leaving aside that this then calls into question some of the arguments for RFID, e.g., that persistent tags will allow for more effective recycling, or less fraud in returns, it presumes a certain technical ability of retailers, i.e., they will actually be able to detect and kill tags at point of sale.

While this may be true of some retailers, it certainly won’t be true for all retailers, and would presumably skew away from the smaller ones: while Wal-Mart may equip every checkout lane, or at least every entry door, with some means to perform tag killing, how likely are we to see this at Mom&Pop-Mart? Every retailer who opts not to adopt RFID (and we speculate on the actual value of RFID “on the shelves” here: http://www.stapleton-gray.com/papers/sk-20031113.PDF) will have no more means to detect and kill RFID tags than the end consumer. These “sub-threshold retailers” may represent a significant flow of active RFID tags “into the wild.”

One could imagine “tag mass murder” committed by partners up the supply chain, e.g., with all RFID tags on product destined for non-RFID-using retailers being killed once they’ve outlived any usefulness they might have had in that supply chain, but who wants to sign up to all that work, anyway? (And it invites discussion of how to make tags easy for retailers and other authorized parties to kill, yet hard for Joe Shoplifter.)