RADIO FREQUENCY IDENTIFICATION TECHNOLOGY AND CONSUMER
Marzie Astani, Winona State University, firstname.lastname@example.org
JoEll Bjorke, Winona State University, email@example.com
ABSTRACT Mart and Target, which had started RFID adoption in
2003, later mandated the use of RFID tags by all their
Radio frequency identification (RFID) technology suppliers at the palette level by 2005. In 2007, Wal-
has helped many organizations to reduce cost. Mart is moving the usage of RFID tags to the item
Nevertheless, there are challenges and issues level. The U.S. Government’s Department of
associated with RFID adoption. The most common Defense (DOD) is following the same path. Several
internal challenge for many organizations is other pilot projects are underway to implement RFID
justifying the investment and modification of at the item level . In addition, there have been
processes. However, there are external issues such many other applications of this technology in the
as privacy and security that companies need to deal airline industry, food and drug industry, hospitals,
with. The focus of this study is to show the business and many government agencies.
value of RFID technology and the related issues,
especially consumer privacy issue that organizations Organizations invest in RFID expecting to reduce
need to be concerned about. cost and achieve a return on investment (ROI). A
recent survey of 150 manufacturers using or planning
Keywords: Radio Frequency Identification (RFID), to adopt RFID technology indicates that they expect
Application Issues, Consumer Privacy the technology to help them in three general areas: 1)
optimizing the procurement and management of raw
INTRODUCTION materials, 2) monitoring equipment, parts and
personnel in the production environment, and 3)
Organizations invest in technological innovations to providing forward demand visibility into the supply
gain competitive advantage in the marketplace. chain . Investing in RFID technology, like any
Enterprises making major investments in technology other major investment, requires careful research of
need to realize that although technology is an enabler, the technology and a critical analysis of its
the adoption of new technology could pose a implementation. Organizations need to review and
complex challenge, especially with the rapid pace of address implementation issues such as internal
technological change. processes’ modification, cost, compliance,
scalability, security, and consumer privacy issues [27,
The most recent technology in which organizations 20, 31]. Consumer privacy is the most publicized
are investing to gain competitive advantage is radio issue among all RFID adoption issues. In 2006,
frequency identification, RFID. This technology has several companies such as IBM, RFIDSec, and
the potential of impacting an organization’s business SmartCode along with lawmakers tried to address
profoundly. Many organizations have adopted this this issue [28 and 22]. The effort in search of finding
technology and others are in the process of doing so. a solution is continuing in 2007.
Although the initial drive for RFID adoption was
supply chain management, today many organizations This study attempts to show issues and challenges
are involved in implementing RFID to solve business that management face in the deployment of RFID,
problems . The growth for RFID technology has especially the privacy issue. In particular, the
been estimated to be over 112 percent for 2007. The emphasis will be on the privacy issue and laws (or
budget for manufacturing initiatives that have already lack of them) to protect citizens. This paper presents
been underway in 2006 will increase 61 percent in a brief description of RFID technology and
2007. This will add 51 percent of new demands in applications followed by the discussion of the
the RFID market in that sector . consumer privacy issue related to RFID applications.
Finally, the future direction of RFID technology and
RFID technology has penetrated into different the conclusions will be discussed.
business sectors very quickly. Many companies have
implemented RFID technology and have already seen
the business value of it. For example, retailers Wal-
RFID TECHNOLOGY industrial environments so they are usually thicker
and less flexible since they contain coils. The 13.56
Although RFID applications in business MHz frequency systems can be used for item-level
environments have been on the rise for the past three management (for example books in libraries and
decades, the history of this technology can be traced inventories) or in supply chain environments for
back to military identification friend or foe (IFF) goods on a conveyor belt. The 13.56 MHz has a
systems during the Second World War . Later, typical read/write distance of 1.5 meters [14, 5]. The
the technology evolved into the popular bar code, International Telecommunications Union (ITU)
which was printed on almost every conceivable piece authorizes RFID systems to work within the
of packaging moved and sold worldwide. RFID is Industrial-Scientific-Medical bands .
the latest technology that can precisely identify
objects . Both bar codes and RFID technology RFID technology has many capabilities, which makes
are used as a support tool that automates processes it very beneficial for logistics, stock handling, and
and improves operations management by reducing traceability and fraud controls applications. RFID
labor and eliminating human error. In addition, this applications and some issues that they have created
technology supports decision making by providing will be discussed next.
essential information about the status of goods being
supplied. However, RFID tags are a more RFID APPLICATIONS AND ISSUES
sophisticated technology than bar codes. The tags are
readable without a line-of-sight requirement and from There is an increasing demand for RFID applications,
much further distance, as well as being easily especially in the supply chain management market.
embedded in objects. For example, tags can be read RFID applications can be either in an open-loop or
through a variety of packaging materials, including closed-loop. Open-loop applications tend to be in a
wood, plastic and cardboard. Tags can also be controlled environment because of the managing
reprogrammed easily and are capable of working in issue of the constant inflow and outflow of materials.
harsh environments such as outdoors and around A closed-loop environment is much smaller and self-
chemicals. Currently, RFID tags are capable of contained and easy for implementing RFID
carrying 96 bits of information, compared with 19 technology .
bits for bar code technology [2, 5].
Supply chain management applications of RFID fall
RFID technology involves the transmission of a radio into the open-loop category. For example, RFID
signal between a tag and a reader. The tag contains a adoption by retailers Wal-Mart and Target, which
chip with embedded information such as an started in 2003, is an open-loop application, where
identification number, bar code number, and serial the industry collaboration is enhanced. Within this
number. The reader sends a continuous signal at a application, labels on the objects allow them to
given frequency to ‘read’ the data stored on the tag become part of the global networks to provide a wide
. There are two types of RFID tags: active and range of new and emerging services. Items can be
passive. Active tags are battery-operated while identified at various points in the distribution system
passive tags are not. Active tags focus on providing to ensure that they are sent to the correct location.
only an identification number and possibly some This information, which is delivered in real time, can
information, such as a description or transportation be shared with all interested parties, the sender, the
history, relating to the tagged object. Passive tags forwarder, and the customer awaiting the shipment,
need to be “illuminated” by the radio waves emitted all with minimum human intervention. The decision
by a specialized reader to provide only an makers can use this information to meet the demands
identification number. Passive RFID tags are of a global economy by responding rapidly to
particularly appealing because they operate without changing patterns of demand while also improving
battery, which makes them very small and customer service levels .
inexpensive, while they can be subjected to new and
interesting design possibilities. For example, they In 2005, Wal-Mart made it mandatory for suppliers to
can have the shape of a coin, stick, label, or capsule start tagging their merchandise pallets and cartons. A
for the purpose of attaching them to an object [2, 30]. few other enterprises such as Metro AG, Tesco,
Target, and Best Buy made similar requirements for
RFID systems work in different frequencies their suppliers. Among Wal-Mart suppliers, Gillette
depending on the application. For example, the 125 was one of the early participants since its products
KHz frequency tends to be used in chips for cars as are reportedly among the most stolen from retail
well as asset management. These tags are used in shelves in the US . Wal-Mart is planning to
apply tags at the item level in 2007. Similarly, the Among all RFID related issues, the violation of
US Department of Defense (DOD) initiated RFID consumer privacy has received the most publicity and
adoption in 2003. By 2006, DOD issued a series of is the most challenging for organizations. This issue
RFID policy guidelines requiring passive tags to be has contributed to the failure of several RFID
applied to all freight/cargo containers, cases, pallets, projects. Major companies worldwide such as Metro
and individual ‘high value’ items that require the Group in Europe and Gillette have scrapped RFID
military’s UID (Unique Identification Code) . programs following consumer backlash. In Gillette’s
trial program, RFID-enabled razor packages sold by
While applications in supply chain tend to be long the United Kingdom retail giant Tesco was canceled
term and perhaps with no immediate return on when privacy advocates protested, stating that
investment, there are more focused and localized retailers and manufacturers could monitor razors that
applications (closed-loop) that can provide had gone home with a customer and use the
incremental justification for the RFID investment. technology for surveillance [10, 26]. Lawmakers in
These include warehousing, asset location/tracking, several U.S. states, including California and
people location, mobile payments, in-process Massachusetts, are considering whether to implement
inventory tracking, repair and maintenance, and RFID-specific privacy policies .
luggage tracking. The U.S. Food and Drug
Administration (FDA) has adopted RFID technology Although some organizations try to minimize the
to prevent counterfeiting prescription drugs. Public consumer privacy concern, the issue is real and
libraries are using RFID to track books . An worldwide. Privacy advocates such as Katherine
interesting application of RFID is by the DeKalb Albrecht, the founder of Consumers Against
County Juvenile Court to track the location of files Supermarket Privacy Invasion and Numbering
through the entire workflow. As a file moves from (CASPIAN), have raised concerns about the risk of
the central file room to the team room and individual personal information abuse and consumer aversion to
offices, the location can be viewed on any network retailers collecting their personal data. Mainstream
computer. This allows the court to prevent misplaced newspapers such as the Washington Post and the
or lost files . New York Times have published articles on the
legitimate questions raised by privacy advocates.
There are many challenges and issues for RFID
adoption including insufficient RFID standards, PRIVACY ISSUES
security concern (especially in wireless RFID), cost,
and privacy. Insufficient RFID standards are being The growing number of RFID applications has fueled
addressed by the standard establishing organizations concern about potential violations of privacy .
including International Standards Organization (ISO) The concern arises out of the fact that the stored data
and EPCglobal [14, 30]. The security concern is on the RFID tags may be linked to individual’s
alleviated by controlling the physical environment so personal information. Further, the presence of the
that malicious users can’t access the tags. This is tags may not be known to consumers, enabling
relatively easy in closed-loop situations, but very monitoring without consent by the item’s seller and
complex in open-loop situations such as a supply potentially others. In addition to the unauthorized
chain, where the tags are typically moved along with collection of information, consumers may be
the products. As with the Internet, security is a subjected to an undesired use or sale of their personal
moving target and needs to be handled on a case-by- information. A theft of that information is another
case basis [13, 31, 33]. The issues of cost in adopting major concern.
RFID technology relates to the cost of RFID system
components and setup, a concern that all One response to these concerns is to allay any cause
organizations share. But with the widespread use of for alarm . The high costs associated with RFID
RFID technology, it is expected that the cost would technology will limit, as a practical matter, any
be reduced significantly . However, for a firm’s extensive deployment of RFID tags and readers .
management, the cost of process modification/change However, as previously indicated, there appears in
and associated data integration in RFID fact to be a rapid increase in the uses of RFID. It is
implementation is a major concern. In a 2006 survey, further argued that users of RFID won’t adapt the
62 percent of 150 manufacturers participating stated technology in a way that will offend their customers
that data integration is one of the top concerns in an and cause injury to the long-term interests of the
RFID initiative . business . Yet Wal-Mart’s experiment with
tagged lipsticks at its Broken Arrow store in 2003 is
cited as evidence early in the roll out of RFID
technology of just such abuse . Finally, the . The others have likewise been evaluated as
counter argument should the implementation of RFID largely ineffectual with regard to RFID privacy issues
adversely affect consumer interests is that existing . Although HIPPA includes the most specific
legal protections are sufficient to redress any harm protections as to the collection and use of data, it
. The following section reviews the evaluation of applies only to health care information .
current law as it pertains to RFID abuse.
Administrative Regulations - At the federal level,
Existing Legal Protections many administrative agencies have considered the
impact of RFID in their respective regulatory fields.
There are multiple sources of protection against The privacy implications are most directly related to
privacy violations under current law: federal and the consumer protection role of the FTC. The agency
state constitutions, statutes, administrative held a workshop in June 2004 to examine the issues
regulations, and case law or common law. The but subsequently determined that it should defer to
application of those laws to RFID is, to date, not industry self regulation .
Common Law - Finally, common law theories have
Constitutions - First, there are provisions in the U.S. been evaluated as an avenue of recourse in the event
Constitution and several state constitutions that of RFID abuse. Theories advanced include those
protect privacy rights . Most notably, the Fourth protecting contract, tort, and property rights [3, 11,
Amendment in the federal constitution prohibits 15, 18]. The most commonly discussed possibility,
unreasonable searches and seizures . Is the an invasion of privacy based on intrusion upon
collection of data from a RFID reader unreasonable? another’s seclusion, suffers the same disadvantage of
The cases interpreting this provision have found constitution and statutory provisions discussed
violations when information is obtained under earlier. It would not apply to private information
circumstances where there is an expectation of available in a public place . In addition to
privacy, such as in one’s home . In the context of problems in meeting the requirements of the
RFID, therefore, there would appear to be no individual theories, common law actions do not
protection if the information is collected from a provide widespread deterrence [11, 18]. The
reader in a public place. Moreover, constitutional recourse is after the fact, is directed at identified
restrictions apply only to governmental actions and defendants only, and varies from state to state.
will not cover collection of information by RFID
technology by private enterprises . In summary, although there are many existing laws to
protect an assortment of privacy interests, none
Statutes - The second source of potential protection is directly address RFID technology in a way that will
based primarily on existing state and federal deter undetected data collection and use. As a result,
prohibitions against fraud. The Federal Trade proposals for new and more targeted methods of
Commission Act prohibits unfair and deceptive trade protection have been proposed.
practices . This arguably encompasses
misrepresentations or omissions about the collection Proposed Protections
or use of data from RFID tags . The FTC
reportedly does not, however, monitor the use of The proposed protections can be classified into two
RFID technology and has not brought any related categories: self and government regulation.
enforcement actions . Future actions are
anticipated to be limited due to the fact that the FTC Self Regulation - New technologies are being
could only proceed against companies that developed to address consumer privacy protection.
voluntarily provide privacy policies . Even then For example, a technology developed recently, Gen2
action may depend on the availability of limited protocol, allows for “kill” functionality, which
resources and would be unsuitably slow . permanently disables a tag at the point of sale.
However, for the retailers and manufacturers, it is
Other federal statutes cited as potentially applicable very appealing to have the relevant information
are the 1974 Privacy Act, the Electronic stored in RFID tag accessible in the event a consumer
Communications Privacy Act, the Fair Credit returns a tagged item. Therefore, the challenge
Reporting Act, and the Health Insurance Portability confronting retailers and consumer package goods
and Accountability Act (HIPPA) . The first of manufacturers is to find a balance between consumer
these, the Privacy Act, is limited to governmental privacy protection and the benefits of post-purchase
action and only to the use, not collection, of data RFID tagging . In recent months, several
companies have offered some solutions. In blueprint for legislation,” the guidelines call for clear
November 2006, IBM licensed “clipped tag” and conspicuous notice to consumers when
technology, which allows a consumer to tear off a information is collected and linked to personal
piece of the tag after the item has been purchased. information as well as when a choice exists as to the
This limits the read range significantly, which means use of RFID technology. Reasonable access to
the tag can be read at very close range, therefore personal information collected is in addition to
preserving the post-purchase benefits . Yet reasonable security of tagged information.
another technology solution is from a Danish
company, RFIDSec, which has developed a FUTURE DIRECTION AND CONCLUSIONS
technology that puts a tag in “silence mode” (the data
would be unavailable for reading) when an item is Many factors have contributed to the increased
purchased. However, an authorized party can demand for RFID applications, especially in the
reawaken the tag at the time the item is returned. In supply chain management market. Industry
addition, the company offers another technology that collaboration, technical developments and the
allows encryption of data being communicated numerous advantages that the technology can bring
between the RFID tag and the reader . are among these factors. However, there are several
issues associated with RFID applications of which
Government Regulation - At the federal level, consumer privacy protection is perhaps the most
amendments to the Privacy Act and the Electronic publicized.
Communications Privacy Act discussed above have
been proposed . More specifically, Consumers RFID applications are increasing. Current law does
Against Supermarket Privacy Invasion and not adequately address potential invasions of privacy.
Numbering (CASPIAN) drafted an act entitled the Changes in law to restrict abuses are anticipated to
RFID Right to Know Act of 2003 which included develop from state legislation and common law rather
amendments to an assortment of federal statutes, than federal legislation or constitutional cases .
particularly those directed at packaging/labeling and Simultaneously, self imposed technological solutions
privacy . Its provisions require conspicuous labels and privacy practices are evolving.
notifying consumers that a package contains a RFID
tag and that the tag could transmit identification REFERENCES
information to a reader. Moreover, it would have
prohibited linking an individual’s nonpublic personal 1. 15 U.S.C. 45 (2000).
information with RFID tag information, disclosing an 2. Borriello, G. (2005). RFID: Tagging the World.
individual’s nonpublic personal information in Communications of the ACM, 48(9), 34-37.
association with RFID tag information, and using 3. Brito, J. (2004). Relax. Don’t Do It: Why RFID
RFID tag identification information to identify an Privacy Concerns are Exaggerated and
individual. It would have required the FTC to adopt Legislation is Premature (Electronic Version).
regulations to implement its provisions. The FTC, as UCLA Journal of Law and Technology, 5.
discussed above, declined to do so. A proposal 4. California RFID Restrictions Get Governor’s
entitled “Opt Out of ID Chips Act” also was not Veto. (2006). Available:
successful . http://www.rfidupdate.com/articles/index.php?
id=1218. Accessed January 20, 2007.
State legislative proposals, on the other hand, have 5. Another Link in the Chain. (2004). Card
been more prolific. RFID related proposals with Technology Today, April 11.
regard to a range of data privacy issues have been 6. Center for Democracy & Technology, (2006).
reported as under consideration in nineteen states, CDT Working Group on RFID: Privacy Best
including the following: California, Maryland, Practices for Development of RFID Technology.
Massachusetts, Missouri, New Hampshire, New Available:
Mexico, Nevada, South Dakota, Tennessee, Utah, http://www.cdt.org/privacy/20060501rfid-best-
and Virginia [3, 18, 32]. The proposals vary with practices.php. Accessed February 21, 2007.
labeling most commonly required . None have 7. Consumers Against Supermarket Privacy
been adopted. Invasion and Numbering. (2003). RFID Right to
Know Act of 2003. Available:
Future proposals may look to the guidelines issued by http://www.nocards.org/rfid/rfidbills.html.
the Center for Democracy and Technology on Accessed January 25, 2007.
privacy best practices for deployment of RFID 8. Dalal, R (2006). NOTE: Chipping Away at the
Technology . Although “not designed as a Constitution: The Increasing Use of RFID Chips
Could Lead to an Erosion of Privacy Rights. Through the Use of Radio Frequency
Boston University Law Review, 86, 485. Identification Technology and the Need for
9. Delaney, K. (2005). RFID: Privacy Year in Legislative Response [Electronic Version].
Review: America’s Privacy Laws Fall Short with North Carolina Journal of Law & Technology,
RFID Regulation. I/S: A Journal of Law and Spring, 6, 325.
Policy for the Information Society, 1, 543. 22. Moskowitz, P. A. Andris, L. Moris, S. S.
10. Eckfeldt, Bruce. (2005). What Does RFID Do Privacy-Enhancing Radio Frequency
For The Consumer? Communications of The Identification Tag: Implementation of the
ACM, 48(9), 77-79. Clipped Tag. RFID Journal Live, May 1-3, 2006.
11. Eden, J. (2005). When Big Brother Prioritizes: 23. Philips, Dale. (2005). Strategic Applications of
Commercial Surveillance, The Privacy Act of Technology: County-Level Case Study in the
1974, and the Future of RFID. Duke L. & Tech. State of Georgia. The Public Manager, Summer,
Rev., 20. 32-36.
12. Evans, Bob. (2005). Business Technology: RFID
Is Already Providing Its Value. Information
24. Privacy Rights Clearinghouse. (2003). RFID
Week, Available: Position Statement of Consumer Privacy and
http://www.informationweek.com. Accessed Civil Liberties Organizations. November 20.
February 11, 2007. Accessed June 21, 2006.
13. Gadh, Rajit. (2005). RFID Moves Beyond http://www.privacyrights.org/ar/rfidposition.htm.
Supply Chain Mandates. Computer World. 25. Ramachandra, Girish. (2005). Learning from
Available: http://www.computerworld.com. RFID: Strategies for New Technology Adoption.
Accessed February 11, 2007. SETLabs Briefing, 3(3).
14. Glidden, Rob et al. (2004). Design of Ultra-low- 26. Rennie, Elizabeth. (2006). Staying On Course.
Cost UHF RFID Tags for Supply Chain APICS magazine, February, 28-33.
Applications. IEEE, August, 140-151. 27. RFID: Not Just for Retail Anymore. (2007).
15. Handler, D. (Spring 2005). The Wild, Wild Information Management Journal. Available:
West: A Privacy Showdown on the Radio http://www.technewsworld.com/rsstory/55673.ht
Frequency Identification (RFID) Systems ml. Retrieved February 11. Accessed February
Technology Frontier [Electronic Version], 11, 2007.
Western State University Review, 32, 199. 28. RFID Tag Balances Privacy and Retailer
16. Harper, J. (2004). RFID Tags and Privacy: How Interests. (2006). Available:
Bar-Codes-On-Steroids Are Really a 98 Lb http://www.rfidupdate.com/articles/index.php?
Weakling. Competitive Enterprise Institute, 89, id=1145. Accessed February 11, 2007.
17. Herbert, W. (2006). No Direction Home: Will
29. Roberti, Mark. (2004). DOD Releases Final
Policy. RFID Journal. Available:
The Law Keep Pace with Human Tracking
Technology to Protect Individual Privacy and
Stop Geoslavery? [Electronic Version], I/S: A 80/-1/1. Accessed February 11,2007.
Journal of Law and Policy for the Information 30. Sakamura, Ken. (2001). Radio Frequency
Society, Spring/Summer, 2, 409. Identification And Noncontact Smart Cards.
18. Hildner, L. (2006). Defusing the Threat of RFID: IEEE, 4-6.
Protecting Consumer Privacy Through 31. Stajano, Frank. (2005). RFID is X-Ray Vision.
Technology – Specific Legislation at the State Communications of the ACM, 48(9), 31-33.
Level [Electronic Version]. Harvard Civil Rights 32. Songini, M. (2006). Wisconsin Law Bars Forced
– Civil Liberties Law Review, Winter, 41, 133. RFID Implants. Computerworld, June 12.
19. Hostetter, D. (2005). When Small Technology is 33. Sullivan, Laurie. (2005). Privacy And RFID: Are
a Big Deal: Legal Issues Arising from Business The Tags Spy Chips? InformationWeek.
of RFID [Electronic Version]. Shidler Journal of Available: http://www.informationweek.com.
Law, Commerce & Technology, Autumn, 2, 10. Accessed February 11, 2007.
20. Klien, Russ. (2007). Aberdeen on RFID 34. Swedberg, C. (2004). FTC Readies an RFID
Adoption in Manufacturing. Available: Report. RFID Journal. Available
id=1219. Retrieved February 11, 2007. 1. Accessed February 12, 2007.
21. Kobelev, O. (2005). Big Brother on a Tiny Chip: 35. U.S. Const. Amend. IV.
Ushering in the Age of Global Surveillance 36. Want, R. (2005). RFID: A key to automating