Why the EU is worried about RFID

For a microchip that measures just a few millimetres across, RFID has already caused a fair degree of controversy. The radio tags – used on anything from pharmaceutical products to sea containers – have prompted campaigns by privacy groups, street demonstrations in continental Europe, and conspiracy theories a-plenty.

The latest organisation to step into the controversy is the European Commission, which this month held a series of workshops in Brussels as part of a consultation over the technology.

The EU’s information society commissioner, Viviane Reding, wants a debate about the security and privacy issues surrounding RFID. The discussions will help the European Commission when it comes to review the EU’s e-privacy directive later this year.

The EU expects the use of RFID tags to grow rapidly in the next few years, and believes a public discussion is necessary now about how they might be used, and how the data the tags provide might be protected.

“We need to ask what information RFID systems gather, how long that data will be kept and who will have access to it,” said Ms Reding when the EU announced the consultation at the CeBIT technology fair in March.

In part, the EU is responding to pressure from consumer and privacy groups, which have expressed concern that RFID tags could be used to build up huge databases of individuals’ shopping, leisure and travel habits. These databases could be exploited by unscrupulous businesses and also become a target for cybercriminals.

The fact that RFID tags track the actual item someone buys rather than simply the type – as is the case with bar codes – has led to fears that RFID data could be far more intrusive than the information retailers already collect. And, as radio chips, RFID tags have the potential to be read at a distance without the consumer’s knowledge.

So far, few RFID projects have involved placing tags on individual consumer goods. The cost of tags, as well as the equipment needed to read them and process the data, also means that item-level tagging is still some way off. Rather, companies are tagging crates, cases and containers.

“Most business cases for RFID involve nothing that touches the consumer, but are based around back-end systems and the logistics chain. Most RFID tags will never reach the consumer but are on the pallet level,” says Jeroen Terstegge, corporate privacy officer at Philips and a moderator in the EU’s consultation.

But concerns remain, not least because technological developments will bring down the cost of RFID tags and also increase their range and accuracy.

European Commission officials are likely to be looking for evidence that the IT industry is taking such privacy and security considerations into account. And companies that are actively involved in RFID, including Philips, IBM and Accenture, are already working on privacy and security enhancement measures for RFID.

Such measures could include limiting the range of tags – so that the reader would need to be in close proximity to the product, for example – encrypting the data on the tag, and providing consumers with the option to wipe the RFID chip once they have bought an item.

An open debate about RFID should help consumers understand how RFID works. Retailers, including Marks and Spencer in the UK and Metro in Germany have also gone to some lengths to reassure consumers about RFID, for example by clearly labelling products that carry tags.

Proponents of RFID also hope that the EU consultation will be an opportunity to present the positive elements of the technology, such as its use in preventing counterfeit drugs reaching consumers, or in aviation, where tags are being fixed to aircraft spares and safety equipment.

Such deployments should be relatively uncontroversial, as are RFID deployments in other closed environments, from manufacturing sites to defence establishments and oil or chemical plants.

“The work we have been doing in the pharmaceutical supply chain is one area that has clear consumer benefits,” says Stephen Proud, the partner responsible for RFID in Europe at consultant Accenture.

“Few would argue that the issue of counterfeit drugs is not important to consumers. We are working with drugs companies to use RFID to improve the integrity of the supply chain. But the tags are clearly identified and are removed by the pharmacist when the product reaches the store.”

And, so far, companies involved in RFID say that the EU consultation is not holding back customers’ plans for the sensors. The barriers for RFID are more often technological or financial. Moreover, there are other technologies that pose as great, if not greater, privacy questions.

“We are seeing some push back on RFID plans, but it is because of technical not privacy issues,” says Duncan Brown, consulting director at analysts IDC. “We are seeing other areas where businesses are generating more and more information in a digital form, and some of this is potentially far more sinister data than what clothes you are buying.”