September 19, 2004

Overblown RFID Privacy Fears Still Merit Attention

By Evan Schuman, eWEEK

Opinion: Bogus reports on RFID privacy problems are coming back louder than ever. But Evan Schuman argues that the only thing worse than believing those reports would be to ignore them.

As RFID stories start appearing in the consumer media and on the television network news shows, we're starting to hear the same death and despair stories that were all the rage when the consumer media first discovered the Web.

My personal favorites were the early stories of shock when a reporter found out that government computers had pornographic images on them. That sounded pretty bad, until you realized that it was simply an Internet server that has Usenet newsgroups on it.

In other words, it had literally millions of pages from all over the world on it. That's like saying your child's school computer has recruitment ads for al-Qaida on it because it offers Web access.

Then there were those stories about how the Web should be banned or restricted because it puts our children at risk. When obscene phone calls were a common threat, I don't recall cries to restrict or ban telephone access. People also can mail death threats, so let's ban or restrict mail and FedEx access.

The silliest of those stories stopped appearing right about the time that consumer reporters started truly spending time on the Web and understanding what it was.

The next time you read or hear one of those "RFID is a 1984 Big Brother privacy threat" stories, remember what those same media organizations were reporting about the Web circa 1995 and 1996.

Two major networks last week reported fears that consumers carrying products with RFID tags could be tracked for miles, from merchant to merchant, seeing where they drove and exactly where the goods went in their house.

Personally, I'm not losing too much sleep over that, given the fact that most retailers today can barely get an accurate, consistent RFID readout when the tag is 2 inches from the reader. True, the technology's accuracy should improve over the next couple of years and, in fairness, no one is honestly predicting widespread, item-level tagging before 2009 or so.

But how many inches from the readers will RFID be able to scan? And why would any retailer flood a community with thousands of RFID readers all over town, like so many cell towers? (Don't get me started on how difficult it can be to send and receive consistently strong cell phone signals walking around Manhattan. And if Manhattan isn't cell-saturated, what are the chances that Dubuque, Iowa, will be? Or for that matter, Sunnyvale, Calif.? But I digress, which I usually do.)

Remember that RFID tags are not like the receivers for GPS (Global Positioning System) units. GPS uses a couple of dozen medium-Earth Orbit communications satellites orbiting thousands of miles above the earth.

By triangulating signals from three of those satellites—and adding that info to data from the wheels and other input—it can allegedly track anything on the planet within 20 meters. Weather, mountains, hills and other factors can interfere with GPS, and military systems reportedly can be much more precise.

No, that's not what RFID is. RFID needs to be scanned by a reader in fairly close proximity. But even assuming some retailer wanted to track where consumers went with various just-purchased products, and that somehow the retailer invested a few extra billion dollars in making its entire coverage area readable, why collect that kind of information?

One of the big problems with CRM systems today is that retailers have neither the staffs nor the inclinations to use one-tenth of the information they are already collecting. Why gather intrusive information that has no immediate benefit to the business when you'll never get around to using it anyway? Who's got that kind of time?

That all said, there are legitimate privacy fears surrounding the amount of data retailers are going to be able to collect in the coming years, and any retail IT exec who treats those concerns blithely is going to find out that it may not be Wal-Mart that will do you in.

As retailers get more sophisticated about multichannel integration and start to do their own triangulation of information about the same consumers, they could go from the catalogue's toll-free number to various brick-and-mortar locations, and then to trolling on your Web site and perhaps integrating Google and eBay activities ... now there is where privacy experts should be sweating.

It's said that familiarity breeds contempt, but in the retail tech world, familiarity also breeds trust, comfort and that ever-illusive quality known as comprehension. A much bigger privacy threat is the ability for everyone's cell phone to not only track a consumer's location much better than RFID can, but to literally be transformed into a super-easy listening device. Just set the phone's ring to "silent," and the rest is automatic.

Why no uproar over that privacy risk? Because consumer media representatives and privacy advocates understand and routinely use cell phones, they understand the practical devices and are not afraid of them. This is the same reason those weird Internet scare stories stopped appearing: As consumers started using the Web routinely, it ceased being the Bogeyman and turned into an everyday tool.

When preparing to deal with a privacy strategy—for RFID or anything else—another crucial factor is that perception trumps reality every time, no contest. In classical cinema terms, think of reality as Bambi and perception as Godzilla. (I love the classics.)

Even if the reality is that RFID does not pose any true privacy threat, if your customers all believe that it does, you must treat their fears with respect. Well, maybe "respect" is a bit much. Humoring them might be more apropos.

Think of what happened at U.S. airports shortly after 9/11. Fatigues-wearing National Guard troops armed with automatic weapons patrolled public areas. Most government officials were not expecting terrorists to storm the airport. The show of force was intended to comfort passengers more than anything else.

A similar showing with RFID might be in order. Loudly and frequently declare privacy policies, where you pledge in plain language to not do the things that you never had any intention of doing anyway. Demonstrate the extremely limited range of the readers. (Like that will be difficult.) And allow consumers to opt out of as much as you can.

Few will take you up on the offer, but the gesture of making the offer is almost all that matters.