RFID security scares ignore facts

February 2004 Asset Management, EAS, RFID

In the wake of Wal-Mart’s recent announcement that it would require radio frequency identification (RFID) tags on cases/pallets of products to facilitate tracking – and may require tags on individual products eventually – scare stories concerning possible use of these tags to violate individual privacy have been surfacing.

Such stories ignore not only common sense and practicality, but also the basic physics that govern the potential of these tags. Both the public and the retailers considering tag use need to understand these basic facts before they can enter meaningful debate on the use of the technology.

Situation analysis

The RFID debate has entered the public forum in recent months, driven on one side by an often overoptimistic view of the technology by potential retail and wholesale users, and on the other by even wilder misapprehensions about the use of this technology to gather intrusive levels of personal information from individuals.

"RFID tags recommended for product tracking cannot be used to track individuals through their lives via some sort of satellite-tracking mechanism due to limited read ranges," says META Group analyst Jack Gold, addressing a common urban legend. "The range of these tags is only a few [metres] at most, and they do not contain any personally identifiable information."

In fact, though several different RFID technologies exist, the passive tags being considered for Wal-Mart's supply chain have a very low data capacity and short read ranges. The Electronic Product Code (EPC) standard supported by Wal-Mart limits data initially to 96 bits, little more than what is found on bar code labels. Moreover, the often cited (but elusive) price point for these tags ensures that range and data capacity will remain low. The tags are not equipped to identify the buyer, so even if someone did track items, there would be no way to link those items to the purchaser via RFID.

Furthermore, tracking what individuals are reading or doing via RFID is the hard - and expensive - approach to gathering personal data. A much easier way would be to hack credit card databases that do contain personally identifiable information. Stores already capture who bought what at the point of sale (POS) when credit cards are used. Yet, consumers think nothing of using their credit cards to buy all kinds of things - including memberships to online X-rated sites. Moreover, the ubiquitous mobile phone is a far more realistic way to track people now, yet few privacy pundits - many of whom carry cellphones - are hyping the evils of big brother tracking who people call and where they are at all times.

Even retailers that legitimately gather personal buying information with consumer permission via loyalty cards that provide product discounts when scanned at the POS terminal still have the challenge of separating the wheat from the chaff to make effective use of the large amounts of data they gather. Some, like Publix, have determined that it is not worth the effort and expense.

"It takes trillions of pieces of data to put together a picture of buying patterns for a store on an individual-consumer basis," says META Group analyst Gene Alvarez. "The real value is for the individual stores to make effective use of it."

Cost versus value

The vision of tracking individuals via RFID tags (perhaps through articles of clothing with embedded tags) also has a practical aspect. Such tracking would require the creation of a huge network of readers that would have to be installed, coordinated and maintained - at the cost of thousands per reader. What value would any organisation receive from that information to justify such an expense? Even a chain with only 500 stores could face significant investment challenges for tracking products - never mind the consumer movement.

In addition, those debating the security aspects of RFID have to ask a basic question: who would possibly care whether a certain person wearing a certain brand sweater went to a particular bar on a Wednesday night?

Retailers need to deal with similar issues when planning RFID applications.

Enterprise wide initiative?

"Right now, Wal-Mart suppliers are under a lot of pressure to deliver, and in those companies we see that the techies are running the show," says META Group analyst Bruce Hudson. "By viewing RFID as a technology project rather than an enterprise-wide initiative, companies are putting their brands at risk. Particularly for item-level tagging, these projects need to be run by the line of business, with legal, PR and marketing input from the beginning. The mistrust surrounding RFID is similar to that around the 'cookie' at the beginning of e-business. A lot of fuss about nothing."

RFID systems are costly. A single tag - bought in bulk - may cost only a quarter, but the readers, the infrastructure to capture the data they gather, the analytical software to make sense of that data, etc, are all still costly. For instance, the cost of installing smart shelves for a single product at all the outlets of a major retailer could cost millions, and so far is unlikely to be economically justifiable given the potential weak return on investment. Thus, it may be more practical to continue to monitor most shelves manually.

Making good processes better

RFID is not a substitute for good store planning. Many retailers need to develop better business processes for store planning first.

"While it has a place in warehouse management, RFID technology is too limited and costly to be used to perform realtime tracking of tens of thousands of pallets of material in a large warehouse," says META Group analyst Dwight Klappich. "It does not work, given the read distances, other environmental considerations such as metal racks, and the three-dimensional nature of a warehouse. The question remains why a company would want to pursue RFID for this when there are far more realistic solutions (ie, warehouse management systems) that accomplish the real object of accurate inventory locating at far less cost and complexity."

"RFID cannot make a bad process good," adds Hudson. "It can only make a good process better."

RFID is also not an answer to the lack of UPC code standardisation. For instance, if Procter & Gamble uses a different set of codes to identify its products for North America and Europe, applying RFID will not fix the problem. Retailers will still have bad data in their databases, leading to incorrect invoice and stocking errors, which is why retailers - while pushing RFID - are also pushing UPC code standardisation and data synchronisation efforts.

RFID also has its own standards problems. Numerous versions of the concept using different technologies and pieces of the spectrum are in production, so a tag that one company uses may not be compatible with the readers of another company. The EPC standard embraced by Wal-Mart, for example, is currently incompatible with ISO standards used in Europe.

User action

RFID technology has already proven itself to be practical in applications ranging from automatic toll collection and the Mobil Speedpass to tracking individual steers on a feed lot. Consumers with privacy concerns should base those on the reality of RFID capabilities rather than on groundless statements by professional doomsayers.

Similarly, enterprises considering using RFID should begin by educating themselves concerning the real capabilities and issues of the technology and not misapply the technology to problems it cannot cost-effectively or technically remedy. When considering any plan beyond a purely technical trial, the planners should clearly identify realistic return on investment early in the planning cycle, considering the variable tag costs as well as the infrastructure and application development costs.

Source: META Group analysts: Dwight Klappich, Bruce Hudson, Gene Alvarez, Tim McLaughlin, Chris Kozup, John Brand and Jack Gold contributed to this article.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Scanning for gold
Issue 8 2020, Saflec , Asset Management, EAS, RFID, Products
The metal detection market is such that customers looking for a specific point solution are becoming a rarity and the primary desire is for a solution.

Ensuring the secure flow of information
Issue 9 2020 , Asset Management, EAS, RFID
The recent leak of two matric exam papers and arrest of a suspect has raised renewed concerns over security and data leaks within a corporate and public organisation environment.

Information keeps the trucks rolling
Issue 9 2020 , Asset Management, EAS, RFID
Elite Truck Hire harnesses the power of information to optimise its business and prevent fraud with FleetDomain.

Circular economy offers cost savings
Issue 7 2020 , Asset Management, EAS, RFID
Circular economy initiatives help businesses keep technology assets in use for longer, extracting the maximum value from those electronics while in use.

IoT is transforming the mobility space
Issue 7 2020 , Asset Management, EAS, RFID
Technology is no longer a grudge purchase, but an indispensable part of modern business, especially in the mobility and transport sector.

Adapting the supply chain to the new normal
Issue 8 2020 , Asset Management, EAS, RFID
The supply chain, particularly in the Fast-Moving Consumer Goods (FMCG) industry and especially in South Africa’s main or informal market, needs to make use of mobile technologies.

Reduce fleet challenges with video telematics
Issue 7 2020 , Asset Management, EAS, RFID
Using a video telematics system can take your fleet into a new domain of safety, efficiency, productivity and cost cutting.

Argility showcases SkyData IoT Platform
Issue 6 2020 , Asset Management, EAS, RFID
SkyData, a device agnostic IoT cloud platform, is transforming asset and resource monitoring and management.

IoT security seal
Issue 4 2020 , Asset Management, EAS, RFID
With the current lockdown and ports operating at reduced capacity, the need for automation has been taken to a new level.

Managing outputs, attendance and time
Issue 5 2020 , Asset Management, EAS, RFID
What started out as a great idea to bring structure, order, measurement and accountability to fieldwork, has virtually overnight turned into an indispensable tool.