Slashdot Mirror

← Back to Stories (view on slashdot.org)

Labelling RFID Products

Posted by michael on from the bright-ideas dept.

John3 writes "Following Wal-Mart's recent announcement that they plan to push RFID in their stores, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) has posted proposed legislation that would require a product to be labeled if it contained an RFID tag. Beyond the label requirement, the proposed legislation also sets up some strict restrictions on the use of RFID data. Even though RFID is not in widespread use, it's probably best to start working on these types of protections before the products are on the shelves."

3 of 325 comments (clear)

  1. SUMMARY OF THE BILL by donutz · · Score: 5, Informative

    From the website, the summary of the RFID Act (summary is pretty long though):

    RFID Right to Know Act of 2003
    Proposed legislation to mandate labeling of RFID-enabled products and consumer privacy protections
    SUMMARY OF THE BILL
    AN ACT

    To require that commodities containing radio frequency identification tags bear labels stating that fact, to protect consumer privacy, and for other purposes.
    SEC. 1. SHORT TITLE.
    This section shortens the title of the bill to "RFID Right to Know Act of 2003."
    SEC. 2. AMENDMENTS TO THE FAIR PACKAGING AND LABELING PROGRAM.

    This section amends the Fair Packaging and Labeling Program by inserting language under subsection (a) of paragraph (6). This section requires that a consumer commodity or package that contains or bears a radio frequency identification tag shall bear a label as provided in the paragraph below.

    It also defines the term "radio frequency identification" or "RFID" to mean technologies that use radio waves to automatically identify individual items. It defines the term "tag" to mean a microchip that is attached to an antenna and is able to transmit identification information.

    Finally it describes that the label should state, at a minimum, that the consumer commodity or package contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase; and be in a conspicuous type-size and location and in print that contrasts with the background against which it appears.
    SEC. 3. AMENDMENTS TO THE FEDERAL FOOD, DRUG, AND COSMETIC ACT RELATING TO MISBRANDING.

    This section amends the federal Food, Drug and Cosmetic Act by inserting language under the sections relating to misbranding of commodities. It says that a food, cosmetic, drug or device is misbranded if the product or package contains an RFID tag, unless it bears a label stating, at a minimum, that the consumer commodity or package contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. It also prescribes that the label must be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
    SEC. 4. AMENDMENTS TO THE FEDERAL ALCOHOL ADMINISTRATION ACT.

    This section states that a person shall not manufacture, import, or bottle for sale or distribution in the United States any alcoholic beverage unless its container bears a label. That label must state at a minimum, that container contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. The label must also be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
    SEC. 5. AMENDMENTS TO TITLE 15, CHAPTER 36--CIGARETTE LABELING AND ADVERTISING.

    This section states that a person shall not manufacture, import, or package for sale or distribution in the United States any cigarettes unless its container bears a label. That label must state at a minimum, that container contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. The label must also be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
    SEC. 6. AMENDMENTS TO TITLE 15, CH. 94--PRIVACY.

    This section goes directly to protecting the privacy of consumers. First it directs that a business shall not combine or link an individual's nonpublic personal information with RFID tag identification information, beyond what is required to manage inventory. Second, a business shall not, directly or through an affiliate, disclose to a nonaffili

  2. Re:My god... by StefanJ · · Score: 5, Informative
    If you purchase an RFID-tagged item using a credit or debit card, your name, credit history, and possibly other demographic data can be associated with it.

    Walk into a store wearing a tagged garment, and your presence could be noted. Prices could magically change as you approach a shelf. Security could get alerted based on your pauper status.

    This is a far from perfect association, of course. You could be buying a garment as a gift, or for a child. Of course, if a person wearing a tagged garment makes a purchase, and the association doesn't match, the information could be updated.

  3. Re:My god... by Michael+Spencer+Jr. · · Score: 5, Informative

    When you swipe a credit or debit card, the merchant can read your name, card number, expiration date, and some card verification information. They are already *forbidden* from storing the card verification information after they use it to process the sale. When a merchant signs a contract that enables them to accept payment via credit card, some clauses in that contract allow their processor (acquirer) to charge them fees or fines, especially if the acquirer is charged fees or fines by Visa or Mastercard. That means -- Visa and Mastercard have the power to fine merchants for behaving badly. They can also revoke a merchant's ability to accept those kinds of credit cards.

    Merchants are allowed to store the customer name, card number, and expiration date from the magnetic stripe.

    What does a customer name, card number, and expiration date get you? (besides 'paid for your transaction') Assuming the name isn't already unique...

    Sales can happen in one of two major "processing environments": card-present (where the merchant swipes the card, and proves to the issuing bank that the card really was there, by demonstrating knowledge of some of that secret card-verification information on the card), and card-not-present (where the card number is sent via mail/phone/fax/internet).

    In card-present sales, the merchant only has the card number and name. If companies (like Radio Shack perhaps) insist on having a name and address on file for each customer, they could run into problems: if a customer finds that such-and-such company is refusing to accept Visa/Mastercard CARD-PRESENT sales when the customer refuses to provide a name and address, the customer can complain to their issuing bank or to Visa or Mastercard directly. Those payment-transfer-organizations might conduct their own investigation (plain-clothes customers), and if the merchant is found to be refusing to accept Visa/MC card-present sales without address information, they can be stiffly fined or have their processing priviledges revoked.

    In card-not-present sales, the threat model you discussed is reasonable. Best-practices say the merchant should perform an address-verification check, confirming that the address the customer provides matches the billing address the issuing bank mails statements to. If the customer claims they are shipping the goods to another address, the merchant should require the customer to contact their bank and have the bank "whitelist" the new shipping address, because the bank can then confirm all the personal information the merchant isn't allowed to have.

    So I guess a merchant in California could be paid off by some marketing company, and could ship RFID-enabled goods to a customer in New York, and report the RFID information so it's trackable.

    You could NOT, however, reasonbly expect that by just swiping your credit card in Wal Mart, Wal Mart suddenly has all your personal information. They could, possibly, associate different products with the same customer, but they wouldn't know anything other than the card number and name.

    ----------

    In general, keep this in mind: the Visa and Mastercard corporations are profitable. They are 'payment transfer organizations' and want to maximize the amount of money that travels through their system, because they make a *lot* of money off of processing fees charged to merchants. If something happens that makes customers nervous, or makes merchants nervous, they will pass new regulations that try to make that fear go away.

    But of course if there's no widespread customer knowledge of this possible threat, there won't be any significant nervousness to worry about.

    --Michael Spencer
    First National Merchant Solutions
    (a credit card processor or 'acquirer')
    First National Tower, 27th floor
    1620 West Dodge, Omaha Nebraska, 68197
    http://www.foomp.com

    The opinions stated above are my own opinions, and do not reflect the opinions of my employer, First National Merchant Solutions.