Slashdot Mirror

← Back to Stories (view on slashdot.org)

Labelling RFID Products

Posted by michael on from the bright-ideas dept.

John3 writes "Following Wal-Mart's recent announcement that they plan to push RFID in their stores, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) has posted proposed legislation that would require a product to be labeled if it contained an RFID tag. Beyond the label requirement, the proposed legislation also sets up some strict restrictions on the use of RFID data. Even though RFID is not in widespread use, it's probably best to start working on these types of protections before the products are on the shelves."

10 of 325 comments (clear)

  1. barcodes? by SweetAndSourJesus · · Score: 5, Funny

    We're terrified of barcodes.

    Where have you been, man?

    --

    --
    the strongest word is still the word "free"
  2. Seems to me by Anonymous Coward · · Score: 5, Insightful

    that these RFID tags would be susceptible to a low power EM pulse. A little high school level physics ought to be enough to keep them from being a problem if they bother you that much.

  3. I'm missing one thing... by NetDanzr · · Score: 5, Insightful

    Their proposal seems to be quite well-prepared, albeit a little too general. However, I would really like to see another section under "Privacy", which would require the users of RFIDs to include them in a way that would make them easy to remove. People should have a choice whether to drive with the tags all the way home or remove them on the spot.

  4. SUMMARY OF THE BILL by donutz · · Score: 5, Informative

    From the website, the summary of the RFID Act (summary is pretty long though):

    RFID Right to Know Act of 2003
    Proposed legislation to mandate labeling of RFID-enabled products and consumer privacy protections
    SUMMARY OF THE BILL
    AN ACT

    To require that commodities containing radio frequency identification tags bear labels stating that fact, to protect consumer privacy, and for other purposes.
    SEC. 1. SHORT TITLE.
    This section shortens the title of the bill to "RFID Right to Know Act of 2003."
    SEC. 2. AMENDMENTS TO THE FAIR PACKAGING AND LABELING PROGRAM.

    This section amends the Fair Packaging and Labeling Program by inserting language under subsection (a) of paragraph (6). This section requires that a consumer commodity or package that contains or bears a radio frequency identification tag shall bear a label as provided in the paragraph below.

    It also defines the term "radio frequency identification" or "RFID" to mean technologies that use radio waves to automatically identify individual items. It defines the term "tag" to mean a microchip that is attached to an antenna and is able to transmit identification information.

    Finally it describes that the label should state, at a minimum, that the consumer commodity or package contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase; and be in a conspicuous type-size and location and in print that contrasts with the background against which it appears.
    SEC. 3. AMENDMENTS TO THE FEDERAL FOOD, DRUG, AND COSMETIC ACT RELATING TO MISBRANDING.

    This section amends the federal Food, Drug and Cosmetic Act by inserting language under the sections relating to misbranding of commodities. It says that a food, cosmetic, drug or device is misbranded if the product or package contains an RFID tag, unless it bears a label stating, at a minimum, that the consumer commodity or package contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. It also prescribes that the label must be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
    SEC. 4. AMENDMENTS TO THE FEDERAL ALCOHOL ADMINISTRATION ACT.

    This section states that a person shall not manufacture, import, or bottle for sale or distribution in the United States any alcoholic beverage unless its container bears a label. That label must state at a minimum, that container contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. The label must also be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
    SEC. 5. AMENDMENTS TO TITLE 15, CHAPTER 36--CIGARETTE LABELING AND ADVERTISING.

    This section states that a person shall not manufacture, import, or package for sale or distribution in the United States any cigarettes unless its container bears a label. That label must state at a minimum, that container contains or bears a radio frequency identification tag, and that the tag can transmit unique identification information to an independent reader both before and after purchase. The label must also be in a conspicuous type-size and prominent location and in print that contrasts with the background against which it appears.
    SEC. 6. AMENDMENTS TO TITLE 15, CH. 94--PRIVACY.

    This section goes directly to protecting the privacy of consumers. First it directs that a business shall not combine or link an individual's nonpublic personal information with RFID tag identification information, beyond what is required to manage inventory. Second, a business shall not, directly or through an affiliate, disclose to a nonaffili

  5. Best post-purchase RFID kill method by burgburgburg · · Score: 5, Interesting
    http://www.stoprfid.org/faqs.html says that disconnecting from the antenna and then puncturing/crushing/pulverizing is the suggested kill methodology. They warn that microwaves, though in theory effective, cause the RFID tag to burst into flames, which tends to be a bad thing.

    But earlier and later in the FAQ, they mention tags placed into the soles of shoes. Since this is done during the manufacturing process and would require slicing open the sole to find/destroy the tag (if you even knew where specifically it was), it doesn't seem there is an effective tag killer in this instance (and any other where the tags are deeply embedded).

    So, anybody else know of an effective tag killer that doesn't involve destroying the item and/or setting it on fire?

  6. Re:My god... by StefanJ · · Score: 5, Informative
    If you purchase an RFID-tagged item using a credit or debit card, your name, credit history, and possibly other demographic data can be associated with it.

    Walk into a store wearing a tagged garment, and your presence could be noted. Prices could magically change as you approach a shelf. Security could get alerted based on your pauper status.

    This is a far from perfect association, of course. You could be buying a garment as a gift, or for a child. Of course, if a person wearing a tagged garment makes a purchase, and the association doesn't match, the information could be updated.

  7. RFID isn't exactly perfect in itself... by TWX · · Score: 5, Interesting

    Remember. RFID isn't perfect. It's operation usually falls under Part 15 of the FCC rules, which is the whole "may not emit interference" and "must accept interference, even if it causes undesirable operation". RFID also uses 900MHz, 2.4GHz, 5GHz, and other public use frequencies, some of which are even also HAM bands. Amateur Radio isn't governed by part 15, so if a ham operator decides to operate on the frequency that RFID transceivers use, and if the HAM radio operator is operating legitimately, it's the RFID tranceiver's owner's problem, not the HAM's. Specific jamming is prohibited by the rules that amateur radio operators follow, but consumer use, nonlincensed devices are secondary users where both licensed and unlicensed spectrum overlap.

    so, what happens when someone is checking out, and the computer fails to record all of the RFID tags because of interference, but the person has legitimately purchased something? When they go to return it, the computer could possibly say that it wasn't purchased, and then the individual is left with more headaches.

    I think that the FCC should require that business-use devices like this be licensed, and each one individually identified in a publicly searchable database. I also believe that reissues of identification should be prohibited. This would work quite strongly to curtail use of RFID for tracking mechanisms.

    --
    Do not look into laser with remaining eye.
  8. $20 RFID Reader by 4/3PI*R^3 · · Score: 5, Insightful

    Wal-Mart doesn't exactly higher the "brightest bulbs in the chandelier" if you know what I mean.

    The good thing is that if RFID tags become omnipresent then so will RFID tag readers. As such an RFID tag reader should be small, simple to use, portable, and dirt cheap.

    In fact the RFID Journal has a story about just such a reader being developed.

    I guess I'll be buying one as soon as they come to market.

  9. Re:My god... by Asetilean · · Score: 5, Insightful

    Why is this important?

    The world is beginning to deal with an issue that of which our ancestors would never have dreamt. Technology has progressed to the point where ubiquitous surveillance/monitoring is not just feasible but cost effective. Our ability to keep our lives private is quickly eroding and it is important to wrestle with the issues now before the situation gets out of hand.

    The problem lies in the fact that our privacy is not removed overnight, but gradually, as the technology advances. Often each step is accompanied by only an incremental degredation of privacy which is, in many cases, compensated for by some benefit (think supermarket savings cards). At the level of individual choice, it is easy to rationalize such an incremental step: "Who cares if they can track my supermarket purchases, it's not like I'm an alcoholic (substitue vice here)." Over time, however, the amount of data collected about an individual is astounding. And as companies work together and exchange collected data and begin to correlate it, decisions will be made that may directly affect your ability to get a job, buy a house, be admitted to school, etc. These decisions will be heavily influenced by a karma score spit out by a computer that won't have all the data, just a lot of it (think being charged more for health insurance because you only bought mac & cheese and frozen pizza at the grocery store, never mind the fact that you get all your meat from your ostrich rancher uncle and have a garden where you home grow all sorts of natural goodies. Oh wait - This is slashdot. We're all just eating frozen pizza and mac & cheese.)

    There are a lot of doomsday predictions surrounding this technology. But there is some real benefit to companies that can leverage it for supply chain and inventory issues as well. What we need to realize is that even if it begins with good intentions, there will always be some asshole who wants to exploit it and will never once give any thought to the fact that what he/she is doing is not accepted by consumers as a legitamite use (example: spam companies). This means we need to be cautious now and carefully examine this budding technology and enact thoughtful legislation that can adapt to future needs of corporations without sacrificing every last vestige of consumer privacy on the altar of corporate greed. Because on the level of societal choice the sacrifices are significant. But I should stop dreaming, because when has congress ever enacted insigtful legislation in any technology area?

  10. Re:My god... by Michael+Spencer+Jr. · · Score: 5, Informative

    When you swipe a credit or debit card, the merchant can read your name, card number, expiration date, and some card verification information. They are already *forbidden* from storing the card verification information after they use it to process the sale. When a merchant signs a contract that enables them to accept payment via credit card, some clauses in that contract allow their processor (acquirer) to charge them fees or fines, especially if the acquirer is charged fees or fines by Visa or Mastercard. That means -- Visa and Mastercard have the power to fine merchants for behaving badly. They can also revoke a merchant's ability to accept those kinds of credit cards.

    Merchants are allowed to store the customer name, card number, and expiration date from the magnetic stripe.

    What does a customer name, card number, and expiration date get you? (besides 'paid for your transaction') Assuming the name isn't already unique...

    Sales can happen in one of two major "processing environments": card-present (where the merchant swipes the card, and proves to the issuing bank that the card really was there, by demonstrating knowledge of some of that secret card-verification information on the card), and card-not-present (where the card number is sent via mail/phone/fax/internet).

    In card-present sales, the merchant only has the card number and name. If companies (like Radio Shack perhaps) insist on having a name and address on file for each customer, they could run into problems: if a customer finds that such-and-such company is refusing to accept Visa/Mastercard CARD-PRESENT sales when the customer refuses to provide a name and address, the customer can complain to their issuing bank or to Visa or Mastercard directly. Those payment-transfer-organizations might conduct their own investigation (plain-clothes customers), and if the merchant is found to be refusing to accept Visa/MC card-present sales without address information, they can be stiffly fined or have their processing priviledges revoked.

    In card-not-present sales, the threat model you discussed is reasonable. Best-practices say the merchant should perform an address-verification check, confirming that the address the customer provides matches the billing address the issuing bank mails statements to. If the customer claims they are shipping the goods to another address, the merchant should require the customer to contact their bank and have the bank "whitelist" the new shipping address, because the bank can then confirm all the personal information the merchant isn't allowed to have.

    So I guess a merchant in California could be paid off by some marketing company, and could ship RFID-enabled goods to a customer in New York, and report the RFID information so it's trackable.

    You could NOT, however, reasonbly expect that by just swiping your credit card in Wal Mart, Wal Mart suddenly has all your personal information. They could, possibly, associate different products with the same customer, but they wouldn't know anything other than the card number and name.

    ----------

    In general, keep this in mind: the Visa and Mastercard corporations are profitable. They are 'payment transfer organizations' and want to maximize the amount of money that travels through their system, because they make a *lot* of money off of processing fees charged to merchants. If something happens that makes customers nervous, or makes merchants nervous, they will pass new regulations that try to make that fear go away.

    But of course if there's no widespread customer knowledge of this possible threat, there won't be any significant nervousness to worry about.

    --Michael Spencer
    First National Merchant Solutions
    (a credit card processor or 'acquirer')
    First National Tower, 27th floor
    1620 West Dodge, Omaha Nebraska, 68197
    http://www.foomp.com

    The opinions stated above are my own opinions, and do not reflect the opinions of my employer, First National Merchant Solutions.