Informational Hearing of the SENATE SUBCOMMITTEE ON NEW TECHNOLOGIES
Senator Debra Bowen, Chair
"RFID Technology and Pervasive Computing"
August 18, 2003
Sacramento, California
SENATOR DEBRA BOWEN: Good afternoon and welcome to the Senate EU&C Subcommittee on New Technologies’ hearing on Radio Frequency Identification technology, also called RFID, and how it fits into a concept known as "pervasive computing."
I’m sure we’ll be joined by the other members of the subcommittee at some point, and I’ve also invited the members of the joint Senate-Assembly Select Committee on Preparing California for the 21st Century, chaired by Senator Vasconcellos, to join us as well.
New technologies can make businesses more efficient and make life more convenient for all of us, but many of them have impacts on people’s personal privacy that, I believe strongly, we need to consider before we allow some of these new technologies to become embedded in our everyday lives in a way that might make it very difficult for us to go back and decide that we don’t like some of the consequences.
The questions often ask whether businesses can track people now, and I guess it’s just a matter of degree. Technology certainly allows every one of us to be tracked, from our morning coffee shop to our evening trip home from work, and there are some instances in which either the federal or the state government has acted to restrict how businesses can use the information that they collect.
Every time someone uses their ATM or credit card, they are, of course, leaving a detailed electronic record which, over time, indicates interests, shopping proclivities, likely income levels, and much more. Federal law allows businesses to share that information freely with affiliates and subsidiaries.
If you use a loyalty program at your local supermarket, you are letting grocers keep tabs on what you’re buying and how much you’re spending over days, weeks, and years. Again, California law restricts how that information can be used.
Your cable or satellite TV viewing habits can be monitored and recorded by your provider for marketing purposes. Here, both federal and state laws prohibit that data from being sold to others.
Libraries and video stores keep track of the books and movies that you check out; although, federal law bans that from being revealed.
Your phone company, of course, keeps track of all of the local and long distance phone calls you make. Federal and state laws strictly prohibit the telephone company from listening in on the telephone conversation, and we also have a prohibition on the sale of information about who telephone company customers are calling.
Your boss can read your e-mail, track your keystrokes, and keep tabs on what Web sites you visit at work. If you didn’t know that, you might want to mend your ways. This practice is not precluded by law, and employers are not required to tell their employees that their actions may be monitored; although, many do so on the theory that they discourage inappropriate use if they simply let people know what is appropriate and what will be monitored.
Internet businesses frequently drop small bits of software, or data strings, known as "cookies" or "Web bugs" on your computer when you visit your Web site. And I think many people are completely unaware that either "cookies" or "Web bugs" exist, don’t know how they work, and wouldn’t have any idea how to go about making choices about what they want and what they don’t want to be tracked.
And meanwhile, of course, anyone who walks down a city street, enters a business, drives through an intersection, rides public transit, or engages in any number of ordinary activities may very well have their activities recorded by a surveillance camera, and they may or may not know that. It used to be that you always knew when there was a surveillance camera because it was big, and only if you had been to the spy shop recently and had a lot of extra money could you afford a camera small enough to be able to track surreptitiously. But now we have cell phones that are capable of taking photographs and transmitting them instantly. We’ve seen proposals for laws, such as laws that prohibit the surreptitious taking of photographs from the floor; up someone’s skirt, for example. If you had a very large camera, it wasn’t possible to do something like that surreptitiously; but with a camera that can be smaller than a half a lemon, it becomes very easy to engage in the surreptitious surveillance.
The goals of this hearing are to begin a discussion about the positive aspects of the technologies that are emerging and the places where we have decisions to make about how we want to set restrictions, about how data can be used, and what can be done with the information.
RFID technology, in particular, has been around for several decades, but we are at a bit of a crossroads or turning point right now because new advances have brought down the size and the cost of manufacturing the RFID chips. They have become much more versatile and considerably less expensive, and it is to be expected that they will become more inexpensive yet and, therefore, more ubiquitous.
What I want to do with this hearing today is to look at RFID technology in particular and start the discussion on what RFID can and can’t do; what it might be able to do in the future; whether the potential exists for this technology to be misused; what, of course, we mean when we say "misused"; and how privacy concerns associated with the technology can be addressed before RFID is on every product, on every store shelf, or embedded in every item of clothing that you are wearing. Imagine, for example, that RFID is routinely embedded into every item of clothing and you discover several years later, much to your horror, that your underwear has been reporting on your whereabouts on a regular basis.
Our panel today includes Dan Mullen, who is the interim CEO with the Association for Automatic Identification and Data Capture Technologies (also called AIM). Beth Givens, who many privacy advocates know very well and applaud for her work. She is the founder and director of the Privacy Rights Clearinghouse. Katherine Albrecht, founder and director of a group called Consumers Against Supermarket Privacy Invasion and Numbering (or CASPIAN). And Dr. Greg Pottie, who I have had the pleasure to come to know in the last year. He’s the deputy director for the Center for Embedded Networked Sensing (or CENS), which is housed at UCLA and is a multi-university effort. He is a professor of electrical engineering with UCLA and had spent some considerable time in the private sector before that.
As many of you know, I like to run interactive hearings because I find that, very often, the useful part of the hearing comes during the give-and-take between committee members and panelists and between the panelists themselves. So, I will ask all of the witnesses to make brief opening statements, and then I’d like to have everyone up here so that we can poke, prod, and do a bit of "point/counter-point" to help all of us get a better understanding of this technology and the pros and cons associated with it. People have asked if the goal is to prohibit the use of the technology. The answer is "no."
My cats all have a microchip embedded in them. Although, I discovered last night that there’s actually a great controversy in the cat world about whether or not it is an appropriate thing to do to an animal, to microchip it and track its whereabouts. It just had never occurred to me that one might question the use of the technology in that context. There is, in fact, on the Web a raging dispute between animal rights purists, who believe that it is an interference in the natural order of a cat’s life, and cat owners, who would do almost anything to prevent the loss without reunification of 97 percent of cats who go missing every year.
So, the goal is not to create a piece of legislation that says that we can never use this technology. It is, though, to begin to engage the broader public, and that certainly is done via the California Channel, another piece of technology that didn’t used to be common around the Capitol, that helps Californians around the state—and around the world, in fact—take a look at what we are doing and what we’re thinking about here in California.
With that, let me ask Mr. Mullen to come up to the witness table and help kick things off for us.
I’d like to thank everyone who came here today, who has waited patiently. We had a witness whose plane was late, and we, of course, have a fairly long Senate Appropriations hearing ongoing. This is a very important topic, and I think we’ll all be more enlightened when we finish the discussion.
Welcome, Senator Vasconcellos. Do you have any opening words to say?
SENATOR JOHN VASCONCELLOS: No.
SENATOR BOWEN: Your committee on the 21st Century was part of what prompted the . . .
SENATOR VASCONCELLOS: Right, and you’re carrying it now. I’m delighted.
SENATOR BOWEN: All right. Mr. Mullen? Welcome.
MR. DAN MULLEN: Thank you.
It’s a great pleasure to be invited to speak to all of you today on the topic of Radio Frequency Identification (or RFID) technology.
I am Dan Mullen, interim CEO of AIM. We’re a trade association for Automatic Identification and Data Collection technologies (or AIDC). I’ve worked for AIM for about ten years in a variety of technology and operational aspects of the company.
AIM actually started over 30 years ago as a part of the Material Handling Institute and is a not-for-profit trade association devoted to the growth and use of Automatic Identification and Data Collection technologies. Worldwide, AIM has over 900 member companies in over 50 countries that are manufacturers, distributors, systems integrators, and consultants who provide AIDC hardware, software, systems, consumables, and services.
Automatic Identification and Data Collection (or AIDC) is the industry term which describes the identification and/or direct collection of data into a microprocessor-controlled device, such as a computer system or Programmable Logic Controller (PLC), without using a keyboard.
As an industry family, AIM classifies AIDC into six distinct groups of technologies and services. They are:
- Car technologies;
- Data communications technologies;
- Bar code technologies;
- Radio Frequency Identification technologies;
- Emerging technologies; and
- Support and supplies which service the industry.
As an association, AIM has a long history of leadership in bar code technical standards development, and we have been a champion for the development of globally acceptable, open standards for AIDC technologies and applications.
As an organization representing a whole range of data input techniques, AIM has a holistic viewpoint, and we advocate the careful analysis and understanding of a data input process that can lead to a solution with the best technology or a combination of technologies.
A little bit of history about RFID.
RFID is a technology that has its roots in radio broadcast technology and radar. During World War II, a basic form of RFID was first used to identify "friend or foe" aircraft.
In the 1970s, with the advent of the transistor, the integrated circuit, and microprocessor, a large amount of research and development unfolded as scientists explored the possibilities for this new technology.
In the 1980s, there was a significant interest in the Untied States for RFID in transportation, personnel access and, to a lesser extent, for tracking wildlife. In Europe, the greatest interests were for short-range systems for animals, industrial and business applications; although, toll roads in Italy, France, Spain, Portugal, and Norway were equipped with RFID.
The 1990s were a significant decade for RFID, since it saw the wide-scale deployment of electronic toll collection in the United States. Today, RFID is a billion-dollar industry with over a billion tags in use worldwide.
What exactly is RFID? I should preface this with, there’s quite a bit of details in the technology, and I think we’ve submitted a primer on the technology for the committee. But basically, RFID technology is an automatic way to provide access to product, place, time, or transaction data quickly and easily without human invention or error. An RFID system comprises a reader or interrogator, its associated antenna, and the transponders, sometimes called "tags" or RFID cards, that carry the data. I have a slide here that I’ll put up.
The reader typically transmits a low-power radio signal through its antenna that the tag receives via its own antenna. It’s a power and integrated circuit, or chip. Using that energy it gets from the signal when it enters the radio field, the tag will briefly converse with the reader for verification and exchange of data. Once the reader receives that data, it can be sent to an information processor to support functions such as payment transaction, building access, analytical purposes, or management. And there’s a few examples shown on the slide.
RFID is actually a range of technologies where tags may be active or static, depending upon the specific application. Some tags carry their own power in order to accommodate required distance for the application, such as a doorway in retail for the prevention of shoplifting or the perimeter of a manufacturing environment or a truck yard.
SENATOR BOWEN: We’re basic. Can you help us understand which kinds of tags are more likely to carry their own power source and how the decision might be made?
MR. MULLEN: Larger tags would tend to have a battery and be read long-range, and when I say "larger," they can be about the size of a small brick.
SENATOR BOWEN: The transponder that goes in my windshield I know has a battery in it.
MR. MULLEN: That’s fairly big but there’s bigger ones that are used on shipping containers and that sort of environment. I’ll talk a little bit more about it.
Specific applications of RFID determines what read range might be needed, what power levels might be suitable, and the type of data that will be communicated.
It is important to understand there are a wide variety of RFID technologies that operate at different frequency ranges and have different antennas. Additionally, some systems can have transponders (or tags) that have static, which are write-once data on them, while other systems might require tags that allow dynamic data. For details on RFID technology, we have several white papers that are available free of charge.
The RFID technology that has received attention during the past six weeks is one type of RFID technology that is a read-only technology with a short read range. With this technology in mind, I’d like to answer a few common misconceptions about it that have been quoted in the media lately.
One: tags that are the size of a speck of dust. While the RFID circuit can be very small, recently there was an announcement of one tag that was 1 to 2 millimeters square, or about .05 to .1 inches square. This tag is one of the smallest we’ve heard of and is certainly larger than a speck of dust. It’s even more important to remember that the small tags will have very short read ranges. This sized tag will have a 1 to 2 millimeter read range. Certain applications, like the retail community, will have an interest in having small tags, but they will also be willing to accept very short read ranges.
Another misconception or quote that we’ve seen in the press: RFID is a homing device. This is not true. Tags only get activated with the proper reader that has the proper protocol communication setup. The tag won’t even wake up unless the reader sends the proper security algorithms and talks to the tag in the right language, or protocol.
SENATOR BOWEN: Does that mean that the car tracking system that has become so common is not an RFID device?
MR. MULLEN: It’s not an RFID device?
SENATOR BOWEN: Well, you said that it doesn’t wake up until. . . . it’s not a homing device.
MR. MULLEN: Right.
SENATOR BOWEN: Again, in an effort to help people understand, what’s an RFID tag and what isn’t? I can’t think of the name of the car system.
MR. MULLEN: FastTrack or EZ Pass.
SENATOR BOWEN: We have so many. FastTrack is the toll transponder. There’s a CAP recovery service called FastTrack. Lowjack is what I’m thinking.
MR. MULLEN: AIM would not consider Lowjack an RFID technology, but the toll tags are RFID. When you get close to a toll booth or a reader, it’s sounding out a signal that wakes that tag up and gets the data from it.
SENATOR BOWEN: All right. So, it takes an electronic address with an appropriate algorithm before the transponder activates. It then, presumably, activates for a brief period of time and goes back to sleep.
MR. MULLEN: The passive tag uses the energy from the signal that’s sent to energize its circuit. It usually sends back some data to the reader.
One final speculation that’s been out there is the fact that. . . . or a question: if RFID tags can be read by satellites in orbit. No, this is not practical or possible based on the short read ranges. A huge amount of power would be required to broadcast from a satellite in order to pick up information on an RFID tag.
I’ll talk briefly about what RFID is being used for today.
As I mentioned earlier, RFID market is a billion-dollar business community delivering benefits to the business and consumer communities. For the past fourteen years, RFID has been used in livestock management. During the past ten years, RFID has been used in automobile immobilizer applications to protect vehicles from being stolen. These are the tags that are in the keys for most cars these days.
Contactless payment systems are now five years . . .
SENATOR BOWEN: Let me stop and ask you a question. Those actually have a pretty long read range, many of them. You can click your car and ask . . .
MR. MULLEN: No, no. Actually, in your key there’s an RFID tag, not in the clicker.
SENATOR BOWEN: Okay.
MR. MULLEN: But in the key itself. When you put your key in the ignition, there’s a little tag right in there.
SENATOR BOWEN: So, you’re talking about the electronic keys that have a fatter head, that are . . .
MR. MULLEN: Yes.
SENATOR BOWEN: All right.
MR. MULLEN: I could show you. I have one.
SENATOR BOWEN: I actually have one. I’m familiar with it. Hard to duplicate without going to the dealer.
MR. MULLEN: Yes.
SENATOR BOWEN: I guess for a good reason.
MR. MULLEN: Right.
Contactless payment systems are now five years old, providing a convenient and secure alternative to card and cash payments.
RFID technology has been used for more than ten years in the collection of toll payments, reducing lines at toll booths around the world. RFID has long been in use at libraries to check in and check out books and in the management of shipping containers.
More recent interest in RFID suggests that this technology can assist in the authentication of brand products versus counterfeit products. Organizations around the world are now, more than ever, evaluating and testing the use of RFID in many more applications.
SENATOR BOWEN: Could you explain how it would work in the context of authentication of a particular brand product versus a counterfeit? Who would have the reader? Presumably, most customers aren’t going to run around with a reader in their pockets to see if what they’re buying is really Microsoft software.
MR. MULLEN: The retailer could use it to authenticate that it’s an actual Microsoft product.
SENATOR BOWEN: So, when it comes into inventory.
MR. MULLEN: Yes.
So, what does the future hold for RFID? Recent speculation has suggested that RFID technology, specifically Electronic Product Code (or EPC) implementation of RFID, will appear on all consumer products, supplementing bar code technology that is now used at the point of sale. The EPC is a number designed to uniquely identify every instance of a product. Every can of coffee with an SKU may have its own unique number, for example. The EPC is the only information stored on the RFID tag’s microchip. This keeps the cost of the tag down and provides flexibility. Dynamic data can be associated with the EPC number and made available through access to a database.
SENATOR BOWEN: Can you explain, in English, what that means?
MR. MULLEN: Basically, if you use RFID on an individual can of coffee—although, that’s not . . .
SENATOR BOWEN: That’s a good enough example. It works. For government work it’s fine.
MR. MULLEN: Basically, you could have an individual identification. It would be used at the point of sale perhaps to read the number. Like you have with bar code technology today, it acts like a license plate. So, it’s just a dumb number, if you will, and the database in the stores go find that number and then find the price; find that it’s a Folgers 20-ounce can of ground Colombian coffee; whatever is going to be printed on the receipt.
Knowing the technology, AIM does not believe that the EPC technology will broadly appear on individual consumer items anytime soon. The immediate interest in RFID by the retail community is in using the technology in the supply chain at the pallet and case level. With that said, RFID is an evolving technology, and new applications of the technology will be considered as it changes. Consumers will drive what technologies are utilized. They will let retailers know whether they’re willing to use the technology comparable to cell phones, ATMs, the Speedpass or EZ Pass, we talked about, credit cards.
Can the use of RFID tags on individual consumer items benefit the consumer? Tags won’t appear on individual consumer items unless there’s a value benefit to the consumer, such as lower prices or customer service benefits.
Is there work to be done before RFID tags appear on individual consumer items? Yes. It is important for RFID vendors, retailers, and consumers to work together to develop standards, principles, and/or guidelines that would define how the technology is utilized. For instance, RFID manufacturers can build in a "kill" mechanism that would permanently disable the tag at a checkout counter should the consumer choose to do so.
As the adoption of EPC technology moves forward, it’ll be important to have these things standardized. The RFID industry, and AIM specifically, are currently considering the consumer perspective as specification for standards are brought forward.
I feel it is important to note that consumers will hold an important position as the future of RFID unfolds. After all, retailers will not have consumers if they do introduce technologies that are offensive or invasive to their customers.
It’s important to educate consumers about RFID, and it is important to raise issues for discussion from the consumer perspective, without outlandish claims about technology and without rhetoric that is not founded in fact. It is important for the industry and the consumer to have an open dialogue, and AIM will embrace this discussion with consumer groups, privacy organizations, and governmental agencies. Using scare tactics and calling for a complete ban of a technology is not part of the educational process. In fact, it does harm by confusing consumers and moves the focus off of what we should be talking about: how and if RFID can benefit consumers by making their life easier, safer, or more productive.
Millions of consumers use cell phones every day comfortably without the fear that our government or the user’s cell phone company is tracking their whereabouts. Millions of toll tag users zip through toll booths without worrying about being tracked because they use a toll tag. Millions of consumers use credit cards to enjoy the convenience of not having to carry cash without worrying about their whereabouts being tracked through credit card records. Millions of consumers are enjoying benefits from these technologies.
We live in a technology-rich society and enjoy great benefits from these technologies. Some consumers choose not to use certain technologies, and it is their right to do so. Other consumers choose to use certain technologies to enjoy the benefits, and it is their right to do so.
Yes, consumer privacy is an important consideration with the use of RFID, but ultimately, consumers will vote on whether they want to adopt the technology or not. Consumers have already voted on whether to use credit cards as a viable and acceptable payment instrument. Consumers have voted on whether to adopt the convenience of toll tags. They have voted to adopt cell phones and ATM machines. Seven million consumers have voted to use Exxon Mobil Speedpass. Some fifty million consumers have voted to use RFID to protect their automobile from being stolen by purchasing cars that include this feature. Consumers vote with their money or participation on what they perceive is a benefit and what they consider invasive or offensive. Consumers will ultimately determine the future of RFID in the consumer space. As the market evolves for RFID, consumers will let us know what is acceptable and what is not.
Until then, RFID manufacturers in AIM will continue to work in educating consumers. We agree that privacy is important. Consumer rights and how RFID affects consumers is important. But the most important issue right now is to get the facts straight about RFID and ultimately let consumers vote to what extent RFID is adapted into everyday life.
SENATOR BOWEN: Let me ask you a question about the "kill" mechanism that we talked about that would disable tags that are used for inventory purposes. Is that in widespread application now, or not?
MR. MULLEN: You don’t see RFID tags at the point of sale today.
SENATOR BOWEN: Okay. So, it’s not an issue if they’re on the pallet, because when the pallet’s taken apart, the tag is. . . what’s done with the tag at that point?
MR. MULLEN: The tag will be reused in the supply chain. It can be reused. If it’s on a label, it might be just destroyed. At this point, it’s not on individual consumer items.
SENATOR BOWEN: So, that’s an issue, if and when it becomes an individual consumer . . .
MR. MULLEN: Right. And there are a number of ways to disable or "kill" the tag, and that’s one of the things that we . . .
SENATOR BOWEN: But there’s no requirement at this point that that be done. I mean, one of the things that I think is notable about your testimony is it’s based on an assumption that people have a lot more knowledge about Radio Frequency ID tags than, I think, they do. I suspect if you asked people who had a fat car key if they knew how it worked or what it did, that not very many would. I know that many people who have a toll pass have never considered the issue of what happens to the data that’s gathered. In fact, there is a bill moving, finally, through our Legislature this year that deals with that.
So, I think, to a large extent, we just don’t understand.
MR. MULLEN: Well, the technology is one thing, but it’s also the data management. I mean, it’s the managing of the data. It’s one thing to learn and get educated about the technology . . .
SENATOR BOWEN: But how is a consumer to know what the practices of a particular RFID user are with regard to the collection and use of the data?
MR. MULLEN: That’s why AIM is here today, I think. We want to engage in that dialogue.
SENATOR BOWEN: But isn’t that done on an individual basis? I mean, that is not an AIM policy matter. That’s the policy of whoever the user is to determine that each. . . . for example, I would imagine that each toll entity that uses an RFID tag has its own policy for what is going to be collected and retained and whether it can be sold, shared, whether you need a subpoena for law enforcement to get it. That’s not an AIM . . .
MR. MULLEN: No, no. I wasn’t suggesting that. I’m sorry if that was communicated. What I’m saying is, though, that the technology is starting to interact with the consumer in a greater extent, particularly with what you’ve heard on EPC, and AIM believes it’s important to have these sort of discussions to determine what the best policies are.
SENATOR BOWEN: And that’s why we’re here.
MR. MULLEN: Finally, cell phone records, toll tag usage, and credit card purchase information is all privately held and can be used by government agencies if an individual is involved in criminal activity and a court order . . . [tape changed – portion of text not recorded].
SENATOR BOWEN: . . . Right? I mean, part of the objection to the whole terrorist tracking network at the airlines was that it was going to link a whole lot of private data without any kind of subpoena or notice to individuals.
MR. MULLEN: With regard to credit card purchases?
SENATOR BOWEN: Yeah! Credit card purchases, bank records. A whole host of things were going to be accessible with no subpoena or notice requirement in the big government. . . . I can’t think of the name of that thing either. I’m not good with names today. It wasn’t Carnivore. That was a different program.
UNIDENTIFIED: [Inaudible.]
SENATOR BOWEN: TTIA. That’s right. The Total Information Awareness program. That was basically going to scoop in a whole lot of private sector records without a subpoena, which was part of the reason there was such an outcry.
MR. MULLEN: Basically, worst-case scenarios and the technology abuses should be considered in all the discussions. The vast majority of these potential problem areas are already virtually impossible and probably impractical. At the very least, they should be solved from a hardware and software perspective. Many of these solutions are already in use in various applications on the Internet within commercial transactions. Such things as passer protection, data encryption, and proprietary communication protocols are all commonly used to protect both businesses and consumers.
SENATOR BOWEN: I look forward to having some more discussion about that because I think one of the things that this committee would like to understand is where there are technological solutions to dealing with security and privacy issues. We’re not technologists; we’re policymakers, so you’ll have to help us understand where the possible solutions are that lie within the technology. I think Dr. Pottie will help us with that as well.
MR. MULLEN: Okay.
In closing, I’m grateful for the opportunity to speak with you on behalf of AIM and provide background information on RFID along with a perspective on where the technology is headed.
Thank you.
SENATOR BOWEN: Thank you. And if you want to stay put, I’m sure there’ll be questions.
Let me ask Beth Givens to come up next. I actually think we’ll have enough room at the table for everyone by the time we get done.
MS. BETH GIVENS: I’ve prepared comments for about, I’d say, twelve minutes or so. They’re public policy oriented. In talking with Katherine Albrecht, she has more of a nuts and bolts point of view. I’m just wondering if you want to switch the two of us and go from small to big, or should I jump in with my public policy comments?
SENATOR BOWEN: John, any thoughts? We could do it either way. Let’s go from. . . . yes?
UNIDENTIFIED: [Inaudible.]
SENATOR BOWEN: Let’s do that, and then we’ll go to the bigger social implications. I think that’s a fine idea. So, we’ll change the order. Katherine Albrecht with CASPIAN will come up.
Ms. Givens, you can stay at the table if you want to. Professor Pottie is setting up now.
Let me introduce Katherine Albrecht. She’s the single person responsible for most of the privacy uproar on RFID, which, I think, Dan Mullen's comments certainly reflected.
Ms. Albrecht started CASPIAN in 1999 to fight supermarket club cards. Since then, she’s focused in on RFID and sponsored a boycott, gone undercover to find out how stores are testing RFID, written a Law Review article on the subject, and written a legislative proposal for Congress, which she may or may not discuss. One of the things that we’re hoping she’ll do is talk about some of the privacy standards she’d like to see for RFID.
If you’re going to stand up, we need to get you a microphone.
MS. KATHERINE ALBRECHT: Some of the things that I’ll be talking about today I think may . . .
SENATOR BOWEN: Let me get you a mike before you—
You know, the Senate is reasonably technology savvy, but we have not gone wireless. So, if you want to talk and be heard on the California Channel or in other places in the building, we actually have to put a microphone with a cord in front of you. On the other hand, no one can eavesdrop on that signal because it’s being transmitted from a base to a hand unit.
MS. ALBRECHT: Thank you, Dan, for the overview there. I’m going to be showing some specific examples of how this technology has been used and what the visions are of the proponents and developers of the technology. Specifically, I’m going to be focusing on the Auto-ID Center and its 103 current sponsors, which are some of the largest global product manufacturers in the world.
The MIT Auto-ID Center was founded in 1999. Its stated purpose at that point was to take RFID technology and commercialize it, making the RFID chips and their associated tags small enough and cheap enough to essentially have them replace bar codes.
Now, one of the things that we’ve been hearing quite a bit, especially in the popular press, is that these RFID tags will be new and improved bar codes. We actually take exception to that for three reasons, in that there are three ways in which this technology is fundamentally different from the bar code.
The first way is, unlike the bar code which contains a UPC (or Universal Product Code number), where every can of Coke has the same number as every other can of Coke, this new system will involve something called the EPC (or the Electronic Product Code), meaning that every single item rolling off a manufacturing plant will be given its own unique identification number separate from all other numbers. Now, the implications of that may at first seem a little bit confusing as to why would manufacturers want to do that and what implications would that have for privacy. The implications for privacy are actually quite extraordinary.
What happens now, the default state in most retail establishments is when you go in and you pay with a credit card and you buy, say, five or ten items with a UPC bar code, that UPC bar code is captured in the computer’s database along with your identifying information off of your credit card, and it is stored, in many cases, longitudinally over time so that that retailer can track all of your purchases and your identity, the location and time of all of your shopping trips. That actually began—that trend—in the early 1990s with the supermarket loyalty cards. It has since expanded to stores that don’t use those cards. Until now it’s pretty much standard practice.
If we do not put some sort of restriction in place, once these EPC numbers replace bar code UPC numbers, the default state will be to record the individual number, for example, of your pair of shoes; the RFID number associated with, say, your underwear, as you pointed out; the EPC number associated with every single thing you purchase; meaning that all of those things would be in a database so that a particular can of Coke lying by the side of the road could be picked up and scanned, and that can of Coke would, in essence, have been registered to its purchaser and would send out identification or information about who had made that purchase; meaning that any pair of underwear caught with one of these reader devices could be also, through that database, linked back to its purchaser. So, the idea of having individual unique identifying numbers associated with physical items is quite different from the current bar code system.
I said there were three ways in which they’re different. The second way is, unlike a bar code which requires a line of sight, where you must actually hold the item up and have it be seen by the reader, this technology enables these EPC tags to be read at a distance. In some cases that distance is up to 20 or 30 feet. The technology is getting more and more efficient. We can only expect that number to rise. That number can not only be read at a distance, but it can be read right through the things that normally provide us with what we consider privacy. That would be through your purse or your backpack or your wallet or your pocket or right through your clothing or through your suitcase. So, it can be read at a distance through your clothing, meaning that someone actually could identify the size and color of your underwear at a distance.
And then the third way in which this technology is fundamentally different from bar code technology is that there’s some questions about whether it is safe to have a world of these reader devices beaming out a constant stream of electromagnetic energy in order to read these tags. Dan, you kind of touched on this a little bit in terms of how the architecture of this system works. But essentially, in order to read EPC tags, a reader device must send out a continual stream of electromagnetic energy anywhere up to, say, 20 or 30 feet, depending on its range, in order to activate and pick up any tags in that area.
So, for example, let’s fast-forward ten years to where everything you’re wearing and carrying in your briefcase contains one of these tags. If I have a reader device here, I can turn it on and beam all of you with that energy constantly while you’re sitting in this room; hence, identifying all of the EPC numbers associated with everything in your pocket and your wallet and under your clothes. There are some serious questions about whether that constant chronic exposure to low-level electromagnetic energy is safe, particularly around children and pregnant women. These are issues that I do not believe the Auto-ID Center has addressed satisfactorily.
So, we’ve got, essentially, three ways in which this is different from the bar code.
SENATOR BOWEN: Let’s stop so I can ask you a couple of questions about that.
Is there enough standardization of the RFID chips and readers right now so that you really can scan everything in the room, or are there different systems that are used that are not compatible? For example, I still can’t take a Mac disc and put it in an IBM PC and read the data.
MS. ALBRECHT: And that’s a great question. At the present time, there are a whole host of different standards out there. It kind of looks like the old Betamax-VHS scenario where everyone’s kind of waiting to see what to invest in and what this is going to come down to and what will be the standard technology. What ultimately will happen, though, given that the goal here is to replace the bar code, is that all retailers would have to have standardized equipment which would be able to read these tags, and all tags would be operating with a standardized protocol and language; meaning that Wal-Mart or Best Buy or Home Depot—all of which are RFID sponsors who have invested heavily in this technology—would all be able to, for example, read each other’s codes. And if we got to the point where all retailers did that, anyone with a device . . .
SENATOR BOWEN: Wouldn’t they have some incentive not to want each other’s codes read?
MS. ALBRECHT: I would imagine it would be the same as the UPC. There’s actually an incentive to have that standardized because everyone benefits from access to the quick and easy reading of the physical items.
SENATOR BOWEN: And what about armoring? If I put on a suit of lead armor or medieval armor, can I put myself in an electronic bubble?
MS. ALBRECHT: Yes, you actually can. Right now on the Internet, you can purchase devices where you can drop, for example, your cell phone or your toll tag transponder, your little EZ Pass transponder, right into one of those devices. They’re made of a special kind of mesh that resembles a faraday cage, and it prevents that radio frequency energy from passing in and out. So, yes, I envision in the future people may wear entire bubbles of RFID shielding fabric, they call it, and there are a number of Web sites out there where you can look that up.
SENATOR BOWEN: So, that’s already existing.
MS. ALBRECHT: Yes it does. People who are aware of the toll transponders and such are quite concerned about the privacy invasions already happening with that.
This little diagram here comes directly from the Auto-ID Center, and one of the things you’ll see on there is that 23 bits would enable you to number all automobiles. We go up to computers. Thirty-three bits would enable you to number all human beings. We found it interesting that they chose to put this in their slide presentation. And 54 bits enables you to number grains of rice.
Dan, perhaps you can fill me in. Is it 96 or 128 bits that they’re looking at now for the EPC?
MR. MULLEN: I think it’s 96 bits.
MS. ALBRECHT: Ninety-six bits, yes. So, clearly, 54 bits will let you number all the grains of rice. According to the Auto-ID Center, their 96 bits will enable you to number every physical item produced on Planet Earth for at least a thousand years. So, there’s plenty of numbers to give everything a unique identification number. Every Coke can, every pack of gum. Again, Coca-Cola is one of the Auto-ID Center sponsors. Dentyne gum, last we checked, was owned by Pfizer, which is one of the Auto-ID Center sponsors. And that’s actually an example that’s been used, is putting these tags, making them cheap enough, small enough, and portable enough to put them in every pack of gum. So, literally the contents of your purse or wallet or briefcase, all of that would be tagged.
SENATOR BOWEN: What happens when you chew it?
MS. ALBRECHT: Well, it would actually be in the packaging, most likely.
SENATOR BOWEN: So, the individual sticks, we’re okay.
MS. ALBRECHT: Well, you could put them in the foil, I suppose.
RFID tags come in different shapes and sizes.
SENATOR BOWEN: So, this means we can tell who’s littering.
MS. ALBRECHT: Well, it could go either way.
SENATOR BOWEN: Or who we presume is littering.
MS. ALBRECHT: If you wanted to set someone up, you could steal their garbage and toss it by the side of the road, and they’d get a nice ticket in the mail. Garbage would become something you’d have to be quite careful with.
There are a variety of different RFID tags. What they do all share is this—let’s see if I can get my finger up there—is this tiny little dot. One of the things, Dan, that you said was one of the myths floating around about this is that the tags are the size of a speck of dust. It’s important to clarify the terminology here. There are two terms associated with this. One is "chips." The chip is the actual piece of silicon; the little wafer containing the unique identification number. The "tag" is that tiny piece of silicon hooked up to an antenna. They’re actually quite different. Currently, the chips themselves are not only the size of a speck of dust, but, I would say, even smaller than a speck of dust.
I’ll actually pass this around. This is from Alien Technology. They’re the company that Gillette placed an order for half a billion of these tags back in November. And I’ll pass these around and let you take a look at how they actually are unbelievably small. That vial that you see there contains 150 RFID chips.
Now, the question is: How do you associate a chip with a tag so that it can pick up the energy through any antenna and transmit its number back? The answer is that there’s many different ways to do that. Up on the screen you’ll see one way. The copper metal around there is the antenna device which picks up that electromagnetic energy being bombarded out. Transmits it to the chip.
One of the concerns that we have is that recent reports indicate that there is technology being developed to where the antenna itself would be a part of the packaging or would actually be part of the spray-on ink of the package itself, meaning that the RFID tag would be undetectable. The actual dot of the letter "i" would be sufficient to track you if it were hooked up to, say, a foil-based package which would pick up the electromagnetic energy waves as an antenna and transmit it to the chip; meaning that these devices can be absolutely undetectable. Other things that we’ve seen include putting these between the layers of cardboard in packaging. And I have seen a demo, which we’ll get to in a moment, of actually a pair of shoes with one of these devices under the insole. So, it’s definitely possible to hide them. I think that possibility will be enhanced in coming years.
This slide right here is an actual EAS tag in use apparently today. It is sewn underneath the label of an expensive men’s suit. If you look under there, you’ll see the little tag. Now, in the current setup, these tags being sewn into suits, we believe, are EAS tags. That means Electronic Article Surveillance tags. That’s the standard on/off. It’s on in the store. If you walk out with it, it sets off a beeper; an alarm. If you turn it off and you walk through the door, then you’re fine. Our concern is that the company that produces these devices, a company called Checkpoint, it has made announcements that these will become, essentially, combined with RFIDs. We will have no way of knowing when that transition happens; meaning that if you walk out of the store with one of these things sewn into your suit or sewn into the tag of whatever it is that you’re wearing, that could be beaming out a unique identification number, again associated with the database, and again, beaming out your identity along with it.
We have evidence from the Auto-ID Center from their own internal documents that they have been testing in Wal-Mart stores, tagging products including Huggies Baby Wipes, Right Guard aerosol deodorant, Mach 3 razors, Caress soap, Pantene shampoo, Coca-Cola. A whole variety of products that right now—or at least in the past six months—have been tested out in Wal-Mart locations, we believe, on real shoppers. We’ve asked for a clarification on that, and we’ve not been provided with that information.
One of the quotes that you’ll often hear if you read the proponents of this technology, they will talk about "silent commerce," meaning that information will be transmitted about products and items silently. That’s exactly our concern. We have no way of knowing when we have been read. So, if you walk through a doorway and the doorway reads you, you will not know when that’s happening.
SENATOR BOWEN: So, that’s the opposite of the transparency that I was talking about.
MS. ALBRECHT: Absolutely.
This device that you see up here on the screen I actually have right here. This is a prototype of the next generation supermarket loyalty card. The folks who gave it to me, with Matrics (M-A-T-R-I-C-S), were boasting that it is one of the few RFID chips with a dual antenna. The reason they were boasting about that is because it enables this to be read right through a shopper’s wallet, pocket, or purse from the doorway at 20 feet away when the shopper enters the store.
Now, based on my own research—and I’m working on a dissertation on this topic on retail surveillance of consumers—one of the things I’m extremely concerned about are comments by the industry and by consultants to the grocery industry that they would like to be able to identify the value of their consumers in order to offer them, and I believe this is almost a direct quote, "poor service and higher prices" to discourage shoppers that are not (quote/unquote) "as valuable to the store" from shopping there. This is one way of transmitting not only a shopper’s identity as they walk into the store but of actually transmitting their entire shopping history and, hence, their (quote) "value" to the store. And we have plenty of evidence about that I’d be glad to show if anyone’s interested in that.
This is an example of a Visa, a bankcard, that also contains an RFID tag. As you can see, you have no way of knowing if this device is in there. Once again, this could be beaming out information about your entire credit history. It could be beaming out information about your credit limit. You could be treated differently, depending on how high that limit is, as you enter a store, and this device could be read right through your wallet, pocket, or purse.
And, of course, in recent news, CASPIAN, our organization, has called for a boycott of Gillette. Gillette put in a purchase order of 500 million of these chips, and they’ve developed something called the SmartShelf—we call it the "spy shelf"—in conjunction with the Auto-ID Center. They have developed a shelf that actually reads the RFID tags of Gillette Mach 3 razor products on it. As the shelf senses that one of those packages has been picked up, it takes an automatic photograph of the person picking it up; an actual close-up mugshot of their face. When they get to the checkout and they pay for that item, it takes a second picture of them with a hidden camera. At the end of the day, those pictures are compared to make sure that everyone picking up the razor blade product is shown paying for it, and anyone not seeing paying for that product at the checkstand is labeled a potential shoplifter, and they are subjected to a tremendous amount of surveillance on subsequent trips to the store.
SENATOR BOWEN: That seems like it would also require some sort of facial identification technology to compare the photographs. You’re surely not going to have somebody sitting comparing computer images.
MS. ALBRECHT: Our impression is that is actually what they’re doing, the security staff. I can provide you with some documentation of that and some pictures that the security staff is actually literally printing those out at the end of the day; although, certainly a facial recognition application would be an easier way to go about it.
I believe that I, myself, interacted with one of these shelves in a Wal-Mart store in Brockton, Massachusetts. I took photographs of that shelf. At the time I did not realize that the shelf might be taking photographs of me because I had not yet seen this document. I might have maybe dressed a little differently and smiled a little more if I’d known that.
There was a big scandal in England in that one of the Auto-ID Center sponsor companies, a grocery chain called Tesco, was using this technology and taking photographs of actual Gillette shoppers. And, of course, the problem here is there’s a "guilty until proven innocent" presumption that everyone picking up a product from the shelf is a shoplifter unless they can prove otherwise.
Now, one of the things, Dan, you mentioned is short read range, and I believe the way you explained this was we won’t have satellite tracking so you don’t need to worry about being traced. And what I’d like to say is that with four reader devices, I could tell where you’ve been today. Given that each one of you is in this room attending this hearing, I could find that out, first of all, because Michelin has already begun embedding these devices between the rubber layers of its tires. All I would need in order to find out where you drove today would be one of these reader devices, which, by the way, have been embedded in floor tiles, carpeting, walls, doorways . . .
SENATOR BOWEN: But then, how does the tire collect information?
MS. ALBRECHT: The tire would not. The tire would have its individual information about you; in other words, when you purchased the car. That’s actually one of the purposes of this is to link tires to actual automobiles. As you drove over a reader device at the on-ramp getting onto the freeway, the reader device—and by the way, the reader devices of these, I believe the statistic is they can read these tags in tires going 90 miles an hour from six feet away.
SENATOR BOWEN: So, you’d have to have a fairly extensive network of reader devices.
MS. ALBRECHT: At on- and off-ramps of the freeway, correct. So, as you got onto the freeway, it would read you got on the freeway. You don’t need a reader device every twenty or thirty feet in order to track the movement of a car on the freeway because it’s not going to float away. It’s going to have to get off the freeway at some point. So, really, the only place you need those readers is the on- and off-ramp. So, regardless of how far away you got on the freeway, once you get off you’re then tracked.
The second place, or the third place that you would want one of these reader devices would be at the entrance to the parking lot wherever your car is sitting right now. Once you drove over the entrance to that, then a second note could be made in the database. For example: This car number seen entering this parking lot.
And then, the final reader device, and perhaps the most disturbing, would be the reader device in the doorway, say, of this room or of this building. As you came into the building, we were all subjected, or our bags were all subjected to a search. It would be possible without even our knowledge to subject us to a similar search by simply putting one of these reader devices emanating its beam of electromagnetic energy at us, reading any tags associated with us as we came into the room, and then recording that information in a database.
So, with just four reader devices, even if you came from across the state, you could be tracked. So, you don’t need satellite tracking in order to find out where people go.
Our primary concern at this point is that these devices are being deployed in a number of different applications, some of which, I think, right now can easily be seen to be violating consumer privacy. We have no way of knowing where they’re appearing. I have no way of knowing if my new bank card or my new supermarket card has one of these in it or not, and currently, there’s no requirement that anyone has to tell me when that’s occurring.
Once again, that pair of shoes that I saw demoed was actually demoed by Alien Technology. They pulled back the insole of a pair of shoes and said, "Won’t it be great when we can put RFID devices in shoes?" Now, their stated reason for that was, wouldn’t it make it easier to avoid, I think what they called, the "shoe sorting parties," in the backroom of shoe stores where they can’t match up the size 7s and the size 8s and they’ve got a big pile on the floor. My answer to that is, well, RFID wouldn’t solve that anyway because if you aimed a reader device at that, all you would get would be a jumble of numbers. It wouldn’t tell you where the size 7s and 8s were. There’s probably easier ways to do that.
What putting those devices in shoes would do, though, would be to create the possibility of a tracking and identification and sort of privacy invasion network that I think absolutely staggers the imagination. If you went into Wal-Mart and you bought a pair of shoes and unbeknownst to you, pressed right into the rubber sole of those shoes, was one of these devices and you paid with a credit card and your name was linked with that number, any place you went where you stepped on a carpet or a floor tile equipped with a reader device—again, without your knowledge—you could be identified and your whereabouts could be recorded in a database.
So, finally, CASPIAN believes that consumers have a right to know when they’re interacting with technology that could affect their health or privacy. We have written numerous letters both to the Auto-ID Center and to Gillette, respectfully asking that they answer our questions as to where this technology is being deployed, what products it’s being put on, what store it’s being tested in, because we believe that consumers have a right. And once again, Dan, as you pointed out, we do agree with you that consumers will ultimately be the ones voting on this. I believe that once we get labels and notification and people are aware of what’s happening, that people will choose not to interact with this technology; although, once again, the market can make that choice. Our concern right now is that consumes have no way of knowing that.
SENATOR BOWEN: So, would you like to see RFID tags go away altogether in an ideal world, or do you think there’s a place for them as long as there are disclosure and privacy standards?
MS. ALBRECHT: Well, personally, I think the possibility for abuse of this is beyond anything I think human beings have cooked up, save, perhaps, the nuclear bomb. I mean, I really do believe that if we allow this technology to be deployed, literally think about it in every physical item on Planet Earth, and then you couple that with, I don’t know, regimes like Saddam Hussein’s and regimes like North Korea, and you let this get into the hands of people who would abuse it—and I would include in there retailers in this country, too, among people who are likely to abuse the technology—I think that we’re really heading down a very dangerous road. I believe that our children and our grandchildren’s generation are going to judge us based on how we respond to this challenge right now.
So, I personally would like to see this go away. I’m not a big fan of legislative solutions. I do believe in the free market, but the free market cannot operate effectively unless people have the information they need to make informed choices.
To that end, we have Zoe Davidson here in the room. Zoe is a Boston University law student who helped CASPIAN to develop the RFID Right to Know Act of 2003. She’s done quite an extensive bit of legal research into this and I’m sure would be happy to answer any questions.
SENATOR BOWEN: Great, thank you. You’ve just scared the shoes off of all of us.
You know, I would note that when the supermarket club card issue first really came up, I saw some very creative responses to the possibility of tracking in California. In the Bay Area, there was a group of young professionals who got together once a month and swapped supermarket club cards. Now, they had the ability to do something that you wouldn’t be able to do with an RFID tag that was tracked to a credit card purchase in that they created false IDs. They had Beethoven and Anastasia and Thomas Jefferson and so forth, and once a month they just simply traded cards. The result was that the data collected was garbage because it didn’t reflect anybody’s buying patterns; it reflected a month of one person and a month of somebody else and a month of somebody else.
MS. ALBRECHT: That’s one of the reasons why I think shoes are such a critical application, because I would ask everyone in the room, when was the last time someone else wore your shoes or even could? So, if you put them in shoes, you really pretty much have that person dead to rights.
SENATOR BOWEN: Senator Vasconcellos?
SENATOR VASCONCELLOS: Do you have any response to her research?
SENATOR BOWEN: Let’s get you a microphone.
MR. MULLEN: I think what AIM is saying—first of all, I should say I don’t represent MIT. A couple of things, though. The read range issue is something very important to understand. There’s a range of RFID technologies, and those that can be read farther tend to be in the larger tags and have batteries on them. The tags that you would see potentially at a retail point of sale would be quite small, would not be read at a long range . . .
MS. ALBRECHT: Dan, what read range would you be thinking there? Point of sale.
MR. MULLEN: Probably a foot to three feet, I bet.
MS. ALBRECHT: Yes, and I’d point out that as you walk through a doorway, you only need about 18 inches of read range on either side of an individual in order to track them, and on shoes, you only need about a centimeter.
MR. MULLEN: And I’m saying, to think that we’re going to sit here in this room and somebody’s going to have a reader at the front of the room and read every item of clothing or everything you have in your purse, whatever, the technology and the physics of that are not really possible, that we can see, today.
MS. ALBRECHT: Dan, I’ve actually done that at a congressional hearing sponsored by the Auto-ID Center about a month and a half ago. They actually had a demonstration where they had put Alien tags into products. They had a red backpack, and you could actually put items into the red backpack and you could walk further and further away. There was a computer screen that demoed it. I was able, myself, with items in that backpack, to get to about 15 feet away and still see them on the screen.
MR. MULLEN: Like I said, there’s various technologies that can read at various ranges, but the tags. . . . I don’t know how big the tags were in that backpack, but the tags you’d be talking about on a consumer item would be quite small. And when I say "tag," I guess that’s the other point. You saw on the screen the chip. When I say "tag," it’s the chip itself as well as the antenna. It’s not just the tag itself or the chip. That doesn’t include the antenna on that. That’s the chip, which, without an antenna, the read range is virtually contact.
MS. ALBRECHT: Right, and these were the actual devices that were demoed at that congressional event.
SENATOR BOWEN: That’s the antenna?
MS. ALBRECHT: This is an Alien tag. This is adhesive, and this was what was actually stuck into, I believe, the Huggies Baby Wipes, in the slide that I showed.
SENATOR BOWEN: So, it could go on the underside of a tissue box.
MS. ALBRECHT: Right. Or it could go between the layers of . . .
SENATOR BOWEN: Of a shoe.
MS. ALBRECHT: Or even of a box or of a package of cereal; for example, Kellogg’s being one of the sponsors. International Paper, which produces much of the packaging in this country, has been experimenting with putting these between the layers of cardboard.
MR. MULLEN: The last thing I’d say is that MIT, I think, is very much a research and development organization looking at futuristic things and does not really represent the technology providers that are out there today. I think we need to have an open dialogue about the technology. A very separate but important discussion is the management of the data: if there’s data generated where that data is, who has access to it, what access or what data is there. That’s just as important as the discussion, if not more important than the discussion, about the technology.
SENATOR BOWEN: I think the difficulty for many of us is that it’s very hard to make the data collection—the fact of it or the data collection practices—transparent in any meaningful way. It’s just hard as a consumer to know who’s collecting what and what they’re doing with it. In fact, we’ve had that discussion with regard to privacy on Web sites and so forth. If the privacy policy says this can be shared with "X," you know, how many generations of other people’s privacy policies that allow some sharing can you go down?
The privacy policies on the Web, I think, are a good example of how difficult it is for consumers to negotiate the information that’s there. It’s so complex that most people click through it. I only know of one person who reads all that stuff before "I Accept" on a Web site where it’s describing its privacy policy, and that’s because her job is to write them. Nobody else reads those things because it’s just too complicated and you just want to get to the Web site. So, as a practical matter, consumers have just thrown up their hands because it’s too hard to understand what’s happening, and the result is that I think we have a responsibility more broadly as a society to make a determination about how we want this to work.
Let’s go on to Beth Givens, well known to this committee for her work with the Privacy Rights Clearinghouse, which more traditionally has dealt with a lot of work on identity theft issues, with various privacy issues, with the interface between First Amendment rights to be left alone and privacy, and the right to know what your government is doing, which is always an interesting source of conflicting policies. We’re going to get the beginning of the bigger picture from her, I understand.
MS. GIVENS: Right. And my prepared comments are, I would say, about twelve minutes.
Senator Bowen and committee members, thank you very much for the opportunity to testify today. The title of my presentation is "RFID and the Public Policy Void." The topic of today’s hearing—pervasive computing and RFIDs—has received scant scrutiny by policymakers to date, so your hearing is a very, very important first step.
I’m going to give you a little bit of a movie review, but it’s a movie review with a purpose; and you’ll see when I get through the review what I’m trying to say.
When Steven Spielberg was developing the 2002 movie Minority Report, he consulted a group of MIT scientists, urban planners, inventors, and futurists to construct a society fifty years from now based on the technology trends of today. The movie, which starred Tom Cruise, takes place in the year 2054 in Washington, D.C., and it portrays a society nearly devoid of privacy.
The movie’s science and technology advisor, John Underkoffler, is an MIT grad and who has a decade of experience in the MIT media lab. His job was to ensure that the technology infrastructure portrayed in the film is what Spielberg calls "future reality" and not science fiction. To quote Underkoffler: (Quote) "A recognizable extrapolation of what we have today with technologies that are just emerging" (end of quote).
In the movie, cameras are everywhere and people’s eyes are automatically scanned many times a day by biometric readers located throughout the city and in public places such as stores. And RFID technology also appears to be part of the technology infrastructure shown in the movie. Billboards, store walls, and shop windows show an ever-changing array of personalized ads, depending on who is passing by. Stores greet shoppers by name when they enter.
During one of the actually exciting chase scenes, as Tom Cruise makes his way through a crowded shopping center, one of the displays calls out to him that he appears stressed-out. "Why not have a Guinness?" it says to him, as he passes by. By the way, you have to watch the movie at least two times to catch that.
What Spielberg has accomplished with his team of MIT futurists is a form of technology assessment; that is, a holistic look at the impacts of technology on all of society in the not so distant future. It is just this sort of analysis that so far has been missing in the public policy arena regarding the development of RFID. What an irony it is that what serves as technology assessment today comes to us not from the public policy realm—at least not so far—but, rather, from Hollywood.
SENATOR VASCONCELLOS: That’s not surprising because it’s kind of known that art sees first what’s coming.
MS. GIVENS: Right.
SENATOR VASCONCELLOS: For better or for worse. And politicians tend to come last, which we’re trying to reverse with this effort.
SENATOR BOWEN: It’s literature as well. I know that my interest in this came from reading William Gibson and Neal Stephenson, in Snow Crash and the Diamond Age and Virtual Light and a host of other sort of science fiction books—Cryptonomicon—data mining and databases.
MS. GIVENS: And Margaret Atwood’s The Handmaid’s Tale.
SENATOR BOWEN: Yes. Oryx and Crake.
MS. GIVENS: Oh, I’ve heard that’s a good one.
Anyway, now the movie review ends, and I’m getting on to serious stuff here.
The process of technology assessment involves an in-depth, multidisciplinary analysis of a technology in order to provide early indications of the probable, beneficial, as well as adverse impacts. Ideally, this process is overseen by a nonpartisan body comprised of representatives of all stakeholders, and likewise, the interests of all stakeholders are examined, including those of consumers. One of the major purposes of technology assessment is to enable legislators, other policymakers, as well as industry representatives to develop policies in order to minimize the social harms.
At one time, Congress operated an organization that engaged in technology assessment. It established the nonpartisan Office of Technology Assessment (or OTA) in 1972 to provide congressional committees with objective analysis of public policy issues related to science and technology changes. This agency survived for two decades. And the definition of technology assessment that I read to you in the previous paragraph comes from the OTA. At its height, it had a staff of 200. The OTA sadly closed its doors in September of ’95, tragically just at a time of dramatic advances in many technologies: the Internet, genetics, biometrics, wireless communications, technologies of surveillance, and the beginning stages of pervasive computing.
The intervening years have also brought us September 11, 2001. In the aftermath of the terrorist attacks, the evolution of these technologies has only accelerated.
If ever there were a technology calling for an in-depth, multidisciplinary, holistic analysis involving all stakeholders, it’s RFID. Yet, this technology has sprung upon the scene with little attempt so far to address its many probable adverse impacts upon society.
We’re not talking about a technology that is just emerging from the lab. The MIT Auto-ID Center, which is coordinating the development of RFID, is a partnership of 100 multinational corporations and five major research universities spanning the globe. The U.S. Department of Defense is one of the Center’s funders. And we’ve just heard from the trade association for this industry, which is AIM. It, too, is a global operation with RFID affiliates in 14 nations, including the U.S., Europe, Asia, and Latin America.
The MIT Auto-ID Center’s consortium is developing the standards and technology components to create what the Center calls (quote/unquote) an "Internet of Things." It envisions (quote) ". . . global infrastructure—a layer on top of the Internet—that will make it possible for computers to identify any object anywhere in the world instantly." And I took that from its Web site yesterday.
It does not take a great deal of reflection to understand the profound privacy and civil liberties implications associated with RFID, if, indeed, all of the things of the world are uniquely identified and can be located and read at a distance, even if it’s just a short distance. We human beings interact and surround ourselves with a huge number of objects: our clothes, furniture, appliances, consumer electronics, food, automobiles, the tires in the autos, even movie tickets, public transportation passes, and documents like our driver’s license, credit card, passport, and birth certificate. Massive databases will not only contain these unique product codes but also the personally identifying information that is connected with the RFID coded items that we buy or otherwise obtain. It’s the association of this personal identity with the object’s unique identity that will enable both profiling and location tracking.
Industry literature envisions a world in which the unique Electronic Product Code (known as the EPC) in RFID tags will be associated with personal identity at the point of sale. A Forbes magazine article shows a drawing in which the shelf calls out to a shopper: "Honey, you could get those pants [you are wearing] for less in our aisle 7."
So, what should the public policy responses for RFID be?
First, RFID must be subject to a formal technology assessment process; one that is not sponsored by industry but, rather, a nonpartisan entity involving multidisciplinary approaches, perhaps similar to the OTA model. And all stakeholders must be represented, including consumers. A variation on this OT theme is something called the Privacy Impact Assessment.
Second, the technology and its implementation must be guided by a strong set of Fair Information Principles. There are several variations on this theme, ranging from the Federal Trade Commission’s five-part approach to the eight-part approach of the international body, the OECD (or the Organization of Economic Cooperation and Development), and then also Canada’s ten-part policy that was recently codified into law. The Federal Trade Commission’s principles are: notice, choice, access, security, and enforcement.
SENATOR BOWEN: Let me have you go through those again. I think you’re going to discuss each of them, but let’s . . .
MS. GIVENS: Actually, I’m not going to discuss each because it would take some time, but my presentation will be in our Web, including the full text of these codes, in the next few days.
SENATOR BOWEN: Let’s take our time with at least these principles so that we can think for a second about your terms. "Notice" is the first.
MS. GIVENS: The FTC’s five, the way I remember it is N-CASE: notice, choice, access, security, enforcement. I just say N-CASE and they’re easy to remember.
"Notice" in the OECD world would be openness. There is no such thing as a secret data collection. And, of course, that’s the issue here, is because of the fact that these things are virtually invisible and can be read from a distance. Even though it’s a short distance, you don’t know what’s going on. That’s "notice."
"Choice." Actually, "choice" really ought to be consent, but unfortunately, the FTC did water down that term to choice. We talked about the "kill" mechanism at the point of sale. That’s an example where they’re actually. . . . in a way, it’s kind of opt-in. The default is, at the point of sale this thing is "killed," and it does not have the ability to turn back on later.
SENATOR BOWEN: How does the customer know then?
MS. GIVENS: Well, there would be labeling, and that’s where the bill that has been proposed by CASPIAN and Zoe . . .
SENATOR BOWEN: But nonetheless, you have to trust whoever it is that’s the operator to have. . . . you know, I could wave my hands over it and say, okay, it’s disabled.
MS. GIVENS: And do you know. Actually, I’m getting there. At the end I’m going to wrap up the Fair Information Principles into a seven-point policy that I think addresses the key points of this technology.
The FTC five: notice, choice . . . "Access." You have a right to access the data that’s held about you and make sure that it’s accurate.
"Security." Any one of these systems that holds personally identifiable information must be held securely, and the data must be used only by those with a legitimate need to know.
"Enforcement," of course, is when there are violations, there should be penalties and some sorts of. . . . well, you know what I’m saying. The word I’m reaching for, I guess, is recriminations, but penalties assessed.
SENATOR VASCONCELLOS: Sanctions.
MS. GIVENS: Sanctions. Thank you very much.
I do think that the FTC’s five is limited; watered down.
I’m going to talk about a few of the Fair Information Principles from both the OECD and the Canadian approaches that I think need to be added; first and foremost being accountability, and I’ll return to that in my closing.
Other vital privacy principles that are found in the OECD document that should be part of any policy guiding RFID, the first one would be "collection limitation." Another one would be "purpose specification." And a third would be "individual participation." And these are vital because of the invisibility of the RFID tags as well as the potential for the tags to be read at a distance without the knowledge or consent of the individual.
And here’s where I wrap it all together in a recommended seven-point approach.
I recommend this seven-point approach based on the Fair Information Principles, and in these points, on expanding upon guidelines that I found in three sources, one is the RFID Right to Know Act, developed by Zoe Davidson of Boston University Legislative Clinic. Second is a document called "An RFID Bill of Rights," by technology writer and MIT Ph.D. student Simpson Garfinkle. And by the way, he is coordinating, I think it’s a November 15th conference at MIT on RFID. And the third comes from the industry itself, called "The Guiding Principles," drafted by the Auto-ID Center and posted on the Alien Technology Web site.
So, number one: Individuals have a right to know that products contain RFID tags. Labeling must be clearly displayed and easily understood.
Number two: Individuals must also know when, where, and why RFID tags are being read. There should be no tag reading in secret.
Number three: Individuals have the right to have RFID tags removed, permanently deactivated, or disabled when they purchase products or otherwise obtain items containing RFID tags.
And point 3A: Merchants must be prohibited from coercing customers into keeping the tags live on the product. For example, merchants cannot tell customers that in order to return the item someday, they must keep that RFID tag alive.
And point 3B: Tags, once disabled, cannot be reactivated without the explicit consent of the individual associated with that item. There can be no backdoor means to reactivate tags once they’ve been permanently disabled.
Point four: Individuals have the right to own and use inexpensive readers so they can both detect tags and permanently disable them.
Point five: The individual has a right to access an RFID’s stored database pertaining to him or her.
And then, to these points I would add number six, which comes from the industry: the requirement of security and integrity in transmission, databases, and system access.
And number seven: the accountability mechanism, which is so important. An accountability mechanism must be established with the implementation of RFID.
Industry processes and operations must be transparent, and I take that, by the way, almost word for word from the industry Web site. There must be entities in both industry and government where individuals can complain when they’ve been harmed by the uses of the technology and when the guidelines have not been complied with, whether or not there is harm. Some have recommended that such guidelines be voluntary and that the marketplace be allowed to ensure that the principles are adhered to. I have not yet seen any situation in which self-regulation has worked. Given RFID’s potentially adverse impacts on privacy and civil liberties, I believe such guidelines must be codified in law.
And something almost as an aside but very important: Policymakers are going to have to grapple with the potential for law enforcement uses of RFID. This matter is beyond the scope of my presentation, but nonetheless, I believe the potential for Fourth Amendment violations are very real.
Unfortunately, we cannot turn back the clock on RFID, but many of the harmful effects envisioned for this pervasive implementation of this technology could be avoided if RFID were restricted to supply-chain management and inventory control, if tags were "killed" at point of sale and, third, if personal identifying data were never linked to RFID tags.
If and when RFID is applied beyond the point-of-sale terminal, the Electronic Frontier Foundation recommends that businesses use smarter privacy protective RFID technology than is currently in use today in such devices as the Easy Pass and the Exxon Mobil Speedpass. Smarter RFIDs can contain secure access control technology which can give individuals more control over how that data is used.
And I want to point out that Dan Moniz of the Electronic Frontier Foundation—he is their staff technologist—is here today and could speak to this whole issue of "smart versus dumb" RFID systems. And I’m sure you can too, Dan. Two Dans in the room who can speak to that.
Public policymakers, I believe, should not wait for a crisis involving RFID before exerting oversight: the usual legislation by horror story that we’re all so familiar with. This technology embodies all the features to enable the development of the kind of total surveillance infrastructure that’s been portrayed in Spielberg’s Minority Report. To keep his vision of the year 2054 from evolving, and to summarize my key points, I recommend (1) that RFID undergo a formal technology assessment process involving all stakeholders, including consumers; (2) that the development of this technology be guided by a strong set of Fair Information Principles, not just the FTC five; and (3) that meaningful consumer control be built into the implementation of RFID.
Again, I thank you for the opportunity to testify today; and this presentation, along with the a complete text of the codes that I mentioned, will be on our Web site in the next few days.
Thank you very much.
SENATOR BOWEN: I’d also like to mention that Kevin Ashton of the Auto-ID Center at MIT was unable to be with us. It’s a real conflict. I think he would have liked to have been here. We have a great deal of information and some testimony from him. Unfortunately, we don’t have it in electronic format. We have it only on paper. So, I will attempt to obtain as much of it as possible in electronic format so that we can post it on the committee’s Web site and make it available to people who are interested.
Let me, at this point, broaden the discussion even further by calling up Dr. Pottie to join us to talk about pervasive computing and how RFID and other technologies fit into that concept.
Let me warn you all that Appropriations is going to be lifting calls in a few minutes, so Senator Vasconcellos will chair while I go to record my vote. I just got told they were lifting calls around five. If that’s wrong, I’ll still be here.
Anyway, welcome. Thank you very much for coming up from Los Angeles. We’re keeping you inside so you don’t have to deal with the Sacramento summer.
DR. GREG POTTIE: Okay, thanks.
I do have a few slides, but I’ll think I’ll skip through them because it’s faster just to read.
I want to talk briefly about RFID in the context of pervasive computing. Pervasive computing means, basically, that computing technologies become both invisible and networked in our environment. This invisibility doesn’t necessarily need to imply that they become small. They don’t have to become dust motes to be invisible. They simply have to be taken to be part of everyday life; for example, like electric motors or security cameras that are in every retail outlet and around here.
Already, most computers have, in fact, faded into the background. In your typical vehicle, there’s all kinds of microcontrollers inside. There’s over two hundred sensors. But what prevents them from being thought of as pervasive is that they are not easily networked right now. This can change fairly quickly. And if it does become networked, it makes an enormous difference in the convenience of access. For example, you have digital access to databases. It can go all over the planet. This, then, makes possible applications on extremely large scales.
Now, a lot of this can be quite positive. I work for UCLA and I’m part of an NFS-sponsored center in embedded network systems, and we have a number of scientific applications, including tracking of contaminants through the environment, monitoring of habitats, study of marine microorganisms, and seismic monitoring and buildings to figure out if they’re going to break in the next earthquake. But there’s, obviously, quite a number of other possibilities once you start talking about linking the physical world to the Internet. This has very large implications.
Where RFID fits in—and we’ve been talking about, mainly, retail applications today—but also, it applies to a plethora of security applications. Consider, for example, in a combat situation. You put down RFID burrs in the environment. Now you’ve tagged everything that comes through that environment, and you can now bind information to that particular object as it moves through the environment. So, you can study from the whole record of how it moves about that region its intent perhaps, which is a very difficult thing to do, but that’s where people would like to go with these types of things. Similarly in the retail domain, people want to view consumer intent: what is it that they’re likely to purchase, and so on.
And so, where RFID is. . . . it’s not, by no means, the only way to do this, but it is a particular way of making it easier to bind information to an object or an individual, and in doing this binding of information, you then enable all these tools for database, and so on, to be applied to capture that information so it becomes linked to the individual and object, and that’s its major impact.
Now, all this would be reasonably harmless if how it got linked was to a system that was just local; the data went to some location, never went anywhere else . . .
SENATOR BOWEN: In other words, the only door that knows my shoes came through it is that one.
DR. POTTIE: Exactly.
SENATOR BOWEN: That is unrelated to any other door that the same shoes might ever go through.
DR. POTTIE: Exactly. I think that’s the crux of it. Once it becomes networked pervasively, then we go from a situation where. . . . I guess I’ll do a comparison: the village and the electronic world. In the village, everyone knows everything about everyone. Well, almost everything. There are some spaces where you’re free from supervision, but by and large, people know what’s going on with each other. But if you go to the electronic world, everyone expands, basically, beyond your physical environment; and basically, anyone who’s willing to pay, according to the regulations of the day, can then be your neighbor, and they can know more intimate details than could be known in this village setting. And so, in effect, whether or not current technology gets us there.
I think there’s a large truth in the Minority Report vision. We could go there if that were our societal choice. And there’s even more extreme dystopias that are possible if that is our societal choice. But what we have with information technology is the capability to design it to be otherwise, and by "design" I mean in law as well as in technology.
I believe it’s quite possible to have these systems such that there’s no privacy anywhere, but there’s also the possibility to set up a regulatory regime so that at this relatively early stage in pervasive computing technology, we build in the principles that support a democratic society with privacy into the technology itself. I, in fact, agree with Dan that there’s solutions to security and privacy and so on that these can be built in. But I also agree with Beth that they have to be supported by a regulatory regime. We’re not going to get there without these coming together.
And it is coming. Pervasive computing is coming. There was a very small national science foundation call for proposals this winter. It’s in my world, okay? But there were a thousand proposals. I had no idea that there were a thousand people pursuing sensor network research in the United States for academic institutions. And this wasn’t big money. So, there’s a huge technological push. Advances are being made in all kinds of different directions, and the time is right for technical assessment. The time is right for an ethical assessment, and I think the time is right for California, given the lack of regulatory movement in Washington, to see to it that these things are done, because this is the state that creates new technology, this is the state that creates new industries, and this is the state that’s got to, therefore, be in the forefront of regulating.
SENATOR VASCONCELLOS: Any of you have any response to anybody else’s comments so far, deep in the discussion?
MS. ALBRECHT: I actually wanted to add to something, Beth, that you had said. I actually have a document here. This is by a professor at the University of Massachusetts at Amherst by the name of George Milne. He’s actually done quite a bit of research into companies’ compliance with voluntary self-regulation of data policies. This article is titled "Privacy and Ethical Issues in Database/Interactive Marketing and Public Policy." And one of the things that he found in here, it says, "The Federal Trade Commission has relied on Fair Information Principles to guide privacy regulation and industry practices in the United States. These principles," as Beth pointed out, "include notice and awareness, choice or consent, access and participation, security integrity, and redress enforcement." However, in a survey of 365 organizations belonging to the Direct Marketing Association, he reports that Milne—that’s him—and Boza in 1998 found that only 38 percent of organizations notify customers when they gather personal information. They found that only 33 percent indicate when they are using that information and that only 26 percent ask permission to use that information.
So, I think it’s clear that relying on the industry to self-police itself has not worked to date. I have no reason to believe it will work in this case. So, I just wanted to add that to Beth’s comments.
DR. POTTIE: This is a partial response on that. Part of the reason industry will often be reluctant to go along with new regulations in these areas is that after you’ve got software in place that works, it’s expensive to change it. Whereas, I think in this particular area, we’re now in a position to say up front, "This is what we expect to happen in the technologies," and by intervening at this early stage, we greatly reduce the costs of having the values we want embedded in this technology actually within the technology. That’s why I applaud this hearing. I think it’s important to study this and then move on it at this early stage.
SENATOR VASCONCELLOS: I co-chair the 21st century preparation committee. Our first topic was race and diversity. Our second one is now technology. And . . . [tape changed – portion of text not recorded] . . . desire to take a lead in this, which is fine, because I leave next year. I retire, and she’ll be here a while longer, fortunately.
We’ve talked about technology assessment for the state, which seems like it’s overdue. The one in Congress, I guess, has dissipated. Right? It’s gone? The one in Congress is gone now? Yes, it’s gone. We’ll probably have to take the lead one more time.
In the particular area of pervasive computing in what’s thought today, I know that she plans to provide the leadership that we can if we can figure out some way to do it collaboratively so everyone is in it at the front end and making smart calls and seeing what’s coming and have our own process be transparent. Hopefully, we can get something that’s mature and smart. Transparency is a big part of my bias in whatever I do. I think that’s her intention. She can speak on her own behalf when she’s back, but that’s certainly how we have talked about trying to help guide the Legislature toward a policy process in which everyone is welcome to be present and be a partner and participate in some way to make the most wise decisions in anticipation of what’s coming, rather than waiting afterwards and having too little, too late, and too much cost to try and make it ride.
Anyone else here want to have anything to add? The gentleman from Frontier, do you want to come up and add anything to this?
MR. DAN MONIZ: Thank you for inviting me to make some comments here.
SENATOR VASCONCELLOS: Give us your name, just for our record.
MR. MONIZ: Dan Moniz with the Electronic Frontier Foundation.
The Electronic Frontier Foundation takes a position on RFIDs similar to that of Beth Givens. We believe that the fundamental principles of having access, transparency, notification, and having the ability to have, what we’re calling, "consumer controllable tags" be the paramount driver of the technology.
Right now, the technology is being designed and is being manufactured for a very low cost—mass production type of scale—which makes sense for products and supply chain and people that use the technology in that realm. But what isn’t being considered, at least in the short term in the early days of this industry, is what the privacy impact is; but more, also, what are the potential consumer uses of this technology?
The technology itself represents something that could be used by consumers. It is not a single-use technology. We believe right now that as being designed, as being deployed, it is too close to just the supply side and the manufacture and the industry of that, rather than what the consumers could use this for.
Having said that, what we want is a mandatory "kill" procedure at point of sale until such time as the technology allows more consumer control on the reading, the writing, the ability to scan, the ability to find and detect RFIDs in products of any nature. We also would like to push labeling, and we support Katherine on the labeling issue of being able to know when products are RFID tracked.
SENATOR VASCONCELLOS: Okay, thank you.
MR. MONIZ: Thank you.
SENATOR VASCONCELLOS: Anybody else here want to say anything? Add anything? Challenge anything? Suggest what else we ought to do next in looking at any of this?
Go ahead, please.
MS. ALBRECHT: This is Katherine Albrecht of CASPIAN here.
I’d have to say, given the speed with which these devices are being deployed and the number of locations where they’re being deployed and the number of products in which they’re potentially being deployed right now, my concern is the amount of time it’s going to take to get this assessment.
One of the things that CASPIAN called for all the way back in the spring, when we called for a worldwide boycott of Italian clothing manufacturer Benetton, was a moratorium on further development of this technology and implementation of this technology until this assessment can be done and until the voices of the people who will most be affected by this, which would be the world’s consumers and citizens, have an opportunity to make their voice be heard.
What’s happened is, behind closed doors since 1999, some of the biggest global product manufacturing companies in the world, including Philip Morris, Procter & Gamble, Coca-Cola—the big guys with lots of money—have met in secrecy and developed this technology, have tested it out on real people without their knowledge, and have already moved to a point where they are putting in orders for half a billion of these chips to begin putting them in our world.
And my concern here is that our voices have not been heard; our questions have not been answered. We’ve asked very politely and repeatedly to have those questions answered. My concern is that if they’re not answering those questions now, if we let another six months or a year go by while this assessment takes place, it could be very difficult to turn back. As you rightly pointed out, many of those systems are going into place. Wal-Mart has made a mandate to its hundred top suppliers that they must be RFID compliant or using this at least in the backroom and on the supply side by the end of 2004.
So, already, heavy investment is beginning in this technology, and I believe that unless we intervene now and say, "Yo, it’s time out. Let’s stop putting money into this until we can assess it," that there’s going to be a big backlash by industry when they say, "Hey, wait a minute, we just spent $50 million in putting this in and now you’re telling us you want us to do it differently."
SENATOR VASCONCELLOS: I hear that. One question comes to mind, one is about our own capacity to move rapidly, which has not always satisfied my predilections, but the larger question is: What agency has the authority and/or jurisdiction to be able to put a moratorium on whatever it is? Can the State of California. . . . are we a big enough entity in terms of being a market, I guess, to our doing it, to have some impact, or whether people just run on by us and say, "You’d better get on board or you’re gone"? That’s a question I don’t have any answer for.
MS. ALBRECHT: Actually, I was going to bring a book. I’ve got here the minutes from. . . . this was July 15th through 16th in Cambridge, Massachusetts, the EPC Network: CEO Summit, where CEOs from all over the world were invited to converge in Cambridge. . . . or actually, in Boston, Massachusetts, to get on board with this technology. One of our concerns about this was, in the entire course of this meeting, only four percent of the meeting was devoted to even discussing privacy or societal concerns. At that meeting was handed out a book—and I wish I had brought it with me. The cover of it said, "Adapt or Die." It was actually put out by an organization called SAP, which is a promoter of this technology, and the message to these CEOs was: get on board with this immediately, or you will be defunct and you will be out of the global running.
So, there’s a huge push for them to invest in this.
SENATOR VASCONCELLOS: I would encourage you to get that book to Ms. Bowen.
MS. ALBRECHT: Will do.
SENATOR VASCONCELLOS: Or maybe you can find it for her.
Anything else? Any comments?
MR. MULLEN: Yes. I think it’s important that we’re having this discussion. I think as Wal-Mart has done with using the technology, looking at using the technology in its supply chain, on pallets and cases of information, getting information on that level. . . . you know, the retail community is always looking to optimize their supply chain and make it more efficient; oftentimes bringing value to the consumer.
The earliest we would see individual tags in any kind of mass production on an individual product would probably be in 2007 and 2008; so we do have time. I happen to agree that the discussion needs to happen now, that the guidelines or policies or whatever are needed need to be worked out. But it isn’t like tomorrow you’re going to have everything at your grocery store with an RFID tag.
And I have to say, something, you know, it’s kind of glossed over, but you have to realize there has to be a real business case for someone to put an RFID tag on; for instance, a can of Coke. It isn’t as easy as you might think to put an RFID tag on a metal can filled with liquid. So, is there really a business case for that sort of detail? It’s nice to think about the MITs and others researching the idea and the potential, but when it comes down to it, there may not even be a business case or a return on investment for anybody to really do that.
So, I would just encourage the dialogue. AIM and our members would very much like to be a participant in that dialogue.
SENATOR VASCONCELLOS: Sure. To the time sequence that you indicate, the word that Gillette just ordered a half a billion of these—500 million of these—would suggest that maybe it isn’t 2007. Or do they order that far ahead these days?
MR. MULLEN: I think you’d have to look at the Gillette. It was a press release, and it was a company that was very much a venture capital company. I don’t think they could produce a half a billion tags in the next two years. They don’t have the production capacity to do that. So, it was somewhat of a PR announcement.
I’m not saying there’s not an interest, but the dialogue has time to develop, and guidelines or whatever is needed can happen.
SENATOR VASCONCELLOS: Let me ask then of all of you, each and all of you, what can we do? I’m going to defer to Ms. Bowen because I’ve got my plate overfull and I’m trying to complete it before I depart in fifteen months. What could she and we best do next to generate a larger, more engaged dialogue? Bring you five back, and who else? Is that an option, an around-the-table, two- or three-hour session that’s not a hearing as much as just a talking through? Would that be the next thing we could do? Any of you. In your idea, what will we do next that would lead us toward a really wise, fair, public interest or end result? That’s, I guess, our criteria that I would think everyone would like to be a party to. I assume that.
MS. GIVENS: That would be a good next step. Also, I realize that the state has, really, no discretionary money, but if there were a way of doing a formal technology assessment that would include representation by all stakeholders that would put together kind of where we are now, what are the beneficial uses, what are the probable adverse implications; do some kind of a formal study that’s more than just talking heads. That hasn’t been done. Really, this technology has advanced, I think, at great speed without any kind of attention to the adverse impacts, and that really needs to be done.
Now, we don’t have a congressional OTA anymore, but perhaps some sort of a. . . . I don’t know how it could be funded. I would think you might have some ideas for that but perhaps some sort of joint approach. There are actually nonprofit organizations that may be able to get grant funding through, say, for example, Markle. Markle funds a lot of technology type projects. Ford Foundation has done this sort of thing. That might be an approach as well.
DR. POTTIE: Another example that avoids having a large permanent staff is, for example, the National Research Council, which does studies on a commission basis, where experts are consulted and they come together and create a report. That’s "a" model. I’m not saying that it’s the only model.
I certainly think it’s important to do it not just in this context of RFID, but because there’s a general thing that’s coming, which is the networks linking to the physical world; and that has large implications for this society in terms of industrial production, how we live, and we need to make a start somewhere.
SENATOR VASCONCELLOS: So, how about the development of a, for want of a better term, white paper that we would all get together and the paper would attempt to develop a roadmap of what we ought to figure out? What’s likely to be coming, what are its appropriate uses, what are its benefits, what are its threats? I can imagine what they are, but if we sat around the table, the five of you and Ms. Bowen and myself and ten more people who are in the field and perhaps more who are from the industry so there’s some more input, is that a next . . . ?
MS. GIVENS: Well, you could, also, in addition to having all of those representatives like you said, hold hearings where you bring in, in one day, more experts who are not necessarily part of that committee but who can add their expertise to the discussion. Maybe hold a hearing or two.
SENATOR VASCONCELLOS: Okay. I’m not adverse to that, except that I want to see us do something rather than just listen. Hearings are precious, and what’s more precious, in my experience—I’ve been here a while now—is to have the information and then as a group, as a team of all the diverse and converging and diverging interests, attempt to find some common ground and develop a roadmap for how to use this information to get a policy that we really believe is the best. So, maybe we can do both, you know; a further hearing.
I think what I’m going to do first—if I were the chair, and it’s her call—would be to convene, next, a roundtable working group to try to develop this process roadmap and then have people come in and comment on that. There’d be a hearing about that before we proceed towards adopting it, or proposing it to our colleagues for adoption. That would get what you want, but it would focus it on something that’s already kind of got a shape to it. It’s always a question of how much do you listen and when do you say, "We’re going to do this" when you think about it. I’m trying to do that back and forth so we get some closure, get the broadest input, but then the closure that really leads to some action. That’s my own working model.
MS. GIVENS: If you want to see how the OTA did things—and I really don’t know if that’s a good model or not. I mean, after all, they did close their doors after two decades. But there is an archive of all of their studies at Princeton University, and it’s one of the links in my paper.
SENATOR VASCONCELLOS: Okay. Maybe we ought to check that out.
MS. ALBRECHT: I would add that one of the biggest frustrations in working on this is the lack of disclosure of what has been done and what is being done. One of the things I would like to see would be for one of these bodies to compel the testimony of the companies that have been involved in doing this so that we can actually ask them, "What have you been doing?" Not only "What are your plans for the future?"—which I’m sure they could answer in a number of ways—but "What has actually been happening right now that consumers have already been subjected to?" There are a number of companies who have hinted around about that, but of course, we don’t have access to knowledge of what trails have already taken place, and that’s a real concern as consumers.
SENATOR VASCONCELLOS: Yes, I hear that. Probably one of the points that we want to be in this roadmap. I think that would be a piece to put in for consideration.
MS. ALBRECHT: Well, it’s difficult to know what we need to protect ourselves against until we know what’s already been taking place.
SENATOR VASCONCELLOS: I understand.
I think we’ve gone about as far as we today can. Ms. Bowen is tied up in a series of closing votes in the Appropriations Committee. In this time of year, we’re all in sixteen places. I just happen not to have a committee today other than this one.
Thanks to each of you for being here and your thoughtfulness and helping us to learn about what we’ve got to be making some progress with respect to. We’ll be back in touch with you as she develops the next plan for this subcommittee.
Thank you very much. If you have further thoughts once you leave today, feel free to e-mail them to Ms. Bowen and let her know what they are.