Radio frequency identification

9.35 A radio frequency identification (RFID) system consists of a ‘transponder’, a ‘reader’ and a ‘back office’ system. A transponder is a small object—often referred to as an ‘RFID tag’—that transmits data by emitting radio waves.[61] These data are collected by a device known as a reader. Readers can be mobile, resembling hand-held barcode scanners, or fixed at certain locations, such as the entrance to a warehouse or a vehicle toll gateway.[62] Once data are collected by a reader they are sent to a ‘back office’—namely, a data processing system.[63] In June 2006, British Petroleum (BP) commenced a ‘mesh network’ trial in which RFID tags or ‘nodes’ communicated information directly to other RFID tags. In this trial, an RFID node transmitted ‘details of its environment and content … to all other nodes within a 3-meter range’.[64]

9.36 There are two main types of RFID tags—passive tags and active tags.[65] Passive tags lack an internal power source and can operate only if they are in range of a reader that activates the tag.[66] Accordingly, they have a limited ‘read range’. They are relatively inexpensive, however, and have a longer life-cycle than active tags.[67] Active tags have an internal power source (usually a battery) that allows them to emit radio waves.[68] These radio waves can be read if the tag is in range of a reader. The ‘read range’ of active tags is much greater than that of passive tags (up to several kilometres).[69] Active tags also have larger amounts of memory and better processing capabilities than passive tags.[70]

9.37 RFID tags can be attached to objects, such as clothes, shopping trolleys or plastic cards. They also can be attached to animals and people. Passive tags usually are physically smaller than active tags and can be difficult for an individual to detect. An RFID tag can transmit data that identifies the object or entity to which it is attached, such as a unique serial number. It can also transmit data about the price, expiry date, colour, or date of purchase of a product.[71] If an RFID tag is combined with a sensor, it also can transmit data about its surroundings, such as the temperature in its location or the composition of the atmosphere surrounding it.[72]

9.38 RFID technology has been in existence since the 1940s.[73] Currently, it has a number of established uses, including facilitating automated payments at vehicle toll booths, enabling people to lock and unlock cars remotely, and enabling people to access secure buildings.[74] Additional uses for RFID technology are being deployed as the cost of the technology decreases.[75] In October 2004, for example, the United States Food and Drug Administration approved the use of a subdermal RFID tag for medical purposes, such as to enable health service providers to obtain identity and health information relating to unconscious patients.[76] It has been predicted that between 2006 and 2016 the value of the RFID market will rise from US$2.77 billion to US$26.23 billion.[77]

9.39 The use of RFID technology can benefit individuals, businesses and governments. RFID technology can benefit individuals in the areas of safety, convenience and accessibility. For example, RFID can be used to trace food, lead to shorter supermarket queues and track patients suffering from Alzheimer’s disease.[78] It can also be used by businesses to track products from the point of manufacture to the point of sale, thereby reducing inventory and labour costs, and stock losses.[79] Other applications of RFID technology include:

prevention of counterfeiting of consumer goods; pinpointing the location of theft; library book check-out; tracking passenger bags in airports; residential garbage collection; sensitive document tracking; asset management; equipment and personnel tracking in hospitals; parcel and post management; livestock management; inmate and guard tracking systems for prison security management; parking permits; tire pressure monitoring; and pharmaceutical labelling for monitoring of location, expiration and anti-counterfeiting.[80]

9.40 It also has been suggested that RFID technology could be used to create ‘smart products’, such as washing machines that wash garments in accordance with instructions on their RFID tags.[81]

9.41 Some uses of RFID technology raise privacy concerns. In particular, concerns arise about the ability of agencies, organisations or individuals to

surreptitiously collect a variety of data all related to the same person; track individuals as they walk in public places (airports, train stations, stores); enhance profiles through the monitoring of consumer behaviour in stores; [and] read the details of clothes and accessories worn and medicines carried by customers.[82]

9.42 These concerns are exacerbated by the fact that individuals may not be given notice that the products they purchase or the objects they use contain RFID tags and may not be given the choice to remove or disable RFID tags. Further, individuals may not be able to ascertain when, or how many times, data on an RFID tag have been collected.[83] Technologies have been developed that aim to prevent the unwanted scanning of RFID tags, such as ‘blocker tags’ which ‘impair readers by simulating the signals of many different RFID tags’.[84] An individual may not be aware, however, that a product contains an RFID tag and it may not be practical to purchase and carry an RFID blocker. It has been argued, therefore, that PETs are unable completely to ‘assuage the danger to privacy engendered by RFID technology’.[85]

9.43 In 2002, one commentator proposed that organisations wishing to use RFID technology should comply voluntarily with an ‘RFID Bill of Rights’ that granted consumers the right to:

  • know whether a product contains an RFID tag;

  • have an RFID tag removed or deactivated at the point of purchase;

  • use RFID-enabled services without RFID tags;

  • access an RFID tag’s stored data; and

  • know when, where and why RFID tags are being read.[86]

9.44 To these, other commentators have added that consumers should have the right to:

  • own and use readers that enable them to detect and disable permanently RFID tags;

  • know who to contact in order to access information pertaining to them that has been collected by RFID technology; and

  • be confident that data is securely transmitted and stored.[87]

9.45 In March 2007, the European Commission issued a Communication on RFID to the European Parliament, noting the need for legal certainty for both investors in, and users of, RFID technology.[88] Further, the European Commission has established a widely constituted RFID Stakeholder Group to discuss security and privacy issues and is conducting public consultations on a draft recommendation that sets out the principles that European public authorities and stakeholders should apply in respect of RFID usage.[89]

[61] Organisation for Economic Co-operation and Development, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations (2006), 7.

[62] M Ward, R van Kranenburg and G Backhouse, RFID: Frequency, Standards, Adoption and Innovation (2006) Joint Information Systems Committee Technology and Standards Watch, [1.1.2].

[63] Organisation for Economic Co-operation and Development, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations (2006), 7.

[64] J Collins, ‘BP Tests RFID Sensor Network at UK Plant’, RFID Journal (online), 21 June 2006, <www.rfidjournal.com>.

[65] M Ward, R van Kranenburg and G Backhouse, RFID: Frequency, Standards, Adoption and Innovation (2006) Joint Information Systems Committee Technology and Standards Watch, [1.1.1].

[66] Organisation for Economic Co-operation and Development, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations (2006), 7.

[67] M Ward, R van Kranenburg and G Backhouse, RFID: Frequency, Standards, Adoption and Innovation (2006) Joint Information Systems Committee Technology and Standards Watch, [2.1].

[68] Organisation for Economic Co-operation and Development, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations (2006), 7.

[69] M Ward, R van Kranenburg and G Backhouse, RFID: Frequency, Standards, Adoption and Innovation (2006) Joint Information Systems Committee Technology and Standards Watch, [2.1].

[70] Ibid, [2.1].

[71] Organisation for Economic Co-operation and Development, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations (2006), 7.

[72] Australian Government Department of Communications‚ Information Technology and the Arts, Getting the Most out of RFID: A Starting Guide to Radio Frequency Identification for SMEs (2006), 6.

[73] Organisation for Economic Co-operation and Development, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations (2006), 7.

[74] Ibid, 7; Australian Government Department of Communications‚ Information Technology and the Arts, Getting the Most out of RFID: A Starting Guide to Radio Frequency Identification for SMEs (2006), 4.

[75] Organisation for Economic Co-operation and Development, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations (2006), 7.

[76] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [3.133]–[3.143].

[77] IDTechEx, RFID Market $2.77Bn in 2006 to $12.35Bn in 2010 <www.idtechex.com> at 24 April 2008.

[78] Commission of the European Communities, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions—Radio Frequency Identification (RFID) in Europe: Steps Towards a Policy Framework (2007), 3–4.

[79] Australian Government Department of Communications‚ Information Technology and the Arts, Getting the Most out of RFID: A Starting Guide to Radio Frequency Identification for SMEs (2006), 13–16.

[80] G Eschet, ‘FIPs and PETs for RFID: Protecting Privacy in the Web of Radio Frequency Identification’ (2005) 45 Jurimetrics 301, 307–308.

[81] Organisation for Economic Co-operation and Development, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations (2006), 8.

[82] European Union Article 29 Data Protection Working Party, Working Document on Data Protection Issues Related to RFID Technology, 10107/05/EN WP105 (2005), [1].

[83] Organisation for Economic Co-operation and Development, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations (2006), 5.

[84] Information and Privacy Commissioner Ontario, Tag, You’re It: Privacy Implications of Radio Frequency Identification (RFID) Technology (2004), 19. See also, Organisation for Economic Co-operation and Development, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations (2006), 26; G Eschet, ‘FIPs and PETs for RFID: Protecting Privacy in the Web of Radio Frequency Identification’ (2005) 45 Jurimetrics 301, 315–320.

[85] G Eschet, ‘FIPs and PETs for RFID: Protecting Privacy in the Web of Radio Frequency Identification’ (2005) 45 Jurimetrics 301, 320.

[86] S Garfinkel, ‘An RFID Bill of Rights 1’ (2002) 105(8) Technology Review 35, 35.

[87] See Privacy Rights Clearinghouse, RFID and the Public Policy Void: Testimony of Beth Givens, PRC Director to the California Legislature Joint Committee on Preparing California for the 21st Century (2003) <www.privacyrights.org/ar/RFIDHearing.htm> at 24 April 2008.

[88] Commission of the European Communities, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions—Radio Frequency Identification (RFID) in Europe: Steps Towards a Policy Framework (2007), 4–11.

[89] European Commission—Information Society, Policies—Towards an RFID Policy for Europe (2008) <ec.europa.eu/information_society/policy/rfid/index_en.htm> at 3 April 2008.