Testimony of Kevin Ashton

California State Senate Subcommittee on New Technologies

 

Hearing on RFID and Privacy

 

August 18, 2003

 

Testimony of Kevin Ashton

Executive Director, Auto-ID Center

 

Senator Bowen, members of the subcommittee, thank you for inviting my participation in today’s hearing. I am sorry I cannot join you in person because of a long-standing teaching commitment in Cambridge. I also sincerely regret your schedules could not accommodate a meeting while I was in California last week. I am very interested in being part of this process, and would welcome the opportunity to share additional detail about our research on RFID and privacy.

The Auto-ID Center is an academic research project headquartered at the Massachusetts Institute of Technology in Cambridge, MA. We have five other research labs around the world: at the University of Cambridge in the United Kingdom; the University of Adelaide in Australia; Keio University in Tokyo, Japan; Fudan University in Shanghai, China; and the University of St. Gallen in Switzerland. Over 100 sponsors fund the Center’s work, including nine Corporations headquartered here in California. Our research topic is Automatic Identification. Radio Frequency Identification, or RFID, is an important part of the system we are developing. Security and privacy in RFID systems is a major area of our work, and has been since 2000.

I attach as background: our Technology Guide, which describes RFID technology (www.autoidcenter.org/new_media/brochures/Technology_Guide.pdf); a technical paper on RFID Privacy and Security (www.autoidcenter.org/publishedresearch/MIT-AUTOID-WH-014.pdf); a paper describing consumer research the Center conducted during 2002 (www.autoidcenter.org/publishedresearch/cam-autoid-eb002.pdf); a briefing on previous cases of public concern with new technology (www.autoidcenter.org/publishedresearch/MIT-AUTOID-WH-016.pdf); and a paper outlining various approaches to regulation of RFID (www.autoidcenter.org/publishedresearch/mit-autoid-eb006.pdf). All of our research, including this material, is publicly available on our web site. I would be happy to make the Center’s research team available to provide briefings on specific areas as the subcommittee requires.

For today’s testimony, I will make general comments on behalf of the Center about our research in the area of RFID and Privacy. I do not speak for our sponsors, nor for the Massachusetts Institute of Technology as a whole, nor for any of the other Universities that make up the Center. I do not speak for the RFID industry, and cannot comment on RFID in general – only on the system the Center has developed.

 

How would you describe RFID?

 

RFID is conceptually quite simple: an RFID ‘tag’ is a microchip attached to a small radio antenna. You can send information to and from the chip using radio waves, using a device called a ‘reader’ (sometimes ‘interrogator’). Readers are also quite simple to describe – a processing unit attached to a radio antenna, and typically connected to a computer. An RFID tag is more or less a very small, very simple wireless computer. Sometimes it is described as a ‘next generation bar-code’. Tags range in complexity and performance: some have little memory and no battery of their own, instead drawing power from the radio energy radiated from the reader; others have their own on-board batteries and memories. It is also possible to add other sensors to RFID tags, for example to measure temperature.

 

How new a technology is RFID?

 

Microchip-based RFID tags first started appearing in the late 1980s or early 1990s. Initial applications were in access systems for office buildings, toll roads and so on. One of the biggest markets today is in car immobilizer systems: some car keys use RFID to authenticate themselves to the car. Other common uses include the Mobil ‘Speed Pass’ payment system and animal identification. Before this, RFID-like systems used circuit boards instead of microchips, for example for managing railroad signaling systems.

 

RFID seems to be getting more and more attention. Why is this?

 

Many people – myself included – think that RFID is starting to reach the low price points and high performance levels needed to become a more mass-market technology. You can draw an analogy with the history of computing: the first computers were expensive, and relatively low performance, and only found niche applications. But over time, their price dropped, and their performance improved, and the market for them expanded massively. We are on the verge of that happening with RFID – it’s a bit like we are in RFID’s equivalent of the year before the personal computer was born. We can expect to see public and economic benefits on the same scale as the birth of the PC.

 

What role does RFID play in your work at the Auto-ID Center?

 

The center was founded in 1999. Our mission is to make it possible for computers to identify objects automatically. We do this by attaching RFID tags to the objects, and using radio waves to ‘sense’ them. RFID is nothing more or less than a wireless network technology. Adding RFID to objects allows computers to network to them to find out what they are. For wide-scale industrial applications, for example the distribution of products from one company to another, you need a common system of communication. The Center was founded to create this common system for industry. I sometimes describe it as ‘the Internet of Things’. The basis of our system is an identification number called the ‘Electronic Product Code’, or EPC. We often refer to the whole system as the ‘EPC Network’. RFID isn’t the only part of the EPC Network; we also make extensive use of other technologies such as software defined radio, networking and the Internet.

 

What do you think RFID will be used for?

 

It is always hard to anticipate everything a new technology will be used for. The EPC Network is designed to be a general-purpose system for automatically identifying objects. Early applications of interest to our sponsors are in the supply chain: more efficiently making and moving products to reduce costs, time, and waste such as inventory. For the next few years, these are likely to be almost entirely at the case and pallet level, and restricted to factories, back-rooms, distribution centers and warehouses. As the price of RFID continues to fall, there is interest in applications at consumer unit level, such as managing shelf inventory, preventing crime and identifying counterfeit products. I would call these medium term applications – not likely to emerge at scale until 2007 or 2008 at the earliest. This is where consumer privacy questions arise. In the far future – say ten years from now or longer – we foresee major applications in areas such as recycling, where RFID could be used to identify post-consumer waste so it can be sorted and reused, rather than simply added to landfill. The possibilities seem endless, and there are many social and economic benefits, providing privacy and other policy questions are properly addressed, and the technology meets the required price and performance targets.

 

What about using RFID tags to identify people?

 

We oppose using RFID tags to identify people. MIT’s licensing arrangements for the EPC Network specifically prohibit the use of the technology for tracking or identifying people, with two exceptions: military personnel and medical patients.

 

What, in your view, are the privacy questions that need to be addressed?

 

We have done extensive work on this topic. Our findings are that people have genuine privacy concerns that need to be taken seriously and acted upon. I don’t think that will come as a surprise to many people. In 2001, the Center did an Internet based survey to gauge this. The data is US-only and good enough for a check-step, nothing more. After reading a short article about RFID, 55% of those polled said they were either very or somewhat concerned about privacy. This was not a surprise: it simply confirmed that we were right to be undertaking research in this area. (This is a fairly typical reaction to new technology. Something similar was seen with the introduction of Caller ID, for example, where the response was very negative at first.)

We followed this with extensive, global consumer research in the US, Japan, France, Germany and the UK. Some of the US work was done here in California, in San Francisco. As far as I am aware, this is the most extensive consumer research that has been done on the topic of RFID and privacy. The goal was to understand the concerns in detail, and also to learn how people wanted them addressed. The findings were that people’s reaction was ‘neutral to negative’. They are far more worried about topics completely unrelated to RFID, such as health, safety and money. When prompted, they typically said they would like privacy questions answered before they would be completely comfortable seeing RFID in the products they bought. The solutions they asked for included being able to deactivate the technology, and being able to know what products were using it. The findings were common globally – there was little significant variation around the world, although top of mind issues varied (e.g. whether Government or Corporate intrusion was more likely).

In addition to consumer research, we have also conducted outreach with privacy advocates and consumer groups around the world. We had initiated discussions with some forty expert individuals and organizations by the end of 2002. These confirmed our own intuitions and research. One result of this work was the formation of an Independent Policy Advisory Council to help with further research. This is made up of six experts with political, legal and technology backgrounds. The Chair is Elliot Maxwell, a Fellow at Johns Hopkins with extensive experience in technology policy. We formed two other expert groups: a technical group, made up of research experts in the fields of privacy, security and cryptography; and a forum for Chief Privacy Officers from our sponsor companies.

I would summarize the findings from this work as follows: the questions that need to be addressed most are not about products being tracked and identified, but people being tracked and identified, either directly or indirectly. The answer, I think, is that people need notification, choice and control.

 

What research are you doing to answer these questions?

 

There are two aspects to our research on these questions: technology and policy. In the technology area, we are developing as many ways as possible to provide security and privacy in the system. For example, our first innovation, which we developed in 2001, was a technology called ‘kill’. All our EPC RFID tag specifications include the requirement that the tag will deactivate irrevocably if it receives a ‘kill command’. I include an extract from this specification below:

'Kill: Tags matching the [VALUE] (consisting of the complete tag identifier, CRC and an eight (8)-bit Password) beginning at location [PTR] = 0 are permanently deactivated and will no longer respond to or execute reader commands. This "self-destruct" command renders the tag inactive forever.'

There are many aspects to this work – ensuring reader systems are private, authenticating users, encrypting data, and so on. As the technology continues to mature and the market continues to grow, I expect that more and more sophisticated privacy and security features will be added to the technology.

The second area, policy, follows naturally from this. Building ‘kill’ into the system is no use unless the capability is made available to the consumer, so the next question is what usage policies should be adopted, and how should they be implemented and regulated. We issued our first draft usage policy to our sponsors on February 1, for discussion and feedback. We are now in the final draft stage, and most of the feedback is in. I do not want to pre-empt the results of this work until we have concluded discussions, and until there is a chance for consensus to form, but I can say that our recommendation on EPC and Privacy will likely embody three principles:

  • Notice. The right to know whether a product contains an EPC tag, and whether a public place is using RFID readers

  • Choice. The right to have the EPC tags in the purchased products deactivated without cost
  • Control. The right to have Personal Identity Information kept separate from Object Identity Information

The first two principles are based on common Fair Information Practices (FIPS), such as those defined by the OECD (Organization for Economic Co-Operation and Development) in 1980. The third, while in the spirit of FIPS, addresses a specific issue raised by EPC and RFID – the fact that it is information technology attached not to us, but to the objects we buy. I expect that our final policy recommendation will be released later this year. This will provide a framework for subsequent discussions. Publication will naturally lead to questions about how to implement against these principles, which will add focus to the technical work done on this topic both at the Center and in the commercial sector.

 

How do you think Policy should be regulated? Are you in favor of legislation?

 

The most important thing is that the policy is effective, so when it comes to regulation – and I speak only for myself here, not even the Center – I am in favor of what works. There are good and bad examples of everything from self-regulation to international legislation, and there are no magic bullets. And legislation needn’t mean new legislation – existing laws may provide adequate protection. In the US, the Federal Trade Commission has legal powers to enforce any policies companies publish to consumers, and FTC has used these powers against companies that breach their own privacy policies. In June, FTC took such action against a Californian retailer. This approach is sometimes called ‘co-regulation’: industry agrees its own rules, which are then enforced by government agencies. There are lots of regulatory options, therefore: I think we should look for the one that maximizes the use and benefits of the technology, minimizes the risk of abuse, and looks for the outcome that is in the best interests of the public and the nation.

 

Do you have any other comments?

 

Only to reiterate that I welcome this hearing, and wish I could be with you in person. The Center and its staff are available to this subcommittee as and when required to provide information and support as you continue your work. Thank you for the opportunity to comment today.