Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Sun, 28 Sep 2003 20:25:31 +0200
From: Andreas Krisch <akrisch@xxxxxxx>
Subject: Re: [IP] 'Don't Fear New Bar Codes,' USA Today
To: Dave Farber <dave@xxxxxxxxxx>
Dave,
Here are some comments on the USA Today article:
First of all I would like to make some clarifications regarding the
definitions used:
EPC: Electronic Product Code
The EPC is not a chip but a code which is used to uniquely identify objects.
The MIT Auto-ID Center proposed a 96 Bit code [1] that would be capable
of uniquely identifying 1152 thousand billions of objects per
manufacturer. The code supports 238 million manufacturers. The important
difference to the commonly used barcode is, that not only groups of
products will get an unique identifier but every single object will get
its unique serial number.
RFID Tag: Radio Frequency Identification Tag
This is the computer chip on which the EPC is stored and that transmits
the code to the RFID Reader and the computer where the information
processing takes place. The main difference to barcodes is that RFID
Tags do not require a line of sight to the reader and automatically emit
their information when they come into the readers field of operation.
Passive Tags receive their power from the reader and are cheaper than
active Tags that are equipped with a power supply that usually is said
to operate approx. 10 years.
On 28 Sep 2003 at 8:04, Dave Farber wrote:
> >http://www.usatoday.com/usatonline/20030925/5532478s.htm
> >
> >Don't fear new bar codes
> >
> >By Larry Downes
[...]
> >This new technology will lower prices, improve selections and supplies,
I would prefer to say: This new technology _is said_ to lower prices.
The five-cent-RFID-Tag which is promised ever since the Auto-ID Center
was founded is not available yet and investments in readers, databases,
network-infrastructure and so on have to be done [2]. So it is very
unlikely that the use of RFID will lower prices in the near future.
> >eliminate counterfeits (especially prescription drugs) and reduce theft.
I don?t see a ability for theft reduction with RFID-Tags that is not
given with the already commonly used article surveillance systems that
are based on a yes-no logic instead of unique identifiers. Counterfeits
are eliminated as far as the information on chips can?t be copied and
stored on another chip.
[...]
> >Privacy advocates are concerned that retailers and manufacturers will use
> >EPC (also called radio frequency identification tags) to track our every
> >purchase, monitor products after they leave the store and use that
> >information without our knowledge.
This is of course possible and the MIT Auto-ID Center has already
designed the necessary technology for this task.
The System the Auto-ID Center proposes consists of RFID-Tags, the EPC,
RFID-Readers, an Object Name Service (ONS) [3], a Physical Markup
Language (PML) [4] and a lot of severs connected to the internet and
maintained by the manufacturers of the tagged products.
The system roughly works like this: The manufacturer of a product embeds
a RFID-Chip in every single product on which a EPC is stored. He as well
maintains a internet-connected server that holds information on the
product. This information is formatted using the PML, an XML-Scheme
designed for describing objects and their environments. Then the
manufacturer delivers the product and the EPC is used as an identifier
throughout all steps of the supply chain. Every time the EPC is read the
ONS (which is comparable to the Domain Name Service used to match
internet addresses and IP numbers) is searched to find the information
on that object which is stored on the manufacturers PML server. Then
some information can be retrieved but as well be stored on the PML-
Server. Information like name of the owner, location of the object,
history of locations of the object, EPCs of other objects in the
surroundings, production dates and so on. (See [4] for details.)
Finally the object is in the retail store, where it is used for
inventory tracking, theft control, and other purposes. Now the consumer
buys an object (lets say a T-Shirt). The consumer takes the T-Shirt
home, washes it and wears it frequently.
If the RFID-Tag is not destroyed or better removed at the checkout
the consumer can easily be recognised by the EPC of her T-Shirt. With
this unique identifier the retail shops are easily able to i.e. track
the buying habits of their customers. As RFID systems are not very
common today this will only happen in some stores but when the
technology gets widespread (i.e. as widespread as the barcode) one will
transmit serial numbers all the time to any reader someone wants to
operate.
[...]
> >Details aren't important
> >
> >Aside from the practical impossibilities of storing the zillions of bytes
> >of data that most worry privacy advocates, the truth is that even the
most
> >aggressive marketer doesn't have much use for data about anything more
> >specific than your sex, age and ZIP code.
Since I am European I don?t know exactly how "aggressive marketers" use
to work in the USA but in Europe they tend to be interested in shopping
habits, frequency of visits to the shop, financial abilities and so on.
> >Groups such as the Electronic Privacy Information Center and the
> >Electronic Frontier Foundation are most concerned about what happens once
> >the product leaves the store. In theory, our home computers could some
day
> >serve as EPC readers, but only if consumers allow it. For example, EPC
> >could be used to automatically reorder products or let consumers know
when
> >an appliance needs preventive maintenance. That's useful, not invasive.
This may be true as long as one never leaves the house with a chipped
object. Otherwise _every_ RFID-Reader is able to read the EPC and
request the information from the PML server (and add its own location as
a "been there"-information to the set of data stored on the object).
[...]
> >Many think of companies as amoral, profit-hungry beasts that will do
> >anything to promote their own selfish interests. In the case of EPC, the
> >early signs suggest an impressive cooperation aimed at making the
> >transition as smooth as possible and of sharing the benefits of new
> >technology as widely as possible.
It is of course not a question of companies being beasts of any kind but
a question of who controls which information on customers. RIFD-Tags are
especially in the system designed by the Auto-ID Center without any
doubt tools that can be used to monitor habits, movements, and many
other circumstances regarding the private sphere of a person. This is
not the fault of the technology but the fault of the overall system
design.
> >EPC isn't dangerous. Ignorance is.
Yes, and that is the reason why industry advocates should start to think
of privacy as an opportunity instead of a threat. Companies seriously
considering and fulfilling their customers needs tend to be successful
and have customers that are happy to come back and buy again instead of
being suspicious if their every moves are being watched.
Andreas
[1] BROCK,DAVID L.: WHITE PAPER The Electronic Product Code (EPC) A
Naming Scheme for Physical Objects. MIT AUTO-ID CENTER, 01. January
2001.
[2] see ?The Cost of Wal-Mart's RFID Edict (RFID Journal)? on this list,
11. Sep. 2003
[3] OAT SYSTEMS AND MIT AUTO-ID CENTER: The Object Name Service
- Version 0.5 (Beta), 01. February 2002.
[4] BROCK,DAVID L., TIMOTHY P. MILNE,YUN Y. KANG, and BRENDON
LEWIS: WHITE PAPER: The Physical Markup Language - Core Com-ponents:
Time and Place. MIT AUTO-ID CENTER, 01. June 2001.