By Russ Jones
Pundits believe that RFID tags—positioned as a next-generation replacement
for the familiar bar code—are going to drive vast improvements in
the efficiency of supply chains as products wind their way from the manufacturers
out to the retail shelves. Critics believe that RFID tags pose a significant
threat to personal privacy, in that tags worn or carried by individuals
permit unwanted surveillance by anyone with an RFID reader. They contend
that RFID technology and its use in business should be heavily regulated,
if not outright banned for specific applications. The court of public
opinion is still listening to both sides of the debate.
Initial use of RFID has gained the most attention recently through the
highly publicized announcements of Wal-Mart in the U.S. and Metro AG in
Germany to use the technology for improving receiving and inventory tracking
at the level of product pallets and cartons. While tracking pallets might
be low-hanging fruit, there are many surprising applications in financial
services that are now beginning to surface. We believe that while these
applications are intriguing, financial institutions need to pay special
attention to the privacy issues associated with RFID and understand how
this technology fits in a larger social context.
Key RFID Concepts
Before looking at applications in financial services, it helps to understand
a couple of key RFID capabilities and constraints. Radio frequency identification
(RFID) technologies have been around for several decades and are used
every day for facility access control, automated toll collection, and
vehicle theft protection.
RFID systems are made up of RFID tags, tag readers and the reader "controller"
systems, which both receive information from the tag readers and manage
their operation. Tags can be attached to or embedded in various objects.
Readers sense nearby tags using three standardized radio frequencies bands.
Using the lowest cost tag technology, when a tag detects the scanning
reader’s signal, it resonates such that the reader can detect with a unique
numeric ID that has been embedded in the tag. Unlike barcodes, tags are
not required to be within the line-of-sight of readers, making it possible
to detect a tag that might be within a shipping container or inside product
packaging.
Sophisticated tags are usually active (requiring a power source) and
have local memory and logic to handle limited encryption and other application-specific
functions. Simple tags are usually passive (drawing power from the radio
waves of the reader) and have no intelligence; when probed by a reader,
they simply respond with their ID number. With continually increasing
demand, the price of simple tags is expected to fall over the next several
years from $0.50 per tag to roughly $0.05 or $0.10 per tag. Depending
on power source, radio frequency, size of the antenna, tag orientation,
and surrounding environment the read range of the tag might be anywhere
from a few feet to more than one hundred feet. While it is all much more
complicated than this, you get the idea. The interesting tags, from our
perspective, are passive, incredibly small, and can be read from several
inches to several feet.
In a closed loop environment, the ID number embedded in the tag has an
application-specific meaning. It might be used as a key to determine access
privileges, to update on-hand information in an inventory database, or
to look up an account number to be debited. To support open loop applications,
there is also an industry effort underway to use the ID number in the
RFID tag to logically represent an electronic product code or EPC.
The EPC concept is profoundly important to mass-market RFID advocates.
Where first generation barcodes could be scanned to determine that an
object was a can of baby food, RFID tags carrying an EPC could be scanned
to determine precisely which can of baby food. Using the EPC, a
database lookup could be used to determine a variety of information about
the item—where the ingredients came from, who packaged it, how it
was shipped, what it contains, and when it should be thrown out.
While this all sounds wonderful to some, it’s important to remember that
passive RFID tags are application agnostic and know nothing about readers;
when the tag detects the radio frequency of a reader, it simply responds
without knowing or caring about who is requesting the information or how
that information might be used, processed, or logged. Today’s passive
RFID tags are not powerful enough to authenticate the reader. So while
oftentimes referred to as smart tags, RFID tags are actually pretty
dumb.
What’s Happening Now
When readers are combined with inventory management systems and tags
are attached to products, retailers can track goods in real-time as they
move into the warehouse, are distributed out to stores, are unloaded and
stocked on the shelf, and eventually taken to the point of sale (POS)
by the consumer. At least that’s the vision. Earlier this year, Wal-Mart—the
largest corporation in the world—told its suppliers that it was moving
to pallet and case-level tagging at the start of 2005 and would soon begin
testing item-level tagging. The US Department of Defense’ Defense Logistics
Agency has placed more than 2,000 suppliers on notice that material sold
to the U.S. government will require item-level tagging in 2005. The U.S.
Federal Drug Administration has also mandated that Class 2 pharmaceuticals
(which are subject to abuse and therefore require careful controls) must
be tagged at the level of individual doses within a year. Clearly, things
are happening.
To RFID advocates and critics, the Wal-Mart decision was the shot heard
around the world. While praised by advocates for pushing RFID into the
mainstream and its widespread use in the consumer products sector, this
announcement lit a fire under critics who quickly turned up the media
heat on Wal-Mart by focusing on consumer privacy concerns and the general
fear of stealth business practices.
Privacy advocates point out the same RFID tags that are used for tracking
goods through the supply chain can also be used to, in effect, track people
carrying or wearing RFID-enabled goods. Particularly products like clothes—or
worse still, shoes—that are worn by people day in and day out as
they enter, move around, and leave buildings. In this scenario, the RFID
tags embedded for a specific purpose by one organization become embedded
tokens that can be used by all organizations to track movement of the
"goods".
The most cynical critics position RFID tags as personal cookies. Instead
of being stored in a Web browser and given back to the site that creates
the cookie, they are worn or carried by individuals and freely given to
every merchant, restaurant, or bank that scans for tags.
It’s also important, in fairness, to underscore that passive RFID tags
don’t carry identity information in the traditional sense. Your name,
address, and social security number could never fit on today’s simple
tags. But if correlated with personal and historical data that is stored
elsewhere by a merchant, for example, a tag could be used to alert sales
people within a store when a known customer returns, looks at specific
merchandise, or begins to carry it throughout the store.
Still, at this point in time, this risk is more hypothetical that real.
There are tens of millions of RFID-enabled tags carried by people all
around the world and there have been few, if any, reports of organizations
using RFID tags to track consumers. Nevertheless, it’s a slippery slope.
If RFID tags were as pervasive as some advocate—and were carried
or worn by everyone—it’s very easy to imagine how appealing consumer
tracking would be for some organizations.
Subsequently, Wal-Mart has backed away from its item-level tagging trial.
RFID critics believe it was because of the public outrage around personal
privacy; RFID advocates believe it was because the costs of tags, readers,
and related software are not yet low enough for mass-market deployment.
The RFID debate is, today, extremely inflammatory and heavily covered
by the news media. Every announcement of a proposed application or new
trial brings a barrage of criticism about "big brother" monitoring,
the erosion of personal privacy, and the need for government regulation.
A coalition of civil liberty groups and privacy groups recently proposed
a RFID bill of rights for consumers and is calling for a voluntary moratorium
on the use of RFID technology for item-level tagging. (1)
Applications in Financial Services
While debate around RFID privacy rages on, a number of financial services
applications are being proposed, prototyped, and piloted:
- RFID in the Branch. IBM is currently running a pilot in Europe
that explores the use of RFID to better manage customer relations in
the bank branch. (2) The general idea is to embed
RFID tags in the checkbooks or bank cards of customers so that they
can be quickly identified on repeat visits. When customers return to
the branch, tellers can greet them by name. For well-heeled customers
with large account balances, the branch manager might be notified by
instant message that an important customer has entered the branch.While a compelling application of the technology for the bank, the
pilot also underscores one of the larger societal issues with RFID;
the same embedded tag that announces the customer’s arrival at the
branch also announces their arrival at the local clinic, the polling
place, and the local bookstore—locations that are outside the
scope, control, and use of the technology as originally envisioned
by the bank. - RFID in the Back Office. An intelligent office pilot, conducted
by the Xerox Research Centre Europe, is exploring the use of RFID to
track and manage physical documents as they move around the back office.
(3) To pull this off, RFID readers are placed in
every drawer of every file cabinet and underneath desks throughout the
office. When important documents arrive, a smart label is placed on
the document by the mailroom. For in-house documents, the label is attached
by the laser printer as the document is printed. Correlated against
a physical document management database, it becomes easy for
in-house staff to query a computer to locate a missing document or to
be automatically notified when a document needs to be in the mail but
is still sitting on someone’s desk.While the pilot is exploring this application in a legal office
setting, it’s easy to imagine how this would be used in a mortgage
application center as document after document is submitted, assembled,
reviewed, reworked, lost, found, approved, and finalized. - RFID at the Point of Sale. The payments industry is currently
in the early stages of proximity payment trials. In this application,
the RFID tag is used to trigger credit or debit payment at the point
of sale. MasterCard, for example, is exploring the use of RFID tags
embedded in otherwise normal credit and debit cards. (4)
MasterCard is also working with Nokia to embed RFID payment tags in
next generation cell phones. American Express is following the SpeedPass
pay-at-the-fuel-pump model by giving customers a keychain "fob".
(5) RFID-enabled proximity payments are targeted
at low-value, cash-intensive environments—such as quick service
restaurants, movie theaters, drugstores, and supermarkets—where
speed and convenience are important drivers.This application illustrates how RFID technology can be used in
a retail POS context, independent of the item-level tagging of goods.
But while optimized to work securely in a payment-centric world, the
embedded RFID tags still return their ID when scanned by a reader
at the right frequency. While this ID might be useless outside of
the payment system, it can still be used to spot repeat customers
and potentially track their movement. - RFID in Circulation. The European Central Bank, reportedly,
is investigating how paper-thin RFID tags could be embedded in high-value
banknotes to stem counterfeiting. (6) While details
are sketchy, the general idea is the RFID tag would be woven into the
paper and carry much of the data that is already on the face of the
note—perhaps the note’s value, probably its serial number. While
this doesn’t strictly make counterfeiting impossible—it simply
raises the bar on what counterfeiters have to do—it would potentially
make it easier for government officials to track cash as it moves through
transit centers and across borders. It would also simplify the life
of muggers who could theoretically scan potential victims ahead of time
to determine how much cash they were carrying, or help robbers figure
out where cash is hidden in a home or place of business.This potential application is a lightning rod of controversy and
touches a raw nerve for many. Nothing is more cherished by privacy
advocates than their belief in the anonymity of cash. But we think
both sides are wrong; if proven viable and implemented, we doubt it
would actually stop counterfeiting and we doubt it could be used for
mass surveillance of people.
Some of these applications will never see the light of day, as technical
problems surface, public backlash mounts, or the business case fails to
materialize. But they are all thought provoking and nicely illustrate
both the potential and the risk of RFID technology in the financial services
industry.
What’s It Mean To You?
Financial services professionals have a significant stake in how RFID
technology is applied and used in the industry. In addition to understanding
the technology, the applications, and the emerging privacy issues, you
should also:
- Participate in the debate. RFID technology is not inherently
good or bad. Many beneficial applications have privacy problems. Many
proposed privacy solutions throw the baby out with the bathwater. We
believe it’s inevitable that there will be additional regulations and
it’s important that all sides of the debate get a fair hearing. - Engage your chief privacy officer. Avoid prematurely embracing
technology that undercuts the hard-earned trust that banks enjoy today.
It is important to remember that the use of RFID—and its implications
to your customers—extends far beyond the four walls of the bank.
Your institution’s senior officer responsible for privacy issues should
definitely be involved. - Push technology vendors to better address industry needs. Despite
recent advances, RFID technology is still in its infancy with major
chip manufacturers just recently starting to deliver the technology.
Privacy protection, access control, and security are all areas of intense
research and development. Help vendors better understand industry and
institution-specific requirements for confidentiality and privacy, as
well as applications beyond the supply chain.
If implemented properly, with a careful eye on the special requirements
of the financial services industry, RFID holds great promise. But if deployed
prematurely or before all the privacy ramifications are understood, it
might also provide some nasty and unfortunate surprises.
Notes
- Position
Statement on the Use of RFID on Consumer Products, CASPIAN and Privacy
Rights Clearinghouse, November 2003 - RFID
May Boost Service at Banks, RFID Journal, April 2003 - Paper-based
Communicating Objects in the Future Office, Proceeding of the Smart
Objects Conference, May 2003 - MasterCard PayPass
Web site - American
Express ExpressPay Web site - Where’s
the Smart Money?, CFO Magazine, February 2002
Publication History
Initial Publication Date: January 12, 2004
