RFID Tags and Privacy Concerns in Washington State
Radio Frequency Identification, also known as RFID, is an automatic identification method that relies on RFID tags to store and remotely retrieve data. The RFID tags are devices attached to objects to obtain and store vital information. When the tags are read by RFID receivers by means of radio waves, this information is stored in existing records or a database. Encryption is used to protect the data being transmitted between the tags and the reader (Paxar Americas, Inc., 2004; Information and Privacy Commissioner of Ontario & Hewlett Packard, 2008; Piasecki, 2008).
Generally, RFID systems are categorized into four types:
1. Electronic Article Surveillance (EAS) Systems – These systems are generally used in retail stores to track an object or product. The merchandise is tagged, and large antenna readers are placed near the exit of the store. This ensures that no product is taken or disposed of without authorization.
2. Networked Systems – These systems are characterized by a centralized information management system or database. The RFID readers are placed in fixed positions and the RFID tags are placed on objects and/or on people.
3. Positioning Systems – These systems are typically used for automatically locating vehicles or items with RFID tags.
4. Portable Data Capture Systems – These systems are typified by the use of portable RFID readers. Because of their portability, these systems are used in different ways (Electronic Privacy Information Center, 2008).
However, there are also other categorizations for RFID systems.
RFID systems may be classified as referential or non-referential. Referential RFID systems are those whose tags contain a unique key or data string that allows information to be retrieved from a database. If the database or the centralized system is down, the RFID system may not be able to function properly. Non-referential RFID systems are those that store most, if not all, of the data needed for the system’s operation in the RFID tag. This allows operations and decisions to be made based on the data in the tag. It also allows the RFID system to work even if the network and database are down or the data cannot be accessed from them (Information and Privacy Commissioner of Ontario & Hewlett Packard, 2008).
RFID systems may also be categorized as having either a closed or open loop application. RFID systems considered to have closed loop applications are those that are utilized entirely by only one company or organization. RFID systems classified as having open loop applications are those that are intended for the use of several organizations. This implies that standards and protocols are applied to all organizations and the members concerned. Examples of RFID systems having an open loop application are those used in supply-chain management wherein items have to be tracked in different locations and in various organizations (Information and Privacy Commissioner of Ontario & Hewlett Packard, 2008).
There are three kinds of RFID tags: passive, active and semi-passive. Passive RFID tags do not have an internal power source and require a signal from the RFID reader to send out data. Passive RFID tags are usually smaller than active RFID tags. Active RFID tags contain their own internal power source and broadcast their own signal to the RFID reader. Active tags typically have greater memory capacity and computational capability than passive RFID tags. These tags are also more appropriate in cases wherein radio waves are prone to interference. Semi-passive RFID tags are similar to passive RFID tags in that they do not transmit a signal unless the RFID reader transmits a signal first. However, they do have an internal power source similar to the active RFID tags (SAS, 2005; Data Privacy & Integrity Advisory Committee, 2006).
Electronic chips are placed in each RFID tag. These chips may be classified as read-only chips or read-write chips. Read-only chips are programmed only once, during the manufacturing process, with information appropriate for their purpose. Once data is placed on these chips, it may never be altered. Read-write chips, on the other hand, allow the user to overwrite the existing information in the chip (Paxar Americas, Inc., 2004).
RFID readers use radio waves to obtain information stored on the tag. They use three primary frequency bands – Low Frequency, Mid-frequency and Ultra High-Frequency (Paxar Americas, Inc., 2004). RFID readers may also trigger the tags to start transmitting data or may simply receive data from the tags through signals sent automatically, either continuously or at set intervals. Readers can also be stationary or mobile.
Ever since their development, RFID systems have been presented as an innovation, especially for monitoring and convenience. Over the past three decades, the use of the RFID system and its tags has become popular, from ocean containers to packaging labels, mainly because of its numerous advantages (Masters & Michael, 2007).
An advantage of RFID technology is that RFID tags can be read from a distance, through different materials, almost instantly. The tags can be read without a line of sight, and although they are read sequentially, the reading is so fast that the sequence is indiscernible. Another advantage is that RFID tags can hold more data than bar codes. Also, RFID tags are better suited to harsh conditions and environments such as underwater (Piasecki, 2008).
It may not be apparent to most people, but RFID technology has become widespread and present in everyday life. RFID technology is used in collecting fees at toll booths and tracing daily arriving containers. It has also been used by credit card companies so that people may conduct transactions without carrying cash or coins (Attaway, 2008).
The RFID system has also proven to be convenient and useful for commerce. In a survey done by IBM and Executive Technology, a significant 41% of the retailers consider RFID technology important. Retailers and manufacturers also see its importance for inventory management, out-of-stock avoidance, labor advance, avoidance of product tampering and anti-theft (Butler, 2004). Thus, it is currently used in many different industries. The RFID system is used by pharmaceutical companies in drug containers to monitor their products and to prevent theft of highly controlled drugs. It is also utilized by airline companies[1] to track passenger bags and lessen the number of lost luggage (Attaway, 2006).
In Washington, RFID-enabled identification cards and licenses are being tested. In a joint project of Washington State and the Department of Homeland Security (DHS), the tested licenses and identification cards will be used for the Western Hemisphere Travel Initiative[2]. The cards would include vital personal information such as proof of citizenship (Washington State Office of the Governor, 2007).
Also, the University of Washington’s Department of Computer Science and Engineering has come up with a large-scale project called the RFID Ecosystem Project. The project investigates user-centered RFID systems with respect to business, technology and the like. It will produce a living laboratory for in-depth research into the applications of RFID and related matters such as databases, privacy and security. Its main goal is to inform the public and the community of the risks, benefits and obstacles of user-centered RFID systems. Its proposed primary benefit is a better understanding of the issues related to RFID, such as the technology’s usage, its threat to privacy, and the technical challenges brought about by the users and consumers of RFID systems (University of Washington, 2008).
However, the use of RFID technology has also become an issue due to privacy concerns. Since RFID tags can be read at a distance, it is plausible that information stored in an RFID tag can be accessed without the knowledge of the person who carries it. In fact, plenty of RFID-related abuse takes place. Fraud, identity theft and phishing[3] are examples of such abuse (Piasecki, 2008). Concrete examples of RFID-related misuse include the skimming of driver’s licenses and credit cards. Several driver’s licenses employ RFID tags. A driver’s license contains vital personal information such as the holder’s complete name, age, weight, height and other data. Information from credit cards using RFID tags is also important. The possibility that this information could be scanned without the person’s consent has become an issue.
Even the government and researchers specializing in security have privacy concerns related to the RFID system. The Office of Inspector General of the Department of Homeland Security released a report on the Department’s use of RFID systems. The Department will use RFID tags to store data and broadcast the information to RFID receivers for immigration documents and passports. However, the DHS has acknowledged in its report that the use of RFID technology may leave critical and vital information open to hackers and other forms of unauthorized access.
The report also stated that the use of RFID technology for the Department’s database brought about problems such as lack of systematic inventories, inconsistent policies, and security issues regarding password management, auditing and user access permissions. Also, a security researcher presented studies showing that RFID tags may be cloned. These RFID tags are to be placed in United States passports as well as those of other countries. Another security professional demonstrated that accessing the information, copying the data and placing the data into another RFID chip is possible with current, available technology (EPIC, 2008).
Because of the privacy concerns, the clamor for rules and regulations regarding the usage of RFID systems has risen.
There are existing acts and laws that tackle the topic of privacy. The Privacy Act of 1974 gives people the right to evaluate their personal information in records, correct their personal data and find out if their records have been released. It also restricts unauthorized disclosure of federal government records which contain personal information pertaining to certain individuals. The Fair Credit Reporting Act (FCRA) requires that credit reporting agencies uphold their clients’ credit information and certify that it is accurate and relevant. The FCRA gives people the right to have secure and correct information, to have accountability and security measures from the credit reporting agencies, and to give their consent to the agencies’ collection and proper usage of their information.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to give notices to their clients regarding their information collection and usage practices. The Health Insurance Portability and Accountability Act (HIPAA) controls the sharing of a person’s health information. Washington’s Privacy Act impedes the recording and intercepting of personal conversations without consent from the affected parties. Other Washington laws have specifications for invasions of privacy, identity theft, and skimming crimes such as using copied information or a copied credit card for illegal purposes. However, these acts are not enough to address the privacy concerns brought about by RFID technology. Currently, there are no federal laws that restrict or prohibit the use of RFID (Washington State House of Representatives Office of Program Research, 2007).
The state of Washington addressed the clamor to regulate RFID technology by coming up with House Bill 1031 (HB 1031). The bill recognizes the importance of maintaining an individual’s privacy and his or her personal information for the person’s well-being and safety. It would make it a felony to scan an RFID tag for the purpose of stalking, identity theft, fraud and other such crimes. It would basically grant consumers specific rights with respect to electronic privacy. These rights include notification of an entity’s information practices before information is collected; opt-in consent before any public or private entity can read and store data in an RFID tag; access to the personal information obtained; attestation to the accuracy of the information gathered; and the implementation of confidentiality and security measures by the data collector (Washington State House of Representatives Office of Program Research, 2007).
There are several versions of HB 1031. The first version, known as the “Electronic Bill of Rights”, failed to pass the March 2007 House vote (Swedberg, 2008). The first version of HB 1031 defines what electronic devices, RFID and RFID tags are. It requires that objects and products that contain RFID tags and are issued, sold or distributed carry proper notices and labels. The label should state that the item contains electronic devices allowing electronic communication and that such a device can send personal information to a receiver after the purchase or issuance of the product.
The notices must inform the public that the consumer has a legal right to request that the electronic device be removed from the product or deactivated, and that he or she has the right to request a copy of the personal information gathered about him or her via the electronic device (Washington State House of Representatives Office of Program Research, 2007). The labeling of RFID tags gives people the right to receive prior notice of an entity’s information practices and a choice whether to disclose personal information by using a product that can engage in electronic communication.
The first HB 1031 also allows the consumer to have control over his or her personal information. It has provisions that allow a person to request and review his or her personal data.[4] He or she may attest, correct or amend the personal information gathered about him or her and may even request information to be deleted.[5] It also has provisions that allow the purchaser to request that the RFID tag and such electronic devices be deactivated or removed from the product. Once it is deactivated, it may only be reactivated with the written consent of the consumer. The bill also entails that a person may not be forced or persuaded to keep the RFID tags (Morris et al., 2007).
The early HB 1031 also has stipulations regarding personal information and security measures. It requires that entities and individuals that sell, issue or distribute products with RFID tags and similar electronic devices utilize adequate security measures to prevent misuse, tampering, loss and leakage of gathered personal data. It prohibits entities and/or individuals from disclosing and using personal information stored in and obtained from electronic devices (Morris et al., 2007).
The first version of HB 1031 also forbids unauthorized scanning. Scanning attempts and remote scanning are also ruled out by the bill. As long as the person or consumer has no knowledge that his or her personal information is being scanned, the scanning is considered unauthorized and illegal (Washington State House of Representatives Office of Program Research, 2007).
The prior HB 1031 penalizes crimes involving the scanning of RFID tags and similar electronic devices. A person may file a civil action to request a ruling on the crimes and payment per violation or for the actual damages caused by the acts restricted by HB 1031 (Morris et al., 2007).
There were several problems with the first version of HB 1031. It had a very broad scope and did not offer exemptions for several sectors of the community, such as university research and service providers like cable companies. The labeling was also sternly opposed by businessmen and technology vendors, given that they already had to comply with a labeling standard (Swedberg, 2008). Also, the early version of HB 1031 does not cover all RFID-related cases of misuse and abuse. Due to heavy corporate lobbying, the scope of HB 1031 became limited. Thus, it is still legal to collect information, with or without consent, from a consumer’s RFID tag if it is for a sales transaction (Chartier, 2008). This presented a problem, since an entity may claim that it is gathering personal information for marketing or business purposes even though that is not the case.
The passed HB 1031 had the same intent: to allow consumers to have specific rights with respect to electronic privacy. The difference from the earlier version of the bill lies in the provisions. In the revised version, the requirement that labels be placed on products containing RFID technology was completely removed. Also, a provision was made stating that intentionally scanning a person’s identification system without his or her knowledge and prior consent for illegal purposes such as fraud and theft is a class C felony (House Committee on Technology, Energy & Communications, 2008).
