Reporting from Recalling RFID

It proved to be the beginning of a day that aimed to recall Radio Frequency IDentification (RFID). And through heated debate, recalling seemed to be two-fold: regain awareness of the topic to build on the past or, as Katherine Albrecht proposed, cancel the technology as a whole.

After having escaped the RFID terminals in Amsterdam's metro station, the audience was introduced to the subject by a short film called 'The Catalogue' by artist Chris Oakley -see embedded video- in which people are shown walking, running, chatting and more importantly being watched in a shopping mall. A voyeuristic camera catches everyone in sight and shows detailed information of the avatars in the physical space and a flickering red warning in the case of an untagged person. The cyberpunk science-fiction of the 1980s has now almost become a reality, the fairy tale vision of first session moderator Rob van Kranenburg takes us even further into a possible future: 'I see myself walking through the woods and suddenly a screen pops up from a tree and has info about the place'.

The Recalling RFID program put a strong focus on the question where are we now, and more importantly on the question: where are we heading? Session moderator Rob van Kranenburg mentions the concept of (Un)common Ground as a way to debate this move towards RFID and bring together people from various disciplines, in this case the field of RFID, and share experiences to perhaps create new visions.

Self, Safe, Security
After the introduction by Rob van Kranenburg, Christaan van 't Hof is the first speaker of the day and kicks off the first session called 'Self, Safety and Security'. Van 't Hof is a sociologist and senior researcher for Rathenau Institute. He provides a solid introduction to RFID technology and talks about two specific cases of what a government can do with this information. Firstly the abovementioned public transporation and secondly RFID enabled passports. How can, for example, RFID aid police investigation when a crime has been committed in public transport? You can go through the buffers of the RFID database and see who was in the train, metro or bus. Van 't Hof assumes that in a case like the technology 'is okay'. The downside however is: In which cases can government make use of this system? Is it also going to be used to track unemployed people? And how about preventive investigation?

The second case, the new Dutch passport containing biometric information, is subject to heated political debate. However as we speak, a similar database called ORRA (Online Raadpleegbare Reisdocumenten Administratie) is already storing personal and biometric data in a single database. The reason given for this collection of data is the prevention of passport fraud, however this database provides a valuable resource for authorities.

Van 't Hof also showed figures on the awareness of RFID by the Dutch people. These statistics show that most people would prefer a fully personalised OV chipcard instead of an anonymous card. A majority also agrees on using the technology to track down not just suspects, but also witnesses of a crime. For the future of the technology, Van 't Hof calls on the Dutch government for 'a clear position on the centralisation of biometric data, a clear position on using travel data, more research on effectiveness, possible data retention laws for RFID and a vision on RFID, privacy, innovation and investigation'.

Second speaker Melanie Rieback, creator of the first RFID virus, is currently working on the RFID Guardian at the Vrije Universiteit in Amsterdam. In the video below she explains the workings of Guardian together with Rutger Hofman. In effect this should be able to solve some of Van 't Hof's privacy issues. Rieback explains: 'It is a bit of a firewall for RFID, but also a way of providing a tool for testing employment of RFID. How can we create a safe system?' To exemplify this point she takes us back to the days of World War II. “Identifcation of friend and foe” was a method used by the Germans to indentify friendly planes: when a German plane flipped its wings this was picked up by radar and the 'friend' was identified. The English created an automatic responder to do this called “Identify or die”. But this system suffered from Denial of Service (DoS) attacks, which caused friendly planes to be attacked. The lesson according to Rieback: 'You have to trust the system in order for it to be useful'.

There are however many obstacles: 'RFID now is the low-end of computing. You had the mainframe, minicoputers, pc's, embedded computers and way below that is RFID: The smallest, weakest and most low-end computing of the day. If you want to build this “Internet of Things”, all of these problems with the internet of today will translate into the new technology'. The RFID guardian is a method to take the next step and provide security and privacy: 'The main characteristics of the device should be that it is portable, battery powered and provide two-way RFID communication. What it can do is act like an RFID reader, but also as an RFID tagger. It can immitate, spoof and provide multiple RFID tags'. Rieback also wonders why a system such as the OV chipcard costs so much and can be hacked so easily, as proved by a group of University of Amsterdam students, who hacked the card in a week: 'Maybe because companies didn't know where to go with their questions?'

From the field of business comes the third speaker in the session on 'Self, Safety and Security': Stephan Engberg, founder of Open Business Innovation, Priway – Security in Context, and its spin-off company RFIDsec. RFIDsec shares the vision Rieback also sketched for the audience at De Balie. Engberg's goal is to 'provide RFID tags that allow both safe sharing of data and active access throughout the Product Life Cycle, even after point of sale'. Engberg sees that 'we are polluting the visual space in rapid rempo right now and we need to counter this. It is the same as with the physical environment in which we don't throw away junk on the street. This would be fatalism: the doctrine that all events are subject to fate'. A social constructivist approach is the best way to counter this according to Engberg: 'The way we design technology is how society will work, therefore we have to think about how we design it. In the digital world we control even gravity'. RFIDsec intends to create a new key and transfer control of RFID to the owner. For example create a stealth mode where RFID remains silent until authentication is approved: 'Every part of a value chain, from government to supermarket to customer, has to agree with identification'. This solution is all about empowering the user because RFID can't leak what it doesn't hold: 'You need to have exclusive control on your information'. ZeroLeak is one of the systems by RFIDsec that aims to provide this function.

Serious Play

'We're designers, interested in physical things and we're particularly interested in the playful things you can do. What does it do? What does it make us feel? What experience does it create?' These are the valuable first questions by designer Timo Arnall who talks about RFID as a material in design. In designing with technology, Arnall notices that 'one of the fundamental things about technology is that you only notice it when you work with it for a long time'.

It is important to go back to these fundamentals, because there is the inevitability of new technology being clouded by metaphors. For example touch interaction: Firstly you can touch a tag and get linked to the Internet. Secondly you can use it as communication and thirdly you can use RFID as a button. These are all linked to previous technologies and are not fundamentally RFID: 'We work from simply coming close to the chip and extrapolate from there'. A student project done by Arnall had students look at the visualisation of radio fields, such as RFID and Bluetooth. Another, more practical, visualisation of technology is the iconography created by Arnall for Nokia, which is currently usertested.

The concept of play is very visible in the work of Rafi Haladjian, who also hosted the Nabaz'mob Opera for 100 Smart Rabbits during Recalling RFID. Besides the concept of an opera, the toy rabbits are also a consumer product with a target of three year old kids: 'Really simple things show the cool things that can be done by RFID. By making small and cool things one after another, users are educated on the technology. The goal here is to make the people familiar with RFID as product. Haladjinan's company Violet also created Ztamps, which enable the user to RFID tag objects themselves: 'If people can make their own combinations, this helps shape the idea of RFID. For example you can stick a Ztamp on your daughter so when she comes home from school and starts to play with the rabbit, you can see she has returned home safely'.

Haladjian's rabbits might seem like something straight from a Japanese gadget store and this is what Wouter Schilpzand talks about. He has studied RFID in Japan for four months and as expected, because of the gadget happy and convenience driven society, Japan is ahead in the use of RFID in location based services. The two examples given by Schilpzand are interesting. Firstly there is Suica, a rechargeable contactless smart card used as a fare card on train lines in Japan which is similar to the Dutch OV chipcard. An important social aspect of Japan however is that there is always someone to help you out. Another example, a bit similar to the Ztamps example given by Haladjinan, are RFID tags on school children's bags to track where they are.

Examples closer to home are given by Willem Velthoven of Mediamatic. RFID employed during the Picnic '07 conference provided users with a coffeecup you could put your tag in. This started a Google search on the tag and gave back information. Another example of RFID on Picnic '07 is a photobooth which was connected with the Picnicnetwork website. This allowed visitors to publicly publish their friendship. Velthoven however also wants to outline a 'less funky' example: the possibilities for RFID and innovation in libraries. As an example of current innovation in this field he mentions LibraryThing.

Two sides of the same coin?
Katherine Albrecht is co-author of Spychips and as mentioned in the introduction, she is very cautious of the new possibilities of RFID. She sees the comparison of RFID to its predecessor the barcode as 'an easy one used by the industry to soothe people'. But why is Albrecht trying to warn us against RFID? According to her, RFID differs from the barcode in a couple of ways. RFID for example has a unique identification string at the end of the code, this way every can of Coke can be personal. Another uncertainty about the technology is electromagnetic radiation, Albrecht: 'We simply don't know what the impact will be'.

Albrecht gives us a revealing, and perhaps frightening, look behind the doors of the corporate. United States' supermarket Stop 'n Shop said that they had created a software programme that had collected eight years of data (that was in 2002). Albrecht: 'This information could be individualised. Why would you want to do that? They said that they they had spent three billion dollars on the project and had to cash in. Therefore they sold this information to health maintenance organisations such as insurance companies. This could result in the denying of someone particular benefits because of a bad eating pattern'. These so-called data trade-offs are just one example. To show which tone 'commercial' conversations have, Albrecht gives another example: 'They simply say: “Would it not be great if we could see when a customer takes the cap off their toothpaste?' But still consumers don't really care and say: 'I'm not paranoid, I don't believe in conspiracy theories'. Companies however do fear a commercial backlash once customers find out that they don't like this technology.

Implementation of the tag is all about hiding it: 'You can sandwich RFID tags in shoes. And once this is done you can be identified everywhere: when you pass doorways, ceilings and floors you can be identified'. But what about RFID tags molded into tires? Or RFID tagged swipeless credit cards? The effects of implementation are still every unclear, as this article mentioned by Albrecht shows: Chip Implants Linked to Animal Tumors.

After implementation in everyday life, applications can be deployed. Some applications are already in use, for example in amusement parcs such as Alton Towers and LEGOland. You could say that this is merely in an amusement parc setting. IBM however has patented the Person Tracking Unit. This specific patent places RFID readers in the environment and as people walk around it tracks their movement and records products they carry with them. This could mean that “they” could look inside a woman's bag to see, for example, if she carries babyfood and in turn use that for marketing purposes. Besides IBM, Bellsouth/Cingular has patented perhaps the most privacy invading example, which is about 'post consumption information' or simply put: garbage scanning.

The answer according to Albrecht lies in action. As an example she mentions the hidden RFID chips found at the Future Store in Germany. Metro Group had hidden RFID chips in loyalty cards and through protest, the company had to comply with privacy laws. More action is needed according to Albrecht to stop projects such as the forced chipping of Alzheimer patients.

With this attack on RFID, is there any way to balance this view as the title of this third and last session implies? Bart Schermer of RFID Platform Nederland (Dutch RFID Platform) has the task to perhaps put Albrecht's words in perspective. He starts off by saying that he is 'both a fighter for privacy and an RFID fan, you might wonder how this is possible'. Schermer continues: 'Is RFID malevolent technology? The story is just not that simple, everything is based on application of the technology and it is not inherently evil. My main point is that it is not a one-sided thing, companies are not forcing RFID down your throats. And in the Netherlands and Europe, it is simply not allowed to 'look inside' a persons shopping bag. It is simply not legal, they will have a problem with the law if they do. Personal information is power and consumers should have a say in their personal data. Privacy is a means to maintain “economic equality” between companies and consumers'.

Schermers was also active in this years Dutch Big Brother Awards. This year's award went to “YOU”, the Dutch citizen. The reason given was that 'the Dutch citizen values security higher than privacy, and therefore the single biggest threat to privacy is you. It is not the evil companies but also the consumer that is at failt here'. This seems to compliment Albrecht's final statement that action and awareness is required to balance the use of the technology, Schermer: 'Consumers should be made aware of the role of privacy and the role RFID plays in invading or defending your privacy. There should be an opt-out option so you can for example deactivate RFID at the point of sale. But the consumer should not base their decision on fear, but on facts'.

More
RFID Platform Nederland (NL) Privacy Project (NL) Bits of Freedom - RFID en Privacy (NL) Emerce RFID page (NL) MIT RFID Privacy workshop coverage (EN) Spychips (EN) Masters of Media report (EN)