Watching us through the Sorting Door
Ex-spook and SAP launch RFID research project
A former CIA intelligence analyst and researchers from SAP plan to study how RFID tags might be used to profile and track individuals and consumer goods.
"I believe that tags will be readily used for surveillance, given the interests of various parties able to deploy readers," said Ross Stapleton-Gray, former CIA analyst and manager of the study, called the Sorting Door Project.
Sorting Door will be a test-bed for studying the massive databases that will be created by RFID tags and readers, once they become ubiquitous. The project will help legislators, regulators and businesses make policies that balance the interests of industry, national security and civil liberties, said Stapleton-Gray.
In Sorting Door, RFID readers (whether in doorways, walls or floors, or the hands of workers) will collect data from RFID tags and feed them into databases.
Sorting Door participants will then investigate how the RFID tag's unique serial numbers, called EPCs, can be merged with other data to identify dangerous people and gather intelligence in a particular location.
For example, a computer could alert customs officials when sensors show that a container's contents do not match the descriptions provided by its EPCs. Or a doorway RFID reader might detect suspicious individuals, such as someone wearing a heavy coat into a bank on a 90 degree day.
Government investigators could also build profiles about individuals through the EPCs, such as their tastes in clothing, or their reading preferences.
RFID/EPC tags on consumer goods "may give clues to their owners' interests, habits, and activities," according to the Sorting Door proposal. This data could be acted upon by security sentinels, or devices that greet recognized customers.
Sorting Door gets its name from the Sorting Hat in the "Harry Potter" books, which magically determines which school house its wearer will join.
The data mining software in Sorting Door would be provided by SAP, an enterprise software company, which has worked on RFID tests with Wal-Mart, Procter and Gamble and the Metro Group.
RFID, an acronym for radio frequency identification, is widely used in highway toll-pay transponders, contactless payment devices and proximity (or "prox") cards used in offices.
Sorting Door will largely focus on RFID/EPC tags (EPC is short for Electronic Product Code), which will eventually replace the barcode on consumer goods, according to retailers' plans.
Many retailers and their suppliers hope to create databases merging the EPCs on purchased items with shoppers' credit and customer loyalty cards. The companies could then use that information to pitch new products at specific consumers - wherever RFID/EPC reader devices are set up to spot them.
The U.S. Department of Homeland Security may also be interested in having access to these databases, which will help form what some are calling the EPC Network, and others "The Internet of Things."
The U.S. Department of Defense, which has gigantic supply chains, will be a major contributor of databases to the EPC Network.
Homeland Security has been contemplating joining Sorting Door, since Stapleton-Gray talked with the agency about the project several weeks ago.
"RFID tags have some promising potentials, but also some serious questions," said Homeland Security spokeswoman Valerie Smith. "So research like this can be helpful."
Smith said that Homeland Security would not be commenting specifically on whether it is joining Sorting Door at this time.
Privacy advocates worry that the government is already eyeing ways to access the EPC Network. Several airlines have already shown their willingness to turn over their databases to federal authorities, in the name of national security.
"The government is already doing a lot of data mining, with databases from the private sector," said Katherine Albrecht, director of the consumer privacy group, <http://www.nocards.org" target=new>CASPIAN. "It lets them get around that pesky Fourth Amendment to the Constitution (which protects citizens from arbitrary searches). This is data they would be not allowed to get on their own."
Privacy advocates, for their part, expect Sorting Door to show how RFID tags will turn shoes and clothes into tracking beacons for marketers and government snoops.
That is one unique aspect of Sorting Door: It is open to all stakeholders in the RFID debate, including privacy watchdogs, the RFID industry, and the government.
But the RFID industry - those who make radio tags and those who buy them - are afraid of revealing RFID's "spy chip" capabilities, according to civil libertarians.
RFID users such as Procter and Gamble will not be interested in Sorting Door, because the results will be open to public scrutiny, said Electronic Frontier Foundation senior staff attorney Lee Tien.
"The burden is on the proponents of tracking devices to show that they are not going to contribute to a surveillance infrastructure," said Tien. "But (the retailers) are not willing to have an honest conversation with society."
Tien said he supports the mission of the Sorting Door project.
Retailers and suppliers, the RFID/EPC standards body EPC Global, and representatives of industry- backed RFID laboratories either declined to be interviewed for this story, or did not respond to interview requests.
Some of the industry representatives said they were unfamiliar with Sorting Door. Stapleton-Gray said he hopes to brief retailers, consumer packaged goods producers and EPC Global on the project in the near future, however.
SAP's involvement will likely get the attention of others in the industry.
Tao Lin, director of Auto-ID (or EPC) research at SAP Labs in Palo Alto, Calif., is combining an EPC Network data mining project of his own with Sorting Door.
The EPC Network is an inevitability, said Lin, and now is the time to learn about its potential for securing people and goods, or for being abused by the government.
"We need to proactively investigate the issues," said Lin, "before we set up laws and rules to facilitate or prevent certain uses of this infrastructure."®
Sponsored: Data Loss Prevention & Data Theft Prevention