The Privacy Coach and RFID (2)
Ten years ago, Van ‘t Hof led a research group to “provide insight into real life experiences with Radio Frequency Identification (RFID), draw a future scenario, and formulate challenges for this rapidly emerging technology”[VTHOF2007]. They looked at 24 use cases of RFID in various sectors: (public) transport, retail, passports and amusement parks, to name a few. In this blog post, you can find a couple of these case studies in three categories: shopping, transport and leisure.
Shopping
Several stores have incorporated RFID technology in their supply chain. While some stores use it primarily to track their inventory, the Metro Future Store also provided customers with RFID loyalty cards. Their stores contained information kiosks that provided extra information on RFID-tagged products, such as books, but also audio and video items. In the last case, additional trailers could be shown to the customer. The law in Germany could require that a person be of a certain age before the video is shown. “Fortunately”, the loyalty card a) contained the age of a person and b) was readable through RFID. This coupling of information (sharing age through a loyalty card while viewing additional content) led to protests by FoeBud (Verein zur Förderung des öffentlichen bewegten und unbewegten Datenverkehrs), which argued that customers were not informed that their loyalty card contained RFID.
The Dutch bookstore Selexyz (which later merged with De Slegte to become Polare, and was declared bankrupt in 2014) used RFID to uniquely label each of their (at the time) 38 000 books. The main function of these tags was to keep track of the location of the book: when it entered the store, where it was placed, and whether the correct book was delivered. Selexyz offered an additional service: customers could place an order and receive an email when it was delivered to the store. Selexyz claimed the purchase information was not linked to the customer, and the chip was deactivated upon purchase.
Transport
We only mention the OV-Chipkaart, because it is an example that is close to home when compared with the Oyster card (London, UK) or the VRR/VRS card (North-Rhine Westphalia, Germany), which are also mentioned in the case studies.
The OV-Chipkaart is used in all types of public transport in The Netherlands. The first pilot was done in Rotterdam, in 2005. The card itself contains a passive writable tag, which contains information about the last 10 journeys and the current balance. There are two types of cards: the personalised card and the later-introduced anonymous card. During the pilot, the authors of [VTHOF2007] acquired an OV-Chipkaart, but had to provide many personal details: name, address, bank account, signature and a copy of their passport. That last detail surprised the researchers, because the card was used as a debit card, not a credit card. When a user has enough balance, they hold their card in front of an RFID reader in a means of public transport, starting their journey. This is called “check-in”. At their destination, they “check-out” (again, by holding their card to a reader), which decreases the user’s balance by the trip fare.
The main concern at the time was the lack of explicit user consent for processing of the travel data (i.e. the time and place of a “check-in/out” event, patterns emerging from collecting such data, etc.), and that usage of the card automatically means accepting the data policy.
Other concerns centered on price differentiation. In some cases, people pay 10% more because they travel during rush hours, or 20% less when they don’t. This is deemed unfair, because people sometimes have no choice but to travel during rush hours. Another idea, at the time, was that people who define their destination beforehand get a (large) discount when compared with regular check-in/check-out.
Leisure
In this final category, we show a use case which is similar to the OV-Chipkaart, but in a very different setting: an RFID implant used for access and payment.
The Baja Beachclub has a leisure branch in Rotterdam and Barcelona (Spain). Although the club in Barcelona is actually located at a beach, the one in Rotterdam resides in a concrete environment. It mimics a beach setting using palm trees, water scooters, and other water attributes. It also has a place for VIPs which is only accessible to loyal customers who have an RFID implant. After a payment of (at the time) €1000,–, the RFID implant can be used to access the VIP area and to pay for drinks. The club gives the loyal customer a credit of €1500,– to spend. The RFID implant, VeriChip, was primarily intended for medical usage, such as the identification of patients. It is the size of a grain of rice and contains a single fixed code.
In the beachclub, the chip can be read at three moments: upon entering the club, upon entering the VIP area, and upon payment of drinks. The bar personnel scan the customer's implant, and the customer's info (name, photo, balance of the chip, transaction history) can be seen on a separate screen. The information does not leave the club. These RFID tags were not introduced without hassle in the media. Journalists claimed the placement of these tags was like tagging cattle, and privacy groups saw this as a precedent to use implants for other purposes.
Conclusion
In this blog post we have seen various ways of using RFID technology, e.g. as loyalty or transport card, and for inventory tracking purposes. Each implementation has its privacy-related concerns, such as the OV-Chipkaart’s collection of detailed travel history, or the coupling of customer information with products they have not even bought yet.
Each technology has its merits and disadvantages. In the previous cases, the merits could be found in exact inventory tracking at Selexyz, and providing an easy payment service for loyal customers at the Baja Beachclub. Disadvantages in terms of privacy protection were also found in the case of the OV-Chipkaart, which lacked explicit consent for processing of travel data.