Libraries and RFID woes.
Aug. 14th, 2004 05:51 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
swestrupUpdate: When I first wrote this little blurb, I added a CUT and a commentary on the general problem of cluelessness amongst librarians. It got eaten by my LJ client. So, I'm not going to reiterate much, except to say that the failure to see a problem is endemic to the current library culture, as they isolate themselves too much from mainstream technology. They think the fact that hand RFID scanners are rare today means they'll be rare for 10 to 15 years. Fact is, they'll be easily available in 3, and common in 5. Do they really plan to retag ALL their books in 3 years, or shrug and say its too late now?
By SCOTT CARLSON
Some college libraries have replaced the bar codes on their books with
high-tech tags that can silently transmit information, a change that
might escape the notice of most patrons. But privacy advocates hope
you take a closer look.
The new tags use radio-frequency identification, or RFID. They have
made the news recently as a tool to make retail stores more efficient
at inventory control and theft prevention -- and also as a potential
source of snooping. Recently, libraries have starting adopting the
tags as well.
With their encased microchips, RFID tags can transmit information to
devices designed to pick up the signals and interpret them. Some
privacy advocates worry that a day will come when a library book's tag
could broadcast information about a patron to anyone nearby with a
tag-reading device -- stalkers, snoops, corporate marketers, or G-men.
Librarians are weighing such concerns against the benefits the
technology could bring. The tags are easy to use, allowing a library
to set up automated or self-check-out stations. And with RFID, taking
inventory is a snap: A tag-reading device waved across a shelf can
check all the tags on the shelf against a database to find books that
are out of order, thought lost, or rarely checked out and ready for
remote storage.
More than 300 libraries in the United States have adopted RFID. Most
of them are public libraries, but some are college libraries,
including those at California State University at Long Beach, North
Lake College, and Providence College.
Librarians typically guard patron privacy closely, and so they are
carefully reviewing the new technology. Privacy advocates fear that
books bearing the new tags might make it easy for government agents
armed with subpoenas or hackers armed with know-how to find out who is
reading what, and when.
Peter E. Murray, assistant to the director for technology initiatives
at the University of Connecticut's libraries, which have adopted RFID,
says he doesn't believe the technology is a threat to patrons'
privacy.
"But it's a good point to start this discussion of the technology," he
says. "If it is accepted in the library, it can be accepted anywhere,
and if the library can serve as the instigator of that discussion,
more power to us."
The RFID technology has been around for decades, and the transmitting
tags that hold the data come in different shapes and sizes. RFID is
already in use in the E-ZPass boxes that hang in cars and transmit
payments at toll stops on some highways. More than 60 years ago, the
British used RFID to identify incoming planes during World War II.
Today RFID tags can be smaller than the head of a pin, and the types
used in retail cost mere pennies.
How It Works
The RFID tags that college libraries generally use are flat adhesive
labels, a little bigger than a half-dollar coin, with a swirling,
silvery antenna surrounding a tiny microchip. The antenna picks up
signals sent out by nearby "reader" devices (which come in several
forms, from handgun-shaped to flat pads) from one to three feet away.
The readers transmit back any information programmed on the chip,
usually a book-identification number. Unlike a bar-code reader, which
must be pointed directly at a coded object with nothing blocking the
way, the RFID reader can pick up a signal through a book bag or a
coat.
RFID tags used in libraries cost about 50 to 80 cents and are durable,
guaranteed to last as long as the books on which they are stuck.
At the University of Nevada at Las Vegas, which agreed to serve as a
test site for tags marketed by 3M, the company's engineers mimicked
abuse by patrons. They parked a black car in the Nevada desert and put
a book with an RFID tag on the dashboard. The inside of the car
reached 240 degrees, but the tag survived.
RFID readers at checkout counters usually are flat black pads. A
librarian simply sets a stack of books on the pad and the reader picks
up the signals from all of the books, marks them as checked out in the
library database, and in some models disables a theft-prevention
setting that would trip alarms at a gate at the front door. (Many
college libraries use hidden electromagnetic tape for theft prevention
because RFID tags are relatively conspicuous and easy to tear off.)
Careful Coding
So far, many libraries have been careful to store very little
information on their RFID tags.
Jennifer L. Fabbi, director of the curriculum-materials library at the
University of Nevada at Las Vegas, says that her library stores
nothing but bar-code numbers on the tags. Those numbers, she says, are
meaningless apart from the library catalog, which is guarded by
security software.
The libraries at the university were among the first in the country to
adopt RFID. But she did not think about the privacy and ethical
concerns raised by the tags until she prepared to speak about RFID at
the annual American Library Association conference, in June.
"I really had to stop and think, What privacy and ethical issues?" she
says. "We have not talked about that here."
She says that many of the privacy concerns might be based on some
"misperceptions" about RFID. At the library conference, worried
librarians could be heard in the halls talking about tracking library
RFID tags via satellite. Although some RFID transmitters can be
tracked from long distances, that's not possible with the kinds of
tags used on library books.
Other people might think that there is a mother lode of information on
the chip, she says, or that hand-held RFID readers are commonplace.
For now, readers are expensive and relatively rare, she says. And of
the half-dozen marketers of RFID technology for libraries, none of
them use a common, standard system, she says, so a snoop would have to
carry readers from several different companies.
The more information libraries store on the chip, the more risk, she
says. But she thinks the risk is relatively low in any case. "Is it
outlandish for people to be tracked by their RFID tags?" she says.
"Yes, I'm not personally worried about it. But I can't speak for what
could happen in the future."
Lee Tien, a lawyer at the Electronic Frontier Foundation who
specializes in free-speech law and privacy, has been a prominent
critic of the use of RFID by libraries. He knows that a reader device
has to be within a few feet of a tag to "talk" to it, but that doesn't
worry him any less. That is a suitable range for an RFID reader
affixed to a doorway or security gate.
"We always say that read range is a red herring when it comes to the
ability for people to use RFID for tracking," he says.
He paints a scene to illustrate his point: A government building could
have an RFID reader set up at a doorway. A person could walk in with a
library book in a bag and sign in at a security gate. The bar code on
an RFID tag could be picked up and connected to an identity.
From there, the information could be used a number of ways, he says.
Government officials could subpoena the catalogs of local libraries,
or snoops could go to the library, scan the codes on controversial or
hot books, and put those on a database that the RFID readers could
watch for. Smart hackers wouldn't have to visit the library -- they
could simply crack into the library database and gather the
information they want, he says.
"As far as I know, there are no high-security firewalls around library
databases, like there are around the databases that we routinely read
about being hacked into," he says.
Those engaged in surveillance might not even be interested in the
title of a book. The anonymous bar codes on RFID tags could be used to
track a person. As he or she walks from building to building, the RFID
readers at the doors would pick up the bar code, and surveillance
programs could connect that number to a time and place.
Mr. Tien admits that for such scenarios to occur, RFID readers would
have to be pervasive and databases linked -- and that is perhaps years
from becoming reality. But he and other privacy experts insist that
these are real possibilities, not science fiction.
John Han, a research assistant at the Samuelson Law, Technology, and
Public Policy Clinic at the University of California at Berkeley, has
studied RFID in libraries and the related privacy issues.
"Personally, I don't think there is a cause for immediate concern," he
says, but look at the trends in industry for a glimpse of the future:
Big companies like Wal-Mart are pushing suppliers to adopt RFID.
Companies are already thinking about how RFID tags on products can be
used beyond purchase -- for example, how a tag on a shirt could tell a
washing machine what water temperature and spin cycle to use.
"So many items will be tagged, that at that point, the risk of these
tags being read continuously is much greater," he says. "There will be
readers at restaurants, in retail settings." He points out that Nokia
is already designing a cellphone with an on-board RFID reader.
Security guards would use it to check in with RFID tags posted at
various locations on their rounds.
And although RFID manufacturers use different operational standards
now, he says, "what traditionally happens with standards is that they
converge into one standard after a number of years."
Emerging Standards
Companies that sell RFID systems are starting to discuss ways to
operate on common standards, says Rebekah E. Anderson, a marketing
manager with 3M Library Systems. "The privacy people are making good
points," she says. "You have to go forward with your eyes open."
Ms. Anderson says that 3M tells library customers to store a minimum
amount of information on the tags, both for privacy protection and to
maintain good system performance. (The more information on the tag,
the more time the tag takes to transmit that information.)
She says that libraries have always had to worry about privacy, and
guard against snoops peering at materials. "The thing that RFID
changes is this contactless reading, which raises a whole lot of
issues," she says. "You have to look at the value that you are getting
out of the technology versus the risks." The risks, for now, are low,
she says.
And librarians are quick to point out the value. Ms. Fabbi says that
checkout transactions are quicker using RFID because the librarian
doesn't have to scan bar codes on books one by one. "That cuts down on
repetitive-stress injuries," she says. And with RFID tags and a
hand-held reader, librarians can more easily take inventories, a
cumbersome task.
"It pushes libraries to do things that they put off," she says.
The University of Nevada libraries found more than 500 lost items
after officials tagged 600,000 items in its collection -- which saved
the library $40,000 in replacement costs. The library does inventories
more frequently now.
At the University of Connecticut, RFID tags have allowed the library
to set up self-checkout stations. That has freed up staff members,
whose salaries total about $120,000, for other tasks around the
library.
Patrons' privacy is more secure, Mr. Murray says, because even library
staff members don't see what people check out at those stations. He
says the library is now considering purchasing automated book-drop-off
stations that use RFID readers. With such stations, a patron places a
book on a conveyor belt; the belt runs the book past a reader, marks
it as returned, then drops it into one of several bins, depending on
where the book needs to be reshelved.
To him, the value of the tags is obvious, while the privacy threats
are remote, and speculative.
"There is a little bit of science fiction" in talk of snoops lurking
with RFID readers, he says. "Is it possible someday? Maybe."
By SCOTT CARLSON
Some college libraries have replaced the bar codes on their books with
high-tech tags that can silently transmit information, a change that
might escape the notice of most patrons. But privacy advocates hope
you take a closer look.
The new tags use radio-frequency identification, or RFID. They have
made the news recently as a tool to make retail stores more efficient
at inventory control and theft prevention -- and also as a potential
source of snooping. Recently, libraries have starting adopting the
tags as well.
With their encased microchips, RFID tags can transmit information to
devices designed to pick up the signals and interpret them. Some
privacy advocates worry that a day will come when a library book's tag
could broadcast information about a patron to anyone nearby with a
tag-reading device -- stalkers, snoops, corporate marketers, or G-men.
Librarians are weighing such concerns against the benefits the
technology could bring. The tags are easy to use, allowing a library
to set up automated or self-check-out stations. And with RFID, taking
inventory is a snap: A tag-reading device waved across a shelf can
check all the tags on the shelf against a database to find books that
are out of order, thought lost, or rarely checked out and ready for
remote storage.
More than 300 libraries in the United States have adopted RFID. Most
of them are public libraries, but some are college libraries,
including those at California State University at Long Beach, North
Lake College, and Providence College.
Librarians typically guard patron privacy closely, and so they are
carefully reviewing the new technology. Privacy advocates fear that
books bearing the new tags might make it easy for government agents
armed with subpoenas or hackers armed with know-how to find out who is
reading what, and when.
Peter E. Murray, assistant to the director for technology initiatives
at the University of Connecticut's libraries, which have adopted RFID,
says he doesn't believe the technology is a threat to patrons'
privacy.
"But it's a good point to start this discussion of the technology," he
says. "If it is accepted in the library, it can be accepted anywhere,
and if the library can serve as the instigator of that discussion,
more power to us."
The RFID technology has been around for decades, and the transmitting
tags that hold the data come in different shapes and sizes. RFID is
already in use in the E-ZPass boxes that hang in cars and transmit
payments at toll stops on some highways. More than 60 years ago, the
British used RFID to identify incoming planes during World War II.
Today RFID tags can be smaller than the head of a pin, and the types
used in retail cost mere pennies.
How It Works
The RFID tags that college libraries generally use are flat adhesive
labels, a little bigger than a half-dollar coin, with a swirling,
silvery antenna surrounding a tiny microchip. The antenna picks up
signals sent out by nearby "reader" devices (which come in several
forms, from handgun-shaped to flat pads) from one to three feet away.
The readers transmit back any information programmed on the chip,
usually a book-identification number. Unlike a bar-code reader, which
must be pointed directly at a coded object with nothing blocking the
way, the RFID reader can pick up a signal through a book bag or a
coat.
RFID tags used in libraries cost about 50 to 80 cents and are durable,
guaranteed to last as long as the books on which they are stuck.
At the University of Nevada at Las Vegas, which agreed to serve as a
test site for tags marketed by 3M, the company's engineers mimicked
abuse by patrons. They parked a black car in the Nevada desert and put
a book with an RFID tag on the dashboard. The inside of the car
reached 240 degrees, but the tag survived.
RFID readers at checkout counters usually are flat black pads. A
librarian simply sets a stack of books on the pad and the reader picks
up the signals from all of the books, marks them as checked out in the
library database, and in some models disables a theft-prevention
setting that would trip alarms at a gate at the front door. (Many
college libraries use hidden electromagnetic tape for theft prevention
because RFID tags are relatively conspicuous and easy to tear off.)
Careful Coding
So far, many libraries have been careful to store very little
information on their RFID tags.
Jennifer L. Fabbi, director of the curriculum-materials library at the
University of Nevada at Las Vegas, says that her library stores
nothing but bar-code numbers on the tags. Those numbers, she says, are
meaningless apart from the library catalog, which is guarded by
security software.
The libraries at the university were among the first in the country to
adopt RFID. But she did not think about the privacy and ethical
concerns raised by the tags until she prepared to speak about RFID at
the annual American Library Association conference, in June.
"I really had to stop and think, What privacy and ethical issues?" she
says. "We have not talked about that here."
She says that many of the privacy concerns might be based on some
"misperceptions" about RFID. At the library conference, worried
librarians could be heard in the halls talking about tracking library
RFID tags via satellite. Although some RFID transmitters can be
tracked from long distances, that's not possible with the kinds of
tags used on library books.
Other people might think that there is a mother lode of information on
the chip, she says, or that hand-held RFID readers are commonplace.
For now, readers are expensive and relatively rare, she says. And of
the half-dozen marketers of RFID technology for libraries, none of
them use a common, standard system, she says, so a snoop would have to
carry readers from several different companies.
The more information libraries store on the chip, the more risk, she
says. But she thinks the risk is relatively low in any case. "Is it
outlandish for people to be tracked by their RFID tags?" she says.
"Yes, I'm not personally worried about it. But I can't speak for what
could happen in the future."
Lee Tien, a lawyer at the Electronic Frontier Foundation who
specializes in free-speech law and privacy, has been a prominent
critic of the use of RFID by libraries. He knows that a reader device
has to be within a few feet of a tag to "talk" to it, but that doesn't
worry him any less. That is a suitable range for an RFID reader
affixed to a doorway or security gate.
"We always say that read range is a red herring when it comes to the
ability for people to use RFID for tracking," he says.
He paints a scene to illustrate his point: A government building could
have an RFID reader set up at a doorway. A person could walk in with a
library book in a bag and sign in at a security gate. The bar code on
an RFID tag could be picked up and connected to an identity.
From there, the information could be used a number of ways, he says.
Government officials could subpoena the catalogs of local libraries,
or snoops could go to the library, scan the codes on controversial or
hot books, and put those on a database that the RFID readers could
watch for. Smart hackers wouldn't have to visit the library -- they
could simply crack into the library database and gather the
information they want, he says.
"As far as I know, there are no high-security firewalls around library
databases, like there are around the databases that we routinely read
about being hacked into," he says.
Those engaged in surveillance might not even be interested in the
title of a book. The anonymous bar codes on RFID tags could be used to
track a person. As he or she walks from building to building, the RFID
readers at the doors would pick up the bar code, and surveillance
programs could connect that number to a time and place.
Mr. Tien admits that for such scenarios to occur, RFID readers would
have to be pervasive and databases linked -- and that is perhaps years
from becoming reality. But he and other privacy experts insist that
these are real possibilities, not science fiction.
John Han, a research assistant at the Samuelson Law, Technology, and
Public Policy Clinic at the University of California at Berkeley, has
studied RFID in libraries and the related privacy issues.
"Personally, I don't think there is a cause for immediate concern," he
says, but look at the trends in industry for a glimpse of the future:
Big companies like Wal-Mart are pushing suppliers to adopt RFID.
Companies are already thinking about how RFID tags on products can be
used beyond purchase -- for example, how a tag on a shirt could tell a
washing machine what water temperature and spin cycle to use.
"So many items will be tagged, that at that point, the risk of these
tags being read continuously is much greater," he says. "There will be
readers at restaurants, in retail settings." He points out that Nokia
is already designing a cellphone with an on-board RFID reader.
Security guards would use it to check in with RFID tags posted at
various locations on their rounds.
And although RFID manufacturers use different operational standards
now, he says, "what traditionally happens with standards is that they
converge into one standard after a number of years."
Emerging Standards
Companies that sell RFID systems are starting to discuss ways to
operate on common standards, says Rebekah E. Anderson, a marketing
manager with 3M Library Systems. "The privacy people are making good
points," she says. "You have to go forward with your eyes open."
Ms. Anderson says that 3M tells library customers to store a minimum
amount of information on the tags, both for privacy protection and to
maintain good system performance. (The more information on the tag,
the more time the tag takes to transmit that information.)
She says that libraries have always had to worry about privacy, and
guard against snoops peering at materials. "The thing that RFID
changes is this contactless reading, which raises a whole lot of
issues," she says. "You have to look at the value that you are getting
out of the technology versus the risks." The risks, for now, are low,
she says.
And librarians are quick to point out the value. Ms. Fabbi says that
checkout transactions are quicker using RFID because the librarian
doesn't have to scan bar codes on books one by one. "That cuts down on
repetitive-stress injuries," she says. And with RFID tags and a
hand-held reader, librarians can more easily take inventories, a
cumbersome task.
"It pushes libraries to do things that they put off," she says.
The University of Nevada libraries found more than 500 lost items
after officials tagged 600,000 items in its collection -- which saved
the library $40,000 in replacement costs. The library does inventories
more frequently now.
At the University of Connecticut, RFID tags have allowed the library
to set up self-checkout stations. That has freed up staff members,
whose salaries total about $120,000, for other tasks around the
library.
Patrons' privacy is more secure, Mr. Murray says, because even library
staff members don't see what people check out at those stations. He
says the library is now considering purchasing automated book-drop-off
stations that use RFID readers. With such stations, a patron places a
book on a conveyor belt; the belt runs the book past a reader, marks
it as returned, then drops it into one of several bins, depending on
where the book needs to be reshelved.
To him, the value of the tags is obvious, while the privacy threats
are remote, and speculative.
"There is a little bit of science fiction" in talk of snoops lurking
with RFID readers, he says. "Is it possible someday? Maybe."
