Cellphones to keep track of your purchases -- and you

You might not know it, but as of January it became illegal in California for companies to require workers to have devices implanted under their skin that would reveal their whereabouts at all times.

State Sen. Joe Simitian (D-Palo Alto) called his legislation a safeguard against “the ultimate invasion of privacy.” Gov. Arnold Schwarzenegger signed the bill into law in October.

But your privacy may not be completely safe. The same chip-based technology that California won’t allow to be forcibly placed under people’s skin will soon be ubiquitous in cellphones, which the telecom industry believes will be increasingly used as electronic wallets to make purchases.

Virtually all leading cellphone makers are already introducing this technology to their handsets. Payments by cellphone are expected to explode over the next few years as more stores are equipped to handle such transactions.

Here’s how it’ll work: You go to the Gap, select a pair of khakis and wave your phone in front a reader at the cash register. The purchase price is instantly deducted from your checking account like a debit card or applied to a credit card account. A record of the purchase is also entered into the Gap’s database.

That’s very convenient and will undeniably be a boon to shoppers, merchants and cellphone companies.

What the technology also means, though, is that all cellphone owners, which is nearly everyone, will be technologically “tagged.” In theory, anyone -- or any company or government agency -- with a desire to do so would be able to identify you from as much as 300 feet away and track you as you go about your business.

Your cellphone would be constantly broadcasting your location, along with, possibly, your name, address and other potentially sensitive information.

“The public has been slow to appreciate the privacy implications of this technology,” said Simitian, who has a variety of other bills in the hopper to address various aspects of what’s known as radio frequency identification, or RFID.

“Most people don’t realize that there’s no law against who can read the information on an RFID tag, and no limit on what can be placed on the tag,” Simitian said.

OK, let’s take a deep breath. RFID technology has been around since World War II, when transponders were placed in Allied aircraft to distinguish them from German planes. These days, RFID is everywhere.

When workers wave an ID card or fob in front of a reader to enter their office building, that’s RFID. When plastic tags are placed on merchandise in supermarkets or retail stores to manage inventory, that’s RFID.

RFID tags are starting to be inserted in driver’s licenses and passports. The Legoland theme park in Denmark recently experimented with giving RFID wristbands to kids so they could easily be found by parents. (A spokeswoman said there were no plans to test the technology at the Legoland in Carlsbad.)

China is now in the process of issuing RFID-equipped national ID cards to all of its 1.3 billion citizens.

There’s no question RFID can make official documents harder to fake and make life much easier for consumers. Think how fast a checkout line would move if everyone was carrying an RFID-equipped cellphone or credit card instead of cash or old-fashioned, magnetic-stripped plastic.

Cellphone companies love the technology because they anticipate customers using more minutes and being less likely to switch services once they’ve turned their handset into an e-wallet.

“Everybody’s interested in this,” said Mark Desautels, vice president of CTIA -- The Wireless Assn., an industry group. “There’s an awful lot of experimentation taking place throughout the industry.”

IDTechEx, a market researcher specializing in RFID, estimates that more than 2 billion tags will be sold to companies and governments worldwide this year, compared with 1.7 billion last year.

The number of tags in circulation will be 300 times larger a decade from now, the firm estimated, citing rapid reductions in RFID costs and expansion of the number of RFID scanners at businesses and government agencies.

At the moment, the most common form of RFID tagging in this country is what’s known as a “passive” emitter. That means the tag has no independent power source and must be activated by an external scanner, usually within a range of up to 25 feet.

Increasingly, passive tags are being replaced with tiny, battery-operated “active” tags that continuously transmit signals as far as 300 feet. Those signals could be picked up by anyone with an RFID scanner.

Numerous companies have filed patent applications in recent years for use of RFID technology to monitor people’s activities.

In 2006, for example, IBM received patent approval for a system that could be “used to monitor the movement of the person through the store or other areas.”

That “or other areas” is what spooks privacy advocates. At the moment, there are few limits on how this technology can be used.

“The notion that we’re building a surveillance society is very real,” said Sophia Cope, a staff attorney at the Center for Democracy and Technology, which focuses on civil liberties in the digital age.

Although she acknowledged the myriad benefits of RFID technology, Cope said it was all too easy to imagine cellphone tags being used to monitor people’s activities from morning to night.

In a messy divorce case, for instance, records could be subpoenaed from wireless companies that would show not just where and when you made a purchase, but also precisely where you went afterward and how long you stayed there.

Cellphone services already have the ability to pinpoint users on their network. What makes RFID more troublesome is the ease with which the technology can be exploited by others -- that is, companies and government agencies that don’t operate wireless networks.

Similarly, tags could be constantly beaming people’s name, address and bank account number to anyone capable of picking up the signal, potentially ushering in a new era of identity theft.

“I’d like to say this technology can be controlled,” Cope said. “But there’s a lot of room for abuse if this isn’t implemented correctly.”

Desautels at CTIA said the wireless industry is aware of the security concerns surrounding RFID.

“Is there a danger here?” he asked. “No one in the industry has minimized the need to protect consumer information.”

It’s still early enough in the game for regulators to protect consumers. Some suggestions:

* All RFID-equipped cellphones should have the capability to switch off the technology or at the very least to block the signal. It shouldn’t be an all-or-nothing proposition.

* Cellphone makers should be required to produce non-RFID handsets for people with no desire for electronic payments.

* Consumers should be clearly informed about what types of information will be stored on their RFID tags, and should be given the ability to make changes as they see fit.

* Sales of RFID scanners should be limited only to those with a legitimate need to possess the technology.

* Laws should be passed clearly defining the circumstances under which companies and government agencies can track RFID tags and requiring court orders for the technology to be used for surveillance purposes.

There were more than 243 million wireless subscribers nationwide as of June 2007. Considering the stakes, does anyone really think this is a technology that should be left to the honor system?

Consumer Confidential runs Wednesdays and Sundays. Send your tips or feedback to david.lazarus@latimes.com.