Corporate Privacy and Information Technology: the Case of RFID

Corporate Privacy and Information Technology: the Case of RFID

Working Paper

Sascha Vitzthum

Goizueta Business School,

[email protected]

Abstract

Like every new information technology, Radio Frequency identification (RFID) has security issues that could jeopardize corporate privacy. This paper explores the concept of corporate privacy by looking at both the development of the philosophical concept of (individual) privacy and the legal framework that governs corporate privacy. Further, it discusses the general requirements of corporate privacy: protecting economically valuable information and instituting appropriate security measures. The research model links Information Technology capabilities and security issues with corporate privacy risks. It yields four important findings. As expected, the perceived benefits of a new Information technology stem from the economic value of the gathered information. However, there are three distinct factors that not only affect cost, but also that can completely diminish the benefits. First, there are actual costs that derive from implementing the different security measures. Second, competitors can gain profits from information that is unprotected, which can harm the adopter’s competitive position and thus can be interpreted as cost for the adopter. Third and most importantly, the introduction of unsecured information technology can threaten corporate privacy. If the measures to protect data are not appropriate, the information can be considered public and thus can be legally exploited by every entity that that chooses to do so. Keywords: Corporate Privacy, Economic value of information, IT security, RFID

1

1

Introduction

The inevitable inclusion of Radio Frequency Identification technology (RFID) into consumer goods has triggered a public discussion about its impact on consumer privacy. Even though RFID is only in its test phase in the end consumer market (for example, in the German Metro chain’s Future Store), many industry analysts have voiced concerns over potential privacy intrusions (News.au.com, 2004). Opponents argue that consumer data can now be collected anywhere, as long as the RFID tags are not disabled after purchase. Without regulation or industry guidelines in place, consumer advocates paint a grim picture in which personal consumer information would be transmitted outside of the home and could be collected and exploited by anyone who has a mobile transceiver (Schwartz, 2004). Although many of the assumptions regarding the capabilities of RFID are exaggerated, companies should be well aware of consumers’ fears for at least two important reasons. First, alarmed consumers will take their business elsewhere, which will harm the sales of innovative companies that introduce RFID. Second, and even more importantly, companies should be aware that RFID tags might provide real-time information about product flows not only to the designated company server but also to tech-savvy competitors. In other words, the former is a concern regarding consumer privacy, while the latter regards corporate privacy. In this paper, I explore the notion of corporate privacy in general and, more specifically, how it will change with the introduction of RFID .

Like every new information technology, RFID has security issues that can potentially jeopardize corporate privacy. The first part of this paper explores the concept of corporate privacy by looking at both the development of the philosophical concept of (individual) privacy and the legal framework that governs corporate privacy. Further, the general requirements of corporate privacy–-economic value of information and reasonable security measures—are introduced. In addition, the theoretical framework and the historical practice of data protection are discussed in order to show how capabilities of emerging technologies have influenced both the view and the practice of corporate privacy.

The second part of the paper introduces RFID. After reviewing the basic architecture of the technology, I point out security flaws that can threaten corporate privacy. Further, I introduce the benefits of RFID, such as the kind of information that can be gathered, and I weigh them against potential privacy threats. Those privacy threats are then exemplified through privacy scenarios at different points in a supply chain.

The last part of the paper introduces a theoretical model that links Information Technology capabilities and security issues with corporate privacy risks. Moreover, the assumptions and limitations of this model are discussed in order to provide an outlook for future research. Overall, the paper’s analyses can be used to evaluate the impact of corporate privacy risks on the adoption of new information technology. This paper

2

2

makes three important contributions to the existing literature. First, it defines the concept of and specifies requirements and limitations for corporate privacy. Second, it shows how RFID technology currently does not provide reasonable security measures and thus compromises corporate privacy. Finally, it shows that RFID adoption decisions are impacted by privacy risks that might even prevent its adoption altogether.

The Concept of Corporate Privacy

A conception of corporate privacy originates from universally accepted notions of individual privacy. As early as 1890, Warren and Brandeis defined privacy in legal terms as “the right [of individuals] to be left alone.” This early definition is only concerned with the physical dimension of privacy: the protection of personal space from others. Westin, a human rights activist, extended the term “privacy” in his 1966 definition: “Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin 1966, p.7). His definition has two major implications. Westin acknowledges that privacy is not only an individual right, but also applies to institutions such as corporations. Further, the definition extends privacy from the purely physical to informational; the idea of privacy thus extends to personal/proprietary information and the control of its dissemination. Privacy, then, has two basic dimensions: physical privacy and information privacy (Culnan, 1993).

In the past, the main body of the privacy law was phrased in terms of an individual person's rights. However, businesses have rights analogous to the individual’s right of privacy, which are stipulated in different laws. Trademark law holds that a business can own a product name and prevent others from using the same name, at least in the owner's territory. However, until 1996, the law did not explicitly prohibit the unwanted dissemination of corporate information. Laws such as the Interstate Transportation Act, the Mail Fraud Act or the Fraud by Wire Act were applied to the proprietary information of companies, although they were originally written for the protection of tangible goods (Department of Justice, 2001). The Economic Espionage Act of 1996 (EEA) closed that gap by explicitly protecting corporate information. The EEA is the first law that defines corporate information as property of the corporation that is protected. As such, corporate privacy—defined as control over access to and dissemination of economically valuable and secured corporate information—is explicitly protected by U.S. law.

Westin (1966), however, also acknowledges limits to the claim of privacy. First, privacy is not an absolute right. If privacy claims conflict with higher interests of the community or society, privacy rights might have to be conceded. Laws usually govern those exceptions to privacy. For example, an individual may not claim the solitude of

3

3

his or her home if a judge has signed a search warrant. While this exemplifies the lawful intrusion of physical privacy, information privacy can also be limited. Although a social security number constitutes personal information that is specific to an individual, an employee has to provide his or her social security number to the employer so he or she can pay benefits to the state. As such, the employee is not only forced to provide personal information to a single party, but also has this personal information disseminated to a third party (the state) for a higher purpose (social security of the labor force). In sum, individual privacy is a relative right that concerns the protection of and dissemination of personal information.

The same is true for corporate privacy. It is also a relative right that is governed by the interests of the society and its stakeholders. The right of the investors and the government to gain access to this proprietary information is another limit of corporate privacy. The most important regulation for publicly traded companies is the mandatory disclosure of periodical financial information. The disclosure system administered by the U.S. Security and Exchange commission (SEC) was created specifically to serve the information needs of stakeholders that are outside of the company. The basic objective of the law is to “require that investors receive financial and other significant information concerning securities being offered for public sale” (Securities Exchange Commission, 2004). However, since all public companies are required to publish this financial information, it is not a competitive disadvantage. With only a few limits to corporate privacy, from a legal perspective companies are able to control the provision and the dissemination of proprietary information, giving each company a high degree of corporate privacy. The protection of corporate privacy that the law provides, however, is only granted if the information meets certain requirements: it must have independent economic value, and it must be protected by reasonable security measures.

Information has economic value if rents can be appropriated from its use. The economic value of information derives from two attributes. First, the creation of information requires financial and human resources to gather and record which incurs cost. Further, knowledge has to be private in order to be economically valuable. It has been suggested that firms have strong incentives to protect proprietary information in order to exploit its economic value by disguising or distorting the information and by disconnecting it from its context (Williamson, 1979). There are several reasons for this behavior. First, there is the threat that competitors use proprietary information to diminish a company’s competitive advantage. This information can range across all capabilities of a firm. The publication of an internal telephone directory, for example, yields the risk of recruiters contacting key personnel and luring them away to competitors. In addition, competitors can use the disclosure of procurement data to pressure their own suppliers to lower prices or to switch to the same supplier to increase profits. Second, there might be a conflict of interest between stakeholders. The company management might want to pursue a strategic course that is different from the shareholders’ preferred strategy and thus may not want to release information about a recent acquisition. Similarly, a company might want to hide profits in order to pay

4

4

lower taxes to the government. While these are not transparent and fair business practices, they are nonetheless realistic reasons for management to protect corporate privacy.

Although there are different strategic advantages to corporate privacy, the benefit of corporate privacy depends on the type of knowledge it protects. In general, knowledge is embodied in the employees and the resulting knowledge products such as plans or patterns (Cheung, 1982). If knowledge is only existent in the employees and is not recorded, then it is tacit. In order to obtain this knowledge, a company has to recruit a competitor’s employee. Codified knowledge, on the other hand, can be recorded. Thus, it can easily be duplicated or transmitted. As such, codified knowledge improves the knowledge transfer within a company but also increases the likelihood that economically valuable information is leaked outside of the corporation. In order to prevent leakage, the information has to be protected from unauthorized access. Besides having independent economic value, information also needs to be stored in a secure way. Information should be stored and transferred so that it remains private and confidential. Apart from the threat of leakage of information from the inside of the corporation, there is also the threat of outside attacks. Liebeskind (1997) notes that structural isolation can protect the corporate environment from outside attacks. The extreme case of structural isolation is geographic isolation. Building a research institute in a remote area with no public access roads hinders outsiders to access or even to locate corporate knowledge bases. Still, such isolation might not be feasible either, given that employees are more likely to want to live within the corporate area and not to commute long hours to reach their workplace. A more viable protection can be gained from secure perimeters. Security devices can vary from simple fences to security architecture that resembles that of military bases.

Overall, it becomes clear that companies must employ new security measures that use the specific qualities of new technologies. Thus, only if security mechanisms are embedded in the technology a company adopts can it protect its corporate privacy. This also applies to RFID, which is the subject of the next section. After a brief introduction to the technology, security issues of the technology are discussed.

Technology Evaluation of RFID

In order to evaluate RFID in terms of corporate privacy, I will focus on three aspects of the technology. First, the RFID architecture is briefly discussed to understand the basic functionality and potential security flaws. Thereafter, the capabilities and benefits are introduced in order to comprehend the nature of the information that can be gathered across a generic supply chain. Finally, I discuss the security flaws and potential remedies.

5

5

Architecture

Radio Frequency Identification (RFID) systems are comprised of three main components: the RFID tag, or transponder, which is located on the object to be identified and is the data carrier in the RFID system; the RFID reader, or transceiver, which may be able to both read data from and write data to a transponder; and the data-processing subsystem that utilizes the data obtained from the transceiver in some useful manner. The basic components of an RFID system combine in the same manner for all applications and variations of RFID systems. All objects to be identified are physically tagged with transponders. Transceivers are placed to interrogate tags where their data is required. In sum, the transceivers and transponders provide the mechanism for obtaining data (and storing data in the case of writable tags) associated with physical objects. Today, passive RFID tags are the most widely used. Although their performance in terms of readability is, lower than that of active tags, their affordability makes them the prominent choice for current business applications.

The Auto-ID Center, a research center associated with MIT, has developed and implemented a system that enables all physical objects to be connected in real-time to the Internet by attaching an RFID tag to the object (Sarma, 1999). Given the constraints of passive tags, the system minimizes the functionality on the tag by moving that functionality to the network. The four key components of this system are the Electronic Product Code (EPC), the Object Name Service (ONS), the Savant, and the RFID transponders. The Electronic Product Code (EPC) is an identification scheme designed to enable the unique identification of all physical objects. On passive RFID tags, the EPC is stored on 96 bits and contain header, manufacturer, product and serial information. The EPC acts like a trigger to the information stored in the network. The Object Name Service (ONS) is a directory service that maps the EPC to an IP (Internet Protocol) address where information about the associated object can be written and/or accessed. The ONS is based entirely on the Domain Name Service (DNS) to map a domain name to an IP address. The ONS reduces the burden on the transponders because it reduces the memory and power requirements on the tag and thus minimizes the footprint of the tag’s microchip, reducing the cost of the transponder. In addition, it protects most of the economically valuable information that is linked to the product via the RFID tag. Thus, through the complementary tag design and architecture, security protection does not necessarily have to focus on the tag itself in order to protect information. The last component, the Savant system, is concerned with the security of the network. It provides automated control functionality and manages the large volumes of data generated by the RFID readers. A Savant makes possible the creation of a reader network by acting as a gateway to the next highest level in the Savant hierarchy, effectively isolating the reader’s sub-network. The use of Savants enables distributed security by providing convenient points for network isolation. The Savant network further reduces the burden on the tags by reducing the memory and power requirements on them, so transferring the computationally intensive functionality to a

6

6

powered system. Thus, the RFID architecture corresponds to the ISO OSI reference model of network architecture. The tags and the readers are the physical layer, which is the lowest layer in the model. The EPC code corresponds to the data-link layer, which is responsible for proper communication between the readers and the tags. The next layer in the ISO OSI model, the network layer, defines the standards of network communications. The Savant serves this purpose by gathering the EPC and sending them to the ONS. For purposes of this paper, I will restrict the discussion to those three layers, since the TCP/IP (transport) and the ONS layers are duplicates of the Internet architecture and thus are not RFID-specific. Figure 2 gives an overview over the classification of the RFID architecture.

In theory, the OSI model warrants security of information transfer between the different layers. As such, the separation of product code and product information seems to be the most economical solution that ensures protection of the data. Although this solution might be the most cost-effective, it creates security issues that derive from the architecture of the physical layer. The following section will first identify the capabilities and benefits of RFID and then focus on potential corporate privacy threats.

Capabilities and Benefits

The main capabilities of RFID are increased reader accuracy, the ability to gather information at new points in the supply chain, and new methods of collaborative sharing of information between different supply chain levels. Increased accuracy is mainly achieved through the replacement of bar codes with RFID tags. Instead of manual or semi-automatic scanning of bar codes, information that is contained on RFID tags can be read without a line of sight. Thus, information can be gathered simply by passing through a checkpoint. Further, items can be read simultaneously, which allows unparalleled amounts of information to be read.

The business benefits of RFID follow the categorization of Dehning et al. (2003). According to their IT strategic role construct, main benefits of IT are the automation of business processes, information gathering, and transformation of business processes. Automation usually replaces manual labor and thus provides timesaving and reduced labor costs. Faster and more accurate reading of product information is the best example for this benefit. Information benefits constitute better information distribution throughout a company or supply chain. While RFID tags by themselves cannot provide this benefit, a network infrastructure (such as EDI that transmits the information gathered through the serialization of RFID tagged products) can provide this benefit. If, for example, there is a need to track down a particular case or pallet of items that might have been damaged during the packaging process, a quality manager can simply find out the location in real-time on the network instead of waiting for a time- consuming inventory count in physical locations. The ultimate strategic role of an information technology is to transform a single business or an entire industry. In the coming years, RFID can potentially provide this benefit by enabling new processes or new collaborative information networks within the supply chain.

7

7

Security Flaws and Potential Solutions

As described in the previous sections, there are three general situations in which data can potentially be unprotected: while being stored on the tag; while being stored in the connected database; or while being transmitted between the two, which corresponds to the first three layers of the OSI model. Unfortunately, current RFID tags, being part of the physical layer, do not have secure protection. They, and the information contained on them, can be altered and modified, which might lead to unauthorized access of proprietary data. The first possible alteration of RFID tags is physical attacks. However, physical alteration tends to demand time-consuming techniques such as laser etching, and such techniques usually require a laboratory setting and cannot be carried out unnoticed in public, e.g., in a store where merchandise is tagged. Thus, there is no action necessary by the retailer except for looking out for suspicious activity in a store.

Data can also be obtained during the transmission of the data between tag and reader. It has been hypothesized that readers could be placed outside the property lines of a warehouse or store. Weis et al. (2003) suggest two preventive measures to block reading from far range. The first measure is to limit the sending signal range or backward channel of the tag, which allows only short range. The second measure is to install blockers or signal jammers that create a frequency firewall around the company’s property. While those measures might prevent long-range access, short-range access is still a major threat. To address this problem, Weis et al. (2003) suggest the implementation of a hash function. The hash is a random encryption of the tag’s MetaID. Once the MetaID has been assigned, it is encrypted and sent to the reader. Upon the sending of the hash, the tag enters a locked state and responds to queries from readers only with its MetaID. Only if the correct hash key is transmitted to the tag will it unlock itself. The authors claim that this method only requires the implementation of the hashing capability on the tag, which requires minimum storage space and thus might soon be economical. The last possible point of vulnerability is the product information database. With a whole supply chain connected to a central database, chances are that there might be security leaks at the connected locations. There has to be an access management in place that regulates which supply chain partner can access different types of information. The main problem with such a data management system involves network control and ownership of the information. Nonetheless, for purposes of this paper I will assume that the network architecture is secured through the Savant system and traditional security systems such as firewalls.

To bolster the Savant security, companies should install additional monitoring mechanisms for possible intrusions. One possibility is reading detectors that can filter out requests by unauthorized readers. Those detectors could also monitor the signal strengths in order to determine if the reading was attempted by an unauthorized long-range reader. Further, tags should incorporate a warning feature that alarms the system if any attempts to alter, disable or remove the tags occur. Overall, several known RFID-technology security issues must be addressed. There is a need to implement security

8

8

and monitor mechanisms to protect information that has been gathered and transmitted through RFID. While security solutions only exist in theory, the Savant system is comparatively a thoughtfully designed protection that seems rather easy to implement. The protection of the RFID tags, on the other hand requires considerable work by the tag manufacturers. The next section of this paper discusses how these security issues of this technology could influence corporate privacy and how competitors might take advantage of them at different stages of a supply chain.

Privacy Scenarios

Unauthorized readers may compromise corporate privacy by accessing tags that lack adequate access control. Without access control, a third party could just use a mobile reader and scan product flows. This section introduces privacy scenarios for individual participants as well as for the supply chain as a whole and will describe selected scenarios of how a competitor could take advantage of gathered information. .

Manufacturer

It is safe to assume that at a factory and the respective warehouse there is no physical access for third parties. Thus, information such as material flows or location data cannot be gathered using a mobile reader inside the manufacturing location. Still, there is a danger of long-range reading; and assuming that no preventive measures against outside attacks such as a signal blocker are in place, a competitor might yet extract valuable information. While a competitor cannot read actual assembly flows within a factory, she might be able to read the stock levels of both incoming raw materials and finished goods. With this information, a competitor can not only monitor the current production schedule but also estimate current and future orders for particular products. Armed thus, the competitor could change its own strategy either by producing directly competitive goods or by focusing on different products that are not currently in stock in order to avoid direct competition.

Transport / distribution centers

During transport, there is no secure perimeter. Unless trucks are equipped with local blockers or are made of signal blocking materials, competitors with mobile readers can track truckloads. As with the factory warehouse, products in distribution can also be read from the outside. While it might appear that only stock-level information is at stake at this stage of the supply chain, there is another privacy threat that arises from the transport of good marked with distribution center data: destination information. Through an analysis of product movement through a country and the stock levels of local distribution centers, market data can be gathered. If, for example, a certain product is shipped only to a single region, a competitor can assume that there is a particular demand in this region and thus can adjust his/her own distribution strategy.

Retail store

Although competitors can browse through competitors’ shelves while pretending to be customers, the results of the data collection using RFID would differ

9

9

both in quality and in scale. Before the introduction of RFID, the spy would have to go through shelves and would have to approximate the number of items in store. Using RFID, he/she would simply walk through the store and analyze all SKUs that are equipped with RFID tags. Although the data only consists of EPC codes and not of pricing or status data, it would only be a matter of time to match a product with an EPC code family. Assuming that individual items, and not only pallets and cases, are tagged, even more crucial information could be gathered. If every product can be uniquely identified, frequent scans could precisely monitor the product flow of individual products within the store. Information could be dated and matched to location. A possible product flow log could read as follows:

Product XYZ arrived in a delivery truck on Monday at 10 a.m. and was then moved to the warehouse. At 2 p.m., it was shelved in the store. XYZ was bought on Tuesday at 8 p.m. (item outside of reader range).

That way, a competitor would get a good idea about the product flows and product turnover of a particular retailer.

In addition to product information, other types of RFID-encoded information might also be unsecured. Retailers are also toying with the idea of implementing RFID tags into customer loyalty cards to ease the checkout process. Again, the customer information is stored in a central database and is only triggered by the unique identification number on the tag. Nonetheless, accessing the information could give competitors clues about purchase patterns and consumer behavior within the store that could be the basis of specific target marketing. Further, there are already applications that use RFID tags to identify employees. Although employee location data might be useful knowledge to assess workflows, access to the identification data might be more valuable to competitors. With the data, competitors can try to spoof an ID tag and thus gain access to insider information.

There are also other security flaws that do not threaten corporate privacy directly but that could disrupt the operations of businesses. For example, in addition to threats of passive eavesdropping and tracking, an infrastructure dependent on RFID tags may be susceptible to denial of service attacks. Saboteurs could disrupt supply chains by disabling or corrupting a large batch of tags. Moreover, thieves could rewrite or replace tags on expensive items with spoofed data from cheaper items. Overall, the premature introduction of the still-imperfect RFID technology poses considerable risks to businesses. In the next section of this paper, I formulate propositions that identify those elements that influence the components of corporate privacy and then propose an adoption model for RFID that incorporates corporate privacy.

RFID and Corporate Privacy

The prior discussion has shown that the construct of corporate privacy has two dimensions: the value of the information and the security measures taken to protect it.

10

10

Several factors determine the value of information that can be gathered through RFID. From an economics perspective, information is valuable if it is complete (Lawrence 1999, p.26). Completeness of information is achieved if there is no uncertain decision parameter. The economic concept the value of information is closely related to the quality-of-information discussion of the Information Systems literature. Instead of abstract descriptions of completeness, the discussion identifies information attributes that can measure its quality. Based on DeLone and McLean’s (1992) model, Seddon (1997) has identified three major attributes of information that contribute to data or information quality: accuracy, timeliness, and relevance of information. Whereas the first two attributes are directly derived from the information-gathering-technology capability, the latter depends on the data-processing capabilities of both the decision support system and the decision maker.

Traditionally, accuracy refers to the degree to which the reported value is in conformance with the actual or true value (DeLeon and McLean 1992). Thus, accuracy is one of the dimensions of data quality since it improves the value of information (Hilton 1981). Through the automated reading of inventory, for example, constant counts and recounts can take place in order to know the exact number of units in single location. Accuracy is further improved with the depth of RFID tagging. If only pallets are tagged, the information does not have to be accurate since the cases or items on the palette might have been rearranged or restocked at different times in the supply chain. Only if individual items are tagged can the product distribution be accurately read. The last aspect of information accuracy depends on the depth of the reader network. If only a single location is equipped with readers, only static information such as stock levels can be gathered. However, if there is a network of readers through out different locations of the supply chain the actual product flow can be monitored and potential problems be identified more easily. Proposition 1a summarizes the impact of information accuracy on the adopter’s economic value of information:

Proposition 1a: Higher accuracy of information increases the information quality for the adopter.

Another attribute of the information gathered with RFID is the timeliness of the information, which is defined as the “[t]he availability of the output information at a time suitable for its use” (Bailey 1983, p. 541). If there is a reader network in place that continuously updates information and if this information is available to decision makers, there is virtually no delay in the transmission of the information. Thus, the information gathered through is more valuable because managers can make decisions based on real-time data. If for example a product is missing at a distribution center, it can be immediately reordered in order to minimize the disruption of the product flow. Further, damaged items can be located faster, which minimizes cost of manual searches. The impact of timeliness of information is summarized in proposition 1b.

Proposition 1b: Higher timeliness of information increases the information quality for the adopter.

11

11

The third information attribute that influences the economic value of the information is the relevance of the data. Although there is a good chance that the information gathered from RFID is useful for the adopter, there might be an information risk. Smith et al. (2001) and Peladeau (1995) have pointed out that the collection of too much information as well as keeping of unneeded and outdated material decrease the usefulness of information and thus the productivity of the adopting entity. Moreover, there is a chance that information is misinterpreted (Marshall et. al 1996) which can also decrease the original value of information. Since both of these problems are caused by the cognitive boundaries of the deciding individual, a potential remedy for reestablishing the value of information is to implement a decision support system that can automatically analyze vast amounts of data. Proposition 1c

Proposition 1c: Higher relevance of information increases the information quality for the adopter.

The prior propositions have summarized the impact of the RFID inherent technology capabilities on information quality. However, information quality does not necessarily translate into economic value for the organization. Economic value is only created if better business decisions are made based on the gathered information. Raghunathan (1999) proposed that decision quality is a result of both information quality and quality of the decision maker or the decision making progress. Tallon et al. (2000) also recognized that the management practices moderate the effect of Information Technology on the created business value. The economic value of the information gathered with RFID will also be dependent on the quality on the decision process, since the information can only be a trigger for the management’s decision to restock items or to implement new business policies. Although the quality of the decision process is not the focus of this paper, it has to be included in the research model, since it provides the causal link between information quality and current or future economic value of the information.

Proposition 2: Higher quality of the decision-making process increases the adopter’s economic value of the gathered information.

Reasonable measures to secure information are the second dimension of corporate privacy. The security of the information depends on where the information is stored and how this storage area is protected. First the, general location has to be protected. In order to alter RFID tags close range proximity is necessary. Thus, physical access to the company grounds has to be controlled. If the tags are physically secured the information cannot be altered through spoofing or etching techniques, providing basic security. The second level of security would be to prevent access to the tag reader communications. Possible measures are blocker tags (for specific protection) or Faraday cages (for structural isolation) (Juels et al. 2003). Such security measures that are not technology inherent provide one dimension of security. As discussed before, the physical layer of the RFID infrastructure is the most vulnerable to unauthorized access. Consequences of this access include manipulation of data and denial of service. Because

12

12

there are numerous ways to obtain or manipulate the data that is stored at the physical layer of the RFID architecture, there is a probability that information can be leaked outside the company or supply chain. Higher-level layers, such as databases and those levels that are protected through the Savant layer, are at a substantially lower security risk. This is because the network architecture is similar to existing technologies such as the Internet where the main security issues and protection mechanisms are already standard procedure. Thus, security is also a function of the storage device. The last security issue considered here is the supply chain length. With more partners and locations involved, the probability increases that inadequate security measures are in place at some point in the supply chain. One unsecured warehouse or an unconcerned handling of access information by an employee can jeopardize the security of the product flow information. In addition, there might be a conflicted-interest motivation for a supplier supplying different customers; such a supplier could provide access to competitors’ information networks. The effect of peripheral security measures, level of network layer and supply chain length are summarized in the next set of propositions.

Proposition 3a: The higher peripheral security measures the higher the information security.

Proposition 3b: The higher the layer of the architecture on which information is stored the higher the information security.

Proposition 3c: The higher the number of linked supply-chain participants on the lower the information security.

With the two factors of corporate privacy identified—the economic value of the information and the security of the device where this information is stored—we can explore different levels of corporate privacy risk. If, for example, highly valuable information is stored on the highly unsecured tags, then corporate privacy risk is the highest because competitors can access and exploit this information relatively easily. Yet, if both the security risk and the economic value are low, there is hardly any corporate privacy risk. Thus, the more information available through the introduction of RFID and the less security on the storage devices, the more corporate privacy can be compromised. Table 1 below summarizes this relationship, while Proposition 4 summarizes the impact of the two dimensions.

Proposition 4: Higher probability of unauthorized access and higher economic value of the information increases the corporate privacy risk

13

13

Table 1

Economic Value of Information

Low High

Low Low Corporate Privacy Risk Medium Corporate Privacy Risk

Security

Risk

High Medium Corporate Privacy Risk High Corporate Privacy Risk

Source: Aubert et al. 1998

Apart from the adopter’s economic value, the attributes of information gathered through RFID are also attractive for competitors. Increased accuracy, timeliness and relevance of the information can potentially increase the information quality on which a competitor bases her decision. Nonetheless, as an outsider, she will only have restricted access to the information sources. As discussed before, information that is gathered from a single source can only provide limited benefits to competitors since such a snapshot does not provide product flow information but mainly location and stock level data. If, on the other hand, the whole supply chain is connected through a RFID network, valuable information can be extracted, such as procurement or distribution strategies that a competitor could exploit. The location of the RFID deployment within the supply chain also determines the quality and thus the value of the information for the competitor. At the manufacturer, only quantities of materials and products can be observed while destination information and order quantities from specific customers remain unknown. The closer the product moves to the consumer, the better the destination information becomes. With information that is more complete a competitor can better adjust its strategy.

Nonetheless, there is a tradeoff between the completeness of the information and the time to react to new information (Ballou et al. 1995). If information is gathered at an early stage in the supply chain, competitors have more time to adjust their strategy, while at a late stage in the supply chain, only tactical adjustments can be made. Further, the information quality is determined by the granularity of the tagging. If only pallets are tagged, only a small amount of information can be gathered. If, however, individual items are equipped with RFID, the information is more accurate. Besides the fact that the type of information gathered has to fit the information her information needs, the competitor also has to be able to process the gathered information. Like the adopter, only a high quality decision-making process will yield economic value of the information. In summary, the competitor does not automatically benefit from the fact that information is available to her. The next proposition summarizes this relationship.

Proposition 5a: Better fit of the gathered information increases the competitor’s economic value of the gathered information.

14

14

Competitor’s organizational attributes

Security attributesInformation attributes

Information Quality

Security of technology layer

Security of physical access

Accuracy of information

Timeliness of information

Relevance of information

Perceived Benefits Perceived Cost

Supply chain security

Competitor’s quality of decision process

Adopter’s quality of decision processInformation fit

Competitor’s Economic Value of

Information

Adopter’s Economic Value of

InformationCorporate Privacy Risk

Information Security

Adopter’s organizational attributes

P1a: +

P1b: +

P1c: +

P3a: +

P3b: +

P3c: +

P4: -

+

+

+ P2: +

P5:

Proposition5b: Higher decision-making process quality increases the competitor’s economic value of the gathered information.

With all the propositions in place that take the dimensions of corporate privacy into account, an Information Technology evaluation paints an interesting picture. As expected, the perceived benefits of a new Information Technology stem from the economic value of the gathered information. However, there are three distinct factors that not only result in cost, but also that can also completely diminish the benefits. First, there are actual costs that derive from implementing the different security measures that can be calculated before an actual adoption. Second, competitors can gain profits from information that is not protected by the adopter, which can harm the adopter’s competitive position and thus can be interpreted as cost for the adopter. Third and most importantly, the introduction of unsecured information technology can threaten corporate privacy. If the measures to protect data are not appropriate, the information can be considered public and thus not only be exploited by a technology savvy competitor, but by every entity that that chooses to do so. Figure 2 summarizes the complete research model.

Figure 2 Research Model

15

15

Looking ahead, this evaluative model could be included in existing technology adoption models. Chwelos et al. (2001) have modified the Technology Adoption Model (TAM, Davis 1986, 1989) in order to explain the technology acceptance behavior of organizations. In the context of EDI adoption, he developed three constructs that explain the adoption of EDI: readiness, perceived benefits and external pressure. Perceived benefits are the direct and indirect benefits that an organization hopes to realize with the adoption of a technology. Direct benefits are cost- and time-savings that arise from technology capabilities. In the context of RFID, those economic benefits of a successful implementation would be automated data entry (error free) and corresponding reduction of time and labor costs, better theft protection of the inventory as well the reduction of under and overstocking costs. Indirect effects are defined as opportunities that arise from a technology implementation. The implementation of RFID can yield such effects, in the form of better system utilization and better data management as well as better coordination of in store marketing activities.

Further, assuming that the RFID tags communicate the status of perishable goods, automated dynamic pricing could be employed to discount those items before they are spoiled. Moreover, there are benefits that arise from collaborative information sharing across the supply chain. However, these perceived benefits identified in the Chwelos model are only one side of the coin. The model fails to incorporate potential costs and risks associated with the adoption of a new technology. It is exactly this gap of the adoption model that the developed research model can fill. The costs of unauthorized access to a company’s information are often neglected because they do not arise until proprietary information is disseminated. Moreover, those costs are hard to quantify because information as such does not have a set value. The value of the information depends on who obtains the data and how it is used. In the context of technology adoption, those costs are a direct function of the security flaws of a technology. As described in the previous sections, RFID is still an imperfect technology. Tags and readers are not secure and can provide unauthorized access to product, customer and employee information. Any unauthorized access to stored or intercepted data facilitated by flawed technology will decrease the perceived benefits of RFID.

Conclusion

Proprietary data provides a competitive advantage and thus needs to be protected. This paper has defined corporate privacy as control over access to and dissemination of corporate information and has emphasized the requirements that businesses have to fulfill in order to have corporate information legally protected. The requirements for legal protection of corporate privacy are economic value of information and reasonable measures to protect this information. The paper made the case that—through increased accuracy, timeliness and relevance of information that is gathered through RFID information—the quality of that information is increased. This corresponds to the economic value of the information if an adequate decision-making

16

16

process accompanies it. Further, the security of the current RFID architecture has been reviewed and reasonable measures to patch security flaws have been proposed. While the database of product information is secure through the implementation of the Savant layer, RFID tags themselves are currently a security risk, even though there are already theoretical solutions to this problem. As such, the introduction of the current RFID technology can seriously compromise corporate privacy. The theoretical model I propose has two major implications. First, it contributes to theory-building in the IS field by theorizing how the economic value of information and the security of storage devices affects corporate privacy. Further, it expands a current technology adoption model by showing that corporate privacy risks are a cost factor in the technology adoption decision. The model also suggests a few directions for future research.

First, the introduced model and the included constructs need to be refined and be tested empirically. In particular, the constructs of economic value of information and the degree of corporate privacy risk have to be confirmed. It is hard to estimate a hierarchy of information value. Although it was assumed that location data is less valuable than product flow data within a retail store, what information is valuable to which market participants depends on the industry. With such a hierarchy of information in place, the measure for corporate privacy risk could develop from the crude measures depicted in Table 1 to a refined scale that can measure the impact on technology adoption and technology use. Moreover, it would allow for a dynamic model of technology adoption that could incorporate both improvements in and increasing familiarity with a new technology into account. Such a longitudinal model of technology adoption would allow for an analysis of first-mover benefits and costs, which could result in the optimal point of adoption where the benefits outweigh the costs and risks of adopting a new technology.

As for methodology, the first step will be to undertake a case study. An appropriate site would be a company that recently has or will in the near future introduce RFID to transmit economically valuable information. The target of the first case study will be the Emory Health Care system. Emory Health Care has already introduced RFID to track movement and location of medical equipment. Apart from interviews with the responsible managers to extract the reasoning and considerations behind the RFID adoption, it will also be a unique site to test the security of the system. It is assumed that the hospital would welcome such an investigation, since security breaches not only could reveal corporate information, but also could harm the privacy of their customers. After this initial case study, health care-specific privacy concerns will have been identified. To improve the model and the constructs further, those findings have to be generalized across industries and Information technologies. To achieve this objective a survey instrument will be developed and sent out to IT managers in different industries. The last step in the research strategy would be to look for archival evidence from secondary sources to further improve the model. An appropriate start would be the analysis of newswire reports that identify security

17

17

breaches of information technologies and resulting stock market reactions to attach a financial value to the loss or compromise of formerly protected corporate information.

Another important issue that needs to be addressed in future research is the ownership of information. Although current law protects the information of a single entity, ownership of data gathered throughout a supply chain is uncertain, as is the question of which entity should have the rights to distribute it. Should the consumer have the right to own all information that was gathered along the supply chain after he or she purchased the product? As is suggested in this paper, that information has an independent economic value, but that would mean that the ownership of the product does not automatically imply ownership of the product information. This question is crucial when one considers the competing claims of individual privacy and corporate privacy. While these questions cannot be answered immediately, this paper suggests a starting point is to think about technology from the point of view of information value and furthermore to think about how technology is a means to create and protect such information. A slightly different approach to information technology privacy would be technological alignment to needs of stakeholders. This paper discusses the impact of information technology on only one specific right (privacy) of one specific stakeholder (corporation). However, as mentioned in the introduction, there are multiple stakeholders with different rights that can be influenced by technology capabilities and flaws. As such, technology mechanisms and architectures have to be identified to satisfy those different needs without compromising the rights of the stakeholders. This paper’s analysis of contributing factors to adoption decision is only a small piece of the technological alignment discussion. Nevertheless, it poses a good starting point for future research.

18

18

References

___ "Economic Espionage Act," in: TITLE 18, 1996.

Aubert, B., M. Patry, and Rivard, S. (1998). “Assessing the Risk of IT Outsourcing,” Proceedings of the 31st Hawaii International Conference on Systems Sciences. California: IEEE, 685 – 693.

Bailey, J.E., and Pearson, S.W. "Development of a tool for measuring and analyzing computer user satisfaction," Management Science (29:4), May 1983, pp 530-546.

Ballou, D.P., and Pazer, H.L. "Designing Information Systems to Optimize the Accuracy-timeliness Tradeoff," Information Systems Research (6:1) 1995, pp 51-73.

Cheung, S. "Property Rights and Trade Secrets," Economic Inquiry (20) 1982, pp 40-53.

Chwelos, P., Benbasat, I., and Dexter, A.S. "Research report: Empirical test of an EDI adoption model," Information Systems Research (12:3), Sep 2001, pp 304-321.

Culnan, M.J. "How Did They Get My Name - an Exploratory Investigation of Consumer Attitudes toward Secondary Information Use," MIS Quarterly (17:3), Sep 1993, pp 341-361.

Culnan, M.J., and Armstrong, P.K. "Information privacy concerns, procedural fairness, and impersonal trust: An empirical investigation," Organization Science (10:1), Jan-Feb 1999, pp 104-115.

Davis, F. "Technology Acceptance Model for Empirically Testing New End-User Information Systems: Theory and Results," Massachusetts Institute of Technology, Boston, MA, 1986.

Davis, F.D., Bagozzi, R.P., and Warshaw, P.R. "User Acceptance of Computer-Technology - a Comparison of Two Theoretical-Models," Management Science (35:8), Aug 1989, pp 982-1003.

Dehning, B., Richardson, V.J., and Zmud, R.W. "The Value Relevance of Announcements of Transformational Information Technology Investments," MIS Quarterly (27:4) 2003.

Department of Justice "Theft of Commercial Trade Secrets," in: Computer Crime and Intellectual Property Section (CCIPS), 2001.

Hilton, R.W. "The determinants of information value: Synthesizing some general results," Management Science (27:1) 1981, pp 57-64.

Juels, A., Rivest, R.L., and Szydlo, M. "The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy," CCS’03, AMC, Washington, DC, USA, 2003.

Lawrence, D.B. The economic value of information Springer-Verlag, New York, 1999.

19

19

Lee, H.G., Clark, T., and Tam, K.Y. "Research report. Can EDI benefit adopters?," Information Systems Research (10:2), Jun 1999, pp 186-195.

Lee, H.L., Padmanabhan, V., and Whang, S. "Information distortion in a supply chain: The bullwhip effect," Management Science (43) 1997, p 546–559.

Liebeskind, J.P. "Keeping Organizational Secrets: Protective Institutional Mechanisms and their Costs," Industrial and Corporate Change (6) 1997, pp 623-663.

Loch, Karen D.; Carr, Houston H." Threats to information systems: Today's Reality, Yesterday's Understanding," MIS Quarterly, Jun1992, 16(2), pp173-183

Matsura, J.H. Managing intellectual assets in the digital age Artech House, Boston, MA, 2003.

News.au.com "German chain kills RFID plan," 2004.

Pare´, G., and Raymond, L. "Measurement of information technology sophistication in SMEs," Proc. Admin. Sci. Association of Canada) 1991, p 90–101.

Peladeau, P. “Principles of Personal Data Protection,” Risk Management, 42(12), 1995, pp 35 – 40.

Raghunathan, S. "Impact of information quality and decision-maker quality on decision quality: a theoretical model and simulation analysis," Decision Support Systems (26:4), 1999, pp 275-286.

Sarma, S., Ashton, K., and Brock, D. "The Networked Physical World,," in: Technical Report MIT-AUTOID -WH-001, 1999.

Schwartz, E. "RFID may give "Tag, you're it!" a whole new meaning," in: InfoWorld, 2004.

Securities Exchange Comission "How the SEC Protects Investors, Maintains Market Integrity," 2004.

Seddon, P. B. "A Respecification and Extension of the DeLeone and McLean model of IS success," Information Systems Research (8:3), Sep 1997, pp 240-253

Smith, H. A., Mc,"Keen, J.D., and Staples, D. S. "Risk Management in Information Systems: Problems and Potential," Communications of AIS (7), August 2001

Tallon, P. P., Kraemer, K.L., and Gurbaxani, V," Executives Perceptions of the Business Value of Information Technology: A Process-Oriented Approach", Journal of Management Information Systems (16:4), Spring 2000, pp 145-173.

Venkatesh, V., Morris, M.G., Davis, G.B., and Davis, F.D. "User Acceptance of Information Technology: Toward a Unified View," MIS Quarterly (27:4) 2003, pp 425-478.

Warren, and Brandeis "The Right to Privacy," Harvard Law Review (4:5), December 1890, pp 193-220.

20

20

Weis, S.A., Sarma, S.E., Rivest, R.L., and Engels, D.W. "Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems," Laboratory for Computer Science, Auto-ID Center: Massachusetts Institute of Technology, 2003.

Westin, A.F. Privacy and Freedom Atheneum, New York, 1966.

Williamson, O.E. "Transaction Cost Economics: The Governance of Contractual Relation," Journal of Law and Economics (22:October) 1979, pp 3-61.