As regular readers will know I have been working closely with an organisation called Book Industry Communication (BIC) – a charity supported by both the book trade and the library community – for many years. BIC’s mission is, as the name suggests, to improve communication across all sectors of the book trade (including electronic) and has been instrumental in establishing many of the standards now used in libraries.

This post has been inspired in part by an email from Kathy Settle. In a three-way discussion about BIC’s recent report on RFID privacy she commented that the sample poster template included at the foot of the web page (for use in libraries to help inform users about the potential risks associated with RFID tags) , “If it was my mum reading it, I’d think she would be very confused – and worse, very worried – about what this all means”.

She has a point. The public aren’t included in the long list of people for whom the guidance is intended – but it does suggest ways in which libraries should inform their users that RFID is being used by the staff.

By pure coincidence I received an email this morning from a library user who is writing his own application to interact directly with library stock. I can’t tell you what he wants to do with it in case he plans to sell it to other members of the public, but I can at least assure you that it is an entirely innocent idea that has some merit.

This may sound surprisingly ambitious – after all librarians have been rather slow to recognise the potential that now sits on their shelves – but such initiatives are likely to become increasingly more frequent as the public recognise that most of the stock on the shelves of our libraries are wide open to exploitation by anyone with a smartphone app.

Why a ‘UK’ guide? Well almost 100% of UK libraries now use essentially the same technology and standards whether they know it or not, so this guide will work for almost 100% of UK library users. There’s no mention of data models, frequencies, encryption, or any of the myriad other variables that make RFID sound more complicated than it is – and which have led to other countries choosing different paths to RFID deployment.

This guide is different from everything else I have written about RFID over the past 10 years or so. It is much shorter, and is for the individual who wants to write their own app as well as the ordinary citizen who just wants to borrow a book.

And of course it’s for Kathy’s mum.

A UK Library User’s Guide to RFID

What’s RFID?

RFID stands for Radio Frequency Identification. Your library uses it to keep track of its books etc. It’s a very simple idea with a huge range of applications so you probably already have some form of it in your possession already. If you have a bus pass, travelcard (like Oyster), a bank card that you can just wave at a terminal or a library book the chances are that it has RFID on board.

There are lots of different kinds of RFID but they all have two things in common – they use a ‘chip’ to store information and an aerial (attached to the chip) to send and receive information. The ones in your library books are about the size of a credit card and are called ‘tags’.

Why is my library using RFID?

Well according to the findings of surveys that I used to carry out annually almost 100% of them are using it to allow you to borrow items from the library without the need to trouble a member of staff. Libraries call this “self-service circulation” and it’s a bit like using the self-service device to buy goods in a supermarket except that you don’t have to pay and you use a radio scanner to read a library RFID tag instead of an optical scanner to read a supermarket barcode.

Like supermarkets libraries still do use barcodes to manage their stock sometimes although the information in the barcode is also present on the tag – plus a whole lot more. The main reason libraries switched from barcodes to tags was to improve security. Before RFID libraries tried a variety of ways to protect themselves from theft – the most popular was something called ‘tattle-tape’ – a magnetic strip hidden in a stock item that could be magnetised and de-magnetised. Security gates at library exits used magnetic waves to detect any item being removed illegally. The system worked well but required expensive and bulky electromagnets to arm and disarm the strips. RFID simply writes a code to each tag to specify whether it can be borrowed or not.

RFID security devices often resemble the earlier electromagnetic ones but work in a completely different way so you cannot ‘mix and match’ the two technologies.

Is RFID harmful?

The technology has been in use for more than half a century without any reports of any impact on health and the voltages used to run RFID systems are very much lower than those used by electromagnetic devices.

Why does my library want me to know if they are using RFID?

The European Union issued a mandate some years ago that recommends that libraries (and other establishments) notify their users if RFID technology is in use in a location to enable them to assess any personal risk to their privacy.

Are there risks to my privacy?

Because data is being broadcast over the airwaves there is the possibility that a third party could intercept messages exchanged between your books and the library’s self-service devices.

However most libraries do not record any data that can be traced to an individual on their RFID tags. Anyone seeking to discover what someone is reading would also have to gain access to the library’s database in order to decode what would otherwise be just a stream of numbers flying through the ether. It is nonetheless a level of risk that the EU feels deserves advertisement by the library.
Your membership card by the way is still most likely to be using the ‘old’ technology barcodes which cannot be read by radio.

Is RFID used for anything else?

Some librarians have been very creative in finding ways to exploit RFID technology and use it for much more than issuing and returning stock. There are examples all over the internet and elsewhere in this blog. None of them offer any additional threat to library users over and above that mentioned above.

…….

So that’s my attempt at a user’s guide to RFID. I am aware that it will not apply to everyone but I think it works quite well for the majority of UK libraries. My thanks to Kathy’s mum for taking the time to read it and offer some helpful suggestions – likewise to Kathy for finding the time to do likewise.

A final word for librarians

If there are any additional concerns about public interaction with the library they should be troubling librarians rather than the public. The reason for my saying this concerns recent advances in a technology called NFC (short for Near Field Communication) that have resulted in many smartphones being able to read and write to library tags. As I indicated at the start of this post some members of the public are already using this capability to develop their own apps to interact with library stock. For the moment this appears to be for purely benign reasons.

But that could change of course.

On Wednesday NXP made a seemingly routine product announcement about their new RFID chip designed especially for libraries – the reassuringly geeky sounding ICODE SLIX 2.

The press release doesn’t say very much about the reasons for the chip’s development, rather it concentrates on the improvements it will bring to library users of RFID technology. The more technically minded can download the full specification of the chip here.

The poor benighted librarian reading this announcement – which has been duplicated by the excellent Marshall Breeding on his website – will however probably be simultaneously confused and reassured. After all just about all the major players (in the UK RFID market at least) have made supportive and excited noises about the significance of the new product in the announcement – and I know from my annual surveys that librarians trust their suppliers above almost everybody else in the market (apart from other librarians) when it comes to RFID.

So why this post?

Well you can call me a sceptic (people do you know) but I take very little at face value and there are some threads running through this announcement that raise questions in my mind. Coupled with other information I received last week I’m beginning to wonder whether we’re about to see a realignment in the library automation world that we haven’t seen the like of since the birth of the Internet.

Let’s look at what the statement says and try and figure out what’s going on here.

After the usual “it’s all going to be so much better” messages we are told that,

“The SLIX 2 is fully compatible with existing ICODE library systems, ensuring that over 5000 public and university libraries already using ICODE SLIX and ICODE SLI based labels can migrate and benefit from the latest technology without difficulties”.

Which is good news for the 5000 (where ARE all these libraries, and how are they being counted I wonder?) but there will be many more libraries out there NOT using the ICODE family of products that won’t. Unlike most RFID users libraries tend not to replace their RFID tags – and their “product” lifecycles are significantly longer than in retail for example.

So the chances are that many libraries will still be using tags that even predate the existence of the ICODE family of products. An obvious point I know – but I know some librarians who will think that this statement means everything’s fine. When it may not be.

The next point that caught my eye was,

“In addition to improved scanning and reading capabilities the new SLIX 2 introduces near field communication (NFC) technology to enhance library services.”

Now THAT’s a really interesting way to present information that already applies to ANY RFID tag using 13.56 MHz tags (and that’s ALL of them in the UK by the way).  Regular readers will be aware that the potential for NFC devices (like smartphones and tablets) to be used to alter or delete data on RFID tags is something of an obsession of this author’s. It’s been possible for years now, what’s different is the recent surge in the number of NFC devices on the market. To me this sounds like spin – the implication that NFC has been “added” suggests that it hasn’t been possible before. But it has. For ages now.

What the data sheet will also tell you is that NXP are introducing a number of new features on this chip that will enable suppliers to password protect, and even kill tags. Librarians should consider two aspects of this news.

Firstly that this protection will only available on the new tags, and secondly that password protection may not be the answer to the problem because of the way in which libraries actually work (something frequently misunderstood both by RFID suppliers and manufacturers alike). Integration with an LMS might indeed be made more difficult if RFID suppliers start to manage additional aspects of the circulation process – and that’s one of the reasons for my opening, somewhat hyperbolic(?), remarks about change.

The last part of the announcement to which I want to draw your attention is this one,

“The new chips offer additional memory space to store dedicated URLs without compromising the library management memory areas. The URLs will point to internet spaces that contain additional information related to the book or media.

Sophisticated content, such as movie trailers, author bios, book reviews, and much more, becomes automatically accessible through NFC-enabled mobile devices as they tap marked areas on the books. “

Sound familiar?

Again regular readers (and those who have attended any of my conference presentations in the last few years) will be aware that I have long advocated the use of physical stock as a discovery tool for other resources. Examples of this obvious benefit already exist in libraries as far apart as Australia and Norway. By linking with a discovery system – or even an OPAC – library users can already enjoy the benefits of using books, DVDs etc. to discover author interviews or live performances for example (it’s already documented on this blog).

But the difference here is that the URLs that make this possible will be stored on the chip – rather than on a remote database which, in the light of the recommendations on user privacy in the EU’s mandate to standards bodies – M436 (as discussed at length on this blog and elsewhere), may be almost culpably reckless. The mandate isn’t only concerned with the data present on tags but also with what might be inferred from it. Someone carrying an item with a URL on it could easily be inadvertently advertising a personal or commercial interest to someone equipped with the right (and probably free) software on their smartphone.

So what to make of all this?

To me it all sounds like the RFID market has run out of existing products to sell to its traditional library market and has decided to take on the LMS companies for their circulation business.  It’s not a surprising development – the potential has existed for many years now, what was missing was a chip that could support the additional features that would make an entirely RFID based circulation solution possible. Until now.

Of course this is not an overnight process. First librarians will need to buy the new chips that make the reinvention of circulation possible.

I wonder what they cost?

The second half of 2014 saw the first signs that its mandate on RFID privacy M436 might be gaining some teeth with the issue of two new standards EN 16570 and EN 16571 – respectively defining the display of warning signs in RFID-enabled establishments and the process by which Privacy Impact Assessments (PIAs) should be completed. The second of these documents, created under the direction of its Project Editor, Paul Chartier, gives details of the process to be followed in creating a Privacy Impact Statement (PIS) to be displayed alongside signs warning that RFID is being used in an establishment – a library for example.

Paul’s company – Convergent Technologies – has been quick to alert librarians and their suppliers of the requirements of EN 16571 and has partnered with the French RFID organisation – CNRFID – to produce software that enables what the standard refers to as “Operators” to complete a PIS. This software can be purchased from either Convergent or CNRFID.

EN 16571 applies to any business using RFID but singles out libraries for special attention its Project Editor having a special interest in the sector having previously been PE for a number of other standards, most notably the somewhat over-engineered ISO 28560. Some of the requirements of EN 16571 would have profound implications for libraries. The need to label every single item that contains an RFID tag for example. Signing up to complete a PIS might therefore commit a library to more expenditure than simply buying the software.

So how should librarians respond to this new challenge? Convergent’s answer would probably be – “show us the money!” and that’s certainly one option. However the standard is not (yet) legally binding and may be enforced – or not – quite differently in different member states. The standard – like ISO 28560 before it – suggests to me that its creators may have been more familiar with the needs of the book supply chain than with running a library service and it is to be hoped that wiser counsels will prevail if it ever becomes the subject of legislation.

Book Industry Communication (BIC) – a charity funded by both the book trade and libraries – is an organisation that seeks to advise and inform its members on issues such as standards adoption. Its various committees and task-oriented working groups are populated by both suppliers and their clients (librarians) working in the sector. It liaises with other concerned parties (like the UK’s Information Commissioner’s Office (ICO)) to try and ensure that legislation is informed by those who work in the library sector rather than by EU experts who may have little experience of the day to day problems of running a library service.

BIC today issued an advisory notice to UK librarians about M436 seeking to reassure them that precipitate action is not necessary and detailing the approach it is taking on behalf of its members (and UK libraries in general). This might be summarised as “Don’t Panic” – but this should not seen as a call for complacency so much as a call to arms for librarians to be aware of the issue.

As a part-time BIC consultant I will be working with them to represent the interests of libraries in these cash-strapped times. I hope I can count on your support?

On July 31st the European Union finally published directive M436 on Radio Frequency Identification (RFID). M436 has been in process for so long that many RFID users may have forgotten all about it some time ago. A few may never even have heard of it.

M436 attempts to deal with concerns over the privacy issues that have surrounded this technology since it first appeared – in libraries over 20 years ago. The directive is “application agnostic” – meaning that the rules apply to RFID users regardless of how they are using the technology. Libraries are one of the key areas of activity already identified by the EU and they will certainly feel the effects of mandate M436 over the next few months/years.

Locations will be required to display a sign

Locations will be required to display a sign

There are two main elements to the directive as I outlined in my “quick guide” for librarians back in 2013. The first, and simplest, is signage. Locations where RFID is being used will be required to display a sign advising users of this fact.

The second, and slightly more demanding requirement is to carry out a Privacy Impact Assessment in order to produce a Privacy Impact Statement that should also be made available to anyone wishing to understand the implications of the use of RFID in an establishment. In a library this might be displayed alongside the sign – or advice be displayed indicating where the statement can be found – on a website for example.

 

The mandate is issued to European standards bodies to create standards for ensuring the privacy of individuals using RFID solutions. As such it has no legal force as such, but may grow teeth if either the UK Information Commissioner’s Office (ICO) or the European Union itself decides this issue requires formal legislation. Certainly the display of signs and the creation of a Privacy Impact Statement should now be regarded as “best practice” for librarians.

Book Industry Communication (BIC) established a Privacy Group (which I chaired) in 2013 to maintain a watching brief on the progress of M436 and to liaise with the ICO in order to ascertain that body’s attitude to possible legislation. This group will now be reconvened in the near future to initiate its education programme for librarians wishing to know more – or to comply with the directive. Invitations have been issued to both the Society of College, National and University Libraries (SCONUL) and the Society of Chief Librarians (SCL) to participate in this process.