Programming note: Sorry for the infrequent posts lately, I have been traveling
and starting a new job. Probably the next thing I post will be a report on some
of that travel, which you will hopefully find interesting.
Previously on Deep Space Nine, we discussed the landscape of common retail
EAS systems: electromagnetic, acousto-magnetic, and RFID. I now want to
extend on this by discussing some peripheral systems that serve as part of the
larger retail loss prevention technology stack. I will follow up on that by
saying a bit about why none of these approaches seem to end up working that
Shopping carts are fairly expensive, running around $200 to replace. Since
shopping carts are attractive for moving stuff, they have a tendency to "go for
a walk" and require frequent replacement. The first type of "smart cart"
technology to make a widespread appearance is "cart retention" or cart
anti-theft. Most Americans have probably encountered these by now, although
they remain fairly uncommon in New Mexico.
While there are a number of vendors and systems, most are based around a fairly
simple concept. A special wheel or wheel housing contains low-power electronics
which observe for an RF tone. When the tone is detected, some type of locking
mechanism activates that prevents the wheel from rotating. The wheel usually
remains locked until commanded to unlock via an RF or IR device.
To form a cart perimeter, a cable is buried around the perimeter of the parking
lot that acts as an antenna. The emitted power is quite low, so carts only lock
when passing fairly close to the cable. In some systems, a second cable buried
a bit inside of the outer emits a separate tone that commands the wheels to
unlock. This makes it possible for a customer to reset a cart by dragging it a
short distance back towards the store, potentially saving employee effort.
Most cart retention systems operate at low frequencies, below 9 KHz in the case
of the Gatekeeper Systems offering. These low frequencies are fairly efficient
with the very long antenna cables used, penetrate materials well, and best of
all are below allocated spectrum... so there is no licensing required.
You can probably imagine that the "locking cart wheel" technology can be
applied to a few different problems. A common form of retail loss, and one that
tends to involve fairly large dollar amounts, is "push-out theft." A push-out
thief loads up a cart with products and simply walks out. With well-chosen
items like powdered laundry detergent it can be difficult to detect this type
One approach is aggressive traffic management in the store, using one-way gates
and barriers to prevent customers exiting without passing through the
checkstands. This kind of highly visible security is becoming more common but
it's not completely effective... for one, having a large number of
self-checkout machines tends to make it pretty easy to get through the
checkstands without paying or being noticed.
A somewhat more sophisticated, and annoying, solution is the installation of a
pushout prevention system like Gatekeeper's Purchek. While there can be more
complexity to these systems, the basic idea is that each cart is temporarily
"enabled" when a customer completes a purchase, and stays enabled for a time
period like 30 minutes. Outside of that time period, any attempt to leave the
store with a cart will cause that cart to lock. This should prevent anyone
leaving with a cart of unpaid items.
You can probably think of a few ways to implement this, and they've probably
all been done by at least one company, even the bad ones. In the case of
Gatekeeper's older generation Purchek system, each checkstand seems to contain
a unit that transmits a signal which starts the exit timer in the cart wheel.
When the cart is pushed through the exit, a tone transmitted by a floor antenna
causes it to check the exit permission timer and lock up if it is not still
There are variations with appreciably more complex configurations though, and
Gatekeeper Systems holds a patent on a cart-to-cart and cart-to-access-point
mesh networking system that can be used to apply particularly complex logic
to make lock-on-exit decisions. It's not clear to me how much of the patented
material is actually implemented in their commercial products right now, but
certainly some of it is.
Many grocery stores now feature a panel antenna mounted near the exits facing
the area approaching the doors. This panel antenna is used by the Gatekeeper
door controller to communicate with the cart wheels, and it's hard to suss out
the exact logical architecture of the system but it seems that the door
controller can query the cart wheels for a recent historical average rotational
speed and can use the history of detection of that cart wheel to determine the
location history of the cart. These can be factored into the exit permission
I have heard complaints of Kroger configuring the time window during which exit
is enabled after paying to be as short as 60 seconds, short enough that walking
slowly toward the exit (e.g. due to a disability) will consistently result in
the cart locking at the doors. There is a substantial accessibility issue with
many of these loss prevention technologies and vendors seldom address it in
their marketing material.
Networked communication with cart wheels can also be used for various
convenience use cases, like automatically counting carts in the parking lot to
determine when carts need to be rounded up, and allowing a parking lot
attendant to unlock all carts in a corral area at once. Nonetheless, Kroger
consistently struggles to have any carts available at the entrances, but that
comes down to staffing... which we'll get to in a bit.
One long-running source of loss prevention frustration is that deck at the
bottom of the cart between the wheels, often called the bottom-of-basket or
BOB. The way most checkstands are configured, the cashier cannot directly see
this area... but it's often used for relatively expensive item like 24-packs of
beer. It presents a significant opportunity for both accidental failure to ring
up an item and intentional theft.
A friend who once worked in a grocery store told me that his chain had a
general practice of cashiers making some comment about a fictional coworker or
relative named "Bob" to warn another cashier that a customer had something on
the bottom of their cart. For decades, checkstand manufacturers have offered a
low-tech BOB solution consisting of a "periscope" configuration that allowed
the cashier to see the foot-level area by looking in a mirror mounted under a
hood near the weighscale/barcode scanner. Many stores just placed an adhesive
parabolic mirror on the side of the next checkstand over that served the same
purpose more simply.
These solutions are simple and effective, so of course there are options which
are complex and, well, questionably effective? The Lanehawk from Datalogic is a
camera and illuminator which mounts in the space most checkstands have for the
lower periscope mirror. It uses machine vision to detect items in the BOB and
identify them, giving the cashier a prompt that rings them up in one button
press. I have seen LaneHawk installed at several stores and I have never
actually seen it work. It's hard to tell if this is because of poor reliability
or because of retailers starting deployment and never finishing it due to
training or configuration issues, which seems to be oddly common with this type
Queue and customer volume management
Customers get irritated if they have to wait too long to check out, but idle
cashiers waste money. Stores have to try to strike a balance between short
wait times and high utilization rate for open checkstands.
There are two basic ways that technology can, in theory, help: first, counting
queues at the checkstand can allow for a fast automatic call for more cashiers
when lines start to grow. There are various systems that can do this including
Gatekeeper based on counting the number of cart wheels apparently in queue for
A second and more interesting approach is predictive queue counting. By
knowing how many people entered the store and when, it's possible to predict
the likely number of people who will queue to check out some time in the
future. Several grocery chains have invested in Irisys's system, which uses
distributed "people counting" units to track the arrival rate of customers.
This data, along with potentially data on customer location in the store based
on other vendor's systems, drives television screens mounted near the
checkstands that display the current number of open checkstands and the number
that will be required to maintain a queue depth target in 15 and 30 minutes.
For some odd reason these three numbers are labeled "Lanes Open," "Action Now,"
and "30 Minutes," the first and third of which are inconsistent but logical and
the middle of which is just bizarre. Besides this real-time feedback it also
collects historical data to make long-term projections, which can be used for
scheduling cashier shifts.
For some reason Irisys's marketing material repeatedly mentions the use of a
"VGA display." It's unclear to me if the copy is from the '90s or just the
attitude of the person who wrote it. The use of consumer televisions should
reassure us that it is at least WXGA.
The data for these systems can come from many, diverse sources. Kroger
stores in my area are equipped with machine-vision based people counting using
multi-lens 360 degree cameras as well as Bluetooth and WiFi-sniffing people
counting systems. Some machine vision is infrared, but some is visual. Some
people-counters use simple multi-spot passive IR methods (somewhat like typical
burglar alarm motion detectors) while others use proper imaging.
If data collection on customer volume can be gathered automatically, what about
data on stocking levels? There are products on the market that monitor shelf
stocking using machine vision, but I have not personally seen them widely
deployed. The principle is fairly simple, just pointing a camera at a shelf
(often using fisheye optics for wide coverage) and using obvious methods to
see if items are present where they should be.
Shelf stocking information can also be gathered by robots that travel the store
floor observing shelves. This has been shown at a number of trade shows but I'm
not sure if it's actually being done on any large scale. I tend to think that
it would end up being more expensive overall than fixed cameras, considering
the more complex maintenance situation.
Staff and Equipment
Given the amount of technology apparently being thrown at the problem, why is
it that retail loss prevention (at least in my market) mostly seems like a
I'm not an industry insider or anything, so I can only speculate. But it seems
clear that insufficient staffing is the single greatest issue at the moment,
and I think that's been the case since prior to COVID. Basically al of these
systems are dependent on having enough staff to attend to them, and grocery
stores frequently fail on this front. Kroger spent a good chunk of money
installing guard podiums at the entrance of all their stores with monitors
showing surveillance video, but I still haven't actually seen one staffed,
presumably since it would prevent the single guard actually walking the
The issue has become more acute as retailers have made increasing use of
two particularly labor-intensive approaches: separate, dedicated cashier
stands for high-theft areas, and locking displays.
In the former system, the liquor and cosmetics sections are isolated (perhaps
by awkwardly installed screen walls) and have a dedicated cashier. This cashier
is presumably more able to monitor for shoplifting since they have a small
assigned area, and it prevents unpurchased items from those sections
circulating to parts of the store where they would be much easier to conceal.
Kroger rolled out this system over the last two years in my area and has had
significant practical problems. The thing that has most stood out to me is that
they have consistently laid out these areas with the expectation that the
cashier stand with their back to the products. This obviously limits how
vigilant the cashier can be, and moreover poses a safety concern to the staff
since it reduces their situational awareness and provides an easy covert
approach to potential thieves. There is news reporting that, in some areas,
these checkstands have been modified in response to union complaints related
to employee safety.
There are other issues yet. The checkstand obviously needs to be staffed for
this system to be effective. Early on Kroger tended to leave it unstaffed most
of the time, but the switch to self-checkout stands seems to have enabled more
consistently posting a cashier. Second, it creates a situation in which
purchased merchandise circulates around the store. This is significant, since
it means that it is now fairly normal for a customer to check out and only pay
for some of the items they are taking with them. This makes "theft by
omission," already common at the self-checkout stands, difficult to impossible
to detect. The use of "paid" stickers and stapling bags shut mitigates the
issue somewhat but not entirely, since the realities of a busy retail store
make it very hard to consistently adhere to and enforce these mechanisms.
In a particularly interesting gaffe (or perhaps partially implemented change in
policy), Kroger stores in my region have not installed an EAS tag deactivator
at the cosmetics checkstand. Cosmetics items are relatively commonly tagged, and
Kroger tags many items post-manufacturing with an anti-tamper tape overlay. Due
to the lack of a deactivator, though, these items now set off the EAS portal
every single time they are purchased. The guard now responds to all EAS alarms by
resetting them with no further investigation. Brilliant.
Nonetheless, there is obvious potential to reduce theft. I tried to find some
sort of data on the efficacy of this measure but either there's little to be
found or, perhaps more likely, I don't know the right terms to search for.
The other common staffing approach seen today is locking up certain items in
their displays, and then requiring customers to find a staff member to have
them unlocked. The staff member might walk the item to a checkstand instead of
trusting the customer with it, once unlocked . This method has been around for
decades and is becoming increasingly common, from Walgreens (just about
everything) to The Home Depot (cordless tools, certain consumables like diamond
blades). The theft advantages are obvious, but the big problem is that there
have to be enough employees around for a customer to reasonably be able to find
someone. I am always very curious about how much sales drop when this system is
introduced; I have basically stopped buying cosmetics at Walgreens because of
the difficulty of getting an employee to show up.
Where does this whole thing leave us? Despite a lot of development retail loss
prevention is still an unsolved problem in many ways. The greatest problem
remains the trade-off between loss prevention and staffing costs: loss
prevention technologies have to be cost effective, and that usually rules out
the most effective designs (ubiquitous use of RFID).
Amazon Go has demonstrated the strong potential of machine vision and other
machine learning technologies. This kind of ubiquitous tracking requires
extensive infrastructure support, though, and major retail chains often seem to
struggle with much more basic equipment installations. No doubt the management
model of these companies, including franchising in some cases, is part of the
difficulty, but it's also what has allowed these chains to grow to such large
To some extent the increase in online shopping has obviated loss prevention
technology, and there are no signs of this trend stopping. Future stores will
probably lean more and more into showroom-type design, but in many cases their
loss prevention efforts will lead to higher and higher friction to actually
making a purchase. This seems unwise as a strategy to compete with Amazon but,
well, does anyone have a good plan to compete with Amazon?
 An interesting factoid is that Walgreens uses expensive Medeco cylinders on
the plexiglass display cases that you can force open by hand. I assume this is
just to allow same-keying with other more secure enclosures, but one wonders at
how much extra money these expensive cylinders have cost across the enterprise.
Long time no post, or at least it feels that way! I have returned from a long
vacation in a strange foreign country where the money is made of plastic, and
I am slowly recovering from the tactile disturbance this caused. As tends to
happen I ended up thinking a lot about the small details of international
interoperation, and the issue of currency is an interesting one. I think my
next post will be a bit about the mechanics of the relatively seamless ability
to spend US funds in Canada or Mexico today. But first, a post that I started
before I left and didn't finish until now...
You know how sometimes when you leave the grocery store, an alarm goes off
which is either completely ignored or immediately reset by staff? What's up
with that? Well, I can only really offer a satisfying explanation of the how,
as the why is a topic of some complexity.
The whole world of tag-detection-based anti-theft technology can be broadly
referred to as Electronic Article Surveillance, or EAS. One of the tricky
things about understanding EAS is that, much like with proximity key systems,
several significantly different technologies are in use simultaneously. There
are a lot of "urban truths" about EAS that are often correct insofar as they
apply to one particular EAS technology, but often not even one of the more
widely used ones. The different practical and security properties of EAS
systems are interesting from an evolution of technology perspective, and the
cutting edge of EAS gets into some interesting areas of RF engineering.
The general principle of EAS is fairly simple: article tags are affixed to,
or placed in, products that might be stolen. At the exits of a retailer, a
"portal" system is installed that detects the tags. When an item is sold to
a customer, a cashier uses some mechanism to either remove or deactivate the
tag so that the customer can exit without causing the portal to alarm. What's
less simple is the number of different ways of achieving this.
EAS systems are commonly, but mostly incorrectly, referred to as RFID. In fact,
the most commonly deployed EAS use a technology which is quite dissimilar to
RFID and relies on magnetic, rather than electric, field coupling. This makes
it all the more interesting that EAS started out on the path to RFID, before
taking rather substantial detours into the world of magnetics.
There seems to be some confusion in common sources about the nature of the
first EAS, although it's agreed to have been invented by Arthur Minasy in the
mid '60s. It's actually not at all difficult to find the original patent
granted to Minasy in 1966, in between Minasy's many other forays (he was the
type of "serial inventor" which is rarely seen today). The original Minasy
design, commercialized by a company he founded called Knogo, is a simple
passive circuit that receives RF energy via an antenna, rectifies it to DC, and
uses that to power an oscillator that emits RF at a different frequency. This
is, of course, substantially similar to the RFID concept and I find it likely
that Minasy would be listed today as among the significant contributors to RFID
were it not for the fact that this original technology was quickly abandoned by
Knogo and is little known today. This is true to such an extent that articles
about the history of EAS, if they go into any real detail on early systems,
tend to describe the replacement of the Minasy system as Minasy's original
There is a fundamental problem with both Minasy's early design and modern RFID
in EAS applications: it requires electronic components, and electronic
components are expensive. This was true in Minasy's day when individual
transistors were a meaningful impact on the BOM cost, and it remains true today
when EAS tags are made in tremendous volumes and fractions of a cent make a
The Minasy system, often called "RF tags" or "resonant tags," are still in use
today. The relatively high cost of the tags tends to limit them to applications
where they can be reused, mostly in the form of "hard tags" attached to
clothing and removed on sale using a special tool. That said, it is possible
to "deactivate" resonant tags. LC tags can be manufactured with an intentional
susceptibility to failure when exposed to an excessively strong RF field, for
example by using a capacitor which will overheat and allow the plates to short
together. The tags can then be placed on a device which emits the same
frequency as the detectors but at a much higher power level, resulting in
intentional failure of the tag.
A more recent (but not very recent) innovation is thinner and cheaper RF tags
operating at a higher frequency---typically 8.2MHz, while the original Minasy
system had been tuned for 2MHz with very low precision. These 8.2MHz tags
look like rectangular thin paper stickers, and when peeled up the metal foil
antenna is visible underneath. They operate on the same principle as Minasy's
system but are almost always deactivated by RF field rather than removed. Their
thin size makes them well suited to printed materials, but they can also be
applied to boxes and other packaging.
Far more common today than RF tags are a later development, the magnetic EAS
tag. Magnetic tags exist in two major variants, the first having been developed
by 3M in 1970. The 3M technology, commonly known by its 3M brand name "Tattle
Tape," can more generically be called electromagnetic or EM EAS. EM tags rely
on an interesting property of magnetic fields, or rather their interaction with
Magnetic materials such as iron can be "magnetized" by exposing them to a
magnetic field, causing an alignment of the magnetic dipoles of the material's
molecules. During this process some of the energy of the field is consumed.
Magnetic materials also have a "saturation value," which is a measure of their
greatest potential to become magnetized, or the point at which no further
improvement in the magnetization of the material can be achieved. For most
magnetic materials, the saturation value is quite high. It is possible, though,
to design materials that are magnetizable but have a very low saturation value.
The most common in EAS applications is an alloy called "metglas," so called
because it has a non-crystalline structure more similar to glass than metal.
When a quantity of metglas is placed in a magnetic field, it absorbs some of
the energy of the field in order to become magnetized. It quickly reaches
saturation and stops interacting with the field. This behavior is quite useful
as it can be detected by magnetic means.
So, an EM EAS system relies on a portal with two antennas, typically
placed on the two sides of the door (in multi-door situations it is common to
have multiple towers which alternate receiving and transmitting). The
transmitting antenna emits a magnetic field. The receiving antenna on the other
side of the portal observes this field. When metglas is introduced into the
field, it briefly absorbs energy and then stops when it reaches saturation.
This can be observed as a brief dip in field strength at the receiving antenna.
By rapidly alternating the field emitted by the transmitting antenna (essentially
using it as an AC electromagnet), this effect can be checked for many times a
Even better, the nonlinear behavior of metglas in a magnetic field causes a
number of effects in a rapidly alternating magnetic field including harmonic
frequencies resulting from the repeated magnetization and demagnetization of
the metglas. Modern EM EAS systems use complex DSP techniques to observe for
multiple different effects caused by the low-saturation-value material, making
them less susceptible to false positives. In fact, false positives in the
detection of metglas are quite rare (although EAS are usually quite prone to
false positives, they come from other causes which we will discuss later).
Because materials with a very low saturation value are exceptionally rare in
nature, the presence of rapid magnetic saturation behavior is a very strong
indication of the presence of a tag.
Magnetic EAS technology becomes even more interesting when you consider the
issue of deactivation. EM tags are typically manufactured with a strip of a
normal ferromagnetic material placed alongside the metglas strip. If this
material is magnetized, it keeps the metglas strip constantly saturated,
preventing it interacting with external fields. Thus an EM tag "deactivator"
simply emits a strong enough field to magnetize the ferromagnetic strip. Even
better, an "activator" can emit a rapidly alternating magnetic field which will
effectively "scramble" the magnetic orientations of the underlying magnetic
elements in the magnetic strip, causing it to lose its magnetic field. The
metglas strip will no longer be held in constant saturation and will be
detected as usual.
This ability to activate and deactivate EM tags at will is unique to EM tags
and is the cause of their ongoing popularity in libraries. Libraries install
tattle tape permanently, usually adhering it to a middle page near the spine
where it is difficult to notice. The circulation desk deactivates tags when
books are checked out and activates them when books are checked in, usually
using a device that just has an "activate/deactivate" switch to select between
a fixed and alternating magnetic field.
If this neat property of EM tags seems a little too good to be true, well, it
does have caveats. First, the ferromagnetic element in EM tags is of relatively
low coercivity (e.g. magnetically "soft") to allow for easy activation and
deactivation. That also makes it prone to being affected by various
environmental magnetic fields, and as a direct result EM tags have a tendency
to "self-activate" over time. If you have ever renewed a library book a few
times and then set off the door portal when returning it, this is due to the
ferromagnetic element simply losing its magnetization over weeks of exposure to
electrical equipment and other ferromagnetic materials.
Second, the only aspect of EM tags that can be detected is the presence of an
active one. There is no way to differentiate EM tags from each other. This can
be a practical problem in circulation environments like libraries. In my city,
the county library has ended use of EM tags in favor of an RFID system, but
much of their inventory is still "tattle taped." The tags in these older books
are now almost all active due to environmental demagnetization, and so it is
more or less guaranteed that carrying a county library book into the university
library will set off the portal system... on the way in and out. This kind of
nuisance alarm behavior will very quickly cause staff to disregard the EAS
system, and so the county library's upgrade to RFID has no doubt significantly
reduced the effectiveness of the university library's system.
EM tags are most often seen in the form of "tattle tape," whether made by 3M or
a competitor. These tags are long, narrow strips that are usually self-adhesive.
They are thin enough to sit inconspicuously in the pages of a book, but large
enough that they would be tricky to get onto the packaging of smaller products.
You don't see them very often, mostly because in their most common application of
library books they're placed either in the spine or on a page very close to it,
where they're concealed.
EM tags cannot really be permanently deactivated without physical destruction,
and they require relatively strong fields to detect. These two downsides lead
to the development of a variation on magnetic EAS, called AM EAS. The label is
a little confusing here as most would read "AM" and assume "amplitude
modulation," but in this context it's actually an abbreviation for
"acousto-magnetic." These tags rely not just on the interaction of a material
with a magnetic field, but also on acoustic resonance of the material. That's
AM tags contain a thin strip of a material that demonstrates
"magnetostriction," or a change in physical shape when exposed to a magnetic
field. They are sized such that they are resonant when vibrated at a particular
frequency, usually 58KHz. The AM portal system emits short bursts of a 58KHz
field and then, after transmitting, uses a receiving antenna to observe for any
continued 58KHz magnetic oscillation. An AM tag will continue to vibrate for a
short time after the original field disappears, causing a detectable "trail"
from the transmitted burst. Once again, modern portals repeat this process rapidly
and use DSP methods to check for multiple indications of a real tag.
AM tags can be deactivated much like EM tags, but there are important
differences. AM tags also contain a strip of a ferromagnetic material, but its
function is different. The ferromagnetic strip is magnetized normally and
serves as a "bias magnet." As a bias magnet, it is carefully tuned so that it
offsets the magnetic anisotropy of the magnetostrictive strip---its tendency to
only react to magnetic fields coming from one direction. Without this bias
magnet, the AM tag cannot be reliably detected. To deactivate AM tags, the
magnetic strip is demagnetized by exposing it to a strong and alternating
field. AM tags are the opposite of EM tags when it comes to activation and
deactivation, and so they have a bias towards deactivation. This bias is weak
though: the proximity of the bias magnet to the magnetostrictive strip and the
inconsistent placement of these tags makes it impractical to remagnetize or
reactivate them, so they're designed for one time use only. This means that the
ferromagnetic material used for the bias magnet can be of relatively high
coercivity and is less affected by normal environmental fields.
I'll go into a little bit more depth on typical AM equipment, because AM is the
most common EAS technology used in US retail. Virtually every retailer has at
least AM portals, and you have certainly seen AM tags. AM tags are relatively
thick but small compared to EM tags. They're usually in a plastic housing of
perhaps 4cm long (as common as they are I couldn't find one around to measure)
and a few mm thick. The largest manufacturer of AM tags is Sensormatic, and so
they often have the old "hand in crosshairs" Sensormatic logo printed on them.
AM tags are ubiquitous in part because they are the accepted technology for
source tagging. Source tagging is a common industry convention in which
anti-theft tags are placed in products by the original manufacturer rather than
the retailer. There are a few advantages to source tagging: not only does it
save labor on the part of the retailer, the manufacturer can usually place the
AM tag in a more discrete and difficult to tamper with location. For example,
it's very common for power tools to come from the manufacturer with an AM tag
inside of the tool, often adhered to the inside of the plastic molding for the
handle. I recently encountered an item of clothing with an AM tag sewn into a
label, although fortunately this practice isn't common... AM tags are quite
rigid and not especially comfortable to wear.
Source tagging also allows for the use of EAS throughout the supply chain.
Fulfillment and shipping warehouses, for example, can use AM portals to deter
theft by employees, even before delivery to a retailer.
AM deactivators consist of a large coil antenna, which may be constantly active
but on modern equipment usually runs in a low-power "detection mode" where it
behaves similarly to a portal. The coil only runs at full power to demagnetize
when it detects the presence of an AM tag. This saves a bit of money on
electricity but more importantly makes the deactivator less likely to
deactivate someone's credit card, which had been an occasional problem with AM
deactivators despite the high coercivity of payment card magnetic strips. Some
AM deactivators, probably those that have received some physical abuse,
demonstrate magnetostriction of the coil itself in the form of an audible
"ping" or "twang" each time the coil is powered .
AM portals are the most common type you see. Older AM portals (and EM portals
as well) sometimes stayed unpowered until they were activated by a
pressure-sensitive mat or deck between the antennas, and you might still see
this in libraries in particular where continued use of EM gives little
motivation to upgrade equipment, but most portals today are able to use
electronic and DSP methods to detect the possible presence of tags with a very
low power consumption. This sometimes takes the form of "search" and
"interrogate" modes (these terms are often used in remote sensing due to its
military origin and so I tend to use them), where the portal normally operates
in a low power mode and the detection of any kind of magnetic interaction
causes the portal to switch to a higher power mode to distinguish tags from
Sensormatic is the largest manufacturer of AM portals as well as tags, so you
will likely recognize the Sensormatic product lineup that varies from "big
beige towers" to clear lexan sheets with coils embedded in them. Newer portal
systems are relatively small, and Sensormatic even offers a "concealed" option
that mounts against the door frame (not really very discretely at all) instead
of requiring freestanding towers for the antennas. Of course it is limited to
a fairly short range due to the small size of the antenna coils and so it
doesn't seem to be that common. A more recent innovation is the installation of
surveillance cameras either on the antennas or at the door frame. Sensormatic
controllers can trigger video surveillance systems  or retrieve images from a
video surveillance system, either way offering correlation of detection events
with video of the person walking through.
While AM portals are mostly effective and extremely common, they do have
distinct downsides. They share with the EM the property that AM tags cannot be
differentiated. A common downside emerges with source-tagged items: if you
purchase a source-tagged item at a retailer that does not have an AM portal,
they will likely not deactivate the tag on sale. It will then set off the
portals at other retailers. This is an extremely common cause of false-positive
alarms. The portal also cannot indicate how many items or what types of item
were detected, which makes it difficult to investigate an alarm.
As a partial mitigation, vendors including Sensormatic now offer handheld
"wand" AM tag detectors with a short range. These can be used much like a wand
metal detector to identify the item, or at least location on the body, that
triggered the alarm. WalMarts are usually equipped with one of these in a
wall-mount charging cradle near the door, but I have never actually seen one
used, which foreshadows a later point I'll discuss.
Another downside is the size of AM tags. They're not exactly large, but they
are thick... too thick to be easily integrated into some types of packaging.
Their larger size also makes them easier to locate and remove, if they're not
hidden somewhere by source tagging. Retailers that apply AM tags to items will
sometimes apply a larger sticker with anti-removal features (scoring so that it
will not peel away in one place) to frustrate shoplifters that simply peel off
the tag, but of course this isn't entirely effective.
As I mentioned, genuine RFID has been applied to retail EAS. It remains
relatively uncommon because, despite advances in low-cost manufacturing of
small electronics, active RFID tags remain considerably more expensive than AM
Perhaps the greatest champion of RFID EAS is WalMart, which has invested
considerably in both the installation of RFID equipment (manufactured by
Sensormatic) and the standardization and promulgation of RFID Electronic
Product Code or EPC tags. Much like UPC (Universal Product Code) or the closely
related EAN (European Article Number), EPC is an effort to assign a unique
numeric ID to every product in a retail environment... but EPCs tend to be more
specific than UPC, to the SKU (stockkeeping unit) level rather than price
level. This means that products that are offered in multiple variations (e.g.
flavors) at the same price may share the same UPC, but will have distinct EPCs.
One of the driving motivators behind this technology is its advantages for
inventory management. In order to effectively track shrink (theft, spoilage,
loss, damage, etc) and other "dispositions" of purchased inventory other than
sale, retailers need to actually count the inventory on the floor. This is also
a required step in financial auditing, insurance underwriting, and various
other business processes. Basically, large stores need to actually send people
out to count everything.
In practice retailers rarely handle this in house, particularly because the
auditing use of this information makes it valuable to have it collected by an
independent third party. For example, the use of an inventory contractor makes
it more difficult for an insider (employee) who is stealing products to cover
for the loss by inflating inventory counts. The largest such contractor in the
US is a company called RGIS, which regularly sends an army of temp workers
equipped with handheld barcode scanners into each of America's stores in order
to scan every individual item on the shelves.
Sidebar which is Critical of Capitalism, You Have Been Warned
Actually the history of retail inventory is itself rather interesting as RGIS
has historically been a pioneer in the design of highly usable wearable
computers, and in the era before the universal use of UPC/EAN labels the
incredible speed at which experienced RGIS employees could operate a belt-worn
ten-key was something of a legend. Of course in one way, the invention of the
barcode was a labor-saving device that ought to accelerate the inventory
However, as potently observed by Brian Justie in The
Magazine), many "automation technologies" are better viewed as "labor
technologies" in that their primary purpose is not actually to speed up a
process but to reduce the level of operator skill required, thus making the
labor more readily replaceable. This phenomenon is rather clear in the case of
RGIS, where more than speeding anything up the transition to barcodes
facilitated RGIS's transition to nearly complete use of short-term temp agency
Since RGIS workers no longer needed to learn the skill of rapid and accurate
manual entry, they no longer needed to be paid at a level that motivated them
to stick around. Anecdotally, it seems that the modern barcode-based RGIS
system is quite possibly slower than the earlier belt-pack ten-key, but the
operator only needs the barest of training and therefore only the barest of pay
or benefits. This is one of numerous cases in which advancing technology has
reduced costs as promised, but by facilitating lower wages, rather than by
actual improvements in efficiency.
End of leftist discourse
The EPC scheme promises to significantly accelerate the inventory process by
allowing "drive-by" inventory with a good sized antenna. It also offers a
significant enhancement in EAS: an EPC-based EAS system can determine exactly
which items are detected and report the list of items to the operator. Even
better, EPC can include a unique serial number for each item. This way,
"deactivation" of the tag can be performed in an "online" manner by marking
that individual item as sold. This promises significantly more accurate EAS,
easier investigations of alarms, and better overall inventory control and
market research insight via end-to-end lifecycle tracking of individual products.
It is also, according to a surprisingly large segment of the American
population, a sure sign of the coming apocalypse. I'm sort of kidding about
this but only sort of. A meaningful vein of opposition to RFID technology in
public discourse has been its potential resemblance to certain aspects of the
Book of Revelations. To discuss this fascinating and surprisingly important
artifact of American culture would be its whole own article, but I will note
the comedy of "Not Today Satan Cross Christian Religious Credit Card RFID
Blocker Holder Protector Wallet Purse Sleeves Set of 4" listed on WalMart.com
coming up in the same search results as "ALERT, RFID CHIP READER IS AT WALMART
THE MARK OF THE BEAST IS HERE IN VIRGINIA."
A much larger problem with RFID than its satanic origins remains the cost of
tags, which has lead to a lot of hesitation on the part of manufacturers and
distributors to participate in RFID source-tagging schemes. WalMart is of
course a large enough part of the US economy that it has a powerful ability to
push its suppliers around, and WalMart just recently announced that it will
mandate source-tagging with EPC for a large portion of their products. This
needs to be done at the expense of the supplier, of course, although WalMart
notably continues to exclude groceries from the requirement. The required
categories for EPC tagging are basically all higher-value and higher-theft
products, showing the practical impact of the tag cost. This same trend is seen
throughout the world of EAS: the cheaper and less attractive to thieves an item
is, the less likely it will have any sort of tag. The more expensive or
theft-prone an item, the more likely it is to feature AM and then RFID tagging.
Although the expansion of EPC tagging at WalMart is recent, the system itself
is not, and WalMart has used EPC tags on product cases and some apparel items
since 2003. So have other retailers, although usually not on as large of a
scale. The technology lead to enough debate around privacy (and rapture)
implications that WalMart attempted to placate public concern through
"transparency" by putting an "EPC In Use" decal on entry doors somewhere
between the other ten regulatory decals. Of course this has never achieved any
type of benefit, but I do like the design of the sticker.
Another stronghold for RFID EAS technology is the library industry. The same
requirements that kept libraries on EM make RFID attractive, and so most
libraries are transitioning from EM to RFID (or already have in the case of
most larger libraries). Besides allowing for very accurate online tracking of
checked-in/checked-out status of books, it speeds up the circulation desk (or
self-service kiosk) by allowing a whole stack of books to be scanned at once.
Since library books are fairly expensive and have fairly long service lives,
the cost of the tags is not so much of a deterrent to libraries, and RFID tags
are readily available in a thin sticker format the goes just fine inside the
cover of a book.
Most RFID EAS tags are thin stickers made of either paper or plastic. They're
often square or fairly close to square. Usually either peeling one up and
looking underneath or shining a light through an RFID tag will reveal a spiral
or otherwise packed antenna, similar to PCB traces but more often just a metal
foil on a paper or plastic backing. Some RFID tags have a serial number or
barcode printed on them, but many are just blank. In the case of EPCs on
apparel, it's common for the RFID tag to be adhered into the middle of a
two-layer paper hangtag. Libraries usually put them inside of the front or back
cover, and retail products often have them placed somewhere near the UPC/EAN
barcode since this gives the cashier a good idea of which side of a large box
to put against the reader.
RFID EAS portals are mostly not distinguishable from AM portals, since RFID
support is usually just an add-on feature to an AM system (by adding extra
antenna coils in the same tower enclosure). RFID EAS systems are a lot more
likely to have some sort of operator interface like a display and keypad on the
wall, rather than a simple alarm, since they're able to show a list of items
Unexpected part break...
This has already become quite long and I have quite a bit more to add... as
sometimes happens to me, everything I've said so far is really just background
to what I really wanted to discuss. Let's break this up a bit by calling this
part 1, and soon I will post part 2... which will cover both cutting-edge
retail loss prevention technology and the reason why both existing and brand-new
systems are increasingly ineffective. There will be more criticism of capitalism,
but also more weird technology!
 Iron is slightly magnetostrictive and this effect is the source of a lot of
cases where you can "hear electricity." The 60Hz hum of large power transformers,
for example, is primarily the result of the transformer windings vibrating due to
 Support for external triggers is a longstanding feature in video surveillance
systems, allowing video to be recorded on demand or just tagged with the time of
events. In older systems this takes the form of a relay on the EAS system that
energizes a digital input on either the video recorder or a camera (digital
surveillance cameras usually include one or two digital input/output pins and
a protocol to inform the recorder when their state changes). In newer systems it
is more likely to be all IP.
Let's discuss the humble thermostat. You probably have one in your house,
and it probably connects to a set of wires. If you've ever replaced your
thermostat, you've probably found those wires a little irritating due to
the lack of well standardized nomenclature for identifying them. This is
particularly clear in the new generation of smart thermostats which attempt
to be "consumer-friendly" to install, and thus must have sort of complex
install wizards (InstallShield (R) for Thermostats) just to generate your
hookup instructions. So what's up with that?
Well, let's take a step back.
Your house is full of a bunch of 120VAC wiring. Well, that's assuming you live
in the United States, and to be fair US residential wiring is typically 240v
split phase, so you have both 240v and 120v wiring, depending on how you count.
The idea of this split phase thing, if you're not familiar, is that the utility
delivers to your house 240VRMS AC with a neutral wire that is at a potential
halfway between the other two pairs. We could label this -120V, 0V, and +120V,
which while "0V" is always arbitrary makes some sense since neutral is bonded
to ground. These are all of course VRMS, which in this context is Volts Root
Mean Square, not Virtual Richard M. Stallman (which is a piece of software that
chastises you for being complicit in your own subjugation). Since AC implies a
voltage that changes constantly, there are a few ways to measure, and VRMS is
conventional. 120VRMS is about 170V peak to zero, or 340V peak to peak. We call
it 120V because, well, that 170V only exists briefly at the two peaks of the
waveform. 120V is a more useful number for actual power calculations, although
AC power calculations can always become a bit complicated because the phase
relationship of potential and current can vary (this is called power factor).
This is all basically an irrelevant tangent, the point I want to make is that
we all understand that residential electrical wiring is 120VAC or 240VAC
depending on how you look at it .
But after all that, what if I told you that it is also conventional for
residential electrical systems to have a low-voltage AC supply?
Well, it's true, but in sort of a limited sense and with a lot of variations.
Almost all homes have at least one small transformer mounted on the side of a
junction box in a basement or closet that produces 12-24VAC. There are two
standard residential applications of low-voltage AC: the first is the doorbell,
which typically uses 16VAC although 12VAC and 24VAC doorbells also exist. The
second is the HVAC control circuit, which is nearly always 24VAC. Most of the
time these have two separate transformers but you can use one for both
purposes, although I'm not sure that it's wise or code compliant.
The reason for the low-voltage supply is that, in most cases, the thermostat
switches low-voltage, current-limited (by the transformer) circuits that
energize relays in the actual furnace/AC/etc. This allows thermostat wiring to
be significantly smaller, and thus cheaper and easier to install. Code
requirements for thermostat wiring are particularly lenient due to current
limiting in the transformer, so they're commonly only 18 AWG. 18 AWG is small
enough that the NEC ampacity tables don't even go that small; it's just not
permissible for non-current-limited circuits. The size savings are particularly
important since thermostats are most often hooked up using a five-wire cable.
The wires connected to a thermostat are conventionally identified by letters
(but usage of these letters is not entirely consistent) that primarily refer to
the conventional colors of the wires (while obviously a terrible practice, I
have encountered thermostats where the colors were not used according to
convention). In other words, if you are wondering what the "R" wire is, it's
the Red wire. That's what R means. Similarly G for Green, Y for Yellow, and C
for Blue (not to be confused with B for Blue). That's a joke, C is for Common,
but the wire is conventionally blue, but a lighter blue than the B wire.
Sometimes it's not blue. C is probably the one that varies the most.
Conventional (four|five)-wire systems
What do all these wires do? Well, the R or Red wire is the 24VAC power supply.
Less commonly, there can be separate R wires for heating and cooling, usually
labeled RH and RC. This usually happens when the heating and cooling equipment
are in different locations and installed at different times, so they each have
their own transformer without a connection between them. This actually comes up
a lot in New Mexico because of people replacing swamp coolers with refrigerated
air, which is often easier to do by putting a package unit (condenser and
evaporator in one unit) on the roof on the original swamp cooler plenum. In
this case the entire cooling system, from compressor to indoor air blower, is
all on the roof and usually has its own thermostat wiring run .
The basic concept of the thermostat is that it takes the 24VAC supply and
connects it to other wires, which go the coils of relays in the heating or
cooling equipment to actually turn things on and off. The most common of these
wires are W (White) which activates the heat, Y (Yellow) which activates the
cooling, and G (Green) which activates the fan. A typical simple thermostat
installation only provides these four wires: R, W, G, and Y. G is provided as a
separate wire for the fan to enable the fan auto/on switch that most
But there's sort of a problem with this standard setup: 24VAC is available, but
it cannot be used as a general purpose power supply! The reason is that there's
no neutral wire to connect the 24VAC to that doesn't cause something in the HVAC
equipment to turn on. This is why many digital thermostats are battery powered.
Historically, the thermostat wiring was strictly a control circuit and could not
be used as a power supply.
Modern smart thermostats, though, involve typical computing industry horrors
like running a complete Linux environment, and therefore cannot run off of AAs
with any reasonable lifespan . They require a constant external power
supply. This means they need a common, or C wire, which functions as a general
purpose neutral. The C wire is a relatively new innovation in thermostat wiring
and so a lot of homes don't have one, and on those that do the color can vary.
Both blue and black are fairly typical. The C wire is only used if you have a
thermostat that expects an external power supply; mechanical thermostats and
older digital thermostats typically did not. Many newer digital thermostats can
function off of either a C wire or batteries, but the combination of both is
ideal since it avoids regular battery changing but also allows the thermostat
to keep its clock during a power outage.
So now we have five wires, which as I said is the most common in a modern
residential installation: R and C (24VAC and common), G (fan), and W and Y
(heat and cooling).
There are more.
Some houses have more interesting HVAC equipment that involves extra wires to
control extra features, or that for historic reasons just uses a little
different control scheme.
Some homes are equipped with two-stage heat, two-stage cooling, or potentially
both. Two-stage cooling seems more common but that might just be because I live
in a climate that rarely stays below freezing all day, but does require all-day
cooling more often than I'd like to admit. In most cases thermostats exercise
only "bang-bang" control, a term that means that all they can do is turn a fixed
heat or cooling output on or off. But in a two-stage system, there is a "low"
setting and a "high" setting. In AC this is often implemented by having two
For two-stage systems, there will be two wires, one for each stage. These are
usually called W1 and W2 for heat, and Y1 and Y2 for cooling. W2 is usually,
but not always, brown, and Y2 is usually, but not always, light blue.
Heat pumps usually add one difference and potentially a second. First, heat
pumps typically have some outdoor temperature at which they are no longer
more efficient than resistive heating (or in other words they become 100% or
less efficient, when heat pumps are typically more than 100% efficient.
For newer heat pumps this temperature is usually low enough to be pretty
uncommon, but older heat pumps in colder climates may get into this situation
Heat pumps are almost always installed with resistive electric heating for this
situation. Switching to resistive heating in excessively cold weather basically
makes 100% the minimum efficiency. Older heat pumps usually called this feature
"emergency heat," but "emergency" sounds sort of dramatic and may have been a
factor in people avoiding heat pumps ("do heat pumps run into a lot of
emergencies?"). As a result, newer heat pumps and thermostats tend to call this
"auxiliary heat." Either term works but auxiliary is probably better since it
clarifies that the resistive heating is not just for situations where the heat
pump has failed (although it is a cool bonus that heat pumps usually provide
redundant heating, unlike gas or conventional electric heaters).
As you'd imagine, there's a wire for that. It's labeled "X" or maybe "Aux.",
and it can be basically any color. There's no agreed upon norm.
I'm actually oversimplifying somewhat as "emergency heat" and "auxiliary heat"
are technically different things, but it is still largely true that auxiliary
heat has replaced emergency heat. What happened is that older heat pumps
usually only used the resistive heat if the user turned on a switch on the
thermostat, usually in response to loss of heat---an apparent emergency. Newer
heat pumps usually turn on the resistive heat automatically, either when the
outdoor temperature is too cold or when the thermostat is trying to close a
large temperature difference quickly in which case the auxiliary heat just
provides a boost. This is sort of a two-stage heat system. These newer systems
still usually have an "emergency heat" switch on the thermostat which just
forces it to use the auxiliary heat only, should the heat pump have failed.
As an additional complication, some heat pumps use a fundamentally different
control scheme. I have never personally seen one of these, but I have read that
some brands still work this way. To understand it we need to consider how a
heat pump actually works: fundamentally, a heat pump does the same thing to
heat and cool, but the direction of the loop is changed. This is accomplished
by a "reversing valve." While many heat pumps have a heat and cool input (W and
Y) and set the reversing valve and run the compressor based on those two
inputs, some heat pumps use the W wire to run the compressor and then have an
additional wire which sets the reversing valve as a separate function. The
reversing valve wire may be powered for cooling (called B), or powered for
heating (called O) depending on the manufacturer. Trane heat pumps seem to use
a particularly eccentric scheme where B and O are both present but B energized
is the same as the un-powered state, B is used a a common wire (it doesn't do
anything, just like C on most thermostats) except when O is energized.
These wires are usually blue and orange, and called B and O as a result. The
functional equivalency of these wires in certain combinations with W and Y
wires results in a lot of thermostats having terminals that are labeled for
both functions, which leads to further confusion.
Everything I have said so far relates to conventional control voltage
thermostats, which are most common because of their low install cost and
universal support in forced-air furnaces. But line-voltage thermostats, which
directly switch power to the device, also exist. Line-voltage thermostats are
very common in my region on swamp coolers, which have relatively low current
consumption and are traditionally controlled manually by a rotary switch or set
of light switches. Most swamp cooler upgrades to thermostatic control are just
done by putting a line-voltage thermostat in place of the old manual switches.
These thermostats are somewhat specialized since there are operational factors
specific to swamp coolers, for example the desire to pre-wet the media before
starting the blower and the popularity of two-speed blower motors.
Line-voltage thermostats are also common with radiant electric heating systems
like baseboard heaters and underfloor heating, where they're installed very
near the heater more or less in line with the electrical wiring already going
to it. They're also common for hydronic (water) heating systems, but this is
a bit of an odd case as hydronic thermostats are still usually just actuating
a control circuit... it's just that typical hydronic zone valves operate at
line voltage, not low voltage, and actually have a fairly substantial current
Of course all of this nonsense with wires can be a huge pain, especially on a
retrofit installation of central heat or when relocating a thermostat for
better performance. To ease these kinds of situations and create a fun new set
of failure modes, there are plenty of options for wireless thermostats that
communicate with a box that "emulates" a traditional thermostat. The
receiver/controller can then be connected directly to the HVAC equipment and
the thermostat can go wherever you want. I had one of these once and the
thermostat required 8 AA batteries that died constantly. There have probably
been advancements in recent years.
This simple scheme of the thermostat energizing relay coils is not very
practical in commercial buildings. In fact, it's not that practical in
residential buildings today either, and in modern heaters and air conditioners
the thermostat wires are not necessarily connected to relays but instead may
just be logical inputs to a control board. Still, the necessity of five or more
pair wiring to each thermostat is a cost issue in commercial buildings where
it is typical to have one thermostat in each room.
On top of that, commercial buildings tend to have a more complicated system
design in which variable air volume (VAV) equipment is used, which means that
thermostats control the amount of air delivered to a room instead of whether
or not heating or cooling is active.
Historically, variable air volume commercial HVAC systems were often pneumatic.
Rather than pressure based, they were vacuum based. Somewhere centrally in the
building, a vacuum pump pulled a decent volume of air through a system of tubes
running throughout the building. Vacuum lines were run to variable air volume
dampers (VAVs) and then to thermostats. In response to out of range
temperatures, thermostats would close or open the tube to the room air. In
response to the change in vacuum pressure on the line (which would increase, or
rather go more negative, when the thermostat closed its valve) a pneumatic
servo actuator in the VAV would adjust the damper. If you've heard a thermostat
making a constant faint whooshing noise, that's why... it's a pneumatic
thermostat admitting air into the vacuum line.
Of course this pneumatic scheme had its downsides, and as technology advanced
it became more attractive to use an electronic scheme. I am not very
knowledgeable in this area, having had only very limited interactions with
commercial HVAC equipment that mostly mounted to some collegiate security
research on manipulating the temperature of unpopular faculty member's offices.
Most modern commercial HVAC systems do seem to have consolidated on BACnet,
which is a general purpose communications protocol for building automation
equipment that originated in the HVAC industry (with a trade group called
BACnet is a fairly simple protocol (intended for easy implementation on
embedded devices) which has a lot in common with other protocols for similar
use cases. It's primarily what I call a "high level remote memory access"
protocol, meaning that it fundamentally consists of commands to read and write
addresses (called "properties" in BACnet, unlike say modbus which more clearly
shows its RDMA basis by calling them registers). BACnet enhances this model a
bit by adding a simple discovery scheme that makes setup of BACnet networks
easier. BACnet also specifies a set of standardized properties or addresses that
facilitate compatibility between vendors.
BACnet is agnostic to the physical layer, which can be Ethernet but is often
RS-485 or proprietary protocol LonWorks. An interesting property of BACnet
is that it seems to be fairly common for access to the BACnet physical medium
to be fairly easy to obtain, for installer convenience. In other words, a lot
of commercial thermostats just have a Euroblock-type connector on the bottom
that can be used to connect to the BACnet bus. You can imagine the potential.
 Unless you're on three phase delta power, which is a weird thing that is
common in apartment complexes. Then you have 120V and 208V for reasons that
 I live in a house with what I would call the New Mexico Transitional
configuration, meaning that I have a normal AC evaporator mounted on my central
furnace, but the condenser is nonetheless sitting on a platform on the roof on
top of the old swamp cooler plenum. I think when there's already a roof frame
for the swamp cooler this is just easier than putting the condenser on the
ground, especially since the refrigerant lines can be run straight down through
the old plenum or heater combustion air duct. It has the downside that the
central furnace and AC continue to use the old swamp cooler plenum which is
poorly sealed where the swamp cooler was removed and loses a lot of conditioned
air into the attic. Nothing that eighteen cans of Great Stuff can't fix.
 This is not strictly a limitation of smart thermostats, I've used an Emerson
Sensi thermostat which is WiFi-connected but still manages a reasonable life off
of battery power. Of course it has a basic LCD display and physical buttons, not
the full color touchscreen that everyone demands these days.
The greatest trend in telephone technology for the last decade or so has been
the shift to all-IP. While this change is occurring inside telco networks as
well (albeit more slowly), it's most visible in the form of IP-based end-user
communications devices. In other words, the ubiquitous office IP phone.
Office IP phones have gone through various forms as vendors have come and gone,
but I still tend to picture the Cisco 7900 series as the prototypical example.
Some of this association probably comes from the 7960's starring role in the
television series 24, where the fictional law enforcement and/or intelligence
agency and/or paramilitary CTU is absolutely lousy with them and their
distinctive ring tone. This is no coincidence, Cisco apparently had a generous
promotional consideration deal with the 24 production team that ensured a
number of Cisco office telecom products were clearly visible... and audible.
I'm not sure how many people can place it, but I think a large portion of
people around my age recognize the
A Tangent About a Ringtone
One wonders, of course, where the sound known to many as the 24 ringtone
actually came from. I wrote several paragraphs about the history of these ring
sounds as I understood it before I did some careful listening and realized I
was entirely wrong. Here's the issue: I thought, and from googling some other
people seem to think as well, that the "24 ringtone" was a stock ringtone on
Cisco 7900 series phones, and that it was a direct copy of a ringtone long
present on AT&T/Lucent/Avaya office phones that dates back to the AT&T Merlin.
The Merlin, a historically notable office key system for several reasons, was
also AT&T's first serious foray into digital, function-generator-based
ringtones. Merlin phones contain a simple sine-wave-only variable frequency
oscillator (VFO) to produce various beeps and blorps like keypress
confirmation. To produce a pleasing ringing sound, the phone drives this VFO
based on a simple "program" that consists of frequencies (in hertz) and time
periods (in milliseconds). This system works well enough that it still sees use
in telephone today, although the VFO is now software. Such "programs" are often
written in a compact text format, and most IP phones today still use this basic
approach for things like dial tone, ringback, etc... but for ringing proper,
they usually expect a "proper" audio file. Not so with the Merlin, which didn't
yet have the hardware to actually play audio samples. Lists of frequencies and
durations were all you got.
Someone at AT&T presumably spent a long time messing around with these simple
programs and it was worth it. The original eight Merlin
ringtones remain, in my opinion, some of the finest
phone ring sounds ever devised, and are still offered by many IP phones today.
Western Electric, which manufactured the Merlin, became AT&T Technologies,
which became Lucent, which became Avaya. These companies have largely honored
AT&T's legacy in this era and Avaya IP phones continue to have a minimalist
and commercial-feeling but also pleasing and thoughtful sound scheme... still
largely based on simple sequences of one or two tones.
This is of course strictly a matter of opinion, but I am incredibly irritated
by the path that phone sound design has taken. A modern smartphone, by default,
offers basically zero ringtones that actually sound like phones. I realize that
this comes from my idea of what a "phone" is having ossified when I was about
four years old, but I do think there's a good objective argument for communications
devices using simple, short, and highly recognizable notification sounds rather
than the sort of bizarre set of one minute compositions you tend to get today.
But let's get back to the first tangent here. It turns out my recollection here
was wrong: first, the "24 ringtone" is not actually a default ringtone on Cisco
phones, but is a "default custom" ringtone that is provisioned to phones by a
default installation of Cisco Call Manager (or Cisco Unified Communications
Manager later, when Cisco was a major driver of the brief Unified
Communications buzzword craze). Cisco IP phones are virtually always used with
Cisco Call Manager because they don't use SIP, but rather a Cisco-proprietary
protocol called SCCP (commonly referred to as "skinny," which was both an
earlier internal name and a reference to SCCP's goal of being simpler and
easier to implement on devices than SIP). As a matter of fact Cisco 7900 series
phones actually did support SIP if you re-provisioned them with a different
firmware image that Cisco provided for that purpose, but this was janky and
it's not something I've actually seen used outside of my own home.
So, since Cisco 7900s are almost always used with Call Manager and Call
Manager, by default, provisions the phones with these "custom" ringtones...
they're pretty much default. The issue is pedantic but still sort of
interesting, as it leads you to wonder what internal politics lead to
additional default ringtones being included as part of the install package for
Second, though, and more importantly, the ringtone in question is not a
Merlin ringtone. The most widely heard ringtone in 24 is very similar to, but
noticeably different from, Merlin ringtone 6. The other ringtones heard in the
show (which are other Cisco Call Manager defaults) are also "very much but not
quite entirely" like the Merlin options.
This actually addresses a bit of a mystery to me. Cisco got its IP phone
business by acquiring (pretty much immediately after founding) a company called
Selsius. There is no historic business relationship between Cisco/Selsius and
AT&T/Lucent/Avaya, so it would seem surprising for AT&T's classic ringtones to
end up in a Cisco product. Well, they didn't, or at least not exactly. Although
I can't find solid proof, it seems virtually guaranteed to me that the the
Cisco Call Manager default set of custom ringtones are, in fact, ripoffs of the
Merlin tones. The 24 ringtone is a fake! Given the '80s era prestige of the
Merlin system, the Cisco ringtones are practically the "Louise Vittant" handbag
of the telephone world.
To be fair, though, whatever anonymous Cisco employee sat down to copy the
Merlin ringtones made some meaningful improvements. The staccato cadence of the
Cisco ringtones, as opposed to the Merlin's legato, is very distinctive and
probably more recognizable in a loud environment. It also sounds pretty cool,
which sure helps with a TV series about a vague counter-terrorism agency with
apparently superhuman abilities.
So here I'm 100 lines in and on a total tangent. I didn't mean to write about
ringtones, I just like them. What I actually wanted to write about has to do
with the ubiquity of IP phones themselves. Most office workers my age have
probably had an IP phone on their desks for pretty much their entire career. I
have, with the exception of one large institutional employer where I was lucky
enough to be among the last employees issued an ISDN desk phone. This was rare
enough by then that the amused telecom technician made a show of blowing the
dust off of the "voice terminal" that she had pulled out of a closet junk heap.
I actually loved that phone, but I loved it because it was weird and obsolete.
Despite their own eccentricities (which are significant enough that IP phones
are virtually always segregated to their own VLAN), IP phones are an
increasingly pedestrian part of IT infrastructure that lack some of the
intrigue of traditional analog and TDM instruments.
Despite the advantages of IP phones, a lot of organizations that make the
switch to IP end up with various odd analog phones left over that, for various
reasons, are more expensive to replace. It's fairly common to end up keeping
landline telephone service to buildings just to support these devices. And here
is the real purpose of this post: to tell you about a few cases where you will
very frequently find analog phones, even in organizations and facilities that
have otherwise switched to IP. The best part is that these are pretty much all
weird types of phones (that's what makes them hard to replace with IP), and
you know I love talking about weird phones.
One common category of holdover analog phones are emergency phones. The most
common case are elevator phones, intended for use by an elevator occupant if
they're stuck. In most cases, code requires elevator phones to use an outside
line to call an attended call center. This means that they're usually proper
phones hooked up to the PSTN. While IP elevator phones are available, they
don't seem to be very common. A big factor here is that the elevator phone is
typically hooked up by the elevator installer who will run an analog phone
line with the elevator travel cable. Adding ethernet later is a pain on its
"Blue light" type emergency phones (whether or not made by the actual company
Code Blue) are also often analog, although new installations are likely to use
the IP versions.
Burglar alarms historically used landline telephone for reporting almost
exclusively. Well, historically meaning since the 1950s or so. Prior to that
point there were a lot more private alarm monitoring networks in use that used
either dedicated pairs per monitored system or telegraph technology. Today, a
variety of burglar alarm reporting methods other than telephone are available,
but there are still plenty of landline phone communicators in service.
Alarm communicators are not limited to burglar alarms. Some devices like
generators and refrigeration equipment may be equipped with a device for
reporting any test failures or alarms. Like burglar alarms, today these are
often cellular and/or IP, but there's still older equipment out there using
analog telephone for reporting.
Access Control Systems
It's fairly common for access control systems, that is electronic door locks,
to be remotely programmable. This is common in small organizations where the
system is fully managed by a locksmith, and in large organizations where it
is managed centrally from a corporate office. Once again, newer systems are
moving to IP but there's a lot out there that relies on something like a
USRobotics modem for external access.
Paging and Radio Bridges
Something that I've personally seen a couple of times is held-over analog phone
lines to support audio bridges to an overhead paging system or to a handheld
radio service. There are plenty of IP bridges available for these kinds of
applications, but this is another area (like elevators) where you run into a
disconnect between contractors: if different organizations service the
telephone system and the paging or radio system, you can get stuck on analog
just because of the lack of coordination (and willingness to pay) for the
Some Miscellaneous Phone Devices
Analog phone lines lead to a lot of odd situations inside of commercial
buildings, especially smaller ones, both because they were easy to adapt to
many purposes and because adding more lines was pretty expensive. There
was an obvious desire to put more than one device on each phone line.
A common way to achieve this was via a device like "The Stick," which picked up
phone calls, detected the presence of a fax or modem carrier, and directed the
call to different ports as a result. These types of "lightweight switches"
produce some interesting opportunities for phone phreaking. With the popular
Stick, for example, DTMF sent immediately after pickup can be used to force it
to direct the call to a different port. This can reveal devices like modems
that otherwise don't "pick up."
The whole reason I personally know about The Stick is that I've seen it used
for remote programming modem access to the access control system in two
different buildings. There are obvious security implications of this practice.
How Analog Hides Out
So how do organizations that make a switch to IP support these existing analog
telephone devices? To some readers it might seem obvious that an ATA (analog
telephone adapter) could be used to connect them directly to an IP phone
system. In some cases this is true. But it's important to understand that many
VoIP systems use speech codecs that do not preserve enough bandwidth for
digital signaling to work. This is most commonly encountered in the case of fax
machines: a fax machine naively connected to VoIP via an ATA will likely work
unreliably or not at all, depending on the codec selected for the call.
Instead, legacy analog devices are often supported by just keeping conventional
telephone service. In a way this is a good solution, since some of these
devices are safety or security related, and the telephone network is operated
to a higher standard for reliability than most corporate networks. On the other
hand, this can become a real headache when a PABX is in use. Although a
somewhat extreme example (this was a very large organization with many legacy
devices) I have seen one case of an entire 5ESS kept in service basically for
analog (and some ISDN) cruft. This is a telephone switch of a scale that it has
a staff, albeit now a small one. More commonly, there are definitely some
smaller PABX systems that remain installed in commercial buildings to support
fire and access control applications. There may be few people with knowledge
of these switches and how they're configured.
Well, that was sort of a grab bag of topics but I hadn't written for a while
and it was on my mind. I'm in the midst of a remodeling project and life is
hectic in general at the moment, so I'm probably going to be following up with
some more posts on odd topics. For example, I'm thinking a lot about
thermostats right now, and I expect to write a bit on the curious world of HVAC
So we've talked about radio spectrum regulation in some detail, including the
topic of equipment authorization (EA)---the requirement, under 47 CFR, that
almost all electronics receive authorization from the FCC prior to sale. We've
also talked about the amateur radio service (ARS, 47 CFR 97), and I've hinted
that these two topics collide in an unusual way. So this of course raises the
question: does amateur radio equipment require authorization? Or, more fun to
type, does EA apply to ARS?
The answer is... it's complicated.
In fact, it's sort of surprisingly difficult to get a straight answer on this
question. 47 CFR itself is not very clear on this point, because of course the
authors of regulations are a lot more willing to throw in special cases to
resolve special circumstances than to provide a convenient general rule. While
amateur radio is mentioned in various places in Parts 2 and 15, and equipment
authorization is touched on in Part 97, there's no general requirement or
exception to be found in 47 CFR.
Further contributing to confusion, there is a lot of "armchair lawyering" in
the amateur radio community. You will get different answers from different
people on even very basic questions about EA. Part of the reason is that the
rules have changed over time, less due to 47 CFR itself than due to enforcement
actions and regulatory guidance coming from the FCC Enforcement Burea. Part of
the reason is because people are repeating things they heard eighth hand from
somewhere in the 1950s. And, well, part of the reason is that amateur radio
operators enjoy a rather unusual privilege: generally speaking, there are no
EA  requirements for amateur radio.
In a way this is intuitive: amateur radio has a substantial tradition of
home-built or home-modified equipment. "Vintage" HF equipment are sometimes
colloquially referred to as "boat anchors" in reference to both weight and
typical market value while sitting on a hamfest vendor's table. But, as a
matter of fact, if you manage to construct a boat anchor into an RF transmitter
you are welcome to use it in the amateur radio service, subject to the
technical requirements of Part 97. A common way to explain this (common enough
that the FCC itself says it in a number of places, even though it is not quite
a literal part of the regulations) is to say that amateur radio privilege rests
entirely with the person holding the license. As a licensed operator, you alone
are responsible for the operation of your station... not the device
manufacturers. You can make use of anything, subject to good engineering and
But I said it was complicated, didn't I?
The first reason is related to requirements on the sale of scanning
receivers. As a convenience and because it is fairly easy to implement with
modern electronics, almost all amateur transceivers on the market today offer
wide-band reception. Any device capable of monitoring two or more frequencies
between 30 and 960 MHz and switching to one on which a signal is received is
considered a scanning receiver (47 CFR 15.3(v)). As of 1999, all scanning
receivers require certification by the FCC (47 CFR 15.101(a)). Certification
is used here in its current sense in the regulations, meaning that the FCC
must actually review and approve the results of testing. A mere declaration
of conformity from the manufacturer is not acceptable.
In other words, the majority of amateur radio transceivers sold today are
actually subject to equipment authorization under Part 15, Part 97 be damned.
If you remember our talking about the verboten
band, this might be
familiar: the certification requirement for scanning receivers was created
specifically to prevent the sale of devices which would be used to eavesdrop on
analog mobile calls. This ruling somewhat inadvertently introduced a de facto
EA requirement for the amateur radio industry, and it is typical today for
amateur radio devices to somewhat incongruously bear a Part 15 Device label.
Amateur radio transceivers can be marketed and sold without certification under
Part 15 if, and only if, they do not meet the definition of a scanning
receiver... not particularly likely since wideband reception and dual VFO with
"dual watch" have become standard features on even the cheapest HTs. A more
likely type of device to not fall under this requirement are HF transceivers,
which are more likely to omit wideband reception and not have receive
capabilities above 30MHz. Still, this is not especially common.
Given that the first complication boils down to reaction to mobile phone
eavesdropping, it will perhaps be unsurprising (at least if you've read enough
of my radio rambling) that the second complication boils down to citizens band.
For primarily cultural reasons that are hard for anyone under 40 to really
comprehend, citizens band (CB) enjoyed a brief period of mass popularity,
during which it was the primary thorn in the FCC's side. Like other services
which are licensed-by-rule (e.g. FRS and GMRS), CB is available to individuals
without training or registration. To prevent the band becoming unusable, there
are strict limitations on CB equipment in terms of output power: 4 watts. That
doesn't sound like a lot, but remember that unlike the consumer radios we're
used to today, CB is HF. 4 watts travels surprisingly far below 30MHz,
What makes CB very different, from a regulatory perspective, from FRS and GMRS
was the absolutely huge extent of rule-breaking. While illegal operations at
e.g. higher than permitted power is not unheard of in FRS and GMRS, it is not
very common. At the height of the CB craze, illegal operation at 100W or more
became practically the norm. While there were higher-than-limit CB radios
available for purchase through various grey market channels, high CB output
powers were most commonly achieved by adding an external power amplifier.
Power amplifiers would probably be unfamiliar to most radio users today,
because we now use mostly VHF and UHF where power levels are relatively low
and linear amplifiers are troublesome for technical reasons. But in the HF
bands, still today in amateur radio, it's fairly normal to use a transmitter
with an output power of, say, 4 watts, and direct that power to an external
linear amplifier which uses it as the gate input for a very big power tube.
Power amplifiers were not legal to sell for CB use, but the CB band is close to
the popular 10 meter amateur band. Close enough, in fact, that a power
amplifier intended for 10M use will typically work acceptably when driven by a
CB radio. The inevitable result: truck stops suddenly diversified into the
lucrative amateur radio power amplifier market. Who amongst us has not stopped
into a Pilot Travel Center to upgrade our 10M rig to 300W output?
The FCC addressed this runaround of the rules by creating 47 CFR 97.315. This
exception to the general lack of EA rules in Part 97 states specifically that
any power amplifier capable of operation below 144 MHz is subject to equipment
authorization. The same section then provides broad exceptions for any such
amplifier that is built, modified, or purchased used, but only when the user
holds an amateur radio license.
What rules must such amplifiers meet to receive EA? 47 CFR 97.317 tells us that
the amplifier must exhibit zero gain between 26 and 28 MHz, not be easily
modified to demonstrate gain on those frequencies, and more broadly not be
usable for services other than amateur radio. 26 to 28 MHz is, of course, the
citizen's band. Just to reinforce this, along with some brief boilerplate
amateur radio is mentioned in Part 2 (which, remember, states the general
requirement for equipment authorization subject to whatever other part applies
to the device) only once... 47 CFR 2.1060(c), which says that "Certification of
external radio frequency power amplifiers may be denied when denial would
prevent the use of these amplifiers in services other than the Amateur Radio
Service." Here, the FCC protects "can be used for CB" as a reason to refuse
authorization under Part 97---in the one case where it's required.
Why the 144 MHz cutoff? I'm not sure exactly but there is an obvious direction
for speculation. 144 MHz is the start of the 2-meter band, which is for most
purposes the lowest amateur band that is not HF. Power amplifiers designed for
VHF and UHF use are fairly substantially different from those designed for HF
and would be unlikely to produce usable output when driven by any HF
transmitter, including a CB radio. The "below 144 MHz" rule seems to just give
a pass for those power amplifiers that are unlikely to be part of the problem.
Now, if an amateur radio power amplifier can be modified for use in CB radio,
what about a whole amateur transceiver? Yes, that's where the off-label CB
market went next. Remember Pilot truck stops? Agents of the FCC Enforcement
Bureau visited eleven of them in 2004---well into the decline of CB radio. They
are not famous for their quick reaction to new trends. Still, the FCC found
that these Pilot locations had oddly diversified again into amateur radio
It's part of the American tradition to dream big, and it ought to inspire us
all that Pilot aspired to best such barons of industry as Ham Radio Outlet
and.... no, that's it, HRO is actually the only brick and mortar amateur radio
retailer I have ever laid eyes on. The fact that their Portland location is
still open can only be explained by miracle.
Of course this was not really the case, what Pilot was selling as amateur HF
transceivers were just CB radios without equipment authorization. Or more
accurately, they were 10M transceivers that had been intentionally designed to
allow trivial modification to CB. For this bit of not-so-clever deception Pilot
was ordered to pay $125,000 to the FCC. That includes an extra bonus forfeiture
for continuing to sell them after the first set of violation notices was
This notice of apparent liability for forfeiture, FCC docket 04-272 or
better cited as 19 FCC Rcd 23113, is notable mostly because it is now the
primary citation given for the fact that amateur radio equipment does not
generally require equipment authorization. It states explicitly in paragraph 3
that "radio transmitting equipment that transmits solely on Amateur Radio
Service frequencies is not subject to equipment authorization requirements
prior to manufacture or marketing." Had the Enforcement Bureau not provided
that plain statement in this particular NALF, the lack of EA requirements for
amateur radio would remain a largely non-obvious consequence of the lack of any
particular EA requirements in Part 97 (other than the one about sub-144 MHz
Note though that, fortunately, the FCC didn't decide to address this problem by
adding an EA requirement for amateur radio transceivers that could transmit
anywhere near 30 MHz. Instead, the Enforcement Bureau finds that the existing
rules are quite clear enough. Any transmitter intended for use in CB must be
type certified for CB, and it was well established earlier in the CB craze that
"easy modifiability" does not work as a loophole. A device which is sold on the
premise that it can be easily modified for CB use is still, in the FCC's view,
a CB radio.
Nonetheless, illegal CB equipment remains pretty easy to obtain. A trivial
Google search found a 100W power amplifier for sale at just $88, apparently
from an Italian manufacturer. The internet has made regulation of the radio
market very challenging, as it has for most markets. Equipment is made for
legal applications in other countries and then imported, or just starts out
as a design for the US gray market.
This problem has become particularly large with the rise of the Chinese radio
manufacturing industry. There is a substantial global market for inexpensive
land-mobile radio equipment for business use, and many countries have rather
lax regulations on radio services and devices. LMR radios in the United States
are generally prohibited from being face-programmable, for example, but many
other countries have no such prohibition. A set of Chinese radio manufacturers
have emerged that sell products into this market. One of the cheaper ones has
become less of a brand and more of a category in the amateur radio market:
Baofeng, more properly Fujian Baofeng Electronics Co., Ltd, was founded in 2001
by one Wang Jinding. With around 1000 employees, Baofeng produces a large line
of VHF/UHF handheld radios, or Handie-Talkies as amateurs charmingly still like
to call them (a term that dates back to WWII). For several years now, Baofeng
seems to be represented in the United States by Baofeng Tech or BTech. Baofeng
Tech conspicuously promotes themselves as based in the sub-1000 population town
of Arlington, SD, and indeed the Secretary of State has the filings for B-Tech
Distribution Inc, incorporated by one Andrew Brown. The same Andrew Brown at
the same address has formed a variety of LLCs with names like "Three B
Developments" and "Three B Investments," but I can find little else about them.
The About page on the Baofeng Tech website ends in "if you have accepted Christ
as your personal Savior – contact us today here to let us know and we will send
you a one time package of literature."
BTech has also sent a one-time package of literature to the FCC, as they
obtained equipment authorization on a number of Baofeng models based on test
results commissioned from Bay Area Compliance Laboratories of Dongguan. These
equipment authorizations are, in fact, type certifications for Part 90
land-mobile radio operation. As a result, for these models, it is perfectly
legal to market and sell Baofeng radios in the United States. It is, though,
still completely possible to purchase Baofeng models with no such equipment
authorization, often shipping direct from China. This would constitute a
violation of the FCC regulations on the part of the retailer.
But what of amateur radio? Type certifications are done against specific parts
of the FCC rules. The Part 90 certificate for the Baofeng models list specific
bands and modes (emission designators) for which they are authorized. Part 90
(private land-mobile radio) is not Part 97 (amateur radio), and so the radio is
not really authorized per se.
But the trouble here is, amateur radio is largely exempt from equipment
authorization in this way too. Much like Part 97 lacks equipment authorization
requirements (except power amplifiers) on manufacturers, it also lacks any
prohibition on the use of unauthorized equipment. In fact, both Part 2 and Part
97 contain exceptions to equipment authorization requirements that explicitly
preserve the ability of amateur radio operators to use any equipment they
choose. For example, Part 2 provides an exception to general requirements that
modifications be authorized by the FCC: Amateur license holders can freely
modify equipment for use in the amateur radio service. No approvals required.
It has for some time been a generally accepted practice to repurpose Part 90
equipment for amateur use. This was particularly true in the days of
crystal-based mobile radios, when many ex-police HF radios were modified for
amateur operation. I know of club repeaters today running on lobotomized
Motorola P25 (trunking system typically used by law enforcement) equipment. And
an active group of amateurs operates WiFi equipment in amateur bands, based on
their overlap with foreign WiFi allocations.
As a result of this exceptional latitude, amateur radio operators are, as far
as I can tell, completely permitted to use Part 90 authorized radios. Further,
amateur radio operators can use radios that are not authorized at all. This
actually shouldn't be that surprising: most amateur radios today only need
equipment authorization under the 1999 anti-eavesdropping rule. Prior to '99
most all amateurs were operating unauthorized equipment!
Nonetheless, the organizations marketing and selling these unauthorized models
are violating FCC rules. The FCC seems to have taken a light touch on the issue
of selling unauthorized equipment for amateur use, not just a bit because doing
so would only really violate normal Part 15 rules and not nominally harm any
licensed service. But the FCC has increasingly taken an aggressive position on
retailers selling unauthorized radios to non-licensed users. In a prominent
case, hobby vendor Rugged Radios received a threat of a forfeiture notice if
they did not cease sale of the RH5R (apparently a custom case version of the
Baofeng UV-5R) and other models. The target market was primarily offroad and
powersports users, who don't generally hold any radio license .
Offroad and powersports users might better be advised to use the
licensed-by-rule services MURS or CB , or even apply for an
industrial/business pool license as an organization (although the logistics of
distributing Part 90 radios are somewhat complex, since they must be programmed
externally). But Rugged Radios was selling unauthorized radios along with
materials that included lists of Part 90 and Part 95 frequencies. This clearly
constituted marketing of an unauthorized device to a use for which
authorization is required.
The importation of radios not built to US regulations will continue to be a
challenge in spectrum coordination. Incidents of drone FPV transmitters
directly interfering with aviation radar show the practical effects. I tend to
think, though, that the impact will always be limited: Today, consumer radio
use not controlled by a licensed entity is largely limited to the microwave
 This is as opposed to what I'm doing here, which is more like jailhouse
 or device certification, type acceptance, or type certification. The FCC
itself is not entirely consistent about how it uses these terms and they have
changed over time, including a find-replace amendment to 47 CFR to swap out
 This has sort of come up a couple of times now. The FCC is not properly a
part of the government (it's an independent agency) and so it does not issue
fines. Instead, it issues Notices of Apparent Liability for Forfeiture, which
tell the target how much they are expected to pay as a civil matter. NALFs are
often attached to a Memorandum of Opinion and Order, which give an
interpretation of how the regulations apply to the present situation. Those
memoranda are sort of like court opinions in that they set precedent the
Enforcement Bureau will rely on later.
 Unless they happen to also be amateur radio operators. While there are
restrictions on the use of amateur radio for any commercial purpose, it's well
accepted to use amateur radio in the course of other hobbies. That is, an
amateur radio operator who also e.g. participates in off-road racing would be
permitted to use amateur radio equipment and spectrum for that purpose so long
as it is not a commercial activity (in which case the Part 90
industrial/business pool would be applicable). There is a particularly strong
tradition of amateur radio in the RC world, where many amateur radio operators
use amateur equipment and spectrum for telecontrol of RC aircraft and etc.
 MURS, the Multi-Use Radio Service, is a licensed-by-rule service similar to
GMRS but in low band where propagation in the open tends to be better. MURS
radios are more commonly mobile (i.e. automotive) than handheld, but ther are
both handheld MURS radios and mobile GMRS radios on offer. GMRS is a slightly
odd situation for that matter and there actually is such thing as a "GMRS
license," which confers privileges beyond those of licensed-by-rule users such
as repeater operation. This might also be attractive to off-road users. If you
chuckle at the common pronunciation "murrs" you are probably going to hell but
I am right there with you. Consult Baofeng Tech for advice on salvation.