jim.shamlin.com

RFID Technology and its Impact on Privacy

RFID technology is based on the use of a "smart" tag that stores and emits data through radio frequencies to a reader device. Presently, RFID tags are widely used in logistics and manufacturing to track the movement of inventory; are beginning to be used for physical security; and are proposed to be used on a more widespread basis, even implanted into human beings as a means of identification.

The technology was originally developed for use by the military: transmitting an ID code by radio helped to accurately identify friendly planes or ships to reduce friendly-fire casualties, and was later adapted to civilian uses in transportation and logistics. Miniaturization and microelectronics have facilitated its introduction in a wider array of applications.

Presently, there are two kinds of tags: a "passive" tag that has no internal battery and cannot transmit data unless it is energized by a reader's signal, and an "active" tag that has its own power source and emits a signal on its own. The core function is the same: to associate an item with an ID code that can be cross-referenced against a database to identify the item and, by virtue of the event created when it is read, its location at the time it was scanned. Additional data can be stored on the tag itself (name, address, photograph, fingerprint code, DNA, etc.), though these can just as easily be associated with the ID in a central database.

The "smart" tag is cause for greater concern: it contains sensitive information that can be picked up by anyone who scans the tag. However, even a tag that contains only a generic ID code can be used to track a person's movements: an observer who reads the same code at several places and times can build a database of his own, even if he cannot access the original data source to learn what was initially associated with the code.

The author asserts that the "active" tag is also more cause for concern because it transmits data and can be scanned without consent. However, I think that this is also true of passive tags, though some physical force may be required, so it's more accurate to say that the passive tag can be scanned covertly.

There is also concern of ongoing tracking by associating the RFID tag of a product to the person who purchased it. If the tag is in a vehicle or cell phone or credit card, it's almost as effective in practice as a tag placed on the very body of the user. Another example is given of a supermarket loyalty card that was used to track the movements of customers within the store.

CONTACT BETWEEN THE PERSON AND THE TAG

The primary debate over RFID tags is presently between commerce (which wishes to use the data to profile and market to individuals) and civil-rights interest groups, whose concern about the potential abuse is more significant than their objection to the current use.

Privacy Safeguarding Principles Applied to RFID

The Right of Information

The key objection to RFID as a communication device is that the communication is involuntary on the part of the tagged person. Fundamentally, the individual is not in control of what he is communicating, or to whom, or how they will use that information.

The author asserts that the tagged individual should be notified and have the ability to opt out, especially where personal information is concerned, as is required by EC directives regarding the use of this technology, though there is presently no such law or protection in the US.

Opt-In or Opt-Out Principle?

There is some debate over whether "opt out" is sufficient, and a suggestion that opt-in should be the standard instead. In either case, there may be instances where the person does not have a real choice - where opting in is made the condition of owning a product or utilizing a service. (For example, supermarket loyalty cards: your only way to opt out is to forego their use, and the associated price discounts.)

The author leans toward an opt-in system, in which the individual can obtain a product or benefit, but the tag is not activated unless they authorize it to be, and in which the user should then have the ability to deactivate it if they previously authorized activation.

She notes that "special consideration should be given to instances of the use of RFID tags by employers, and where refusal to be tagged, or tampering with an existing tag, could be used as reason for termination." This is a highly controversial issue that has not yet made it to the courts.

The Specific Purpose of the Implementation of the Tag

There is also concern over the (mis)use of RFID tags outside their specified purpose and scope. Again, the EC directives forbid this, but there is no such limitation in the US. The directives also limit the ability of companies to revise or extend their usage of tags at a later date.

Main Areas of RFID Applications

The author provides a list of some of the common uses of RFID tags:

Healthcare

The use of RFID in the health sector enables healthcare practitioners to reference information about a patient and share the information between the various caregivers who provide service to a single individual (e.g., the doctor who prescribes a drug, the pharmacist who dispenses it, and a nurse who administers the dosage).

In this sense, the RFID tag is an extension of the medical records and patient ID bracelets that are already in use, but the prospect of direct implantation of RFID tags in the body, or their inclusion on devices implanted therein, causes concern, especially regarding the possible availability of health-related information to third parties (an employer covertly scanning an active smart tag to identify an employee with a health condition).

On the other hand, implantation could be life-saving, along the lines of a medic alert bracelet that identifies the allergies or special needs of an individual so that healthcare workers are aware of them even if the patient is unconscious.

In the end, the general principle of consent should apply: the patient should decide whether they wish to use the technology, though there may be instances in which the tag could be lawfully implanted without the patient's consent (public health emergency, or a disease such as AIDS).

Security

The use of RFID technology by governments causes a great deal of concern over the surveillance of citizens and the use of this information to compile dossiers used to persecute or blackmail them. Even so, RFID tags are commonly used on ID cards, official papers, and passports as a way of combating forgery.

RFID as a security device is also in use in the private sector, as a security "tag" on equipment or merchandise as a way of detecting (and sounding an alarm) when they are moved without authorization, as well as in employee ID badges, which can be used to "card in" to gates without the need for a physical security presence to check IDs.

Transportation

RFID is widely used in the transportation area, to track and route baggage, or to embed a tag into tickets and passes. The author remarks that monitoring an individual's movements may be considered intrusive and threatening, but that the issue has not yet been raised.

Consumer Goods

RFID is commonly used in manufacturing and logistics, to track the movement of material through production and the movement of goods through the supply network. This is more of an internal operations choice and ethically unobjectionable.

However, if the RFID tag is added to a product (or its packaging) such that it can be tracked after it leaves the store (at which point it is the customer's personal property), the ethical issues arise. No such case has yet been reported.

The use of RFID within a retail store is a gray area. Technically, the goods are still the property of the store, but the tags could be used to track the movement of a customer within the store, or to detect the combination of goods in their "basket." Again, the potential exists, but no incident has been reported.

THE SYMBIOSIS: THE TAG, AN INDISCREET COMPANION?

The author speaks of the "relationship" between the tag and the individual.

Each phase of this relationship merits consideration: even if the beginning is "idyllic," the relationship may sour in a later phase.

Fair Processing of RFID Data

The "fair" use of RFID is dependent upon an agreement between the person tagged and the organization that collects tag data. Ideally, this is a voluntary and explicit agreement.

Data Quality

Some basic principles: the data that is collected should be limited to the minimum data necessary to serve the purpose, both in terms of the individual datum and the frequency with which the data is collected. Any collection or storage that is irrelevant to the core purpose is a possible infringement on privacy.

Data accuracy is also critical: the means for collection should provide reasonably accurate results, the subject should be able to monitor the data collected on them, and there should be provisions to edit the data to ensure it is correct and up to date.

Also, all data should be deleted once it is no longer relevant to the task, or if the relationship is terminated by either party.

Safeguarding the Security of the RFID System

One of the main concerns of RFID is the security of the data: safeguarding it against a third party's attempts to "clandestinely access" the data stored on the tag.

It is suggested that a user may find themselves carrying multiple tags in future (on their passport, drivers license, credit cards, work badge, clothing, transit card, and even subdermal), and the aggregate information stored in these tags would reveal "quite a lot" about the individual.

It is recommended that the data be encrypted such that each tag could be read only by its issuer, and that the quality of encryption should be reasonably sound, even if the data on a specific chip seems, in and of itself, relatively benign.
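As an added example (my own code, not from the author's text or any product the page describes), the following Go program shows what the recommendation above amounts to in practice, and where it stops short. An issuer seals the personal data on a tag under its own key using AES-256-GCM and binds the tag's UID into the authentication, so a reader without that key gets only an opaque blob and a sealed block cannot be moved onto another tag. It also shows the point made earlier about the generic ID code: the covert reader, unable to decrypt a single byte, can still log every sighting of the same UID and build a movement trail of its own. The cipher choice, the UID format, all names (Issuer, Tag, Seal, Open, CorrelateSightings) and the sample data are assumptions for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Added example, not from the page: issuer-sealed tag payloads using AES-256-GCM.
// Every type and function name here is hypothetical.

// Tag is what any reader obtains over the air: a fixed UID plus a sealed payload.
type Tag struct {
	UID     []byte
	Payload []byte // nonce || AES-GCM ciphertext with appended auth tag
}

// Issuer holds the key that alone can open the payloads it sealed.
type Issuer struct{ key []byte }

// NewIssuer generates a fresh 256-bit key; in a deployment it would live in the
// issuer's key service or HSM, never on the reader fleet.
func NewIssuer() (*Issuer, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Issuer{key: key}, nil
}

func (is *Issuer) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(is.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal writes personal data onto a tag so that only this issuer can read it. The
// UID is bound as associated data, so a sealed block copied onto a tag with a
// different UID fails authentication instead of decrypting.
func (is *Issuer) Seal(uid, data []byte) (*Tag, error) {
	gcm, err := is.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Tag{UID: uid, Payload: append(nonce, gcm.Seal(nil, nonce, data, uid)...)}, nil
}

// Open returns the data only if the caller holds the issuer key and the payload
// is unmodified and still attached to its original UID.
func (is *Issuer) Open(t *Tag) ([]byte, error) {
	gcm, err := is.aead()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(t.Payload) < ns+gcm.Overhead() {
		return nil, fmt.Errorf("payload too short")
	}
	return gcm.Open(nil, t.Payload[:ns], t.Payload[ns:], t.UID)
}

// Sighting is one read event logged by a reader that does not hold the key.
type Sighting struct {
	Location string
	Tag      *Tag
}

// CorrelateSightings is the "own database" a third party builds from covert reads:
// no payload byte is recovered, yet the constant UID links every sighting of one tag.
func CorrelateSightings(sightings []Sighting) map[string][]string {
	trails := make(map[string][]string)
	for _, s := range sightings {
		id := hex.EncodeToString(s.Tag.UID)
		trails[id] = append(trails[id], s.Location)
	}
	return trails
}

func main() {
	clinic, _ := NewIssuer()
	employer, _ := NewIssuer() // a different key
	uid := []byte{0xE0, 0x04, 0x01, 0x00, 0x12, 0x34, 0x56, 0x78} // constructed UID
	tag, _ := clinic.Seal(uid, []byte("allergy: penicillin"))    // constructed data
	data, _ := clinic.Open(tag)
	_, err := employer.Open(tag)
	fmt.Printf("issuer reads %q; third party gets: %v\n", data, err)
	// Constructed sightings: the same tag seen at three readers in one day.
	trail := CorrelateSightings([]Sighting{
		{"lobby 08:55", tag}, {"cafeteria 12:10", tag}, {"garage 17:40", tag},
	})
	fmt.Println("trail by UID:", trail[hex.EncodeToString(uid)])
}
```

Running it shows the issuer recovering the data, the non-issuer getting an authentication error, and the three-stop trail keyed by UID. That residual trail is why encrypting the stored data is only part of the answer: it protects what the tag carries, not the fact that the same tag keeps turning up.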

From a legal perspective, those who issue RFID tags should be held to standards that ensure a minimum level of security, and there should be legal remedies for any attempt to access or hack RFID data.

However, there may be some difficulty, especially with the first, as this is an emerging technology and security standards will continue to evolve. Also, there are a number of parties involved (the hardware and software developers, the solution provider, and the organization that deploys the solution), and culpability would have to be apportioned among them. Finally, some responsibility must rest upon the user to take reasonable measures to ensure their own tag remains protected.

The Rights of the Person During the Processing of Data

The Right to be Informed

In most instances, there is a single notification event when personal data is collected and processed, but in RFID applications, the subject may be aware that they have been tagged, but unaware when the tag is being read, or what data is being collected at the time the tag is read.

An example: if an RFID tag is used in a transport ticket, the user should be informed not only that the ticket contains RFID, but at each instance where the tag will be read. This is generally not a problem when there is a short-range tag and an overt scanning technique, but even a moderate range (a few feet) may make the act of scanning unnoticeable. Fundamentally, the use of "hidden checkpoints" should be considered illegal.

The Right of Verification

The subject should be able to access any data collected in the course of the RFID relationship, and have the ability to verify its accuracy and request its deletion. This places a responsibility on those who maintain the data to give the individual secure access to his own data while, at the same time, safeguarding it against access by anyone else.

THE SEPARATION: THE END OF PERSONAL DATA PROCESSING

Currently, the average battery life for an active RFID tag is more than ten years, which may improve over time. This means a long lifespan, but also a natural end to the relationship, though there should still be the potential to terminate the relationship sooner.

Termination by the User

By common standards for fair practices, the individual should be granted the right to terminate the collection and processing of personal data. Ideally, there would be no repercussions for doing so (termination of employment, violation of product warranty, or cessation of any benefit for merely asking for monitoring to cease).

However, it is not always clear-cut. There may be instances in which disabling an RFID tag could (and should) have practical consequences: disabling the tag on a transit pass might be a breach of the carriage contract, disabling the tag on a credit card might void the card, and disabling the tag on an ID card might revoke access to a secure facility. In each of these instances, the act of disabling the tag is a breach of contract, a technical impediment, or even an attempt at fraud.

Termination by the Tag Controller

The "tag controller" (the organization collecting the data) is expected to have an ongoing interest in collecting data, but there may be instances where that interest ends naturally (a product with a limited lifespan) or abruptly (the company goes out of business). There are even instances in which a tag should be disabled to prevent the unintentional collection of private data (disabling an employee's RFID tag when they leave company premises so as not to "accidentally" observe their after-hours behavior).

For personal privacy reasons, the termination of data collection should coincide with the deactivation of the tag. Also, there is an ongoing responsibility for safeguarding the information on the tag: if it is electronically disabled, preventing anyone else from re-enabling it and/or retrieving the data.

There is some suggestion that data collected from a tag should also be purged at the moment the tag is deactivated, but there are certain instances in which the retention of historical data is useful, or even required by law (as a business record).

CONCLUSION

Presently, governments seem to be waiting for RFID technology to reach a level of maturity before implementing legislation, so that the extent of its use and abuse can become established and the need for legal remedies clear. However, it is clear that even in the early stages, there are many areas of serious concern for the preservation of privacy, and the author suggests that regulatory initiatives should be defined to proactively address the issues that may arise.
