The emerging RFID industry is not producing Orwellian and Kafkaesque chips. At least, not yet. But privacy advocates are already sounding loud and urgent alarms about the potential abuses of RFID technology.
At the consumer end, RFID technology has already touched off consumer backlashes. In 2005, Gillette Co. conducted a test at a store in Cambridge, U.K. that tracked and photographed shoppers taking RFID-tagged safety razors off the shelf to see if the technology could be used to deter shoplifting. The pilot resulted in protests and a consumer boycott that is still in effect today.
On the government front, proposed uses of RFID for human tracking have also generated storms of protest. In 2005, the U.S. State Department proposed using RFID chips containing personal information in passports to allow it to identify the holders.
The agency was bombarded with 2,400 negative comments from security professionals criticizing its proposal. A key concern was the use of active RFID chips, which emit a constant signal that can potentially be read by criminals covertly scanning passport holders at airports. The agency has since announced it will proceed with a revised plan using passive RFID chips, which emit no signal until they are activated by a reader at close range. As of October 2006, all U.S. passports will contain RFID chips.
Controversy revolves around the potential uses and abuses of RFID for human tracking, as distinct from the way the technology is actually used currently. Human RFID is being used in a very limited and voluntary way today, according to John Procter, spokesperson for VeriChip Corp., a vendor based in Delray Beach, Fla.
“VeriChip is the only company that offers FDA-approved, human implantable RFID. We’re the only ones on the block,” he says. The company offers a variety of systems that represent the state of the art today in human RFID.
A core product is a system called VeriMed for people with medical conditions. A tiny, passive RFID chip about the size of a grain of rice containing a 16-digit code that links to a medical file is injected into the recipient’s arm. In a medical crisis, emergency staff can read and obtain the code that gives them access to the person’s file. “VeriMed is a voluntary medical device offered to those who choose to adopt it. This system is not used for tracking – it is strictly for identification, and that’s an important distinction,” says Procter.
The company also offers an infant protection system called Hugs to prevent abductions. In this system, the baby is tagged at birth with an ankle bracelet containing an active RFID chip that can communicate with the hospital’s network of RFID readers located in the maternity ward and other locations. If the baby is taken beyond permissible locations, an alert is immediately sent to notify hospital staff.
At present, the Hugs bracelet contains no capabilities that would allow authorities to track an abductor holding the baby, nor are there plans to add that, says Procter. “The system does not track the baby’s movements. All the system can tell is if the RFID chip crossed an unauthorized threshold at a point in time or on a particular floor.”
For access control, VeriChip offers an application called VeriGuard. As in VeriMed, a tiny, passive RFID chip containing a 16-digit code is injected into an employee’s arm, which is in turn linked to specialty software that contains a database of authorized users. The system is designed to replace cards, keys and other access control items or devices. “Since it’s implanted, the level of identification is higher, as employees can’t lose, borrow or steal the chip,” says Procter. If an employee leaves the company, the ID number is removed from the access list, but the chip is not removed from the employee’s arm, he says. “It can be used for other medical identification purposes.”
Although VeriChip’s products appear to have limited capability today and the company claims participation is entirely voluntary, it is not difficult to imagine the issues that may arise in the future. What’s to stop vendors from combining RFID with GPS or other technology for long-range identification and tracking? Will an employee who refuses to have an access control chip implanted be coerced or fired? Should a parent who wants to tag and track a troublesome teenager be allowed to do so?
“Many technology cheerleaders are naive and short-sighted about the way technology is, can or will be used,” says Philippa Lawson, executive director at the Canadian Internet Policy & Public Interest Clinic (CIPPIC). “People have not thought through the societal implications of RFID. Is this the direction we want to be heading, giving the capability to third parties to engage in ubiquitous and surreptitious surveillance?”
Lawson sees potential problems even in scenarios where people give their consent in return for some benefit, such as cheaper product rates. “I have an issue because it’s been my experience – and I’ve been studying the issue of voluntary consent in privacy-related practice for many years – what is purportedly voluntary in the vast majority of cases is not fully informed consent,” she says.
The fundamental guiding principle should be: What uses of RFID are so beneficial that the benefits outweigh the privacy concerns? There is value in preventing infant abductions, providing emergency medical information, and so on. But privacy is also valuable.
“We need to get beyond kneejerk reactions on both sides and articulate the pros and cons,” says Lawson. “No one wants to jump out and regulate technology or industries prematurely. But we also don’t want to get into situations where whole industries are built around a technology we later find is unacceptable. We need principles to guide the development of RFID technology today.”
Canadian business needs guidance in this area, agrees Murray Long, an Ottawa-based privacy consultant and publisher of PrivacyScan, an information service providing updates about Canada’s privacy laws. The Privacy Commissioner of Canada recently issued a fact sheet on RFID, he says, emphasizing business must obey the 10 fundamental principles of fair information practices developed by the Canadian Standards Association (CSA). “It is a good start but it leaves a lot of ambiguity. There is no clarity when you get down to things like whether RFID should be deactivated at the point of sale.”
This is a contentious point for consumer goods tagged with RFID at the product level. Most experts agree there are no privacy issues if retailers track information without personal identifiers. “To the extent that stores monitor how many coats and sweaters were purchased from this shelf versus another, we don’t have a concern with that,” he says. “My basic view is that if companies don’t track items on an individual level, then it’s not personal information and therefore not subject to privacy laws, unless it is done in such a way that the person can be re-identified later.”
Long says he is looking to the federal Privacy Commission to develop a set of guidelines in consultation with industry. “Given the huge financial outlays needed to move RFID to the next level beyond case and pallet, the business community would probably welcome a chance to have meaningful consultation,” he says.