Privacy a hot topic as RFID tagging grows in use
- — 21 September, 2007 10:40
Privacy concerns over RFID tagging are reaching new heights, with US state legislators introducing and increasingly passing new measures to restrict their use, while employers face a barrage of concern from workers over RFID-embedded identity badges.
Those worries were aired by speakers and attendees at RFID World: Boston even as some RFID technology defenders worried that they haven't done enough to promote the value of RFID in tracking tainted foods or counterfeit drugs and of reducing the cost of tracking inventory.
To indicate how extreme the national RFID hysteria has become, one speaker said privacy advocate Katherine Albrecht had urged consumers to microwave new underwear to disable any RFID tag and prevent someone from tracking your whereabouts. However, a check of Albrecht's website revealed the opposite -- the site actually urges users not to do so, because it could cause a fire.
"[RFID and privacy] are taken very seriously in state governments across the US," said Ben Aderson, manager and counsel for technology policy and state government affairs at the American Electronics Association, an industry trade group. Unfortunately, most legislators don't know RFID technology well, he added.
Aderson said 50 bills involving limits on RFID were introduced in 19 states in 2007, and three of them became law, the largest number of the past four years. "Nothing catastrophic has passed to completely ban RFID in a state," he said, adding that activity at the federal level has not been as extensive, he said.
The biggest action in states is for bills to ban implantation of RFID chips in people without their consent, and seven states have taken up measures, with Wisconsin and Idaho passing them, Aderson said. However, he said the laws are unnecessary, since implanting anything in a person would be akin to hitting someone in the face, punishable under laws of battery.
Other measures restrict governments from tracking people's movements or with linking RFID data with personal information, he said. Still others, such as one in California, require notifying consumers that a product has a tag, done either on an article of clothing or with a sign in a store.
"A concern of ours is that people don't realise how predominant RFID chips already are, and this [legislation] would include mobile phones [equipped with RFID-type chips]", Aderson said.
Aderson agreed with one questioner who said the industry had not established in the public's mind why RFID chips were necessary to preempt the privacy concerns. "[The industry] has to create knowledge of the value of RFID," Aderson said. "That's a key element, to emphasise what is out there that consumers benefit from." In addition, Aderson said legislators need to be educated about the values of the technology.
Among some positive examples of RFID usage is Michigan, where cattle must be tagged with RFID, so that if an outbreak of mad cow disease occurred, the source could be easier to locate, Aderson said. In Florida, fish and wildlife officials are requiring owners of exotic pets, such as snakes, to tag the animals in case they are lost or escape.
While Aderson generally opposed restrictive legislation as unneeded, a speaker from the Cato Institute in Washington urged a dialogue between RFID opponents and advocates. The speaker, Jim Harper, director of information policy studies at the think tank, also said the RFID industry should cooperate and agree to oppose the use of RFID in areas that identify individuals, their locations and backgrounds.
"Let's not do human identity stuff, and collectively say that's a bad idea, and that doing so will provide the rest of the industry protection [from attacks by privacy advocates]", Harper said. "Great things are coming from RFID, but we want it done right to protect privacy."
Harper said he is concerned that Washington state was considering inserting long-range RFID tags into driver's licenses to enable them to be a kind of border-crossing permit for drivers entering and returning from Canada.
"That's quite concerning," Harper said. "If you have long-range RFID to communicate license information, that's an identifier. And in 50 years that could be misused. It's not the panacea as a lot of people think it is. Stand down everybody; let's not push."
By comparison, Harper noted the US State Department went a long way toward creating the e-passport with an RFID chip, but decided to add encryption and other protections that still required a customs official to slide the passport through a visual scanner, "which did nothing to speed up the process".
Further, third-party tracking was a "distinct problem" for RFID, he said, noting that security analysts have worried that a terrorist group could place an RFID reader somewhere outside an embassy, and find a diplomat carrying something in his briefcase that has an RFID tag.
"That leaves the opportunity to set up an explosive device, really anywhere in an airport, that explodes after the [terrorist] is gone for three to four months if the RFID system is not well designed," Harper said. "Think about the misuses that would be made of that, and that's the kind of thinking you get from privacy advocates, who exaggerate to make a case."
Lee Tien, senior staff attorney for the Electronic Frontier Foundation in Washington, gave a separate presentation, noting that there had been at least eight news reports of hacks or spoofs of RFID-tagged identity cards in recent months. Part of the problem with RFID tags is that they are often promiscuous and will respond to any compatible reader, he said.
"Our concern has to do with wedding this technology with information about people," Tien said. Noting he has a daughter learning to drive, he said, "the last thing I want is for that driver's license card to have information capable of being skimmed for her name, address and photograph."
Other speakers said they have encountered strong opposition from employees over RFID chips installed in identity badges. At Boston's Beth Israel Deaconess Medical Center, attempts to add RFID to emergency staff's badges were abandoned about a year ago because of worries that managers would be trying to find workers on breaks who might be smoking or at the far reaches of the hospital, said John Halamka, the center's CIO.
"The staff reaction was, 'Oh my God, Dick Cheney just wants to watch me,' " Halamka said. While the identity cards do not have RFID, Halamka has installed the chips on expensive medical equipment to track it, he said, reducing the staff time needed to find the devices.
At Boeing Integrated Defense Systems, Steven Georgevitch noted that 150,000 employees in 70 countries have RFID-embedded badges that are needed for access to buildings. But imposing the radio technology has not been easy, he said. The experience should serve as a lesson to other companies that IT managers need to work closely with employees to explain the purpose of the technology and to hear the workers' concerns.
RFID in badges is a "really, really" big concern, said Georgevitch, senior manager of supply chain technology at Boeing. "Employees will always ask: 'will they track me in the bathroom?'"
In one case, Georgevitch recalled, RFID information from badges was not being broadcast from one reader device in one location at 6pm daily as it was supposed to. Boeing staff tried to track what happened by installing a video camera near the reader. IT employees discovered that every day a worker was leaving the building, unplugging the reader, then plugging it in again on his return.
When confronted, the worker said he unplugged the machine because he was leaving to use the bathroom and was concerned someone would track his location. "Somebody would laugh at me," the worker said, according to Georgevitch.
As a result, Georgevitch urged IT groups to test RFID with small groups of workers, and to talk with people to find out their concerns. "Most IT people never want to talk to workers, but I say go test this so people feel comfortable," he said.