RFID privacy abuse warning
p2pnet.net News:- Many of America’s largest federal agencies are already using RFID, or plan to, says a new Government Accountability Office (GAO) report.
But of the 16 agencies that responded to the question on legal issues associated with RFID (Radio Frequency Identification) implementation, “only one identified what it considered to be legal issues,” says the GAO. And these, "relate to protecting an individual’s right to privacy and tracking sensitive documents and evidence," it states.
Among key privacy issues were, “notifying individuals of the existence or use of the technology; tracking an individual’s movements; profiling an individual’s habits, tastes, or predilections; and allowing secondary uses of information”.
The study gives examples of RFID tag types, the simplest being a passive tag that responds to the reader’s radio frequency emissions and gets its power from the energy waves transmitted by the reader.

“A passive tag contains, at a minimum, a unique identifier for the individual item attached to the tag. Depending on the storage capacity of the tag, additional data can be added,” says the GAO. “Under perfect conditions, the tags can be read from a range of about 10 to 20 feet. The cost of passive tags ranges from 20 cents to several dollars. Costs vary based on the radio frequency used, amount of memory, design of the antenna, and packaging around the transponder, among other tag requirements. Passive tags can operate at low, high, ultrahigh, or microwave frequency (described in the next section). Examples of passive tag applications include mass transit passes, building access badges, and consumer products in the supply chain. The development of these inexpensive tags has created a revolution in RFID adoption and made widescale use of them a real possibility for government and industry organizations.
“Semipassive tags also do not initiate communication with the reader but contain batteries that allow the tag to perform other functions, such as monitoring environmental conditions and powering the tag’s internal electronics. These tags do not actively transmit a signal to the reader. Some semipassive tags remain dormant (which conserves battery life) until they receive a signal from the reader. The battery is also used to facilitate information storage. Semipassive tags can be connected to sensors to store information for container security devices.
“Active tags contain a power source and a transmitter, in addition to the antenna and chip, and send a continuous signal. These tags typically have read/write capabilities - tag data can be rewritten and/or modified. Active tags can initiate communication and communicate over longer distances - up to 750 feet, depending on the battery power. The relative expense of these tags makes them an option for use only where their high cost can be justified. Active tags are more expensive than passive, costing about $20 or more per tag. Examples of active tag applications are toll passes, such as “E-Z pass,” and the in-transit visibility applications on major items and consolidated cargo moved by DOD.”
In Privacy Issues Surrounding RFID Use, “The extent and nature of the privacy issues related to the federal and commercial use depends on the specific proposed use,” says the GAO.
“For example, using the technology for generic inventory control would not likely generate substantial privacy concerns. However, the use of RFIDs by the federal government to track the movement of individuals traveling within the United States could generate concern by the affected parties. Privacy issues associated with RFID implementation include notifying individuals of the existence or use of the technology; tracking an individual’s movements; profiling an individual’s habits, tastes, or predilections; and allowing for secondary uses of information."
And the GAO report lists issues of concern:
• Notification: Individuals may not be aware that the technology is being used unless they are informed that the devices are in use. Therefore, unless they are notified, consumers may not be aware that the RFID tags are attached to or embedded in items they are browsing or purchasing or that the items purchased are being scanned.
• Tracking: Tracking is real-time, or near-real-time, surveillance in which a person’s movements are followed through RFID scanning. Media reports have described concerns about ways in which anonymity is likely to be undermined by surveillance. As previously reported, many civil liberties groups are concerned about the application of this technology to track individuals’ movements, such as in a public school setting, and the resulting loss of anonymity in public places. Additionally, periodic public surveys have revealed a distinct unease with the potential ability of the federal government to monitor individuals’ movements and transactions. Three agencies also indicated that employing the technology would allow for the tracking of employees’ movements.
• Profiling: Profiling is the reconstruction of a person’s movements or transactions over a specific period of time, usually to ascertain something about the individual’s habits, tastes, or predilections. Because tags can contain unique identifiers, once a tagged item is associated with a particular individual, personally identifiable information can be obtained and then aggregated to develop a profile of the individual. As previously reported, profiling for race, ethnicity, or national origin has caused public debate in recent years. Both tracking and profiling can compromise an individual’s privacy and anonymity.
• Secondary uses: In addition to issues about the planned uses of such information, there is also concern surrounding the possibility that organizations could develop secondary uses for the information; that is, information collected for one purpose tends over time to be used for other purposes as well. This has been referred to as “mission-” or “function-creep.” The history of the Social Security number, for example, gives ample evidence of how an identifier developed for one specific use has become a mainstay of identification for many other purposes, governmental and nongovernmental. Secondary uses of the Social Security number have been a matter not of technical controls but rather of changing policy and administrative priorities.
"The widespread adoption of the technology can contribute to the increased occurrence of these privacy issues," the GAO continues.
"As previously mentioned, tags can be read by any compatible reader. If readers and tags become ubiquitous, tagged items carried by an individual can be scanned unbeknownst to that individual. Further, the increased presence of readers can provide more opportunities for data to be collected and aggregated. As the uses of technology proliferate, consumers have raised concerns about whether certain collected data might reveal personal information such as medical predispositions or personal health histories and that the use of this information could result in denial of insurance coverage or employment to the individual. For example, the use of RFID technology to track over-the-counter or prescription medicines has generated substantial controversy.
"Additionally, three agencies raised the issue of protecting personal data, such as date of birth and biometrics, contained on the tag as well as the associated database that stores this information."
Go here for a .pdf of the full report. We’ve also saved one here for future reference.