RFID and the Public Policy Void

August 18, 2003

Joint Committee on Preparing California for the 21st Century
California Legislature
Senator Debra Bowen, Chair

Testimony by Beth Givens

Privacy Rights Clearinghouse
3100 – 5th Ave., Suite B
San Diego, CA 92103

bgivens@privacyrights.org

www.privacyrights.org

 

Senator Bowen and Committee members, thank you for the opportunity to testify today. The Privacy Rights Clearinghouse is a nonprofit consumer education, research, and advocacy organization based in San Diego, and established in 1992.

The title of my presentation is "RFID and the Public Policy Void." The topics of today’s hearing -- pervasive computing and RFID, or radio frequency identification -- have received scant scrutiny by policymakers to date. Your hearing is a very important first step.

When Steven Spielberg was developing the 2002 movie Minority Report, he consulted a group of Massachusetts Institute of Technology (MIT) scientists, urban planners, inventors, and futurists to construct a society 50 years from now, based on the technology trends of today. The movie, starring Tom Cruise, takes place in the year 2054 in Washington, D.C. It portrays a society nearly devoid of privacy.

The movie’s science and technology advisor John Underkoffler is an MIT graduate with a decade of experience in MIT’s Media Lab. His job was to ensure that the technology infrastructure portrayed in the film is what Spielberg calls "future reality," and not science fiction – to quote Underkoffler, "a recognizable extrapolation of what we have today with technologies that are just emerging." (www.theage.com.au/articles/2003/07/04/1057179149614.html)

In the movie, cameras are everywhere, and people’s eyes are automatically scanned many times during the day by biometric readers located throughout the city in public places and in stores. RFID technology also appears to be part of the technology infrastructure. Billboards, store walls, and shop windows show an ever-changing array of personalized ads depending on who is passing by. Stores greet shoppers by name when they enter.

During one of the chase scenes, as Tom Cruise makes his way through a crowded shopping center, one of the displays tells him that he appears stressed out. "Why not have a Guiness?" it says to him as he passes by.

What Spielberg has accomplished with his team of MIT futurists is a form of technology assessment, that is, a holistic look at the impacts of technology on all of society in the not-so-distant future. It is just this sort of analysis that so far has been missing in the public policy arena regarding the development of RFID.

What an irony it is that what serves as technology assessment today comes to us, not from the public policy realm – at least not so far – but rather from Hollywood.

The process of technology assessment involves an in-depth multi-disciplinary analysis of a technology in order to provide early indications of the probable beneficial as well as adverse impacts. Ideally, the technology assessment process is overseen by a nonpartisan body comprised of representatives of all stakeholders. Likewise, the interests of all stakeholders are examined, including those of consumers. One of the major purposes of technology assessment is to enable legislators, other policymakers, and industry to develop policies in order to minimize societal harms.

At one time, Congress operated an organization that engaged in technology assessment. It established the nonpartisan Office of Technology Assessment (OTA) in 1972 to provide Congressional committees with objective analysis of public policy issues related to scientific and technological change. The definition of technology assessment that I just presented is from the OTA. This agency survived for two decades. At its height it had a staff of 200. (Princeton University maintains the archive of the OTA, www.wws.princeton.edu/~ota.)

The OTA closed its doors in September 1995, tragically just at a time of dramatic advances in many technologies – the Internet, genetics, biometrics, wireless communications, technologies of surveillance, and the beginnings of pervasive computing, sometimes referred to as ubiquitous computing.

And of course, the intervening years have also seen September 11, 2001. In the aftermath of the terrorist attacks, the evolution of these technologies has only accelerated.

If ever there were a technology calling for an in-depth multi-disciplinary holistic analysis involving all stakeholders, it is RFID. Yet this technology has sprung upon the scene with little attempt so far to address its many probable adverse impacts upon society.

We are not talking about a technology that is just emerging from the lab. The MIT AutoID Center, which is coordinating the development of RFID, is a partnership of 100 multinational corporations and five major research universities spanning the globe. (www.autoidcenter.org) The U.S. Department of Defense is one of the Center’s funders.

The trade association for this industry is AIM, short for Automatic Identification Manufacturers. It too is a global operation with RFID affiliates in 14 nations including the U.S., Europe, Asia, and Latin America. (www.aimglobal.org)

The MIT AutoID Center’s consortium is developing the standards and technology components to create what the AutoID Center calls an "Internet of Things." It envisions a "global infrastructure - a layer on top of the Internet - that will make it possible for computers to identify any object anywhere in the world instantly." (www.autoidcenter.org/aboutthecenter.asp, visited August 17, 2003)

It does not take a great deal of reflection to understand the profound privacy and civil liberties implications associated with RFID if indeed all the "things" of the world are uniquely identified and can be located and read at a distance. We human beings interact and surround ourselves with a huge number of objects – our clothes, the furniture and appliances in our home, the consumer electronics we use, the food we buy, our automobiles including the tires and every component inside, even movie tickets, public transportation passes, credit cards, and documents like our driver’s license, passport, and birth certificate.

Massive data bases will not only contain the unique product codes, but also personally identifying information connecting us with the RFID-coded items we buy or otherwise obtain. It is this association of personal identity with the object’s unique identity that will enable both profiling and location tracking.

In fact, objects don’t necessarily have to be matched with personal identifying information to be used for profiling and location tracking. Imagine a political demonstration in which thousands of people participate. As demonstrators mingle, law enforcement officers with hidden readers capture the unique RFID codes on clothing worn by the participants. Later, when participants perhaps pass through checkpoints, or when they board public transportation, or travel by airplane, the codes can be matched and demonstrators can be detained and/or then identified.

Industry literature envisions a world in which the unique Electronic Product Codes as they are called, or EPCs, in RFID tags will be associated with personal identity at the point-of-sale. A Forbes magazine article shows a drawing in which the shelf calls out to a shopper, "honey, you could get those pants [you are wearing] for less in Aisle 7." (Chana R. Schoenberger, "The Internet of Things," Forbes, March 18, 2002, (www.alientechnology.com/news/The_Internet_of_Things.htm, visited Aug. 17, 2003)

What should the public policy response be for RFID?

First, RFID must be subject to a formal technology assessment process, one that is not sponsored by industry but rather by a nonpartisan entity, perhaps similar to the model established by the now defunct Congressional Office of Technology Assessment. All stakeholders must be represented, including consumers. A variation on this theme is the privacy impact assessment.

Second, the technology and its implementation must be guided by a strong set of Fair Information Principles. There are several variations on this theme, ranging from the Federal Trade Commission’s five-part approach to the eight-part Privacy Guidelines of the Organization of Economic Cooperation and Development (OECD), and to Canada’s ten-part policy recently codified into law.

The FTC’s principles are notice, choice, access, security, and enforcement. This in my opinion is a watered down approach that omits several critical principles, key among them being accountability. Other vital privacy principles found in the OECD document that should guide the development of RFID are:

• Collection limitation
• Purpose specification
• Individual participation.

These are vital because of the invisibility of RFID tags as well as the potential for the tags to be read without the knowledge or consent of the individual.

Attached to this presentation and available on our web site are the texts of the OECD and Canadian principles. (www.privacyrights.org)

I recommend the following 7-point approach, based on the Fair Information Principles. In these points, I am expanding upon guidelines found in:

• "The RFID Right to Know Act of 2003," proposed by CASPIAN’s Katherine Albrecht and developed by Zoe Davidson of Boston University Legislative Clinic. www.nocards.org/#Legislation.
   
• "An RFID Bill of Rights," by technology writer and MIT Ph.D. student Simson Garfinkel. www.technologyreview.com/articles/print_version/garfinkel1002.asp.
   
• "Guiding Principles" drafted by the AutoID Center as posted on the Alien Technology web site. www.alientechnology.com/product/rfid_privacy.html.

1. Individuals have a right to know that products contain RFID tags. Labeling must be clearly displayed and easily understood. (Garfinkel, Caspian, AutoID)
2. Individuals also must know when, where, and why RFID tags are being read. There should be no tag-reading in secret. (Garfinkel)
3. Individuals have the right to have RFID tags removed or permanently deactivated (disabled) when they purchase products or otherwise obtain items containing RFID tags. (Garfinkel and AutoID, with the following guidelines by the PRC)

• Merchants must be prohibited from coercing customers into keeping the tags "live" on the product. For example, merchants cannot tell customers that in order to return the item, the RFID tag must not be disabled.
• The default option – whether to disable a tag or keep it "live" – must be to disable it. In situations where the individual’s preference is not known, the system must always disable the tag.
• Tags, once disabled, cannot be reactivated without the explicit consent of the individual associated with the tagged item. There can be no "back-door" means to reactivate tags once they have been permanently disabled.

1. Individuals have the right to own and use inexpensive readers so they can both detect tags and permanently disable them. (PRC)

5. The individual has the right to access an RFID’s stored data pertaining to him or her. (Garfinkel)
6. To those I would add number 6, the requirement of "security and integrity in transmission, databases, and system access." (AutoID)
7. In addition I would add a 7th point: An accountability mechanism must be established with the implementation of RFID. Industry processes and operations must be transparent. (AutoID) And individuals must know who they can contact in order to access data pertaining to them.

There must be entities in both industry and government where individuals can complain when they have been harmed by uses of the technology and when the guidelines have not been complied with, whether or not there is harm.This involves the development of mechanisms for redress of grievances both within the entity that has adopted RFID, for example the retailer industry, as well as within the government oversight body(ies) that enforces the privacy principles. There must be sanctions for entities that do not comply with these principles.
Some have recommended that such guidelines be voluntary and that the marketplace be allowed to ensure that these principles are adhered to. I have not yet seen any situation in which self-regulation has worked. Given RFID’s probable adverse impacts on privacy and civil liberties, I believe such guidelines must be codified in law.

Policymakers are going to have to grapple with the potential for law enforcement uses of RFID. This matter is beyond the scope of my presentation. Nonetheless, I believe the potential for 4th Amendment violations is very real.

We cannot turn back the clock on RFID. But many of the harmful effects envisioned for the pervasive implementation of this technology could be avoided if RFID were restricted to supply chain management and inventory control, if tags were "killed" at point-of-sale, and if personal identifying data were never linked to RFID tags.

If and when RFID is applied beyond the point-of-sale terminal, the Electronic Frontier Foundation (EFF) recommends that businesses use smarter privacy-protective RFID technology than is in use today in such devices as toll road EZ Pass systems and ExxonMobil's SpeedPass. Smarter RFIDs can contain secure access control technology which can give individuals more control over how the data is used. (www.eff.org)

Dan Moniz, staff technologist of the EFF, is here today and can speak to this issue in more detail.

For a more technical discussion of such security and privacy issues, read:

• Sanjay E. Sarma, Stephen A. Weis, and Daniel W. Engels, "Radio-Frequency Identification: Security Risks and Challenges," in RSA Laboratories Cryptobytes, Vol. 6:1, Spring 2003. www.rsasecurity.com/rsalabs/cryptobytes/CryptoBytes_March_2003_lowres.pdf.
   
• "Radio Frequency Identification, RFID: A Basic Primer," AIM, the Association of the Automatic Identification and Data Capture Industry, Aug. 23, 2001. www.aimglobal.org/technologies/rfid/resources/papers/rfid_basics_primer.htm.

Public policymakers should not wait for a crisis involving RFID before exerting oversight. This technology embodies all the features to enable the development of the kind of total surveillance infrastructure portrayed in Spielberg’s Minority Report.

To keep his vision of the year 2054 from evolving, and to summarize, I recommend (1) that RFID undergo a formal technology assessment process involving all stakeholders including consumers, (2) that the development of this technology be guided by a strong set of Fair Information Principles codified in law, and (3) that meaningful consumer control be built into the implementation of RFID.

Again, thank you for the opportunity to testify today, and for convening this hearing.

 

Appendix A

Privacy Guidelines
Organization of Economic Cooperation and Development, 1980, www.oecd.org

Openness. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data quality principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose specification. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use limitation principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: (a) with the consent of the data subject; or (b) by the authority of law.

Security safeguards principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

Openness principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity about usual residence of the data controller.

Individual participation principle. An individual should have the right:

• (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
   
• (b) to have communicated to him, data relating to him (1) within a reasonable time; (2) at a charge, if any, that is not excessive; (3) in a reasonable manner; and (4) in a form that is readily intelligible to him;
   
• (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
   
• (d) to challenge data relating to him and, if the challenge is successful, to have the data erased; rectified, completed or amended.

Accountability principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.

[From "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data," OECD, 1980, www.oecd.org.]

 

Appendix B

Fair Information Principles
Canadian Standards Association, 1995, http://strategis.ic.gc.ca/SSG/ca01308e.html

Accountability. An organization is responsible for personal information under its control and shall designate a person who is accountable for the organization's compliance with the following principles.

Identifying purposes. The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Consent. The knowledge and consent of the individual are required for the collection, use or disclosure of personal information except where inappropriate.

Limiting collection. The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Limiting use, disclosure and retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Accuracy. Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Safeguards. Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Openness. An organization shall make readily available to individuals specific information about its policies and practices relating to its handling of personal information.

Individual access. Upon request, an individual shall be informed of the existence, use and disclosure of personal information about the individual and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Challenging compliance. An individual shall be able to challenge compliance with the above principles with the person who is accountable within the organization.

Appendix C

Fair Information Principles
Federal Trade Commission
For a discussion of the five-part FTC fair information practices, see  http://www.ftc.gov/reports/privacy3/fairinfo.htm