• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
RFID and Privacy
 

RFID and Privacy

on

  • 1,073 views

 

Statistics

Views

Total Views
1,073
Views on SlideShare
1,073
Embed Views
0

Actions

Likes
0
Downloads
10
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft Word

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    RFID and Privacy RFID and Privacy Document Transcript

    • Assignment #4 – SIMS 205, Spring 2005 1 Mike Wooldridge (mikew@sims.berkeley.edu) In March 2005, the Federal Trade Commission (FTC) published Radio Frequency IDentification: Applications and Implications for Consumers, a report investigating the current state of radio frequency identification (RFID) technology and the potential risks it poses to personal privacy. The report came out of a workshop that brought together “technologists, RFID proponents, privacy advocates, and policymakers” to discuss the future of the technology.1 With RFID, consumer items (and even consumers themselves) are tagged with tiny computer chips attached to antennas. An RFID reader is used to access the chip’s digital information, which can uniquely identify a tagged item. Today, RFID is commonly used to keep track of inventory as it moves through the supply chain, from manufacturer to supplier to retailer.2 The FTC report does a decent job of addressing the basic privacy issues that surround the tagging of retail goods when those goods are monitored only up to the point of purchase. Where the report is less informative is in cases where RFID can be used to match specific items to the consumer or where consumers themselves are tracked. As a result, the report is not as complete as it could be in assessing all the risks RFID poses to privacy. Consumer Privacy Challenges The FTC report identifies four consumer privacy challenges related to RFID. The first has to do with the inconspicuous nature of RFID technology. The smallest RFID tags are paper-thin and have a height and width of a fraction of a millimeter.3 RFID readers can be 1 Federal Trade Commission, Radio Frequency IDentification: Applications and Implications for Consumers (March 2005) at 2. 2 Id. at 8. 3 RSA Security, “A Primer on RFID” (available at http://www.rsasecurity.com/rsalabs/node.asp?id=2116)
    • Assignment #4 – SIMS 205, Spring 2005 2 Mike Wooldridge (mikew@sims.berkeley.edu) smaller than a dime.4 Unlike bar-code technology, line-of-sight is not required for tags to be read.5 Given these characteristics, consumers may not always know they are carrying RFID tags or that someone else is reading information from the tags. A second challenge involves the fact that an RFID tag can identify an item uniquely.6 A bar code, in contrast, identifies an item as a particular type of product but doesn’t distinguish it from identical products on the store shelf. This means that when a customer walks out of a store with a pair of RFID-tagged shoes, the tag (if not removed or disabled) could forever identify those shoes as being a particular brand from a particular store purchased for a particular price. The third challenge has to do with RFID enabling specific customer profiling, since businesses can use RFID tags to link customers to the items that they buy or place in their shopping cart.7 This could allow businesses to target customers with custom advertisements as they walk through a store. You and your items could also be tracked after you’ve bought them, as you carry your shopping bag into another section of a department store or to a different store owned by the same conglomerate (for instance, if you leave The Gap and go to Old Navy). The fourth challenge concerns the pooling of RFID information to build even more extensive profiles on people. Imagine Safeway inking a partnership agreement with Toys ‘R’ Us and the two companies combining their RFID data to identify both the brands of cereal and brands of 4 Jonathan Collins, “Reader Size Dips Below a Dime,” RFID Journal, June 9, 2004 (available at http://www.rfidjournal.com/article/articleview/980/1/1/). 5 Federal Trade Commission, Radio Frequency IDentification: Applications and Implications for Consumers (March 2005) at 4. 6 Id. at 13. 7 Id. at 14.
    • Assignment #4 – SIMS 205, Spring 2005 3 Mike Wooldridge (mikew@sims.berkeley.edu) toys that certain customers buy. The more RFID data a company can aggregate from different sources, the more it can predict customer preferences. To these four privacy challenges, I would add a fifth, one that customers may soon face if they don’t want to be subject to RFID tracking. If RFID-tag producers meet their goals,8 the technology may become so inexpensive that it makes business sense to tag all products that cost more than a few dollars. Will there be alternatives for people who don’t want to have their buying habits monitored? And what about visitors to amusement parks, ski resorts, and other venues who don’t want to wear the RFID-enabled wristbands that are becoming more commonplace? While the FTC considers the concept of “choice” when discussing a customer’s ability to remove an RFID tag after purchase, it doesn’t consider that the ubiquity of RFIDs in the marketplace may make the choice of opting out of monitoring impossible. The Case for Addressing Privacy While the FTC report acknowledges that RFID poses significant privacy challenges, the RFID examples it offers weaken the case for addressing the challenges. Essentially, the report includes examples that industry would like the public to hear about. One example is Wal-Mart, which uses RFID to monitor inventory on store shelves but not to “collect additional data about [its] customers or their purchases.”9 Another is Procter & Gamble, which released a statement describing its commitment to customer notice with regard to RFID and its decision not to participate in item-level tagging that goes beyond what is 8 Beth Stackpole, “RFID Finds Its Place,” Electronic Business Online, June 15, 2003 (available at http://www.acm.org/technews/articles/2003-5/0709w.html). 9 Federal Trade Commission, Radio Frequency IDentification: Applications and Implications for Consumers (March 2005) at 34.
    • Assignment #4 – SIMS 205, Spring 2005 4 Mike Wooldridge (mikew@sims.berkeley.edu) currently done with bar codes.10 A final example is U.K. retailer Marks & Spencer, which includes RFID-based “Intelligent Labels” on clothing but doesn’t scan the tag at checkout or match the item to its purchaser.11 Because these companies are doing nothing innovative in terms of using RFID to collect information about people, these examples imply that there is nothing the public needs to worry about. To be balanced, the report should have mentioned examples where RFID has more important implications for privacy. InCom Corporation,12 which develops RFID solutions for education, rolled out a pilot program at a school in Sutter, California, that used RFID readers to take attendance automatically. The program was dismantled when parents and privacy advocates protested that others could potentially read the school-issued RFID badges to track students’ activities outside of class.13 The report also downplays the case for addressing privacy—and undercuts its own legitimacy —by including pro-industry arguments that don’t jive with common sense. For instance, in response to consumer fears about item-level tagging, a workshop participant states that “RFID was not being used in this manner now and would not be in the near future.”14 This seems like a faulty assumption considering that item-level tagging is a key attribute of RFID that sets it apart from bar codes. Why wouldn’t companies somehow leverage that feature to better understand their customers? 10 Id. at 18. 11 Ibid. 12 InCom Corporation, “InClass” (available at http://www.incomcorporation.com/product1.htm) 13 Greg Lucas, “Students kept under surveillance at school,” SFGate.com, February 10, 2005 (available at http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/02/10/BAGG0B8I4D1.DTL). 14 Federal Trade Commission, Radio Frequency IDentification: Applications and Implications for Consumers (March 2005) at 15.
    • Assignment #4 – SIMS 205, Spring 2005 5 Mike Wooldridge (mikew@sims.berkeley.edu) Another participant claims that risks of privacy breaches are minimal when technological limitations are considered. Snoopers will need large antennas and enormous amounts of energy to surreptitiously read RFID information.15 We need only consider the effect of Moore’s law on computers or the increasing miniaturization in the area of wireless technology to see the problem with this argument. Claiming our privacy will be protected by lack of innovation seems naïve, if not downright disingenuous. Approaches to Addressing Privacy Industry Self-Regulation In examining the potential for self-regulation by industry, the report looks at the guidelines put out by EPCglobal,16 a leading RFID standards organization. The first industry guideline involves using labels to notify consumers that products include RFID technology. EPCglobal has developed a label that businesses can affix to their products explaining that an RFID tag is present and how to remove the tag after purchase.17 The notice requirement is important given the inconspicuous nature of RFID technology. It is also a first step in empowering customers to make informed decisions about whether they are comfortable buying tagged products. A disadvantage is that a label developed by industry might not be noticeable enough. For instance, the attractive “EPC” logo18 that marks an item as carrying RFID could be misconstrued as a marketing gimmick—similar to the “Intel Inside” label19—rather than a privacy warning. 15 Ibid. 16 EPGglobal, “Home Page” (available at http://www.epcglobalinc.com). 17 EPGglobal, “EPCglobal Consumer Information” (available at http://www.epcglobalinc.com/consumer/). 18 Ibid. 19 Intel.com, “Intel Inside Program” (available at http://www.intel.com/pressroom/intel_inside.htm).
    • Assignment #4 – SIMS 205, Spring 2005 6 Mike Wooldridge (mikew@sims.berkeley.edu) The second industry guideline involves enabling customers to remove RFID tags from the products they purchase. This gives the consumer more control in the transaction, at least after checkout. Of course, the “choice” offered by retailers probably wouldn’t extend to customers who don’t want to be tracked via RFID while shopping in the store prior to making a purchase. And, as mentioned previously, choice may also be irrelevant in the case of RFID applications where it is the customer being monitored, such as at ski areas or amusement parks. The third industry guideline advocates education and recommends that companies communicate how RFID tags work and how RFID technology benefits the customer.20 However, the best “education” comes from knowing all sides of an issue, and I’m skeptical that educational material produced by industry would include a thorough and objective discussion of privacy risks. The last industry guideline involves companies publishing details about how they retain, use, and protect the information they collect from customers via RFID.21 This could be quite valuable, since customers can make their best choices about giving away their personal information if they know exactly how that information will be used. Such notice would be effective if it was communicated in an up-front manner. It would be less effective if buried in a licensing agreement or in the fine print on a receipt. 20 Federal Trade Commission, Radio Frequency IDentification: Applications and Implications for Consumers (March 2005) at 23. 21 Id. at 17.
    • Assignment #4 – SIMS 205, Spring 2005 7 Mike Wooldridge (mikew@sims.berkeley.edu) Government Regulation The report also looks at the possibility of the government’s regulating the use of RFID technologies. One option would be for the government to maintain a set of business guidelines, similar to the ones just mentioned under industry self-regulation. Having a government agency handle RFID guidelines could help put consumer interests before those of industry. The report also mentions the possibility of using existing international guidelines for regulating RFID in the U.S. As we saw in the European Community Directive on Data Protection,22 foreign laws regarding consumer privacy may be stricter than those in the U.S. While adopting a common set of international RFID rules would be advantageous in terms of compatibility across borders, imposing rules that are too stringent could keep many beneficial RFID products from making it to the market. Another regulatory option includes requiring that consumers give consent before their personal information is gathered by RFID or having third-party auditors assess the security of RFID systems.23 These are good ideas, in theory. But given the expected widespread adoption of RFID, requiring consent before every transaction or managing audits for tens of thousands of businesses would put a significant burden on the customer and business. Technological Measures The report also discusses the strategy of using other technologies to address privacy issues raised by RFID. 22 European Community Directive on Data Protection (October 24, 1995). 23 Federal Trade Commission, Radio Frequency IDentification: Applications and Implications for Consumers (March 2005) at 20.
    • Assignment #4 – SIMS 205, Spring 2005 8 Mike Wooldridge (mikew@sims.berkeley.edu) A concern voiced by the Electronic Frontier Foundation is the lack of security present in many RFID applications, including proposed RFID enhancements for U.S. passports.24 New security options appear to be emerging. RFID systems that meet the new EPCglobal UHF Generation 2 standard, ratified earlier this year, will feature “advanced encryption technology, password protection and authentication.”25 Coming up with a single standard that could be applied to most, if not all, RFID applications would be an efficient way to keep the information on RFID tags from prying eyes. Disadvantages of encryption could include increased costs and incompatibility across systems if there are multiple standards. Other ways that technology could help ensure privacy are in the form of “blockers” that consumers could place over RFID tags and “kill switches” that consumers could use to deactivate RFID tags after purchase. A business could offer price incentives to users who leave their RFIDs readable if post-purchase information is important to it. However, there might be significant costs associated with manufacturing blockers (they would need to be at least as cheap as the RFID tags they block) as well as maintaining kill switches at the checkout aisles. Next Steps for the Commission I agree with the FTC’s recommendation that a key goal in crafting a successful RFID strategy is fostering transparency.26 Consumers need to know where RFID tags are used and what information businesses collect about them. 24 EFF.org, “RFID Policy: What Does Congress Need to Know” (available at http://www.eff.org/Privacy/Surveillance/RFID/RFID_one_pager.pdf). 25 EPCglobal, “Fact Sheet: EPCglobal UHF Generation 2 Standard” (available at http://www.epcglobalinc.org/news/FINAL_Gen2_Ratification_Fact_Sheet.doc). 26 Federal Trade Commission, Radio Frequency IDentification: Applications and Implications for Consumers (March 2005) at 2.
    • Assignment #4 – SIMS 205, Spring 2005 9 Mike Wooldridge (mikew@sims.berkeley.edu) To this end, the FTC should develop a standardized label that could be placed on or near RFID-tagged products. A clear and obvious labeling system help fulfill the FTC’s goal of transparency without placing undue limits on what companies can achieve with RFID. While EPCglobal’s labeling is a good starting point for how labels should be implemented, I don’t feel that an industry-funded organization has the objectivity to create a system that adequately informs consumers of privacy risks. The FTC’s label (I’ve created a prototype of what it might look like at right) would let customers know (1) that RFID technology is being used, (2) how it is being used and whether it can be removed, and (3) where to find more information. The RFID labels should take their inspiration from other widespread labeling standards developed by the U.S. government, such as the Surgeon General’s tobacco labels27 and the FDA’s nutrition labels.28 A high-profile labeling system could have the secondary effect of jump-starting the development of privacy-enhancing technology (such as blockers and kill switches). If consumers are uncomfortable buying products with RFID, the labeling will bear this out and industry can take steps to address their concerns. (I’m imagining radio-frequency-blocking 27 CDC.gov, “Warning Label Fact Sheet” (available at http://www.cdc.gov/tobacco/sgr/sgr_2000/factsheets/factsheet_labels.htm). 28 FDA.gov, “How to Understand and Use the Nutrition Facts Label” (available at http://www.cfsan.fda.gov/~dms/foodlab.html).
    • Assignment #4 – SIMS 205, Spring 2005 10 Mike Wooldridge (mikew@sims.berkeley.edu) handbags and mobile phones that sense RFID readers.) If consumers don’t mind RFID monitoring, labels will help us find that out too. The FTC should also take a closer look at business applications that use RFID technology to track customer behavior, since these pose a greater threat to personal privacy than applications that just track in-store merchandise. One example is the San Francisco Bay Area FasTrak29 system that enables commuters to pay bridge tolls electronically using RFID devices. Over time, such a system will compile an extensive database of information about where and when people travel in the Bay Area. Because FasTrak is run by a California state agency, information gathered by the system is subject to strict laws that limit who has access to the database.30 Another example is the Vertical Plus program31 at the Sierra-at-Tahoe ski resort that tracks customer behavior via RFID wristbands (and rewards frequent visitors with discounts). In contrast to FasTrak, the privacy policy for the Sierra-at-Tahoe is less restrictive, allowing the company to aggregate information about customers and share it with third parties.32 Assignment #1 Redux Assignment #1 for SIMS 205 this semester examined three recent privacy-related news stories: the court case of a wife who snooped on her husband’s online chats, the theft of Paris Hilton’s contact information from her mobile PDA, and the accidental sale of credit data to 29 511.org, “FasTrak Application and License Agreement” (available at http://www.511.org/fastrak/forms/FasTrakApplication.pdf). 30 Information Practices Act of 1977, California Civil Code Sections 1798-1798.78 (available at http://www.privacy.ca.gov/code/ipa.htm). 31 Sierra-at-Tahoe, “Vertical Plus” (available at http://www.sierratahoe.com/info/winter/vertical-plus.asp). 32 Booth Creek Ski Holdings, Inc., “Privacy Policy” (available at http://www.boothcreek.com/privacy.html).
    • Assignment #4 – SIMS 205, Spring 2005 11 Mike Wooldridge (mikew@sims.berkeley.edu) illegitimate buyers by ChoicePoint, an information aggregator. My conclusion was that, even in the face of the threats posed by the Internet, privacy challenges are best met by way of “social norms, technology, and business incentives” instead of by new laws. My opinion hasn’t changed after reading the cases in our course and learning more about how the legal system works. Rather, my opinion has been strengthened. As we’ve learned over the semester, the legal system is often an inefficient place to solve matters related to new information technology. For one, it takes a long time for a case to move through the courts. During that time, innovations in computer hardware, software, and networking continue to emerge. This new technology can render court decisions ineffective. While the Recording Industry Association of America (RIAA) was fighting in the courts to shut down Napster,33 other file-sharing applications such as Grokster were gaining in popularity. Today, as the RIAA fights to shut down Grokster,34 file-sharing applications based on BitTorrent35 technology are becoming the rage. (A more effective strategy for the RIAA might have been the one Apple uses with iTunes, which allows people to legally purchase music online but restricts their ability to make copies.)36 Secondly, information technology is a global phenomenon that extends outside the borders of the U.S. As a result, your best protection against spyware and spam is not the SPY ACT or CAN-SPAM act, which do nothing about hackers in China or South Korea,37 but software utilities that can ferret out spyware or filter potentially unwanted messages from your in-box. 33 A&M Records, Inc. v. Napster, Inc., 114 F. Supp. 2d at 896 (N.D. Cal. 2000). 34 MGM v. Grokster, 380 F.3d at 1154 (9th Cir. 2004). 35 BitTorrent, “What is BitTorrent” (available at http://www.bittorrent.com/introduction.html). 36 The Berkman Center for Internet & Society, “iTunes Green Paper: Summary of Conclusions” (available at http://cyber.law.harvard.edu/media/uploads/72/6/iTunesSummary.pdf). 37 Commtouch.com, “Spam Trend For First Half of 2004” (available at http://www.commtouch.com/news/english/2004/pr_04063001.shtml).
    • Assignment #4 – SIMS 205, Spring 2005 12 Mike Wooldridge (mikew@sims.berkeley.edu) Lastly, there is a limit to how well anyone—the courts, the legislature, industry—can predict the future of technology. At the time of the Sony Betamax decision,38 no one could have predicted how video recording technology, which was arguably hurting copyright holders in the short term, would affect everyone in the long term. The court decided to take a hands-off approach and ruled that videotaping of movies was legal. Today the movie industry reaps a great deal of its revenues from video (and DVD) sales.39 In the area of RFID, the goal should be to maximize transparency of RFID-enabled transactions so that customers can make intelligent decisions about exposing their personal information. Laws and regulations should encourage this transparency, not prescribe limits on what types of RFID technologies are allowed. In addition, the FTC should help ensure that industry has economic incentives to create not only useful RFID applications, but also technologies that safeguard consumer privacy. 38 Sony Corp. v. Universal City Studios, 464 U.S. at 417 (1984). 39 VSDA.org, “2004 Annual Report on the Home Entertainment Industry: Highlights” (available at http://www.idealink.org/Resource.phx/vsda/annual-reports/index.htx).