RFID: The Privacy Imperative
Wednesday, June 03, 2009 - RFID Connections

      

Kathleen Carroll

Director of Government Relations

HID Global

 

RFID Connections spoke with Kathleen Carroll of HID Global about privacy issues, RFID industry response and the road forward.

 

Kathleen's views can be heard by clicking on the “podcast” link. So if you don’t have time to read the interview now, download it onto your iPod/MP3 player and listen in on your way home.

 

Note: Written transcript has been edited from audio interview for grammar and syntax.

 

RFID Connections: Privacy has been in the headlines again lately.  What are the main privacy concerns associated with RFID?

Kathleen Carroll: This has been an ongoing discussion. I think what it comes down to is that the main privacy concern associated with RFID has more to do with the right to be left alone than anything else. Warren and Brandeis, both US Supreme Court Justices first introduced the term “the right to be left alone” in an 1890 article on privacy for the Harvard Law Review so it has been a cornerstone of privacy for more than a hundred years.  And it is has been a part of the rallying cry of some in the privacy community who are stridently opposed to RFID technology.

 

More specifically, what perceived threat does RFID pose to an individual's "right to be left alone"?

 

The big fear among those who oppose the use of RFID technology is that it can be used to track individuals.  I have heard testimony from privacy advocates who say that if you are carrying anything -- a retail product, an ID card, an employee ID badge -- that contains RFID, you are in danger of being tracked and stalked and having your identity stolen.  And they use these examples such as going to a gun show, or participating in a political rally or going to the doctor’s office.  These are all activities that an individual would consider none of anybody else’s business.

 

But the one thing missing from such inflammatory rhetoric is a discussion of the many different types and frequencies of RFID and how it is used in different applications.  For example, it is often stated that RFID tags can be read from up to 70 feet away, a key privacy concern.  This statement ignores the physical reality and diversity of RFID.  For example, an active RFID tag may be able to be read from 70 feet away but a passive, 125 kHz tag, that's often used in employee ID badges, could not be read at such distances. 

 

There is also concern, voiced in a 2007 joint report from the Department of Commerce and the National Institute of Standards and Technology (NIST) that an RFID system does not have to store personal information to have privacy implications.  The report cites the example of an RFID tag on a bottle of prescription medicine that may identify the drug in the bottle but not the identity of the person for whom the prescription was written.  And here I will quote directly from the report which says,

 

“Nonetheless, the individual taking the medicine may still perceive the possession of the drug as personal information if scanned and read by another, as it might reveal information about a medical condition that the individual considers private.”

 

This statement, of course, ignores the fact that the tag will only have a unique number on it and for anyone to learn what that number means would require access to a database where the particular identifying information as to what the drug is will reside.

 

These are some of the top-line fears that have been expressed by the privacy community.

 

If that's the case, why should the industry -- users, manufacturers, and integrators of RFID technology -- care about privacy if there are so many variables and what may seem to be irrational fears?

 

You hit the nail on the head when you said "irrational fears" and that's a good way to describe them. But there are many reasons we need to care about privacy, not the least of which is that if users of our technology don’t trust it and, as you said have these irrational fears, we won’t be in business very long because they're not going to accept the technology.

 

Equally important, if policy makers -- and I'm talking about policy makers at the state, the federal and even the international level -- perceive that our products can and will invade citizen’s privacy they will take steps to regulate RFID technology.  This is already happening at the state level where legislation has been introduced that would impose costly mandates, such as requiring signs where RFID technology is in use and affixing special labels on each and every retail product or identification document that contains RFID. 

 

None of this legislation has passed at the state level to date but it keeps coming back. In the four years that I've been fighting legislation at the state level, the same bills come back year after year.

 

For example, in New Hampshire, the bill there is titled -- and you'll note the inflammatory language -- “The Regulation of Radio Frequency Tracking Devices”. That bill would have actually banned the use of RFID technology in certain applications.  A Rhode Island bill would have restricted the use of RFID because of its potential tracking capabilities.  And, in Alaska, an anti-RFID bill was introduced under the banner of “Privacy Protections for Alaskans.”

 

So, the potential for state legislation and also more recently the recommendations that came out of the European Union for the use of RFID should, I think, spur industry to take actions of our own accord so that we don't have to respond to costly mandates.

 

Has the industry already taken any steps to show policy makers and the general public that it is taking privacy seriously?

 

Yes, the industry has. We'll take it from a company level first.

 

From my personal experience, I have a job today because HID Global recognizes the need to proactively address the privacy concerns, real or imagined, associated with RFID.  Privacy is a key focus of my work in the security industry and the reason I earned my privacy certification through the International Association of Privacy Professionals (IAPP).

 

In addition, AIM Global has taken some steps as well towards making its membership aware of the privacy concerns. AIM Global has published RFID [Tag Data] Security Guidelines; they have designed an RFID Emblem for acceptance as an ISO standard. That emblem could be used to indicate the presence of an RFID reader or an RFID tag. AIM Global has also issued a privacy statement recognizing that, while some of the fears are irrational, some of them may be warranted and we take all of those concerns seriously.

 

In addition, EPCglobal has issued a set of guidelines for implementing RFID in retail applications in a privacy-protective manner.

 

So, yes, industry has, at the company level and at the organizational level taken steps to start to address some of these concerns.

 

When you say the industry has taken steps to "start to address some of these concerns", what else do you think the industry needs to do to fully address privacy issues?

 

This is just my personal opinion but I do believe that industry needs to proactively take more aggressive steps to mitigate privacy concerns and to do so voluntarily before policy makers impose onerous regulations.

 

First of all, we can educate ourselves, and I think that's a key thing that we in the RFID industry need to get the word out and AIM Global, of course, has taken some preliminary steps there to educate its membership about privacy concerns. 

 

We cannot dismiss, out of hand, the privacy fears associated with RFID, even if those fears are not legitimate.  We need to address those fears with facts.

 

I also think we need to consider privacy at every stage, from manufacture to implementation to deployment. 

First of all, at the manufacturing level, we need to consider privacy when we are designing and developing RFID technology: offering encryption capabilities; ensuring secure communications between tags and readers; considering the possibility of giving users more control -- a key privacy principle. 

 

At the implementation level, we should be conducting privacy impact assessments, looking at whether an RFID application will implicate privacy and minimizing the use of personally identifiable information wherever possible.  We also need to look at data retention capabilities of systems and the possibility of associating personally identifiable information (PII) with data collected through an RFID system.  If the data is not retained for long periods, it minimizes the risk of making a connection between PII and RFID data.

 

We also need to look at how the system will be deployed.  How and when RFID-enabled tags, documents or devices will be read; making sure that unauthorized readers will not be able to read the information on the tag. Deploying the system in a privacy sensitive way can address another privacy concern that RFID tags are remotely and secretly readable.  

 

Lastly, and perhaps most importantly, we need to educate consumers about the benefits they will derive from using RFID technology and the steps an educated consumer can take to protect themselves.  Let’s face it, there are always going to be "bad actors" who will abuse any technology -- just look at the Internet today and the proliferation of criminal enterprises focused on ripping users off.  Industry alone cannot protect individual privacy.  It has to be a shared effort.

 

Do you have any final thoughts you'd like to share with our listeners?

 

Just that there are plenty of resources for folks to learn more about privacy. There is the International Association of Privacy Professionals (IAPP), of which HID is a member; there is also the Department of Homeland Security Privacy Office website that has pretty much a blueprint for how to conduct privacy assessments; and also the FTC (Federal Trade Commission) at its website has resources for businesses that may implicate personally identifiable information in the deployment of an RFID system.

 

Just so that folks know that they don't have to "start from scratch". There's a lot of information already out there.

 

Kathleen, thank you very much.

 

Editor's note: AIM Global is continuing to work on privacy issues and that providers as well as users of the technology who do want to participate in developing best practice guidelines and similar materials should contact the AIM office.

 

-----

 

About Kathleen Carroll

 

Kathleen Carroll is the Director of Government Relations for HID Global, a leading manufacturer of proximity and smart card technologies in the access control industry.  Carroll oversees HID Global’s radio frequency (RF) technology privacy and policy initiatives, including pending legislation in the 50 states.  She also works to support public policies that address RF technology and privacy at the national and international levels.

 

Carroll serves as the Chairperson of the Security Industry Association’s (SIA) State Policy Advocacy Working Group which is working to educate legislators, business leaders and consumers about radio frequency technology applications and benefits in the physical access control marketplace, among other issues.  She is also an elected member of the Smart Card Alliance’s Identity Council Steering Committee.

 

With nearly 20 years experience in public relations and marketing communications, Carroll is currently pursuing a Master’s Degree in Political Science at Villanova University.  A member of the International Association of Privacy Professionals, she is a Certified Information Privacy Professional.

 

About HID Global

 

HID Global is focused on creating customer value as the trusted source for products, services, and know-how related to the delivery of secure identity.  Web site: www.hidglobal.com.

 

HID Global is the trusted leader in providing solutions for the delivery of secure identity, serving customers worldwide with proximity and contactless smart card technologies; IP-based networked access solutions; secure and custom card solutions; photo ID and ID card application control software; high definition printer/encoders and secure card issuance solutions. Headquartered in Irvine, California, HID Global operates international offices that support more than 100 countries and is an ASSA ABLOY Group brand.

 

-----

 

RESOURCES

 

AIM Global

RFID Website: http://www.rfid.org

RFID Privacy Statement (summary and background): http://www.aimglobal.org/technologies/rfid/privacy_security.asp

AIM Global RFID Emblem: https://www.aimglobal.org/estore/ProductDetails.aspx?productID=286

 

International Association of Privacy Professionals (IAPP)

Website: http://www.privacyassociation.org/

 

U.S. Department of Homeland Security - Privacy Office

Privacy Impact Assessments: http://www.dhs.gov/xinfoshare/publications/editorial_0511.shtm

 

U.S. Federal Trace Commission

Privacy Links: http://ftcsearch.ftc.gov/search?q=privacy&btnG=Search&entqr=0&ud=1&output=xml_no_dtd&sort=date%3AD%3AL%3Ad1&oe=UTF-8&ie=UTF-8&client=ftc_consumer&proxystylesheet=ftc_consumer&filter=0&site=default_collection

 

 

Share this Story
Digg   del.icio.us   Yahoo   Reddit   Facebook   Google

Related Articles :
No Related Content Found

Search Articles :