RFID: Balancing Technology and Privacy
February 2008
Radio Frequency Identification (RFID) tags, developed over twenty years ago, have become a well-used tool in many different industries. Acting as a next-generation bar code, an RFID system consists of a small microchip and an antenna placed on a product that sends information a short distance via radio waves. Similar to a bar code, the RFID chip holds inventory information related to the product to which it is attached. An RFID-tagged product can be easily tracked as it moves through the various stages of commerce; but the distance the information is transmitted varies from direct contact to several feet, which helps control who gets access to the data on the tag.
Currently, RFID is rarely used to store any personal information—it is used primarily for tracking purposes such as retail or medical supply inventories. While it is possible to store personal information on an RFID chip, outside of the health care industry (hospital patient information, etc.) primarily only government entities are looking at personal storage encapsulated onto RFID chips. But privacy concerns have led several states to introduce legislation dictating the type of information RFID chips may contain or how this relatively new technology may be used.
A bill has been introduced to address some of the privacy concerns regarding possible abuse in the sharing and use of personal information in connection with RFID chips. This is being heralded as a sort of “Electronic Bill of Rights.”
Engrossed Substitute House Bill 1031 would:
• Make it a violation of the Consumer Protection Act to intentionally scan a person’s identification device remotely, for any reason, without that person’s consent.
• Make it a class C felony to intentionally scan another person’s identification device remotely without that person’s knowledge and consent, for the purposes of fraud, identity theft or some other illegal purpose.
• Require a governmental or business entity to obtain the consent of the person associated with the data if the entity intends to use or retain the data after the sale, transaction or service has been completed.
• Allow the Attorney General to bring civil action to enforce the bill.
The bill is intended to ensure consumers are aware of how their own private data will be used by private businesses, in large part because abuses of this information can be catastrophic to a person’s credit, finances, etc. In an age of growing identity theft, backers of this proposal fear an escalation of fraud through new technological means.
However, a myriad of privacy laws already on the books deal with the collection and dissemination of personal data. Federal legislation already regulates the financial, health care and credit reporting industries. The Washington Privacy Act restricts the interception or recording of private communications or conversations. Other laws on the books deal with identity theft, computer theft, and stalking or consumer credit card copying crimes.
In addition, the bill’s general description of radio frequency technology does not specifically pertain only to commonly used RFID chips. The spectrum range specified as an electronic device has the potential to include wireless telephones, which opens a whole new set of complications, as wireless phones are primarily regulated by the Federal Communications Commission and not the state legislature or the Washington State Utilities and Transportation Commission.
Policymakers should focus on people who commit crimes of identity rather than try to micromanage the technology itself. Legitimate manufacturers and users of RFID technology are in agreement that abusing consumers’ private data, especially in a competitive marketplace, would be bad for business.
The private sector is not the only entity tapping into this technology. In the summer of 2007, the Washington State Department of Licensing decided to deploy a technology trial of an RFID-enabled driver’s license. One of the reasons behind this trial is to assess whether an RFID-enabled driver’s license is a reasonable alternative to a passport for Washington state drivers who cross the Canadian border regularly. The new license possesses a digital watermark and other authenticators. The RFID chip used in the license pilot project has a broadcast range of twenty feet. The licenses are available now but are completely voluntary.
RFID technology is also being used for the voluntary electronic tolling system on the new Tacoma Narrows Bridge, as well as the HOT lanes pilot project on SR 167.
Backers of this type of regulation are also advocating that consumers be provided with a preemptive “opt-in” right. This means that any business must gain the consumer’s consent prior to selling any RFID-enabled products to them.
A public policy stance often used with a technology that may not be completely understood by policymakers is called the “precautionary principle.” This principle states that if a certain technology or method is not fully understood by policymakers—or a sufficient consensus is not reached—the policy should be immediately discontinued until there is a sufficient consensus.
One of the problems with the precautionary principle in RFID technology is that no policymakers can account for how the technology will improve in the future. Computing power and technology components increase in efficiency exponentially every few years. Cutting today’s technologies off at the knees could short circuit future endeavors to shore up any privacy concerns while at the same time fulfilling the technological needs of the industries that rely upon RFID. Already there are many examples from around the world on how RFID-enabled products and services are enhancing customer experience or saving consumers and businesses both time and money, as well as increasing security in other sectors of business (day care for instance).
New technology can present challenges to businesses, governments and citizens in that everyone must agree on standardization and protections for personal privacy. But reacting to legitimate privacy concerns through the cost-prohibitive regulation of a product harms the business community and consumers. The cure is not to prohibit but to work with the private sector to develop a “best practices” approach to privacy concerns and crack down on anyone who willfully misuses any personal consumer information—many companies and RFID makers are already doing this.
RFID tags are used to track products and inventory, not people. It is understandable to take a hesitant approach to a technology many people outside the technology and retail sectors do not readily understand. But regulating a technology out of existence in order to shore up fears about privacy invasions hurts economic growth and business efficiencies.
Most businesses that deal in collecting data for the use of marketing or other legal purposes have a stated privacy policy. Consumers must also do their part in educating themselves about their rights in voluntarily disseminating their own personal information. As is the case with all technological advancements, responsible users of advanced technology have the capability to accomplish great things and improve the lives of consumers and society at large. There also exist those that wish to do harm to others. Simply regulating a technology in the name of consumer protection does not guarantee that criminals will not try to break the law in the future. Establishing data protection standards—already being done by private standards organizations—and enforcing the current criminal laws will benefit consumers and businesses while still providing the benefits from new technology.
