Report highlights impact of RFID on everyday life
Radio Frequency Identification (RFID) technology is not yet sophisticated enough to pose a threat to our privacy. But this could change in the very near future, and measures must be in place to safeguard personal data and secure personal freedom for when that change occurs, according to STOA, the European Parliament's Scientific Technology Options Assessment body. RFID tags are small microchips made out of plastic or even paper. Attached to an antenna, they emit a unique serial number by radio over short distances. Until recently, RFID was mainly used in supply chain management, to track vehicles between depots and pallets of goods from warehouses to stores. But now RFID is catching on in a much bigger way. Tags can be embedded in all kinds of consumer products and scanned from between 3 to 50 metres away, revealing information about the product. People can also be identified using the technology, which has resulted in the development of RFID public transport cards, biometric passports, micro-payment systems, office ID tokens and consumer loyalty cards. Through a series of case studies, the researchers contracted by STOA were able to build up a picture of how RFID is perceived by consumers and those running the technology. They found that consumers generally see RFID as little more than an electronic key, while to the owners of the RFID systems, the technology enables them to register the movement, spending power, productivity, preferences and habits of the users. This access to personal information has been the cause for concern by many consumer protection watchdogs, who have argued that the deployment of this technology could have a serious adverse effect on people's privacy. The researchers found several cases of personal data being abused. One case involved travel data being used in a police investigation. The office context also provided some interesting cases. Employees, who had no other option but to use the RFID chipped items offered to them by their employers, were subjected to time registration and anti-theft surveillance. But the study also found that use of RFID was beneficial to users. Being identified as a loyal customer or demonstrating how much overtime a worker puts in are just two cases in point. Although a comprehensive study would be needed to draw definite conclusions, these first accounts, the study suggests, indicate a relatively low number of incidents in which personal data has been misused. The reason for this can be two-fold. First of all, in all cases it was clear who maintained the data and needed to comply with the guidelines on data protection. Second, many RFID systems are not very sophisticated and can only disclose small fragments of their users' identity. But as RFID systems develop rapidly, the study suggests that it will become easier to aggregate and analyse a user's data. Furthermore, once different RFID systems become connected to each other, or other technologies such as GSM, GPS, CCTV and the Internet, a much richer image of its users will appear. This would allow the owners of RFID systems to hand over personal RFID data for police investigation. Meanwhile, for users it will become much less clear who is actually managing their data, and in which systems, upsetting the power balance in the digital public space. There is not only the issue of protecting privacy or personal data, but also of securing personal freedom through the right balance between choice, convenience and control, argues the study. The study concludes by making the following recommendations: - RFID users need to know what the owners of RFID systems can and are allowed to do with their data; - RFID users should play a role in developing new RFID environments; - if personal data from different RFID systems are merged it should remain clear who is responsible form handling these data; - privacy guidelines and the concepts of personal data and informational self-determination need to be reconsidered in the light of an increasingly interactive environment; - governments should take a clear stance on whether RFID bulk data will be mined for investigation purposes.