RFID Law Blog

Last week, the national news was obsessed with the story about two State Department contractors that apparently snooped through Presidential candidate Barack Obama's passport records. To me, that is where the efforts of the privacy advocates and others critical of RFID should be focusing their efforts about passport data security. Which seems a more likely scenario for how passport data is stolen: Working with a $9/hour contractor at Stanley to snoop through passport records? Or, developing a high-intensity RFID-reader, standing next to people - undetected -as they walk across the border or through an airport, and electronically scanning their information from an RFID chip embedded in the passport?

I'm not trying to say that there aren't legitimate issues associated with the unprotected use of RFID in certain sensitive applications - there are. However, this story demonstrates that there are much bigger risks in passport data security than the disproportionate fear pointed at RFID.

| Posted By RFIDblogger In Privacy | Permalink | 0 Comments

The EU is calling for “meaningful discussion” considering its draft legislation on how to regulate RFID. The pending text can be found here, and cites past forum discussions and the EU’s commitment to “privacy, data protection and security.”

| Posted By RFIDblogger In Europe , Privacy , State Legislation | Permalink | 1 Comments

RFID-enabled ID cards are increasingly used as employee access cards for entrance to buildings and elevators. Those cards and readers have the capability to keep electronic records of the comings and goings of employees - even if employers aren't using them that way today. This article from the Seattle Post Intelligencer points out some of the pitfalls and risks of the needs of RFID providers, and their customers, to be thoughtful of how they address privacy issues in these kinds of applications.

| Posted By RFIDblogger In Privacy | Permalink | 0 Comments

Earlier this week, a blog on Yahoo posted about a scondary school in the United Kingdom that was kicking off a pilot RFID program.  The tags would be embedded in student's clothing to track their location on the basis of security concerns.  The original article from Information Week can be found here.  Check out the blog entry on Yahoo and voice your opinion about the issue!

| Posted By RFIDblogger In Privacy | Permalink | 1 Comments

On Thursday, August 30^th, the California State Senate passed legislation banning employers from requiring employees to be implanted with RFID tags.  As you might recall, we posted a related article about Citywatch.com, a Cincinnati based security company that operates in California, on July 24^th, 2007.  Citywatch.com currently tags specific employees in order to keep classified information secure.  State Senator Joe Simitian (D- Palo Alto), the bill’s sponsor, condemned human tagging as the “ultimate invasion of privacy.”

| Posted By RFIDblogger In Privacy , Uncategorized | Permalink | 0 Comments

A company called CityWatcher.com has recently received some press (see article pasted below) after implanting RFID chips into two of their employees in order to restrict access to a highly sensitive vault. 

This kind of application of RFID technology will undoubtedly raise new questions about the wisdom of the use of RFID in various applications and about the risks to personal privacy. The RFID industry needs to be able to answer, as an industry, how it feels about these kinds of uses and be able to address--from a policy and public relations perspective--whether there ought to be any limits or safeguards in place to address those concerns. A demonstration of self-regulation and self-control can go a long way toward addressing public policy concerns.

Surveillance Firm Implants RFID Tags In Employees
CityWatcher.com, a provider of surveillance equipment, attracted little notice itself -- until a year ago, when two of its employees had radio-frequency identification tags embedded in their forearms. AP reports that the company said the "chipping" of two workers with the tags was merely a way of restricting access to vaults that held sensitive data and images for police departments. "To protect high-end secure data, you use more sophisticated techniques," said Sean Darks, chief executive of the company. To some, the microchip was a high-tech helper that could increase security at nuclear plants and military bases. But to others, the notion of tagging people was Orwellian.

| Posted By RFIDblogger In Privacy | Permalink | 2 Comments

RFID Journal has the news here.

| Posted By RFIDblogger In Homeland Security , Privacy | Permalink | 0 Comments

From the Editor:
This was on the front page of the New York Daily News. I don't want anyone in RFID-land sending out a press release saying "We've got the perfect chip for child implants". Or we're all doomed.

Hil frets chips will be put in kids' brains
BY MICHAEL McAULIFF
DAILY NEWS WASHINGTON BUREAU

WASHINGTON - Madison Ave. ad execs are so bent on taking control of America's children, they'd put computer chips in kids' brains if they could, Sen. Hillary Clinton said yesterday.

Saying advertisers have found so many new ways to get at kids through video games and the Internet, Clinton warned that we're verging on a society out of a grim science fiction novel.

| Posted By RFIDblogger In Privacy | Permalink | 0 Comments

Check out these novel arguments for the security of RFID PayPass technology for financial transactions from GearLog:

What about the risks? They are real, but I don't think they are any greater than using a plain old credit card. I just don't think you should worry about it Here is why:

1. The risk of losing the token is basically the same as losing your wallet. Treat you keys more like your wallet and you should be fine.

2. Credit cards are more risky. In most cases you actually have to hand-over your credit card when making a charge. This opens it up to duplication and abuse.

3. The range on the token is very short, just two or three centimeters, so you won't get charged just by walking by a reader.

4. For charges greater than than $25, you need to sign the receipt, anyway.

5. You can't read the numbers off a pass pass token. I have a picture of mine right here in this post; I would not do this with my credit card.

6. Finally, there is no liability for customers. The company won't hold you responsible for fraudulent charges. According to MasterCard: "North American MasterCard cardholders are protected by zero liability for any fraudulent transaction."

Common sense goes a long way.

| Posted By RFIDblogger In Privacy | Permalink | 2 Comments

From http://www.rfidjournal.com/article/articleview/2360/1/1/:

Some government observers, however, say the report's potential effect may be limited. "The impact of the report is more public relations value against the use of RFID in applications related to tracking individuals, like e-passports or I-94 forms," says Douglas Farry, a managing director of McKenna, Long & Aldridge, a nationwide law firm focused on the intersection of public policy and technology. "There is no statutory or mandatory authority associated with these reports--it's just ammunition for those who might want Congress or the DHS itself to limit or prevent RFID from being used for [tracking individuals]."

"Whether it is RFID or any other kind of automatic identification system, the same privacy and security issues are at stake," he says, noting that they should all be addressed equally. The report's value, he adds, is that it "speaks to the need to have this kind of evaluation before large public announcements are made by government agencies that they are rolling out certain programs."

I agree with Jim Harper that the RFID business community should use this opportunity to engage with the privacy community and resolve the issues of how to use RFID securely -- to avoid damaging the reputation of the industry. Although, I will acknowledge, that some privacy advocates are easier to work with than others -- you can't just capitulate to anyone or any organization that calls themselves pro-privacy. I know Jim Harper, and he is just as interested in seeing businesses succeed as he is in seeing privacy protected.

| Posted By RFIDblogger In Homeland Security , Privacy | Permalink | 0 Comments

The Department of Homeland Security's Data Privacy and Integrity Advisory Committee will be considering a report on the use of RFID in identification documents at its meeting June 7th in San Francisco. A draft of the report has been posted with a request for comments.

The report has already generated a little attention. This Government Computer News story overstates the tone of the report, but it's good.

From the DHS Privacy Committee Web site:

The Use of RFID for Human Identification (PDF, 15 pages - 127 KB) The DHS Emerging Applications and Technology Subcommittee of the Privacy Advisory Committee is seeking comments on this draft report. This report will be considered by the full Committee during the June 7, 2006 public Advisory Committee meeting in San Francisco, CA.

Please provide any comments in writing to privacycommittee@dhs.gov, by postal mail, or by fax by 12:00 p.m. EST on May 22, 2006. All Comments will be considered on an ongoing basis.

In other news, here's a blog posting drawing into doubt certain phone companies' denials that they participated in the NSA spying program.

I hope to see any S.F. Privacillites at the DHS Privacy Committee meeting. Those of you not in S.F. at that time, go ahead and be jealous of those of us who are.

Jim

Jim Harper (jim.harper@privacilla.org) is the Editor of Privacilla.org and Director of Information Policy Studies at the Cato Institute in Washington, D.C. (www.cato.org/tech). To subscribe, or unsubscribe from the Privacilla mailing list, just e-mail kindly saying which one you'd prefer. We're all friends here.

| Posted By RFIDblogger In Federal Legislation , Privacy | Permalink | 0 Comments

According to an article in BNA's Executive Report:

Staffers for the House Energy and Commerce Committee are drafting a comprehensive privacy bill that is expected to be introduced in June, committee counsel David Cavicke said May 5. Cavicke said that Committee Chairman Joe Barton (R-Texas) is committed to moving the legislation forward, but he acknowledged that it will be a "multi-year effort" to get it enacted.

Congress has contemplated, and resisted, passing comprehensive privacy legislation since the mid-1990's, when the primary concerns involved consumer privacy related to growing online commerce. Instead, there have been various state legislatures which have passed a variety of measures targeting spam, identity theft, spyware, etc. Chairman Barton has long been a supporter of federal privacy legislation, so his intentions are not surprising -- although the timing might be. And some in the IT industry, notably Microsoft, have begun stating a preference for a single, broadly-applied federal standard for privacy protection as a way to avoid multiple conflicting standards in multiple jurisdictions. Similar arguments have been forwarded to address the disparity between US and European privacy regulations -- that unification means simplification.

| Posted By RFIDblogger In Privacy | Permalink | 3 Comments