WorldLII [Home] [Databases] [WorldLII] [Search] [Feedback]

EPIC --- Privacy and Human Rights Report

You are here:  WorldLII >> Databases >> EPIC --- Privacy and Human Rights Report >> 2006 >>

[Database Search] [Name Search] [Recent Documents] [Noteup] [Help]

EPIC --- Privacy and Human Rights Report 2006

Title Page Previous Next Contents | Privacy Topics >Radio-Frequency Identification (RFID)

Radio-Frequency Identification (RFID)

Radio Frequency Identification (RFID) is a type of automatic identification system that enables data to be wirelessly transmitted by portable tags to readers that process the data according to the needs of a particular application. "Passive" RFID tags do not have an internal power source, but derive power indirectly from the interrogating signal of a reader, while "active" RFID tags are self-powered.[698] Tags in use today are small enough to be invisibly embedded in products, product packaging, and even printing inks. They can be read from a distance and through a variety of substances such as snow, fog, ice, or paint, where barcodes have proved useless.[699] The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, or date of purchase. RFID readers are often connected to computer networks, facilitating the transfer of data from the physical object to databases and software applications thousands of miles away and allowing objects to be continually located and tracked through space. RFID may also be used to identify documents and currency. RFID may even be deployed to identify individuals.[700] Today, major uses of RFID include supply chain management, animal tracking, and electronic roadway toll collection.

While barcodes have historically been the primary means of tracking products, RFID systems are rapidly becoming the preferred technology for monitoring pets, products, vehicles and even people.[701] RFID systems enable tagged objects to speak to electronic readers over the course of a product's lifetime – from production to disposal – which could provide retailers with an unblinking, voyeuristic view of consumer attitudes and purchase behavior.[702] RFID systems of all kinds are capable of generating a volume of consumer data several orders of magnitude greater than has been possible before. With in-store deployment, it is predicted that Wal-Mart will generate more than seven terabytes of RFID data a day.[703] All of this data will reap a bonanza of high-resolution consumer information to be aggregated for further data mining or sold to third parties.[704] Industry experts estimate that the market for RFID technology will top USD 6 billion by 2010.[705]


The debate over RFID technology touches upon many controversial policy issues.[706] At its most fundamental, widespread use of RFID tags could enable corporations to track every move consumers make. Corporations that compile the data transmitted by the tags could determine which products a consumer purchases, how often products are used, and even where the product – and, by extension, the consumer – travels. By aggregating data to form consumer profiles, corporations could make assumptions about a consumer's income, health, lifestyle, travel and buying habits. This information could be sold to governments to create dossiers of individual citizens or simply sold to other corporations for marketing purposes. The potential to track spending habits and share RFID data for marketing is the highest cause for concern among consumers.[707] While the ability of RFID readers to collect data from tags once a consumer has left a store or moved beyond the readers' range is currently limited, many consumer groups and privacy advocates note that RFID technology is quickly advancing, while measures to protect individual privacy by limiting the amount and type of information corporations can collect is lacking.[708]


In the widely adopted EPCGlobal RFID standard, the data imprinted on a tag, the Electronic Product Code (EPC), provides a unique link to individual product data. The data is stored in a globally distributed, centrally managed electronic database, known as the Object Name Service (ONS). Tag readers in remote physical locations can connect to ONS via the Internet and then read and modify the item's ONS "dossier" throughout its lifecycle.[709] In January 2004, EPCGlobal chose Verisign, Inc. to manage the root directory of ONS because of similarities between the name service and Domain Name Service (DNS), which Verisign manages for the .COM and .NET top-level domains.[710] This choice raised alarm bells with privacy advocates, who note Verisign's poor track record in electronic privacy.[711] Recognizing that new innovative uses will drive RFID's profit potential, Verisign labeled 2005 as "The Year of the [RFID] Pilot" and sponsored a number of conferences aimed at EPC developers.[712]


Opponents of RFID tags have proposed measures to sidestep the chips' relentless information-gathering, ranging from disabling the tags by crushing or puncturing them, boycotting the products of companies that use or plan to implement RFID technology,[713] or finding ways to block the reading of a tag using special mylar bags or other technological means. One company has created a stainless steel fabric wallet to protect contents from RFID hackers.[714] The RFID industry has moved to meet this consumer demand with its own solutions, most notably the EPCGlobal standard for "killing tags," which allows for tags to be physically disabled at point of sale by the merchant.[715] Another industry-level solution has been proposed by RSA Security, Inc., which would provide a system for tag reading to be blocked in specified "privacy zones" of varying scope.[716] Both "tag killing" and tag blocking are problematic solutions that have yet to be proven in the field.[717] The "Blocker Tag" remains an unproven solution for many reasons. Technologists appear to disagree as to the ease with which such a system might be circumvented,[718] and it places a significant burden on consumers to make sure they protect their privacy through the duration of their ownership of a product.

Applications

Many large organizations have begun implementing RFID technology. Gillette, Wal-Mart, and Levi Strauss are among the early pioneers, using RFID for real-time tracking of inventory levels.[719] RFID systems have provided immediate benefits such as accurate replenishment of out-of-stock items and precise product sales performance statistics.[720] Other companies are developing "smart" shopping cart technology that makes use of RFID.[721] Using the Internet or a swipe card, the cart will guide consumers to their desired items and make suggestions for other products.[722] Hospitals are also beginning to use RFID to monitor medical supplies and track patients.[723]


Public organizations are also making use of the technology. For example, public libraries have embraced RFID.[724 ]A growing number of libraries in the United States[725] have already tagged every book, tape, CD, or other item in their collections.[726] Thirteen US government agencies plan to implement RFID within their operations in 2006.[727] The Energy Department wants to track hazardous waste materials.[728] The Labor Department plans to implement an RFID system to monitor and locate its tremendous volumes of case files.[729] These uses are not problematic, as RFID tags are not being used to identify and locate people. However, the Homeland Security and State departments want to use the technology to aid in border control and immigration management without taking travelers' privacy sufficiently into account. The US Department of Homeland Security is seeking to expand the use of RFID technology in identification documents, but it is facing obstacles. The agency is moving forward with the Western Hemisphere Travel Initiative[730] and the REAL ID system despite the fact that Homeland Security Secretary Michael Chertoff admitted in Congressional testimony in February 2007 that the agency is abandoning the use RFID-enabled documents in the US-VISIT border system because pilot testing failed.[731]


The US State Department's proposal[732] to roll out RFID-enabled passports with biometric data by Spring 2005[733] raised serious privacy and security issues that the agency disregarded. After more than two thousand critical comments[734] were filed,[735] the State Department backed off its original rollout date[736] and agreed to modify some of the RFID passport features to address some privacy and security problems. However, by October 2006, the 27 countries in the US Visa Waiver Program (which allows their citizens to enter the US without having to apply for a visa) were required to use electronic passports.[737] About 15 million people per year travel to the US through the Visa Waiver Program. The State Department began issuing RFID-enabled passports in August 2006, arguing that the technology can be secured.[738] However, a number of researchers have been able to break the security of so-called "strengthened passports." Security researchers, using off-the-shelf technology, hacked into RFID-enabled passports from Germany, the Netherlands and UK and cloned the chips.[739] In light of the many security and privacy risks, some US government experts are strongly recommending against RFID use in identity documents.[740]


Corporations in Europe and Asia have moved forward with plans to tag consumer products. The German retail conglomerate Metro has its suppliers use RFID tags on their cases and pallets.[741 ]Marks & Spencer, one of the largest retailers in the United Kingdom, has item-level RFID systems in 122 of its 433 stores.[742] The project is a follow-up to the company's implementation of RFID tags into 4 million produce delivery trays in 2002.[743] In South Korea, a company introduced a system to track freight at one of Asia’s largest shipping ports.[744] China has been developing an RFID standard since 2004 and is partnering with Korea and Japan on joint RFID projects.[745]


Some companies are offering RFID-enabled credit cards, but in October 2006, researchers at the University of Massachusetts and RSA Labs revealed the shaky security employed by credit card companies.[746] In tests on 20 cards from Visa, MasterCard and American Express, they found that the cards transmitted the cardholder's name and other data in plain text and without encryption. The researchers gathered the data with a device made out of commercially available electronic components and were able to use the stolen data to buy products online.


Europe's largest amusement park, Legoland in Denmark, uses active RFID tags contained in bracelets and Wi-Fi networks to help parents track their children through the park.[747] The PRISM system, developed by Alanco Technologies, Inc. for use in correctional facilities, uses tamper-proof RFID-enabled wrist bracelets to monitor the location of prison inmates in real-time, reducing instances of prison vandalism and other unruly behavior. "A host of management reporting tools are available that include medicine and meal distribution, adherence to pre-determined time schedules, restricted area management, and specific location, arrival and departure information."[748] The US Transportation Security Administration (TSA) is considering the use of RFID-tagged airline boarding passes.[749] In Spring 2005, TSA awarded grant monies for companies to develop tracking technologies for airport ground vehicles and baggage using RFID.[750] The United Kingdom's Manchester Airport recently completed a six-month trial where 50,000 people were tracked with RFID technology, and airport authorities have requested that the pilot test be implemented permanently.[751] All passengers would receive RFID-enabled boarding passes; even those who print out boarding passes at home will have RFID tags attached at the airport. Officials say this will improve security by making it possible to detect any entering an unauthorized area; however, it would be easy for a criminal to merely throw away the boarding pass to avoid being tracked. The only people who would be tracked would be innocent travelers.


Applications that are not initially designed to track individuals, such as the US RFID-based electronic highway toll collection system EZ Pass, might nonetheless make human tracking possible. One of the more offbeat proposals is to use RFID chips to track human corpses as a way to prevent the black-market sale of organs.[752] In California, a school board attempted to track all of its children with cards containing RFID tags, but the proposal was quickly rejected by parents and privacy advocates.[753] This incident led California Senator Joe Simitian to introduce a bill in 2005 banning the use of RFID technology in most state-issued ID cards.[754] The proposed Identity Information Protection Act would further require government IDs to use the highest level of RFID encryption.[755] Although it did not pass in the 2005 legislative session, Senator Simitian has reintroduced the bill, and it is currently being debated.[756] A school in Japan also experimented with tracking children in a short-term trial in 2004.[757]

Policy Responses

Several countries, including the US, Canada, Italy, Australia and Japan, have outlined guidelines for domestic industry to follow in their use of RFID.


Although it does not explicitly call for labeling, a joint resolution on RFID, proposed by data protection authorities in Germany, Spain and Switzerland and adopted at the International Conference of Data Protection and Privacy Commissioners in Sydney, Australia on November 20, 2003, requires consumers to be able to delete data and destroy or disable tags on consumer items. Further, the resolution asserts "all the basic principles of data protection and privacy law have to be observed when designing, implementing and using RFID technology." Joint guidelines released by Japan's Ministry of Public Management, Home Affairs, Posts and Telecommunications (MPT) and the Ministry of Economy, Trade and Industry (METI) on June 8, 2004, call for consumers to be given options on how they might interfere with the reading of tags, but appear to say nothing about rights to have the tag removed or destroyed.[758]


The European Union is heavily scrutinizing RFID technology. In 2003, The European Union published RFID privacy guidelines outlining the consumer's right to control and access information gathered through RFID technology.[759] In January 2005, the Article 29 Working Party put up for public consultation a "Working Document on Data Protection Issues Related to RFID Technology,"[760] and released the results of the consultation in September 2005.[761] The Working Party found that some people suggested the need for additional legislation, stating "that the use of RFID for item level tagging may not necessarily involve the processing of personal data, yet it seems appropriate to require notice, choice, right to object, etc."[762] Others recommended making it "mandatory to embed technical solutions (PETs) in RFID technology. This is true of kill commands and the use of cryptography for tags that store personal data. Some also ask for prohibition or strict rules for implants of RFID in the human body."[763]


In 2006, EU Information Society Commissioner Viviane Reding called for public engagement in the EU consultation on RFID. The increasing use of RFID technology "will raise tremendous challenges for sovereignty, individual liberties and economic independence. It will be necessary that citizens keep control of how the information concerning them is utilized and updated and how the tags can be deactivated," she said at the EU RFID Conference in October 2006.[764]


In March 2007, the European Commission held an RFID forum in Brussels and released a communication on steps toward a policy framework.[765] "[A] clear and predictable legal and policy framework is needed to make this new technology acceptable to users," the Commission said. "This framework should address: ethical implications, the need to protect privacy and security; governance of the RFID identity databases; availability of radio spectrum; the establishment of harmonised international standards; and concerns over the health and environmental implications." The Commission outlined ideas for such a framework and asked for comments.”


In July 2007, European consumer groups ANEC and BEUC issued a joint policy paper in response.[766] The groups recommended that the Commission begin "impartial and comprehensive information campaigns on the RFID technology, its potential benefits and risks," to help consumers choose whether to use RFID. The groups also suggested the formation of "a European committee dealing with ethics should be created and consulted” concerning any RFID or near field communication (NFC) technology applications." The European Commission is considering proposing legislation in 2007 to ensure privacy safeguards in the use of RFID technology.


In April 2007, the National Institute of Standards and Technology (NIST) issued its "Guidelines for Securing Radio Frequency Identification (RFID) Systems." NIST detailed how to address, in the context of an RFID system, the basic principles of the Organization for Economic Co-operation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.[767]

Human “Chipping”

RFID manufacturer VeriChip Corporation has developed the VeriChip Personal Identification System, designed for use in a variety of applications including financial and transportation security, residential and commercial building access, military and government security.[768] For a fee, customers’ arms are implanted with a glass chip about the size of a grain of rice, containing a unique verification number. When activated by a VeriChip scanner, that number is emitted by a small radio frequency, providing instant access to information logged in the Global VeriChip Subscriber Registry. A nightclub in Spain began using the VeriChip human implant system in March 2004, to improve access for VIPs and allow them to pay for drinks without cash or credit cards.[769] Soon after, clubs in Holland, Scotland, and the US also began implanting chips into their customers.[770]


VeriChip even had a campaign to promote the technology with the slogan "Get Chipped," and a mobile van called the "ChipMobile" performed the chip insertion procedure in towns that it visited.[771] In July 2006, two researchers demonstrated that the VeriChip implantable RFID tag could be easily copied.[772] The revelation came as VeriChip was trying to convince the US Defense Department to buy "digital dog tags" for soldiers.


In 2006, several US states began to legislate the use of RFID in human implants. Wisconsin and North Dakota passed legislation forbidding the compelled implantation of RFID chips in humans,[773] and Colorado, Ohio, Oklahoma and Florida are also debating such legislation.


In response to growing questions about ”chipping” humans, in July 2007, the American Medical Association (AMA) released a report, "Radio Frequency ID Devices in Humans" focusing on the ethical consequences surrounding the use of RFID implants in humans.[774] The report outlined potential risks with the technology: physical risk to patients; confidentiality; patient privacy; effective informed consent; and security of the information contained on the device.

Public Opposition to RFID

Many individuals and non-government organizations have voiced strong opposition to widespread implementation of RFID tags without proper privacy protections.[775] One US organization opposing the use of RFID tags is Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN). CASPIAN organized a worldwide boycott of global retailer Tesco in opposition to its plan to expand item-level RFID tagging.[776] CASPIAN's main objection to Tesco is that its RFID tags are not deactivated at checkout to prevent possible tracking of consumers after the sale.[777]


In early 2007, CASPIAN found a patent filed by American Express in 2005 that described a plan to place RFID readers or "Consumer Trackers" in stores to gather RFID signals from objects picked up by consumers as they walked around stores picking up items.[778] American Express sought to use RFID to create a "targeting shopping experience," and considered embedding RFID tags into its credit cards, so cardholders could be easily identified and tracked. American Express also suggested that such "Consumer Trackers" could be used in school common areas, shopping centers, bus stations or "other places of public accommodation." After meeting with CASPIAN, American Express agreed to "review its entire patent portfolio and ensure that any people-tracking plans be accompanied by language requiring consumer notice and consent."[779] The company agreed to make "chip-less" versions of its cards available to those customers who asked for them, creating an opt-out regime. About the same time that the American Express scandal broke, shipping firm DHL announced it was rethinking plans to tag "every product it ships" with RFID by 2015, citing concerns about cost.[780]


In 2005, the Trans-Atlantic Consumer Dialogue (TACD), a consortium of US and EU consumer groups, called for urgent attention to the risks to consumers associated with RIFD.[781] The approach of regulatory movements worldwide varies considerably. RFID bills drafted in the US, all share a "notice" clause. This clause requires any consumer products bearing RFID tags to be conspicuously labeled. There is no legislation currently being considered in the US at the federal level.[782]



[698] See generally, EPIC's RFID Systems Web page <http://www.epic.org/privacy/rfid/>.
[699] See "What is Radio Frequency Identification (RFID)?," AIM Global, Association for Automatic Identification and Mobility <http://www.aimglobal.org/technologies/rfid/what_is_rfid.asp>; Savi Technology and EPCglobal, "Learn About RFID" <http://www.savi.com/rfid.shtml>; and John Stermer, "Radio Frequency ID: A New Era for Marketers?," Consumer Insight magazine, Winter 2001.
[700] Ellen Mesner, "RFID Is Really Getting under People's Skin," NetWorld Magazine, April 4, 2005 <http://www.networkworld.com/news/2005/040405widernetchip.html>.

[701] Even the most basic form of RFID tag, the passive, "class 0" tag with no independent source and no rewriting capability, enables the real-time tracking of objects, and, by association, the individuals that carry them.
[702] See "What is Radio Frequency Identification (RFID)?," AIM Global, Association for Automatic Identification and Mobility <http://www.aimglobal.org/technologies/rfid/what_is_rfid.asp>; Savi Technology and EPCglobal, "Learn About RFID" <http://www.savi.com/rfid.shtml>; and John Stermer, "Radio Frequency ID: A New Era for Marketers?," Consumer Insight magazine, Winter 2001.
[703] Mark Palmer, "Overcoming the Challenges of RFID," ZDNET.com, February 27, 2004 <http://zdnet.com.com/2100-1107_2-5165705.html>.
[704] Hadley Sharpe, "Marketing Benefits Tops in RFID Adoption, Says Study," RFID Product News, May/June 2005 <http://www.rfidproductnews.com/issues/2005.05/feature/marketingbenefits.php>.
[705] "RFID Market to Exceed $6 billion Worldwide by 2010," Supply & Demand Chain Executive, May 27, 2005, <http://www.sdcexec.com/web/online/Trends/RFID-Market-to-Exceed-6-billion-Worldwide-by-2010/20$6972>.

[706] Rich McIver, "How RFID Will Impact Consumer Privacy," RFID Gazette, March 22, 2005 <http://www.rfidgazette.org/2005/03/rfid_privacy_is.html>.
[707] Mary K. O’Conner, "Surveys Reveal Dubious Consumers," RFID Journal, February 17, 2005 <http://www.rfidjournal.com/article/articleview/1409/1/132/>.
[708] See generally EPIC's RFID Systems Web page <http://www.epic.org/privacy/rfid/>.

[709] EPCGlobal, "How the EPC Network Will Automate the Supply Chain," <http://riccistreet.net/port80/charthouse/future/epc.pdf>.
[710] Paul Roberts, "VeriSign to Manage RFID 'Root' Server," Industry Standard, January 13, 2004, available at <http://www.thestandard.com/article.php?story=20040113174055565>.
[711] In September 2003, Verisign was criticized for using its control over DNS root servers for .COM and .NET top-level domains to promote its own commercial services and potentially put consumer privacy at risk. Domain names that were mistyped during web browsing or e-mail writing were redirected to Verisign servers instead of responding with standard error messages. Redirection of mistyped e-mail addresses to Verisign servers made it possible for Verisign to intercept and store private personal e-mail messages. SecurityFocus, "Verisign's SiteFinder Finds Privacy Hullabaloo," The Register, September 19, 2003, available at <http://www.theregister.co.uk/2003/09/19/verisigns_sitefinder_finds_privacy_hullabaloo/>. Verisign stopped the practice in October 2003 after a demand from Internet regulatory body ICANN. Robert Lemos, "VeriSign Calls Halt to .com Detours," CNET.com, October 3, 2003 <http://news.com.com/2100-1032_3-5086101.html>.
[712] DataMonitor, Inc., "2005 Year of the RFID Pilot Says VeriSign," January 24, 2005 <http://www.datamonitor.com/~688e2e78ed2046e8a3ecfba341d342b5~/industries/news/article/?pid=2134C8AF-3C7C-4F06-B244-34E4F51254FD&type=NewsWire>.

[713] Andrew Donohue, "Privacy Activists Demand Tesco Boycott over RFID," ZDNet UK.com, January 26, 2005 <http://news.zdnet.co.uk/communications/wireless/0,39020348,39185481,00.htm>.
[714] Brendan Spiegel, "Sleek and Sturdy Steel Wallet Keeps RFID Hackers at Bay," Wired, July 16, 2007 <http://www.wired.com/gadgets/miscellaneous/news/2007/07/steel_wallet>.
[715] Junko Yoshida, "RFID Backlash Prompts 'Kill' Feature," EETimes. April 28, 2003.
[716] RSA's blocker tags, using a technique to confuse tag readers into thinking they are scanning a large number of tags, would work in conjunction with a "privacy bit" stored in the individual tag's EPC code. Using such a system, a merchant would "flip" the privacy bit on an item (from 0 to 1) at the point of sale. The consumer could then keep one of their blocker tags in the proximity of the item whenever they want to prevent the tag from being read. If, at a later date, the consumer needed to have the tag read for some reason, they could remove the blocker tag from the presence of the RFID reader so that data could be read normally. A. Juels, R. L. Rivest, and M. Szydlo, "The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy," in V. Atluri, ed. 8th ACM Conference on Computer and Communications Security, pp. 103-111, ACM Press, 2003 <http://www.rsa.com/rsalabs/node.asp?id=2060>.
[717] The EPC protocol "kill command" leaves the final step of the process, physically disabling the chip, to the individual chip manufacturer. Many technologists have admitted that real world implementations of the kill command have been shown to have bugs and don't always work. See e.g., Miyako Ohkubo, Koutarou Suzuki and Shingo Kinoshita (NTT Laboratories), "Cryptographic Approach to 'Privacy-Friendly' Tags," available at <http://www.rfidprivacy.us/2003/papers/ohkubo.pdf> and Kim Zetter, "Jamming Tags Block RFID Scanners," Wired News, March 1, 2004 <http://www.wired.com/techbiz/media/news/2004/03/62468>. Furthermore, some industry "kill" solutions involve erasing the data but not destroying the circuitry, enabling the chip to be "recycled" at a later date. In fact, some RFID proponents have publicly attested to the value of a sleep command, where a chip will be publicly unresponsive (appear to be killed) until sent an encoded "revitalize" command. See Jo Best, "Zombie RFID Tags May never Die," Silicon.com, May 18, 2004 <http://zdnet.com.com/2100-1103_2-5214648.html>.
[718] See Scott Mace, "RFID Blocker Tag Concerns," Information Manager Journal, March 5, 2004 <http://scottmace.typepad.com/imanager/2004/03/rfid_blocker_ta.html>.

[719] Chris Murphy, "Real-World RFID: Wal-Mart, Gillette, and Others Share What They're Learning," InformationWeek.com, May 25, 2005 <http://informationweek.com/story/showArticle.jhtml?articleID=163700955>.
[720] Id.
[721] Sun Microsystems, Inc., "Smart Carts Promise to Take the Drudgery out of Shopping," July 4, 2005 <http://www.sun.com/br/1004_ezine/ret_cart.html>.
[722] Evan Schuman, "A Smarter Smart Cart?," eWeek.com, February 16, 2005 <http://www.eweek.com/article2/0,1759,1765474,00.asp>.
[723] Sandy Kendall, "RFID Tagging for Hospital Patients," CIO Magazine, March 1, 2005.

[724 ]Katharine Mieszkowski, "The Checkout Line -- or the Check-you-out Line?" Salon.com, July 26, 2004 <http://www.salon.com/tech/feature/2004/07/26/rfid_library/index_np.html>.
[725] Eric Ipsen, "Librarians Focus on RFID," RFID Journal, March 15, 2004 <http://www.rfidjournal.com/article/articleview/829/1/82/>.
[726] David Molnar & David Wagner, "Privacy and Security in Library RFID Issues, Practices, and Architectures," 2004, available at <http://www.cs.berkeley.edu/~dmolnar/library.pdf>.
[727] Florence Olsen, "Feds Find RFID Uses," Federal Computer Week, May 31, 2005, available at <http://www.fcw.com/article89026-05-31-05-Web>.
[728] Id.
[729] Id.
[730] Under the Western Hemisphere Travel Initiative proposal, individuals would use a long-range (more than 30 feet) RFID-enabled "PASS Card" to exit and enter the country. US Departments of State and Homeland Security, "Card Format Passport; Changes to Passport Fee Schedule Proposed Rule," 71 Federal Register 60928, October 17, 2006, available at <http://www.epic.org/privacy/surveillance/spotlight/0806/pass_fr.html>; see also, EPIC, Spotlight on Surveillance, "Homeland Security PASS Card: Leave Home Without It,” August 2006 <http://www.epic.org/privacy/surveillance/spotlight/0806/>.
[731] Michael Chertoff, Secretary, Department of Homeland Security, Testimony at a Hearing on the Fiscal Year 2008 Department of Homeland Security Budget Before the US House Committee On Homeland Security, February 9, 2007, available at <http://www.epic.org/privacy/us-visit/chertoff_020907.pdf>; See also, EPIC's US-VISIT Web page <http://www.epic.org/privacy/us-visit/>. See generally, EPIC's National ID Cards and REAL ID Act Web page <http://www.epic.org/privacy/id_cards/>.

[732] US Department of State, "Proposal to Issue Enhanced Passports that Use Radio-frequency Identification Technology," February 18, 2005, 70 Fed.Reg. 8305-8309. See also Testimony of Secretary of State Colin Powell before the House Judiciary Committee, "Passports and Visas with Embedded Biometrics and the October Deadline," April 21, 2004, available at <http://www.state.gov/secretary/former/powell/remarks/31639.htm>.
[733] Erin Biba, "Biometric Passports Set to Take Flight," PCWorld.com, March 21, 2005 <http://www.pcworld.com/news/article/0,aid,120112,00.asp>.
[734] See, e.g., Electronic Frontier Foundation, EPIC, PrivacyActivism et al., Comments on the State Department's Notice for Public Rulemaking on RFID Passports, April 4, 2005, available at <http://www.epic.org/privacy/rfid/rfid_passports-0405.pdf>.
[735] Ryan Singel, "Passport Chip Criticism Grows," Wired.com, March 31, 2005 <http://www.wired.com/news/privacy/0,1848,67066,00.html>.
[736] Chris Gonsalves, "An RFID Passport to Trouble," eWeek.com, May 9, 2005 <http://www.eweek.com/article2/0,1759,1812731,00.asp>.
[737] Those countries are: Andorra, Australia, Austria, Belgium, Brunei, Denmark, Finland, France, Germany, Iceland, Ireland, Italy, Japan, Liechtenstein, Luxembourg, Monaco, the Netherlands, New Zealand, Norway, Portugal, San Marino, Singapore, Slovenia, Spain, Sweden, Switzerland, and the United Kingdom. US Department of State, Press Release, "Majority of Visa Waiver Program Countries Meet Electronic Passport Deadline,” October 26, 2006, available at <http://www.state.gov/r/pa/prs/ps/2006/75184.htm>.
[738] US Department of State, Press Release, "Department of State Begins Issuing Electronic Passports to the Public," August 14, 2006, available at <http://www.state.gov/r/pa/prs/ps/2006/70433.htm>. Government officials have stressed that the passports will be protected from surreptitious cloning because the cover of the passport will block signals from reaching the RFID chip. However, the chip can still be read remotely and surreptitiously when the cover is opened, either by the passport holder or by anyone to whom the passport has been shown. The shielding on an RFID-equipped passport also eliminates an oft-touted benefit of RFID technology — that the chips can be read more quickly and without the need for human inspection. So now an official has to physically scan the e-passport through a contact reader in order open the RFID chip and then the RFID chip can wirelessly transmit. This is a process no faster than, and possibly longer than, the current one.
[739] Will Sturgeon, "Biometric Passport Cracked and Cloned," CNet News.com, August 4, 2006 <http://news.com.com/8301-10784_3-6102333-7.html>; “Expert: German E-Passports Not Secure," Deutsche Welle, August 7, 2007 <http://www.dw-world.de/dw/article/0,2144,2124298,00.html>; Steve Boggan, "Special Report on Identity Cards: Cracked It!,” Guardian, November 17, 2006 <http://www.guardian.co.uk/idcards/story/0,,1950226,00.html>; John Lettice, "Face And Fingerprints Swiped In Dutch Biometric Passport Crack," Register, January 30, 2006, <http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/>.
[740] In December 2006, the Department of Homeland Security Data Privacy and Integrity Advisory Committee adopted a report, "The Use of RFID for Identity Verification," which outlined security and privacy threats associated with RFID use in identification documents (such as "skimming" and "eavesdropping") and it urged against using RFID technology unless the technology is the "least intrusive means to achieving departmental objectives." Skimming occurs when information from an RFID chip is surreptitiously gathered by an unauthorized individual. Eavesdropping occurs when an individual intercepts data as it is read by an authorized RFID reader. Data Privacy and Integrity Advisory Committee, US Department of Homeland Security, "The Use of RFID for Identity Verification," December 6, 2006, available at <http://www.dhs.gov/xlibrary/assets/privacy/privacy_advcom_12-2006_rpt_RFID.pdf>.

[741 ]"Metro to Extend RFID Roll-out to Cases and Cartons," Food Production Daily.com, February 4, 2005 <http://www.foodproductiondaily.com/news/news-ng.asp?n=57851-metro-to-extend>; Andy McCue, "Tesco to Track Milk Deliveries by RFID," Silicon.com, June 1, 2006 <http://news.zdnet.com/2100-1035_22-6079022.html>.
[742] Andy McCue, " Marks & Spencer Extends RFID Tagging in Stores," CNET News.com, November 14, 2006 <http://news.com.com/2100-1008_3-6135347.html>.
[743] Miya Knights, "Marks & Spencer Extends RFID Trial," Computeractive.co.uk, February 23, 2005 <http://www.computeractive.co.uk/computing/news/2071527/marks-spencer-extends-rfid-trial>.
[744] Mike Clendenin, "South Korea Rolls out RFID for Cargo Port," EETimes.com, March 8, 2005 <http://www.eetimes.com/news/semi/showArticle.jhtml;jsessionid=30EACERIOSRPSQSNDBCCKH0CJUMEKJVN?articleID=60407369&_requestid=452269>.
[745] Laurie Sullivan, "China Works Out RFID Standards," InformationWeek.com, March 3, 2005 <http://www.informationweek.com/story/showArticle.jhtml?articleID=60405010&tid=5978>.

[746] John Schwartz, "Researchers See Privacy Pitfalls in No-Swipe Credit Cards," New York Times, October 22, 2006, available at <http://www.nytimes.com/2006/10/23/business/23card.html?ex=1185508800&en=3a367b50007f098d&ei=5070>; Thomas S. Heydt-Benjamin1, Daniel V. Bailey, et al, "Vulnerabilities in First-Generation RFID-enabled Credit Cards," October 22, 2006, available at <http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf>.

[747] Laurie Sullivan, "Legoland Uses Wireless And RFID For Child Security," InformationWeek.com, April 28, 2004 <http://www.informationweek.com/story/showArticle.jhtml?articleID=19202099>.
[748] See Alanco Technologies, Inc., "TSI Technology: Unique, Proprietary and Patented."
[749] Communications security technology chief at the agency, Anthony Cerino, stated that RFID boarding passes would let security personnel "know people's whereabouts." Bob Brewin, "TSA Eyes RFID Boarding Passes to Track Airline Passengers," Computerworld, April 1, 2004, <http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,91830,00.html>.

[750] Claire Swedborg, "TSA Funds Tracking System for Seaport," RFID Journal, April 20, 2005 <http://www.rfidjournal.com/article/articleview/1519/1/1/definitions_off>.

[751] David Millward, "Airports to Track Passengers With Radio ID Tags," Telegraph, April 11, 2007 <http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/04/10/nair10.xml>.

[752] Associated Press, "Body ID: Barcodes for Cadavers," February 5, 2005, available at <http://www.wired.com/news/medtech/0,1286,66519,00.html>.
[753] See EPIC's Children & RFID Systems Web page <http://www.epic.org/privacy/rfid/children.html>. See also Alorie Gilbert, "Elementary School Nixes Electronic IDs," CNet News.com, February 17, 2005 <http://news.com.com/Elementary+school+nixes+electronic+IDs/2100-1029_3-5581275.html>; Jane Wakefield, "Hi-tech Answers to Pupil Problems," BBC News, February 16, 2005, available at <http://news.bbc.co.uk/1/hi/technology/4268203.stm>.
[754] Alorie Gilbert, "Californial Bill Would Ban Tracking Chips in IDs," CNet News.com, April 28, 2005 <http://news.com.com/California+bill+would+ban+tracking+chips+in+IDs/2100-1039_3-5689358.html>.
[755] Mark Robert, Opinion, "A Compromise on the California RFID Bill," RFID Journal, July 4, 2005 <http://www.rfidjournal.com/article/articleview/1702/1/128/>.
[756] "Identity Information Protection Act of 2007:Safeguarding the Privacy, Safety, and Financial Security of Californians," SB 30, introduced December 4, 2006, <http://info.sen.ca.gov/cgi-bin/postquery?bill_number=sb_30&sess=CUR&house=B&site=sen>.
[757] "RFID in Japan: Report on School RFID Project Released," March 17, 2005 <http://ubiks.net/local/blog/jmt/archives3/003535.html>.

[758] "Japanese RFID Privacy Guideline Released," June 8, 2004, RFIDBuzz.com, available at <http://www.rfidbuzz.com/news/2004/japanese_rfid_privacy_guideline_released.html>; see also Nikkei BP, June 8, 2004, available at <http://nikkeibp.jp/wcs/leaf/CID/onair/jp/flash/312386> (in Japanese).

[759] See International Conference of Data Protection & Privacy Commissioners, "Resolution on Radio-frequency Identification," Final Version, November 20, 2003, available at <http://www.privacyconference2003.org/resolutions/res5.DOC>. Laura Rohde, "EU Offers Privacy Guidelines for RFID," Industry Standard, April 4, 2005 <http://www.thestandard.com/internetnews/000996.php>.
[760] Article 29 Data Protection Working Party, "Working Document on Data Protection Issues Related to RFID Technology," January 1, 2005, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf>.
[761] Article 29 Data Protection Working Party, "Results of the Public Consultation on Article 29 Working Document 105 on Data Protection Issues Related to RFID Technology," September 28, 2005, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp111_en.pdf>.
[762] Id. at 3.
[763] Id.

[764] Viviane Reding, Member of the European Commission Responsible for Information Society and Media, "RFID: Why we need a European Policy," October 16, 2006, available at <http://europa.eu.int/rapid/pressReleasesAction.do?reference=SPEECH/06/597&format=PDF&aged=0&language=EN>.

[765] Commission of the European Communities, "Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Radio Frequency Identification (RFID) in Europe: Steps Towards a Policy Framework," March 15, 2007, available at <http://ec.europa.eu/information_society/policy/rfid/doc/rfid_en.pdf>.

[766] ANEC/ & BEUC, "Consumers' Scenarios for a RFID Policy: Joint ANEC/BEUC Comments on the Communication on Radio Frequency Identification (RFID) in Europe: Steps Towards a Policy Framework," July 2007, available at <http://www.anec.org/attachments/ANEC-ICT-2007-G-059.pdf>.

[767] NIST urged retailers, federal agencies, and other organizations to evaluate the potential security and privacy risks of RFID technology and use best practices to reduce them. "As people possess more tagged items and networked RFID readers become ever more prevalent, organizations may have the ability to combine and correlate data across applications to infer personal identity and location and build personal profiles in ways that increase the privacy risk," NIST said. National Institute of Standards and Technology, "Guidelines for Securing Radio Frequency Identification (RFID) Systems," April 2007, available at <http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf>.

[768] See EPIC's VeriChip Web page <http://www.epic.org/privacy/rfid/verichip.html>; VeriChip FAQ, <http://www.verichipcorp.com/content/company/corporatefaq>.
[769] Chetna Purohit, "Technology Gets under Clubbers' Skin," CNN, June 9, 2004, available at <http://www.cnn.com/2004/WORLD/europe/06/09/spain.club/>.
[770] Todd Lewan, "Chips: High Tech Aids or Tracking Tools?," Associated Press, July 21, 2007, available at <http://www.businessweek.com/ap/financialnews/D8QHJ1A80.htm>.

[771] VeriChip Press Release, "VeriChip Corporation Launches National 'Get Chipped' Promotion," October 24, 2002, available at <http://www.prisonplanet.com/news_alert_102402_microchips.html>.
[772] Nic Fulton, "High-tech cloning," Reuters, July 22, 2006 <http://blogs.reuters.com/2006/07/22/high-tech-cloning/>; David Francis & Bill Myers, "Digital Dog Tag Already Cloned," Examiner, August 22, 2006 <http://www.examiner.com/printa-234701~Digital_dog_tag_already_cloned.html>; see Jonathan Westhues's Web site for instructions <http://cq.cx/verichip.pl>.

[773] Marc L. Songini, "N.D. Bans Forced RFID Chipping, ComputerWorld, April 12, 2007 <http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=15&articleId=9016385>; North Dakota, "SB 2415," signed April 4, 2007, available at <http://www.legis.nd.gov/assembly/60-2007/bill-text/HBPJ0300.pdf>; However, voluntary implantation is still permissible under the North Dakota law, and the bill does not address what is considered "voluntary."

[774] The report recommends that the medical community support investigation of the technology to be able to make informed medical decisions regarding the use of these devices. Council on Ethical & Judicial Affairs, American Medical Association, "Radio Frequency ID Devices in Humans," July 2007, available at <http://www.ama-assn.org/ama1/pub/upload/mm/467/ceja5a07.doc>; Beth Bacheldor, "AMA Issues Ethics Code for RFID Chip Implants," RFID Journal, July 17, 2007 <http://www.rfidjournal.com/article/articleview/3487/1/1/>.

[775] Alorie Gilbert, "Privacy Questions Arise as RFID Hits Stores," CNet News.com, September 30, 2004 <http://news.com.com/Privacy+questions+arise+as+RFID+hits+stores/2100-1012_3-5390446.html>.
[776] Andrew Donohue, "Privacy Activists Demand Tesco Boycott over RFID," ZDNet UK.com, January 26, 2005 <http://news.zdnet.co.uk/0,39020330,39185481,00.htm>.
[777] Id.

[778] CASPIAN, "American Express Patent Application #20050038718: 'Method and System for Facilitating a Shopping Experience'" (highlighting the more troubling aspects of the patent application) <http://www.spychips.com/press-releases/american-express-tracking-patent.html>; Full American Express patent file at the US Patent & Trademark Office, February 17, 2005, <http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220050038718%22.PGNR.&OS=DN/20050038718&RS=DN/20050038718>.
[779] CASPIAN, Press Release, "American Express Addresses RFID People Tracking Plans," March 9, 2007, <http://www.spychips.com/press-releases/american-express-conference.html>.
[780] Martin H. Bosworth, "Businesses Back Off RFID," ConsumerAffairs.Com, March 27, 2007 <http://www.consumeraffairs.com/news04/2007/03/rfid_backlash.html>.

[781] Trans-Atlantic Consumer Dialogue, "Resolution on Radio Frequency Identification (RFID)," May 5, 2005 <http://www.tacd.org/cgi-bin/db.cgi?page=view&config=admin/docs.cfg&id=274>.
[782] Federal Trade Commission, Workshop on Radio Frequency Identification: Applications and Implications for Consumers, June 21, 2004, available at <http://www.ftc.gov/bcp/workshops/rfid/>.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/journals/EPICPrivHR/2006/