RFID and Public Policy

Elliot MaxwellFellow, Communications Program, Johns Hopkins

University and Distinguished Research Fellow, Pennsylvania State University

Why Care About Public Policy? RFID is being developed in an

environment where privacy & health issues are critical

WidespreadAdoption

Public Acceptance

benefits

issues

+ = wake up call

widespread adoption

Why Care About Public Policy?

regulation/legislationpublic unease

inconsistent regulation/legislation:

deployment

costs

$$$-California

-Utah

-Massachusetts

-Portugal

Why Care About Public Policy?

Policy issues unavoidable privacy community already engaged forums for debate multiplying New uses—contactless cards, mobile phones Poor implementations- Cal.school, passports

Reputational costs of policy failures are huge Doing nothing is not a viable option

Existing Laws and RegulationsWill Affect Implementation

Health rules re: exposure to radio waves

Existing Lawsand Regulations

EU Privacy Directive U.S. Federal Trade Commission Act

Japanese Law for the

Protection of Personal

Information

U.S. state consumer

protection laws

Labor laws and

employee contracts

Regulations

re: radio frequency spectrum

Implementation

What We’ve Learned So Far

Little privacy concern until RFID reaches the consumer

“Welcome, Elliot.”

What We’ve Learned So Far Consumers perceive threat

Information gathered about themselves without their consent and linked to personally identifiable data

Post-sale targeting and tracking using RFID Growth of surveillance infrastructure Government access to data

Companies want to protect competitive information Employees fear job loss Health impacts unknown

What We’ve Learned So Far

Many issues aren’t new - there are good policy precedents Customer loyalty cards Fair Information Practices

Deactivation options critical But could jeopardize post-sale benefits

Clear notices and straight forward consumer education are needed

Customer Loyalty Card

What We’ve Learned So Far Post-sale issues are new

technological fixes are being studied Post-sale consumer and societal benefits

are not well understood returns, warranties, recycling, support

for disabled, identifying counterfeit pharmaceuticals, ensuring food safety, minimizing medical errors, monitoring the elderly

Will take time/effort to build infrastructure for these uses

Technical Privacy and Security Measures Can Play an Important Role

Issues

Tradeoffs in functionality/size/cost

Who bears the burden? Impact on post-sale benefits

Solutions

Kill command Partial kill/on-off switch Randomization and

deserialization Encryption Authentication Blocker chips/scanners Database access controls Aggregate data/anonymous

data mining

Recommendations Be proactive, not reactive Privacy and security by design

Use Fair Information Practice as a road map Clear and understandable notices Choice for consumers re. information collected and retained

Provide choices for consumers regarding disabling/turning on-off Support the development of technical solutions for post-sale issues

Recommendations Consumer education and involvement Industry codes including mechanisms for responding to concerns

and enforcement Continue policy outreach/development (health, spectrum, etc.) Help stimulate infrastructure for societal benefits Maintain open standards to allow continued innovation

For further information contact:

Elliot Maxwell

emaxwell@emaxwell.net