RFID technology could become a major privacy threat, warns Privacy Commissioner Marie Shroff.
In a keynote address to last week’s Privacy Awareness Week opening forum, she said although RFID might not present a clear and immediate threat to personal privacy, the potential range of applications left room for concern, as well as doubt about future uses.
The devices were promiscuous in that they could talk to any compatible reader, as well as being stealthy and remotely readable.
“A study completed recently for the European Parliament noted that while RFID was originally used for logistical purposes, such as identifying cargo, it has now entered the public space on a massive scale: public transport cards; the biometric passport; micro-payment systems; office ID tokens; customer loyalty cards and other applications,” says Shroff.
“The study’s authors noted that once different RFID systems become connected to each other, or other technologies such as GSM, GPS, CCTV and the internet, a much richer image of its users will appear.
“It will be much more intrusive. The future [of RFID] is going to be much more serious in my view.”
Otago University’s Associate Professor of Information Science, Hank Wolfe, is even more blunt about the issue.
He says it is likely RFID will become ubiquitous in the very near future.
“When purchasing items, each will have the capability of being queried, and responding with its unique identification number. It is possible to query passive RFIDs from a distance of at least 40cm. In other words, someone can know the identity of every item a person has with them that is tagged, without the target person knowing this information has been gathered.
“If that information were to be matched against a loyalty programme’s database, it would be possible to identify the person, when they bought the item, where they bought it, how they paid [for it] and the price they paid.
“If these devices find their way into individual notes of currency [this has been proposed in Europe] a mugger would be able to scan you to see how much money you have with you.”
Wolfe says passports that have incorporated RFID have been read from a distance and cloned, opening the way for identity theft.
“Privacy law should dictate that all RFIDs should be destroyed at point of sale,” he says. “After that, there is no valid reason for them ever to be used again. They have no purpose after sale other than surveillance.”
He says an RFID chip can be turned into a listening device simply by changing its modulation.
On the issue of secondary usage of information about individuals, he called for the Privacy Act to have some teeth, with appropriate penalties for misuse, rather than acting only as a directive.
Shroff focused calls on what she entitled “privacy pollution”.
“It’s an idea I see having some similarity to air pollution: where small blots of contamination build to form blankets of smog. In themselves, they are relatively minor, but in combination the effect can be overpowering,” she says.
“We are unwittingly captured each day, on CCTV in the supermarket, at the petrol station, in the video shop, on the street and at the bank. We leave traces of ourselves everywhere we go.”
She says the overall effect of these tiny but insidious measures combined to shape behaviour. “Together, they contribute to a climate where private space, thoughts and choices are encroached upon and subtly eroded. Technology is making many low-level surveillance activities or intrusions possible.”
Shroff proposes that business and government think of practical ways to work toward building some privacy credit.
“Privacy-enhancing technologies are now widely available. To pursue the environmental lingo, these sorts of measures all go toward building our ‘privacy credits’ and thereby help to counteract low-level but pervasive privacy invasions,” she says.
“Building privacy credits will, I believe, foster customer trust and loyalty. In the short, what businesses might treat as a compliance cost is likely to generate benefits, both in terms of customer goodwill and profit. Sound security and data protection does attract business.”