MULTIPLE SCENARIOS FOR PRIVATE-SECTOR USE OF RFID

Transcription

1 garfinkel.book Page 275 Thursday, June 2, :56 PM Chapter 17 MULTIPLE SCENARIOS FOR PRIVATE-SECTOR USE OF RFID Ari Schwartz 1 Paula Bruening 2 Introduction T he private sector s rollout of RFID at the item level predictably raises concerns about consumers ability to protect the privacy of their personal information. This use of RFID represents the introduction of a new method of data collection in an environment already rich with opportunities for business and government to create powerful dossiers on individuals purchases, preferences, and movement throughout the world. To the extent that RFID technologies collect information that is not specific or linked to individuals and individual identity, they tend not to sound an alarm about privacy. But as the power of the technology increases so that information collected through RFID can be associated with a specific individual, perceptions of RFID as an invasive technology raise serious concerns. In public policy discussions about the threats to privacy raised by emerging technologies, experts often make the point that technologies do not invade privacy; people use technology to engage in privacy-invading activities. But while the assertion that technologies are policy neutral has become dictum, privacy neutrality is assured only if measures are taken in law, through technology, 1. Ari Schwartz is the associate director of the Center for Democracy and Technology (CDT). 2. Paula Bruening is the staff counsel for CDT. 275

2 garfinkel.book Page 276 Thursday, June 2, :56 PM 276 CHAPTER 17 MULTIPLE SCENARIOS FOR PRIVATE-SECTOR USE OF RFID and in industry self-governance to enable consumers to exercise control over the collection of their personal information. Whether new technologies invade privacy or remain privacy neutral depends on whether privacy issues raised by the technology are examined and addressed early. Ensuring that new technologies are developed and deployed in a manner that makes it possible for consumers to exercise control over if and how much their personal information is collected and used requires a three-pronged approach. First, the design of the technology must incorporate privacy-enhancing technologies such as those that limit the collection of data, anonymize data, or offer users control over the collection of their personal information. Empowering users to consent to or deny the collection of information by a technology, or to disable a technology entirely when appropriate, gives them a critical tool for managing the collection and use of their personal information. Second, the collection, use, and retention of information with the technology must be guided by traditional principles of fair information practices incorporated in legislation. Such baseline legislation would establish consistent expectations for both consumers and businesses about their rights and responsibilities related to the data collected and would impose the force of law. Third, companies using the new technology to collect information must engage in self-regulation: self imposed, industry-wide policies that foster responsible data collection, sharing, and use. When it is enforced, self-regulation can build on the basic requirements set out in law, allowing industry to tailor its approach to privacy in a way that serves both business and consumers and allows industry to respond promptly to emerging technologies, evolving business models, and unanticipated privacy problems. The appropriate balance of these three elements technology, government action, and self-regulation depends on several factors. These include the nature of the information collection technology, the way it is used, the kind of information it collects, and the public s perception of the technology and its concern about possible privacy invasion. RFID raises unique concerns, in part because it is invisible to consumers; unless consumers are notified, they may be oblivious to its use. These concerns are heightened because of the passive way that information is collected from the RFID chips. Consumers do not engage in any active way to relinquish information or engage in data collection. And the readers are potentially ubiquitous. Current RFID readers have only short-range capabilities, but developers promise that more powerful readers will densely populate public and private spaces.

3 garfinkel.book Page 277 Thursday, June 2, :56 PM SCENARIO 1: NO ONE WINS 277 These considerations, specific to RFID technology and data collection, must guide decision making about how technology solutions, law, and self-regulation are implemented. Failure to properly account for these considerations can result in negative consequences for businesses, consumers, and the development of new technology. Public backlash against surreptitious use of technologies could slow implementation and impede its innovation for beneficial uses. As a result, neither the public nor industry would realize RFID s benefits, and government, spurred by public demand, could step in to enact legislation that would be ineffective at curbing abuses while stifling or skewing technology development. This chapter describes a series of scenarios that illustrate the best and worst results from the implementation and use of RFID for information collection. They are written from the vantage point of 2015, which is the not-too-distant future. The scenarios speculate about the decisions that might be made in the development of technology, the level of attention paid to consumer concerns and public policy about RFID, industry and government decisions on where and how to use the technology, and the possible consequences of these decisions for privacy. These scenarios are intended not to be predictive but rather to serve as the starting point for thought-provoking discussion about how best to address the privacy concerns raised by this technology. Scenario 1: No One Wins In mid-2004, industry and government increased their use of item-level RFID tagging with little thought to consumers perception about the possible invasiveness of the technology. At that time, the chips were used only in manufacturing processes and distribution chains to enhance inventory control and tracking of deliveries. However, plans were in place to implement tags more widely and to deploy more powerful tags that could transmit more sensitive information. Developers of RFID systems and organizations using the tags took no steps to consider the privacy implications of the technology and paid little attention to issues surrounding responsible tag use and the management of the information the tags collect. To fill the vacuum created by this lack of policy, by 2006, California passed a law that limited the use of RFID chips, such that the chips contained in merchandise purchased by consumers must be deactivated. Massachusetts also passed a law requiring opt-in consent by consumers for use of RFID in any way. The effect of these laws was to make it nearly impossible for companies to use RFID for even the most innocuous purposes. Companies doing business in

4 garfinkel.book Page 278 Thursday, June 2, :56 PM 278 CHAPTER 17 MULTIPLE SCENARIOS FOR PRIVATE-SECTOR USE OF RFID California had used RFID technology for inventory control, but their inability to be sure that the tags were deactivated at the customer checkout raised concerns about liability and led them to end their use entirely. Massachusetts companies found themselves unable to manage the opt-in requirement and also stopped using the tags. Unwilling to assume the costs and liability of RFID tags, companies sought other measures to monitor inventory. Initially, companies simply increased store and stockroom video surveillance to reduce theft. By 2010, facial recognition cameras had become increasingly common in stores, both on the public storeroom floor and in stockrooms. Capitalizing on the capabilities of this technology, companies soon began matching consumer purchasers with facial ID, all without customer knowledge or consent. Although the purpose of this practice initially was to reduce the incidence of shoplifting, companies eventually used it for behavior-based marketing research. Data-mining companies began buying the proprietary databases created as a result of this practice. In 2015, two companies announced that they had collected images of over 150 million Americans and tied this information to their purchasing habits. The result: unprecedented consumer concern about privacy. Scenario 2: Shangri-La While developing plans for broad implementation of RFID in retail stores, companies recognized that, as with other information collection technologies, RFID might raise consumers concerns about privacy. Moreover, companies learned from the experience they gained from implementing other information collection technologies that it is best to address privacy concerns early. To encourage consumers acceptance of the technology and to protect the trust relationship, companies decided to directly address consumers concerns about collection and storage of information through RFID technology and an associated network of databases. Working with consumer and privacy advocates, technologists, industry coalitions, and academic experts, RFID implementers developed an effective selfregulatory regime to govern information collection through RFID. Under the self-regulatory program, consumers are given clear, effective notice that RFID technology is in use, and in most instances, they have the opportunity to make decisions about the collection of information via the tag and the persistent use of the tag after the product leaves the store. Collectors and custodians of information using RFID employ strong, reliable security measures for their databases, and consumers are provided the opportunity to access information

5 garfinkel.book Page 279 Thursday, June 2, :56 PM SCENARIO 3: THE WILD WEST 279 mentioned about them. Robust enforcement, through independent oversight organizations and consumer recourse mechanisms, promote the credibility of self-regulatory measures To further enhance the effectiveness of these efforts, the business community, working with consumer advocates, initiated a far-reaching public education campaign about how RFID technology is used and how consumers can exercise their privacy rights with regard to information collected through the technology. To promote broad adoption of self-regulation, industry leaders and trade associations worked closely with companies to highlight its benefits, both to businesses and to the companies developing RFID technology. Tag manufacturers required companies using the tags to sign agreements saying they would follow the rules. Companies outside the self-regulatory structure soon found doing business much more difficult and eventually complied with the standards. While readers are available for purchase, companies consider the information about individual items proprietary and guard it closely, making it extremely difficult for sensitive information to fall into the wrong hands. Scenario 3: The Wild West In 2008, businesses and government began deploying item-level RFID tags on a broad scale. Unmoved by expressions of concern about this technology s impact on privacy, they made no effort to address the issue through technology, self-regulation, or law. Immediately after the first RFID tags were deployed in retail establishments, researchers concerned about consumer privacy and misuse of the tags and the information collected from them published papers on how to clone and destroy the tags. Privacy vigilantes, angered by the lack of protection for information collected through RFID, began to wander through stores killing existing tags and placing cloned tags in the pockets of clothing to render the RFID technology useless. Tags used by government were treated similarly. The efforts to use RFID for baggage handling and customs control were frustrated, and government agencies were forced to return to twentieth-century, pre-9/11 approaches to securing travelers and borders. Citizens and government became fearful of the ability of bad actors to thwart the tags. In place of RFID, government and law enforcement adopted more onerous and invasive search and questioning procedures for travelers.

6 garfinkel.book Page 280 Thursday, June 2, :56 PM 280 CHAPTER 17 MULTIPLE SCENARIOS FOR PRIVATE-SECTOR USE OF RFID By 2010, retailers and government began to use new, slightly more expensive tags that were harder to clone or destroy. However, two years later, information on a low-cost means to jam the new RFID readers was widely distributed. Implementers found that the large investment in the second-generation technology was completely wasted. As a third generation is developed, companies question the wisdom of investing in a continued Spy vs. Spy situation, particularly because anti-rfid activists are more organized than ever. Scenario 4: Trust but Verify In 2006, Congress passed legislation establishing baseline privacy protection for information collected about consumers. The law applied to no particular technology but rather codified in law long-established principles of fair information practices: notice, choice, security, access, and recourse to guide companies collection and management of consumer information. To comply with this general law governing information collection, companies using RFID were required to: Provide consumers with notice that RFID technology is being used and disclose the kind of information being collected by the technology Obtain the consent of the customer to share any personal information they collect using RFID for any purpose other than completing a transaction and inventory control Provide appropriate security for the information collected Provide individuals with the ability to access the information retailers maintain about them and correct inaccurate information similar to what is currently being done with credit reports The requirements of the law provided technologists and companies implementing RFID with some baseline expectations about privacy as well as the responsibilities attendant to the collection and use of information in general. Armed with this knowledge, companies using RFID were able from the outset to put in place the technological and information management controls to enhance privacy. Over and above these baseline requirements, the business community, prompted by consumer advocates, recognized that RFID raised some technology-specific questions about information collection. For example, how might a company most effectively offer notice to a consumer? The flexible environment of the Web to provide notice already tests companies ability to effectively and clearly communicate complex technical and legal

7 garfinkel.book Page 281 Thursday, June 2, :56 PM CONCLUSIONS 281 concepts with consumers. However, Web-based notice about the use of an invisible technology that collects information with no active consumer engagement presents even greater challenges. Similarly, how would companies make it possible for consumers to exercise choice about the collection and sharing of information gained with RFID technology? How could they ensure that their choice would be honored? To respond to such concerns, the business community developed privacyrespectful best practices for the use of RFID technologies. Building on the basic requirements in law, business was free to develop creative solutions to RFID-specific privacy challenges. In 2010, state attorneys general began to file lawsuits against companies found not in compliance with the requirements of the baseline privacy law. Meanwhile, business continued to develop and refine best practices in response to the developing technology and relied on self-regulatory regimes to address RFID-specific concerns. Conclusions RFID is a technology at the political crossroads. Examining scenarios for implementation of the technology and public policy is helpful to the extent that it urges policymakers in government and in industry to consider the potential harm and benefits that might result from a policy about privacy and RFID. It may also prompt them to explore the logical progression of events following the adoption of a policy and the expected and unexpected consequences that might result. Reliance on any one approach to addressing the privacy questions raised by this technology including taking no action at all is risky. The outcome could distort or impede the development of a technology that may offer significant benefits for consumers or that so severely compromises trust in the technology that public acceptance becomes impossible. The answer lies in a mix of approaches that provides a foundation of assurances for consumers in law and the flexibility of industry solutions that can respond quickly to rapidly changing technology and applications.

8 garfinkel.book Page 282 Thursday, June 2, :56 PM