Privacy advocates tune in to concerns about ID technology.
You unlock the Zipcar you rented by waving the key card near the windshield, use an EZ Pass to whiz through the highway tollbooth as you drive your friend home, and watch as she waves her purse containing a key card at the apartment building's front door, which opens after reading the information through the bag. You top off the tank before returning the car, flipping an ExxonMobil Speedpass in the general direction of the gas pump.
Each of those everyday actions uses radio-frequency waves to verify your identity and even access your bank account. Welcome to your lifetime.
Radio-frequencyidentification (RFID) technology is used in retail businesses to improve shipping and stocking, in libraries and schools to track books and supplies, and in the health care field to track drugs and equipment, boost efficiency and accuracy, and even monitor patient movement in hospitals. In June 2006, Consumer Reports estimated that $1.3 billion would be spent on RFID tags that year, and a business research firm found RFID technology revenue may exceed $7 billion by the end of this year.
An RFID "tag" contains a transponder with an integrated circuit and antenna that emit a short-range radio signal picked up by a transceiver (or reader), which reads the radio frequency conraining at least a chip's unique number and possibly other information. The number can then be used to access a database of detailed information about the tagged item.
There are two types of RFID: passive systems, in which the reader sends a signal to the transponder in the tag, which reflects back a signal; and active systems, in which the transponder actually broadcasts a signal.
RFID tags can be read from a distance. Passive systems usually have a range of inches to several yards; more powerful active tags with their own power supplies can broadcast information for several hundred feet.
Civil liberties activists warn that, for all its potential advantages, RFID technology raises serious issues of personal privacy and data security. At a December 2005 forum held by the National Conference of State Legislatures (NCSL), expert panelists expressed concern about linking RFID data to people and noted that the chips are invisible to the common consumer and can track a tagged item's location, which prior technology couldn't do. Potential misuses include "skimming," unauthorized reading of a signal, or "eavesdropping," when an unintended recipient intercepts the data flowing between the tag and the reader.
The American Civil Liberties Union (ACLU) warns that RFID technology could lead to identity theft and security breaches and give the government away to track people. It cautions that adequate privacy and security protections are needed before the technology goes forward.
Certainly, RFID now provides some access to identity--the RFID card a consumer uses at the gas station charges his or her account directly, and the card issuer can share the person's name and information with consumer reporting agencies, banks, insurance companies, and others unless the consumer reads the fine print of the contract and "opts out" of that provision.
RFID is already part of an identification standard--the U.S. passport. Those issued after October 2006 contain RFID chips that hold biometric information (biological traits that uniquely identify a person--currently a digital photo for facial recognition; perhaps fingerprints in the future) and the other information printed in the passport. The U.S. State Department says the documents are identify-theft protected, with "anti-skimming" film on both front and back covers (the chip is embedded in the back cover) and encryption of the stream of data that travels from chip to reader.
Currently, RFID is much more commonly used to track goods, not people. Farmers use RFID tags to monitor cattle, tire companies like Goodyear tag certain tires to track them, and shipping companies tag pallets and crates of goods so they can be accounted for without scanning bar codes or using other physical tracking methods.
IBM researchers envision RFID tracking the life cycle of a product--such as a pharmaceutical drug or grocery item-from raw materials to end use. In March 2007, IBM announced new software that will let companies consolidate and analyze RFID information, link it to other parts of the operation, and share the data.
But consumers are wary. After Gillette Co. announced in 2003 that it would test marking cases of its razors with RFID tags, consumers became alarmed that tagged packages could be traced to purchasers, which the company denied. Tagging individual items worried so many customers that Benetton backed off plans to put RFID tags in a clothing line after consumer protests.
A recent article in the Journal of the American Medical Association cited two basic uses for RFID technology in a health care setting: improving management of drugs and medical devices and providing complete access to medical in formation at the point of care. The authors noted that RFID could be used to track and identify patients; track equipment, assets, and drugs; match blood; provide data for the electronic health record; and authenticate medical products. (Binita S. Ashar &Ann Ferriter, Radiofrequency Identification Technology in Health Care, 298 JAMA 2305 (2007).)
In 2004, the FDA approved passive RFID chips for human implantation. This was hailed as a medical breakthrough, because implanted tags could provide access to medical information in situations where the patient is unresponsive. The American Medical Association said the devices could improve "the safety and efficiency of patient care," help identify patients, and give secure access to medical information.
The implant is a microchip and copper antenna encased in glass the size of a grain of rice that's usually inserted into the patient's upper arm. It transmits a unique 16-digit number, which is used to locate the medical record stored on a secure Web site. As of 2006, manufacturer VeriChip had sold about 2,500 chips for human implantation worldwide, but only about 100 had been implanted in the United States, most in the company's own employees.
VeriChip says the device is a passive one that doesn't track anyone, but privacy advocates wonder: Who will have access to personal health records? Health care professionals only? Clerical and administrative staff?. Police officers and public health officials? And hackers may be able to eavesdrop or skim information from the RFID implants.
One available protection is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which governs how private medical information is shared. "If a database contains RFID-gathered information for a person who's covered by HIPAA, then the information should be protected," said Joy Pritts, an assistant research professor at the Health Policy Institute at Georgetown University who studies privacy and patient records but has not yet examined the role of RFID.
For some trial lawyers, a promising medical use of RFID is tagging pharmaceuticals. In 2006, the FDA Counterfeit Drug Task Force called RFID "the most promising technology for implementing electronic track and trace in the drug supply chain." The FDA has not mandated that drugs be tagged, but it has asked the pharmaceutical industry to develop standards and pilot processes for RFID.
"We want a secure pharmaceutical supply chain; we have to have one," said attorney Eric Turkewitz of NewYork City, who has represented patients harmed by counterfeit drugs. He said the pharmaceutical industry has been talking about using RFID for years, but it's still years away from implementation.
"The problem is having a databank saying a particular drug has been given to a particular person," he said. "We want to track drugs from the manufacturer to the consumer to make sure all the loopholes [for counterfeit drugs] in the supply chain are closed; on the other hand, it becomes information in a databank that a consumer gets HIV medication, so there exists that potential privacy issue."
Civil rights groups like the ACLU, the Electronic Frontier Foundation, and the World Privacy Forum would like a voluntary moratorium on RFID technology in consumer goods until safety and privacy standards have been set.
Privacy advocates are also seeking federal legislation to require all RFID users to label items that use the technology.
"We absolutely must have labeling. It is crucial.... If someone desired to hide an RFID tag in a product, there is no way a consumer could visually protect themselves from that," said Katherine Albrecht, director of Consumers against Supermarket Privacy Invasion and Numbering.
In 2003, the grassroots group proposed the RFID Right to Know Act "to require that commodities containing radio-frequency identification tags bear labels stating that fact, to protect consumer privacy, and for other purposes." It would have amended several parts of the U.S. Code but did not pass.
Many privacy activists say the collection, use, and disclosure of RFID data will have to comply with existing privacy laws. For instance, the Electronic Communications Privacy Act, which already outlaws wiretapping without proper consent, could be amended to cover RFID technology.
At the state level, various bills have been introduced. At its forum, the NCSL reported that at least 12 states had introduced privacy legislation to control the use of RFID. But experts at the conference said the technology is still expanding too rapidly to expect legislation to provide standardization.
Some states have tried. In 2004, the California senate passed S.B. 834, perhaps the first attempt in the country to govern the use of RFID by requiring businesses that use it to tell customers and get express consent before tracking and collecting information. The assembly didn't pass the bill. Last year, the California senate passed a bill forbidding companies from requiring employees to have RFID chips implanted; it too failed in the assembly.
Another California bill, the Identity Information Protection Action of 2006, would have imposed new regulations on the use of RFID by government agencies. Gov. Arnold Schwarzenegger said the bill was "premature" and vetoed it. It was reintroduced last year, along with four other bills with RFID provisions.
RFID and discovery
RFID may crop up in civil cases when e-data needs to be discovered.
"Much of the information gathered from RFID is discoverable," said Nicole Ozer, technology and civil liberties director at the ACLU of Northern California. "For example, the EZ Pass records are discoverable for divorce and other cases. You do not know when RFID tags are being read, and if they proliferate, more and more data about [people's] activities and location will be collected and stored."
Craig Ball, a trial lawyer and computer forensics expert in Austin, Texas, agreed that RFID data is discoverable--"it's just digital information, like any other"--but refined the point. "When it's stored, reliable, and relevant, you can ask for it and are likely entitled to receive it in discovery, subject to the same considerations of undue burden and cost that serve as a governor on all forms of discovery," Ball said.
Relevance is the key factor, he cautioned. For example, he said, if a vet uses RFID to track a pet's medical records and hurts the pet after using the wrong records, then that data is probably discoverable, just as RFID data a hospital relies on to administer drugs would be discoverable when a medication error harms a patient.
"When it's evidence, it's discoverable, unless the burden and cost outweigh the relevance and materiality," Ball said.
Regarding concerns about the use of RFID to track what shoppers buy at the supermarket, Ball noted that millions of consumers have freely given up personal information by signing up for store loyalty cards. But, he conceded, "limiting the use of RFID is fine, if that's what the public wants. My only point is that, if the information is collected, stored, and relevant, it's discoverable."