Privacy-friendly RFID?

In a recent speech to the European Commission, Humberto Moran, chief executive of UK not-for-profit organisation Open Source Innovation, argued it is possible to create RFID systems that don't violate privacy

Good morning. In my intentionally provocative speech, I will introduce you to the necessary policies to foster privacy-friendly RFID. Yes, it is possible!

First of all, we all have to recognise that privacy issues are not unique to RFID: the Internet, mobile phones and other technologies currently pose tremendous privacy threats. This is because technology is becoming ubiquitous, smaller, more affordable, interconnected, and more powerful. In particular, it is acquiring automatic identification capabilities.

Experience from other technologies shows the inability of self-regulation and free markets to create privacy-friendly approaches, hence the need for government regulation. This has been reported in many books such as Spychips by Katherine Albrecht and Liz McIntyre; The Database Nation by Simson Garfinkel; and Who’s Watching You by John Gibb.

We believe that the e-privacy directive is inadequate and requires the inclusion of new definitions and a redefinition of consent. For instance, the definition of personal data should be extended to cover ID proxies such as clothing, and should be adapted for automatic identification. It is also difficult to enforce because data leaks are hard to trace. For instance, if I give my email address to several companies and get spammed, who should I blame? It is clear that the principles behind the European e-privacy directive (limitation, data quality, conservation) need furthering.

In the case of automatic identification, most privacy threats from RFID result from the automated link of personal and object data. This escapes the current privacy directive. In this case the privacy violation takes place at software level, where this relationship is established. Whilst individual devices provide harmless pieces of data, the real source of privacy issues is the software relating these in a “bigger picture”. Tags and readers are innocuous: it is the intelligence behind them that really matters.

In this case, the concept of consent also loses ground because consent for individual transactions does not necessarily imply consent for the whole picture. For example, you can give consent to pay with your credit card, and to scan a pair of electronically tagged shoes; but not to link both transactions together. Moreover, you cannot give consent to automatic identification because it happens with no warning, and silently.

In this sense, we have been working on the design, research and development of privacy-friendly software, where this relationship is not established in the first place and linking trails such as timestamps and transaction IDs are either blurred or removed. This software only registers the very essential. That is, the principles of data quality, limitation and conservation are incorporated into the logic. We have explored this concept and have proved that it is possible to run most RFID applications under this approach. For instance: why does the shop have to keep a record of the EPC of your clothing? Which applications does this enable?
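The contrast described above, sketched in Python as an added example (this is not code from Open Source Innovation or from the speech): raw reader events carry the full serialised EPC, a precise timestamp, the POS transaction ID and a payment token, which is exactly what lets a person be linked to an object. The privacy-friendly variant registers only what stock management needs. The event field names, the sample events and the one-hour time bucket are constructed for the illustration; the EPC URI formats are the GS1 pure-identity and class-pattern forms for SGTIN.

```python
"""Added example: data minimisation in the RFID middleware layer."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample reader events (not real data); field names are assumed.
RAW_EVENTS = [
    {"epc": "urn:epc:id:sgtin:0614141.812345.6789", "reader": "pos-3",
     "ts": "2006-11-20T10:17:42", "txn": "T1001", "card": "tok-a1"},
    {"epc": "urn:epc:id:sgtin:0614141.812345.6790", "reader": "pos-3",
     "ts": "2006-11-20T10:41:05", "txn": "T1002", "card": "tok-b2"},
    {"epc": "urn:epc:id:sgtin:0614141.700001.0001", "reader": "pos-3",
     "ts": "2006-11-20T10:41:07", "txn": "T1002", "card": "tok-b2"},
]

# Linking trails: a unique serial, a precise time, a transaction ID, or a
# payment identity each let a later system join the scan back to a person.
LINKING_FIELDS = ("epc", "ts", "txn", "card")


def link_profiles(events):
    """The problematic pattern: relate every scan to the payment it belongs to,
    producing a per-card list of uniquely serialised items."""
    profiles = defaultdict(list)
    for ev in events:
        profiles[ev["card"]].append(ev["epc"])
    return dict(profiles)


def epc_class(epc):
    """Strip the serial from an SGTIN pure-identity URI, leaving the GS1
    class-level pattern (company prefix + item reference, serial wildcarded)."""
    _prefix, ident = epc.rsplit(":", 1)      # ident = "0614141.812345.6789"
    company, item, _serial = ident.split(".")
    return f"urn:epc:idpat:sgtin:{company}.{item}.*"


def minimise(event, bucket_hours=1):
    """Register only the essential: product class, reader location and a
    timestamp blurred to a coarse bucket. No serial, transaction ID or card."""
    t = datetime.fromisoformat(event["ts"])
    bucket = t.replace(hour=(t.hour // bucket_hours) * bucket_hours,
                       minute=0, second=0, microsecond=0)
    return {"epc_class": epc_class(event["epc"]),
            "reader": event["reader"],
            "hour": bucket.isoformat()}


def minimise_all(events):
    return [minimise(e) for e in events]


def sales_by_class(records):
    """What the shop actually needs from the data: units sold per product class."""
    return Counter(r["epc_class"] for r in records)


def is_linkable(records):
    """Compliance check: does any stored record still carry a linking trail?"""
    return any(f in r for r in records for f in LINKING_FIELDS)


if __name__ == "__main__":
    print("raw events linkable:", is_linkable(RAW_EVENTS))
    stored = minimise_all(RAW_EVENTS)
    print("minimised records linkable:", is_linkable(stored))
    print("sales per class:", dict(sales_by_class(stored)))
```

The `is_linkable` check is the kind of test a certification programme could run against what an adopter's software actually persists: the stock figures survive minimisation unchanged, while the join that `link_profiles` performs on the raw events has nothing left to key on.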

Then there is the issue of enforceability. Even if the software is privacy-friendly, how do we know that RFID adopters are complying with the principles?

For this, we suggest a very interesting principle promulgated by David Brin in the book The Transparent Society: reciprocal transparency. This principle holds that any advancement in transparency resulting from technology should be reciprocated at other levels to guarantee accountability. The bottom line is that secret surveillance is a strong source of power, highlighting the need to “watch the watchers”.

The application of the principle of reciprocal transparency suggests that software dealing with personal or sensitive data or ID proxies should be transparent -- that is, open source. This would enable accountability and the creation of certification programmes to detect tampering. This would also enable the creation of privacy-friendly spaces, where identification of the subject does not lead to privacy violations, and where consent is given by presence. We regard consent by presence as essential because it will not discriminate against people unaware of technology -- the elderly, children, etc. -- as other privacy-enhancing technologies (PETs) such as encryption and tag removal do. In the future we will have privacy-friendly supermarkets, airports, hospitals, shopping malls, transport systems, etc. In these, security and freedom can coexist and no trade-off is necessary.

In a nutshell, the creation of privacy-friendly spaces requires open source software, certification programmes, and consumer awareness. Ideally, these should be complemented by privacy-friendly tags to prevent on-street (external) privacy issues, and should be enforced by regulation or market forces -- e.g. by creating privacy-friendly trademarks similar to organic or “fair trade” products. The latter seems better because it provides citizens with the right to choose.

The necessary policies to foster the creation of privacy-friendly RFID and privacy-friendly spaces are:

1.- Include the principle of Reciprocal Transparency.
2.- Extend the concepts of personal data to include proxies and consumer behaviour. Include also the concepts of RFID technology, object data, talkative/discreet tags, and sensitive objects.
3.- Rule on data ownership.
4.- Enforce the usage of privacy-friendly open source software when ID proxies, personal or sensitive data are involved; and promote its creation if necessary.
5.- Promote consumer awareness and the creation of certification programmes.

Humberto Moran is chief executive of UK not-for-profit organisation Open Source Innovation.