The Regulation Approach

Privacy and confidentiality issues have existed since the earliest days of modern computers. The Census Bureau used Hollerath machines, the first electronic calculators in the 1880 census. Census marshals in that same census signed oaths agreeing not to divulge information they collected about census subjects.

At one time, US Congress operated an organization that engaged in technology assessment. It established the nonpartisan Office of Technology Assessment (OTA) in 1972 to provide Congressional committees with objective analysis of public policy issues related to scientific and technological change. This agency survived for two decades.

The OTA was dissolved in September 1995, tragically just at a time of dramatic advances in many technologies – the Internet, genetics, biometrics, wireless communications, technologies of surveillance and the beginnings of pervasive computing, sometimes referred to as ubiquitous computing.

To fill up the vacuum created by the absence of OTA and in an effort to balance commerce with consumer privacy needs, the Federal Trade Commission (FTC) has relied on fair information principles to guide privacy regulation and industry practice in the United States (FTC 1999b). These principles, mostly based on self regulatory mechanism, include notice/awareness, choice/consent, access/participation, security/integrity and redress/enforcement.

Self regulation

There are two approaches for regulation viz. self regulation by the industry and the other done by law enforcing agencies. Self-regulation differs from a pure market approach in which consumer preferences drive company behavior. Under a pure market approach, it is assumed that consumers prefer to do business with firms that have implemented strong privacy protections and avoid firms that have breached privacy. In contrast, self-regulation is based on the three traditional components of government - legislation, enforcement, and adjudication - and these functions are carried out by the private sector rather than the government. Legislation refers to the question of defining the appropriate rules, enforcement to the initiation of an enforcement action when the rules are broken, and adjudication to whether or not a company has violated the privacy rules.

Despite industry self-regulation efforts, according to privacy advocates, many database owners are not following fair information practices. In addition to the lack of fair information practices followed by database owners, other privacy issues exist. In particular, the Internet has made it possible for organizations to disseminate information without the immediate knowledge of consumers. The major concern is that this data collected with help of RFID will be accessed at a later date and used for purposes other than that for which it was intended. It is argued further that even firms that make a commitment to privacy may at times compromise privacy standards if it is competitively necessary.

Following the self regulatory framework, Simson Grafinkel, of MIT Auto-Id proposes "The RFID Bill of Rights," a set of principles that consists of five articles as a voluntary framework for commercial deployment of RFID tags.

The articles are:

1. The right of the consumer to know what items possess RFID tags.
2. The right to have tags removed or deactivated upon purchase of these items.
3. The right of the consumer to access the data associated with an RFID tag.
4. The right to access services without mandatory use of RFID tags.
5. The right to know when, where, and why the data in RFID tags is accessed.

The spirit of the above articles is also similarly conveyed in a proposal submitted by CASPIAN, "The RFID Right to Know Act of 2003." The proposal requires mandatory labeling to inform consumers when an item contains an RFID tag. It would also prohibit companies from linking the chips with personally identifying information.

These five rights themselves would not be able, on a standalone basis, to completely assuage fears of consumers and privacy activists. But nevertheless these regulations would go a long way in coming years to bring acceptability among consumers, much like the introduction of barcodes twenty years ago. Manufacturers, suppliers and retailers need to rollout comprehensive frameworks covering all aspects such as policies and procedures that ensure complete privacy concerns and make these policies public in order to bring wider acceptability among consumers.

Ethics and RFID

The foundation of ethics lies in the adage "Power and responsibility should be in equilibrium." Whichever partner in a relationship has more power also has the responsibility to ensure an environment of trust and confidence. Accordingly, if RFID proponents or an organization using RFID choose a strategy of greater power and less responsibility, it might benefit them in the short run; however, that organization will lose power in the long run (e.g., increased government regulation). In contrast, a company in balance with its customers should benefit both in the short run and the long run.

To maintain such balance, facilitate trust and advancement of information technologies in society, organizations such as the Computer Ethics Institute laid down "The Ten Commandments of Computer Ethics." The RFID ethics can be laid down along the same lines.

The policy for RFID privacy, mapped on the example of “The Ten Commandments of Computer Ethics”:

1. Thou shalt not use a computer (RFID) to harm other people.
2. Thou shalt not interfere with other people’s computer (RFID) work.
3. Thou shalt not snoop around in other people’s computer (RFID) files.
4. Thou shalt not use a computer (RFID) to steal.
5. Thou shalt not use a computer (RFID) to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer (RFID) resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer (RFID) in ways that insure consideration and respect for your fellow humans.

While following the above mentioned ethics, the policy makers on RFID privacy have to deal with two conflicting realities. On one hand, the general perception of privacy is broader in many respects than the scope of clearly defined legal rights. On the other hand, the privacy law/ethics structure ranges from clearly defined to wildly obscure because it flows from multiple sources - constitutional law, tort law, statutes and changing public perceptions.

When faced with a privacy issue, policy makers have to first determine if existing laws address the issue. One must examine privacy policy to avoid permitting a RFID supporter to pursue a strategy that will raise the specter of legislation or litigation.

However, it is not wise to conclude that every issue that seems to involve privacy in fact creates a privacy problem. Often, if one defines the harm caused by a supposed invasion of privacy, one can tailor an RFID implementation strategy to avoid that harm. Thus, we see that RFID privacy issues often beg for self-regulatory and technological solutions.

The 10 Commandments adapted for RFID

The Commandments are readily applicable to the topic of privacy in RFID. Some general examples and illustrations are listed below.

1. Respect confidentiality (1, 2 and 8)
   If the data repository owners or data vendors desire to forward or otherwise share with other agencies (both Government and non-Government) they must make sure it is permissible. If that is somehow impossible, they must strip off all personal and identifying information with the product item purchased by the consumer.
2. Don’t ‘flame’ (Commandments 1, 10)
   The data collected must not be edited and should be in original format and spirit, otherwise it may cause great harm to the customer about whom data is collected. The data delivered electronically is easier to transfer, replicate and modify than any other type of media with potential for long lasting effects.
3. Don’t be anonymous (Commandments 1, 5, 10)
   Data collectors and repository holders must use the services with proper authentication, unless they are whistle blowing and fear recrimination for telling the truth. They must tell when, where, how and for what purpose the data was collected while disseminating the data to third party.
4. Don’t allow third party to access other's data (Commandment 3)
   Gaining access to another’s data is not justifiable unless expressly acting as their agent. Looking at someone’s data and information without valid and authentic reasons would be made unlawful.
5. Don’t misrepresent or lie (Commandment 5)
   Given the issue of the lack of privacy with the data collected by using RFID, the potential exists for a misrepresentation or falsehood to revisit the sender.
6. Follow government’s general guidelines (Commandment 7)
   The repository owners/managers must check to see if the service provider or the data solicitor has a RFID privacy policy. If in place, repository holders must know what is delineated in that policy. If not, they must follow the guidelines framed by law. Anything transmitted may be publicly aired if a privacy policy is not in effect.
7. Consider presentation of message (Commandment 10)
   The repository owners must evaluate the content of data to be disseminated. They must be aware of cultural differences or other issues that may affect the recipient adversely.

If a repository owner does not have an RFID privacy policy, it should, as well as establish privacy solutions that deal with all issues and assuage consumers' privacy concerns.