Chips, tags and scanners: Ethical challenges for radio ... - Springer Link

Download PDF
5 downloads 23546 Views 190KB Size Report
Comment
E-mail: [email protected]. Abstract. ... The tag sends a unique reply signal back to the reader ..... stickers on auto windshields (Privacy Journal 2005).
 Springer 2006

Ethics and Information Technology (2007) 9:101–109 DOI 10.1007/s10676-006-9124-0

Chips, tags and scanners: Ethical challenges for radio frequency identification Dara J. Glasser, Kenneth W. Goodman and Norman G. Einspruch 1

Department of Electrical and Computer Engineering, University of Miami, Coral Gables, FL 33124, USA Ethics Programs, University of Miami, P.O. Box 016960 (M-815), Miami, FL 33101, USA E-mail: [email protected] 2

Abstract. Radio Frequency Identification (RFID) systems identify and track objects, animals and, in principle, people. The ability to gather information obtained by tracking consumer goods, government documents, monetary transactions and human beings raises a number of interesting and important privacy issues. Moreover, RFID systems pose an ensemble of other ethical challenges related to appropriate uses and users of such systems. This paper reviews a number of RFID applications with the intention of identifying the technology’s benefits and possible misuses. We offer an overview and discussion of the most important ethical issues concerning RFID, and describes and examine some methods of protecting privacy. Key words: business ethics, ethics, privacy, radio frequency identification, RFID, surveillance

Introduction Radio Frequency Identification (RFID) is, after 50 years, becoming increasingly sophisticated and enjoying a renaissance of new uses and applications. The technology has, indeed, fostered a revolution in identification and tracking. While RFID tagging has become increasingly pervasive, the ethical issues it raises have been inadequately addressed. This article offers a review and initial analysis of some of those issues. It is no longer farfetched to imagine a society in which everything, from cans of soda to school children, carry their own unique identifier – data which can with increasing ease be matched to a detailed description of the subject’s traits, history, location and environment. Many of the most interesting ethical issues arise in the context of this vast array of current and potential uses. RFID: • Is altering supply-chain management by extending and superseding bar code capabilities. • Has the potential to transform law enforcement and homeland security by quickly reading chips embedded in personal and international documents, including passports. • Will likely alter monetary exchange in conjunction with credit cards, loyalty cards and currency. Norman G. Einspruch serves as a consultant to several high-technology companies, one of which is in the RFID components and systems business.

• Is being explored through the implantation of tags in animals and humans for tracking location and storing financial and medical information. The ethical issues that arise differ, depending largely upon how the technology is applied, how the related information is used and who is using it.

Background RFID systems comprise three basic elements: a tag, a reader and software. Typically, a reader transmits radio signals that are received by an antenna attached to the tag. The tag sends a unique reply signal back to the reader, which is then decoded into an identification number. This ID number is unique to the tag. Ideally, a global set of standards will dictate how these ID numbers are assigned and ensure that there are no repetitions or duplications (see Shepard 2005 for an overview of RFID technology). Readers are linked to computers, where identification numbers are matched with specific, relevant information. There are also more sophisticated and expensive tags that can store information in addition to ID numbers directly in the tag. Battery-powered tags are called ‘‘active tags.’’ The transponders in automobiles that pay highway tolls when they pass near readers are active RFID tags. Passive tags, on the other hand, are powered by the signal from the readers. Active tags can be read from a greater distance than passive tags, but their larger size and higher price have limited

102

DARA J. GLASSER

their use; one application is inventory management in which the tags are often reused (Cavoukian 2004). RFID system design has recently undergone significant advances which likely will lead to the technology’s ubiquity in the near future. Today, there exist RFID tags as small as a grain of rice, tags that store 64 kb of data (Wald 2004) and tags that can be read at a distance of 20 m. Readers can either be handheld or fixed at optimal locations. Readers are now equipped with technology to prevent ‘‘tag collision’’ or the confusing of tags when more than two or more are read in a short period of time at close proximity. Also, readers can be used near each other without interfering, or ‘‘reader collision’’ (Sarma et al. 2002). These and other improvements, combined with decreasing prices, are making RFID more attractive to industry and government agencies. Yet the qualities that make RFID systems so appealing are the same ones that threaten privacy (see Avoine 2005 for a comprehensive RFID privacy bibliography): 1. Tags are small enough to be hidden from the people carrying them, and they can potentially be scanned by unseen, distant readers. 2. The greater the capacity of the microchip, the more personal or sensitive information it can store. 3. Tags are becoming so durable that users have little control over how to disable them. As the technology evolves, there is a tension between the best means to maximize the social benefits of RFID and avoiding its hazards. One of the most anticipated applications of RFID is using tags to replace or supplement bar codes on manufactured products. The chips used for this purpose store only identification numbers. Although bar codes identify the type of item to which they are attached, they are not unique to each item. All products of the same kind and brand have the same bar code. An RFID tag, on the other hand, can be associated with the history of an individual item: where it was manufactured, the date it was sold, when it was destroyed. It is also able to identify the location of an object as well as properties such as temperature. RFID is thus ushering in a new era in supply chain management. Cartons, pallets and individual items can all be tagged such that the journey from the factory to the end-user is well monitored. Efficiency can be dramatically increased by knowing exactly where all inventoried items are and how long it takes for them to move from one point to another. Anomalies can be easily recognized by tags with built-in sensors, such as identifying a pint of ice cream that has been thawed and refrozen (Feder

ET AL

2004). Even the security of contents may be improved by tags that report that someone has tampered with the item or the container in which it is shipped and stored. Stolen items can be traced; counterfeiting of items such as prescription drugs will be more difficult. This technology will greatly assist retailers in managing inventory, permitting them to decrease the number of instances in which items are over- or understocked. In the future, checkout lines may be replaced by readers through which customers simply push their shopping carts for instantaneous scanning and pricing of the contents of the cart. Of course, and in parallel with other technologies (including bar codes), these data can be stored and linked to the customer’s credit card and to previous purchases. From humans keying in data on a cash register to bar codes to RFID tags, the increase in automation represents an increase in efficiency and therefore, at least usually, an increase in profitability. The question before us is whether the increased automation of commercial transactions represents a change merely of degree, or of kind. Put differently, does technological efficiency elicit more or greater ethical tensions than inefficiency?

Foundations of Privacy Tracking and predicting the behavior of consumers is not new. Every greengrocer who noticed that Mr. Gardner preferred papayas to pomegranates, and so made sure to have the former in stock, was collecting information, storing it and making predictions based on it. From a business point of view, it would be ineffective not to do so. If Ms. Greengrocer were the CEO of a large, multinational corporation, it would still be ineffective; indeed, (it could be argued) it would be a betrayal of investors’ trust, and hence of corporate fiduciary responsibility, not to use the latest information processing tools to maximize sales. Supply chain management is only the latest instantiation of the greengrocer’s art. If there is anything morally wrong with this, it is not with the kind of tools used to manage information; it would have to be with an economic system itself. People generally have two interests regarding data about their commercial behavior. First, they have an interest in the mere collection of data. In most cases, at least nowadays, consumers are aware that noncash purchases are recorded and that this information is stored; many are, moreover, generally prepared to make the tradeoff between the convenience of credit and the fact that businesses are collecting this information about them. Consumers have a second interest, in how information is used after it is

ETHICAL CHALLENGES

FOR

RADIO FREQUENCY IDENTIFICATION

collected. Is it used to predict future purchases? Sold to another entity that will make such predictions? Used to develop new products? Most consumers are sanguine about such uses, as long as they are characterized vaguely and apply to laundry soap and not HIV status or breakfast cereal and not video rentals or book purchases. Even in the former instances, however, the behind-the-scenes manipulation and analysis of personal data can, depending on the consumer, trigger deep-seated intuitions about privacy. At ground, privacy is understood as a right or entitlement to solitude, autonomy and individuality (Alpert 1995) such that with it we are able go where we please, love whom we want, read and listen and, perhaps, even shop as we wish – in short, to live the kind of life we want. While consumers might be blase´ about some aspects of privacy, they are not blase´ about what it attempts to safeguard, especially if privacy is seen as ‘‘based on the idea that there is a close connection between our ability to control who has access to us and to information about us, and our ability to create and maintain different sorts of social relationships with different people’’ (Rachels 1975: 292). For these and other reasons, when privacy protections fail, we believe we have been both wronged and harmed.

Precedents, consent and opting out Experience with credit cards provides some guide, or at least a precedent, for issues surrounding the collection and use of personal financial information. There is and perhaps ought to be considerable concern over the volume of data collected about consumers and their buying habits. Customer profiling and sharing information with third parties are major privacy issues, and we have known this for some time (Chaum 1992). However, these issues predate RFID development and use, and it is not clear yet precisely if or how our moral anxiety should be exacerbated by the new technology. Still, there are several ways in which RFID use raises the ante. For one thing, the introduction of RFID adds a new dimension to debates over consumer privacy by allowing products to be tracked after the point of purchase. The issues at stake depend on two factors: how personal the item is considered to be, and the mobility of the item. It can be argued that greater ethical concerns may arise from tagging a library book than from tagging a can of soup. However, libraries already can collect information on who is reading what material. Also, a greater privacy risk is posed from embedding a tag in

103

a pair of eyeglasses that is constantly worn by a mobile consumer than from embedding a tag in a sofa that remains in place. However, RFID does not violate privacy any more than credit card and bar code use, unless intruders have access to readers and the associated databases. Without regulations, it is possible for consumers not to know that the items they own contain RFID tags. Even if they did know about these tags, they might not know when the tags were being scanned. In order for consumers to maintain control over the use of RFID tags after the point of purchase, they have to know where these tags are and how and where they can be read. At the very least, consumers would need a rudimentary idea of what RFID is. In a study conducted by the National Retail Federation, approximately 75% of the consumers interviewed – many of whom used RFID devices regularly for disbursing highway tolls – had no idea what RFID was (Federal Trade Commission 2005). Knowledge of the principles and the applications of RFID combined with standards for the visibility of tags and readers would give consumers information upon which to make informed decisions. Once an informed person has made a purchase, the issue arises as to whether that consumer should be allowed to opt out of keeping the working tag attached to the item. As a solution to maintaining privacy once products leave the store, several chip manufacturers have incorporated a ‘‘kill command’’ that disables the chip. Cashiers asking if they should disable RFID tags would provide consumers with an opt-out option. It has even been suggested that cashiers disable tags without consent or disclosure, especially in situations in which most people are uneducated about the issues surrounding the technology. But such ‘‘kill switches’’ are not without controversy. One problem is that there might be more potential advantages than disadvantages in keeping tags working after purchase. Because the technology is not yet widespread, not every potential benefit and danger has been evaluated; however, several positive and negative scenarios have been sketched, based on the assumption that RFID readers will soon be commonplace. One cell phone manufacturer has already developed a prototype with an RFID reader attached (Charny 2004). There is consequently a fear that one could remotely scan a home, purse or car and then construct an inventory of everything inside: videos, medications, fine jewelry, etc. The person scanning could then identify the owner of the items and gain personal information about him or her. In fact, the person scanning will only encounter an array of numbers that have little meaning unless he or she

104

DARA J. GLASSER

has access to the database explaining them. Hence, the security of these databases is paramount. If such databases are secure, a kill switch is arguably unnecessary. Useful applications of RFID after purchase include product recalls, returns, warranty repair and recycling. Other innovative uses include refrigerators that keep inventory of contents, a method of finding misplaced keys and other valuables, and a resource for salespersons who know the customer’s size and style preferences. When tags are killed before their uses are realized, potential benefits may be forfeited. Other concerns about ‘‘killing tags’’ arise from skepticism about how killing really works. If a cashier has to disable every tag individually, then the process is very time consuming and threatens the vision of instant check out. When given the opt-out option, consumers may make decisions based upon what is convenient rather than how comfortable they are with RFID. However, future improvements in the technology may bring about faster and easier ‘‘kill’’ methods. There is also some distrust because the mechanism that disables chips is designed by RFID system manufacturers. In addition to failures during some applications of the ‘‘kill switch,’’ manufacturers might erase data without destroying the chip, so that it can be reused. Arousing even more suspicion is the fact that some tags are designed so as to appear disabled, but then work later (Laurant and Farrall 2004). As an alternative to ‘‘killing,’’ one supplier introduced blocker tags designed to give consumers the option whether to allow their tags to function. Blocker tags are placed over regular RFID tags and confuse readers by transmitting many ID numbers at once. The main advantage of these tags is that they can be placed and removed at the discretion of the owner, which eliminates problems associated with permanently ‘‘killing’’ a chip. However, blocker tags place the burden and responsibility on consumers rather than retailers. Neither ‘‘killing’’ nor blocking tags mitigate the tracking of consumer behavior within the store.

Government issued documents The next generation of passports is likely to include embedded RFID chips (U.S. Department of State 2005). One concept involves storing a unique ID number along with a name, address, date and place of birth and digital photo. The chip is designed to contain a digital signature ensuring that it was created by a government (Singel 2004). These new passports could reduce counterfeiting and theft.

ET AL

Drivers’ licenses are eventually to be embedded with RFID chips for the same reasons. Since RFID systems can read sensitive information directly, instead of matching numbers on a protected database, the threat of information or identity theft is heightened. Indeed, unlike systems using chips that store only ID numbers, document identification systems pose a novel suite of privacy and security issues. It is possible, for instance, that someone in close enough proximity to one of these documents could covertly obtain personal information. In the case of passports, one’s nationality, for example, could be identified abroad by terrorists. Since drivers’ licenses are nearly always carried by individuals, there exists a threat that anyone could be tracked anonymously. Several suggestions have been offered to help protect identities while reducing fraud and other misuse. One recommendation is to require physical contact between readers and documents, which makes the process of verification more inconvenient. Another is to encrypt the data such that only authorized officials could access the information. However, encrypted data can be problematic in the case of passports when every country would have to be able to determine what is stored in a passport chip. One solution proposed by governments and others for protecting passports is to use chips that cannot be read through metal – and then incorporating a layer of metal foil in the cover. The chip can then only be read when the passport is open. Similarly, wrapping drivers’ licenses and other such identification cards in metal foil can protect personal information. The government also suggests printing a password within each passport, so that the chip can only be read when the correctly entered password is scanned by the reader (Wald 2004). This would require the passport to be opened before data could be collected. Perhaps the safest alternative is to use a chip containing only an ID number in conjunction with layers of encryption between the chip and a secure database. It is noteworthy and open to debate whether government or industry poses the greatest risks. Some argue that it is precisely government that must be controlled, and that privacy fears elicited by the private sector are overblown (Brito 2004). For others, this is a distinction without a difference, at least in terms of privacy and confidentiality.

Financial transactions One of the significant potential uses of RFID is to provide a vehicle for exchanging money without requiring people to make physical contact. For example, a credit card with an embedded chip may be

ETHICAL CHALLENGES

FOR

RADIO FREQUENCY IDENTIFICATION

automatically scanned instead of swiped. In fact, credit cards may become obsolete, since an RFID chip can be placed in any ordinary object such as a key chain or wallet to achieve the same result. RFID devices have even been implanted beneath people’s skin for the purpose of contactless payment (Scheeres 2003). One’s arm might be scanned to debit funds to purchase a meal or admission ticket, for instance. In addition to financial information, the chips can indicate if someone is a preferred customer or VIP. Such a system could eliminate many of the inconveniences associated with monetary exchange. However, the ease with which personal financial data can be read increases the risk of such data falling into the wrong hands. The added level of convenience afforded by these chips is expected to encourage people to use them in situations where cash, the most anonymous form of payment, is normally used. Already, many drivers across the country are choosing to pay highway tolls with RFID embedded transponders instead of cash. Yet users of this system are leaving a trail of data behind them (Alpert 1995); divorce courts have used highway transponder information to find out where spouses have been traveling (Wood 2004). Casinos are embedding chips and cards with tags in order to study the betting behavior of players and to prevent cheating (Jarvis 2005). Cash itself might not be as anonymous as it once was: The European Central Bank plans to embed euros with RFID tags, which may help prevent counterfeiting, recover stolen money, catch illegal transactions and make counting easier (Yoshida 2001). However, a citizen might not be comfortable with others learning how much cash he is carrying or what cash purchases he is making. In balancing convenience and privacy, personal and collective decisions need to take into account the comparative weight of each value. Such an analysis requires attention to framing effects under which the same action is morally permissible or forbidden according as its description changes. RFID use for financial transactions could thus be rendered as either a boon to shoppers by increasing convenience or an erosion of ‘‘consumers’ ability to escape the oppressive surveillance of manufacturers, retailers, and marketers’’ (Albrecht 2002).

Surveillance of humans RFID chips have for years been implanted in animals to track livestock, locate missing pets and study wildlife behavior. More recently, RFID has been used in a multitude of applications involving the identification and tracking of human beings. Such tracking

105

of individuals can dramatically improve safety, health and productivity. Amusement parks are now able to utilize the technology to find lost children, and schools may one day be able to find students who are absent from class. People with debilitating mental conditions who become or appear to be missing can also be tracked. RFID, originally developed to identify military planes during World War II, can now be used to identify the whereabouts of military personnel (Cavoukian 2004). In some law firms, efficiency has increased thanks to chips that track workers (Plichta 2004). The technology exists to monitor, locate and identify dangerous criminals (or, perhaps more worrisome, those suspected of being criminals). Further, RFID can, at least in principle, reduce medical error (Blue 2005) by tracking surgical tools to prevent them from being left in patients, to mark surgical sites to identify the procedure needed and prevent wrong-sided surgery and by preventing drug dispensing errors (Dorschner 2004). Future chips might be able to monitor body temperature and other attributes. As we learned from one of the earliest ethical analyses of the use of computers in medicine (Miller et al. 1985), it is sometimes or often the case that one has a duty to use a technology if one thereby achieves a valued end; put differently, it is only the short-sighted and the Luddite who always disdain a new technology, or allow other considerations always to trump its use. But it is tracking and surveillance of humans that pose the most obvious ethical challenges. RFID chips intended to track humans come in two main forms: subdermal implants which are injected and external tags which are worn or carried. Such chips might be used with or without consent. In systems under which people are ‘‘chipped’’ with informed consent, we should question whether such a forfeiture of autonomy is permissible even with such consent. What precautions are required to prevent abuse of members of vulnerable populations? Is consent to be chipped always freely given? If chip recipients are compensated or rewarded, is there a sense in which those in greater need of compensation are making a less-thanvoluntary decision? A fair precedent and analogy is perhaps to be found in the domain of human subjects research. Because informed or valid consent is usually reckoned to require (i) adequate disclosure of risks, benefits and alternatives, (ii) voluntariness and (iii) mental capacity, committees which oversee such research regularly grapple with concerns that poor people might be unduly incentivized to endure research risks that those of higher socioeconomic status are likely to disdain. Contrarily, it might be argued that it is patronizing to protect people from their own decisions.

106

DARA J. GLASSER

Subdermal implants create an especially difficult situation if the person being tracked changes his mind, because surgery is required to remove the chips. Too, those seeking access to others’ chips, like kidnappers, might use extreme measures to remove a chip from a living person. But external tags might put people’s identities in greater jeopardy because they can (more) easily be stolen, tampered with or destroyed. To be sure, much more is at stake if any malfunction in the technology occurs when a human – rather than a grapefruit, say – is being tracked. For example, schools that have employed RFID monitoring systems receive calls from panic-stricken parents whenever a reader fails to scan their child’s ID card (Richtel 2004). Perhaps the greatest concern associated with tracking humans is that it may lead to increased and even ubiquitous spying, surveillance and stalking, which may erode relationships: parent–child, husband–wife, employer–employee or government– citizen. Are the advantages of tracking employee time management and productivity, for instance, by RFID surveillance worth the intrusion? Answers to such a question require a judgment about which value we regard more highly: productivity and its cousins efficiency, profitability and effectiveness; or privacy. What is noteworthy here is that productivity is not in itself a moral value; it is a business virtue (which takes on moral implications in terms of duties to shareholders). To value it over privacy would be to commit to a worldview in which moral considerations themselves are demoted or assigned lesser importance than such business (or national security or law enforcement) considerations. Absent social or legal constraints, including policies and guidelines (cf. Plichta 2004), on applications condemned by privacy advocates, there may just be nothing to be done about the growth of a surveillance society, at least in the workplace. While most everyone is a ‘‘privacy advocate,’’ at least nominally, this is nugatory in the absence of robust social commitment to the establishment of constraints on electronic intrusion. There is hardly a business in the industrialized world that does not reserve the option of monitoring employees’ email – an intrusion that has become ubiquitous with not a whisper of protest from workers who surely would have found monitoring of postal contents, for instance, to be utterly objectionable. Put differently, ordinary people are either inclined to endure such intrusions or are inert to their commencement. It remains for us to consider whether there ought to be a moral difference between monitoring and surveillance by businesses and by governments. While the idea of government surveillance might once have

ET AL

elicited vehement objections, in some countries, such objections are perhaps rarer in a terrorismpreparedness-obsessed world. In fact, however, there are a number of ways we might approach this problem. One way to seek grounds for policies to limit inappropriate RFID use is to be explicit about who is using the technology and what it is being used for.

Appropriate uses and users The users of RFID technology can be partitioned into business, government and individual. All of these user classes could use RFID in a manner that proved beneficial to the general population. Yet the collection of information from these kinds of systems can easily be used for different purposes than the ones originally intended. While private enterprises can profit from the technology, consumers can also benefit from reduced prices and enhanced service quality. However, shoppers would likely consider it inappropriate for the private sector to track individuals outside of the store for the purpose of consumer profiling. Tradeoffs will have to be made between convenience and privacy when it comes to opt-out options. Indeed, the post-9-11 debate about the balance between security and liberty is a debate about tradeoffs. Because much of the surveillance in this regard is by governments, we are not as sanguine about the intrusion as we are about workplace monitoring, for instance. Significantly, a (democratic) government can claim that a collective benefit follows from privacy intrusions, and that this benefit is worth sacrificing for – a utilitarian move that has far more moral traction than that of an employer who wants to reduce payroll costs. Tradeoffs between security and privacy must be made in the public realm. Even though citizens may find it acceptable for a government to use RFID in airports and seaports and at borders to ensure that people and goods carry authorized documentation, they tend not to be as comfortable with the government monitoring day-to-day activities. Using RFID to monitor one’s own belongings also seems like an appropriate use. Yet monitoring one’s family members and employees is more problematic. Here is what we said about appropriate uses and users of another technology, with ‘‘RFID’’ substituted (mutatis mutandis) for ‘‘data mining’’ and ‘‘knowledge discovery’’: It should be uncontroversial to point out that not all RFID use is by appropriate users, and not all uses enjoy equal moral warrant. An RFID police state may not be said to operate with the same

ETHICAL CHALLENGES

FOR

RADIO FREQUENCY IDENTIFICATION

moral traction as a government public health service in a democracy. (We may one day need to inquire whether use of RFID technology by a government is itself grounds for identifying it as repressive.) Similarly, given two businesses (insurance companies, say), it is straightforward to report that the one using RFID technology to identify trends in accidents, better to offer advice about preventing accidents, is on firm moral footing, as opposed to one that identifies trends in accidents, better to discriminate against minorities (Goodman 2006). What follows from this is that each judgment about an acceptable use or user must be informed by facts of the case, including user history, intentions and conflicts. Then a determination that any use or user is appropriate will, at least on utilitarian grounds, be based on some sort of moral metric. Compromise might be acceptable in cases in which there is a social mechanism for preventing, controlling or minimizing abuses. A good example of this is the requirement in most democracies that police must receive judicial approval before tapping a telephone call. Even if there were widespread agreement about how, when and by whom RFID should be used, hackers could eavesdrop or acquire the information gathered by these systems. This illustrates the need that any acceptable use be accompanied by policies for securing databases and encrypting data stored on chips. This is no small challenge: Chip limitations make it difficult to incorporate sophisticated encryption algorithms (Schwartz 2005). If society were to come to depend on RFID technology, inadequate security could cause major disruptions. As before, one solution is to limit the technology itself – by restricting data stored in a chip to an ID number and storing all other data in a secure database. Policies and guidelines – and perhaps even laws – represent what is probably the best approach to striking a balance between acceptable use and unacceptable abuse of RFID technology. There is no socially or politically clear path here. In California, the Legislature was considering a bill to outlaw the use of RFID devices in state identification documents while the Texas Legislature was simultaneously considering a measure that would require RFID tags be embedded in inspection stickers on auto windshields (Privacy Journal 2005). Nevertheless, the Electronic Privacy Information Center, for instance, has proposed a suite of guidelines that lay out a series of duties and rights that attempt to permit and constrain RFID

107

(Laurant and Farrall 2004). One set of guidelines distinguishes between duties of users of RFID systems that ‘‘do not gather data about individuals’’ and those ‘‘that can gather personal data about individuals.’’ The former requires users to • Disclose the presence of tags. • Turn off tags before the sale of a tagged item is completed. • Allow tags to be as easily removed as possible. • Assign ‘‘at least one person’’ responsibility for compliance with the guidelines. The latter set of guidelines attempts to embody some of the aspects of valid consent mulled earlier. Users of tags that gather personal data must, among other things: • ‘‘Obtain written consent from an individual before any personally identifiable information’’ is acquired. • Obtain written consent before RFID data is shared with a third party. • Not ‘‘require individuals to provide unnecessary personal information as a precondition of a transaction...’’ • Maintain the security of RFID data, and keep it accurate and up to date. • ‘‘Keep data only as long as it is necessary for the purpose for which the data was associated with personal information.’’ • Disclose data management policies and allow individuals to learn what information about them has been collected. It is by the use of such guidelines – there could be others, and all might be debated – that we can introduce explicitly moral considerations into the use of RFID and like technologies. It is not clear why or on what grounds a business or government would object to such guidelines. To be sure, it might be protested that acceptance of such duties might increase costs or limit efficiency. But those who insist on ethically optimized technology use can respond by pointing out and making explicit that those who would promote the values of cost containment and efficiency over privacy and valid consent have played such a hand; and that doing so requires paying a very dear social and ethical price.

Conclusion RFID can greatly improve security and convenience for a wide range of enterprises. Several precautions – including adequate security and clear guidelines for appropriate uses and users – can be taken to prevent

108

DARA J. GLASSER

the misuse of RFID and make the public legitimately comfortable with it. In the case of systems that only store an ID number in each chip, attention must be given to what information is stored in databases, who has access to them and how they are being protected from those who should not have access. Those affected by RFID should also be informed of secondary uses of the information being stored. Systems that contain personal information on chips pose a greater threat to privacy. Encryption or passwords should be utilized to protect information from getting into the wrong hands, and rules should govern data storage and use. Throughout, the values of privacy and valid or informed consent provide a practical lattice on which to affix such rules and guidelines. RFID poses ethical challenges that are in many respects similar to those that have arisen elsewhere in the Information Age. Those concerned about intrusion, monitoring and ubiquitous surveillance can emphasize the tension between privacy and efficiency, say, or liberty and security, and in so doing make clear that citizens in open societies continue to value privacy at least as much as convenience and safety. What is more, such ranking of values must be explicit, public and subject to ongoing debate. While technology evolves in ways that can challenge earlier pacts and protocols, applied ethics evolves by producing tools to guide and inform those who use technology and, sometimes, even protect those for whose sake the technology is allegedly being used.

References K. Albrecht. Supermarket Cards: The Tip of the Retail Surveillance Iceberg. Denver University Law Review, 79(4): 534–539 and 558–565, 2002. S. Alpert. Privacy and Intelligent Highways: Finding the Right of Way. Santa Clara Computer and High Technology Law Journal, 11(1): 97–118, 1995. G. Avoine. Security and Privacy in RFID Systems, 2005. http://www.lasecwww.epfl.ch/gavoine/rfid/index.html L. Blue. Statement before the U.S. House of Representatives Committee on Government Reform, September 29, 2005. http://www.reform.house.gov/UploadedFiles/ Symbol%20-%20Blue%20Testimony.pdf. J. Brito. Relax, Don’t Do It: Why RFID Privacy Concerns are Exaggerated and Legislation is Premature. UCLA Journal of Law and Technology, 5, 2004. http://www. lawtechjournal.com/articles/2004/05_041220_brito.pdf A. Cavoukian. Tag, You’re It: Privacy Implications of Radio Frequency Identification (RFID) Technology. Information and Privacy Commissioner, Ontario, 2004. http://

ET AL

www.ipc.on.ca/scripts/index_.asp?action=31&P_ID= 15007&N_ID=1&PT_ID=11351&U_ID=0. B. Charny. RFID Cell Phones Take Shape at Nokia. News.Com, October 24, 2004. http://www.news.com. com/RFID + cell+phones+take+shape+at+Nokia/ 2100-1039_3-5424528.html?part=rss&tag=5424528& subj=news. 1039.5. D. Chaum. Achieving Electronic Privacy. Scientific American, 267(2): 96–101, 1992. J. Dorschner. Surgical Chip Shows Patient Info. The Miami Herald, 1C, November 25, 2004. B.J. Feder. Keeping Better Track from Factory to Checkout. The New York Times, E5, November 11, 2004. Federal Trade Commission. Radio Frequency Identification: Applications and Implications for Consumers. Washington, D.C.: FTC, 2005. http://www.ftc.gov/os/2005/03/ 050308rfidrpt.pdf. K.W. Goodman. Moral Foundations of Data Mining. In J. Wang, editor, Encyclopedia of Data Warehousing and Mining, pp. 832–836. Idea Group Reference, Hershey, PA, 2006. R. Jarris. Carinos Bet Big on RFID. Business 2.0, March 23, 2005. http://money.cnn.com/magazines/business2/. C. Laurant and K. Farrall. RFID Workshop Comment P049106, FTC Workshop on Radio Frequency Identification: Applications and Implications for Consumers. June 21, 2004. (Comments of the Electronic Privacy Information Center to the Federal Trade Commission.) http://www.epic.org/privacy/rfid/ftc-comts-070904.html R.A. Miller, K.F. Schaffner and A. Meisel. Ethical and legal issues related to the use of computer programs in clinical medicine. Annals of Internal Medicine, 102 529– 536, 1985. G. Plichta. Accommodating RFID Technology and Expectations of Privacy: An Examination of Proposed Guidelines. Electronic Privacy Information Center, June 2004. http://www.epic.org/privacy/rfid/rfidplichta.html Privacy Journal. In the States – Contrast. May 2005: 6. J. Rachels. Why is Privacy Important? Philosophy and Public Affairs, 4(4): 323–333, 1975. M. Richtel. In Texas, 28,000 Students Test an Electronic Eye. The New York Times, A1, November 17, 2004. S.E. Sarma, S. Weis and D. Engels. RFID Systems and Security and Privacy Implications. In B.S. Kaliski, C.K. Koc¸ and C. Paar, editors, Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems, Lecture Notes in Computer Science, Vol. 2523. London: Springer-Verlag, 454–469, 2002. J. Scheeres. When Cash is Only Skin Deep. Wired News, November 28, 2003. http://www.wired.com/news/ technology/0. J. Schwartz. Graduate Cryptographers Unlock Code of ‘‘Thiefproof’’ Car Key. The New York Times, A10, January 29, 2005. S.. Shepard, RFID: Radio Frequency Identification. McGraw-Hill, New York, 2005.

ETHICAL CHALLENGES

FOR

RADIO FREQUENCY IDENTIFICATION

R. Singel. American Passports to Get Chipped. Wired News, October 21, 2004. http://www.wired.com/news/ privacy/0 U.S. Department of State. The U.S. Electronic Passport, 2005. http://www.travel.state.gov/passport/eppt/eppt_2498.html. M.L. Wald. New High-Tech Passports Raise Snooping Concerns. The New York Times, November 26, 2004.

109

D.B. Wood. Radio ID Tags Proliferate, Stirring Privacy Debate. The Christian Science Monitor, December 15, 2004. J. Yoshida. Euro Bank Notes to Embed RFID Chips by 2005. EE Times, December 19, 2001. http://www.eetimes. com/story/OEG20011219S0016.