RFID Chips: A Privacy And Security Pandora’s Box?

A research article published in the current issue of the International Journal of Intellectual Property Management suggests that Big Brother could be opening a privacy and security Pandora’s Box if human rights, particularly regarding data protection are not addressed in the design of new RFID applications.

Radio-frequency identification (RFID) chips can be found tagging everything from groceries and clothing to the experimental swipe-free credit cards used to pay for those goods. In library cards, warehouse inventories, and under-skin pet tags. They are also used for prisoner and parole tags, in hospital patient wristbands, and in smart passports.

According to Eleni Kosta and Jos Dumortier of the Katholieke Universiteit Leuven in Belgium, the benefits of RFID technology in innovation are beyond question. However, the threats posed to personal privacy should be taken into account at the design phase of the applications. Their increasingly widespread deployment means individuals do not necessarily know when, how and what kind of information about them is being transmitted at any given time from an RFID in a passport, in their shopping bags, or even when they visit the library.

Lack of RFID standards leads to media panic

It’s scandalous sometimes how reporters can screw up a simple press release. (A panic button, like this one from Hong Kong, makes a great stress reliever.)

Let’s quote from the release, shall we?

“The lack of standardization of RFID in health care permits RFID systems originally designed for logistics to enter the medical arena on the basis of requirements such as the range at which medical tagged items or individuals are to be detected…The intensity of electronic life-supporting medical devices in this area requires careful management of the introduction of new wireless communications such as RFID,”

AMA says human RFID tags could pose serious privacy risk

RFID tags operate over short distances to provide a scanner with basic information about whatever item they’re attached to. This is being used commercially to both identify pricing details at retail and to allow users to simply wave credit cards in front of appropriately-configured readers in order to pay for them. But RFID has also moved into the realm of providing personal information; the US is making RFID-enabled passports, and the FDA approved human RFID implants back in 2004. Given the medical and privacy issues associated with human RFID tagging, the American Medical Association called for an evaluation of their implications; the resulting report is now available.

The report makes a distinction between two types of RFID tags. Passive tags have no power source and store information in read-only form; the scanner provides them with enough power to transmit basic information. Active RFID tags contain an internal battery, allowing them to store more sophisticated information, process data, and transmit over longer distances. Currently, only passive tags are approved for human use, but there’s no reason to think that current limitations will stand indefinitely. The passive tags are currently used for patients with chronic diseases that may require rapid medical intervention.

The report cites examples such as coronary artery disease, chronic obstructive pulmonary disease, diabetes mellitus, stroke, or seizure disorder. It also notes that tags are being used to identify patients with internal medical devices, such as pacemakers or replacement joints. Because of privacy concerns, these RFID devices only transmit a unique identification code; that code can be matched with records to provide information such as current medication lists and past diagnostic test results. Of course, all of this only works when the patient is being treated by someone with access to appropriately stored medical records, something which is hardly guaranteed.

{Despite their many unknowns it appears as the inevitability of human RFID tags is upon us. RFID’s pose a tremendous opportunity to decrease costs and medical mistakes while increasing the overall quality of patient care. However there are also many unknown privacy issues that have yet to be resolved. Doctors wouldn’t prescribe medicine without FDA approval and until the community of privacy and consumer advocates have reached a consensus agreement on human RFID chips, doctors should tread lightly. Unless real privacy protections are incorporated into RFID technology the most precious and sensitive personal data could be vulnerable to snooping, misuse or even worse, theft. Therefore, it is the responsibility of the medical community to follow the AMA’s recommendations if they choose to do use human RFID tags. ~ Dr. Deborah Peel, Patient Privacy Rights}