For the laymen, it may sounds complicated due to the technological jargon. For the computer scientists, it may be easy. For lawyers, it may be restricted in aspects of data protection and privacy. For civil liberties, it is all about rights and human rights. These are the clouding concerns RFID have posed. In this blog, the writer generally viewed that explaining RFID is not an easy task. I concurr. It takes many levels of attempt to reach the most adequate, comprehensive yet understandable explanation. But, not many will achieve the desired outcome of understanding.
Recently in the BBC, the complexity of RFID has been added with the WiFI RFID compliant and ability. It is believed the combination of both will make tracking more powerful as it is now. Siemen and Motorola are looking into the possibility of this potential product expansion. As many basic amenities in schools, universities, cafe' and hotels have deployed WiFI, it is, according to Siemen and Motorola wiseful to combine both technologies for maximum usage. A pry to privacy?
Thursday 31 May 2007
Tuesday 22 May 2007
UK National Consumer Council on RFID
Perhaps, it's late to mention this. I am wondering how "price discrimination" and "social exclusion" will have an impact to privacy enhancing technologies (PET)? The UK National Consumer Council has urged to develop a universally accepted principles on RFID,when desiging RFID applications.
Commentary:
* I think its the consumer awareness that will help to understand this technology generally
* RFID service provider and RFID enabler should disseminate to consumers whenever they deploy PETS in their premise or product
* Perhaps, a rethink should be made during the data protection principles and regulations were introduced 10 years back. On this note, examining the traditional role of "Data Controller" (which in this case, is the retailer) . This comparison will enable the Council to rethink.
* The outcome of the EU RFID consultation will provide some guidance and roadmap to the Council. But, the Council should clearly educate, disseminate and diffuse the advantages and disadvantges of this PETS on a balanced manner to the consumers
* I hope consumers are not being 'confused" or "exaggerated" by RFID
Commentary:
* I think its the consumer awareness that will help to understand this technology generally
* RFID service provider and RFID enabler should disseminate to consumers whenever they deploy PETS in their premise or product
* Perhaps, a rethink should be made during the data protection principles and regulations were introduced 10 years back. On this note, examining the traditional role of "Data Controller" (which in this case, is the retailer) . This comparison will enable the Council to rethink.
* The outcome of the EU RFID consultation will provide some guidance and roadmap to the Council. But, the Council should clearly educate, disseminate and diffuse the advantages and disadvantges of this PETS on a balanced manner to the consumers
* I hope consumers are not being 'confused" or "exaggerated" by RFID
Friday 18 May 2007
Post RFID paper presentation; some feedbacks
It has been sometime, I have not updated this blog. One of the reasons is due to my conference engagement in Istanbul, Turkey.
My RFID paper presentation went well, despite of the limited time given. These are some feedbacks that I have received:-
i) That Malaysia should actually strategise it's localised RFID policy rather than looking into how the EU's RFID experience.
On this, I would partially agree and partially disagree. On one hand, I would say that Malaysia still needs to look into the EU's RFID market, development and maturity. It will be the basis for Malaysia to promulgate potential benchmark in it's RFID regulation or supervision. On the other hand, I would agree, IF, the personal data protection and privacy legislation would have been passed by the Malaysian parliament, in which, subsequently will attract considerable debate to the Malaysian RFID players.
ii) That Malaysia should consider opt for consumer protection laws' remedies instead of awaiting the personal data protection bill in its RFID initiative
I agree on that option. However, Malaysian consumer protection laws' remedies are not strong as in the UK. The consumer awareness on RFID tagging is still lacking. Thus, there should be a strategic avenue for the consumers in Malaysia to channeling their concerns on their privacy intrusion.
iii) That there should be more RFID technological readiness, awareness and exposure to the people.
I totally agree on this.
In an interesting development, I have had the opportunity to share some of my RFID perspectives with academics from Liverpool and Notre Damn. There might be an interesting trilateral research interest between Malaysia, UK and EU on RFID soon. Just await the outcome.
My RFID paper presentation went well, despite of the limited time given. These are some feedbacks that I have received:-
i) That Malaysia should actually strategise it's localised RFID policy rather than looking into how the EU's RFID experience.
On this, I would partially agree and partially disagree. On one hand, I would say that Malaysia still needs to look into the EU's RFID market, development and maturity. It will be the basis for Malaysia to promulgate potential benchmark in it's RFID regulation or supervision. On the other hand, I would agree, IF, the personal data protection and privacy legislation would have been passed by the Malaysian parliament, in which, subsequently will attract considerable debate to the Malaysian RFID players.
ii) That Malaysia should consider opt for consumer protection laws' remedies instead of awaiting the personal data protection bill in its RFID initiative
I agree on that option. However, Malaysian consumer protection laws' remedies are not strong as in the UK. The consumer awareness on RFID tagging is still lacking. Thus, there should be a strategic avenue for the consumers in Malaysia to channeling their concerns on their privacy intrusion.
iii) That there should be more RFID technological readiness, awareness and exposure to the people.
I totally agree on this.
In an interesting development, I have had the opportunity to share some of my RFID perspectives with academics from Liverpool and Notre Damn. There might be an interesting trilateral research interest between Malaysia, UK and EU on RFID soon. Just await the outcome.
Thursday 3 May 2007
Some links to RFID boycott
Wednesday 2 May 2007
Latest RFID paper: to be presented in Istanbul, Turkey
Radio Frequency Identification Technology: (RFID):
Is legal risk management relevant in consumer privacy?
Noriswadi Ismail[i]
British Chevening Scholar, University of Strathclyde
noriswadi.ismail@strath.ac.uk
Abstract. RFID is regarded as technological perfection in many global industries; retails, logistics, libraries, passports, surveillance, healthcare and banking. RFID proponents assert that the technology has been complementing global industries’ value chain and business continuity. Global market analysis has predicted that the Return of Investment from this technology will massively attract widespread deployment by 2010. Whilst the strength of this technology remains relevant for the proponents, there remain handful debates on the weaknesses of RFID’s data surveillance. Due to the latter, this paper will reveal the weaknesses and how it leads to privacy debates in consumer privacy. Regulatory and commercial developments from the United Kingdom and European Union will be painstakingly analysed. This paper will also comparatively analyse the developments in Malaysia and Singapore. It will endeavour to outline the respective Regulators’ position and selected industries’ feedbacks in RFID on cursory note. Significantly, this paper will attempt to argue the relevance of legal risk management in consumer privacy as the key question to be answered. It will explore a potential approach that could be balanced between RFID technology vis-à-vis consumer privacy.
1. Introduction
RFID has been generally cited as one of the most evolving technologies in the world. This powerful technology remains incompatible in these industries: retails, logistics, military, libraries, surveillance and banking, yet it endures endless debates in some legal regimes and contours. When the technology was first deployed by the military, the impact of the technology was never intended to be as sensitive as it is today. Besides, global RFID spending has increased by leaps and bounds and provides an ongoing deployment by these various industries to enjoy its value chain and business continuity. Many will view that RFID substitutes the role of barcode as means of tagging technology despite of the inhibiting level of protection towards the internal subject of the tagging - which is the data and most importantly - privacy. Due to the latter, it has prompted potential data protection and civil liberties debates across the globe. Whilst this concern is ongoing, this paper will attempt to look into how RFID technology leads to potential questions of privacy. The central attention will be on consumer privacy. Two substantive developments are discussed:
· Regulatory and commercial developments; and
· Legal risk management as a tool towards managing consumer privacy
2. RFID – an overview
RFID is a technology which illustrates any system of identification that uses radio frequency or magnetic field variations, wherein an electronic device which activates the variations is attached to an item.[ii] A tag and a reader are the components of an RFID. Tag is the identification device attached to the item for tracking whilst reader is a device that can recognise the presence of RFID tags and read the information stored on them. The reader can then inform another system about the presence of the tagged items. The system with which the reader communicates usually runs software that stands between readers and applications which are called as RFID middleware.[iii] Even if the historical trail of this technology remains ambivalent, but generally, it goes back to 1920s during the World War II.[iv]
2.1. RFID general functions
RFID could not function without frequency.[v] The operating frequency is the electromagnetic frequency that the tag uses to communicate or to secure power. Due to the nature of RFID which broadcast electromagnetic waves, they are regulated as radio devices. Thus, RFID systems must not interfere with other existing protected applications such as emergency service radios or television transmissions. In relation to the technical standard of ultra high frequencies (UHF), there are different ranges of applications in different parts of the world. Even if each country requires a different range of UHF, it is suggested that one possible global standard known as EPCglobal standard will be able to match varying local regulatory requirements.[vi]
As mentioned, the tag and the reader are two key components to operating an RFID system. The reader functions as transmitter of the system which contains electronics that use an external power source to generate the signal that drives the reader’s antenna. In effect, it creates the radio wave. The radio wave may be received by an RFID tag, which ‘reflects’ some of the energy it receives in a particular way, based on the identity of the tag.[vii] Whilst this reflection is going on, the RFID reader is also acting as a radio receiver so that it can detect and decode the reflected signal in order to identify the tag.
2.2. Types of categorisation
There are essentially three types of categorisation within an RFID system which is based on the power source used by the tag, as particularised:-
· Passive tag – This requires no power source at the tag. It does not require any batteries but utilises the energy of radio wave to effect its operation.[viii] In this category, it results to the lowest tag cost at the expense of the performance. Example that could be seen in practice is the usage of passive tag in individual product items for applications in supermarket checkouts and smart cards[ix];
· Semi-passive tag – This relies on the battery built into the tag in order to achieve a better performance within the operating range. In this category, the battery powers the internal circuitry during the communication; however it is not used to generate radio wave.[x] This tag is mostly fragile and expensive in the market[xi]; and
· Active tag – It utilises batteries for their entire operation which can generate radio wave actively in the absence of a reader.[xii] In this category, the tag is capable of a peer-to-peer communication. It has larger memory as compared to the passive tag, possesses higher processing capabilities and secure.[xiii]
Without any doubt, the semi-passive tag is the only category which does not require the involvement of a radio wave. It is also due to the costly price which compels the RFID provider to opt the first and second category.
3. Regulatory and commercial developments
Besides the United States of America, there are regimes which have been very serious to addressing RFID policy and regulation; the European Union and the United Kingdom. These regimes have undertaken a very smart move to advocate a possible RFID policy in the very near future. The European Commission is undertaking an open public consultation towards establishing an RFID policy for Europe. [xiv] The outcome will be disseminated and diffused to the member states once the European Commission would have duly substantiated the consultative deliberations. However, for the purpose of this paper, it shall restrict generally into the governing Directives of the European Union and the guidance by the United Kingdom.
3.1. The European Union (EU)
In the EU, Article 29 of the EU Working Party which is established under the auspices Article 29 of Directive 95/46/EC articulates existing privacy and data protection issues.[xv] On the data protection front, the Working Party has mooted the concerns on the effect of RFID technology which may lead to violation of human rights and data protections rights. The main concern exceedingly surrounds on the possibility of businesses and governments which have deployed RFID that is accruing and prying into the privacy sphere of individuals.[xvi] Cursorily, the published summary of responses by the RFID stakeholders has achieved a general satisfaction. In practice, however, it is asserted that the examples of RFID applications technically illustrated in the working document do not match the reality.[xvii] It is argued that societal benefits and realistic appreciation of technical possibilities should be painstakingly inferred whilst analysing RFID applications.
Two governing Directives are applicable within the EU; Directive 95/46/EC on the protection of personal data and Directive 2002/58/EC on the protection of personal data in the electronic communications sector. These Directives outline the pre-emptive mechanism of data processing that should be complied with, by the member states.[xviii] In Directive 95/46/EC, it could be asserted that not all RFID applications are governed under the provisions. This is due to the complexity nature of RFID technology itself via the tags, the reader and middleware. Technically, the tags possess the capability to exchange information and thus, the existing provision in the Directive have ignored and limited its scope of regulation, thus, fails to achieving technology neutrality approach. It also leads to a certain level of biasness towards existing RFID middleware and applications which are integrated with other component of technologies. In Directive 2002/58/EC, services must provide continually the possibility, of using a simple means and free of charge, of temporarily refusing the processing of certain personal data for each communication. It is asserted that a PC based system would fulfil the needs of the provision, but RFID may struggle to comply with the spirit due to the nature of its technical interface.
3.2 – Guidance in the United Kingdom (UK)
In the UK, the Data Protection Act 1998 regulates the processing of personal data. Supporting the provisions of the Act is The Data Protection Technical Guidance Radio Frequency Identification. It has outlined two scenarios in which personal data might be processed using RFID.[xix] First, personal data may be stored on the tags themselves, or linked to a database containing personal data. Second, if tags or individual items can be used to identify the individual associated with the item, they will be personal data.[xx] The Act also applies when the personal data is collected, generated or disclosed using RFID either directly or indirectly. RFID users should also adopt the data protection principles of fair processing, use limitation, data quality, data retention and security. The guidance has also mentioned extensively specific data protection concerns which involve security, monitoring, profiling and technical solutions.[xxi]
From these developments, the UK Information Commissioner has put a very high concern on the level of surveillance in the UK’s society. In a report on surveillance society, issued by the Surveillance Studies Network[xxii], RFID has been highlighted as one of the central issues and discussions. Even if the report does not critically analyse the technical aspects of RFID and its dangers to privacy and surveillance in detail, it has however outlined future directions to the data protection actors whenever potential RFID issues take place. Invariably, the report has analysed various social, technical, regulatory and economic perspectives which could be applied in today’s context in achieving a balanced surveillance society.
3.3. Development in Singapore[xxiii]
Singapore was one of earliest users of RFID technology in the world.[xxiv] Singapore Land Transport Authority has been deploying RFID since 1998 in what was the world's first Electronic Road Pricing system, an automated toll-collection system used to control and manage traffic volume in the city. Singapore's National Library Board was one of the first to harness RFID in a library environment back in late in 1998, when it embedded RFID tags on books to automate the borrowing and returning of library books as well as to expedite the process of sorting books and returning them to shelves.
As Asia's leading convention venue, Singapore has long used RFID technology to tracing delegates at large conferences and conventions in the city. Singapore became the first pilot port in Asia under the United States of America Container Security Initiative. The island-republic is now implementing the usage of RFID seals for all containers bound for the United States of America seaports. Selective local research institutions teamed up towards developing solutions to deploy RFID for tracing SARS contacts in local hospitals. At present, Singapore wants to leverage its existing expertise to undertake RFID research and development.[xxv]
It is evident that Singapore RFID deployment has positioned the republic as the leader in the Asia Pacific region. Whilst the commercial development looks positively encouraging, it is to note that data protection provisions in Singapore legal regime is rather sectorial and piecemeal.[xxvi] However, recent development in Singaporean parliament suggests that data protection and privacy should be the main priority for Singapore’s industries.[xxvii]
3.4. Development in Malaysia
Based on IDC’s forecast, the Malaysia’s RFID market is expected to hit RM77 million by 2010[xxviii] with a compound of annual growth rate of 45.84%. Significant developments have taken place in Malaysia’s RFID growth. On December 2006, the Malaysian Road Transport Department had initiated the usage of RFID license plates with the attempt to reduce the number of car thefts in the country. The plate will contain the information about the owner of the car and the vehicle. This will help the police official to know if the car has been stolen.[xxix]
On 24 February 2007, Malaysia had released the world’s smallest RFID microchip which measures between 0.4mm by 0.4mm with a built-in antenna, which can be embedded on paper.[xxx] The microchip, developed under the Malaysia Microchip Project, at a cost of US$50 million (RM180 million) based on Japanese technology, is the first with multi-band frequencies.[xxxi] These developments envisage promising RFID growth in the Malaysian market and if the IDC analysis remains prevalent, it is predicted Malaysia will be the central RFID investment within the South East Asian region.
In Malaysia, the effort to draft the PDP Bill started in 2000. However, the legislation is yet to be seen.[xxxii] Rumours claimed that the Bill was motivated by the European Union regulatory approach as compared to the self-regulation approach of safe harbour of the United States of America.[xxxiii] But now, the situation is otherwise and it has given quite a general setback to various industries in implementing possible data protection and privacy strategy within their organisations.
The issue of the PDP Bill delay was also mentioned in the parliament. One of the members of parliament lamented that the government was taking too long to pass laws on personal data protection, which existed in ninety countries. He further viewed that it is imperative that Malaysia hasten the enactment of the law and poignantly added that it could affect efforts to sustain Malaysia’s position as a competitive outsourcing country after India and China.[xxxiv]
The moans and groans are not only commonly shared by the Malaysian public but also multinational corporations and foreign investors. The next question to be asked is whether the RFID technology undermines privacy and data protection? There are two possible and skeletal answers. First, in the event the Bill has analysed thoroughly the application of emerging new technology and its convergence[xxxv] vis-à-vis’ the privacy and data protection provisions, it is believed it would not generally undermine due to its technology neutrality approach. Second, in the event the Bill has not achieved the same, a secondary review to the existing draft should be made pedantically. However, it should be noted that these answers may be duly substantiated once the Bill takes place in Malaysia.
4. RFID and consumer privacy
The regulatory and commercial developments in different legal regimes lead to different principles and approaches. Appropriately, these regimes are undertaking a multi-layered effort to ensuring that RFID remains relevant, yet there should be certain pre-emptive measures in protecting privacy. Civil liberties have also raised their eye brows questioning the legitimacy of RFID tracking technology. The technology reveals worried danger within the privacy sphere that needs to be defused.
In 2005, consumer privacy advocates had initiated a website boycotting TESCO which was aimed to encourage consumers’ participation and awareness on the danger of this “spy chip” technology.[xxxvi] Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) launched the campaign nationwide evidencing the level of protest on privacy fears. CASPIAN was particularly concerned about item-level RFID tagging, especially the potential for retailers to be able to track goods after they leave the store - which it views as invasion of consumer privacy.
The boycott against GILLETTE is also another profound example advocated by CASPIAN in 2003. It was claimed that the GILLETTE product had been embedded with an RFID chip that was able to “spy” on consumers. Subsequently, a website to boycotting GILLETTE product was established to educate consumers the danger of RFID.[xxxvii] On the similar stance, BENETTON was also the subject of boycott by CASPIAN. It was claimed that the clothing that was on sale within the BENETTON’s premises were embedded with an RFID chip which simultaneously prying on consumers’ data and privacy.[xxxviii]
CASPIAN’s intention to educate the consumer privacy is commendable. On one hand, the boycott websites suggested consumers to abandon their intention to purchase the products due to the danger of potential data intrusion via the RFID technology. But, on the other hand, CASPIAN has failed to address the recommended best practices to consumers towards risk mitigation whenever the consumers would have purchased the product. Realistically, the outcome of boycott consultation between CASPIAN and the relevant RFID users like TESCO should also be channelled to the consumers for an informed notification.[xxxix]
4.1. Legal Risk Management in consumer privacy
Business continuity has always been the life cycle of organisations and companies. The term ‘legal risk management’[xl] is neither a new nor a coined terminology. It is a hybrid approach or strategy assessing issues within the application of risk management module and legal principles.[xli] Due to the hybrid nature of the module, akin to the RFID technology, RFID users should be able to adopt a strong risk management culture. A strong risk management culture commences with these levels of risk processes: risk identification, risk analysis, risk profiling, risk mitigation, risk control and risk scorecard.[xlii]
The traditional approach of risk management is mostly centred upon internal auditing exercise and internal control of organisations and companies. However, as the global market matures, risk management has been extended to control or pre-empted specific problems and issues, in the absence of a clear legislation or technical standard. The ultimate aim of adopting a legal risk management strategy for RFID users is to complement the industries’ readiness in complying privacy and data protection provisions.[xliii] This will also enable data controllers to self-regulate consumer privacy and be able to avoid potential boycotting.
Legal risk management does not favour any organisations or companies but it complements these entities within their risk appetites. Generally, risk management requires a pre-emptive strategy that is realistic and achievable. For organisations, the essential strategy starts with the establishment of an RFID risk manual.[xliv] This manual will be able to outline brief technical illustration of the RFID usage, the sensitive technical areas that lead to privacy issues as well as how to mitigate and manage the RFID and privacy related risk perceptions. The manual should also provide the commitment to manage the risk and at the same time, eliminating the risk that would have been derived from RFID middleware, applications and deployment. It is submitted that the manual should take into various aspects which include, cost, technical, legal, research & development, liability, operations, third party and reputation. Appropriately, RFID risk manual should also incorporate the privacy risk checklist[xlv] that could serve as useful guidance and tool for the users. It is emphasized that the checklist should be based on the risk appetites of organisations and companies.
A strong RFID risk manual should be supplemented with ongoing training, dissemination, careful review and control. This is deemed to be essential to companies and organisations. In the context of consumer privacy, a strong risk management processes would be able to cover potential liabilities of the RFID service provider, retailers, data controllers and any third parties who are involved with the deployment. This will boost strong confidence to existing consumers and potential consumers who intend to purchase any products or items without privacy fear and danger.
4.2 Potential arguments against legal risk management
The option to adopt this legal risk management strategy is an open option to preserve consumer privacy. It is not meant to compel organisations and companies to adopt the same in the absence of a clear privacy and data protection provisions. Apropos, this option should also be taken into consideration as a means of internal control and thus, complementing privacy and data protection terms of other countries and regimes. This option also helps retailers, hyper markets, RFID technology service providers and any data controllers to disclaim their privacy liabilities. There may be two potential arguments that underpin the adoption of legal risk management strategy, besides the typical cost and resources arguments.
First, one may argue that there are also other technical standards that could mitigate such RFID related privacy risks. However, to counter argue, it should be borne in mind that such existing standards are restricted on specific technology adoption and the risk assessment which is featured within any existing standards do not, in most cases, carry the levels of risk management in a whole package.
Second, one may also argue that relying on data protection terms are sufficient to overcome privacy issues and there is no need to extend such existing standards or models to examine the level of privacy and data protection within RFID technology. To the contrary, the purpose of legal risk management model is to add the value to privacy and data protection provisions. It does not, however, lead to duplication and interface other existing standards or models and legal risk management is deemed to be pragmatic in mitigating the issues between RFID and privacy. Besides being the added value tool towards privacy and data protection, this model adopts the commendable practice is corporate governance.
5. Privacy impact assessment
It is undeniable that RFID deployment involves multi layered of relationship ranging from the service providers, third parties’ applications, third parties’ middleware and to the users. In the event RFID technology has been deployed, it carries different levels of liabilities. It is very essential for these parties to conduct a privacy impact assessment as to ascertain the sustainability of the technology in the long run. Arguably, there are no specific models that could be developed for specific industries. However, it is asserted that this assessment will be able to carry a balanced weight which complements the legal risk management approach.
Appropriately, such assessment should involve four layers: technical, legal, economic and social.[xlvi] The assessment could be designed through detailed checklists corresponding to the structure of the RFID technology, based on specific industries’ demands and needs. For consumer privacy, retailers should be able to ascertain the sustainability of their RFID-related policy so that an informed notification has been channelled and disseminated to the consumers. It is also indispensable for retailers to model a tailor made RFID privacy policy for consumers’ attention so that the choice and option of consumers to purchase a specific product shall not be abandoned. Strategic privacy impact assessment between CASPIAN, the retailers and consumers should also take place in the very near future. The rationale is to establish a dynamic co-existence between these focused groups which will equalise a unique level of cooperation towards pre-empting privacy fears derived from RFID technology.
6. Conclusion
From the foregoing developments, caution steps should be taken by all parties who are involved directly and indirectly by RFID deployment. Whilst the European Union and the United Kingdom have provided a general model of RFID guidance, Malaysia and Singapore should expedite the lobbying to pass the motherhood of privacy and data protection legislation at the first instance. With that, it will enable to bridge the gap between RFID technology development vis-à-vis regulations. Even if the legislation would have been in place, it shall take some considerable time for both countries to reach the tested maturity stage alike of the European Union and the United Kingdom.
With regards to consumer privacy, CASPIAN, being the leader of civil liberties and consumer advocate should play a more effective cum strategic role in RFID. Whilst the boycotting and lobbying the consumers to abandon such purchases tend to be a brave move, it is however, needs effective yet resourceful dissemination and diffusion for consumers. As suggested, a trilateral consultative process between CASPIAN, retailers and consumers shall lead the headway towards a privacy compliant RFID environment.
It is very interesting to awaiting the outcome of the European Commission RFID EU Policy consultation. The impact shall change the current RFID landscape and, consumers should be able to monitor its developments tenaciously. Whilst the outcome remains to be speculative, it is timely for RFID players and actors to embark on with the best and strategic option which may fit their companies and organisations. As the notion of there is ‘no one size fits all’ deemed to be applicable in RFID technology context, it is however needful for the industries to consider the best and practical options from various perspectives; technically, economically, legally and socially. By this, it is believed that privacy will not be a nightmare and over exaggerated by unqualified justifications and assertions. RFID remains relevant and indeed it is.
1 Head, Company Secretary, Compliance & Risk Management of HeiTech Padu Berhad. See http://www.heitech.com.my. For detailed RFID research blog: http://the-rfid-nexus.blogspot.com. See also his paper presented in the British Irish Legal Education Technology Association 2007, hosted by University of Hertfordshire on 16-17 April 2007 titled “RFID: Malaysia’s privacy at the crossroads?”, readable at the RFID research blog.
[ii] Bill Glover & Himanshu Bhatt, “RFID Essentials” (2006, O’Reilly) pp 1-19.
[iii] Glover & Bhatt en above at p.1.
[iv] See generally Matt Ward, Rob van Kranenburg and Gaynor Backhouse “RFID: frequency, standards and innovation”, JISC Technology and Standards Watch, May 2006 at p. 4-5. Retrievable online: http://www.jisc.ac.uk/uploaded_documents/TSW0602.pdf, accessed 20 February, 2007.
[v] RFID typically operates within a low frequency (LF), high frequency (HF), ultra high frequency (UHF) and microwave. In practice, the actual frequencies available to RFID are limited to those frequencies set aside as Industrial Scientific Medical (ISM). Frequencies lower than 135 kHz are not ISM frequencies, but in this range RFID systems are usually using powerful magnetic fields and operating over short ranges, so much so, interference is less of an issue than it might be otherwise.
[v] Battle for different applications of UHF is also still taking place amongst RFID users in specific industry such as pharmacy. See generally: http://www.unisys.com/commercial/news_a_events/all__news/04048642.htm, accessed 20 February 2007.
[vi] It is argued that this standard shall lead to possible RFID technological convergence towards pre-emptive technical regulation. It is hoped that governments and standard bodies should make a genuine effort to cooperate producing a global standard; see also EPC Global, “Communications Commission sets the stage for the EU to realise benefits of applications based on EPCglobal standards” Retrievable online: http://www.epcglobalinc.org/about/media_centre/press_rel/Press_Release_Commission_Communication_on_RFID_070314.pdf, accessed 20 February 2007; see generally: http://en.wikipedia.org/wiki/EPCglobal, accessed 20 February 2007.
[vii] Steve Hodges & Mark Horrison, “WHITE PAPER – Demystifying RFID: Principles and Practicalities”, Auto-ID Centre, Institute for Manufacturing, University of Cambridge, Published 1 October 2003 at p. 8-9; see also http://www.ifm.eng.cam.ac.uk/automation/publications/documents/CAM-AUTOID-WH024.pdf, accessed 20 February 2007.
[viii] Ibid., at p.9.
[ix] See JISC Technology and Standards Watch, May 2006 at p. 4-5.
[x] Ibid., at p.9.
[xi] See en 16 above, at p. 4-5.
[xii] Ibid., at p.9.
[xiii] See en 18 above, at p.4-5.
[xiv] See generally http://ec.europa.eu/information_society/policy/rfid/index_en.htm, accessed 2 May 2007.
[xv] See generally http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm; see also http://www.edri.org/edrigram/number3.3/consultation, and http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf respectively, accessed 22 March 2007.
[xvi] See Olli Pitkanen and Marketta Niemela, “Privacy and data protection in emerging RFID-applications”, Helsinki Institute for Information Technology HIIT, Helsinki University of Technology and University of Helsinki, VTT Technical Research Centre of Finland. This paper was presented in the EU RFID Forum 2007, retrievable at: http://www.rfidconvocation.eu/Papers%20presented/Business/Privacy%20and%20Data%20Protection%20in%20Emerging%20RFID-Applications.pdf, accessed 22 March 2007.
[xvii] Ibid., see en 17 above, at p.1-2.
[xviii] The data should be processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purposes; accurate and, where necessary, kept up to date. For restrictions, see http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf, accessed 22 March 2007.
[xix] See http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf; see also http://www.ico.gov.uk/global/search_results.aspx?search=RFID, accessed 22 March 2007.
[xx] Ibid., see en 18 above at p 3-4.
[xxi] The concerns include “skimming”, “hacking”, “rogue RFID tag readers”, “skimmers” “cloned EFID chip”, “blocker tags” and “clipped tags”. For more detailed explanation, see the guidance at p. 5-7; see also http://www.ico.gov.uk/upload/documents/library/data_protection/introductory/radio_frequency_identification_tags.pdf, accessed 23 March 2007.
[xxii] As the bulk report remains an authoritative and guidance to data controller, it is suggested however that the substance of the report should be inferred within the context of data protection strategy and management of the data controller. See http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_full_report_2006.pdf, accessed 23 March 2007; see also the appendices of the report: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_appendices_06.pdf, accessed 23 March 2007; see the summary of the report: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_summary_06.pdf, accessed 23 March 2007.
[xxiii] See generally http://www.itu.int/osg/spu/ni/ubiquitous/Presentations/4_poon_RFID.pdf, accessed 2 May 2007; see also http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN018240.pdf, accessed 2 May 2007.
[xxiv] See generally http://www.rfidjournal.com/article/articleview/1024/1/1/, accessed 2 May 2007.
[xxv] With government help, RFID technology provider Tunity Technologies is developing EPC-compliant multifrequency RFID tags that operate in three different RF bands.
[xxvi] See generally http://www.american.edu/carmel/ag0466a/Doc13.htm, accessed 2 May 2007.
[xxvii] See generally http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN012665.pdf, accessed 2 May 2007; see also http://www.infowar-monitor.net/modules.php?op=modload&name=News&file=article&sid=1319, accessed 2 May 2007.
[xxviii] See http://www.theedgedaily.com/cms/content.jsp?id=com.tms.cms.article.Article_d2cc4b98-cb73c03a-29d65b00-cd5c3a50, accessed 20 February 2007 see also http://morerfid.com/details.php?subdetail=Report&action=details&report_id=1032&display=RFID, accessed 20 February 2007. In the Malaysia RFID 2006-2010 Forecast and Analysis, it predicted the state of the market for RFID solutions implementation in Malaysia, historical development, and prediction for the future. It also presents an end user's RFID case study and write-up on key players that offer RFID solutions in Malaysia. Based on the study, hardware comprises largest portion of the total commercial RFID spending in 2005 at 60%, driven primarily by the purchases of readers and tags, followed by software and services which take up the remaining 40% of the RFID spending. "Based on the IDC's definitions, software revenue captured in this forecast is limited to RFID middleware, reader firmware, and additional enterprise middleware directly related to integrating data from the RFID layer with the enterprise application layer. It does not incorporate spending on enterprise applications and upgrades beyond middleware to accommodate and take advantage of the influx of data from RFID tags. Services included in this forecast are business process consulting, installation, systems integration, and ongoing support services. Software and services would pose more growth potential, with CAGR of 48% and 51% respectively.
[xxix] The owner of the car should be nearby if the police officials want to check the driver's identity. The system will be implemented next year. The new cars would have such plates followed by the older ones. The risk what I see is that in case the RFID system of your car breaks down then you might be pulled from your car by the cops thinking that you are a thief. See generally http://www.iht.com/articles/ap/2006/12/09/asia/AS_GEN_Malaysia_Car_Thefts.php, accessed 22 February 2007.
[xxx] See http://www.hitachi.co.jp/Prod/mu-chip/index.html, accessed 22 February 2007.
[xxxi] The Prime Minister, Datuk Seri Abdullah Ahmad Badawi, who launched the microchip yesterday, said the chip with its identification serial number, could help to counter the forgery of government documents; currency notes; halal certificates; medical products and compact discs, among others. Besides, some applications currently being developed would further assist to improve the public service delivery system. See http://www.mida.gov.my/beta/view.php?cat=14&scat=1552, accessed 22 February 2007; see also http://en.qschina.com/html/tradeinfo/html/2007/3/13/9088.html, accessed 22 February 2007.
[xxxii] See Ida Madieha Azmi, “E-commerce and privacy issues: an analysis of the personal data protection bill”, International Review of Computer Laws & Technology, Volume 16, No. 3, pp 317-330, 2002.
[xxxiii] See Ida Madieha Azmi, “Why has data protection law been delayed in Malaysia? Nothing to do with Islam and who needs it anyway?” BILETA 2006, Malta 6th – 7th April 2006. See generally: http://events.um.edu.mt/bileta2006/29DP&I%20v1%20Ida%20madieha%20Aziz.pdf, accessed 22 February 2007; see also Hurriyah El Islamy, “Privacy and Technology”, BILETA 2005, Belfast retrievable at: http://www.bileta.ac.uk/Document%20Library/1/Privacy%20and%20Technology.pdf, accessed 22 February 2007.
[xxxiv] Jane Ritikos, Florence A. Samy and Elizabeth Looi, “Same law apply for bloggers, say BN rep”, The Star Online, Thursday March 22 2007; see also: http://star-techcentral.com/tech/story.asp?file=/2007/3/22/technology/20070322114048&sec=technology, accessed 22 March 2007.
[xxxv] See generally http://en.wikipedia.org/wiki/Technological_convergence, accessed 22 March 2007.
[xxxvi] See generally http://www.boycotttesco.com./, accessed 2 May 2007; see also http://news.bbc.co.uk/1/hi/business/4209545.stm, accessed 2 May 2007.
[xxxvii] See http://www.out-law.com/page-3812, accessed 2 May 2007 see also http://www.boycottgillette.com/, accessed 2 May 2007.
[xxxviii] Se http://www.boycottbenetton.com/ accessed 2 May 2007; see also http://www.rfidjournal.com/article/articleview/344/1/1/, accessed 2 May 2007 see generally http://www.out-law.com/page-3465, accessed 2 May 2007.
[xxxix] See generally http://www.ipc.on.ca/images/Resources/up-rfidtips.pdf, accessed 3 May 2007.
[xl] See generally http://en.wikipedia.org/wiki/Enterprise_Risk_Management, accessed 24 March 2007.
[xli] Globally, the preferred risk management module is enterprise risk management. See generally http://en.wikipedia.org/wiki/Enterprise_Risk_Management, accessed 24 March 2007.
[xlii] See generally http://www.admin.ox.ac.uk/riskmgt/overview.shtml, accessed 24 March 2007.
[xliii] Frederic Thiesse, “Managing risk perceptions of RFID” Auto-ID Labs White Paper WP-BIZAPP-031, pp 11-17; see Atkinson, W. (2004), “Tagged: the risks and rewards of RFID technology” Risk Management Journal 51 (7) at pp. 12-19; see also Cavoukian, A. (2004), “Tag, You’re it: privacy implications of Radio Frequency identification Technology, Information and Privacy Commissioner Ontario, Toronto; see also an interesting Australian perspective: http://www.privacy.gov.au/news/04_07.html, accessed 24 March 2007.
[xliv] RFID risk manual can only be established once organisations or companies have undergone the levels of risk management exercise. See also an example of risk management checklist: http://www.lms.ca/@pdf/Risk_Management_Checklist.pdf, accessed 24 March 2007.
[xlv] See generally http://cyber.law.harvard.edu/ecommerce/privacyaudit.html, accessed 24 March 2007; see also http://www.itcinstitute.com/display.aspx?id=2499, accessed 24 March 2007.
[xlvi] See http://csrc.lse.ac.uk/asp/aspecis/20050060.pdf, accessed 3 May 2007.
Is legal risk management relevant in consumer privacy?
Noriswadi Ismail[i]
British Chevening Scholar, University of Strathclyde
noriswadi.ismail@strath.ac.uk
Abstract. RFID is regarded as technological perfection in many global industries; retails, logistics, libraries, passports, surveillance, healthcare and banking. RFID proponents assert that the technology has been complementing global industries’ value chain and business continuity. Global market analysis has predicted that the Return of Investment from this technology will massively attract widespread deployment by 2010. Whilst the strength of this technology remains relevant for the proponents, there remain handful debates on the weaknesses of RFID’s data surveillance. Due to the latter, this paper will reveal the weaknesses and how it leads to privacy debates in consumer privacy. Regulatory and commercial developments from the United Kingdom and European Union will be painstakingly analysed. This paper will also comparatively analyse the developments in Malaysia and Singapore. It will endeavour to outline the respective Regulators’ position and selected industries’ feedbacks in RFID on cursory note. Significantly, this paper will attempt to argue the relevance of legal risk management in consumer privacy as the key question to be answered. It will explore a potential approach that could be balanced between RFID technology vis-à-vis consumer privacy.
1. Introduction
RFID has been generally cited as one of the most evolving technologies in the world. This powerful technology remains incompatible in these industries: retails, logistics, military, libraries, surveillance and banking, yet it endures endless debates in some legal regimes and contours. When the technology was first deployed by the military, the impact of the technology was never intended to be as sensitive as it is today. Besides, global RFID spending has increased by leaps and bounds and provides an ongoing deployment by these various industries to enjoy its value chain and business continuity. Many will view that RFID substitutes the role of barcode as means of tagging technology despite of the inhibiting level of protection towards the internal subject of the tagging - which is the data and most importantly - privacy. Due to the latter, it has prompted potential data protection and civil liberties debates across the globe. Whilst this concern is ongoing, this paper will attempt to look into how RFID technology leads to potential questions of privacy. The central attention will be on consumer privacy. Two substantive developments are discussed:
· Regulatory and commercial developments; and
· Legal risk management as a tool towards managing consumer privacy
2. RFID – an overview
RFID is a technology which illustrates any system of identification that uses radio frequency or magnetic field variations, wherein an electronic device which activates the variations is attached to an item.[ii] A tag and a reader are the components of an RFID. Tag is the identification device attached to the item for tracking whilst reader is a device that can recognise the presence of RFID tags and read the information stored on them. The reader can then inform another system about the presence of the tagged items. The system with which the reader communicates usually runs software that stands between readers and applications which are called as RFID middleware.[iii] Even if the historical trail of this technology remains ambivalent, but generally, it goes back to 1920s during the World War II.[iv]
2.1. RFID general functions
RFID could not function without frequency.[v] The operating frequency is the electromagnetic frequency that the tag uses to communicate or to secure power. Due to the nature of RFID which broadcast electromagnetic waves, they are regulated as radio devices. Thus, RFID systems must not interfere with other existing protected applications such as emergency service radios or television transmissions. In relation to the technical standard of ultra high frequencies (UHF), there are different ranges of applications in different parts of the world. Even if each country requires a different range of UHF, it is suggested that one possible global standard known as EPCglobal standard will be able to match varying local regulatory requirements.[vi]
As mentioned, the tag and the reader are two key components to operating an RFID system. The reader functions as transmitter of the system which contains electronics that use an external power source to generate the signal that drives the reader’s antenna. In effect, it creates the radio wave. The radio wave may be received by an RFID tag, which ‘reflects’ some of the energy it receives in a particular way, based on the identity of the tag.[vii] Whilst this reflection is going on, the RFID reader is also acting as a radio receiver so that it can detect and decode the reflected signal in order to identify the tag.
2.2. Types of categorisation
There are essentially three types of categorisation within an RFID system which is based on the power source used by the tag, as particularised:-
· Passive tag – This requires no power source at the tag. It does not require any batteries but utilises the energy of radio wave to effect its operation.[viii] In this category, it results to the lowest tag cost at the expense of the performance. Example that could be seen in practice is the usage of passive tag in individual product items for applications in supermarket checkouts and smart cards[ix];
· Semi-passive tag – This relies on the battery built into the tag in order to achieve a better performance within the operating range. In this category, the battery powers the internal circuitry during the communication; however it is not used to generate radio wave.[x] This tag is mostly fragile and expensive in the market[xi]; and
· Active tag – It utilises batteries for their entire operation which can generate radio wave actively in the absence of a reader.[xii] In this category, the tag is capable of a peer-to-peer communication. It has larger memory as compared to the passive tag, possesses higher processing capabilities and secure.[xiii]
Without any doubt, the semi-passive tag is the only category which does not require the involvement of a radio wave. It is also due to the costly price which compels the RFID provider to opt the first and second category.
3. Regulatory and commercial developments
Besides the United States of America, there are regimes which have been very serious to addressing RFID policy and regulation; the European Union and the United Kingdom. These regimes have undertaken a very smart move to advocate a possible RFID policy in the very near future. The European Commission is undertaking an open public consultation towards establishing an RFID policy for Europe. [xiv] The outcome will be disseminated and diffused to the member states once the European Commission would have duly substantiated the consultative deliberations. However, for the purpose of this paper, it shall restrict generally into the governing Directives of the European Union and the guidance by the United Kingdom.
3.1. The European Union (EU)
In the EU, Article 29 of the EU Working Party which is established under the auspices Article 29 of Directive 95/46/EC articulates existing privacy and data protection issues.[xv] On the data protection front, the Working Party has mooted the concerns on the effect of RFID technology which may lead to violation of human rights and data protections rights. The main concern exceedingly surrounds on the possibility of businesses and governments which have deployed RFID that is accruing and prying into the privacy sphere of individuals.[xvi] Cursorily, the published summary of responses by the RFID stakeholders has achieved a general satisfaction. In practice, however, it is asserted that the examples of RFID applications technically illustrated in the working document do not match the reality.[xvii] It is argued that societal benefits and realistic appreciation of technical possibilities should be painstakingly inferred whilst analysing RFID applications.
Two governing Directives are applicable within the EU; Directive 95/46/EC on the protection of personal data and Directive 2002/58/EC on the protection of personal data in the electronic communications sector. These Directives outline the pre-emptive mechanism of data processing that should be complied with, by the member states.[xviii] In Directive 95/46/EC, it could be asserted that not all RFID applications are governed under the provisions. This is due to the complexity nature of RFID technology itself via the tags, the reader and middleware. Technically, the tags possess the capability to exchange information and thus, the existing provision in the Directive have ignored and limited its scope of regulation, thus, fails to achieving technology neutrality approach. It also leads to a certain level of biasness towards existing RFID middleware and applications which are integrated with other component of technologies. In Directive 2002/58/EC, services must provide continually the possibility, of using a simple means and free of charge, of temporarily refusing the processing of certain personal data for each communication. It is asserted that a PC based system would fulfil the needs of the provision, but RFID may struggle to comply with the spirit due to the nature of its technical interface.
3.2 – Guidance in the United Kingdom (UK)
In the UK, the Data Protection Act 1998 regulates the processing of personal data. Supporting the provisions of the Act is The Data Protection Technical Guidance Radio Frequency Identification. It has outlined two scenarios in which personal data might be processed using RFID.[xix] First, personal data may be stored on the tags themselves, or linked to a database containing personal data. Second, if tags or individual items can be used to identify the individual associated with the item, they will be personal data.[xx] The Act also applies when the personal data is collected, generated or disclosed using RFID either directly or indirectly. RFID users should also adopt the data protection principles of fair processing, use limitation, data quality, data retention and security. The guidance has also mentioned extensively specific data protection concerns which involve security, monitoring, profiling and technical solutions.[xxi]
From these developments, the UK Information Commissioner has put a very high concern on the level of surveillance in the UK’s society. In a report on surveillance society, issued by the Surveillance Studies Network[xxii], RFID has been highlighted as one of the central issues and discussions. Even if the report does not critically analyse the technical aspects of RFID and its dangers to privacy and surveillance in detail, it has however outlined future directions to the data protection actors whenever potential RFID issues take place. Invariably, the report has analysed various social, technical, regulatory and economic perspectives which could be applied in today’s context in achieving a balanced surveillance society.
3.3. Development in Singapore[xxiii]
Singapore was one of earliest users of RFID technology in the world.[xxiv] Singapore Land Transport Authority has been deploying RFID since 1998 in what was the world's first Electronic Road Pricing system, an automated toll-collection system used to control and manage traffic volume in the city. Singapore's National Library Board was one of the first to harness RFID in a library environment back in late in 1998, when it embedded RFID tags on books to automate the borrowing and returning of library books as well as to expedite the process of sorting books and returning them to shelves.
As Asia's leading convention venue, Singapore has long used RFID technology to tracing delegates at large conferences and conventions in the city. Singapore became the first pilot port in Asia under the United States of America Container Security Initiative. The island-republic is now implementing the usage of RFID seals for all containers bound for the United States of America seaports. Selective local research institutions teamed up towards developing solutions to deploy RFID for tracing SARS contacts in local hospitals. At present, Singapore wants to leverage its existing expertise to undertake RFID research and development.[xxv]
It is evident that Singapore RFID deployment has positioned the republic as the leader in the Asia Pacific region. Whilst the commercial development looks positively encouraging, it is to note that data protection provisions in Singapore legal regime is rather sectorial and piecemeal.[xxvi] However, recent development in Singaporean parliament suggests that data protection and privacy should be the main priority for Singapore’s industries.[xxvii]
3.4. Development in Malaysia
Based on IDC’s forecast, the Malaysia’s RFID market is expected to hit RM77 million by 2010[xxviii] with a compound of annual growth rate of 45.84%. Significant developments have taken place in Malaysia’s RFID growth. On December 2006, the Malaysian Road Transport Department had initiated the usage of RFID license plates with the attempt to reduce the number of car thefts in the country. The plate will contain the information about the owner of the car and the vehicle. This will help the police official to know if the car has been stolen.[xxix]
On 24 February 2007, Malaysia had released the world’s smallest RFID microchip which measures between 0.4mm by 0.4mm with a built-in antenna, which can be embedded on paper.[xxx] The microchip, developed under the Malaysia Microchip Project, at a cost of US$50 million (RM180 million) based on Japanese technology, is the first with multi-band frequencies.[xxxi] These developments envisage promising RFID growth in the Malaysian market and if the IDC analysis remains prevalent, it is predicted Malaysia will be the central RFID investment within the South East Asian region.
In Malaysia, the effort to draft the PDP Bill started in 2000. However, the legislation is yet to be seen.[xxxii] Rumours claimed that the Bill was motivated by the European Union regulatory approach as compared to the self-regulation approach of safe harbour of the United States of America.[xxxiii] But now, the situation is otherwise and it has given quite a general setback to various industries in implementing possible data protection and privacy strategy within their organisations.
The issue of the PDP Bill delay was also mentioned in the parliament. One of the members of parliament lamented that the government was taking too long to pass laws on personal data protection, which existed in ninety countries. He further viewed that it is imperative that Malaysia hasten the enactment of the law and poignantly added that it could affect efforts to sustain Malaysia’s position as a competitive outsourcing country after India and China.[xxxiv]
The moans and groans are not only commonly shared by the Malaysian public but also multinational corporations and foreign investors. The next question to be asked is whether the RFID technology undermines privacy and data protection? There are two possible and skeletal answers. First, in the event the Bill has analysed thoroughly the application of emerging new technology and its convergence[xxxv] vis-à-vis’ the privacy and data protection provisions, it is believed it would not generally undermine due to its technology neutrality approach. Second, in the event the Bill has not achieved the same, a secondary review to the existing draft should be made pedantically. However, it should be noted that these answers may be duly substantiated once the Bill takes place in Malaysia.
4. RFID and consumer privacy
The regulatory and commercial developments in different legal regimes lead to different principles and approaches. Appropriately, these regimes are undertaking a multi-layered effort to ensuring that RFID remains relevant, yet there should be certain pre-emptive measures in protecting privacy. Civil liberties have also raised their eye brows questioning the legitimacy of RFID tracking technology. The technology reveals worried danger within the privacy sphere that needs to be defused.
In 2005, consumer privacy advocates had initiated a website boycotting TESCO which was aimed to encourage consumers’ participation and awareness on the danger of this “spy chip” technology.[xxxvi] Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) launched the campaign nationwide evidencing the level of protest on privacy fears. CASPIAN was particularly concerned about item-level RFID tagging, especially the potential for retailers to be able to track goods after they leave the store - which it views as invasion of consumer privacy.
The boycott against GILLETTE is also another profound example advocated by CASPIAN in 2003. It was claimed that the GILLETTE product had been embedded with an RFID chip that was able to “spy” on consumers. Subsequently, a website to boycotting GILLETTE product was established to educate consumers the danger of RFID.[xxxvii] On the similar stance, BENETTON was also the subject of boycott by CASPIAN. It was claimed that the clothing that was on sale within the BENETTON’s premises were embedded with an RFID chip which simultaneously prying on consumers’ data and privacy.[xxxviii]
CASPIAN’s intention to educate the consumer privacy is commendable. On one hand, the boycott websites suggested consumers to abandon their intention to purchase the products due to the danger of potential data intrusion via the RFID technology. But, on the other hand, CASPIAN has failed to address the recommended best practices to consumers towards risk mitigation whenever the consumers would have purchased the product. Realistically, the outcome of boycott consultation between CASPIAN and the relevant RFID users like TESCO should also be channelled to the consumers for an informed notification.[xxxix]
4.1. Legal Risk Management in consumer privacy
Business continuity has always been the life cycle of organisations and companies. The term ‘legal risk management’[xl] is neither a new nor a coined terminology. It is a hybrid approach or strategy assessing issues within the application of risk management module and legal principles.[xli] Due to the hybrid nature of the module, akin to the RFID technology, RFID users should be able to adopt a strong risk management culture. A strong risk management culture commences with these levels of risk processes: risk identification, risk analysis, risk profiling, risk mitigation, risk control and risk scorecard.[xlii]
The traditional approach of risk management is mostly centred upon internal auditing exercise and internal control of organisations and companies. However, as the global market matures, risk management has been extended to control or pre-empted specific problems and issues, in the absence of a clear legislation or technical standard. The ultimate aim of adopting a legal risk management strategy for RFID users is to complement the industries’ readiness in complying privacy and data protection provisions.[xliii] This will also enable data controllers to self-regulate consumer privacy and be able to avoid potential boycotting.
Legal risk management does not favour any organisations or companies but it complements these entities within their risk appetites. Generally, risk management requires a pre-emptive strategy that is realistic and achievable. For organisations, the essential strategy starts with the establishment of an RFID risk manual.[xliv] This manual will be able to outline brief technical illustration of the RFID usage, the sensitive technical areas that lead to privacy issues as well as how to mitigate and manage the RFID and privacy related risk perceptions. The manual should also provide the commitment to manage the risk and at the same time, eliminating the risk that would have been derived from RFID middleware, applications and deployment. It is submitted that the manual should take into various aspects which include, cost, technical, legal, research & development, liability, operations, third party and reputation. Appropriately, RFID risk manual should also incorporate the privacy risk checklist[xlv] that could serve as useful guidance and tool for the users. It is emphasized that the checklist should be based on the risk appetites of organisations and companies.
A strong RFID risk manual should be supplemented with ongoing training, dissemination, careful review and control. This is deemed to be essential to companies and organisations. In the context of consumer privacy, a strong risk management processes would be able to cover potential liabilities of the RFID service provider, retailers, data controllers and any third parties who are involved with the deployment. This will boost strong confidence to existing consumers and potential consumers who intend to purchase any products or items without privacy fear and danger.
4.2 Potential arguments against legal risk management
The option to adopt this legal risk management strategy is an open option to preserve consumer privacy. It is not meant to compel organisations and companies to adopt the same in the absence of a clear privacy and data protection provisions. Apropos, this option should also be taken into consideration as a means of internal control and thus, complementing privacy and data protection terms of other countries and regimes. This option also helps retailers, hyper markets, RFID technology service providers and any data controllers to disclaim their privacy liabilities. There may be two potential arguments that underpin the adoption of legal risk management strategy, besides the typical cost and resources arguments.
First, one may argue that there are also other technical standards that could mitigate such RFID related privacy risks. However, to counter argue, it should be borne in mind that such existing standards are restricted on specific technology adoption and the risk assessment which is featured within any existing standards do not, in most cases, carry the levels of risk management in a whole package.
Second, one may also argue that relying on data protection terms are sufficient to overcome privacy issues and there is no need to extend such existing standards or models to examine the level of privacy and data protection within RFID technology. To the contrary, the purpose of legal risk management model is to add the value to privacy and data protection provisions. It does not, however, lead to duplication and interface other existing standards or models and legal risk management is deemed to be pragmatic in mitigating the issues between RFID and privacy. Besides being the added value tool towards privacy and data protection, this model adopts the commendable practice is corporate governance.
5. Privacy impact assessment
It is undeniable that RFID deployment involves multi layered of relationship ranging from the service providers, third parties’ applications, third parties’ middleware and to the users. In the event RFID technology has been deployed, it carries different levels of liabilities. It is very essential for these parties to conduct a privacy impact assessment as to ascertain the sustainability of the technology in the long run. Arguably, there are no specific models that could be developed for specific industries. However, it is asserted that this assessment will be able to carry a balanced weight which complements the legal risk management approach.
Appropriately, such assessment should involve four layers: technical, legal, economic and social.[xlvi] The assessment could be designed through detailed checklists corresponding to the structure of the RFID technology, based on specific industries’ demands and needs. For consumer privacy, retailers should be able to ascertain the sustainability of their RFID-related policy so that an informed notification has been channelled and disseminated to the consumers. It is also indispensable for retailers to model a tailor made RFID privacy policy for consumers’ attention so that the choice and option of consumers to purchase a specific product shall not be abandoned. Strategic privacy impact assessment between CASPIAN, the retailers and consumers should also take place in the very near future. The rationale is to establish a dynamic co-existence between these focused groups which will equalise a unique level of cooperation towards pre-empting privacy fears derived from RFID technology.
6. Conclusion
From the foregoing developments, caution steps should be taken by all parties who are involved directly and indirectly by RFID deployment. Whilst the European Union and the United Kingdom have provided a general model of RFID guidance, Malaysia and Singapore should expedite the lobbying to pass the motherhood of privacy and data protection legislation at the first instance. With that, it will enable to bridge the gap between RFID technology development vis-à-vis regulations. Even if the legislation would have been in place, it shall take some considerable time for both countries to reach the tested maturity stage alike of the European Union and the United Kingdom.
With regards to consumer privacy, CASPIAN, being the leader of civil liberties and consumer advocate should play a more effective cum strategic role in RFID. Whilst the boycotting and lobbying the consumers to abandon such purchases tend to be a brave move, it is however, needs effective yet resourceful dissemination and diffusion for consumers. As suggested, a trilateral consultative process between CASPIAN, retailers and consumers shall lead the headway towards a privacy compliant RFID environment.
It is very interesting to awaiting the outcome of the European Commission RFID EU Policy consultation. The impact shall change the current RFID landscape and, consumers should be able to monitor its developments tenaciously. Whilst the outcome remains to be speculative, it is timely for RFID players and actors to embark on with the best and strategic option which may fit their companies and organisations. As the notion of there is ‘no one size fits all’ deemed to be applicable in RFID technology context, it is however needful for the industries to consider the best and practical options from various perspectives; technically, economically, legally and socially. By this, it is believed that privacy will not be a nightmare and over exaggerated by unqualified justifications and assertions. RFID remains relevant and indeed it is.
1 Head, Company Secretary, Compliance & Risk Management of HeiTech Padu Berhad. See http://www.heitech.com.my. For detailed RFID research blog: http://the-rfid-nexus.blogspot.com. See also his paper presented in the British Irish Legal Education Technology Association 2007, hosted by University of Hertfordshire on 16-17 April 2007 titled “RFID: Malaysia’s privacy at the crossroads?”, readable at the RFID research blog.
[ii] Bill Glover & Himanshu Bhatt, “RFID Essentials” (2006, O’Reilly) pp 1-19.
[iii] Glover & Bhatt en above at p.1.
[iv] See generally Matt Ward, Rob van Kranenburg and Gaynor Backhouse “RFID: frequency, standards and innovation”, JISC Technology and Standards Watch, May 2006 at p. 4-5. Retrievable online: http://www.jisc.ac.uk/uploaded_documents/TSW0602.pdf, accessed 20 February, 2007.
[v] RFID typically operates within a low frequency (LF), high frequency (HF), ultra high frequency (UHF) and microwave. In practice, the actual frequencies available to RFID are limited to those frequencies set aside as Industrial Scientific Medical (ISM). Frequencies lower than 135 kHz are not ISM frequencies, but in this range RFID systems are usually using powerful magnetic fields and operating over short ranges, so much so, interference is less of an issue than it might be otherwise.
[v] Battle for different applications of UHF is also still taking place amongst RFID users in specific industry such as pharmacy. See generally: http://www.unisys.com/commercial/news_a_events/all__news/04048642.htm, accessed 20 February 2007.
[vi] It is argued that this standard shall lead to possible RFID technological convergence towards pre-emptive technical regulation. It is hoped that governments and standard bodies should make a genuine effort to cooperate producing a global standard; see also EPC Global, “Communications Commission sets the stage for the EU to realise benefits of applications based on EPCglobal standards” Retrievable online: http://www.epcglobalinc.org/about/media_centre/press_rel/Press_Release_Commission_Communication_on_RFID_070314.pdf, accessed 20 February 2007; see generally: http://en.wikipedia.org/wiki/EPCglobal, accessed 20 February 2007.
[vii] Steve Hodges & Mark Horrison, “WHITE PAPER – Demystifying RFID: Principles and Practicalities”, Auto-ID Centre, Institute for Manufacturing, University of Cambridge, Published 1 October 2003 at p. 8-9; see also http://www.ifm.eng.cam.ac.uk/automation/publications/documents/CAM-AUTOID-WH024.pdf, accessed 20 February 2007.
[viii] Ibid., at p.9.
[ix] See JISC Technology and Standards Watch, May 2006 at p. 4-5.
[x] Ibid., at p.9.
[xi] See en 16 above, at p. 4-5.
[xii] Ibid., at p.9.
[xiii] See en 18 above, at p.4-5.
[xiv] See generally http://ec.europa.eu/information_society/policy/rfid/index_en.htm, accessed 2 May 2007.
[xv] See generally http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm; see also http://www.edri.org/edrigram/number3.3/consultation, and http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf respectively, accessed 22 March 2007.
[xvi] See Olli Pitkanen and Marketta Niemela, “Privacy and data protection in emerging RFID-applications”, Helsinki Institute for Information Technology HIIT, Helsinki University of Technology and University of Helsinki, VTT Technical Research Centre of Finland. This paper was presented in the EU RFID Forum 2007, retrievable at: http://www.rfidconvocation.eu/Papers%20presented/Business/Privacy%20and%20Data%20Protection%20in%20Emerging%20RFID-Applications.pdf, accessed 22 March 2007.
[xvii] Ibid., see en 17 above, at p.1-2.
[xviii] The data should be processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purposes; accurate and, where necessary, kept up to date. For restrictions, see http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf, accessed 22 March 2007.
[xix] See http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf; see also http://www.ico.gov.uk/global/search_results.aspx?search=RFID, accessed 22 March 2007.
[xx] Ibid., see en 18 above at p 3-4.
[xxi] The concerns include “skimming”, “hacking”, “rogue RFID tag readers”, “skimmers” “cloned EFID chip”, “blocker tags” and “clipped tags”. For more detailed explanation, see the guidance at p. 5-7; see also http://www.ico.gov.uk/upload/documents/library/data_protection/introductory/radio_frequency_identification_tags.pdf, accessed 23 March 2007.
[xxii] As the bulk report remains an authoritative and guidance to data controller, it is suggested however that the substance of the report should be inferred within the context of data protection strategy and management of the data controller. See http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_full_report_2006.pdf, accessed 23 March 2007; see also the appendices of the report: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_appendices_06.pdf, accessed 23 March 2007; see the summary of the report: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_summary_06.pdf, accessed 23 March 2007.
[xxiii] See generally http://www.itu.int/osg/spu/ni/ubiquitous/Presentations/4_poon_RFID.pdf, accessed 2 May 2007; see also http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN018240.pdf, accessed 2 May 2007.
[xxiv] See generally http://www.rfidjournal.com/article/articleview/1024/1/1/, accessed 2 May 2007.
[xxv] With government help, RFID technology provider Tunity Technologies is developing EPC-compliant multifrequency RFID tags that operate in three different RF bands.
[xxvi] See generally http://www.american.edu/carmel/ag0466a/Doc13.htm, accessed 2 May 2007.
[xxvii] See generally http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN012665.pdf, accessed 2 May 2007; see also http://www.infowar-monitor.net/modules.php?op=modload&name=News&file=article&sid=1319, accessed 2 May 2007.
[xxviii] See http://www.theedgedaily.com/cms/content.jsp?id=com.tms.cms.article.Article_d2cc4b98-cb73c03a-29d65b00-cd5c3a50, accessed 20 February 2007 see also http://morerfid.com/details.php?subdetail=Report&action=details&report_id=1032&display=RFID, accessed 20 February 2007. In the Malaysia RFID 2006-2010 Forecast and Analysis, it predicted the state of the market for RFID solutions implementation in Malaysia, historical development, and prediction for the future. It also presents an end user's RFID case study and write-up on key players that offer RFID solutions in Malaysia. Based on the study, hardware comprises largest portion of the total commercial RFID spending in 2005 at 60%, driven primarily by the purchases of readers and tags, followed by software and services which take up the remaining 40% of the RFID spending. "Based on the IDC's definitions, software revenue captured in this forecast is limited to RFID middleware, reader firmware, and additional enterprise middleware directly related to integrating data from the RFID layer with the enterprise application layer. It does not incorporate spending on enterprise applications and upgrades beyond middleware to accommodate and take advantage of the influx of data from RFID tags. Services included in this forecast are business process consulting, installation, systems integration, and ongoing support services. Software and services would pose more growth potential, with CAGR of 48% and 51% respectively.
[xxix] The owner of the car should be nearby if the police officials want to check the driver's identity. The system will be implemented next year. The new cars would have such plates followed by the older ones. The risk what I see is that in case the RFID system of your car breaks down then you might be pulled from your car by the cops thinking that you are a thief. See generally http://www.iht.com/articles/ap/2006/12/09/asia/AS_GEN_Malaysia_Car_Thefts.php, accessed 22 February 2007.
[xxx] See http://www.hitachi.co.jp/Prod/mu-chip/index.html, accessed 22 February 2007.
[xxxi] The Prime Minister, Datuk Seri Abdullah Ahmad Badawi, who launched the microchip yesterday, said the chip with its identification serial number, could help to counter the forgery of government documents; currency notes; halal certificates; medical products and compact discs, among others. Besides, some applications currently being developed would further assist to improve the public service delivery system. See http://www.mida.gov.my/beta/view.php?cat=14&scat=1552, accessed 22 February 2007; see also http://en.qschina.com/html/tradeinfo/html/2007/3/13/9088.html, accessed 22 February 2007.
[xxxii] See Ida Madieha Azmi, “E-commerce and privacy issues: an analysis of the personal data protection bill”, International Review of Computer Laws & Technology, Volume 16, No. 3, pp 317-330, 2002.
[xxxiii] See Ida Madieha Azmi, “Why has data protection law been delayed in Malaysia? Nothing to do with Islam and who needs it anyway?” BILETA 2006, Malta 6th – 7th April 2006. See generally: http://events.um.edu.mt/bileta2006/29DP&I%20v1%20Ida%20madieha%20Aziz.pdf, accessed 22 February 2007; see also Hurriyah El Islamy, “Privacy and Technology”, BILETA 2005, Belfast retrievable at: http://www.bileta.ac.uk/Document%20Library/1/Privacy%20and%20Technology.pdf, accessed 22 February 2007.
[xxxiv] Jane Ritikos, Florence A. Samy and Elizabeth Looi, “Same law apply for bloggers, say BN rep”, The Star Online, Thursday March 22 2007; see also: http://star-techcentral.com/tech/story.asp?file=/2007/3/22/technology/20070322114048&sec=technology, accessed 22 March 2007.
[xxxv] See generally http://en.wikipedia.org/wiki/Technological_convergence, accessed 22 March 2007.
[xxxvi] See generally http://www.boycotttesco.com./, accessed 2 May 2007; see also http://news.bbc.co.uk/1/hi/business/4209545.stm, accessed 2 May 2007.
[xxxvii] See http://www.out-law.com/page-3812, accessed 2 May 2007 see also http://www.boycottgillette.com/, accessed 2 May 2007.
[xxxviii] Se http://www.boycottbenetton.com/ accessed 2 May 2007; see also http://www.rfidjournal.com/article/articleview/344/1/1/, accessed 2 May 2007 see generally http://www.out-law.com/page-3465, accessed 2 May 2007.
[xxxix] See generally http://www.ipc.on.ca/images/Resources/up-rfidtips.pdf, accessed 3 May 2007.
[xl] See generally http://en.wikipedia.org/wiki/Enterprise_Risk_Management, accessed 24 March 2007.
[xli] Globally, the preferred risk management module is enterprise risk management. See generally http://en.wikipedia.org/wiki/Enterprise_Risk_Management, accessed 24 March 2007.
[xlii] See generally http://www.admin.ox.ac.uk/riskmgt/overview.shtml, accessed 24 March 2007.
[xliii] Frederic Thiesse, “Managing risk perceptions of RFID” Auto-ID Labs White Paper WP-BIZAPP-031, pp 11-17; see Atkinson, W. (2004), “Tagged: the risks and rewards of RFID technology” Risk Management Journal 51 (7) at pp. 12-19; see also Cavoukian, A. (2004), “Tag, You’re it: privacy implications of Radio Frequency identification Technology, Information and Privacy Commissioner Ontario, Toronto; see also an interesting Australian perspective: http://www.privacy.gov.au/news/04_07.html, accessed 24 March 2007.
[xliv] RFID risk manual can only be established once organisations or companies have undergone the levels of risk management exercise. See also an example of risk management checklist: http://www.lms.ca/@pdf/Risk_Management_Checklist.pdf, accessed 24 March 2007.
[xlv] See generally http://cyber.law.harvard.edu/ecommerce/privacyaudit.html, accessed 24 March 2007; see also http://www.itcinstitute.com/display.aspx?id=2499, accessed 24 March 2007.
[xlvi] See http://csrc.lse.ac.uk/asp/aspecis/20050060.pdf, accessed 3 May 2007.
Subscribe to:
Posts (Atom)